# WinDbg Kernel

### Kernel exploration

#### CheatSheet

**Symbols and types**

| Command                                                                                                                   | Usage                                                                         | Examples                                                                                                        | Description                                                                |
| ------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| [lm (List Loaded Modules)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/lm--list-loaded-modules-)   | <p><code>lm</code><br><br><code>lm \<PATTERN></code></p>                      | `lm nt*`                                                                                                        | Displays all or the specified loaded modules.                              |
| [x (Examine Symbols)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/x--examine-symbols-)             | <p><code>x \<MODULE>!\*</code><br><br><code>x \<MODULE>!\<PATTERN></code></p> | <p><code>x nt!\*</code><br><br><code>x nt!*process*</code></p>                                                  | Displays the symbols in the specified module.                              |
| [ln (List Nearest Symbols)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/ln--list-nearest-symbols-) | `ln <ADDRESS>`                                                                | `ln fffff80705d4c9d4`                                                                                           | Displays the symbol(s) at or near the specified address.                   |
| [dt (Display Type)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dt--display-type-)                 | <p><code>dt \<STRUCT></code><br><br><code>dt nt!*\<PATTERN>*</code></p>       | `dt nt!_EPROCESS`                                                                                               | Displays information about a local variable, global variable or data type. |
| [.printf](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-printf)                                     | `.printf [<OPTIONS>] <FORMAT_STRING> <ARGUMENT \| ARGUMENT_LIST>`             | <p><code>.printf "%y", \<ADDRESS></code><br>displays the symbol, if any, associated with the given address.</p> | C printf-like function.                                                    |

**Memory exploration**

| Command                                                                                                                                                   | Usage                                                                                                   | Examples                                                                                                                      | Description                                                                                                                                                                                                                                                                                                                                                    |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [dds, dps, dqs (Display Words and Symbols)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dds--dps--dqs--display-words-and-symbols-) | `d*s <ADDRESS \| ADDRESS_RANGE>`                                                                        | <p><code>dqs fffff80705d1a410</code><br><br><code>dqs fffff80705d1a410 fffff80705d1a418</code></p>                            | <p>Displays the contents of memory in the given range.<br><br>The <code>dds</code> command displays <code>DWORD</code> (4 byte) values.<br><br>The <code>dqs</code> command displays <code>QWORD</code> (8 byte) values.<br><br>The <code>dps</code> command displays pointer-sized values (4 byte or 8 byte depending on the system architecture) values.</p> |
| [ds, dS (Display String)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/ds--ds--display-string-)                                     | <p><code>ds \<ADDRESS></code><br><br><code>dS \<ADDRESS></code></p>                                     |                                                                                                                               | Displays a `STRING` / `ANSI_STRING` (`ds`) or `UNICODE_STRING` (`dS`) string.                                                                                                                                                                                                                                                                                  |
| [u, ub, uu (Unassemble)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/u--unassemble-)                                               | `u <ADDRESS \| ADDRESS_RANGE>`                                                                          | <p><code>u 0xfffff8015be478d0</code><br><br><code>u nt!NtOpenProcessToken</code></p>                                          | Displays an assembly translation of the code at the specified memory address or range.                                                                                                                                                                                                                                                                         |
| [uf (Unassemble Function)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/uf--unassemble-function-)                                   | `uf <ADDRESS>`                                                                                          | <p><code>uf fffff80705685060</code><br><br><code>uf nt!NtOpenProcessTokenEx</code></p>                                        | Displays an assembly translation of the whole function containing the specified memory address.                                                                                                                                                                                                                                                                |
| [!address](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-address)                                                                   | `!address <ADDRESS>`                                                                                    | <p><code>!address fffff80705d1a410</code><br><br><code>!address nt!NtOpenProcessTokenEx</code></p>                            | Displays information on the module to which the specified address belongs (module name, path, and base start / end addresses).                                                                                                                                                                                                                                 |
| <p><em>\[dx advised]</em><br><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-process">!process</a></p>                       | `!process [/s <SESSION>] [/m <MODULE>] <0 \| PROCESS_ADDRESS \| PROCESS_PID> [<INFORMATION_LEVEL_FLAG>]` | <p><code>!process 0 0</code><br>displays all the processes of the system, with a minimum level of information.</p>           | Displays information about all or the specified processes, including the `EPROCESS` block.                                                                                                                                                                                                                                                                     |
| <p><em>\[dx advised]</em><br><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-thread">!thread</a></p>                         | `!thread [-p] [-t] <ADDRESS>`                                                                           | <p><code>!thread 0xffffcb088f0d6840</code><br>displays information about the thread whose <code>ETHREAD</code> block is at the given address.</p> | Displays summary information about a thread, including the `ETHREAD` block.                                                                                                                                                                                                                                                                        |
| [!acl](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-acl)                                                                           | `!acl <HEXA_ADDRESS>`                                                                                   |                                                                                                                               | Displays the contents of an `Access Control List (ACL)`.                                                                                                                                                                                                                                                                                                       |
| `poi(<ADDRESS>)`                                                                                                                                          |                                                                                                         |                                                                                                                               | Dereference pointer                                                                                                                                                                                                                                                                                                                                            |

**Display Debugger Object Model Expression (dx)**

```
dx <CPP_EXPRESSION>

// Displays information about the specified variable (using the variable's address directly, or its symbol if one exists).
dx (<TYPE> *) <ADDRESS>
dx (<TYPE> *) &<VARIABLE>
// If the variable is a pointer to an object.
dx (<TYPE> **) &<VARIABLE>

// Examples:
dx -r1 (ntkrnlmp!_EPROCESS *) 0xffffa10d10c37080
dx (nt!_EPROCESS *) &nt!PsIdleProcess
dx *(nt!_OBJECT_TYPE **) &nt!AlpcPortObjectType

// Displays the first debugging session processes as a grid view.
dx -g Debugger.Sessions.First().Processes

// Displays information about the process PID in the first debugging session.
dx Debugger.Sessions.First().Processes[<DECIMAL_PID>]

// Displays the threads of the first or specified process in the first debugging session processes as a grid view.
dx -g Debugger.Sessions.First().Processes.First().Threads
dx -g Debugger.Sessions.First().Processes[<DECIMAL_PID>].Threads

// Displays the loaded modules of the first or specified process in the first debugging session as a grid view.
dx -g Debugger.Sessions.First().Processes.First().Modules
dx -g Debugger.Sessions.First().Processes[<DECIMAL_PID>].Modules

// Retrieves the first or specified thread of the specified process in the first debugging session.
dx -r1 Debugger.Sessions.First().Processes[<DECIMAL_PID>].Threads.First()
dx -r1 Debugger.Sessions.First().Processes[<DECIMAL_PID>].Threads[<DECIMAL_THREAD_ID>]

// Stores the specified process as a variable, allowing later reference to the process properties.
dx @$process = Debugger.Sessions.First().Processes[<DECIMAL_PID>]
dx @$process->Name
dx @$process->Threads
// Get process Ldr.
dx -r2 (_PEB_LDR_DATA *) @$process.Environment.EnvironmentBlock.Ldr

// Stores the specified process handles in a variable and displays all or selected information about each handle.
dx @$processHandles = Debugger.Sessions.First().Processes[<DECIMAL_PID>].Io.Handles
// Display all available information.
dx -g @$processHandles
// Displays selected information.
dx -g @$processHandles->Select(o => new { Handle = o->Handle, Type = o->Type, ObjectName = o->ObjectName})
// Filters handles of type "Directory" and displays selected information.
dx -g @$processHandles->Where(o => (o.Type == "Directory"))->Select(o => new { Handle = o->Handle, Type = o->Type, ObjectName = o->ObjectName})

// Get process Ldr first entry (in memory order).
dx -r1 @$process.Environment.EnvironmentBlock.Ldr->InMemoryOrderModuleList.Flink
```

**Execution control flow**

| Command                                                                                                                       | Usage | Examples | Description |
| ----------------------------------------------------------------------------------------------------------------------------- | ----- | -------- | ----------- |
| [bp, bu, bm (Set Breakpoint)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bp--bu--bm--set-breakpoint-) | <p><code>bp \<ADDRESS \| SYMBOL></code><br><br><code>bu \<SYMBOL></code><br><br><code>bm \<PATTERN></code></p> | <p><code>bp nt!NtOpenProcessToken</code><br><br><code>bm nt!NtOpenProcess*</code></p> | <p>Sets a software breakpoint.<br><br><code>bp</code> requires the address or symbol to resolve immediately.<br><br><code>bu</code> sets a deferred (unresolved) breakpoint, resolved when the matching module is loaded.<br><br><code>bm</code> sets breakpoints on every symbol matching the pattern.</p> |
| [bl (Breakpoint List)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bl--breakpoint-list-)               | `bl` | `bl` | Lists the existing breakpoints with their id, state (`e` enabled / `d` disabled) and address. |
| [g (Go)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/g--go-)                                           | `g [<ADDRESS>]` | <p><code>g</code><br><br><code>g nt!NtOpenProcessToken</code></p> | Resumes execution of the target until the next breakpoint or exception, or until the optional address is reached (a one-shot breakpoint is set there). |

### Userland process crashdump / dump analysis

| Command                                                                                                                                                                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `!analyze -v`                                                                                                                                                                | <p>Provides an overview of the dump: process name, error code, stack trace, etc.<br><br>More useful for crash dumps; of limited use for a deliberately taken process dump.</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `!peb`                                                                                                                                                                       | Parses the `Process Environment Block (PEB)` of the process, notably retrieving: the process image file and command line, current directory, loaded `DLLs`, window title, environment variables.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| `lm f`                                                                                                                                                                       | Lists the loaded `DLLs`; any `DLL` can be clicked to retrieve more information on it: size, file / product version, metadata, etc.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `lmDv`                                                                                                                                                                       | Prints verbose information (as mentioned on `lm f`) for all loaded `DLLs`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `!address`                                                                                                                                                                   | <p>Lists the address pages and associated information:<br>- Page type (<code>MEM\_IMAGE</code>, <code>MEM\_MAPPED</code>, <code>MEM\_PRIVATE</code>)<br>- Page state (<code>MEM\_COMMIT</code>, <code>MEM\_RESERVE</code>, <code>MEM\_FREE</code>)<br>- Page protection (<code>PAGE\_READWRITE</code>, <code>PAGE\_EXECUTE\_READ</code>, <code>PAGE\_EXECUTE\_READWRITE</code>, etc.)<br>- Associated file on disk, if any<br><br>Can be useful to detect a number of suspicious indicators / anomalies:<br>- In-memory <code>PE</code> (<code>MZ</code> header) not backed by an on-disk file.<br>- Suspicious <code>PAGE\_EXECUTE\_READWRITE</code> protection.<br>- Modification of modules that are commonly patched to bypass a security mechanism (such as patching <code>amsi.dll</code> to bypass <code>AMSI</code>): writing to a module's memory causes the affected page to change from <code>MEM\_IMAGE</code> to <code>MEM\_PRIVATE</code> (copy-on-write).</p> |
| <p><code>!address -f:\<FILTER></code><br><br>Examples:<br><br><code>!address -f:PAGE\_EXECUTE\_READWRITE</code><br><br><code>!address -f:MEM\_PRIVATE,MEM\_COMMIT</code></p> | <p>Filters memory pages based on the specified filter.<br><br>All filters in the list are AND-combined.</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
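As an added example (not part of the original notes), the `!address` anomaly checks above and the AND-combined `-f:` filtering, implemented in Python over a constructed sample of `!address` output; the region lines, addresses and module path in the sample are made up for illustration:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of user-mode "!address" output (not captured from a real process).
# Columns: BaseAddress, EndAddress+1, RegionSize, Type (absent for free memory), State,
# Protect, Usage. Region 3 is private RWX memory; region 5 is an amsi.dll page that
# turned MEM_PRIVATE because it was written to (copy-on-write), i.e. a patched module.
SAMPLE_ADDRESS_OUTPUT = r"""
+        0`00000000        0`00010000        0`00010000             MEM_FREE    PAGE_NOACCESS                      Free
+        0`00010000        0`00020000        0`00010000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     Other      [Heap]
+        0`02a30000        0`02a40000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READWRITE             <unknown>  [............]
+     7ffb`6f8c0000     7ffb`6f8c1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [C:\Windows\System32\amsi.dll]
+     7ffb`6f8c1000     7ffb`6f8c2000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [C:\Windows\System32\amsi.dll]
+     7ffb`6f8c2000     7ffb`6f8d0000        0`0000e000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [C:\Windows\System32\amsi.dll]
"""

# One region line; the Type column is optional because MEM_FREE regions do not have one.
LINE_RE = re.compile(
    r"^\+?\s*(?P<base>[0-9a-f`]+)\s+(?P<end>[0-9a-f`]+)\s+(?P<size>[0-9a-f`]+)\s+"
    r"(?:(?P<type>MEM_IMAGE|MEM_MAPPED|MEM_PRIVATE)\s+)?"
    r"(?P<state>MEM_COMMIT|MEM_RESERVE|MEM_FREE)\s+(?P<protect>PAGE_\w+)\s*(?P<usage>.*)$"
)

@dataclass
class Region:
    base: int
    end: int
    type: Optional[str]  # None for free memory
    state: str
    protect: str
    usage: str

    def attributes(self) -> set:
        """Names that "!address -f:" can match on: Type, State, Protect and Usage class."""
        attrs = {self.state, self.protect}
        if self.type:
            attrs.add(self.type)
        if self.usage:
            attrs.add(self.usage.split()[0])
        return attrs

def parse_address_output(text: str) -> List[Region]:
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # header, separator or continuation lines
        regions.append(Region(int(m["base"].replace("`", ""), 16),
                              int(m["end"].replace("`", ""), 16),
                              m["type"], m["state"], m["protect"], m["usage"].strip()))
    return regions

def filter_regions(regions: List[Region], spec: str) -> List[Region]:
    """Mimics "!address -f:A,B": every listed attribute must match (AND-combined)."""
    wanted = {s.strip() for s in spec.split(",") if s.strip()}
    return [r for r in regions if wanted <= r.attributes()]

def find_anomalies(regions: List[Region]) -> List[Tuple[int, str]]:
    """Flags committed regions showing the indicators listed for !address above."""
    findings = []
    for r in regions:
        if r.state != "MEM_COMMIT":
            continue
        image_backed = r.usage.startswith("Image")
        if r.protect == "PAGE_EXECUTE_READWRITE":
            findings.append((r.base, "RWX region"))
        if r.type == "MEM_PRIVATE" and image_backed:
            findings.append((r.base, "image page turned private: module patched in memory"))
        if r.type == "MEM_PRIVATE" and r.protect.startswith("PAGE_EXECUTE") and not image_backed:
            findings.append((r.base, "executable memory not backed by a module: check for an MZ header"))
    return findings
```

The "MZ header" finding only marks candidates: confirming an unbacked PE still requires dumping the region's first bytes (for example with `db`) from the debugger.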

***

### References

* Microsoft Windows Debugging Tools official documentation

  <https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/>
* "Modern Debugging with WinDbg Preview" DEFCON 27 workshop by hugsy and 0vercl0k

  <https://github.com/hugsy/defcon_27_windbg_workshop>
* "WinDbg — the Fun Way: Part 1 / 2" by Yarden Shafir

  <https://medium.com/@yardenshafir2/windbg-the-fun-way-part-1-2e4978791f9b>

  <https://medium.com/@yardenshafir2/windbg-the-fun-way-part-2-7a904cba5435>
