The blog continues at suszter.com/ReversingOnWindows

Windbg Notes


Common
!heap -p -a <addr> - Dump page heap information; with -a, figure out which page heap block <addr> belongs to (including its allocation stack)
.logopen c:\trace.log - Open log file
.logclose - Close log file
p - step over
t - step into
pa <stop address> - Execute the program until the stop address is reached, displaying each step (doesn’t step into calls)
ta <stop address> - Same as "pa" but step into calls
pt - Execute until a return instruction is reached
gu - Go until the current function returns
lm - List loaded modules
!dh <imagebase> - Display the PE header information of the module at <imagebase>
.writemem c:\test\dmp a80e0c L186a0 - Write the memory range (start address, length) out to a file
.readmem c:/test/file.dmp <address> L0n140 - Read the file contents into memory at <address> (L0n140 is a decimal length)
s ebp L1000 d0 40 34 01 - Search L1000 (hex, 0x1000) bytes starting at ebp for the byte pattern d0 40 34 01
ub <addr> - Unassemble backwards: disassemble the instructions immediately preceding the address specified
.childdbg - For debugging child processes
!for_each_module - List of modules loaded
dt _PEB @$peb - Process Environment Block via pseudo register
!address <addr> - Display information about the memory at <addr> (region, type, protection, owning module)
!vprot <addr> - Display the virtual memory protection of the page containing <addr>
x <module>!* - Display all symbols of the module
dds <StackLimit> <StackBase> - Dump the stack range as dwords with symbol lookup (useful for spotting return addresses)
ed <address> <value> - Write dword value at address
.dvalloc <size> - Allocate memory in the target process
!gle - Display the last-error value of the current thread (what GetLastError would return)

.NET
sxe ld:mscorlib OR sxe ld:clrjit - Break when the .NET runtime library (mscorlib) or the JIT (clrjit) is being loaded
.loadby sos mscorwks OR .loadby sos clr - Load SOS extension
!bpmd mscorlib.dll System.Reflection.Assembly.Load; g; db ecx; .writemem dump.dmp ecx+8 <length> - Break on Assembly.Load, then dump the in-memory MZ/PE image that is being loaded by reflection (on x86, ecx holds the byte[] argument; its data starts at +8)
!dumpheap -strings - Dump strings on the .NET heap

Scripting
$$>a< <filename> - Execute script file with parameter
Load SOS according to the version (seen on Stackoverflow)
!for_each_module .if($sicmp("@#ModuleName", "mscorwks") = 0) {.loadby sos mscorwks} .elsif ($sicmp("@#ModuleName" , "clr") = 0) {.loadby sos clr}
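The Assembly.Load dumping recipe from the .NET section, written out as a WinDbg script that can be run with $$>a<. This is an added example, not part of the original notes; it assumes a 32-bit .NET process with SOS already loaded (.loadby sos clr), the hypothetical script path c:\scripts\dumpasm.wds, and an existing c:\dump\ directory.

```windbg
$$ Added example (not from the original post): dump the byte[] passed to
$$ System.Reflection.Assembly.Load(byte[]) in a 32-bit .NET process.
$$ Assumptions: x86 debuggee, SOS loaded, c:\dump\ exists.
$$ Run with: $$>a< c:\scripts\dumpasm.wds

$$ Pending managed breakpoint on every Assembly.Load overload
!bpmd mscorlib.dll System.Reflection.Assembly.Load
g

$$ On x86 the first managed argument arrives in ecx. For the byte[] overload
$$ this is the array object: +0 MethodTable, +4 Length, +8 first element.
r $t0 = @ecx
r $t1 = poi(@$t0+4)

$$ Sanity check: a raw PE image starts with the 'MZ' signature (0x5a4d).
.if (wo(@$t0+8) != 0x5a4d) {
    .echo First argument is not a byte[] holding a PE image; skipping dump
} .else {
    $$ Show the header bytes, then write the whole array to disk.
    $$ L? lifts the debugger's range-size limit for large assemblies.
    db @$t0+8 L10
    .printf "Dumping %d bytes from %p\n", @$t1, @$t0+8
    .writemem c:\dump\reflect_load.dmp @$t0+8 L?@$t1
}

$$ Resume; the breakpoint stays armed for later loads
g
```

The script handles only the first hit; for repeated reflective loads re-run it from the breakpoint, or keep the output file name unique per hit.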

Extensions
!load msec.dll - Provides !exploitable (crash triage)
!load sdbgext.dll - debugger extension containing the feature to load a dll into a process

Breakpoints
sxe ld <module name> - … if a module is being loaded (if no parameter Windbg will break on every dll)
sxe ud <module name> - … if a module is being unloaded
sxe cpr:java.exe - stop on process creation (java.exe)
bp <addr> "<comm1>; <comm2>; gc" - Set breakpoint and execute command
bp <addr> "j @eax=<addr2>; gc" - Set a conditional breakpoint: break only when eax equals <addr2>, otherwise continue (gc)

GFlags
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
gflags /p /enable <exe name> /full - Enable full page heap verification
gflags /p - List which page heap verification is enabled
ntsd -g -x <exe name> - Launch the debuggee program under ntsd

Other
Example for sign-extension: .if ((@eip & 0x0`ffffffff) > 0x0`6600000) - mask off the upper 32 bits so a sign-extended 32-bit register compares correctly
LSize range specifier - Use L?<Size> to remove the debugger’s range limit check
register as JIT debugger: Windbg.exe -I
cdb -xn gp <filename>: notification at guard page exception but no break into the debugger
Windbg Workspace Settings: HKEY_CURRENT_USER\Software\Microsoft\Windbg\Workspaces
Symbols settings: _NT_SYMBOL_PATH=SRV*http://msdl.microsoft.com/download/symbols
Restoring context exception: http://blogs.msdn.com/carlos/archive/2008/12/10/heap-corruption-a-case-study.aspx

This blog is written and maintained by Attila Suszter.