WinDgb Basics
Unassemble from Memory:
We can display the assembly translation of a specified program code in memory with ”u” command.
0:006> **u kernel32!GetCurrentThread**
KERNEL32!GetCurrentThread:
77542620 b8feffffff mov eax,0FFFFFFFEh
77542625 c3 ret
77542626 cc int 3
77542627 cc int 3
77542628 cc int 3
77542629 cc int 3
7754262a cc int 3
7754262b cc int 3“u” command accepts either single memory address or range of memory as an argument
Reading from Memory using Display commands:
Display bytes through the db command
0:006> db esp
0638fe6c f9 9b 94 77 31 43 21 9e-c0 9b 94 77 c0 9b 94 77 ...w1C!....w...w
0638fe7c 00 00 00 00 70 fe 38 06-00 00 00 00 e4 fe 38 06 ....p.8.......8.
0638fe8c 90 73 91 77 e9 86 81 ef-00 00 00 00 ac fe 38 06 .s.w..........8.
0638fe9c 64 95 53 77 00 00 00 00-40 95 53 77 a4 a1 20 b1 [email protected].. .
0638feac f4 fe 38 06 3c 29 8e 77-00 00 00 00 5d 43 21 9e ..8.<).w....]C!.
0638febc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0638fecc 00 00 00 00 00 00 00 00-00 00 00 00 5d 43 21 9e ............]C!.
0638fedc b8 fe 38 06 00 00 00 00-fc fe 38 06 90 73 91 77 ..8.......8..s.wDisplay data in a larger size format:
dw prints WORDs (two bytes)
0:006> dw esp
0638fe6c 9bf9 7794 4331 9e21 9bc0 7794 9bc0 7794
0638fe7c 0000 0000 fe70 0638 0000 0000 fee4 0638
0638fe8c 7390 7791 86e9 ef81 0000 0000 feac 0638
0638fe9c 9564 7753 0000 0000 9540 7753 a1a4 b120
0638feac fef4 0638 293c 778e 0000 0000 435d 9e21
0638febc 0000 0000 0000 0000 0000 0000 0000 0000
0638fecc 0000 0000 0000 0000 0000 0000 435d 9e21
0638fedc feb8 0638 0000 0000 fefc 0638 7390 7791Display DWORDs (four bytes) with dd:
0:006> dd esp
0638fe6c 77949bf9 9e214331 77949bc0 77949bc0
0638fe7c 00000000 0638fe70 00000000 0638fee4
0638fe8c 77917390 ef8186e9 00000000 0638feac
0638fe9c 77539564 00000000 77539540 b120a1a4
0638feac 0638fef4 778e293c 00000000 9e21435d
0638febc 00000000 00000000 00000000 00000000
0638fecc 00000000 00000000 00000000 9e21435d
0638fedc 0638feb8 00000000 0638fefc 77917390Display QWORDs (eight bytes) with dq
0:006> dq 0638fe6c
0638fe6c 9e214331`77949bf9 77949bc0`77949bc0
0638fe7c 0638fe70`00000000 0638fee4`00000000
0638fe8c ef8186e9`77917390 0638feac`00000000
0638fe9c 00000000`77539564 b120a1a4`77539540
0638feac 778e293c`0638fef4 9e21435d`00000000
0638febc 00000000`00000000 00000000`00000000
0638fecc 00000000`00000000 9e21435d`00000000
0638fedc 00000000`0638feb8 77917390`0638fefcWe can display ASCII characters in memory along with WORDs or DWORDs with dW and dc, respectively.
0:006> dc KERNELBASE
74cc0000 00905a4d 00000003 00000004 0000ffff MZ..............
74cc0010 000000b8 00000000 00000040 00000000 ........@.......
74cc0020 00000000 00000000 00000000 00000000 ................
74cc0030 00000000 00000000 00000000 000000f0 ................
74cc0040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th
74cc0050 70207369 72676f72 63206d61 6f6e6e61 is program canno
74cc0060 65622074 6e757220 206e6920 20534f44 t be run in DOS
74cc0070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......
0:006> dW KERNELBASE
74cc0000 5a4d 0090 0003 0000 0004 0000 ffff 0000 MZ..............
74cc0010 00b8 0000 0000 0000 0040 0000 0000 0000 ........@.......
74cc0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
74cc0030 0000 0000 0000 0000 0000 0000 00f0 0000 ................
74cc0040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854 ........!..L.!Th
74cc0050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e is program canno
74cc0060 2074 6562 7220 6e75 6920 206e 4f44 2053 t be run in DOS
74cc0070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000 mode....$.......
0:006> dW KERNELBASE+40
74cc0040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854 ........!..L.!Th
74cc0050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e is program canno
74cc0060 2074 6562 7220 6e75 6920 206e 4f44 2053 t be run in DOS
74cc0070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000 mode....$.......
74cc0080 257d 47ae 4439 14c0 4439 14c0 4439 14c0 }%.G9D..9D..9D..
74cc0090 3c30 1453 443d 14c0 4439 14c1 475e 14c0 0<S.=D..9D..^G..
74cc00a0 264a 15c1 443c 14c0 264a 15c5 4429 14c0 J&..<D..J&..)D..
74cc00b0 264a 15c3 4431 14c0 264a 15c4 475c 14c0 J&..1D..J&..\\G..The default length when displaying data is 0x80 bytes. We can change this value by using the L parameter
L parameter change this value with display commands
0:006> dd esp L4
0638fe6c 77949bf9 9e214331 77949bc0 77949bc0Examining the memory contents at the address stored in the
espregister (the stack pointer) and displaying the next 4 double words (32-bit values) from that location
Few Other example with Length parameter:
0:006> dd esp L10
0638fe6c 77949bf9 9e214331 77949bc0 77949bc0
0638fe7c 00000000 0638fe70 00000000 0638fee4
0638fe8c 77917390 ef8186e9 00000000 0638feac
0638fe9c 77539564 00000000 77539540 b120a1a4
; /* The dW L2 command outputs two WORDS */
0:006> dW KERNELBASE L2
74cc0000 5a4d 0090 MZ..
; /* The db L2 outputs two bytes. */
0:006> db KERNELBASE L2
74cc0000 4d 5a MZPointer to Data:
It is used to display the value stored at a memory address pointed to by a given pointer variable or expression.
0:006> dd esp L1
0638fe6c 77949bf9
0:006> dd 77949bf9
77949bf9 c03307eb 658bc340 fc45c7e8 fffffffe
77949c09 e0e8006a ccfff98d cccccccc cccccccc
77949c19 cccccccc 8bcccccc ec8b55ff 180d8b64
77949c29 8b000000 81890845 00000f24 0004c25d
77949c39 cccccccc 8bcccccc ec8b55ff 0018a164
77949c49 b0ff0000 00000f24 e80875ff fffc49e7
77949c59 0004c25d cccccccc cccccccc cccccccc
77949c69 cccccccc 8bcccccc ec8b55ff 640875ffAbove output can be achieved using below single command
Last updated