Cheat Sheet for Dump Analysis and Live Debugging with WinDbg

# Set cache and symbol store (replace)
.sympath cache*C:\Users\kash1064\Documents\symbols;srv*C:\Users\kash1064\Documents\symbols*https://msdl.microsoft.com/download/symbols

# Add symbol store setting
.sympath+ C:\Users\kash1064\Downloads

# Confirm current settings
.sympath

# Load symbol files
.reload /f HEVD.sys
.reload /f

# To confirm detailed logs when loading symbols
!sym noisy
.reload /f HEVD.sys
!sym quiet

# Enumerate modules
lm

# Enumerate modules starting with a
lm m a*

# Display module information, can also display timestamps, etc.
# !lmi can also be used to get detailed module information
lm Dvm <modulename>

# Resolve the address of the main function of the module from symbols
x modulename!*main*

# Enumerate function names starting with a
x /D /f modulename!a*

# Resolve symbol name from address
ln address

# Display list of registers
r

# Display specific registers, multiple registers
r eip
r zf
r eax,ebx,ecx,edx,ebp,eip

# Rewrite register values
r eax=00000001
r zf=0

# Display registers assigned to the second thread
# Or switch the current thread with ~1s and then output
~1 r

# Display registers associated with all threads
~* r eax

# Display xmm0 as unsigned 16-byte, xmm1 as double-precision floating-point
r xmm0:16ub, xmm1:d

# Display pseudo registers
r $peb,$teb

# Copy the value of ebx to eax
r eax = @ebx

# Output Hex and ASCII in memory range or offset
dc 0x1000 0x1200

# L indicates object count
# dc @addr L1 is 1 DWORD, dq @addr L1 is 1 QWORD
dc @eip L1
dc 0x1000 L20

# Can also reference addresses or registers holding addresses
dc 0x1000
dc eax

# dps, dqs display values in pointer size and symbols if resolvable
dps rsp
dqs rsp

# Display memory in 32bit(ddp), 64bit(dqp)
ddp 0x1000
dqp 0x1000

# Display as ASCII string
da 0x1000

# Display as UNICODE string
du rsp+0x40

# Rewrite byte values
eb 0x1000 

# Rewrite ASCII string
ea 0x1000 "change ascii"

# Using pseudo registers, $p holds the result of the most recent d* command
dd r11 L1 ; ? $p

# Search for DWORD value H in the range from RSP address to 1000000 bytes
s -d @rsp L1000000 'H'

# Search for ASCII string Hello in the range from RSP address to 10000000 bytes
s -a @rsp L10000000 "Hello"  

# Search for ASCII string Hello in a wide range from 0 to 0x7fffffff
# L? specification is mandatory when searching ranges larger than 256 MB
s -a 0 L?7fffffff "Hello"

# Unicode strings can also be searched similarly
s -u @rsp L1000000 'Hello'
s -u 0 L?7fffffff "Hello"

# Search for "ASCII strings longer than 4 characters" in the range from RSP address to 400 bytes
s -[l4]sa @rsp L400

# Search for "ASCII strings longer than 4 characters" from "writable addresses" in the range from RSP address to 400 bytes
s -[wl4]sa @rsp L400

# Save 0x100 bytes of memory data from address 0xb3f668 to C:\Temp\output.bin
.writemem C:\Temp\output.bin 0xb3f668 L0x100

# Save 0x1ce00 bytes of memory data from binary offset 3000 to C:\Temp\output.exe
.writemem C:\Temp\output.exe binary+3000 L0x1ce00

# Output assembly code from EIP (ub outputs in reverse direction)
u
ub

# Output 10 lines of assembly code from specified address
u 0x1000 L10

# Can also use registers containing addresses
u eax L10
u eip L20

# Output the entire code of a specific function from function address or symbol name
uf 0x1000
uf module!function

# Extract only call instructions in the target routine
uf /c 0x1000

# Output local variables in current scope (/t displays type names)
dv
dv /t

# Variable type names can also be resolved with dt command
dt local_val_name

# Resolve structures from symbol names or addresses
dt MyStruct

# To enumerate substructures recursively, use -r or -b
dt -r MyStruct

# You can specify the hierarchy of structures to display recursively with -r1 -r2, etc.
dt -r2 MyStruct

# Can enumerate type information of kernel structures
dt nt!_*
dt nt!*PEB*

# To get actual values, specify the address of the structure
dt nt!_EPROCESS <EPROCESS address>

# Can extract only specific values by specifying subtype names
dt nt!_EPROCESS ImageFileName <EPROCESS address>

# -l option traverses linked lists to dump structure information
# -y option outputs lines that start with the specified string
# -o option hides offsets
# -i option does not indent subtypes
dt nt!_EPROCESS -l ActiveProcessLinks.Flink  -y Ima -yoi Uni <EPROCESS address>

