kd: kernel mode debugger
windbg: GUI wrapper for ntsd and kd
Basic commands
.hh: show help
k: show call stack
r: show registers
q: quit the debugger
bp: set breakpoint
- bp foo!main
- bp `source.c:31`
ba: set data (hardware) breakpoint
p: step
pc: step to next call
kb: dump the stack with parameters
kn: dump the stack with frame numbers
kd: dump stack disassembly
~#s: switch to thread # (example: ~3s)
dd #: dump the data at address # (example: dd 01f056548)
bl: list breakpoints
bd: disable breakpoint
bc: remove breakpoint
lm: list loaded modules
x foo!*: list all symbols of module foo
.sympath: show the current symbol path
.sympath+ "\\your_computer\path\to\your\pdb": add a path to the symbol path
!sym noisy / !sym quiet: generate verbose / quiet output from the symbol loader
.srcpath: show the current source path
.srcpath+ "\\your_computer\path\to\your\pdb": add a path to the source path
Kernel-mode extensions
!symfix: run this when the debugger reports "nt symbols are incorrect, please fix"
!reload: reload symbols, including kernel symbols, private symbols and user symbols
!reload foo.sys: reload the symbols of the driver foo.sys
!process: list all processes
!process 0 0 myprocess.exe: show the process named myprocess.exe
!thread: show all threads
!driveinfo: driver information
!irp: inspect an IRP
!irpfind: list current IRPs
Loading symbols
!symfix
!reload
Connected to Windows 7 7601 x64 target at (Tue Jun 21 13:22:28.221 2011 (UTC - 7:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
............................
Loading User Symbols
................................................................
.........................
Loading unloaded module list
..........

Show a driver object (e.g. kbdclass)
!drvobj kbdclass
Driver object (fffffa8007370870) is for:
 \Driver\kbdclass
Driver Extension List: (id , addr)

Show the dispatch routines of a driver object (e.g. kbdclass)
!drvobj kbdclass 7
Driver object (fffffa8007370870) is for:
 \Driver\kbdclass
Driver Extension List: (id , addr)

Device Object list:
fffffa8007a31ce0  fffffa800743d6c0

DriverEntry:   fffff8800440becc  kbdclass!GsDriverEntry
DriverStartIo: 00000000
DriverUnload:  00000000
AddDevice:     fffff880044083b4  kbdclass!KeyboardAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                   fffff88004401dd4  kbdclass!KeyboardClassCreate
[01] IRP_MJ_CREATE_NAMED_PIPE        fffff800034b58ac  nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                    fffff8800440217c  kbdclass!KeyboardClassClose
[03] IRP_MJ_READ                     fffff88004402804  kbdclass!KeyboardClassRead
[04] IRP_MJ_WRITE                    fffff800034b58ac  nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION        fffff800034b58ac  nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION          fffff800034b58ac  nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                 fffff800034b58ac  nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                   fffff800034b58ac  nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS            fffff88004401ce0  kbdclass!KeyboardClassFlush
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff800034b58ac  nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION   fffff800034b58ac  nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL        fffff800034b58ac  nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL      fffff800034b58ac  nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL           fffff88004408a40  kbdclass!KeyboardClassDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL  fffff880044082b4  kbdclass!KeyboardClassPassThrough
[10] IRP_MJ_SHUTDOWN                 fffff800034b58ac  nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL             fffff800034b58ac  nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                  fffff88004401afc  kbdclass!KeyboardClassCleanup
[13] IRP_MJ_CREATE_MAILSLOT          fffff800034b58ac  nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY           fffff800034b58ac  nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY             fffff800034b58ac  nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                    fffff88004409fd4  kbdclass!KeyboardClassPower
[17] IRP_MJ_SYSTEM_CONTROL           fffff8800440a364  kbdclass!KeyboardClassSystemControl
[18] IRP_MJ_DEVICE_CHANGE            fffff800034b58ac  nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA              fffff800034b58ac  nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                fffff800034b58ac  nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                      fffff88004403368  kbdclass!KeyboardPnP
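A defender's use of the dispatch table above: a small parser, added here and not part of the original cheat sheet, that reads pasted `!drvobj <driver> 7` output and flags dispatch slots whose target symbol resolves neither into the driver's own module nor into nt (nt!IopInvalidDeviceRequest is the normal filler for unused slots), which is how a hooked dispatch routine shows up. The sample text is a constructed, trimmed copy of the kbdclass output with the IRP_MJ_READ slot altered to a made-up address and symbol.

```python
import re

# Constructed sample: trimmed copy of the "!drvobj kbdclass 7" output, with the
# IRP_MJ_READ slot deliberately altered to an address outside kbdclass and nt
# to simulate a hooked dispatch routine. The symbol text "somemod+0x1000" is made up.
SAMPLE = """\
Driver object (fffffa8007370870) is for:
 \\Driver\\kbdclass
Dispatch routines:
[00] IRP_MJ_CREATE                  fffff88004401dd4  kbdclass!KeyboardClassCreate
[01] IRP_MJ_CREATE_NAMED_PIPE       fffff800034b58ac  nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ                    fffff88009a01000  somemod+0x1000
[0e] IRP_MJ_DEVICE_CONTROL          fffff88004408a40  kbdclass!KeyboardClassDeviceControl
[1b] IRP_MJ_PNP                     fffff88004403368  kbdclass!KeyboardPnP
"""

# One dispatch row: "[idx] IRP_MJ_NAME  address  symbol"
DISPATCH_RE = re.compile(
    r"^\[([0-9a-f]{2})\]\s+(IRP_MJ_\w+)\s+([0-9a-f]{8,16})\s+(\S+)", re.M)
# Driver object name, e.g. "\Driver\kbdclass" -> "kbdclass"
DRIVER_RE = re.compile(r"is for:\s*\\Driver\\(\w+)")


def parse_dispatch(text):
    """Return (driver_name, [(index, major_function, address, symbol), ...])."""
    m = DRIVER_RE.search(text)
    driver = m.group(1) if m else None
    entries = [(int(idx, 16), mj, int(addr, 16), sym)
               for idx, mj, addr, sym in DISPATCH_RE.findall(text)]
    return driver, entries


def suspicious_entries(text, allowed_modules=("nt",)):
    """Flag slots whose symbol is not in the driver's own module or an allowed one.
    Assumes the object name under \\Driver equals the module name (true for
    kbdclass, not for every driver); extend allowed_modules where it differs."""
    driver, entries = parse_dispatch(text)
    ok = {m.lower() for m in allowed_modules}
    if driver:
        ok.add(driver.lower())
    flagged = []
    for _idx, mj, addr, sym in entries:
        module = sym.split("!", 1)[0].lower() if "!" in sym else None
        if module not in ok:  # unresolved symbol or foreign module
            flagged.append((mj, f"{addr:016x}", sym))
    return flagged


if __name__ == "__main__":
    for mj, addr, sym in suspicious_entries(SAMPLE):
        print(f"possible hook: {mj} -> {addr} {sym}")
```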
List all current IRPs
!irpfind
Scanning large pool allocation table for Tag: Irp? (fffffa8005481000 : fffffa8005781000)

  Irp    [ Thread ] irpStack: (Mj,Mn)   DevObj  [Driver]         MDL Process
fffffa8007375930 [00000000] Irp is complete (CurrentLocation 4 > StackCount 3)
fffffa8004f19520 [00000000] Irp is complete (CurrentLocation 2 > StackCount 1) 0x0000000000000000
fffffa8007dcfe10 [fffffa80081438f0] irpStack: ( e,2d)  fffffa8006e6eb10 [ \Driver\AFD]
fffffa8007ecdbc0 [fffffa80088a9b60] irpStack: ( e, 0)  fffffa8006aa4da0 [ \Driver\Beep]
...
Inspect a specific IRP (e.g. the one at address fffffa8007dcfe10)
!irp fffffa8007dcfe10
Irp is active with 4 stacks 4 is current (= 0xfffffa8007dcffb8)
 No Mdl: System buffer=fffffa8008dc7d80: Thread fffffa80081438f0:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
>[  e,2d]   5  1 fffffa8006e6eb10 fffffa80086bfa30 00000000-00000000    pending
               \Driver\AFD
            Args: fffffa80081844b0 fffffa80081844b0 fffff88003f03150 fffffa8007ecf810

The last row shows that this IRP's major function is e, i.e. IRP_MJ_DEVICE_CONTROL.
View the contents of \Driver in the object namespace:
!object \Driver
Object: fffff8a00008b7f0  Type: (fffffa8004e83a90) Directory
    ObjectHeader: fffff8a00008b7c0 (new version)
    HandleCount: 0  PointerCount: 107
    Directory Object: fffff8a000004dc0  Name: Driver

    Hash Address          Type          Name
    ---- -------          ----          ----
     00  fffffa8006fbae70 Driver        nvlddmkm
         fffffa80069eae70 Driver        fvevol
         fffffa8005d2e890 Driver        iaStorV
    ...
View the layout of _DRIVER_OBJECT
dt nt!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 Flags            : Uint4B
   +0x018 DriverStart      : Ptr64 Void
   +0x020 DriverSize       : Uint4B
   +0x028 DriverSection    : Ptr64 Void
   +0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
   +0x038 DriverName       : _UNICODE_STRING
   +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
   +0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
   +0x058 DriverInit       : Ptr64 long
   +0x060 DriverStartIo    : Ptr64 void
   +0x068 DriverUnload     : Ptr64 void
   +0x070 MajorFunction    : [28] Ptr64 long