The categories of commands of WinDBG?
Asked Answered
M

2

7

I see some references and tutorials about the commnads of WinDBG. Some of them like this lm, this .echo, this !running, and this nt!_PDB.

What is difference between these categories

  • xxx
  • .xxx
  • !xxx
  • xxx!yyy

?

They look so confused.

Mutable answered 25/5, 2016 at 15:27 Comment(1)
For a partial answer, see this question.Sagesagebrush
H
14

There are built-in commands, meta commands (dot commands) and extension commands (bang commands).

My personal opinion is that you needn't care too much about the difference of built-in commands compared to meta commands, since there are enough examples where those definitions do not match properly. It's sufficient to know that they are always there and don't need an extension to be loaded.

Good examples for built-in commands, which are mainly about controlling and getting information from the debugging target:

g - go
k - call stack
~ - list threads

Examples where IMHO this definition does not really match:

version    - show version of the debugger
vercommand - show command line that was used to start the debugger
n          - set number base

Good examples for meta commands, which are thought for only affecting the debugger but not the target:

.cls        - clear screen
.chain      - display loaded extensions
.effmach    - change behavior of the debugger regarding the architecture
.prefer_dml - change output format

Example where IMHO this definition does not really match:

.lastevent  - show last exception or event that occurred (in the target)
.ttime      - display thread times (of the target)
.call       - call a function (in the target)
.dvalloc    - allocate memory (in the target)

However, it's good to understand that the extension commands are different, especially because the same command may result in different output, depending on which extension is loaded or appears first in the extension list and that you can affect the order (e.g. by .load, .unload, .setdll). Besides the simple form !command, note that there is also the !extension.command syntax to specify the extension explicitly. I'll use it in the example below. (There's even !c:\path\to\extension.command)

The example of a collision of extension commands is given from a kernel debug session where one !heap does not give any output and the other obviously needs a parameter to work.

0: kd> !ext.heap
0: kd> !exts.heap
Invalid type information

The last format mentioned in your question (xxx!yyy) is not a command, but a method or type information where xxx denotes the module (DLL) and yyy denotes the method or type name. Often, this is also seen with an additional offset in bytes for locations inside the method (xxx!yyy+0xhhh)

Headsman answered 25/5, 2016 at 19:13 Comment(1)
Great answer. Glad you pointed out that there isn't actually a strict distinction between built-in commands and meta commands. There are plenty more examples where those types of commands don't fit their categorization.Mccowan
L
2

See the following:

xxx - these are built in commands
.xxx - these are meta commands
!xxx - these are extension commands, so they call a command from an extension dll
xxx!yyy - this looks the syntax to reference an exported function from a dll:

<dll_name>!<method_name>

You may find the following useful: http://windbg.info/doc/1-common-cmds.html

Leslie answered 25/5, 2016 at 15:31 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.