WinDbg的好教程？

Question

有没有很好的教程来展示如何使用WinDbg？

Answer 1

基础教程和使用演示

• 安装和配置WinDbg(Windows调试工具)
• Mike Taulty - WinDbg的一个词
• WinDbg教程
• Windows调试器:第1部分:WinDbg教程

"开始"/附加WinDbg的不同方法

• 使用WinDbg开始调试(包括如何调试.msi)
• 如何调试Windows服务
• 设置Windows调试
• 调试SQL Server ... 在这里,这里,这里,这里

工作区(了解它们的工作原理)

• Pimp up你的调试器:为WinDbg调试创建一个自定义工作区
• 揭示WinDbg中工作区的工作原理

Cmdtree

允许您定义调试器命令的"菜单",以便轻松访问常用命令,而无需记住简洁命令名称.不必将所有命令定义放在同一个cmdtree文本文件中....您可以将它们分开并加载多个(然后它们将获得自己的窗口).

• 惊人的助手.cmdtree
• 如何在WinDbg中启动时使cmdtree窗口停靠
• 使用.cmdtree可以更轻松地在WinDbg中调试.NET转储
• Microshaoft Cmdtree
• 来自具有.cmdtree的自定义用户界面的特殊命令执行命令

启动脚本

您可以在命令行上使用-c选项在启动WinDbg时自动运行WinDbg脚本.

Gives opportunity to turn on DML (Debugger Markup Language) mode, load particular extensions, set .NET exception breakpoints, set kernel flags (e.g. when kernel debugging you might need to change the DbgPrint mask so you see tracing information....ed nt!Kd_DEFAULT_Mask 0xFFFFFFFF), load cmdtrees, etc.

• http://yeilho.blogspot.co.uk/2012/10/windbg-init-script.html
• Take Control of WinDbg

An example script:

$$ Include a directory to search for extensions
$$ (point to a source controlled or UNC common directory so that all developers get access)
.extpath+"c:\svn\DevTools\WinDBG\Extensions"
$$ When debugging a driver written with the Windows Driver Framework/KMDF
$$ load this extension that comes from the WinDDK.
!load C:\WinDDK\7600.16385.1\bin\x86\wdfkd.dll
!wdftmffile C:\WinDDK\7600.16385.1\tools\tracing\i386\wdf01009.tmf
$$ load some extensions
.load msec.dll
.load byakugan.dll
.load odbgext.dll
.load sosex
.load psscor4
$$ Make commands that support DML (Debugger Markup Language) use it
.prefer_dml 1
.dml_start
$$ Show NTSTATUS codes in hex by default
.enable_long_status 1
$$ Set default extension
.setdll psscor4
$$ Show all loaded extensions
.chain /D
$$ Load some command trees
.cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree1.txt
.cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree2.txt
$$ Show some help for the extensions
!wdfkd.help
!psscor4.help
.help /D

Command Cheat Sheets

• Crash Dump Analysis Poster v3.0
• SOS Cheat Sheet (.NET 2.0/3.0/3.5)
• WinDbg cheat sheet (Art of Dev)
• WinDbg Kernel-Mode Extension Commands Flashcards

Extensions (extend the range of commands/features supported)

• AddSym
  - allows transfer of symbol names between IDA and WinDbg
• bigLasagne (bldbgexts & blwdbgue)
  - assembly syntax highlighting and a driver mapping tool)
• BigLib Number Reader
• 的Byakugan
  -检测反调试方法,远景堆可视化/仿真,轨道缓冲器存储器
• CmdHist
  - 记录您在调试会话中执行的每个命令,以便您可以轻松地重新执行
• 核心分析器
  - 检查堆结构是否损坏,检测线程共享的对象等.
• dom WinDbg扩展
  - (!stlpvector,!idt,!unhex,!grep等)
• dumppe
  - 从内存中转储PE文件
• 图像查看器扩展(Vladimir Vukicevic)
• 英特尔UEFI开发套件调试工具
  - 调试UEFI固件
• leaktrap
  - GDI/USER处理跟踪器以帮助检测泄漏
• Mona(需要PyKD)
  - 一组命令,以帮助进行高级分析/查找漏洞利用
• MSEC
  - provides automated crash analysis and security risk assessment
• narly
  - lists info about loaded modules such as if using SafeSEH, ASLR, DEP, /GS (Buffer Security Checks)
• netext (Rodney Viana)
  - (!wservice - list WCF service objects, !wconfig - show .config lines, !whttp - list HttpContexts, !wselect/!wfrom - support SQL like queries on arrays)
• ODbgExt
  - open debugger extensions
• OllyMigrate
  - pass debuggee to another debugger without restarting
• Psscor2
  - a superset of SOS for assisting in debugging .NET 2.0 managed code
• Psscor4
  - a superset of SOS for assisting in debugging .NET 4 managed code
• PyDBGExt
  - allows Python scripting to be used
• PyKD
  - allows Python to be used to script WinDbg
• sdbgext (Nynaeve)
  -(!valloc, !vallocrwx, !heapalloc, !heapfree, !remotecall, !remotecall64, !loaddll, !unloaddll, !close, !killthread, !adjpriv, !ret)
• SieExtPub
  -legacy extension...now built into WinDbg in ext.dll
• SOSEX
  - more commands for helping to debug managed NET 2.0 or 4.0 code
• SPT/SDBGExt2 (Steve Niemitz)
  - (!DumpHttpContext, !DumpASPNetRequests, !DumpSqlConnectionPools, !DumpThreadPool, etc.)
• Uniqstack
  - source to a debugger extension (need an OSR Online account to access it)
• viscope
  - code coverage graph
• Wait Chain Traversal/wct.dll (CodePlex Debugging Extensions
  - display wait chains of application threads (helps find deadlocks)
• windbgshark
  - integrates the Wireshark protocol analyser to enable VM traffic manipulation and analysis
• WinDbg Extensions (Sasha Goldstein)
  - Tracer, WCT, heap_stat, bkb, traverse_map, traverse_vector)
• WinDbg Highlight (ColorWindbg.dll) (Use Google Translate to translate link)
  - assembly language syntax highlighting

