Windbg scratchpad

// ------------------------------- GENERAL ---------------------------------

!address mem => info de mem
!analyze -v => analyze crash
r => registers
dS => print UNICODE_STRING
db 0x1245 => dump binary memory at address 0x1245
poi() => Reference point. Ex db poi(poi(Thing)+0x18) => Dump info of something in the +0x18 pointed by Thing
cls => clear screen
~~[6a28]s => switch to thread
k => callstack

// Reference of common
// http://windbg.info/doc/1-common-cmds.html

// ------------------------- CONTROL FLOW ----------------------------------

// Set breakpoint with symbols loaded
bp module!myfunction

// Set breakpoint when the symbols can be resolved, ex, before driver load
bu module!myfunction

// Remove breakpoint n
bc <n>

// Skip Driver entry, if it's bsoding or anything :)
// Can use this to skip other functions
bu myDriver!DriverEntry "r eip = poi(@esp); r esp = @esp + 0xC; .echo myDriver!DriverEntry skipped; g"


// ----------------------------- SYMBOLS -----------------------------------

// Symbol path
.sympath cache*D:\custom\cache\path;srv*\\CUSTOM_SYMBOL\SERVER;srv*https://msdl.microsoft.com/download/symbols;

// If they don't fit exactly, you can use this
// Beware this can cause the stack trace to be a a bit of a mess
.symopt+0x40

// Reload symbols, always use name of the module with extensions
.reload /f driver.sys

// Symbol debugging, can use quiet to reverse
!sym noisy

// Info about module
lmv m program 
.reload /i program.exe

// Verification, note no extension!
!lmi nt => verify symbols loaded

// See all modules
x *! 


// ---------------------------- MEMORY LEAKS -------------------------------
// gflags
!gflag => flags enabled, ie 0x00001000 => userspace stack trace enabled

// Enable stack traces
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\gflags.exe" /i LeakExample.exe +ust

!address -summary => list usage
!heap -s => Not super realiable, but list heaps
!heap -stat -h #heapadrr => lists usage of top allocs, by block size/reps (hex!)
!heap -flt s #size
!heap -flt s #size => lists allocs of blocks of given size, including usrptr
!heap -p -a #usrptr => if available, lists stack trace of said alloc
u #addr => search asm y source if possible. #addr may be module relative.

// Display stack when reserving memory
// Check the heap you want, ex  0x12345678, with esp
// And filter for certain allocations sizes with esp, ex 0x123
// After the alloc, continue
bp ntdll!RtlAllocateHeap "j ((poi(@esp+4) = 0x12345678) & (poi(@esp+c) = 0x123) )'k';'gc'" 

// View Nonpaged by amount of bytes
!poolused /t 5  0x2
!vm
!memusage
!for_each_module s -a @#Base @#End "Proc "
ln 8096c909 
lm a 8096c909
!for_each_module s -d @#Base @#End 8096c8cc

// Memory POOLs. BEWARE, in xp, you must activate it with gflags
!poolused

// ------------------------------- UTILITIES -----------------------------------
// Dump dump's information (heh)
.dumpdebug

// Reg
!reg q \registry\machine\system\controlset001
!reg q \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\myDriver
// hive then subkey
!reg keyinfo e1036b60 d1402e8c

// Enable dbgprint
ed Kd_DEFAULT_Mask 0x8
!dbgprint

// Services, nonwindbg. Note the spaces!
sc create FsFilter type= filesys binPath= c:\FSFilter.sys
sc start FsFilter
sc stop FsFilter
sc delete FsFilter.sympath cache*C:\symbols;C:\symbolsaux\symbolsforcleaning;srv*https://msdl.microsoft.com/download/symbols

// W32
!wow64exts.k => load wow64mode (64 bit dumps of 32 bit processes)
sw => switch mode