Skip to content

Instantly share code, notes, and snippets.

@poizan42

poizan42/PDEv11.3.help.dml

Last active November 14, 2019 08:05
Show Gist options
  • Save poizan42/43d9083e015626206673227858e3c298 to your computer and use it in GitHub Desktop.
Save poizan42/43d9083e015626206673227858e3c298 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
PDEv11.3.help.dml
=========================================================================================
<link cmd="!PDE.help">Help</link> for <b>Prototype Debugger Extension (PDE) v11.3</b> - Copyright 2009-2017 Andrew Richards
=========================================================================================
!seek - Equivalent of ~*knL and/or !deep 1
!seek [-q] [-e symbol] [&lt;symbol&gt; [command]]
- Execute 'command' against stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
- Specify '-q' (quiet) to omit the per-thread header
- Specify '-e' to exclude stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
e.g. !seek
!seek ReadFile
!seek ReadFile kbn
!seek ReadFile dps @rsp @rsp+0x20
!seek -q ReadFile !teb
!seek -e SleepEx ReadFile !teb
!seek -? - Display the help for !seek
!seek -help - Display the help for !seek
=========================================================================================
!deep - Equivalent of ~*knL but only displays stacks that are at least
'depth' frames deep (default depth is 1)
!deep [&lt;depth&gt; [-q] [-s symbol] [-e symbol] [command]]
- Execute 'command' against stacks that are at least 'depth' frames deep
- Specify '-q' (quiet) to omit the per-thread header
- Specify '-s' to only include stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
- Specify '-e' to exclude stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
e.g. !deep
!deep 25
!deep 25 kbn
!deep 25 dps @rsp @rsp+0x20
!deep 25 -q
!deep 25 -q !teb
!deep 25 -s ReadFile
!deep 25 -s ReadFile kbn
!deep 25 -s ReadFile dps @rsp @rsp+0x20
!deep 25 -e SleepEx
!deep 25 -e SleepEx kbn
!deep 25 -e SleepEx dps @rsp @rsp+0x20
!deep -? - Display the help for !deep
!deep -help - Display the help for !deep
=========================================================================================
!busy - Equivalent of ~*knL but only displays stacks that are at least
'depth' frames deep (default depth is 1) and are not waiting for:-
~ ntdll!NtWaitFor*
~ ntdll!ZwWaitFor*
~ ntdll!NtRemoveIoCompletion
~ ntdll!ZwRemoveIoCompletion
~ ntdll!NtReplyWaitReceivePort
~ ntdll!ZwReplyWaitReceivePortEx
!busy [&lt;depth&gt; [-x] [-q] [-s symbol] [-e symbol] [command]]
- Execute 'command' against stacks that are at least 'depth' frames deep
and are not waiting (for the list above)
- Specify '-x' to also exclude waiters of network calls, sleeps nad messages:-
~ ntdll!NtRequestWaitReplyPort
~ ntdll!ZwRequestWaitReplyPort
~ ntdll!NtDelayExecution
~ ntdll!ZwDelayExecution
~ ntdll!RtlDeactivateActivationContextUnsafeFast
~ *!NtUserWaitMessage
~ *!ZwUserWaitMessage
~ *!ZwUserGetMessage
~ *!NtUserGetMessage
- Specify '-q' (quiet) to omit the per-thread header
- Specify '-s' to only include stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
- Specify '-e' to exclude stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
e.g. !busy
!busy 25
!busy 25 kbn
!busy 25 dps @rsp @rsp+0x20
!busy 25 -x
!busy 25 -x kbn
!busy 25 -x dps @rsp @rsp+0x20
!busy 25 -q
!busy 25 -q !teb
!busy 25 -s ReadFile
!busy 25 -s ReadFile kbn
!busy 25 -s ReadFile dps @rsp @rsp+0x20
!busy 25 -e SleepEx
!busy 25 -e SleepEx kbn
!busy 25 -e SleepEx dps @rsp @rsp+0x20
!busy -? - Display the help for !busy
!busy -help - Display the help for !busy
=========================================================================================
!dpx - Equivalent of dps, dpp, dpa and dpu (combined); also class types (dt) and trap frames (kV)
