// ------------------------------- GENERAL ---------------------------------
!address mem => info about the memory region containing mem
!analyze -v => analyze crash
r => registers
dS => print UNICODE_STRING
db 0x1245 => dump binary memory at address 0x1245
poi() => pointer dereference (reads the pointer-sized value at an address). Ex db poi(poi(Thing)+0x18) => dump the memory pointed to by the value at *Thing + 0x18
cls => clear screen
~~[6a28]s => switch to the thread with system thread ID 0x6a28
k => callstack
// Reference of common
// http://windbg.info/doc/1-common-cmds.html
// ------------------------- CONTROL FLOW ----------------------------------
// Set breakpoint with symbols loaded
bp module!myfunction
// Set a deferred breakpoint that resolves once the module loads, e.g. before a driver is loaded
bu module!myfunction
// Remove breakpoint n
bc <n>
// Skip DriverEntry if it's bsoding or anything :) (x86: jump to the return address and drop it plus the two stdcall arguments, 0xC bytes)
// Can use this to skip other functions (adjust the 0xC to the callee's return address + argument size)
bu myDriver!DriverEntry "r eip = poi(@esp); r esp = @esp + 0xC; .echo myDriver!DriverEntry skipped; g"
// ----------------------------- SYMBOLS -----------------------------------
// Symbol path: local cache first, then a private symbol server, then Microsoft's public symbol server (over https)
.sympath cache*D:\custom\cache\path;srv*\\CUSTOM_SYMBOL\SERVER;srv*https://msdl.microsoft.com/download/symbols;
// If the symbols don't match exactly, you can force loading them with this
// Beware this can make the stack trace a bit of a mess
.symopt+0x40
// Reload symbols; always use the module name with its extension
.reload /f driver.sys
// Verbose symbol loading diagnostics; use `!sym quiet` to turn them off again
!sym noisy
// Info about module
lmv m program
.reload /i program.exe
// Verification, note: module name without extension!
!lmi nt => verify symbols loaded
// See all modules
x *!
// ---------------------------- MEMORY LEAKS -------------------------------
// gflags
!gflag => show enabled flags, e.g. 0x00001000 => user-mode stack trace database enabled
// Enable user-mode stack traces (+ust) for the target's heap allocations
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\gflags.exe" /i LeakExample.exe +ust
!address -summary => summarize address space usage
!heap -s => Not super reliable, but lists heaps
!heap -stat -h #heapaddr => lists usage of top allocs, by block size/count (hex!)
!heap -flt s #size
!heap -flt s #size => lists allocs of blocks of given size, including usrptr
!heap -p -a #usrptr => if available (needs +ust), lists the stack trace of said alloc
u #addr => unassemble (show asm and source if possible). #addr may be module relative.
// Display the stack when allocating memory
// Break on RtlAllocateHeap and match the heap handle you want (x86: first arg at esp+4, ex 0x12345678)
// and filter for certain allocation sizes (third arg at esp+c, ex 0x123)
// After printing the stack ('k'), continue ('gc')
bp ntdll!RtlAllocateHeap "j ((poi(@esp+4) = 0x12345678) & (poi(@esp+c) = 0x123) )'k';'gc'"
// View nonpaged pool usage, top 5 entries by bytes
!poolused /t 5 0x2
!vm
!memusage
!for_each_module s -a @#Base @#End "Proc "
ln 8096c909
lm a 8096c909
!for_each_module s -d @#Base @#End 8096c8cc
// Memory POOLs. BEWARE: on XP, you must activate pool tagging with gflags first
!poolused
// ------------------------------- UTILITIES -----------------------------------
// Show information about the loaded dump file (dump the dump, heh)
.dumpdebug
// Reg
!reg q \registry\machine\system\controlset001
!reg q \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\myDriver
// hive then subkey
!reg keyinfo e1036b60 d1402e8c
// Enable DbgPrint output in the debugger (default component filter mask)
ed Kd_DEFAULT_Mask 0x8
!dbgprint
// Service control commands from a normal command prompt (not WinDbg). Note: the spaces after '=' are required!
sc create FsFilter type= filesys binPath= c:\FSFilter.sys
sc start FsFilter
sc stop FsFilter
sc delete FsFilter
.sympath cache*C:\symbols;C:\symbolsaux\symbolsforcleaning;srv*https://msdl.microsoft.com/download/symbols
// WOW64 (32-bit process on 64-bit Windows)
!wow64exts.k => show the 32-bit stack in a 64-bit dump of a 32-bit (WOW64) process
!wow64exts.sw => switch between 64-bit and 32-bit mode