Cheat Sheet for Dump Analysis and Live Debugging with WinDbg

# Set cache and symbol store (replace)
.sympath cache*C:\Users\kash1064\Documents\symbols;srv*C:\Users\kash1064\Documents\symbols*https://msdl.microsoft.com/download/symbols

# Add symbol store setting
.sympath+ C:\Users\kash1064\Downloads

# Confirm current settings
.sympath

# Load symbol files
.reload /f HEVD.sys
.reload /f

# To confirm detailed logs when loading symbols
!sym noisy
.reload /f HEVD.sys
!sym quiet

# Enumerate modules
lm

# Enumerate modules starting with a
lm m a*

# Display module information, can also display timestamps, etc.
# !lmi can also be used to get detailed module information
lm Dvm <modulename>

# Resolve the address of the main function of the module from symbols
x modulename!*main*

# Enumerate function names starting with a
x /D /f modulename!a*

# Resolve symbol name from address
ln address

# Display list of registers
r

# Display specific registers, multiple registers
r eip
r zf
r eax,ebx,ecx,edx,ebp,eip

# Rewrite register values
r eax=00000001
r zf=0

# Display registers assigned to the second thread
# Or switch the current thread with ~1s and then output
~1 r

# Display registers associated with all threads
~* r eax

# Display xmm0 as unsigned 16-byte, xmm1 as double-precision floating-point
r xmm0:16ub, xmm1:d

# Display pseudo registers
r $peb,$teb

# Copy the value of ebx to eax
r eax = @ebx

# Output Hex and ASCII in memory range or offset
dc 0x1000 0x1200

# L indicates object count
# dc @addr L1 is 1 DWORD, dq @addr L1 is 1 QWORD
dc @eip L1
dc 0x1000 L20

# Can also reference addresses or registers holding addresses
dc 0x1000
dc eax

# dps, dqs display values in pointer size and symbols if resolvable
dps rsp
dqs rsp

# Display memory in 32bit(ddp), 64bit(dqp)
ddp 0x1000
dqp 0x1000

# Display as ASCII string
da 0x1000

# Display as UNICODE string
du rsp+0x40

# Rewrite byte values
eb 0x1000 

# Rewrite ASCII string
ea 0x1000 "change ascii"

# Using pseudo registers, $p holds the result of the most recent d* command
dd r11 L1 ; ? $p

# Search for DWORD value H in the range from RSP address to 1000000 bytes
s -d @rsp L1000000 'H'

# Search for ASCII string Hello in the range from RSP address to 10000000 bytes
s -a @rsp L10000000 "Hello"  

# Search for ASCII string Hello in a wide range from 0 to 0x7fffffff
# L? specification is mandatory when searching ranges larger than 256 MB
s -a 0 L?7fffffff "Hello"

# Unicode strings can also be searched similarly
s -u @rsp L1000000 'Hello'
s -u 0 L?7fffffff "Hello"

# Search for "ASCII strings longer than 4 characters" in the range from RSP address to 400 bytes
s -[l4]sa @rsp L400

# Search for "ASCII strings longer than 4 characters" from "writable addresses" in the range from RSP address to 400 bytes
s -[wl4]sa @rsp L400

# Save 0x100 bytes of memory data from address 0xb3f668 to C:\Temp\output.bin
.writemem C:\Temp\output.bin 0xb3f668 L0x100

# Save 0x1ce00 bytes of memory data from binary offset 3000 to C:\Temp\output.exe
.writemem C:\Temp\output.exe binary+3000 L0x1ce00

# Output assembly code from EIP (ub outputs in reverse direction)
u
ub

# Output 10 lines of assembly code from specified address
u 0x1000 L10

# Can also use registers containing addresses
u eax L10
u eip L20

# Output the entire code of a specific function from function address or symbol name
uf 0x1000
uf module!function

# Extract only call instructions in the target routine
uf /c 0x1000

# Output local variables in current scope (/t displays type names)
dv
dv /t

# Variable type names can also be resolved with dt command
dt local_val_name

# Resolve structures from symbol names or addresses
dt MyStruct

# To enumerate substructures recursively, use -r or -b
dt -r MyStruct

# You can specify the hierarchy of structures to display recursively with -r1 -r2, etc.
dt -r2 MyStruct

# Can enumerate type information of kernel structures
dt nt!_*
dt nt!*PEB*

# To get actual values, specify the address of the structure
dt nt!_EPROCESS <EPROCESS address>

# Can extract only specific values by specifying subtype names
dt nt!_EPROCESS ImageFileName <EPROCESS address>

# -l option traverses linked lists to dump structure information
# -y option outputs lines that start with the specified string
# -o option hides offsets
# -i option does not indent subtypes
dt nt!_EPROCESS -l ActiveProcessLinks.Flink  -y Ima -yoi Uni <EPROCESS address>

