WinDbg_Scripts
hwnd
wtrace
Dependencies
dprobe
krabsetw
BPerf

Advanced Windows NT
Debugging Applications for Windows

AeDebug
adplus/vsjitdebugger
adplus -hang/-crash

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Image File Execution Options
Debugger

lm
x console!
x urtbased!

Local kernel debugging
https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/performing-local-kernel-debugging
https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/setting-up-local-kernel-debugging-of-a-single-computer-manually
bcdedit /debug on
bcdedit /dbgsettings local
windbg -kl
kd -kl

IsDebuggerPresent
esp + 0x4
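Added example, not code from the page: what IsDebuggerPresent actually tests, written out in C so the bypass is obvious. On Windows the API returns the BeingDebugged byte at offset 2 of the PEB, which ntdll sets when a debugger attaches; that is why clearing it from WinDbg (eb @$peb+2 0) or patching the return value at a breakpoint on the function defeats the check. The Linux branch, the TracerPid field of /proc/self/status, is an analogue added here for running the code outside Windows; parse_tracer_pid() is a helper written for this example and the status text in its comments is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* public TEB/PEB layout: TEB.ProcessEnvironmentBlock, PEB.BeingDebugged */
#endif

/* Extract TracerPid from the text of /proc/self/status.
 * Returns 0 when the field is absent or zero, i.e. no tracer attached.
 * Constructed sample input: "Name:\tnotepad\nTracerPid:\t1337\nPid:\t4242\n" -> 1337 */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab padding */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* 1 if a debugger (Windows) or ptrace tracer (Linux) is attached, 0 otherwise. */
int debugger_present(void)
{
#ifdef _WIN32
    /* The same byte IsDebuggerPresent() reads: PEB+0x2. Patch it and the check passes. */
    return NtCurrentTeb()->ProcessEnvironmentBlock->BeingDebugged != 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;                         /* no procfs (e.g. macOS): assume not traced */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) != 0;
#endif
}

int main(void)
{
    /* Run it under cdb/windbg (or gdb on Linux) and the answer flips to 1. */
    printf("debugger present: %d\n", debugger_present());
    return 0;
}
```

The ptrace analogue is weaker than the PEB flag: a tracer that attaches and detaches between checks is invisible, and neither check sees a kernel debugger.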

Windows provides the Heap Manager to do the above. The HeapAlloc function is the Heap Manager's allocation function.
HeapAlloc -> VirtualAlloc
PageHeap & GFlags
Fortunately, the Heap Manager does provide the proactive error checking described above. You only need to make the corresponding changes in the registry, and the operating system will change the Heap Manager's behavior according to those settings.

PageHeap -> like macOS guard malloc
gflags -> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\GlobalFlag]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\GlobalFlag]
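Added example, not code from the page or from Microsoft: a small POSIX model of what full page heap (gflags /p /full, or the GlobalFlag value above) does to every allocation, so the "guard malloc" comparison is concrete. Each block is placed at the very end of its own committed page(s) and the following page is made inaccessible, so a one-byte heap overflow faults at the overflowing instruction instead of silently corrupting the next block; on free the pages stay mapped but inaccessible, so a later use-after-free faults too. Page heap does this with VirtualAlloc and PAGE_NOACCESS; mmap/mprotect are used here so the code runs on Linux/macOS. guard_alloc, guard_free, guard_release and probe_write are names invented for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    unsigned char *p;      /* user pointer, 16-byte aligned like a normal heap block */
    size_t size;           /* requested size */
    unsigned char *guard;  /* first byte of the PROT_NONE guard page */
    unsigned char *base;   /* start of the whole mapping (needed for release) */
    size_t total;          /* mapping length */
} guard_block;

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Allocate `size` bytes so the block ends (up to 15 alignment slack bytes) at a guard page. */
int guard_alloc(guard_block *b, size_t size)
{
    size_t page = page_size();
    if (size == 0)
        return -1;
    size_t data  = (size + page - 1) / page * page;   /* committed data pages */
    size_t total = data + page;                        /* plus one guard page */
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    if (mprotect(base + data, page, PROT_NONE) != 0) {
        munmap(base, total);
        return -1;
    }
    b->base = base; b->total = total; b->size = size; b->guard = base + data;
    b->p = base + ((data - size) & ~(size_t)15);     /* align down: slack sits between block end and guard */
    /* Page heap fills those slack bytes with a pattern and checks them on free;
     * an overflow that stays inside the slack is only caught then, not immediately. */
    memset(b->p + size, 0xD0, (size_t)(b->guard - (b->p + size)));
    return 0;
}

/* Free: keep the pages mapped but inaccessible so use-after-free faults (page heap does the same). */
int guard_free(guard_block *b) { return mprotect(b->base, b->total, PROT_NONE); }

/* Finally give the address space back. */
void guard_release(guard_block *b) { munmap(b->base, b->total); b->base = NULL; }

/* Try a one-byte write; return 1 if it faulted, 0 if it succeeded, without killing the process. */
static sigjmp_buf probe_env;
static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int probe_write(unsigned char *addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);            /* macOS reports guard-page hits as SIGBUS */
    if (sigsetjmp(probe_env, 1) == 0)
        *(volatile unsigned char *)addr = 0x41;
    else
        faulted = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void)
{
    guard_block b;
    if (guard_alloc(&b, 100) != 0)
        return 1;
    memcpy(b.p, "world", 6);                     /* in bounds, like the test program further down */
    printf("block %p..%p, guard page at %p\n", (void *)b.p, (void *)(b.p + b.size), (void *)b.guard);
    printf("write to last byte:  %s\n", probe_write(b.p + b.size - 1) ? "FAULT" : "ok");
    printf("write to guard page: %s\n", probe_write(b.guard) ? "FAULT" : "ok");
    guard_free(&b);
    printf("write after free:    %s\n", probe_write(b.p) ? "FAULT" : "ok");
    guard_release(&b);
    return 0;
}
```

The cost is the same as with real page heap: every allocation burns at least two pages, which is why full page heap is enabled per image via the Image File Execution Options key rather than system-wide.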

Memory leaks
https://www.jianshu.com/p/ad41c2e074e5
_CrtDumpMemoryLeaks

Locating memory leaks in a C project on Windows
https://zhuanlan.zhihu.com/p/443548463

bp ntdll!NtWriteFile "r $t0=@$t0+1;.printf \"function executes: %d times\",@$t0;.echo;g"
bp msvcrt!printf "r $t0=@$t0+1;.printf \"function executes: %d times\",@$t0;.echo;g"
(the command string is double-quoted, so the inner quotes around the .printf format must be escaped as \"; $t0 starts at 0, so the counter is correct from the first hit)

hello

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy */

int main(int argc, char const *argv[])
{
    (void)argc;
    (void)argv;
    puts("Hello");                   /* "Hello" is what the stack search below looks for */
    char *s = (char *)malloc(100);   /* heap block; never freed, so it also serves as a leak to find */
    if (s == NULL)
        return 1;
    memcpy(s, "world", 6);           /* 6 bytes: "world" plus its NUL; copying 10 would over-read the literal */
    printf("%s\n", s);               /* break on printf and "world" is on the heap */
    return 0;
}
cdb test.exe
bp test!printf
g
!address -summary

--- Largest Region by Usage ----------- Base Address -------- Region Size ----------
Free                                    1fc`cc4d0000     7df7`53fa0000 ( 125.966 TB)
<unknown>                               7ff4`20570000        1`00020000 (   4.000 GB)
Image                                   7ffb`e8ec0000        0`001c3000 (   1.762 MB)
Heap                                    1fc`cc3dd000        0`000f2000 ( 968.000 kB)
Stack                                    e4`d5a50000        0`000fa000 (1000.000 kB)
Other                                   1fc`cc200000        0`0001f000 ( 124.000 kB)
TEB                                      e4`d5d5b000        0`00002000 (   8.000 kB)
PEB                                      e4`d5d5a000        0`00001000 (   4.000 kB)

||1:1:001> s -a 1fc`cc200000 l1000000 "world"
000001fc`cc3da0b0 77 6f 72 6c 64 00 00 00-ff ff ad ba 0d f0 ad ba world...........
||1:1:001> s -a e4`d5a50000 l100000 "Hello"
000000e4`d5b4e210 48 65 6c 6c 6f 0d 0a 00-d6 d8 86 eb fb 7f 00 00 Hello...........
.dump /ma test.dump    (a plain .dump writes a small minidump without heap contents, so the searches below would find nothing in it; /ma keeps all memory)
.opendump test.dump
g
!address -f:Heap -c:"s -a %1 %2 \"world\""
!address -f:Stack -c:"s -a %1 %2 \"Hello\""
.writemem d:\blog.txt 07288600 L2000

WinDbg data search tips, from 格蠹汇编, chapter "Rescuing a lost blog post from the heap"

https://www.cnblogs.com/luzhlon/p/7055363.html

WinDbg debugging: getting started with WinDbg

https://blog.csdn.net/tonychan129/article/details/127136283

cdb -z ieblog.dmp
.writemem test.txt 001b5936 L1456

https://dbgtech.github.io/Tools/lldb-using.html
http://advdbg.org/books/swdbg2e/v2toc.aspx
https://files-cdn.cnblogs.com/files/lixiong/userdbg_msinternal.pdf

DbgEng extensions
WdbgExts
EngExtCpp

r eip=0042d9e

Symlinks: what is a symbolic link, and how to create one on Windows and Linux
https://blog.csdn.net/cunjiu9486/article/details/109076948

bootmgr -> WinLoad -> ntoskrnl -> smss -> win32k.sys/csrss -> WinLogon
WinLogon -> NtUserCreateWindowStation/NtUserCreateDesktop
-> Services.exe/LSASS.exe
-> userinit.exe -> Explorer.exe

dtrace -n "syscall:::entry /execname == \"notepad.exe\"/ {printf(\"%s\",execname);}" -c notepad.exe
dtrace -n "syscall::*Write*:entry /execname == \"lsd.exe\"/ {printf(\"%s\",execname);}" -c lsd.exe

x console!main
uf
wt =
kv
kn/.frame