# dt cannot get substructure information, so use -r or -b switch
dt ntdll!_EPROCESS -r <EPROCESS address>
dt ntdll!_EPROCESS -b <EPROCESS address>

# Reference table information
!dh -f !<module_name>

# Enumerate import table information from identified address and size
dps !<module_name>+<IAT address> !<module_name>+<IAT address>+<IAT size>

# Enumerate DOS header
dt /r _IMAGE_DOS_HEADER @@masm(!<module_name>)

# Enumerate NT header (FileHeader / OptionalHeader)
# e_lfanew is obtained from the PE header pointer at 0x3C of DOS header
dt /r _IMAGE_NT_HEADERS64 @@masm(!<module_name>+<e_lfanew value>)

# Get the first SectionHeader by adding the size of NT header FileHeader to the address where SizeOfOptionalHeader value is added
dt /r _IMAGE_SECTION_HEADER @@masm(!<module_name>+0xF8+0x018+<SizeOfOptionalHeader>)

# By adding the size of _IMAGE_SECTION_HEADER which is 0x28, you can refer to the information of the next section (need to load structure symbols in advance)
dt /r _IMAGE_SECTION_HEADER @@masm(!<module_name>+0xF8+0x018+<<SizeOfOptionalHeader>+0x28>)

# Set breakpoint at offset
bp module+0x123
bu dllmodule!DLLMain

# Set breakpoints collectively on multiple modules starting with mem
bm myprogram!mem*

# Stop execution on the 7th time the processing set with breakpoint is called
bp MyTest+0xb 7

# After matching the breakpoint, output EAX and variable MyVar, then automatically resume execution
bp ntdll!RtlRaiseException "r eax; dt MyVar; gc"

# Output arbitrary string with echo and continue processing
bp module!myFunction ".echo myFunction executed; gc"

# Basic syntax of IF conditional expression
bp module!myFunction ".if () {} .else {}"

# Dereference var address with poi, compare with decimal 10
# If matches, do nothing and break; if not, continue processing
bp module!myFunction ".if ( poi(var) == 0n10 ) {} .else { gc }"

# The following achieves the same result
bp module!myFunction "j ( poi(var) == 0n10 ) ''; 'gc'"

# Clear all breakpoints
bc *

# Set one-shot breakpoint with /1 (breaks only once)
bp /1 nt!IoCreateDevice

# Break when read access occurs on 4-byte area from variable name or variable address
ba r4 myVar
ba r4 0x1000

# Break when write access occurs on target
ba w4 0x1000

# Break when I/O occurs on ports from 3f8 to 3f8+4 (kernel debugging only)
ba i4 3f8

# Enumerate currently set breakpoints
# The breakpoint ID displayed here can be used to specify targets in other management commands
bl

# Disable all breakpoints
bd *

# Disable only breakpoint with ID 1
bd 1

# Enable all breakpoints
be *

# Enable only breakpoint with ID 1
be 1

# List the commands used for current breakpoint settings in order from top
.bpcmds

# Change breakpoint ID
# Can also batch change multiple IDs
br OldID NewID
br OldID NewID OldID2 NewID2 OldID3 NewID3 

# Can modify the command part of the breakpoint
bs ID ["CommandString"] 

# Can change breakpoint condition statements
bsc ID Condition ["CommandString"] 

# Break when loading HEVD.sys driver
sxe ld HEVD.sys

# Set one-shot breakpoint on nt!IoCreateDevice after load break
bp /1 nt!IoCreateDevice

# Perform step over operation
p (or F10)

# Execute 5 lines of step over
p 5

# Execute WinDbg command after step over
p "k;r eax"

# Repeat Step Over until reaching specified address
pa StopAddress

# Step Over until next call instruction line
pc

# pc can also execute count
pc 3

# Step Over until next ret instruction line
pt

# Step Over until next call or ret instruction line
pct

# Step Over until next branching instruction
ph

# Record command output in any log file (ASCII text)
.logopen C:\Users\Public\windbg.log

# Record command output in any log file with the process ID and current date/time added (/t)
.logopen /t C:\Users\Public\windbg.log