# dt cannot get substructure information, so use -r or -b switch
dt ntdll!_EPROCESS -r <EPROCESS address>
dt ntdll!_EPROCESS -b <EPROCESS address>

# Reference table information
!dh -f !<module_name>

# Enumerate import table information from identified address and size
dps !<module_name>+<IAT address> !<module_name>+<IAT address>+<IAT size>

# Enumerate DOS header
dt /r _IMAGE_DOS_HEADER @@masm(!<module_name>)

# Enumerate NT header (FileHeader / OptionalHeader)
# e_lfanew is obtained from the PE header pointer at 0x3C of DOS header
dt /r _IMAGE_NT_HEADERS64 @@masm(!<module_name>+<e_lfanew value>)

# Get the first SectionHeader by adding the size of NT header FileHeader to the address where SizeOfOptionalHeader value is added
dt /r _IMAGE_SECTION_HEADER @@masm(!<module_name>+0xF8+0x018+<SizeOfOptionalHeader>)

# By adding the size of _IMAGE_SECTION_HEADER which is 0x28, you can refer to the information of the next section (need to load structure symbols in advance)
dt /r _IMAGE_SECTION_HEADER @@masm(!<module_name>+0xF8+0x018+<<SizeOfOptionalHeader>+0x28>)

# Set breakpoint at offset
bp module+0x123
bu dllmodule!DLLMain

# Set breakpoints collectively on multiple modules starting with mem
bm myprogram!mem*

# Stop execution on the 7th time the processing set with breakpoint is called
bp MyTest+0xb 7

# After matching the breakpoint, output EAX and variable MyVar, then automatically resume execution
bp ntdll!RtlRaiseException "r eax; dt MyVar; gc"

# Output arbitrary string with echo and continue processing
bp module!myFunction ".echo myFunction executed; gc"

# Basic syntax of IF conditional expression
bp module!myFunction ".if () {} .else {}"

# Dereference var address with poi, compare with decimal 10
# If matches, do nothing and break; if not, continue processing
bp module!myFunction ".if ( poi(var) == 0n10 ) {} .else { gc }"

# The following achieves the same result
bp module!myFunction "j ( poi(var) == 0n10 ) ''; 'gc'"

# Clear all breakpoints
bc *

# Set one-shot breakpoint with /1 (breaks only once)
bp /1 nt!IoCreateDevice

# Break when read access occurs on 4-byte area from variable name or variable address
ba r4 myVar
ba r4 0x1000

# Break when write access occurs on target
ba w4 0x1000

# Break when I/O occurs on ports from 3f8 to 3f8+4 (kernel debugging only)
ba i4 3f8

# Enumerate currently set breakpoints
# The breakpoint ID displayed here can be used to specify targets in other management commands
bl

# Disable all breakpoints
bd *

# Disable only breakpoint with ID 1
bd 1

# Enable all breakpoints
be *

# Enable only breakpoint with ID 1
be 1

# List the commands used for current breakpoint settings in order from top
.bpcmds

# Change breakpoint ID
# Can also batch change multiple IDs
br OldID NewID
br OldID NewID OldID2 NewID2 OldID3 NewID3 

# Can modify the command part of the breakpoint
bs ID ["CommandString"] 

# Can change breakpoint condition statements
bsc ID Condition ["CommandString"] 

# Break when loading HEVD.sys driver
sxe ld HEVD.sys

# Set one-shot breakpoint on nt!IoCreateDevice after load break
bp /1 nt!IoCreateDevice

# Perform step over operation
p (or F10)

# Execute 5 lines of step over
p 5

# Execute WinDbg command after step over
p "k;r eax"

# Repeat Step Over until reaching specified address
pa StopAddress

# Step Over until next call instruction line
pc

# pc can also execute count
pc 3

# Step Over until next ret instruction line
pt

# Step Over until next call or ret instruction line
pct

# Step Over until next branching instruction
ph

# Record command output in arbitrary log file (ASCII text)
.logopen C:\Users\Public\windbg.log

# Record in arbitrary log file with process ID and current date/time (/t)
.logopen /t C:\Users\Public\windbg.log

# Automatically determine file name from process or file information and save
.logopen /d

# Append to existing log file
.logappend C:\Users\Public\windbg.log

# Close and end recording
.logclose

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe -logo  C:\Users\Public\debug.log

