[Windows] WinDbg Skill


Command

$ !stacks 2 wlan6ex
$ .thread $address # switch to a specific thread to inspect its stack and local variables
$ db 0x<address> # <address> is a memory location; dumps the memory contents there
$ !wmitrace.logger mtkwl
$ !wmitrace.logsave 0x10 C:\Windows\Temp\wifi.etl
$ bp wlan6ex!WdiOidRequest # set a breakpoint on WdiOidRequest in wlan6ex (use when the address is already known)
$ bu wlan6ex!WdiOidRequest # set a deferred breakpoint on WdiOidRequest in wlan6ex (use when the address is not known yet)
$ CTRL + ALT + K # on reboot, the target breaks in so you can set breakpoints
$ dt struct # show the BYTE fields of a data structure
$ x wl6ex!*WdiOidRequest* # check whether the wl6ex symbols contain WdiOidRequest; wrap the name in * wildcards
$ .crash # manually trigger a BSOD
$ kn # dump the kernel call stack
$ r @rcx @rdx @r8 @r9 # dump registers
$ pt # step to the end (return) of the current function
$ r @rax=0 # set the rax register (the return value) to 0
$ ed nt!Kd_DEFAULT_MASK 0xFFFFFFFF # show all debug messages from the target system, similar to enabling "verbose kernel messages" in DbgView
This can also be changed in the Registry, as shown in the figure below.
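The Registry counterpart of `ed nt!Kd_DEFAULT_MASK`, as an added example that is not part of the original notes: `ed` patches the mask in the running kernel only, while the Debug Print Filter key makes the setting survive a reboot. The key and value name below are the documented Microsoft Debug Print Filter location (assumed here, since the figure is missing from the page); the DWORD round-trip through a signed Int32 is needed because 0xFFFFFFFF does not fit an Int32 directly.

```powershell
# Added example, not from the original notes.
# Assumed (documented) location of the persistent kernel debug-print mask:
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter
#   DEFAULT (REG_DWORD): bit mask of DbgPrintEx levels to show; applied at boot.
function Set-KdDefaultMask {
    [CmdletBinding()]
    param(
        # 0xFFFFFFFF shows every level from every component (same value as the ed command).
        [uint32]$Mask = 0xFFFFFFFF
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # REG_DWORD is exposed as Int32; reinterpret the unsigned bits so 0xFFFFFFFF is accepted.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Mask), 0)
    Set-ItemProperty -LiteralPath $key -Name 'DEFAULT' -Value $signed -Type DWord
    # Read back and convert to unsigned again so the caller can verify the mask.
    $stored = [int](Get-ItemPropertyValue -LiteralPath $key -Name 'DEFAULT')
    $actual = [BitConverter]::ToUInt32([BitConverter]::GetBytes($stored), 0)
    if ($actual -ne $Mask) {
        throw ("DEFAULT mask readback mismatch: wanted 0x{0:X8}, got 0x{1:X8}" -f $Mask, $actual)
    }
    '0x{0:X8}' -f $actual
}

# Usage (elevated prompt on the debuggee; takes effect after reboot):
# Set-KdDefaultMask               # 0xFFFFFFFF, everything
# Set-KdDefaultMask -Mask 0x8     # only DPFLTR_ERROR_LEVEL (bit 3 of the mask)
```

Run it on the target machine from an administrator prompt; the value is read at boot, so use `ed nt!Kd_DEFAULT_MASK` from the debugger when you need the change immediately in the current session.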

Replace a driver with WinDbg

  1. Create a map file for replacing a specific driver file.
    Example:
    Create d:\map.ini, with the locally built driver at D:\wlan6ex.sys.
    Contents of d:\map.ini:
    # Use the pound sign
    # for comments like this one
    #
    # kd> .kdfiles d:\map.ini
    #
    map
    wlan6ex.sys
    D:\wlan6ex.sys
  2. Load the driver replacement map file by doing one of the following:
    Set the environment variable _NT_KD_FILES=d:\map.ini
    Use the ".kdfiles" command in WinDbg
  3. Disable/enable the device, or reboot the DUT (debuggee) platform.
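The three steps above, written out as an added PowerShell example (not from the original notes) that runs on the debugger host: it generates the .kdfiles map file in the format shown, refuses to write an entry whose local build does not exist, and sets `_NT_KD_FILES` so the map is picked up automatically. The default map path and the wlan6ex.sys / D:\wlan6ex.sys pair are taken from the notes; any other driver names you pass are your own.

```powershell
# Added example, not from the original notes.
# Builds a .kdfiles map (one 'map' / target-name / host-path triplet per driver)
# and points the kernel debugger at it through _NT_KD_FILES.
function New-KdFilesMap {
    [CmdletBinding()]
    param(
        # Where the map file is written (the notes use d:\map.ini).
        [string]$MapPath = 'D:\map.ini',
        # Driver file name as the debuggee loads it -> locally built replacement on the host.
        [hashtable]$Replacements = @{ 'wlan6ex.sys' = 'D:\wlan6ex.sys' }
    )
    $lines = @(
        '# Generated by New-KdFilesMap (example script)',
        "# kd> .kdfiles $MapPath",
        '#'
    )
    foreach ($target in ($Replacements.Keys | Sort-Object)) {
        $source = $Replacements[$target]
        # A map entry pointing at a missing file would silently leave the original driver in place.
        if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
            throw "Local build not found for ${target}: $source"
        }
        $lines += 'map'      # keyword starting one replacement entry
        $lines += $target    # file name on the debuggee
        $lines += $source    # replacement file on the debugger host
    }
    # ASCII keeps the file free of a BOM, which the debugger's map parser does not expect.
    Set-Content -LiteralPath $MapPath -Value $lines -Encoding ASCII
    # Step 2, option 1: new debugger sessions read the map without typing .kdfiles.
    [Environment]::SetEnvironmentVariable('_NT_KD_FILES', $MapPath, 'User')
    Get-Content -LiteralPath $MapPath
}

# Usage on the host, then disable/enable the device or reboot the debuggee (step 3):
# New-KdFilesMap
# New-KdFilesMap -MapPath 'D:\map.ini' -Replacements @{ 'wlan6ex.sys' = 'D:\build\wlan6ex.sys' }
```

If WinDbg is already attached when you run this, the environment variable is not seen by that process; type `.kdfiles D:\map.ini` in the debugger instead (the second option in step 2).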

WinDbg with symbols

Use the directory path, without the .pdb file name, as the WinDbg symbol path.
For example:
C:\Symbols ==> OK
C:\Symbols\xxx.pdb ==> NG (not OK)

Add MSFT Public symbol

https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/microsoft-public-symbols

Reference