# Automatically determine the file name from process or file information and save it
.logopen /d

# Append to an existing log file
.logappend C:\Users\Public\windbg.log

# Close the file and stop recording
.logclose

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe -logo  C:\Users\Public\debug.log

# Output help for the ext extension
!ext.help

analyze [-v][level]        - Analyzes current exception or bugcheck (levels are 0..9)
owner [symbol!module]      - Displays the Owner for current exception or bugcheck
comment                    - Displays the Dump's Comment(s)

error [errorcode]          - Displays Win32 or NTSTATUS error string
gle [-all]                 - Displays the Last Error & Last Status of the current thread

address [address]          - Displays the address space layout
        [-UsageType]       - Displays the address space regions of the given type

cpuid [processor]          - Displays the CPU information for a specific or all CPUs

exchain                    - Displays exception chain for the current thread

for_each_process <cmd>     - Executes command for each process
for_each_thread <cmd>      - Executes command for each thread
for_each_frame <cmd>       - Executes command for each frame in the current thread
for_each_local <cmd> $$<n> - Executes command for each local variable in the current frame,
                             substituting the fixed-name alias $u<n> for each occurrence of $$<n>

imggp <imagebase>          - Displays GP directory entry for 64-bit image
imgreloc <imagebase>       - Relocates modules for an image

str <address>              - Displays ANSI_STRING or OEM_STRING
ustr <address>             - Displays UNICODE_STRING

list [-? | parameters]     - Displays lists

cppexr <exraddress>        - Displays a C++ EXCEPTION_RECORD
obja <address>             - Displays OBJECT_ATTRIBUTES[32|64]
rtlavl <address>           - Displays RTL_AVL_TABLE
std_map <address>          - Displays a std::map<>

# Run the main analysis
!analyze -v

# Global flags
NTGLOBALFLAG

# Information related to the process or application is recorded
PROCESS_BAM_CURRENT_THROTTLED
PROCESS_BAM_PREVIOUS_THROTTLED
APPLICATION_VERIFIER_FLAGS

# EXCEPTION_RECORD contains information about the exception and the process that crashed
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffce5c60910 (ntdll!LdrpDoDebuggerBreak+0x0000000000000030)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000

# The call stack at the time of the exception is recorded
# The same content can also be output with the command ~0s ; .cxr ; kb
STACK_TEXT

# Display the problem category
FAILURE_BUCKET_ID

# Output information for each memory block
!address

# Output information for the specified address
!address <Address>

# Output memory statistics in user-mode debugging
!address -summary

# Obtain handle information
!handle

# Dump detailed information for all handles
!handle 0 0xf

# Obtain detailed information for the handle whose handle ID is 430
!handle 430 0xf

# Dump TEB information
!teb

# Dump PEB information
!peb

# Download the built binary in advance from https://kashiwaba-yuki.com/file/dumpext.dll.
.load C:\Users\User\Downloads\dumpext.dll

# Export the PE binary from a process dump as dump.out to "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64"
!dumpext.dump_pe !<module_name>

# Check symbol settings
.sympath

# Set the symbol cache and source
.sympath cache*C:\symbols;srv*https://msdl.microsoft.com/download/symbols
.reload

# Output or suppress detailed information when loading symbols
!sym noisy
!sym quiet

# Force-load mismatched symbols (not recommended)
.reload /f /i <modulename>

# Output the list of loaded extensions
.chain

# Load an additional extension
.load <Extension DLL path>

# Display extension details
.extmatch /D /e <Module> *

# Open the help window
.hh

# Save as a dump file
# https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-dump--create-dump-file-
.dump [options] FileName

# ?<Hex> can convert to decimal
?ff
> Evaluate expression: 255 = 000000ff

# You can also evaluate arithmetic results like this
?ffff-f
> Evaluate expression: 65520 = 0000fff0

# Display the status of the current process in user-mode debugging
|

# Display the systems being debugged
||

# Run the script defined in the file
$<C:\windbgcmd.txt

# Run as a single command block (better if you use breakpoints)
$><C:\windbgcmd.txt

# Set command arguments (not standard input)
# Can be used with commands such as .echo argument is ${$arg1}
$$>a<C:\windbgcmd.txt test_text