# Output ext extension help
!ext.help

analyze [-v][level]        - Analyzes current exception or bugcheck (levels are 0..9)
owner [symbol!module]      - Displays the Owner for current exception or bugcheck
comment                    - Displays the Dump's Comment(s)

error [errorcode]          - Displays Win32 or NTSTATUS error string
gle [-all]                 - Displays the Last Error & Last Status of the current thread

address [address]          - Displays the address space layout
        [-UsageType]       - Displays the address space regions of the given type

cpuid [processor]          - Displays the CPU information for a specific or all CPUs

exchain                    - Displays exception chain for the current thread

for_each_process <cmd>     - Executes command for each process
for_each_thread <cmd>      - Executes command for each thread
for_each_frame <cmd>       - Executes command for each frame in the current thread
for_each_local <cmd> $$<n> - Executes command for each local variable in the current frame,
                             substituting the fixed-name alias $u<n> for each occurrence of $$<n>

imggp <imagebase>          - Displays GP directory entry for 64-bit image
imgreloc <imagebase>       - Relocates modules for an image

str <address>              - Displays ANSI_STRING or OEM_STRING
ustr <address>             - Displays UNICODE_STRING

list [-? | parameters]     - Displays lists

cppexr <exraddress>        - Displays a C++ EXCEPTION_RECORD
obja <address>             - Displays OBJECT_ATTRIBUTES[32|64]
rtlavl <address>           - Displays RTL_AVL_TABLE
std_map <address>          - Displays a std::map<>

# Perform main analysis
!analyze -v

# Global flags
NTGLOBALFLAG

# Information recorded for processes or applications
PROCESS_BAM_CURRENT_THROTTLED
PROCESS_BAM_PREVIOUS_THROTTLED
APPLICATION_VERIFIER_FLAGS

# EXCEPTION_RECORD records information on the process that caused the exception and crash
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffce5c60910 (ntdll!LdrpDoDebuggerBreak+0x0000000000000030)
	ExceptionCode: 80000003 (Break instruction exception)
	ExceptionFlags: 00000000

# Stack callback at exception occurrence is recorded
# ~0s ; .cxr ; kb can output the same content
STACK_TEXT

# Display failure category
FAILURE_BUCKET_ID

# Output information on each memory block 
!address

# Output information on specified address
!address <Address>

# Output statistical information on memory in user mode debugging
!address -summary 

# Obtain handle information
!handle

# Dump detailed information on all handles
!handle 0 0xf

# Obtain detailed information on handle with handle ID 430
!handle 430 0xf

# Dump TEB information
!teb

# Dump PEB information
!peb

# Download pre-built binary from https://kashiwaba-yuki.com/file/dumpext.dll.
.load C:\Users\User\Downloads\dumpext.dll

# Export PE binary from process dump to "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64" as dump.out
!dumpext.dump_pe !<module_name>

# Confirm symbol settings
.sympath

# Set symbol cache and source
.sympath cache*C:\symbols;srv*https://msdl.microsoft.com/download/symbols
.reload

# Output/suppress details when loading symbols
!sym noisy
!sym quiet

# Force loading of mismatched symbols (not recommended)
.reload /f /i <modulename>

# Output list of loaded extensions
.chain

# Load additional extensions
.load <Extension DLL path>

# Display extension details
.extmatch /D /e <Module> *

# Launch help window
.hh

# Save as dump file
# https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-dump--create-dump-file-
.dump [options] FileName

# ?<Hex> allows decimal conversion
?ff
> Evaluate expression: 255 = 000000ff

# Display status of current process in user mode debugging
|

# Display debugging system
||

# Execute script defined in file
$<C:\windbgcmd.txt

# Execute as single command block (better for using breakpoints)
$><C:\windbgcmd.txt

# Set command arguments (not standard input)
# Can be used when using commands like .echo argument is ${$arg1}
$$>a<C:\windbgcmd.txt test_text

# Recursively call the script eaxstep that continues execution until 1234 is contained in eax register
# .if (@eax == 1234) { .echo 1234 } .else { t "$<eaxstep" }
t "$<C:\\eaxstep"

# Using IF token
.if (Condition) { Commands } 
.if (Condition) { Commands } .else { Commands } 
.if (Condition) { Commands } .elsif (Condition) { Commands } 
.if (Condition) { Commands } .elsif (Condition) { Commands } .else { Commands }

# $scmp performs evaluation equivalent to C++ strcmp, returns 0 when strings match
.if ($scmp("${$ImageName}","notepad.exe")) {  } .else { .echo match }