WinDbg Cheatsheet

Display Bytes

Command Description
db esp Display bytes at the address in ESP, with ASCII characters on the side (hex dump)
db kernel32!WriteFile Display the bytes at the start of kernel32!WriteFile
dw esp Display memory at the address in ESP as words (2 bytes)
dW esp Display memory at the address in ESP as words, with ASCII characters on the side as in db
dd esp Display memory at the address in ESP as double words (4 bytes)
dd 771bab89 Display memory at address 0x771bab89 as double words (4 bytes)
dc esp Display memory at the address in ESP as double words, with ASCII characters on the side as in db
dq 00faf974 Display memory at address 0x00faf974 as quad words (8 bytes)
da esp Display memory at the address in ESP as an ASCII string (no hex dump)
dd poi(esp) Display double words at the address that ESP points to (poi dereferences a pointer)
dW KERNELBASE+0x40 Display words with ASCII characters at KERNELBASE + 0x40
dd esp L4 Display 4 double words from the address in ESP (L sets the count)
dW KERNELBASE L2 Display 2 words with ASCII characters from KERNELBASE
db KERNELBASE L2 Display 2 bytes with ASCII characters from KERNELBASE

Program Control

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/controlling-the-target

Command Description
g Go. Continues execution
gu Go up. Runs until the current function returns
p Step over. A call instruction is executed as one step without entering the function. F10
pa Step to address
pc Step to next call
pct Step to next call or return
ph Step to next branching instruction (any branch, call, ret, or syscall)
pt Step to next return. Runs to the end of the current function
t Trace (step into). A call instruction is followed into the called function. F8, F11
ta Trace to address. See the docs for full details

Breakpoints

Command Description
bl List breakpoints
bd 1 Disable breakpoint 1
be 1 Enable breakpoint 1 (be enables a breakpoint; it does not break on execute)
bc 2 Clear breakpoint 2
bp wsock32!recv Break on wsock32!recv
bp WS2_32!recv Break on WS2_32!recv
ba r 4 0xbaf000 Break on reading 4 bytes at address 0xbaf000 (hardware access breakpoint)
ba w 4 0xbaf000 Break on writing 4 bytes at address 0xbaf000 (hardware access breakpoint)
ba e 1 0xbaf000 Break on executing address 0xbaf000 (hardware access breakpoint)

Hardware Breakpoints

ba e 1 kernel32!WriteFile Set a hardware breakpoint that fires when kernel32!WriteFile executes

Symbols

Command Description
.reload /f Reload symbols
x WS2_32!recv Search for symbol. Displays address.
x WS2_32!rec* Search for symbol with wildcard. Will show recv and recvfrom.
!drvobj name Find driver
!devobj name Find device object
!devhandles handle Find app using driver

Examine Code

Command Description
u 761ae7b2 Unassemble at address 0x761ae7b2
u kernel32!GetCurrentThread Unassemble kernel32!GetCurrentThread
u kernel32!GetCurrentThread+0x2 Unassemble kernel32!GetCurrentThread+0x2
u kernel32!GetCurrentThread+0x2 L2 Unassemble kernel32!GetCurrentThread+0x2 and display 2 lines

Dump Structures

Command Description
k Dump Call Stack
lm Show loaded modules
lm m kernel* Show loaded modules beginning with “kernel”
lmDva 0x724a0000 Get info on the module at address 0x724a0000
ln 77c94d10 Show the closest symbol to the address 0x77C94D10
r Dump all registers
r ecx Dump value in ECX
r ecx=41414141 Write 0x41414141 to ECX
!teb Dump Thread Environment Block
!peb Dump Process Environment Block
!vadump Dump memory pages/info
!heap Dump heap info

Display Type (dt)

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dt--display-type-

Command Description
dt ntdll!_TEB Dump the layout of the Thread Environment Block (field offsets and types; no address given)
dt -r ntdll!_TEB @$teb Dump the current thread's TEB. -r recursively expands nested structs; @$teb is a pseudo-register holding the address of the current thread's TEB
?? sizeof(ntdll!_TEB) Get the size of a structure

Display specific fields:

dt ntdll!_TEB @$teb ThreadLocalStoragePointer

Writing to Memory

Write ASCII with ea, write Unicode (UTF-16) with eu.

Command Description
dd esp L1 Show the dword at the address in ESP
ed esp 41414141 Write 0x41414141 at the address in ESP
dd esp L1 Show the dword at the address in ESP again to confirm the write
ea esp “Haha” Write “Haha” (4 ASCII bytes) at the address in ESP
da esp Show the bytes at ESP as ASCII
eu esp “Ha” Write “Ha” as UTF-16, which is also 4 bytes
da esp Show the bytes at ESP as ASCII (the UTF-16 null bytes end the string early)

Searching Memory Space

See the reference for much more detail: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/s--search-memory-

The search takes four parts: a type flag, a start address, a length (L) or end address, and the pattern.

Command Description
ed esp 41414141 Write 0x41414141 at the address in ESP
s -d 0 L?80000000 41414141 Search the address range 0 to 0x80000000 for the dword 0x41414141 (L? allows a range longer than 256 MB)
s -d 77a40000 77d00000 41414141 Search the address range for the dword 0x41414141
s 77a40000 77a60000 41 41 41 41 Search the address range for 0x41414141 given as a byte sequence

Examples:

Search for the DOS stub string found in PE headers:

s -a 0 L?80000000 "This program cannot be run in DOS mode"

Search for the string “SCADA” as Unicode (UTF-16LE):

s -u 0 L?80000000 "SCADA"
- Example Output: 53 00 43 00 41 00 44 00 41 00 00 00
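The byte patterns behind the ea/eu writes above and the s -a / -u / -d searches, as an added example that is not part of the original cheatsheet: it builds the pattern WinDbg matches for each type flag (ASCII, UTF-16LE, little-endian dword) and scans a constructed memory buffer at a made-up base address. The buffer contents, the base address and the function names are assumptions for the demonstration; the scan checks every byte offset and makes no claim about WinDbg's own alignment rules.

```python
import struct

def search_pattern(kind: str, value) -> bytes:
    """Build the byte pattern searched for by s -a (ASCII), s -u (UTF-16LE),
    s -d (dword), s -q (qword) or a plain byte-sequence search."""
    if kind == "a":
        return value.encode("ascii")
    if kind == "u":
        return value.encode("utf-16-le")      # "SCADA" -> 53 00 43 00 41 00 44 00 41 00
    if kind == "d":
        return struct.pack("<I", value)       # little-endian: 41424344 is stored as 44 43 42 41
    if kind == "q":
        return struct.pack("<Q", value)
    if kind == "b":
        return bytes(value)
    raise ValueError(f"unknown search type {kind!r}")

def search_memory(buf: bytes, base: int, pattern: bytes) -> list:
    """Return the address of every occurrence of pattern in buf, which is
    treated as if mapped at address base (like s Start L<len> Pattern)."""
    hits, pos = [], buf.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = buf.find(pattern, pos + 1)
    return hits

def hexdump(data: bytes) -> str:
    """Format bytes the way the s command prints a match: two hex digits each."""
    return " ".join(f"{b:02x}" for b in data)

# Constructed sample memory at an assumed base: the ea/eu writes from the
# cheatsheet ("Haha" ASCII, then "Ha" UTF-16), a UTF-16 "SCADA", and a dword.
BASE = 0x00FAF974
MEMORY = (b"Haha" + "Ha".encode("utf-16-le") + "SCADA".encode("utf-16-le")
          + b"\x00\x00" + struct.pack("<I", 0x41424344) + b"\x00" * 8)

if __name__ == "__main__":
    print(hexdump(search_pattern("u", "SCADA")))
    for kind, val in (("a", "Haha"), ("u", "SCADA"), ("d", 0x41424344)):
        hits = search_memory(MEMORY, BASE, search_pattern(kind, val))
        print(f"s -{kind} {val!r}:", [f"{a:08x}" for a in hits])
```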

Expressions

The default representation of numbers in WinDbg is hex.

See all the formats of a hex number with .formats:

0:000> .formats 41414141
Evaluate expression:
  Hex:     41414141
  Decimal: 1094795585
  Octal:   10120240501
  Binary:  01000001 01000001 01000001 01000001
  Chars:   AAAA
  Time:    Fri Sep 10 01:53:05 2004
  Float:   low 12.0784 high 0
  Double:  5.40901e-315

? evaluates an expression:

0:000> ? 77269bc0 - 77231430
Evaluate expression: 231312 = 00038790
0:000> ? 77269bc0 >> 18
Evaluate expression: 119 = 00000077

Doing the same thing in decimal needs the 0n prefix:

0:007> ? 0n1000 - 0n250
Evaluate expression: 750 = 000002ee

Binary needs the 0y prefix. This is 0x41 + 0x41:

0:007> ? 0y01000001 + 0y01000001
Evaluate expression: 130 = 00000082

User-defined pseudo-registers $t0 to $t19. Useful in scripts.

r @$t0 = 41414141  -- Assign a value to $t0
r @$t0             -- Examine the value in $t0