!dpx - Displays from stack pointer to the stack base
!dpx N - Displays the first N values, from the stack pointer down
!dpx &lt;addr&gt; N
- Displays the first N values, from &lt;addr&gt; down
!dpx &lt;addr&gt; &lt;addr&gt;
- Displays from addr to addr
- Specify '-u' to display an unlimited number of values
Default limit is 6,000 addresses
- Specify '-a' to display all stack values
Default only displays stack values that point to a value
- Interface pointers are adjusted to align with the class's virtual function table (vftable)
- When there is a value adjustment, the pointer is displayed in <col fg="clbg">light blue</col> text
- Specify the following to limit the types; multiple options are allowed
-da : <col fg="srcstr">ANSI strings</col>
-du : <col fg="srcstr">UNICODE strings</col>
-dt : <col fg="srccmnt">Data Types</col>
-ds : <col fg="srcannot">Symbols</col>
-df : Trap Frames (Kernel only)
-dse: Stowed Exceptions (WinRT apps only)
e.g. !dpx
!dpx 20
!dpx -a
!dpx -da -du 20
!dpx &lt;addr&gt; &lt;addr&gt; -u
!dpx &lt;addr&gt; &lt;addr&gt; -u -a
=========================================================================================
!spx - Find an expression (number) or data type (symbol)
- Search is pointer aligned
- Special handling for multiple interface classes
- Add -dt to perform a 'dt' on each address
- Very fast in User Mode
- Very slow in Kernel Mode
!spx [-dt] [-s &lt;addr&gt;] [-e &lt;addr&gt;] &lt;expression&gt;
e.g. !spx combase!CComApartment
!spx -dt combase!CComApartment
!spx -s @rsp -e @rsp+1000 0x1234000+0n56
=========================================================================================
!ssz - Find ANSI and UNICODE strings
!ssa - Find ANSI strings
!ssu - Find UNICODE strings
- Search is case sensitive
- Displays up to 200 characters after the initial match
- UNICODE search is a conversion of the ANSI command line
- Very FAST in User Mode
- Very slow in Kernel Mode
!ssz [-s &lt;addr&gt;] [-e &lt;addr&gt;] &lt;string&gt;
!ssa [-s &lt;addr&gt;] [-e &lt;addr&gt;] &lt;string&gt;
!ssu [-s &lt;addr&gt;] [-e &lt;addr&gt;] &lt;string&gt;
e.g. !ssz Program Files
!ssz Windows
!ssz -s @rsp -e @rsp+1000 User
=========================================================================================
!dtr - Equivalent of dt for each valid register
!dtr [args]
!dtr - Lists registers that point to an address; includes class type
!dtr &lt;arg&gt; - Equivalent of dt @reg &lt;arg&gt; for each valid register
!dtr &lt;arg&gt; --&gt; dt @reg &lt;arg&gt;
e.g. !dtr
!dtr nt!_ERESOURCE
!dtr nt!_ERESOURCE Flag
=========================================================================================
!grep - Only shows lines which contain &lt;search&gt;
- Search is case insensitive
- Lines are delimited by newline ('\n')
- !grep can be chained
!grep &lt;search&gt; &lt;command&gt;
e.g. !grep days vertarget
!grep call u @eip
!grep dt !dpx
!grep dt !grep DUser !dpx
!ungrep - Same as !grep but exclusion
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
!bold - Highlight the lines which contain &lt;search&gt;
- Search is case insensitive
- Lines are delimited by newline ('\n')
!bold &lt;search&gt; &lt;command&gt;
e.g. !bold version vertarget
!bold call uf ntdll!RtlUserThreadStart
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
!head - Display the first N bytes of a command
!tail - Display the last N bytes of a command
!head &lt;bytes&gt; &lt;command&gt;
!tail &lt;bytes&gt; &lt;command&gt;
=========================================================================================
!ghostthreads - Lists all threads; real or ghosts
!gt - Same as !ghostthreads
!gt [command] - If 'command' is specified, the command is run
for each thread, instead of the summary table.
