TheMalwareGuardian/WinDbg_Scripting

GitHub: TheMalwareGuardian/WinDbg_Scripting

A starter repository for WinDbg scripting, covering native scripts, JavaScript and PyKD examples, plus a reference of commonly used commands.

Stars: 3 | Forks: 3

# ***🕵️‍♂️ Hello WinDbg Scripting***

This repository serves as a starting point for WinDbg scripting, covering WinDbg native scripting, JavaScript, and PyKD (Python).

## ***📑 Table of Contents***

* [What You'll Find Here](#what-youll-find-here)
* [WinDbg Commands Reference](#windbg-commands-reference)
* [More WinDbg Commands and Information](#more-windbg-commands-and-information)
## ***📋 What You'll Find Here***

- **Basic Hello World scripts** to get started with WinDbg scripting.
- **WinDbg native script** examples for automating debugging tasks.
- **JavaScript and Python (pykd)** examples for extending WinDbg's functionality.
- **A complete pykd package**, including the DLL and the files it needs to run.
- **A copy of the official WinDbg documentation** for quick reference.
- **A list of useful WinDbg commands** to help you navigate and work efficiently.
- **Links to more Windows Kernel debugging resources** for deeper exploration.
## ***📜 WinDbg Commands Reference***

A categorized list of essential WinDbg commands for debugging, reverse engineering, and malware analysis.

| **Category** | **Command** | **Description** | **Example usage** |
|--------------|-------------|-----------------|-------------------|
| 🔹 **Help and documentation** | | | |
| | `.help` | Display the command help menu | `.help` |
| | `.hh` | Open the WinDbg help documentation for a specific command | `.hh lm` |
| | `!help` | Display help for extension commands | `!help` |
| 🔹 **Debugger state and scripting** | | | |
| | `dx Debugger.State` | Display the debugger state | `dx Debugger.State` |
| | `dx -r2 Debugger.State.Scripts` | Display the loaded scripts | `dx -r2 Debugger.State.Scripts` |
| | `.scriptrun <script>` | Run a JavaScript script | `.scriptrun myscript.js` |
| | `.scriptload <script>` | Load a JavaScript script into the debugger | `.scriptload myscript.js` |
| | `.scriptunload <script>` | Unload a loaded script | `.scriptunload myscript.js` |
| | `.scriptlist` | List all loaded scripts | `.scriptlist` |
| 🔹 **Logging and output management** | | | |
| | `.logopen <file>` | Open a log file to store the session output | `.logopen C:\debug.log` |
| | `.logfile` | Display the path of the currently active log file | `.logfile` |
| | `.logclose` | Stop logging debugger output | `.logclose` |
| 🔹 **General commands** | | | |
| | `? expression` | Evaluate an expression | `? 0x100 + 0x200` |
| | `.chain` | Display the loaded extension DLLs | `.chain` |
| | `.time` | Display the timestamps of the debugging session | `.time` |
| | `.cls` | Clear the screen | `.cls` |
| 🔹 **Execution control** | | | |
| | `g` | Continue execution of the target process | `g` |
| | `gh` | Continue execution, but break at the next hard-coded breakpoint | `gh` |
| | `gn` | Continue execution, ignoring the next exception | `gn` |
| | `gu` | Continue execution until the function returns | `gu` |
| | `t` | Step into | `t` |
| | `p` | Step over | `p` |
| 🔹 **Breakpoints** | | | |
| | `bp <address>` | Set a breakpoint at a memory address | `bp fffff80079966b90` |
| | `bp <module>!<function>` | Set a breakpoint on a function | `bp nt!NtCreateFile` |
| | `bm <module>!*` | Set breakpoints on all functions of a module | `bm nt!*` |
| | `bl` | List all breakpoints | `bl` |
| | `bc <id>` | Clear a specific breakpoint | `bc 1` |
| | `bc *` | Clear all breakpoints | `bc *` |
| 🔹 **Modules and symbols** | | | |
| | `lm` | List all loaded modules | `lm` |
| | `lm m <module>` | Display detailed information about a module | `lm m nt` |
| | `x <module>!*` | List all symbols in a module | `x nt!*` |
| | `x <module>!<symbol>` | Find a function or symbol | `x nt!ExAllocatePoolWithTag` |
| | `!sym` | Display the symbol loading status | `!sym` |
| | `.reload` | Reload all symbols | `.reload` |
| | `.symfix` | Reset the symbol path | `.symfix` |
| 🔹 **Process and thread management** | | | |
| | `!process 0 0` | List all processes with their details | `!process 0 0` |
| | `!process <address> 1` | Display detailed information about a process | `!process ffffab0c5a691040 1` |
| | `.process <address>` | Switch to a specific process | `.process ffffab0c60a9e080` |
| | `dt _EPROCESS` | Display the process structure | `dt _EPROCESS` |
| | `!handle -p` | Display the process handles | `!handle -p` |
| | `!token` | Display the access token | `!token` |
| | `!peb` | Display the Process Environment Block (PEB) | `!peb` |
| | `!thread` | Display details of the current thread | `!thread` |
| | `!teb` | Display the Thread Environment Block (TEB) | `!teb` |
| | `!running` | Display all running threads in the system | `!running` |
| | `!stacks` | Display the call stacks of all threads | `!stacks` |
| 🔹 **Memory analysis** | | | |
| | `!address` | Display memory usage statistics | `!address` |
| | `!vad` | Display the Virtual Address Descriptor (VAD) tree | `!vad` |
| | `!pte <address>` | Display the page table entry | `!pte fffff80079a4af5c` |
| | `dq <address>` | Dump memory as **QWORD**s | `dq ffffbe8e8c5a4080+0x1d8 L2` |
| | `dd <address>` | Dump memory as **DWORD**s | `dd ffffbe8e8c5a4080+0x1d8 L2` |
| | `dw <address>` | Dump memory as **WORD**s | `dw ffffbe8e8c5a4080+0x1d8 L2` |
| | `db <address>` | Dump memory as **bytes** | `db ffffbe8e8c5a4080+0x1d8 L2` |
| | `dc <address>` | Dump memory as **ANSI characters** | `dc ffffbe8e8c5a4080+0x338` |
| | `du <address>` | Dump memory as **Unicode characters** | `du ffffbe8e8c5a4080+0x338` |
| 🔹 **Code disassembly** | | | |
| | `u <address>` | Disassemble code at a specific address | `u fffff80079966b90` |
| | `ub <address>` | Disassemble code backwards from an address | `ub fffff80079966b90` |
| | `uf <function>` | Disassemble an entire function | `uf nt!NtCreateFile` |
| 🔹 **Registry analysis** | | | |
| | `!reg hivelist` | Display the list of registry hives in the system | `!reg hivelist` |
| | `!reg querykey <key>` | Dump the subkeys and values of a registry key | `!reg querykey \Registry\Machine\SYSTEM` |
| 🔹 **Object and device analysis** | | | |
| | `!drvobj <driver>` | Display driver object details | `!drvobj ntfs` |
| | `!devobj <device>` | Display device object details | `!devobj \Device\HarddiskVolume1` |
| | `!irpfind` | List all active IRPs in memory | `!irpfind` |
| | `!irp <address>` | Display IRP details | `!irp fffffa8004e9b460` |
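The `!process 0 0` row above prints one `PROCESS <address>` block per process, and with `.logopen` that output lands in a log file that is easier to post-process than to scroll. The following script is an added example, not code from this repository, and needs neither WinDbg nor pykd to run: it parses a `!process 0 0` capture into one record per process, looks processes up by image name, walks the `ParentCid` links to reconstruct process lineage (which process spawned which, a routine triage question on a suspicious dump), and builds the `!process <address> 1` / `.process <address>` follow-up commands from the table. The log text, addresses, Cids and image names are constructed for the example; only the field layout follows what WinDbg prints.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a `.logopen` capture of `!process 0 0` (addresses, Cids
# and image names are made up for this example; the layout follows WinDbg's).
SAMPLE_LOG = """\
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffab0c5a691040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad000  ObjectTable: ffff9a0b1c2d3e40  HandleCount: 2901.
    Image: System

PROCESS ffffab0c60a9e080
    SessionId: 1  Cid: 1a2c    Peb: 00a2f000  ParentCid: 0fd8
    DirBase: 1f3b4000  ObjectTable: ffff9a0b2a3b4c50  HandleCount: 1820.
    Image: explorer.exe

PROCESS ffffab0c61b2f0c0
    SessionId: 1  Cid: 2e10    Peb: 0061e000  ParentCid: 1a2c
    DirBase: 2c7d9000  ObjectTable: ffff9a0b3c4d5e60  HandleCount:  64.
    Image: notepad.exe
"""

# "PROCESS <EPROCESS address>" opens each block; 64-bit targets may print the
# address with a backtick separator (ffffab0c`5a691040), which is stripped.
PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F`]+)\s*$")
FIELD_RE = re.compile(
    r"\b(SessionId|Cid|Peb|ParentCid|DirBase|ObjectTable|HandleCount|Image):\s+(\S+)"
)


def parse_process_list(log: str) -> List[Dict[str, str]]:
    """Turn `!process 0 0` output into one dict per process.

    Keys are the field names as WinDbg prints them, plus "eprocess" for the
    block address. Values stay as the hex/decimal strings WinDbg printed.
    """
    processes: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in log.splitlines():
        header = PROCESS_RE.match(line)
        if header:
            current = {"eprocess": header.group(1).replace("`", "")}
            processes.append(current)
            continue
        if current is None:
            continue  # prompt echo and banner lines before the first block
        for key, value in FIELD_RE.findall(line):
            current[key] = value.rstrip(".")  # HandleCount is printed as "2901."
    return processes


def find_by_image(processes: List[Dict[str, str]], image_name: str) -> List[Dict[str, str]]:
    """Case-insensitive lookup by image name (e.g. to pick a `.process` target)."""
    return [p for p in processes if p.get("Image", "").lower() == image_name.lower()]


def parent_chain(processes: List[Dict[str, str]], eprocess: str) -> List[str]:
    """Follow ParentCid links upward and return image names, child first.

    Stops when the parent is not in the list (it exited, or we reached the
    root) or when an address repeats, so a reused PID cannot loop forever.
    """
    by_cid = {p["Cid"]: p for p in processes if "Cid" in p}
    by_addr = {p["eprocess"]: p for p in processes}
    chain: List[str] = []
    seen = set()
    p = by_addr.get(eprocess)
    while p is not None and p["eprocess"] not in seen:
        seen.add(p["eprocess"])
        chain.append(p.get("Image", "?"))
        p = by_cid.get(p.get("ParentCid", ""))
    return chain


def process_commands(p: Dict[str, str]) -> List[str]:
    """The two follow-up commands from the table for one parsed process."""
    return [f"!process {p['eprocess']} 1", f".process {p['eprocess']}"]


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_LOG)
    for p in procs:
        print(f"{p['eprocess']}  Cid={p['Cid']:>5}  Parent={p['ParentCid']:>5}  {p['Image']}")
    target = find_by_image(procs, "notepad.exe")[0]
    print("lineage:", " <- ".join(parent_chain(procs, target["eprocess"])))
    print("\n".join(process_commands(target)))
```

Point `parse_process_list` at the contents of a real `.logopen` file instead of `SAMPLE_LOG` to use it on a live capture. Cids are kept as the hex strings WinDbg prints so they match what `!process` shows, and a parent that is missing from the list (because it already exited) simply ends the chain rather than raising.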
Click to expand the WinDbg .help command output

```
lkd> .help
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All
. commands:
.allow_bp_ba_convert [0|1] - Control bp/bm/bu breakpoints to use hardware debug register support
.allow_exec_cmds [0|1] - control execution commands
.allow_image_mapping [0|1] - control on-demand image file mapping
.apply_dbp [] - add current data breakpoint state to a register context
.asm [] - set disassembly options
.asm- [] - clear disassembly options
.attach - attach to at next execution
.block { } - brackets a set of commands for nested execution
.break - break out of the enclosing loop
.bugcheck - display the bugcheck code and parameters for a crashed system
.cache [] - virtual memory cache control
.catch { } - catch failures in commands
.chain - list current extensions
.clients - list currently active clients
.codearch - determine the architecture of code at the given address
.context [] - set page directory base
.continue - continue the enclosing loop
.copysym [] - copy current symbol files to a directory
.cordll [] - control CLR debug DLL
.crash - cause target to bugcheck
.create - create a new process
.createdir [] [] - control process creation options
.cxr - dump context record at specified address k* after this gives cxr stack
.dbgdbg - attach a debugger to the current debugger
.debug_sw_wow [0|1] - allow interaction with software WOW emulation
.detach - detach from the current process/dump
.dml_file - output DML content from file
.dml_flow - show basic block code flow
.dml_start [] - navigable overview of debugger activities
.do { } () - execute until is zero
.drivers - This command was removed -- use 'lm' or .reload -l)
.dump [] - create a dump file on the host system
.echo [""|] - echo string
.echocpunum [0|1] - toggle DbgPrint processor number output
.echotime - output debugger time
.echotimestamps [0|1] - toggle timestamp output on events
.ecxr - dump context record for current exception
.excr - dump context record for current exception
.effmach [] - change current machine type
.else { } - if/then/else conditional execution
.elsif () { } [] - if/then/else conditional execution
.enable_long_status [0|1] - dump LONG types in default base
.enable_unicode [0|1] - dump USHORT array/pointers and unicode strings
.endsrv - disable the given engine server
.endpsrv - cause the current session's remote server to exit
.enumtag - enumerate available tagged data
.event_code - display cached event instructions
.eventlog - display log of recent events
.events - display and select available events
.eventstr - display any event strings registered by debuggee
.exepath [[;...]] - set executable search path
.exepath+ [[;...]] - append executable search path
.expr - control expression evaluator
.exptr - do .exr and .cxr for EXCEPTION_POINTERS
.exr - dump exception record at specified address
.extmatch [] - display all extensions matching pattern
.extpath [[;...]] - set extension search path
.extpath+ [[;...]] - append extension search path
.f+ - set current stack frame to caller of current frame
.f- - set current stack frame to callee of current frame
.fiber - sets context of fiber at address resets context if no address specified
.fiximports - attempts to link imports for images
.fnent - dump function entry for the given code address
.fnret [] - display formatted return value
.for ( ; ; ) { } - execute and until is zero
.force_chpe_effmach [0|1] - force CHPE locals to be relative to the effective machine
.force_radix_output [0|1] - dump integer types in default base
.force_system_init [] - force pending systems to initialize if possible
.force_tb - forcibly allow branch tracing
.foreach [opts] ( { } ) { } - execute for each token in the output of
.fpo - control override FPO information
.frame [] - set current stack frame for locals
.formats - displays expression result in many formats
.help [] - display this help
.holdmem [range] - hold and compare memory data
.if () { } [] - if/then/else conditional execution
.ignore_missing_pages [0|1] - control kernel summary dump missing page error message
.ignore_wow_kd_context [0|1] - control WOW64 kernel debugging partial context error message
.imgscan - scan memory for PE images
.jdinfo [/u] - interpret AeDebug information
.kframes - set default stack trace depth
.lastevent - display the last event that occurred
.leave - exit the enclosing .catch
.lines - toggle line symbol loading
.load - add this extension DLL to the extension chain
.loadby - add the extension DLL in the module directory to the extension chain
.locale [] - set the current locale
.logfile - display log status
.logopen [] - open new log file
.logappend [] - append to log file
.logclose - close log file
.netsyms [0|1] - allow/disallow net symbol paths
.netuse [] - manage net connections
.noshell - disable shell commands
.noversion - disable extension version checking
.nvlist - display the set of .NATVIS files loaded into the debugger
.nvload - load a .NATVIS file
.nvunload - unload a .NATVIS file
.nvunloadall - unload all .NATVIS files
.ofilter - filter debuggee output against the given pattern
.opendump - open a dump file
.outmask - set bits in the current output mask
.outmask- - clear bits in the current output mask
.pacmask [] - display or override current PAC mask
.pcmd [] - control per-prompt command
.pop [] - pop state
.prefer_dml [0|1] - control DML mode default
.printf "", - formatted output
.process [] - sets implicit process resets default if no address specified
.prompt_allow [] - control what information can be displayed at the prompt
.push [] - push state
.quit_lock [] - locks session against unexpected quit
.readmem - read raw memory from a file
.record_branches [0|1] - controls recording of processor branching
.reload [[=,]] - reload symbols
.restart - request a session restart
.remote - start remote.exe server
.secure [0|1] - disallow operations dangerous for the host
.scriptdebug [