问题
I see some references and tutorials about the commnads of WinDBG.
Some of them like this lm
, this .echo
, this !running
, and this nt!_PDB
.
What is difference between these categories
- xxx
- .xxx
- !xxx
- xxx!yyy
?
They look so confused.
回答1:
There are built-in commands, meta commands (dot commands) and extension commands (bang commands).
My personal opinion is that you needn't care too much about the difference of built-in commands compared to meta commands, since there are enough examples where those definitions do not match properly. It's sufficient to know that they are always there and don't need an extension to be loaded.
Good examples for built-in commands, which are mainly about controlling and getting information from the debugging target:
g - go
k - call stack
~ - list threads
Examples where IMHO this definition does not really match:
version - show version of the debugger
vercommand - show command line that was used to start the debugger
n - set number base
Good examples for meta commands, which are thought for only affecting the debugger but not the target:
.cls - clear screen
.chain - display loaded extensions
.effmach - change behavior of the debugger regarding the architecture
.prefer_dml - change output format
Example where IMHO this definition does not really match:
.lastevent - show last exception or event that occurred (in the target)
.ttime - display thread times (of the target)
.call - call a function (in the target)
.dvalloc - allocate memory (in the target)
However, it's good to understand that the extension commands are different, especially because the same command may result in different output, depending on which extension is loaded or appears first in the extension list and that you can affect the order (e.g. by .load
, .unload
, .setdll
). Besides the simple form !command
, note that there is also the !extension.command
syntax to specify the extension explicitly. I'll use it in the example below. (There's even !c:\path\to\extension.command
)
The example of a collision of extension commands is given from a kernel debug session where one !heap
does not give any output and the other obviously needs a parameter to work.
0: kd> !ext.heap
0: kd> !exts.heap
Invalid type information
The last format mentioned in your question (xxx!yyy
) is not a command, but a method or type information where xxx denotes the module (DLL) and yyy denotes the method or type name. Often, this is also seen with an additional offset in bytes for locations inside the method (xxx!yyy+0xhhh
)
回答2:
See the following:
xxx - these are built in commands
.xxx - these are meta commands
!xxx - these are extension commands, so they call a command from an extension dll
xxx!yyy - this looks the syntax to reference an exported function from a dll:
<dll_name>!<method_name>
You may find the following useful: http://windbg.info/doc/1-common-cmds.html
来源:https://stackoverflow.com/questions/37441575/the-categories-of-commands-of-windbg