- The following substitutions are made:
- $teb - TEB Address
- $base - Stack Base Address
- $limit - Stack Limit Address
e.g. !gt !teb $teb
!gt !dpx $base $limit
=========================================================================================
!loadsos - Runs #1
!loadpsscor - Runs #2
!loadsosex - Runs #3
!loadspext - Runs #4
Define PDE_LOADCORDLL to change the default (at load)
0 = Disabled
1 = SOS (default)
2 = PSSCORx + SOSEX
3 = SOS + SOSEX
4 = SOS + SOSEX + SPEXT
=========================================================================================
!comment - Display the dump's comment (with DML)
!notes - Executes commands based on the dump type - starts your case notes
!exr - Executes commands based on the exception code (.exr -1)
!line - Print a line
!bigline - Print three big lines
!du &lt;addr&gt; - Display a UNICODE string (up to 4Gb)
!da &lt;addr&gt; - Display a ANSI string (up to 4Gb)
!err &lt;code&gt; - Display an Error Code
!guid &lt;addr&gt; - Display a GUID
!url &lt;url&gt; - Open a url; use !ext.url instead
!kr - knL printed upside down so WinDiff works better
!dtr - Displays Data Types in Registers
!msr - Displays the Model-Specific Registers (MSR)
!stowedexceptions
- Display the Stowed Exceptions of a Store app
!dse - Same as !stowedexceptions
!bgtask - Display the Background Tasks of a Store app
!symsrvaudit - Display the SRV status of each lookup made during the command
- Command defaults to &quot;.reload /f&quot;
!diadump &lt;module&gt;
- Dump the DIA Tables and Assembly Information of the specified Module
!dbgp - Dump a DBGP ACPI table
!dbg2 - Dump a DBG2 ACPI table
!msdm - Dump a MSDM ACPI table
!slic - Dump a SLIC ACPI table
!dmem - Display the Memory Regions of a User Mode dump
!vmem - Display the Virtual Regions of a User Mode process
!tags [GUID] - List the GUID and Size of the secondary callback chunks
!tagshex [GUID] - List the GUID and Size of the secondary callback chunks, and dump in HEX
!tagstext [GUID]- List the GUID and Size of the secondary callback chunks, and dump in TEXT
!crashtask - Enable crashdump support on the current (modern) process
!dml - Toggle .prefer_dml
!dmlraw - Print DML output as TEXT (used to review DML)
!help - Displays the help for all commands
=========================================================================================
-- Defaults --
DML On - .prefer_dml 1
UNICODE On - .enable_unicode 1
Ignore Pages On - .ignore_missing_pages 1
Lines Disabled - .lines -d
-- Aliases --
symoff - .outmask- 0x200
symon - .outmask+ 0x200
dml - !PDE.dml
av - !ext.analyze -nodb -v
avv - !ext.analyze -nodb -v6
ax - !ext.analyze -nodb -xml
axv - !ext.analyze -nodb -xml -xcs -xmi
axs - !ext.analyze -nodb -xsd
show - !ext.analyze -show
sn - !sym noisy
sq - !sym quiet
rf - .reload /f
ru - .reload /u
=========================================================================================
Raw
PDEv11.3.help.txt
=========================================================================================
Help for Prototype Debugger Extension (PDE) v11.3 - Copyright 2009-2017 Andrew Richards
=========================================================================================
!seek - Equivalent of ~*knL and/or !deep 1
!seek [-q] [-e symbol] [<symbol> [command]]
- Execute 'command' against stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
- Specify '-q' (quiet) to omit the per-thread header
- Specify '-e' to exclude stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
e.g. !seek
!seek ReadFile
!seek ReadFile kbn
!seek ReadFile dps @rsp @rsp+0x20
!seek -q ReadFile !teb
!seek -e SleepEx ReadFile !teb
!seek -? - Display the help for !seek
!seek -help - Display the help for !seek
=========================================================================================
!deep - Equivalent of ~*knL but only displays stacks that are at least
'depth' frames deep (default depth is 1)
!deep [<depth> [-q] [-s symbol] [-e symbol] [command]]
- Execute 'command' against stacks that are at least 'depth' frames deep
- Specify '-q' (quiet) to omit the per-thread header
- Specify '-s' to only include stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
- Specify '-e' to exclude stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
e.g. !deep
!deep 25
!deep 25 kbn
!deep 25 dps @rsp @rsp+0x20
!deep 25 -q
!deep 25 -q !teb
!deep 25 -s ReadFile
!deep 25 -s ReadFile kbn
!deep 25 -s ReadFile dps @rsp @rsp+0x20
!deep 25 -e SleepEx
!deep 25 -e SleepEx kbn
!deep 25 -e SleepEx dps @rsp @rsp+0x20
!deep -? - Display the help for !deep
!deep -help - Display the help for !deep
=========================================================================================
!busy - Equivalent of ~*knL but only displays stacks that are at least
'depth' frames deep (default depth is 1) and are not waiting for:-
~ ntdll!NtWaitFor*
~ ntdll!ZwWaitFor*
