| Command | Example | Notes |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| dx -g | dx -g @$cursession.TTD.Calls("kernel32!CreateProcess*").Select( c => new {TimeStart = c.TimeStart, Function = c.Function, Parameters = c.Parameters,ReturnAddress = c.ReturnAddress}) | (Display Expression) -> -g renders the results as a grid: one row per call to a kernel32 export matching CreateProcess* in the trace, one column per selected property. The TimeStart column gives the TTD position to jump to with !tt. |
| dx -r1 | dx -r1 @$cursession.TTD.Calls("kernel32!CreateProcess*").Select( c => new {TimeStart = c.TimeStart, Parameters = c.Parameters, ReturnAddress =c.ReturnAddress})[0].Parameters | (Display Expression) -> -r1 limits recursive expansion to one level, so [0].Parameters shows the parameters of the first matching call without expanding what they point to. |
| !tt | !tt 58243:104D | Time-travels to the given position (sequence:steps, in hex; the TimeStart value of a call from the query above), placing the trace at the beginning of the function. The stack can then be examined to view the arguments. |
| dd | dd /c 1 esp+4 L10 | (Display DWORDs).<br><br>Displays the stack as one column (/c 1), starting at esp+4, for 0x10 (16) DWORDs (L10; WinDbg reads the count in hex). esp+4 is used because at the start of the function the DWORD at esp is the return address; the first argument follows it. Look up the API on MSDN to know how many arguments to list. If an argument is a pointer to a struct, run the same command on that address to view the struct's contents. This applies to 32-bit (x86) traces, where arguments are passed on the stack; on x64 the first four integer arguments are in rcx, rdx, r8 and r9. |
| da | da poi (esp+4) | (Display ASCII)<br><br>poi dereferences the pointer stored at esp+4, the first stack argument, and da prints the NUL-terminated ANSI string it points to (for CreateProcessA this is lpApplicationName). For the wide-character CreateProcessW use du instead. |
| db | db 0x9810af0 | (Display Bytes) hex and ASCII dump of the source buffer at the given address; a quick check that it starts with an MZ header before parsing it with !dh. |
| !dh | !dh 0x9810af0 | (Dump Headers) parses the PE headers at the address: DOS header, file header, optional header and the section table, including each section's virtual address and size. |
| .writemem | .writemem c:\users\flare\Desktop\text.bin 0x984cb10 L0x3b600 | Writes a range of memory to a file. The example dumps the .text section: the start address is the section's location within the buffer and L0x3b600 is its size in bytes, both taken from the !dh (Dump Headers) output. |
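The last three rows read the section table by hand out of `!dh` and type the address and length into `.writemem`. As an added example (not code from the original page or the analyst's own tooling), the Python below parses the same header fields from a dumped buffer and emits the `.writemem` command for every section. The sample image is a constructed minimal PE32 whose `.text` section has the size used in the table; the buffer address `0x9810af0` and the FLARE desktop path are taken from the table; the `mapped` switch is an assumption about whether the buffer holds the file as it is on disk (sections at PointerToRawData) or as loaded in memory (sections at VirtualAddress), since `!dh` prints both.

```python
"""Derive .writemem arguments from a PE's section table (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA of the section once the image is mapped
    virtual_size: int      # bytes occupied in memory
    raw_pointer: int       # offset of the section in the file image
    raw_size: int          # bytes stored in the file image


def parse_pe(image: bytes) -> Tuple[int, List[Section]]:
    """Return (ImageBase, sections) from the headers, the fields !dh prints."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("buffer does not start with an MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE signature")
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    sec_table = opt + opt_size  # section table follows the optional header
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, sec_table + i * 40)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, raw_ptr, raw_size))
    return image_base, sections


def writemem_commands(image: bytes, buffer_address: int, out_dir: str,
                      mapped: bool = True) -> List[str]:
    """One .writemem per section; WinDbg's L<n> is a byte count for .writemem."""
    _, sections = parse_pe(image)
    cmds = []
    for s in sections:
        if mapped:
            start, length = buffer_address + s.virtual_address, s.virtual_size
        else:
            start, length = buffer_address + s.raw_pointer, s.raw_size
        if length == 0:
            continue  # e.g. a .bss-style section with no bytes to dump
        stem = s.name.lstrip(".") or "section"
        cmds.append(f".writemem {out_dir}\\{stem}.bin 0x{start:x} L0x{length:x}")
    return cmds


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not from the page): two sections, .text 0x3b600 bytes."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    rows = [(b".text", 0x3B600, 0x1000, 0x3B600, 0x400, 0x60000020),
            (b".data", 0x2000, 0x3D000, 0x1000, 0x3BA00, 0xC0000040)]
    sec_table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                         for n, vs, va, rs, rp, ch in rows)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + sec_table


if __name__ == "__main__":
    for cmd in writemem_commands(build_sample_pe(), 0x9810af0, r"c:\users\flare\Desktop"):
        print(cmd)
```

In a live session the image bytes come from a `.writemem` of the whole buffer (or of just its headers) rather than from `build_sample_pe`; run the script on that file and paste the emitted commands back into WinDbg. Pick `mapped=False` when `!dh` shows the buffer still laid out as a file (section data at PointerToRawData), which is what an embedded payload usually looks like before it is mapped.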