WinDbg Basics
Unassemble from Memory:
We can display the disassembly of program code at a given location in memory with the u (unassemble) command.
0:006> **u kernel32!GetCurrentThread**
KERNEL32!GetCurrentThread:
77542620 b8feffffff mov eax,0FFFFFFFEh
77542625 c3 ret
77542626 cc int 3
77542627 cc int 3
77542628 cc int 3
77542629 cc int 3
7754262a cc int 3
7754262b cc int 3
The u command accepts either a single memory address or a memory range as its argument.
Reading from Memory using Display commands:
Display bytes through the db command
0:006> db esp
0638fe6c f9 9b 94 77 31 43 21 9e-c0 9b 94 77 c0 9b 94 77 ...w1C!....w...w
0638fe7c 00 00 00 00 70 fe 38 06-00 00 00 00 e4 fe 38 06 ....p.8.......8.
0638fe8c 90 73 91 77 e9 86 81 ef-00 00 00 00 ac fe 38 06 .s.w..........8.
0638fe9c 64 95 53 77 00 00 00 00-40 95 53 77 a4 a1 20 b1 [email protected].. .
0638feac f4 fe 38 06 3c 29 8e 77-00 00 00 00 5d 43 21 9e ..8.<).w....]C!.
0638febc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0638fecc 00 00 00 00 00 00 00 00-00 00 00 00 5d 43 21 9e ............]C!.
0638fedc b8 fe 38 06 00 00 00 00-fc fe 38 06 90 73 91 77 ..8.......8..s.w
Display data in a larger size format:
dw prints WORDs (two bytes)
0:006> dw esp
0638fe6c 9bf9 7794 4331 9e21 9bc0 7794 9bc0 7794
0638fe7c 0000 0000 fe70 0638 0000 0000 fee4 0638
0638fe8c 7390 7791 86e9 ef81 0000 0000 feac 0638
0638fe9c 9564 7753 0000 0000 9540 7753 a1a4 b120
0638feac fef4 0638 293c 778e 0000 0000 435d 9e21
0638febc 0000 0000 0000 0000 0000 0000 0000 0000
0638fecc 0000 0000 0000 0000 0000 0000 435d 9e21
0638fedc feb8 0638 0000 0000 fefc 0638 7390 7791
Display DWORDs (four bytes) with dd:
0:006> dd esp
0638fe6c 77949bf9 9e214331 77949bc0 77949bc0
0638fe7c 00000000 0638fe70 00000000 0638fee4
0638fe8c 77917390 ef8186e9 00000000 0638feac
0638fe9c 77539564 00000000 77539540 b120a1a4
0638feac 0638fef4 778e293c 00000000 9e21435d
0638febc 00000000 00000000 00000000 00000000
0638fecc 00000000 00000000 00000000 9e21435d
0638fedc 0638feb8 00000000 0638fefc 77917390
Display QWORDs (eight bytes) with dq:
0:006> dq 0638fe6c
0638fe6c 9e214331`77949bf9 77949bc0`77949bc0
0638fe7c 0638fe70`00000000 0638fee4`00000000
0638fe8c ef8186e9`77917390 0638feac`00000000
0638fe9c 00000000`77539564 b120a1a4`77539540
0638feac 778e293c`0638fef4 9e21435d`00000000
0638febc 00000000`00000000 00000000`00000000
0638fecc 00000000`00000000 9e21435d`00000000
0638fedc 00000000`0638feb8 77917390`0638fefc
We can display ASCII characters in memory along with WORDs or DWORDs with dW and dc, respectively.
0:006> dc KERNELBASE
74cc0000 00905a4d 00000003 00000004 0000ffff MZ..............
74cc0010 000000b8 00000000 00000040 00000000 ........@.......
74cc0020 00000000 00000000 00000000 00000000 ................
74cc0030 00000000 00000000 00000000 000000f0 ................
74cc0040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th
74cc0050 70207369 72676f72 63206d61 6f6e6e61 is program canno
74cc0060 65622074 6e757220 206e6920 20534f44 t be run in DOS
74cc0070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......
0:006> dW KERNELBASE
74cc0000 5a4d 0090 0003 0000 0004 0000 ffff 0000 MZ..............
74cc0010 00b8 0000 0000 0000 0040 0000 0000 0000 ........@.......
74cc0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
74cc0030 0000 0000 0000 0000 0000 0000 00f0 0000 ................
74cc0040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854 ........!..L.!Th
74cc0050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e is program canno
74cc0060 2074 6562 7220 6e75 6920 206e 4f44 2053 t be run in DOS
74cc0070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000 mode....$.......
0:006> dW KERNELBASE+40
74cc0040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854 ........!..L.!Th
74cc0050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e is program canno
74cc0060 2074 6562 7220 6e75 6920 206e 4f44 2053 t be run in DOS
74cc0070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000 mode....$.......
74cc0080 257d 47ae 4439 14c0 4439 14c0 4439 14c0 }%.G9D..9D..9D..
74cc0090 3c30 1453 443d 14c0 4439 14c1 475e 14c0 0<S.=D..9D..^G..
74cc00a0 264a 15c1 443c 14c0 264a 15c5 4429 14c0 J&..<D..J&..)D..
74cc00b0 264a 15c3 4431 14c0 264a 15c4 475c 14c0 J&..1D..J&..\\G..
The default length when displaying data is 0x80 bytes. We can change this with the L parameter, which tells a display command how many units (bytes, WORDs, DWORDs, ...) to show.
0:006> dd esp L4
0638fe6c 77949bf9 9e214331 77949bc0 77949bc0
This examines the memory at the address stored in the esp register (the stack pointer) and displays the next 4 DWORDs (32-bit values) from that location.
A few other examples with the length parameter:
0:006> dd esp L10
0638fe6c 77949bf9 9e214331 77949bc0 77949bc0
0638fe7c 00000000 0638fe70 00000000 0638fee4
0638fe8c 77917390 ef8186e9 00000000 0638feac
0638fe9c 77539564 00000000 77539540 b120a1a4
; /* The dW L2 command outputs two WORDs */
0:006> dW KERNELBASE L2
74cc0000 5a4d 0090 MZ..
; /* The db L2 outputs two bytes. */
0:006> db KERNELBASE L2
74cc0000 4d 5a MZ
Pointer to Data:
To display the value stored at the memory address held by a pointer variable or expression, first read the pointer itself, then display the memory it points to.
0:006> dd esp L1
0638fe6c 77949bf9
0:006> dd 77949bf9
77949bf9 c03307eb 658bc340 fc45c7e8 fffffffe
77949c09 e0e8006a ccfff98d cccccccc cccccccc
77949c19 cccccccc 8bcccccc ec8b55ff 180d8b64
77949c29 8b000000 81890845 00000f24 0004c25d
77949c39 cccccccc 8bcccccc ec8b55ff 0018a164
77949c49 b0ff0000 00000f24 e80875ff fffc49e7
77949c59 0004c25d cccccccc cccccccc cccccccc
77949c69 cccccccc 8bcccccc ec8b55ff 640875ff
The output above can also be produced using a single command.
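The display commands above (db/dw/dd/dq, the L unit count, and pointer dereferencing) modelled in Python, as an added example that is not part of the original notes: it parses the page's own db esp rows, reinterprets the bytes as little-endian WORDs, DWORDs and QWORDs, renders them in WinDbg's row format, and reads the first DWORD the way a pointer dereference would. The function names, and the assumption that a pointer is 4 bytes (32-bit target), are mine.

```python
import re

# Constructed input: the first two rows of the `db esp` dump shown on the page.
DB_DUMP = """\
0638fe6c f9 9b 94 77 31 43 21 9e-c0 9b 94 77 c0 9b 94 77 ...w1C!....w...w
0638fe7c 00 00 00 00 70 fe 38 06-00 00 00 00 e4 fe 38 06 ....p.8.......8.
"""

WIDTHS = {"db": 1, "dw": 2, "dd": 4, "dq": 8}   # unit size in bytes per command
ROW_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})", re.I)

def parse_db(dump):
    """Parse `db` rows into (base_address, raw bytes); the ASCII column is ignored."""
    base, data = None, bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if base is None:
            base = int(m.group(1), 16)
        data += bytes.fromhex(m.group(2).replace("-", " "))
    return base, bytes(data)

def display(cmd, base, data, length=None):
    """Emulate db/dw/dd/dq: cut `data` into little-endian units and return
    (address, value) pairs. `length` counts units, exactly like WinDbg's L."""
    width = WIDTHS[cmd]
    count = len(data) // width if length is None else min(length, len(data) // width)
    return [(base + i * width, int.from_bytes(data[i * width:(i + 1) * width], "little"))
            for i in range(count)]

def render(cmd, base, data):
    """Format rows the way WinDbg prints them: 16 bytes per row, QWORDs as high`low."""
    width, rows = WIDTHS[cmd], []
    for off in range(0, len(data), 16):
        cells = []
        for _, v in display(cmd, base + off, data[off:off + 16]):
            cells.append(f"{v >> 32:08x}`{v & 0xffffffff:08x}" if width == 8 else f"{v:0{2 * width}x}")
        rows.append(f"{base + off:08x} " + " ".join(cells))
    return rows

def poi(base, data, addr, width=4):
    """Dereference a pointer: read the pointer-sized value at addr (assumed 4 bytes, 32-bit)."""
    off = addr - base
    return int.from_bytes(data[off:off + width], "little")

if __name__ == "__main__":
    esp, stack = parse_db(DB_DUMP)
    for cmd in ("dw", "dd", "dq"):
        print(cmd, *render(cmd, esp, stack), sep="\n")
    print(f"dd esp L1 -> {display('dd', esp, stack, 1)[0][1]:08x}, pointer at esp -> {poi(esp, stack, esp):08x}")
```

Comparing the rendered rows with the dw, dd and dq listings earlier on the page shows that all three are the same bytes regrouped little-endian, which is why the first DWORD at esp reads 77949bf9 while db shows f9 9b 94 77.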