# Recursively call the eaxstep script that continues execution until eax contains 1234
# .if (@eax == 1234) { .echo 1234 } .else { t "$<eaxstep" }
t "$<C:\\eaxstep"

# Using the IF token
.if (Condition) { Commands }
.if (Condition) { Commands } .else { Commands }
.if (Condition) { Commands } .elsif (Condition) { Commands }
.if (Condition) { Commands } .elsif (Condition) { Commands } .else { Commands }

# $scmp evaluates like C++ strcmp, so it returns 0 when the strings match
.if ($scmp("${$ImageName}","notepad.exe")) {  } .else { .echo match }

# Reassign to pseudo-register $t1 the value pointed to by the address in $t1
r $t1 = poi(@$t1)

# WinDbg for syntax (separated with semicolons, not commas)
.for (InitialCommand ; Condition ; IncrementCommands) { Commands }

# foreach syntax
.foreach [Options] ( Variable  { InCommands } ) { OutCommands }
.foreach [Options] /s ( Variable  "InString" ) { OutCommands }
.foreach [Options] /f ( Variable  "InFile" ) { OutCommands }

# If you want to keep looping
.while (1) { Commands }

# Run a for loop using pseudo-registers
.for (r $t1 = 0; $t1 < 7; r $t1 = $t1 + 1) { r $t1 }

# Jump to the next loop with continue
.for (r $t1 = 0; $t1 < 7; r $t1 = $t1 + 1) { .if ( $t1 == 3 ) { .echo skip ; .continue } ; r $t1 }

# Stop the loop with break
.for (r $t1 = 0; $t1 < 7; r $t1 = $t1 + 1) { .if ( $t1 == 3 ) { .echo stop ; .break } ; r $t1 }

.logopen /t C:\Users\Public\windbg.log
.while (1) { pc;.echo rcd;dc @rcx L10;.echo rdx; dc @rdx L10;.echo r8; dc @r8 L10;.echo r9; dc @r9 L10;.echo stack; dc @rsp L10;.echo rip; u rip L1 }

Commands ; .block { Commands } ; Commands

# Define a string or number
as Name 10
aS Name "Test Value" ; .block { .echo Name }

# Define an ASCII string from Address up to the null terminator
as /ma Name Address

# Define a Unicode string from Address up to the null terminator
as /mu Name Address

# Define a 64-bit value from Address
as /x Name Expression

# Define a value equivalent to the contents of a file
aS /f Name File

# Define a value from command output
as /c Name CommandString

# Output the value of a pseudo-register
? $ip
? @$ip
r $ip
r @$ip

# Define an arbitrary pseudo-register
r $t0 = 7

# Use a pseudo-register to dereference a pointer at an arbitrary address with poi
r $t0 = nt!PsActiveProcessHead;r $t1 = poi(@$t0);r $t1

# Perform arithmetic using pseudo-registers
?? @$t0+10

# Define a pseudo-register with a type using the r command
r? $t15 = * (UNICODE_STRING*) 0x12ffbc

# Stop execution only when the current thread calls ntopenfile
bp /t @$thread nt!ntopenfile

$$  Get process list LIST_ENTRY in $t0.
r $t0 = nt!PsActiveProcessHead

$$  Iterate over all processes in list.
.for (r $t1 = poi(@$t0);
      (@$t1 != 0) & (@$t1 != @$t0);
      r $t1 = poi(@$t1))
{
    r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
    as /x Procc @$t2

    $$  Get image name into $ImageName.
    as /ma $ImageName @@c++(&@$t2->ImageFileName[0])

    .block
    {
.if ($scmp("notepad.exe","${$ImageName}")) { } .else {.echo ${$ImageName} at ${Procc}}
    }

    ad $ImageName
    ad Procc
}

g ;p ;.if (@zf == 1) { .printf "Solver: R8 is %d\n", @r8 ; $$< C:\CTF\script.txt } .else { .echo "Fail." ; .kill }

# In user-mode debugging or process dump analysis, dump the call stacks of all threads
~*k

# Set thread number 3 as the current context
~3s

# Dump TEB information
!teb

# Output the structure using the TEB address identified by !teb
dt ntdll!_TEB <TEB address>

# Dump PEB information
!peb

# Output the structure using the PEB address identified by !peb
dt ntdll!_PEB <PEB address>

# Display the stack backtrace (the leading number is the frame number)
# Display it together with the frame number (n), frame pointer (v), and memory size used by the frame (f)
kvnf

