Wednesday, July 30, 2008

Windbg cheat-sheet

*** steps to find an exception

.symfix
.sympath+
.reload
sxd *
.loadby sos mscorwks
!threads
kp
!do *throwable*
!do *_stackTraceString*

*** debugging dump

lmvm mscorwks
.reload /f mscorwks.dll
!load sos
!threads
!clrstack
!pe -nested

*** setup

.sympath srv*g:\binaries*http://msdl.microsoft.com/download/symbols
.reload
.symfix
ld -> loads module symbols
ld moduleName
.loadby sos mscorwks

*** memory

d
dw
dd
dd /c 1 00401060 -> display dwords in 1 column from address 00401060
db
da -> ascii
du -> unicode
dds myFunction -> try to resolve symbol
dv -> display variables (needs symbols)
dv /V
dt -> display type
dt _EXCEPTION_POINTERS
ln -> list near

*** search

s -> search memory
s -a 77f75acc L80 "B" -> searches from 77f75acc to 77f75acc+80 for the ASCII character 'B'
s 77f75acc L80 42 40 3a -> searches from 77f75acc to 77f75acc+80 for the byte sequence 42 40 3a
x -> search symbols
x *! -> list of all the modules in the process with their beginning and ending memory locations
x *!my* -> list the functions that start with 'my' in all modules
x my!* -> list the functions in 'my' module

*** registers

r
rm

*** step

g -> go until breakpoint
p -> step
t -> step into
gu -> step out
pa -> st
ta -> trace to address
.restart
bp function -> set breakpoint
bp function "command" (ex.: bp kernel32!CreateFileW "du poi(esp+4); g")
bp address

*** stack

k
kP
.frame
kb 50 -> show 50 frames
~*k5 -> for each thread, show 5 frames

*** assembly

u -> unassemble function
uf myFunction
!u -> unassemble managed function

*** exceptions

sxe ld -> break on module load (to disable, use sxd)
sxe clr -> break on CLR exceptions

*** windows

!gle -> GetLastError()

*** dumps

!threads
!DumpObj = !do
!DumpStackObjects
!dt
!dso
!pe -nested
!peb
.cordll -u -l
!dumpheap -type theType

*** dumps (2)

lmvm mscorwks
Find matching package at \\server\share and copy all files (except symbols) to c:\debuggers folder
.loadby sos mscorwks (or, if that doesn't work, .load %debuggers%\sos.dll)
May need to execute .cordll -u -l

*** help

!help

*** sources

.srcpath
.lines
.l+, .l-

*** security descriptor

!object \BaseNamedObjects\CLR_CASOFF_MUTEX
dt nt!_OBJECT_HEADER objHeader
?? SecurityDescriptor & ~0x7 -> mask off the low 3 bits of the SecurityDescriptor value
!sd *result* 1

*** kernel dbg setup

in Vista:
bcdedit /bootdebug ON
bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200
in XP: in boot.ini
/debug /debugport=com1 /baudrate=115200
connect Vista to box XXX with a null-modem cable
in XXX
- kd.exe -server tcp:port=999 -k com:port=com1,baud=115200
- from windbg: .server tcp:port=999

restart Vista
to start debugging, kd.exe -remote tcp:server=serverboxname,port=999

From WinPE:

bcdedit /store c:\boot\bcd -enum -v
GUID corresponding to Vista -> {GUID}
bcdedit /store c:\boot\bcd -debug {GUID} on

*** kernel dbg

!stacks -> list threads
!locks -> lists locks

*** SOS commands

Object Inspection
-----------------------------
DumpObj (do)
DumpArray (da)
DumpStackObjects (dso)
DumpHeap
DumpVC
GCRoot
ObjSize
FinalizeQueue
PrintException (pe)
TraverseHeap

Examining CLR data structures
-----------------------------
DumpDomain
EEHeap
Name2EE
SyncBlk
DumpMT
DumpClass
DumpMD
Token2EE
EEVersion
DumpModule
ThreadPool
DumpAssembly
DumpMethodSig
DumpRuntimeTypes
DumpSig
RCWCleanupList
DumpIL

Examining code and stacks
-----------------------------
Threads
CLRStack
IP2MD
U
DumpStack
EEStack
GCInfo
EHInfo
COMState
BPMD

Diagnostic Utilities
-----------------------------
VerifyHeap
DumpLog
FindAppDomain
SaveModule
GCHandles
GCHandleLeaks
VMMap
VMStat
ProcInfo
StopOnException (soe)
MinidumpMode