WinDbg Commands – No opcode


The incredible collection of commands in WinDbg never fails to impress me whenever I come across a new one. I just found a new command, on the openrce forum, that disables the opcode display.

I have ignored the opcodes till now, or, putting it another way, the opcodes never bothered me 😉, but WinDbg also provides an option to turn the opcodes off in the console while debugging.

.asm no_code_bytes

The no_code_bytes option of the .asm command disables the display of opcodes. The documentation says the option applies to x86 targets only, but the dump below was taken on x64 Vista, so the documentation appears to be out of date. Here is an example of the command in use:

0:000> u
ntdll!ZwTerminateProcess+0xa:
00000000`7727053a c3              ret
00000000`7727053b 666690          xchg    ax,ax
00000000`7727053e 6690            xchg    ax,ax
ntdll!ZwSetEventBoostPriority:
00000000`77270540 4c8bd1          mov     r10,rcx
00000000`77270543 b82a000000      mov     eax,2Ah
00000000`77270548 0f05            syscall
00000000`7727054a c3              ret
00000000`7727054b 666690          xchg    ax,ax

0:000> .asm no_code_bytes
Assembly options: no_code_bytes
0:000> u
ntdll!ZwSetEventBoostPriority+0xe:
00000000`7727054e xchg    ax,ax
ntdll!ZwReadFileScatter:
00000000`77270550 mov     r10,rcx
00000000`77270553 mov     eax,2Bh
00000000`77270558 syscall
00000000`7727055a ret
00000000`7727055b xchg    ax,ax
00000000`7727055e xchg    ax,ax
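Disassembly pasted into a ticket or diffed between two machines arrives in whichever of the two layouts the debugger happened to be in, so here is an added Python example (written for this page, not code from the post or from WinDbg) that parses `u` output in both the default layout and the no_code_bytes layout, resolves every instruction to its nearest symbol, checks that the code-byte counts agree with the addresses, and re-renders a listing either way. The embedded sample listing is constructed from the first dump above, with the column spacing normalised.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the first `u` listing above, in the default layout
# (address, code bytes, mnemonic, operands), whitespace normalised.
LISTING_WITH_BYTES = """\
ntdll!ZwTerminateProcess+0xa:
00000000`7727053a c3              ret
00000000`7727053b 666690          xchg    ax,ax
00000000`7727053e 6690            xchg    ax,ax
ntdll!ZwSetEventBoostPriority:
00000000`77270540 4c8bd1          mov     r10,rcx
00000000`77270543 b82a000000      mov     eax,2Ah
00000000`77270548 0f05            syscall
00000000`7727054a c3              ret
00000000`7727054b 666690          xchg    ax,ax
"""

ADDR = r"(?P<addr>[0-9a-fA-F]{8}`[0-9a-fA-F]{8})"
# Default layout: address, hex code bytes, mnemonic, optional operands.
WITH_BYTES_RE = re.compile(ADDR + r"\s+(?P<bytes>[0-9a-fA-F]+)\s+(?P<mnem>\S+)(?:\s+(?P<ops>\S.*?))?\s*$")
# After `.asm no_code_bytes` the bytes column is gone; the second field is the mnemonic.
NO_BYTES_RE = re.compile(ADDR + r"\s+(?P<mnem>\S+)(?:\s+(?P<ops>\S.*?))?\s*$")
# Symbol label line such as "ntdll!ZwTerminateProcess+0xa:" (the offset part is optional).
LABEL_RE = re.compile(r"^(?P<base>\S+?)(?:\+0x(?P<off>[0-9a-fA-F]+))?:$")


@dataclass
class Instruction:
    address: int
    mnemonic: str
    operands: str
    code_bytes: Optional[bytes]   # None when the listing was captured with no_code_bytes
    symbol_base: str              # nearest preceding label, e.g. ntdll!ZwSetEventBoostPriority
    symbol_offset: int            # distance from that label

    @property
    def symbol(self) -> str:
        return f"{self.symbol_base}+{self.symbol_offset:#x}" if self.symbol_offset else self.symbol_base


def parse_listing(text: str, has_code_bytes: bool) -> List[Instruction]:
    """Parse `u` output. The caller must state which layout was in effect: the two cannot
    be told apart safely, because mnemonics such as 'add', 'dec' or 'fadd' are themselves
    valid hex strings and would be misread as a code-bytes column."""
    line_re = WITH_BYTES_RE if has_code_bytes else NO_BYTES_RE
    instrs: List[Instruction] = []
    base, base_off, base_addr = "<no symbol>", 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # `u` output may contain blank separator lines
        m = LABEL_RE.match(line)
        if m:
            base = m.group("base")
            base_off = int(m.group("off") or "0", 16)
            base_addr = None              # resolved from the next instruction line
            continue
        m = line_re.match(line)
        if not m:
            raise ValueError(f"line does not match the expected layout: {raw!r}")
        addr = int(m.group("addr").replace("`", ""), 16)
        if base_addr is None:
            base_addr = addr
        code = None
        if has_code_bytes:
            hexbytes = m.group("bytes")
            if len(hexbytes) % 2:
                raise ValueError(f"odd-length code bytes at {addr:#x}: {hexbytes}")
            code = bytes.fromhex(hexbytes)
        instrs.append(Instruction(addr, m.group("mnem"), m.group("ops") or "", code,
                                  base, base_off + (addr - base_addr)))
    return instrs


def check_contiguous(instrs: List[Instruction]) -> List[int]:
    """Return addresses whose code-byte count does not reach the next instruction's address,
    which usually means a mis-pasted or mis-parsed listing. Empty for no_code_bytes input."""
    return [cur.address for cur, nxt in zip(instrs, instrs[1:])
            if cur.code_bytes is not None and cur.address + len(cur.code_bytes) != nxt.address]


def render(instrs: List[Instruction], with_code_bytes: bool) -> str:
    """Re-render instructions in either layout, emitting a label line whenever the symbol changes."""
    out, current_base = [], None
    for ins in instrs:
        if ins.symbol_base != current_base:
            out.append(f"{ins.symbol}:")
            current_base = ins.symbol_base
        addr = f"{ins.address >> 32:08x}`{ins.address & 0xFFFFFFFF:08x}"
        if with_code_bytes:
            if ins.code_bytes is None:
                raise ValueError("listing was captured with no_code_bytes; bytes are unavailable")
            out.append(f"{addr} {ins.code_bytes.hex():<16}{ins.mnemonic:<8}{ins.operands}".rstrip())
        else:
            out.append(f"{addr}    {ins.mnemonic:<11}{ins.operands}".rstrip())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_listing(LISTING_WITH_BYTES, has_code_bytes=True)
    print("byte-count mismatches:", check_contiguous(parsed))
    print(render(parsed, with_code_bytes=False))
```

The explicit `has_code_bytes` flag is the important design choice: a parser that guesses the layout from the second column will silently misread lines whose mnemonic happens to be a valid hex string, so record the `.asm` setting alongside any listing you save.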

Also check out the following related command 🙂

.prompt_allow (options)

bye for now

Update: corrected typo of parameter from no_opcode_bytes to no_code_bytes


Kernel Debugging tutorial for WinDbg


One of the difficulties in using a debugger as powerful as WinDbg is the need to know the various commands and when to use them. There are lots of articles about WinDbg, but the most comprehensive one for a beginner is the tutorial that comes with the WinDbg installation, the appropriately named “Kernel_debugging_tutorial.doc”.

The document begins with setting up a debugging session between the host and the target system and goes on to explain some of the most common commands with good examples. Why blog about something that is part of the application, you ask? 🙂 Here is why: the document is not among the Start menu items, nor is it available from within the application. To open it you have to browse to the WinDbg installation folder.

This tutorial is a must-read for its simplicity and for the ease with which it covers advanced topics. Here is an example of a situation I faced before reading it. While debugging with WinDbg I found some local variables missing from the Locals window and I couldn’t track them. I overcame the limitation temporarily by using globals. Later I posted a newsgroup question asking why this happens, and Ivan of Microsoft was kind enough to point out to me that optimization was causing it. When I was reading through the tutorial I was surprised to find a section titled “Dealing with code optimization”, which explains that this is usually seen with a free build, or any build with optimizations turned on.

A big thanks to the person(s) who wrote this tutorial, which is a good read even for those with moderate familiarity with WinDbg. 🙂

If you are looking for a step-by-step guide to using WinDbg, another good starting point is Ilias’s blog post on the same topic.

Another good reference point is http://windbg.dumpanalysis.org/, which also has links to download the latest versions of WinDbg.

bye for now 🙂