# Display the stack backtrace of all threads
~*kvnf

# Display only the stack backtrace of a specific thread
~1kvnf

# Display the call stacks of all threads in the current process
!uniqstack

# Display local variables for the specified frame number
# /t displays variable types, and /V displays relative addresses of local variables
.frame 01;dv
.frame 01;dv /t /V

# Display register information for the specified frame number
.frame /r 9

# Specify a frame number and set that frame as the current context
.frame /c 9

# Enumerate information about NT kernel structures
dt nt!_*
dt nt!_*interrupt*

# Dump information about a kernel structure
dt nt!_KINTERRUPT

# Enumerate all processes in the system
!process 0 0

# Get full detailed information for a specific process
!process 0 7 notepad.exe

# Get information about the EPROCESS structure for the specified process
dt nt_EPROCESS <address of the EPROCESS block identified by !process>

# Change the debugger context to the specified process (so that commands like !peb become available)
.process /r /P <address of the EPROCESS block identified by !process>

# Traverse all processes (you can also issue commands to all processes)
!for_each_process

# Get the pointer address to ActiveProcessLinks of the System process
r $t0 = nt!PsActiveProcessHead;r $t1 = poi(@$t0);r $t1

# Check the offset of ActiveProcessLinks.Flink
dt nt!_EPROCESS ActiveProcessLinks
> +0x448 ActiveProcessLinks

# Dump _EPROCESS (output equivalent to .process 0 0)
dt nt!_EPROCESS -l ActiveProcessLinks.Flink -y Ima -yoi Uni $t1-0x448

# Reference TEB information
!teb <TEB address>

!handle notepad.exe

# Output physical memory usage statistics
!memusage

# Output virtual memory usage statistics
!vm

# Identify the memory region used by a specific process
!address <address of the EPROCESS block identified by !process>

.cxr <Address> ; kb

# Get a list of active sessions
!session

# Set session ID 1 as the current active session
!session -s 1

# Enumerate processes in the current session
!sprocess

# View detailed information for the session
dt nt!_MM_SESSION_SPACE ffffd080ba83d000

# You can also output memory usage for each session region
!vm 4

# Output KPRCB information for the specified processor
!prcb <CPU number>

# Dump KPCR information
dt nt!_KPCR @$pcr

# Investigate a pool tag name
!poolused 0 <tag name>

# Investigate pool
!pool <address of pool region>

# Find the pool address from a pool tag (very slow, so use PoolHitTag in live debugging)
!poolfind -tag "<tag name>"

# Display a managed code stack trace
!clrstack

# Switch to a specific thread context and display a managed code stack trace
~9s ; !clrstack

# Display the managed stacks of all threads
~*e !clrstack

# Display a managed code stack trace together with parameter and local variable information
!clrstack -p -l
!clrstack -a

# DumpStackObjects: display all managed objects found within the current stack range
!dso

# DumpObj: display information about the object at the specified address
!do <object address>

# Display all managed threads in the process
!threads

# Host side
dbgsrv.exe -t tcp:port=1234

# Client side (after WinDbg starts, you can attach to a process and so on)
WinDbgX.exe -premote tcp:port=1234,server=192.168.50.8

# Start the notepad.exe process in the virtual machine and debug it
WinDbgX.exe -premote tcp:port=1234,server=192.168.50.8 C:\Windows\System32\notepad.exe

# Enumerate filter driver information (the fltmc command is also useful)
!fltkd.filters 1

# Get detailed information for a specific filter by specifying that filter's FLT_FILTER address
!fltkd.filter ffffac8ce4df1010

# Use the DeviceObject address identified here to display detailed information
dt nt!_DRIVER_OBJECT ffffac8ce357c850
>
+0x000 Type             : 0n4
+0x030 DriverExtension  : 0xffffac8c`e357c9a0 _DRIVER_EXTENSION
+0x070 MajorFunction    : [28] 0xfffff800`65e72000     long  +fffff80065e72000

# Next, identify the offset to MajorFunction in DeviceObject and display information for MajorFunction
# You can also get similar information by clicking the MajorFunction link
dps ffffac8ce357c850 + 0x70 L0n28

# You can also investigate the structure from the DRIVER_EXTENSION address
dt nt!_DRIVER_EXTENSION ffffac8ce357c850+0x30

# Output detailed information when loading nt symbols
!sym noisy; .reload /f nt