~ ntdll!NtRemoveIoCompletion
~ ntdll!ZwRemoveIoCompletion
~ ntdll!NtReplyWaitReceivePort
~ ntdll!ZwReplyWaitReceivePortEx
!busy [<depth> [-x] [-q] [-s symbol] [-e symbol] [command]]
- Execute 'command' against stacks that are at least 'depth' frames deep
and are not waiting (for the list above)
- Specify '-x' to also exclude waiters of network calls, sleeps nad messages:-
~ ntdll!NtRequestWaitReplyPort
~ ntdll!ZwRequestWaitReplyPort
~ ntdll!NtDelayExecution
~ ntdll!ZwDelayExecution
~ ntdll!RtlDeactivateActivationContextUnsafeFast
~ *!NtUserWaitMessage
~ *!ZwUserWaitMessage
~ *!ZwUserGetMessage
~ *!NtUserGetMessage
- Specify '-q' (quiet) to omit the per-thread header
- Specify '-s' to only include stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
- Specify '-e' to exclude stacks that contain 'symbol'
(Note, don't include a displacement in the specified symbol)
e.g. !busy
!busy 25
!busy 25 kbn
!busy 25 dps @rsp @rsp+0x20
!busy 25 -x
!busy 25 -x kbn
!busy 25 -x dps @rsp @rsp+0x20
!busy 25 -q
!busy 25 -q !teb
!busy 25 -s ReadFile
!busy 25 -s ReadFile kbn
!busy 25 -s ReadFile dps @rsp @rsp+0x20
!busy 25 -e SleepEx
!busy 25 -e SleepEx kbn
!busy 25 -e SleepEx dps @rsp @rsp+0x20
!busy -? - Display the help for !busy
!busy -help - Display the help for !busy
=========================================================================================
!dpx - Equivalent of dps, dpp, dpa and dpu (combined); also class types (dt) and trap frames (kV)
!dpx - Displays from stack pointer to the stack base
!dpx N - Displays the first N values, from the stack pointer down
!dpx <addr> N
- Displays the first N values, from <addr> down
!dpx <addr> <addr>
- Displays from addr to addr
- Specify '-u' to display an unlimited number of values
Default limit is 6,000 addresses
- Specify '-a' to display all stack values
Default only displays stack values that point to a value
- Interface pointers are adjusted to align with the class's virtual function table (vftable)
- When there is a value adjustment, the pointer is displayed in light blue text
- Specify the following to limit the types; multiple options are allowed
-da : ANSI strings
-du : UNICODE strings
-dt : Data Types
-ds : Symbols
-df : Trap Frames (Kernel only)
-dse: Stowed Exceptions (WinRT apps only)
e.g. !dpx
!dpx 20
!dpx -a
!dpx -da -du 20
!dpx <addr> <addr> -u
!dpx <addr> <addr> -u -a
=========================================================================================
!spx - Find an expression (number) or data type (symbol)
- Search is pointer aligned
- Special handling for multiple interface classes
- Add -dt to perform a 'dt' on each address
- Very fast in User Mode
- Very slow in Kernel Mode
!spx [-dt] [-s <addr>] [-e <addr>] <expression>
e.g. !spx combase!CComApartment
!spx -dt combase!CComApartment
!spx -s @rsp -e @rsp+1000 0x1234000+0n56
=========================================================================================
!ssz - Find ANSI and UNICODE strings
!ssa - Find ANSI strings
!ssu - Find UNICODE strings
- Search is case sensitive
- Displays up to 200 characters after the initial match
- UNICODE search is a conversion of the ANSI command line
- Very FAST in User Mode
- Very slow in Kernel Mode
!ssz [-s <addr>] [-e <addr>] <string>
!ssa [-s <addr>] [-e <addr>] <string>
!ssu [-s <addr>] [-e <addr>] <string>
e.g. !ssz Program Files
!ssz Windows
!ssz -s @rsp -e @rsp+1000 User
=========================================================================================
!dtr - Equivalent of dt for each valid register
!dtr [args]
!dtr - Lists registers that point to an address; includes class type
!dtr <arg> - Equivalent of dt @reg <arg> for each valid register
!dtr <arg> --> dt @reg <arg>
e.g. !dtr
!dtr nt!_ERESOURCE
!dtr nt!_ERESOURCE Flag
=========================================================================================
!grep - Only shows lines which contain <search>
- Search is case insensitive
- Lines are delimited by newline ('\n')
- !grep can be chained
!grep <search> <command>
e.g. !grep days vertarget
!grep call u @eip
!grep dt !dpx
!grep dt !grep DUser !dpx
!ungrep - Same as !grep but exclusion
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
!bold - Highlight the lines which contain <search>
- Search is case insensitive
- Lines are delimited by newline ('\n')
!bold <search> <command>
e.g. !bold version vertarget
!bold call uf ntdll!RtlUserThreadStart
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
!head - Display the first N bytes of a command
!tail - Display the last N bytes of a command
!head <bytes> <command>
!tail <bytes> <command>
=========================================================================================
!ghostthreads - Lists all threads; real or ghosts
!gt - Same as !ghostthreads
!gt [command] - If 'command' is specified, the command is run
for each thread, instead of the summary table.
