[Windbg] Windbg introductory class notes
I recently took an introductory Windbg class at work.
It has honestly been a long time since I did any debugging on the Windows platform;
I had used Windbg a little before, but had pretty much forgotten all of it =_=…
Here are my notes from the class, so I can come back and look things up when needed (I couldn't be bothered to translate the English into Chinese)~
Useful tools
- Process explorer
- Process dump
- LiveKD
- NotMyFault
Windbg basic operations
- Open a crash dump with File > Open Crash Dump
- Load symbols
  - .symfix C:\symbols: Use the Microsoft symbol server, caching downloaded symbols in the local folder C:\symbols
  - .reload: Reload symbols
  - .sympath: Show the current symbol path
List threads
- ~: List all threads
Switch thread
- ~0s: Switch to thread 0
- ~1s: Switch to thread 1
Show stacks
- ~*k: List all threads' stacks
- ~*kv: List all threads' stacks with the first 3 function arguments
- k: List the current thread's stack
- kv: List the current thread's stack with the first 3 function arguments
- kp: List the current thread's stack with all function arguments (needs symbols)
Show environment
- lm: List modules
- lmv: List modules with version information
- lmvm <module>: Show version information for a specific module
Crash dump automatic analysis
- !analyze -v: Analyze a crash
- !analyze -v -hang: Analyze a hang
Show exception context
- Get context address from `kv`
- .cxr <address>
- If there is “???” shown in the result of .cxr, it indicates an invalid address access or memory corruption
Disassemble code
- u: Disassemble code at the address
- ub: Disassemble code before that address
CPU high analysis
- !runaway 7: Show each thread's user-mode CPU time, kernel-mode CPU time and elapsed time
- If a thread's CPU time takes up a large portion of its elapsed time, it might indicate a high-CPU symptom.
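The "large portion of elapsed time" check above can be automated. The following Python script is an added example, not part of the original notes: it parses text in the shape of `!runaway 7` output (the sample below is constructed, not a real capture), sums user and kernel time per thread and reports threads whose CPU time is at least a chosen fraction of their elapsed time. The column layout it assumes (`id:osid`, then `N days h:mm:ss.mmm`) is the one Windbg prints for the three sections; adjust the regex if your build differs.

```python
import re

# Constructed sample in the shape of "!runaway 7" output (not a real capture).
# Thread 3 has burned almost all of its 3 minutes of wall-clock time on the CPU.
SAMPLE_RUNAWAY = """\
 User Mode Time
  Thread       Time
   3:1a2c      0 days 0:02:58.500
   0:0f10      0 days 0:00:00.250
   1:0f44      0 days 0:00:00.015
 Kernel Mode Time
  Thread       Time
   3:1a2c      0 days 0:00:00.750
   0:0f10      0 days 0:00:00.031
   1:0f44      0 days 0:00:00.000
 Elapsed Time
  Thread       Time
   3:1a2c      0 days 0:03:00.000
   0:0f10      0 days 0:03:00.000
   1:0f44      0 days 0:02:30.000
"""

SECTION_RE = re.compile(r"^\s*(User Mode|Kernel Mode|Elapsed) Time\s*$")
# debugger thread id : OS thread id, then "N days h:mm:ss.mmm"
ROW_RE = re.compile(r"^\s*(\d+):([0-9a-fA-F]+)\s+(\d+) days (\d+):(\d+):(\d+)\.(\d+)\s*$")
SECTION_KEY = {"User Mode": "user", "Kernel Mode": "kernel", "Elapsed": "elapsed"}


def parse_runaway(text):
    """Return {debugger_thread_id: {"osid": hex str, "user": s, "kernel": s, "elapsed": s}}."""
    threads = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = SECTION_KEY[m.group(1)]
            continue
        m = ROW_RE.match(line)
        if m and section:
            tid = int(m.group(1))
            days, h, mi, s, ms = (int(g) for g in m.group(3, 4, 5, 6, 7))
            secs = days * 86400 + h * 3600 + mi * 60 + s + ms / 1000.0
            threads.setdefault(tid, {"osid": m.group(2)})[section] = secs
    return threads


def cpu_hogs(threads, threshold=0.5):
    """Threads whose (user + kernel) / elapsed ratio is at least `threshold`, busiest first."""
    hogs = []
    for tid, t in threads.items():
        elapsed = t.get("elapsed", 0.0)
        if elapsed <= 0:
            continue  # no elapsed time recorded; nothing to compare against
        ratio = (t.get("user", 0.0) + t.get("kernel", 0.0)) / elapsed
        if ratio >= threshold:
            hogs.append((tid, round(ratio, 3)))
    return sorted(hogs, key=lambda item: -item[1])


if __name__ == "__main__":
    for tid, ratio in cpu_hogs(parse_runaway(SAMPLE_RUNAWAY)):
        print(f"thread {tid}: {ratio:.1%} of elapsed time on CPU -> inspect with ~{tid}s; kv")
```

Once a thread is flagged, switch to it (`~<id>s`) and dump its stack with `kv`; a thread spinning in the same frames across several captures is the usual high-CPU signature.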
Analyze deadlock
- !analyze -v -hang
  - However, it might not give the correct result
- !locks
  - Show current locks
- !cs -s -l -o
  - Show critical section owners
- ub <return address of the EnterCriticalSection frame>
  - Show the critical section it is about to enter
Analyze stack overflow (recursion)
- ~*k
  - Shows the same functions repeated many times in the call stack
- !teb
  - Show the stack base and limit
- dps <stack limit> <stack base>
  - Show the stack range content
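The "same functions repeated many times" observation is easy to miss on a stack that is thousands of frames deep. The following Python script is an added example, not part of the original notes: it parses text in the shape of `k` output (the sample is constructed, not a real capture), strips the `+offset` from each symbol and flags a stack in which one symbol dominates. The frame regex accepts both the x86 `ChildEBP RetAddr` layout and x64 addresses with a backtick separator, with or without a leading frame number.

```python
import re
from collections import Counter

# Constructed sample in the shape of "k" output from an x86 process that is recursing
# without a base case (not a real capture).
SAMPLE_STACK = """\
ChildEBP RetAddr
0012fa18 00401057 demo!Recurse+0x17
0012fa24 00401057 demo!Recurse+0x17
0012fa30 00401057 demo!Recurse+0x17
0012fa3c 00401057 demo!Recurse+0x17
0012fa48 004010a2 demo!main+0x22
0012fa9c 7c817077 demo!mainCRTStartup+0xe9
0012ffc0 00000000 kernel32!BaseProcessStart+0x23
"""

# optional two-digit frame number, child frame pointer, return address, symbol
FRAME_RE = re.compile(r"^\s*(?:[0-9a-fA-F]{2}\s+)?[0-9a-fA-F`]+\s+[0-9a-fA-F`]+\s+(\S+)")


def parse_frames(text):
    """Return the symbols on the stack, top frame first, with any +offset removed."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.group(1).split("+")[0])
    return frames


def most_repeated_frame(text):
    """(symbol, count) of the most frequent frame, or (None, 0) for an empty stack."""
    frames = parse_frames(text)
    if not frames:
        return (None, 0)
    sym, count = Counter(frames).most_common(1)[0]
    return (sym, count)


def looks_recursive(text, min_repeats=3, min_share=0.5):
    """Heuristic: one symbol appears at least min_repeats times and makes up
    at least min_share of all frames on the stack."""
    frames = parse_frames(text)
    if not frames:
        return False
    _, count = most_repeated_frame(text)
    return count >= min_repeats and count / len(frames) >= min_share


if __name__ == "__main__":
    sym, count = most_repeated_frame(SAMPLE_STACK)
    print(f"most repeated frame: {sym} x{count}; recursive: {looks_recursive(SAMPLE_STACK)}")
```

Windbg truncates `k` at 20 frames by default; raise the count (for example `k 1000`) before feeding the output to this script, and confirm the suspicion with `!teb` by comparing the current stack pointer against the stack limit.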
Analyze .NET Framework process crash
- There is “mscorwks” in the call stack
- Show the .NET version
  - lmvm mscorwks
- Load the sos extension dll
  - .load C:\Windows\Microsoft.NET\<version>\SOS.dll
  - .unload sos
- Print the .NET exception with the sos extension dll
  - !pe
Analyze WoW64 process
- There is “wow64” in the call stack
- Show the current machine type
  - .effmach
- Set the machine type to x86
  - .effmach x86
  - !sw (from the wow64exts extension, loaded with .load wow64exts) can switch between x86 and x64
  - Then we can see x86 call stacks
- To see MessageBox parameters
  - du <argument address>
Analyze memory leak
- Turn on gflags: Windows Kits > Global Flags > System Registry > Create user mode stack trace database
- Show the current gflags
  - !gflag
- Show heaps
  - !heap -s
  - !heap -k -h <heap id>
Analyze infinite wait
- Analyze with !analyze
  - !analyze -v -hang
- Show the WaitForMultipleObjects arguments
  - 1st argument = number of handles
  - 2nd argument = handle array
  - dp <2nd argument address>
- Show each handle
  - !handle <handle address> f
Analyze kernel dump
- List the current process
  - !process
- List all processes
  - !process 0 0
  - !process 0 7: with call stacks
- Get the IRP list from the output of !process <process address>
- Show an IRP
  - !irp <irp address>
- Get the device object from “Device” in the IRP list, then show its info
  - !devobj <device obj address>
- Get the file object from “File” in the IRP list, then show its info
  - !fileobj <file obj address>
- Show thread info
  - !thread
  - !thread <thread address>
- Change thread
  - .thread <thread address>
- Show page table entry
  - !pte <address>
- Check whether the machine is running on a VM
  - lmvm vmmemctl: for VMware
Analyze kernel dump for memory problems
- Show memory
  - !vm
  - If NonPagedPool Usage is close to NonPagedPool Max, or PagedPool Usage is close to PagedPool Max, there could be a memory pressure problem.
  - !poolused 2: non-paged pool
  - !poolused 4: paged pool
- Show running processors and threads
  - !running
  - !running -i -t: include idle processors, and show call stacks
- Show system info
  - !sysinfo cpuinfo
  - !sysinfo
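The "usage close to max" comparison from `!vm` above is the kind of check worth scripting when you triage many dumps. The following Python script is an added example, not part of the original notes: it parses text in the shape of the pool lines of `!vm` output (the sample is constructed, not a real capture), computes the usage-to-maximum ratio for each pool and names the pools above a threshold. It assumes the `Name: pages ( Kb)` column layout and accepts either `Max` or `Maximum` as the label for the limit line; the `PagedPool 0 Usage` per-pool lines are deliberately skipped.

```python
import re

# Constructed sample in the shape of the "!vm" summary (not a real capture).
# Non-paged pool is almost exhausted; paged pool is fine.
SAMPLE_VM = """\
*** Virtual Memory Usage ***
        Physical Memory:      524064 (   2096256 Kb)
        Available Pages:      101532 (    406128 Kb)
        NonPagedPool Usage:    66210 (    264840 Kb)
        NonPagedPool Max:      69215 (    276860 Kb)
        PagedPool 0 Usage:     12044 (     48176 Kb)
        PagedPool Usage:       20264 (     81056 Kb)
        PagedPool Maximum:    523264 (   2093056 Kb)
"""

# pool name, "Usage" or "Max"/"Maximum", page count, then the Kb figure in parentheses
POOL_RE = re.compile(r"^\s*(NonPagedPool|PagedPool)\s+(Usage|Max\w*):\s+(\d+)\s+\(\s*(\d+)\s*Kb\)")

# !poolused flag that breaks each pool down by tag (from the notes above)
POOLUSED_FLAG = {"NonPagedPool": 2, "PagedPool": 4}


def parse_pools(text):
    """Return {"NonPagedPool": {"usage": kb, "max": kb}, "PagedPool": {...}} from !vm text."""
    pools = {}
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            key = "usage" if m.group(2) == "Usage" else "max"
            pools.setdefault(m.group(1), {})[key] = int(m.group(4))
    return pools


def pool_pressure(pools, threshold=0.9):
    """Pools whose usage / max is at least `threshold`, as (name, ratio), worst first."""
    stressed = []
    for name, p in pools.items():
        if "usage" not in p or not p.get("max"):
            continue  # incomplete or zero-limit entry; cannot compute a ratio
        ratio = p["usage"] / p["max"]
        if ratio >= threshold:
            stressed.append((name, round(ratio, 3)))
    return sorted(stressed, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, ratio in pool_pressure(parse_pools(SAMPLE_VM)):
        print(f"{name}: {ratio:.1%} of maximum -> next step: !poolused {POOLUSED_FLAG[name]}")
```

A pool reported here points you at the matching `!poolused` command; sorting that output by allocation size usually identifies the driver tag responsible for the leak.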
Analyze complete kernel dump
- There is “Kernel Complete Dump File: Full address space is available” in the Windbg output
- Change process
  - .process /r /P <process address>
- Change thread
  - .thread <thread address>