@AxDSan
Created March 18, 2023 16:58
Reversing .NET Assemblies - Useful commands

Reversing .NET using WinDBG

Here are some useful CLR commands for analyzing and debugging .NET applications. Most of them come from the SOS debugging extension, so they work in WinDbg and in any other debugger that can load SOS.

Heap and Memory Commands

These commands can be used to analyze the heap and memory of the managed process.

  • !dumpheap : Displays information about objects on the managed heap.
    • Usage: !dumpheap [-stat] [-type <typename>]
    • Example: !dumpheap -stat to display statistics about all objects on the heap.
    • Example: !dumpheap -type System.String to display information only for objects whose type name matches "System.String".
  • !eeheap : Displays information about the managed heap.
    • Usage: !eeheap [-gc] [-gcHandle] [-loader] [-class] [-stat]
    • Example: !eeheap -gc to display information about the garbage collector heap.
    • Example: !eeheap -class to display information about the classes loaded in the process.
  • !dumpobj : Displays information about a specific object.
    • Usage: !dumpobj <object>
    • Example: !dumpobj 0x12345678 to display information about the object at memory address 0x12345678.
  • !gcroot : Displays information about the roots of an object.
    • Usage: !gcroot <object>
    • Example: !gcroot 0x12345678 to display information about the roots of the object at memory address 0x12345678.
  • !do : Displays information about a specific object.
    • Usage: !do <object>
    • Example: !do 0x12345678 to display information about the object at memory address 0x12345678.
  • !dumpstack : Displays the stack trace for the current thread.
    • Usage: !dumpstack
    • Example: !dumpstack to display the stack trace for the current thread.
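The heap commands above are most useful when chained: per-type statistics first, then the objects of one type, then each object's fields and the roots that keep it alive. The following WinDbg script does exactly that; it is an added example, not part of the original gist. The script path, the choice of System.String as the filter type and the 0x1000-byte size floor are assumptions; the script targets a .NET Framework process or dump (hence .loadby sos clr).

```windbg
$$ Added example: managed-heap triage for WinDbg + SOS (not part of the original gist).
$$ Run it with  $$>< C:\scripts\heap-triage.wds  (the path is an assumption).
$$ $$>< joins the lines into one command block, which the multi-line .foreach below needs.

.loadby sos clr

$$ 1. Per-type statistics: which types dominate the heap by count and total size.
!dumpheap -stat

$$ 2. Narrow to one type. -min keeps only objects of at least 0x1000 bytes
$$    (System.String and 0x1000 are sample values, change them for the case at hand).
!dumpheap -type System.String -min 0x1000

$$ 3. Walk those objects. -short prints only the addresses, one token each,
$$    so .foreach can feed every address to !do (fields) and !gcroot (why it is alive).
.foreach (obj {!dumpheap -type System.String -min 0x1000 -short}) {
    .echo ---- object obj ----
    !do obj
    !gcroot obj
}

$$ 4. Where the heap lives: GC segments and per-generation sizes.
!eeheap -gc
```

Step 3 can be slow on a large heap because !gcroot scans every root; raise the -min floor or use -mt with a MethodTable taken from the -stat output to keep the object set small.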

Debugging Commands

These commands can be used to set breakpoints and view debugging information.

  • .loadby sos clr : Loads the SOS debugging extension from the CLR's directory; run it in WinDbg before using the ! commands below.
    • Usage: .loadby sos clr
  • bp : Sets a breakpoint in a method.
    • Usage: bp <module>!<method>
    • Example: bp MyAssembly!MyClass.MyMethod to set a breakpoint on the MyMethod method in the MyClass class in the MyAssembly module.
  • !bpmd : Sets a breakpoint in a method.
    • Usage: !bpmd <module> <method> [ilOffset]
    • Example: !bpmd MyAssembly MyNamespace.MyClass.MyMethod to set a breakpoint on the MyMethod method in the MyClass class in the MyAssembly module.
  • !clrstack : Displays the call stack for the current thread.
    • Usage: !clrstack [-a] [-p] [-l]
    • Example: !clrstack to display the call stack for the current thread.
  • !dumpil : Displays the IL code for a method.
    • Usage: !dumpil <method>
    • Example: !dumpil MyAssembly!MyClass.MyMethod to display the IL code for the MyMethod method in the MyClass class in the MyAssembly module.
  • !dumpbin : Displays the binary code for a method. The output includes the binary code and assembly instructions for the specified method.
    • Example: !dumpbin -raw <MethodTable>
  • !name2ee : Displays the method table for a method. Takes a module name and a method name as arguments and returns the MethodTable pointer for the specified method.
    • Example: !name2ee mscorlib.dll System.String.ToCharArray
  • !ip2md : Displays the method descriptor for a method. Takes a method pointer as an argument and returns the MethodDesc pointer for the specified method.
    • Example: !ip2md 00007ffd5b5b5d5c
  • !dumpmodule : Displays information about a module. Takes a module name or address as an argument.
    • Example: !dumpmodule System.Windows.Forms
  • !dumpassembly : Displays information about an assembly. Takes an assembly name or address as an argument.
    • Example: !dumpassembly System.Windows.Forms
  • !dumpclass : Displays information about a class. Takes a class name or MethodTable pointer as an argument.
    • Example: !dumpclass System.Object
  • !dumpinterface : Displays information about an interface. Takes an interface name or MethodTable pointer as an argument.
    • Example: !dumpinterface System.IDisposable
  • !dumpvc : Displays information about a value class. Takes a value class name or MethodTable pointer as an argument.
    • Example: !dumpvc System.Decimal
  • !dumparray : Displays information about an array. Takes an array address as an argument.
    • Example: !dumparray 000001e99f7855c0
  • !dumpstack : Displays the stack trace for the current thread.
    • Example: !dumpstack
  • !dso : Displays the managed objects on the stack.
    • Example: !dso
  • !clrprof : Displays profiling information.
    • Example: !clrprof
  • !dumpmd : Displays metadata for a method. Takes a MethodDesc pointer as an argument and returns metadata information for the specified method.
    • Example: !dumpmd 00007ffd5b5b5d5c
  • !dumpmt : Displays the method table for a class. Takes a class name or MethodTable pointer as an argument and returns the MethodTable pointer for the specified class.
    • Example: !dumpmt System.Object
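The debugging commands also form a natural chain: set a managed breakpoint, stop in the method, read the managed stack, then go from the instruction pointer to the MethodDesc and from there to the method's metadata and IL. The WinDbg script below performs that chain; it is an added example, not part of the original gist. MyAssembly.dll and MyNamespace.MyClass.MyMethod are the gist's placeholder names, the script path is an assumption, and the script targets a .NET Framework process (hence .loadby sos clr).

```windbg
$$ Added example: break on a managed method and inspect it (not part of the original gist).
$$ Run it with  $$>< C:\scripts\method-inspect.wds  (the path is an assumption).

.loadby sos clr

$$ 1. Managed breakpoint. !bpmd takes the module file name, so MyAssembly.dll rather than MyAssembly.
$$    It resolves even if the method has not been JIT-compiled yet (the placeholder names come from the gist).
!bpmd MyAssembly.dll MyNamespace.MyClass.MyMethod

$$ 2. Run until the breakpoint is hit. The commands after g execute once the target breaks.
g

$$ 3. At the break: managed call stack with arguments and locals, then every managed object
$$    referenced from the stack.
!clrstack -a
!dso

$$ 4. From the instruction pointer to the method. @$ip is the architecture-independent
$$    instruction-pointer pseudo-register. !ip2md prints "MethodDesc:   <address>" first,
$$    so .foreach skips one token (/pS 1), takes the address, and skips the rest (/ps 100).
.foreach /pS 1 /ps 100 (md {!ip2md @$ip}) {
    !dumpmd md
    !dumpil md
}

$$ 5. Resume. The !bpmd breakpoint stays set, so the next call to the method breaks again.
g
```

If !ip2md's output format differs in the SOS build in use, replace step 4 with a manual !ip2md @$ip and paste the MethodDesc value into !dumpmd and !dumpil by hand; the rest of the script is unaffected.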