.symfix
.sympath+
.reload
sxd *
.loadby sos mscorwks
!threads
kp
!do *throwable*
!do *_stackTraceString*
*** debugging dump
lmv mmscorwks
.reload /f mscorwks.dll
!load sos
!threads
!clrstack
!pe -nested
*** setup
.sympath srv*g:\binaries*http://msdl.microsoft.com/download/symbols
.reload
.symfix
ld -> loads module symbols
ld moduleName
.loadby sos mscorwks
*** memory
d
dw
dd
dd /c 1 00401060 -> display dwords in 1 column from address 00401060
db
da -> ascii
du -> unicode
dds myFunction -> try to resolve symbol
dv -> display variables (needs symbols)
dv /V
dt -> display type
dt _EXCEPTION_POINTERS
ln -> list near
*** search
s -> search memory
s -a 77f75acc L80 "B" -> searches from 77f75acc to 77f75acc+80 for the ASCII string "B"
s 77f75acc L80 42 40 3a -> searches from 77f75acc to 77f75acc+80 for the byte sequence 42 40 3a
x -> search symbols
x *! -> list of all the modules in the process with their beginning and ending memory locations
x *!my* -> list the functions that start with 'my' in all modules
x my!* -> list the functions in 'my' module
*** registers
r
rm
*** step
g -> go until breakpoint
p -> step
t -> step into
gu -> step out
pa -> step to address
ta -> trace to address
.restart
bp function -> set breakpoint
bp function "command" (ex.: bp kernel32!CreateFileW "du poi(esp+4); g")
bp address
*** stack
k
kP
.frame
kb 50 -> show 50 frames
~*k5 -> for each thread, show 5 frames
*** assembly
u -> unassemble function
uf myFunction
!u -> unassemble managed function
*** exceptions
sxe ld
sxe clr -> break on CLR exceptions
*** windows
!gle -> GetLastError()
*** dumps
!threads
!DumpObj = !do
!DumpStackObjects
!dt
!dso
!pe -nested
!peb
.cordll -u -l
!dumpheap -type theType
*** dumps (2)
lmv mmscorwks
Find the matching package at \\server\share and copy all files (except symbols) to the c:\debuggers folder
.loadby sos mscorwks (or, if that doesn't work, .load %debuggers%\sos.dll)
May need to execute .cordll -u -l
*** help
!help
*** sources
.srcpath
.lines
.l+, .l-
*** security descriptor
!object \BaseNamedObjects\CLR_CASOFF_MUTEX
dt nt!_OBJECT_HEADER objHeader
?? SecurityDescriptor & ~0x7
!sd *result* 1
*** kernel dbg setup
in Vista:
bcdedit /bootdebug ON
bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200
in XP: in boot.ini
/debug /debugport=com1 /baudrate=115200
connect the Vista machine to box XXX with a null-modem cable
in XXX
- kd.exe -server tcp:port=999 -k com:port=com1,baud=115200
- from windbg: .server tcp:port=999
restart Vista
to start debugging, kd.exe -remote tcp:server=serverboxname,port=999
From WinPE:
bcdedit /store c:\boot\bcd -enum -v
GUID corresponding to Vista -> {GUID}
bcdedit /store c:\boot\bcd -debug {GUID} on
*** kernel dbg
!stacks -> list threads
!locks -> lists locks
*** SOS commands
Object Inspection
-----------------------------
DumpObj (do)
DumpArray (da)
DumpStackObjects (dso)
DumpHeap
DumpVC
GCRoot
ObjSize
FinalizeQueue
PrintException (pe)
TraverseHeap
Examining CLR data structures
-----------------------------
DumpDomain
EEHeap
Name2EE
SyncBlk
DumpMT
DumpClass
DumpMD
Token2EE
EEVersion
DumpModule
ThreadPool
DumpAssembly
DumpMethodSig
DumpRuntimeTypes
DumpSig
RCWCleanupList
DumpIL
Examining code and stacks
-----------------------------
Threads
CLRStack
IP2MD
U
DumpStack
EEStack
GCInfo
EHInfo
COMState
BPMD
Diagnostic Utilities
-----------------------------
VerifyHeap
DumpLog
FindAppDomain
SaveModule
GCHandles
GCHandleLeaks
VMMap
VMStat
ProcInfo
StopOnException (soe)
MinidumpMode
 
