WinDbg breakpoint study notes
Common WinDbg breakpoint commands
http://blog.csdn.net/vangoals/article/details/4458051
WinDbg provides several commands for setting breakpoints:
bp sets a breakpoint at an address. You can write bp 0x7783FEB or bp MyApp!SomeFunction; for the latter, WinDbg resolves MyApp!SomeFunction to its address and sets the breakpoint there. The problems with bp are: 1) when the code is modified and the function's address changes, the breakpoint stays at the old address and may no longer be valid; 2) WinDbg does not save bp breakpoints in the workspace.
bu sets a breakpoint on a symbol, for example bu MyApp!SomeFunction. After the code is modified, the breakpoint follows the function to its new address. bu breakpoints are also saved in the WinDbg workspace, so they are set again automatically the next time WinDbg starts.
bu can also set a breakpoint on a symbol that cannot be resolved yet: when a new module is loaded, the debugger re-evaluates its unresolved breakpoints and sets any whose symbol now matches. A bp on such a symbol fails (the function address does not exist yet), while bu succeeds. In newer versions of WinDbg a failed bp is automatically converted into a bu.
bm also sets breakpoints on symbols, but it supports wildcard patterns, which is convenient when you want several breakpoints at once. For example, to break on every member function of MyClass: bm MyApp!MyClass::*, or on every function whose name starts with CreateWindow: bm user32!CreateWindow*.
The three commands above set breakpoints on code; breakpoints can also be set on data.
ba Access Size [Address]
Access is the access type: e (execute), r (read/write), w (write).
Size is the size of the monitored location in bytes: 1, 2 or 4, or 8 on 64-bit machines.
For example, to break when memory at 0x0483DFE is written, use: ba w4 0x0483DFE
bl   list all breakpoints
bc   clear breakpoints
bd   disable breakpoints
be   re-enable breakpoints that were disabled with bd
========
Common WinDbg breakpoints (reposted)
http://blog.csdn.net/is2120/article/details/7874007
Common WinDbg breakpoints
//z 2012-08-16 16:43:36 IS2120@csdn.T3181799596[T8,L144,R4,V335]
Intercepting windows:
bp CreateWindow                 create a window
bp CreateWindowEx(A)            create a window
bp ShowWindow                   show a window
bp UpdateWindow                 update a window
bp GetWindowText(A)             get window text
Intercepting message boxes:
bp MessageBox(A)                create a message box
bp MessageBoxExA                create a message box
bp MessageBoxIndirect(A)        create a custom message box
bp IsDialogMessageW
Intercepting the warning beep:
bp MessageBeep                  play the system warning sound (drives the PC speaker directly if there is no sound card)
Intercepting dialog boxes:
bp DialogBox                    create a modal dialog
bp DialogBoxParam(A)            create a modal dialog
bp DialogBoxIndirect            create a modal dialog
bp DialogBoxIndirectParam(A)    create a modal dialog
bp CreateDialog                 create a modeless dialog
bp CreateDialogParam(A)         create a modeless dialog
bp CreateDialogIndirect         create a modeless dialog
bp CreateDialogIndirectParam(A) create a modeless dialog
bp GetDlgItemText(A)            get dialog item text
bp GetDlgItemInt                get dialog item integer value
Intercepting the clipboard:
bp GetClipboardData             get clipboard data
Intercepting the registry:
bp RegOpenKey(A)                open a subkey
bp RegOpenKeyEx                 open a subkey
bp RegQueryValue(A)             query a subkey value
bp RegQueryValueEx              query a subkey value
bp RegSetValue(A)               set a subkey value
bp RegSetValueEx(A)             set a subkey value
Breakpoints for intercepting feature restrictions:
bp EnableMenuItem               enable or disable a menu item
bp EnableWindow                 enable or disable a window
Intercepting time:
bp GetLocalTime                 get local time
bp GetSystemTime                get system time
bp GetFileTime                  get file time
bp GetTickCount                 get the number of milliseconds elapsed since the system started
bp GetCurrentTime               get current time (16-bit)
bp SetTimer                     create a timer
bp TimerProc                    timer expiry callback
GetDlgItemInt                   get the integer value of an input box
GetDlgItemText                  get the string entered in an input box
GetDlgItemTextA                 get the string entered in an input box
Intercepting files:
bp CreateFileA                  create or open a file (32-bit)
bp OpenFile                     open a file (32-bit)
bp ReadFile                     read a file (32-bit)
bp WriteFile                    write a file (32-bit)
GetModuleFileNameA
GetFileSize
SetFilePointer
fileopen
FindFirstFileA
ReadFile
Intercepting drives:
bp GetDriveTypeA                get disk drive type
bp GetLogicalDrives             get logical drive letters
bp GetLogicalDriveStringsA      get the root paths of all current logical drives
========
Practical WinDbg: breakpoint operations
WinDbg commands
bp address/symbol    sets a breakpoint at the instruction at address; the module containing the address must already be loaded
bu address/symbol    sets a breakpoint at the instruction at address; the module containing the address need not be loaded yet (a deferred breakpoint for a module loaded later)
ba: memory access breakpoint; the program breaks when this memory address (usually data) is accessed.
bl: list all set breakpoints and their addresses
bc: clear breakpoints. bc * clears all breakpoints; bc 1 clears breakpoint number 1.
bd: disable a breakpoint.
be: enable a breakpoint; the opposite of bd.
========
WinDbg debugging tips: setting conditional breakpoints
http://blog.csdn.net/itmes/article/details/38016275
Setting a Conditional Breakpoint
Conditional breakpoints can be very useful when you are trying to find bugs in your code. They cause a break to occur only if a specific condition is satisfied.
A conditional breakpoint is created by combining a breakpoint command with either the j (Execute If - Else) command or the .if token, followed by the gc (Go from Conditional Breakpoint) command. This breakpoint causes a break to occur only if a specific condition is satisfied.
The basic syntax for a conditional breakpoint using the j command is as follows:
0:000> bp Address "j (Condition) 'OptionalCommands'; 'gc' "
The basic syntax for a conditional breakpoint using the .if token is as follows:
0:000> bp Address ".if (Condition) {OptionalCommands} .else {gc}"
Conditional breakpoints are best illustrated with an example. The following command sets a breakpoint at line 143 of the Mysource.cpp source file. When this breakpoint is hit, the variable MyVar is tested. If this variable is less than or equal to 20, execution continues; if it is greater than 20, execution stops.
0:000> bp `mysource.cpp:143` "j (poi(MyVar)>0n20) ''; 'gc' "
0:000> bp `mysource.cpp:143` ".if (poi(MyVar)>0n20) {} .else {gc}"
The preceding command has a fairly complicated syntax that contains the following elements:
The bp (Set Breakpoint) command sets breakpoints. Although the preceding example uses the bp command, you could also use the bu (Set Unresolved Breakpoint) command. For more information about the differences between bp and bu, and for a basic introduction to breakpoints, see Using Breakpoints.
Source line numbers are specified by using grave accents ( ` ). For details, see Source Line Syntax.
When the breakpoint is hit, the command in straight quotation marks ( " ) is executed. In this example, this command is a j (Execute If - Else) command or an .if token, which tests the expression in parentheses.
In the source program, MyVar is an integer. If you are using C++ expression syntax, MyVar is interpreted as an integer. However, in this example (and in the default debugger configuration), MASM expression syntax is used. In a MASM expression, MyVar is treated as an address. Thus, you need to use the poi operator to dereference it. (If your variable actually is a C pointer, you will need to dereference it twice, for example poi(poi(MyPtr)).) The 0n prefix specifies that this number is decimal. For syntax details, see MASM Numbers and Operators.
The expression in parentheses is followed by two commands, surrounded by single quotation marks ( ' ) for the j command and curly brackets ( {} ) for the .if token. If the expression is true, the first of these commands is executed. In this example, there is no first command, so command execution will end and control will remain with the debugger. If the expression in parentheses is false, the second command will execute. The second command should almost always be a gc (Go from Conditional Breakpoint) command, because this command causes execution to resume in the same manner that was occurring before the breakpoint was hit (stepping, tracing, or free execution).
If you want to see a message each time the breakpoint is passed or when it is finally hit, you can use additional commands in the single quotation marks or curly brackets. For example:
0:000> bp `:143` "j (poi(MyVar)>5) '.echo MyVar Too Big'; '.echo MyVar Acceptable; gc' "
0:000> bp `:143` ".if (poi(MyVar)>5) {.echo MyVar Too Big} .else {.echo MyVar Acceptable; gc} "
These comments are especially useful if you have several such breakpoints running at the same time, because the debugger does not display its standard "Breakpoint n Hit" messages when you are using a command string in the bp command.
Conditional Breakpoints and Register Sign Extension
You can set a breakpoint that is conditional on a register value.
The following command will break at the beginning of the myFunction function if the eax register is equal to 0xA3:
0:000> bp mydriver!myFunction "j @eax = 0xa3 '';'gc'"
0:000> bp mydriver!myFunction ".if @eax = 0xa3 {} .else {gc}"
However, the following similar command will not necessarily break when eax equals 0xC0004321:
0:000> bp mydriver!myFunction "j @eax = 0xc0004321 '';'gc'"
0:000> bp mydriver!myFunction ".if @eax = 0xc0004321 {} .else {gc}"
The reason the preceding command will fail is that the MASM expression evaluator sign-extends registers whose high bit equals one. When eax has the value 0xC0004321, it will be treated as 0xFFFFFFFF`C0004321 in computations, even though eax will still be displayed as 0xC0004321. However, the numeral 0xc0004321 is sign-extended in kernel mode, but not in user mode. Therefore, the preceding command will not work properly in user mode. If you mask the high bits of eax, the command will work properly in kernel mode, but now it will fail in user mode.
You should formulate your commands defensively against sign extension in both modes. In the preceding command, you can make the command defensive by masking the high bits of a 32-bit register by using an AND operation to combine it with 0x00000000`FFFFFFFF, and by masking the high bits of a numeric constant by including a grave accent ( ` ) in its syntax.
The following command will work properly in user mode and kernel mode:
0:000> bp mydriver!myFunction "j (@eax & 0x0`ffffffff) = 0x0`c0004321 '';'gc'"
0:000> bp mydriver!myFunction ".if (@eax & 0x0`ffffffff) = 0x0`c0004321 {} .else {gc}"
For more information about which numbers are sign-extended by the debugger, see Sign Extension.
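To see why the masked form works in both modes, here is an added Python model (not WinDbg code, and not from the original article) of the evaluator rules described above: a register with its high bit set is sign-extended to 64 bits, a bare 32-bit numeral is sign-extended only in kernel mode, and a grave-accent numeral is an explicit 64-bit value. The eax value and the user/kernel flag are constructed inputs.

```python
# Added model (not WinDbg code) of the MASM evaluator behaviour the text above
# describes. It is a simplification used only to reproduce the three cases
# the article discusses: the 0xa3 condition, the bare 0xc0004321 condition,
# and the masked (@eax & 0x0`ffffffff) = 0x0`c0004321 condition.
MASK32 = 0xFFFF_FFFF
HIGH32 = 0xFFFF_FFFF_0000_0000

def sign_extend32(value: int) -> int:
    """Sign-extend a 32-bit value to 64 bits (high bit set -> upper half all ones)."""
    value &= MASK32
    return value | HIGH32 if value & 0x8000_0000 else value

def register_value(eax: int) -> int:
    """@eax as the evaluator uses it in a computation (not as it is displayed)."""
    return sign_extend32(eax)

def numeral(text: str, kernel_mode: bool) -> int:
    """Parse a MASM hex numeral; the backtick form is an explicit 64-bit value."""
    text = text.lower()
    text = text[2:] if text.startswith("0x") else text
    if "`" in text:                      # 0x0`c0004321: never sign-extended
        hi, lo = text.split("`")
        return (int(hi, 16) << 32) | int(lo, 16)
    value = int(text, 16)                # bare numeral: extended in kernel mode only
    return sign_extend32(value) if kernel_mode and value <= MASK32 else value

def small_condition(eax: int, kernel_mode: bool) -> bool:
    """Models:  j @eax = 0xa3 '';'gc'   (high bit clear, so nothing is extended)."""
    return register_value(eax) == numeral("0xa3", kernel_mode)

def naive_condition(eax: int, kernel_mode: bool) -> bool:
    """Models:  j @eax = 0xc0004321 '';'gc'   (the fragile form)."""
    return register_value(eax) == numeral("0xc0004321", kernel_mode)

def masked_condition(eax: int, kernel_mode: bool) -> bool:
    """Models:  j (@eax & 0x0`ffffffff) = 0x0`c0004321 '';'gc'   (defensive form)."""
    lhs = register_value(eax) & numeral("0x0`ffffffff", kernel_mode)
    return lhs == numeral("0x0`c0004321", kernel_mode)

if __name__ == "__main__":
    # Constructed input: eax holds 0xC0004321 when the breakpoint is reached.
    for mode, kernel in (("user", False), ("kernel", True)):
        print(f"{mode:6} naive={naive_condition(0xC0004321, kernel)} "
              f"masked={masked_condition(0xC0004321, kernel)}")
```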
Conditional Breakpoints in WinDbg
In WinDbg, you can create a conditional breakpoint by clicking Breakpoints from the Edit menu, entering a new breakpoint address into the Command box, and entering a condition into the Condition box.
For example, typing mymod!myFunc+0x3A into the Command box and myVar < 7 into the Condition box is equivalent to issuing the following command:
0:000> bu mymod!myFunc+0x3A "j(myVar<7) '.echo "Breakpoint hit, condition myVar<7"'; 'gc'"
0:000> bu mymod!myFunc+0x3A ".if(myVar<7) {.echo "Breakpoint hit, condition myVar<7"} .else {gc}"
Restrictions on Conditional Breakpoints
If you are controlling the user-mode debugger from the kernel debugger, you cannot use conditional breakpoints or any other breakpoint command string that contains the gc (Go from Conditional Breakpoint) or g (Go) commands. If you use these commands, the serial interface might not be able to keep up with the number of breakpoint passes, and you will be unable to break back into CDB.
========
WinDbg: memory data breakpoints
http://blog.sina.com.cn/s/articlelist_1309247281_7_1.html
ba (Break on Access)
The ba command sets a data breakpoint. This breakpoint is triggered when the specified memory is accessed.
Syntax
User-Mode
[~Thread] ba[ID] Access Size [Options] [Address [Passes]] ["CommandString"]
Kernel-Mode
ba[ID] Access Size [Options] [Address [Passes]] ["CommandString"]
Parameters
Thread
Specifies the thread that the breakpoint applies to. For more information about syntax, see Thread Syntax. You can specify threads only in user mode.
ID
Specifies an optional number that identifies the breakpoint. If you do not specify ID, the first available breakpoint number is used. You cannot add space between ba and the ID number. Each processor supports only a limited number of data breakpoints. But there is no restriction on the value of the ID number. If you enclose ID in square brackets ([]), ID can include any expression. For more information about the syntax, see Numerical Expression Syntax.
Access
Specifies the type of access that satisfies the breakpoint. This parameter can be one of the following values.
Option Action
e (execute) Breaks into the debugger when the CPU retrieves an instruction from the specified address.
r (read/write) Breaks into the debugger when the CPU reads or writes at the specified address.
w (write) Breaks into the debugger when the CPU writes at the specified address.
i (i/o) (Microsoft Windows XP and later versions, kernel mode only, x86-based systems only) Breaks into the debugger when the I/O port at the specified Address is accessed.
You cannot add space between Access and Size.
Note: On Windows Server 2003 with Service Pack 1 (SP1), on an Itanium-based computer that uses WOW64 to emulate x86, data breakpoints do not work with the execute option but they do work with the read and write options.
Size
Specifies the size of the location, in bytes, to monitor for access. On an x86-based processor, this parameter can be 1, 2, or 4. However, if Access equals e, Size must be 1.
On an x64-based processor, this parameter can be 1, 2, 4, or 8. However, if Access equals e, Size must be 1.
On an Itanium-based processor, this parameter can be any power of 2, from 1 to 0x80000000.
You cannot add space between Access and Size.
Options
Specifies breakpoint options. You can use any number of the following options, except as indicated:
/1
Creates a "one-shot" breakpoint. After this breakpoint is triggered, the breakpoint is permanently removed from the breakpoint list.
/f PredNum
(Itanium only, user mode only) Specifies a predicate number. The breakpoint is predicated with the corresponding predicate register (for example, bp /f 4 address sets a breakpoint that is predicated with the p4 predicate register). For more information about predicate registers, see Itanium Architecture.
/p EProcess
(Kernel mode only) Specifies a process that is associated with this breakpoint. EProcess should be the actual address of the EPROCESS structure, not the PID. The breakpoint is triggered only if it is encountered in the context of this process.
/t EThread
(Kernel mode only) Specifies a thread that is associated with this breakpoint. EThread should be the actual address of the ETHREAD structure, not the thread ID. The breakpoint is triggered only if it is encountered in the context of this thread. If you use /p EProcess and /t EThread , you can enter them in either order.
/c MaxCallStackDepth
Causes the breakpoint to be active only when the call stack depth is less than MaxCallStackDepth. You cannot combine this option together with /C.
/C MinCallStackDepth
Causes the breakpoint to be active only when the call stack depth is larger than MinCallStackDepth. You cannot combine this option together with /c.
Address
Specifies any valid address. If the application accesses memory at this address, the debugger stops execution and displays the current values of all registers and flags. This address must be an offset and suitably aligned to match the Size parameter. (For example, if Size is 4, Address must be a multiple of 4.) If you omit Address, the current instruction pointer is used. For more information about the syntax, see Address and Address Range Syntax.
Passes
Specifies the number of times the breakpoint is passed by until it activates. This number can be any 16-bit value. The number of times the program counter passes through this point without breaking is one less than the value of this number. Therefore, omitting this number is the same as setting it equal to 1. Note also that this number counts only the times that the application executes past this point. Stepping or tracing past this point does not count. After the full count is reached, you can reset this number only by clearing and resetting the breakpoint.
CommandString
Specifies a list of commands to execute every time that the breakpoint is encountered the specified number of times. These commands are executed only if the breakpoint is hit after you issue a g (Go) command, instead of after a t (Trace) or p (Step) command. Debugger commands in CommandString can include parameters.
You must enclose this command string in quotation marks, and you should separate multiple commands by semicolons. You can use standard C control characters (such as \n and \"). Semicolons that are contained in second-level quotation marks (\") are interpreted as part of the embedded quoted string.
This parameter is optional.
Environment
Modes: User mode, kernel mode
Targets: Live debugging only
Platforms: All
Comments
The debugger uses the ID number to refer to the breakpoint in later bc (Breakpoint Clear), bd (Breakpoint Disable), and be (Breakpoint Enable), commands. Use the bl (Breakpoint List) command to see the ID numbers that are associated with all currently set breakpoints.
The ba command provides the same functionality that the debug registers provide. You can break execution when the particular memory location is read from, written to, or executed.
The breakpoint is satisfied only when the access occurs at the given address and for the specified number of bytes. If the memory that is accessed overlaps the specified area to monitor, the breakpoint is not satisfied.
Although the size is required for all breakpoint types, an execute breakpoint is satisfied only if the address is the first byte in the instruction.
When you debug a multiprocessor system in kernel mode, breakpoints that you set by using bp (Set Breakpoint) or ba apply to all processors. For example, if the current processor is 3 and you type ba e1 MemoryAddress to put a breakpoint at MemoryAddress, any processor (not only processor 3) that executes at that address causes a breakpoint trap.
You cannot set the initial breakpoint in a user-mode process by using the ba command.
You cannot create multiple breakpoints at the same address that differ only in their CommandString values. However, you can create multiple breakpoints at the same address that have different restrictions (for example, different values of the /p, /t, /c, and /C options).
When you debug in kernel mode, the target computer distinguishes between user-mode and kernel-mode data breakpoints. A user-mode data breakpoint cannot affect kernel execution or memory access. A kernel-mode data breakpoint might affect user-mode execution or memory access, depending on whether the user-mode code is using the debug register state and whether there is a user-mode debugger that is attached.
To apply the current process' existing data breakpoints to a different register context, use the .apply_dbp (Apply Data Breakpoint to Context) command.
The following examples show the ba command. The following command sets a breakpoint for read access on 4 bytes of the variable myVar.
0:000> ba r4 myVar
The following command adds a breakpoint on all serial ports with addresses from 0x3F8 through 0x3FB. This breakpoint is triggered if anything is read or written to these ports.
kd> ba i4 3f8
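As an added example (not from the page or from WinDbg itself), the following Python checker parses ba command lines in the syntax documented above and rejects the combinations the text forbids: a joined Access/Size pair, the per-processor Size set, Size 1 for execute breakpoints, Address alignment to Size, a 16-bit Passes value and the /c versus /C exclusion. The sample commands in the test and the main block are constructed.

```python
# Added example, not part of the page or of WinDbg: a syntax and rule checker for
#   ba[ID] Access Size [Options] [Address [Passes]] ["CommandString"]
# following the parameter descriptions above. It models only x86 and x64 sizes.
import re

SIZES = {"x86": {1, 2, 4}, "x64": {1, 2, 4, 8}}
OPTS_WITH_ARG = {"/p", "/t", "/c", "/C", "/f"}

def masm_number(tok: str):
    """Parse a MASM hex numeral (0x prefix and ` separator allowed); None if symbolic."""
    t = tok.lower()
    t = (t[2:] if t.startswith("0x") else t).replace("`", "")
    return int(t, 16) if re.fullmatch(r"[0-9a-f]+", t) else None

def parse_ba(cmd: str, arch: str = "x64") -> dict:
    """Parse one ba command line; raise ValueError on any rule violation."""
    head, quote, tail = cmd.strip().partition('"')
    if quote and not tail.endswith('"'):
        raise ValueError("CommandString must be enclosed in quotation marks")
    commands = tail[:-1] if quote else None
    tokens = head.split()
    if len(tokens) < 2 or not re.fullmatch(r"ba\d*", tokens[0]):
        raise ValueError("expected: ba[ID] Access Size [Options] [Address [Passes]]")
    m = re.fullmatch(r"([erwi])(\d+)", tokens[1])   # no space between Access and Size
    if not m:
        raise ValueError("Access and Size must be written together, e.g. r4")
    access, size = m.group(1), int(m.group(2))
    if size not in SIZES[arch]:
        raise ValueError(f"Size {size} is not valid on {arch}")
    if access == "e" and size != 1:
        raise ValueError("an execute (e) breakpoint requires Size 1")
    opts, i = {}, 2
    while i < len(tokens) and tokens[i].startswith("/"):
        if tokens[i] == "/1":
            opts["/1"], i = True, i + 1
        elif tokens[i] in OPTS_WITH_ARG and i + 1 < len(tokens):
            opts[tokens[i]], i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unknown or incomplete option {tokens[i]}")
    if "/c" in opts and "/C" in opts:
        raise ValueError("/c and /C cannot be combined")
    if len(tokens) > i + 2:
        raise ValueError(f"unexpected tokens: {' '.join(tokens[i + 2:])}")
    address = tokens[i] if len(tokens) > i else None   # None: current instruction pointer
    passes = masm_number(tokens[i + 1]) if len(tokens) > i + 1 else 1
    if passes is None or not 1 <= passes <= 0xFFFF:
        raise ValueError("Passes must be a 16-bit number")
    value = masm_number(address) if address else None  # symbols cannot be checked here
    if value is not None and value % size:
        raise ValueError(f"Address {address} is not aligned to Size {size}")
    return {"id": int(tokens[0][2:]) if len(tokens[0]) > 2 else None,
            "access": access, "size": size, "options": opts,
            "address": address, "passes": passes, "commands": commands}

def check(cmd: str, arch: str = "x64") -> str:
    """Return 'ok' or the reason the command would be rejected."""
    try:
        parse_ba(cmd, arch)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":   # constructed sample commands
    for line in ("ba r4 myVar", "ba e4 0x401000", "ba w4 0x7ffe0302", "ba r 4 myVar"):
        print(f"{line:20} -> {check(line)}")
```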