Write your own extension

• Developing WinDbg ExtEngCpp Extension in C++
• Tools of the Trade: Part IV - Developing WinDbg Extension DLLs
• The Basics of Debugger Extensions: Short Term Effort, Long Term Gain

Debugging Managed Code

• Breaking on an Exception
• Breaking on specific CLR Exception
• Debugging .NET framework source code within WinDbg
• Debugging exceptions in managed code using WinDbg
• Debugging managed code using WinDbg and SOS.dll
• Debugging with WinDbg. Deadlocks in Applications.
• MANAGED DEBUGGING with WinDbg. Introduction and Index
• Setting .NET breakpoints in WinDbg for applications that crash on startup

Scripting (C#, PS, Python, and WinDbg)

• KDAR (Kernel Debugger Anti Rootkit)
  - a collection of WinDbg scripts
• Sysnative BSOD Scripts/Processing Apps
• WinDbg Script library
  - a collection of WinDbg scripts
• Scripting MDbg and DbgHostLib
  - allows managed code to script the Managed Debugger (MDBG) and the DbgEng
• ExtCS
  - allows control of WinDbg via C# scripts
• PowerDBG
  - allows control of WinDbg via PowerShell scripts
• Pykd
  - allows control of WinDbg via Python scripts
• windbglib
  - Python wrapper library around the pykd extension for WinDbg, mimicking immlib (so you can use scripts originally written for Immunity Debugger)

Debuggers/Tools that use the dbgeng.dll API/WinDbg Tools

• A Simple Dbgeng Based User Mode Debugger
• Acorns.Debugging NET Deadlock Detector (uses cdb.exe) (download)
• CLR Managed Debugger (MDBG)
• DbgHost - How to control a debugging engine
• Debug Diagnostic Tool v1.2 (DebugDiag), Ver 2.0 + DebugDiag Blog
• Dynamorio - dynamic binary instrumentation tool which can interact with WinDbg
• IDA + WinDbg plugin
• GUI WinDbg
• LeakShell (find managed leaks)
• mdbglib - Managed Debug API
• PyDbgEng
  - Python wrapper for Windows Debugging Engine
• SOSNET - a WinDbg Fork/alternative shell that concentrates on using the SOS extension and supports C# scripting
• SOSNET O2 fork - fork of SOSNET that uses Roslyn for the C# REPL (read-eval-print-loop) scripting engine
• VDB/Vivisect (kenshoto) - provides a cross-platform debugging API layered on WinDbg
• WinAppDbg + Heappie-WinAppDbg
• Writing a basic Windows debugger

Different Ways to Generate Crash Dump Files for Post-Mortem Analysis

• DebugDiag 2.0
• Dump Cheat Sheet
  - includes how to generate dump from Hyper-V, VMware ESX, and XenServer VMs.
• Citrix SystemDump
• Keyboard Keypress Combination
• MiniDumpWriteDump
  - (via Win32 API call inside your application). (Example for C# applications)
• NMI Switch
  (hardware based feature to generate an NMI...usually found on high-end servers e.g. HP or you can obtain an add-in PCI card "Universal PCI Dump Switch"). Microsoft NMI technology background.
• Procdump
• Menu System ? Advanced System Settings ? Startup and Recovery
  (registry info),
  (how to configure a Complete (Full) Memory Dump),
  (how to enable Complete Memory Dump),
  (how to enable Complete Memory Dump on Windows 7 when PC has lots of memory...normally not available when more than 2 GB of memory)
• Task Manager "Create Dump File"
• UserDump, instructions (very old tool)
• UserModeProcessDumper, instructions
• Visual Studio "Save Dump As…"
• WER (Windows Error Reporting....local dumps)
• WinDbg

Dump Analysis Tools

• BlueScreenView - finds the minidump .dmp files saved by Windows after a BSOD, and extracts information about what caused the crash
• Debug.Analyzer (can anal