- The following substitutions are made:
- $teb - TEB Address
- $base - Stack Base Address
- $limit - Stack Limit Address
e.g. !gt !teb $teb
!gt !dpx $base $limit
=========================================================================================
!loadsos - Runs #1
!loadpsscor - Runs #2
!loadsosex - Runs #3
!loadspext - Runs #4
Define PDE_LOADCORDLL to change the default (at load)
0 = Disabled
1 = SOS (default)
2 = PSSCORx + SOSEX
3 = SOS + SOSEX
4 = SOS + SOSEX + SPEXT
=========================================================================================
!comment - Display the dump's comment (with DML)
!notes - Executes commands based on the dump type - starts your case notes
!exr - Executes commands based on the exception code (.exr -1)
!line - Print a line
!bigline - Print three big lines
!du <addr> - Display a UNICODE string (up to 4Gb)
!da <addr> - Display a ANSI string (up to 4Gb)
!err <code> - Display an Error Code
!guid <addr> - Display a GUID
!url <url> - Open a url; use !ext.url instead
!kr - knL printed upside down so WinDiff works better
!dtr - Displays Data Types in Registers
!msr - Displays the Model-Specific Registers (MSR)
!stowedexceptions
- Display the Stowed Exceptions of a Store app
!dse - Same as !stowedexceptions
!bgtask - Display the Background Tasks of a Store app
!symsrvaudit - Display the SRV status of each lookup made during the command
- Command defaults to ".reload /f"
!diadump <module>
- Dump the DIA Tables and Assembly Information of the specified Module
!dbgp - Dump a DBGP ACPI table
!dbg2 - Dump a DBG2 ACPI table
!msdm - Dump a MSDM ACPI table
!slic - Dump a SLIC ACPI table
!dmem - Display the Memory Regions of a User Mode dump
!vmem - Display the Virtual Regions of a User Mode process
!tags [GUID] - List the GUID and Size of the secondary callback chunks
!tagshex [GUID] - List the GUID and Size of the secondary callback chunks, and dump in HEX
!tagstext [GUID]- List the GUID and Size of the secondary callback chunks, and dump in TEXT
!crashtask - Enable crashdump support on the current (modern) process
!dml - Toggle .prefer_dml
!dmlraw - Print DML output as TEXT (used to review DML)
!help - Displays the help for all commands
=========================================================================================
-- Defaults --
DML On - .prefer_dml 1
UNICODE On - .enable_unicode 1
Ignore Pages On - .ignore_missing_pages 1
Lines Disabled - .lines -d
-- Aliases --
symoff - .outmask- 0x200
symon - .outmask+ 0x200
dml - !PDE.dml
av - !ext.analyze -nodb -v
avv - !ext.analyze -nodb -v6
ax - !ext.analyze -nodb -xml
axv - !ext.analyze -nodb -xml -xcs -xmi
axs - !ext.analyze -nodb -xsd
show - !ext.analyze -show
sn - !sym noisy
sq - !sym quiet
rf - .reload /f
ru - .reload /u
=========================================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment