shows the most common ways that data can be displayed.
For example, to display a string at offset 0x401020, you would use the command da 0x401020.
The e command is used in the same way to change memory values. It uses the following syntax:
ex addressToWrite dataToWriteThe x values are the same values used by the dx commands. You’ll find many additional options documented in the help files.
You can perform operations on memory and registers directly from the command line using simple arithmetic operations, such as addition (+), subtraction (-), multiplication (*), and division (/). Command-line options are useful as shortcuts and when trying to create expressions for conditional breakpoints.
The dwo command is used to dereference a 32-bit pointer and see the value at that location. For example, if you are at a breakpoint for a function and the first argument is a wide character string, you can view the string with this command:
du dwo (esp+4)
The esp+4 is the location of the argument. The dwo operator identifies the location of the pointer for the string, and du tells WinDbg to display the wide character string at that location.
The bp command is used to set basic breakpoints in WinDbg. You can also specify commands to be run automatically when a breakpoint is hit prior to control being passed to the user. This is used with the go (g) command, so that the breakpoint performs an action and then continues without waiting for the user. For example, the following command will print out the second argument every time the GetProcAddress function is called without actually stopping the program’s execution.
bp GetProcAddress "da dwo(esp+8); g"
The example will print the function name being requested for every call to GetProcAddress. This is a useful feature because the breakpoint will be executed much faster than if it returned control to the user and waited for the user to issue the command. The command string can become fairly sophisticated with support for conditional statements, such as .if statements and .while loops. WinDbg supports scripts that use these commands.
Note
Commands sometimes attempt to access invalid memory locations. For example, the second argument to GetProcAddress can be either a string or an ordinal number. If the argument is an ordinal number, WinDbg will try to dereference an invalid memory location. Luckily, it won’t crash and will simply print ???? as the value at that address.
WinDbg does not have a feature similar to OllyDbg’s memory map that lays out all the memory segments and loaded modules. Alternatively, WinDbg’s lm command will list all the modules loaded into a process, including the executables and DLLs in user space and the kernel drivers in kernel mode. The starting address and ending address for each module are listed as well.
Войти в систему
Войти с помощью соц. сетей:
