Postrediori/WinDbg-Cheatcheet.md

Created April 10, 2024 09:32

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/Postrediori/3e7be5944dc6e06466ae43e21851139b.js"></script>
Save Postrediori/3e7be5944dc6e06466ae43e21851139b to your computer and use it in GitHub Desktop.

Download ZIP

WinDbg Cheatsheet

Raw

WinDbg-Cheatcheet.md

WinDbg Cheatsheet

Get WinDbg installation files

Download WDK installation tool (https://learn.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads)
Download WDK files
Locate X86 Debuggers And Tools-x86_en-us.msi and X64 Debuggers And Tools-x64_en-us.msi

Basic commands

General commands structure

Command type	Example	Description
command starting with `!`	`!peb!`	high-level command, e.g. for checks of process structure in memory
command starting with `.`	`.reload`	work with debugger settings
command without `!` or `.`	`dt`	low-level command

Debugger commands

Command	Desctiption
`.reload`
`.reload /user`	Load symbols from current process in userspace
`.reload /f`	Force reload all symbols
`.reload /f cscui.dll`	Force reload symbols for specific DLLs
`_NT_SYSMBOL_PATH`

User-mode debug

Debug controls

Command	Description
`g`	Go until breakpoint
`p`	Step
`t`	Trace
`.restart`	Restart debug

Breakpoints

Command	Examples	Description
`bp`		Breakpoint
	`bp kernel32!createfilew`, `bp ntdll!ntcreatefile`	Breakpoint functions
`bl`		List breakpoints
`ba r <width> <addr>`		Read memory breakpoint
	`ba r 1 0x0b528128`	Read byte breakpoint
	`ba r 2 0x0b528128`	Read word breakpoint
	`ba r 4 0x0b528128`	Read dword breakpoint

Dump memory

Command	Description
`d<type> [addr] [count]`	Dump `count` bytes from memory at `addr`
`db`	Dump bytes
`dd`	Dump DWORDs
`dq`	Dump QWORDs
`du`	Dump Unicode
`du @rcx`	Dump from address in registry
`du @rcx 1`	Display 1 item

Checking process stats

Command	Examples	Description
`k`		Call stack
`r`		Registers
`s -a 0 L?<addr> "<str>"`	`s -a 0 L?80000000 "Forest"`	Look for string in memory
`lm`		Show DLLs ("loaded modules")
`!dlls`		Show DLLs
`!peb`		Show Process Environment Block
`!teb`		Thread Environment Block
`!handle [PARAMS]`		Check handle info
	`!handle`	General handle info
	`!handle x f`	Show the most handle information (`f` - four bits mask, show all info)

Kernel debugging

Command	Examples	Description
`!process n m [NAME]`		List of processes. `n` - process ID, `0` - all processes, `m` - detail level, `0` - the least amount of detail
	`!process 0 0`	List of all processes
	`!process 0 0 process.exe`	Search of processes by name
`dt nt!_eprocess <addr>`		Executive Process ("eprocess") info
`!object <addr>`		Info on object (handle) by address
`.process /p <addr>`		Resolve further addresses with regard to process
	`.process /p addr; !peb addr`	Redirecting info using `;` (`!peb` will use process address)
`eb <addr> <byte>`		Rewrite byte in address space
`dt nt!_eprocess <addr> Protection.`		Info about memory protection

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment