WinDbg Kernel

lm (List Loaded Modules)

lm lm <PATTERN>

lm nt*

Displays all or the specified loaded modules.

x (Examine Symbols)

x <MODULE>!* x <MODULE>!<PATTERN>

x nt!* x nt!*process*

Displays the symbols in the specified module.

ln (List Nearest Symbols)

ln <ADDRESS>

ln fffff80705d4c9d4

Displays the symbol(s) at or near the specified address.

dt (Display Type)

dt <STRUCT> dt nt!*<PATTERN>*

dt nt!_EPROCESS

Displays information about a local variable, global variable or data type.

.printf

.printf [<OPTIONS>] <FORMAT_STRING> <ARGUMENT | ARGUMENT_LIST>

.printf "%y", <ADDRESS> displays the eventual symbol associated with the given address.

C printf-like function.

dds, dps, dqs (Display Words and Symbols)

d*s <ADDRESS | ADDRESS_RANGE>

dqs fffff80705d1a410 dqs fffff80705d1a410 fffff80705d1a418

Displays the contents of memory in the given range. The dds command displays DWORD (4 byte) values. The dqs command displays QWORD (8 byte) values. The dps command displays pointer-sized values (4 byte or 8 byte depending on the system architecture) values.

ds, dS (Display String)

ds <ADDRESS> dS <ADDRESS>

Display a STRING / ANSI_STRING (ds) or UNICODE_STRING (dS) strings.

u, ub, uu (Unassemble)

u <ADDRESS | ADDRESS_RANGE>

u 0xfffff8015be478d0 u nt!NtOpenProcessToken

Displays an assembly translation of the code at the specified memory address or range.

uf (Unassemble Function)

u <ADDRESS>

uf fffff80705685060 uf nt!NtOpenProcessTokenEx

Displays an assembly translation of the function at the specified memory address.

!address

!address <ADDRESS>

!address fffff80705d1a410 !address nt!NtOpenProcessTokenEx

Displays information on the module to which the specified address belong (module name, path and base start / end ADDRESSs).

[dx advised] !process

!process [/s <SESSION>] [/m <MODULE>] <0 | PROCESS_ADDRESS | PROCESS_PID> <INFORMATION_LEVEL_FLAG>]

!process 0 0 display all the process of the system, with a minimum level of information.

Displays information about all or the specified processes, including the EPROCESS block.

[dx advised] !thread

!thread [-p] [-t] <ADDRESS>

!thread 0xffffcb088f0d6840 display all the process of the system, with a minimum level of information.

Displays summary information about a thread, including the ETHREAD block.

!acl

!acl <HEXA_ADDRESS>

Displays the contents of an Access Control List (ACL).

poi(<ADDRESS>)

Dereference pointer

bp, bu, bm (Set Breakpoint)

bl (Breakpoint List)

g (Go)

!analyze -v

Provides an overview of the dump: process name, error code, stack trace, etc. More useful for crashdump, limited use for voluntarily taken process dump.

!peb

Parses the Process Environment Block (PEB) of the process, notably retrieving: the process image file and command line, current directory, loaded DLLs, windows title, environment variables.

lm f

Lists the loaded DLLs, with the possibility to click on any DLL to retrieve more information on a specific DLL: size, file / product version, metadata, etc.

lmDv

Prints verbose information (as mentioned on lm f) for all loaded DLLs.

!address

Lists the address pages and associated information: - Page type (MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE) - Page state (MEM_COMMIT, MEM_RESERVE, MEM_FREE) - Page protection (PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, etc.) - Eventual associated file on disk Can be useful to detect a number of suspicious indicators / anomalies: - In memory PE (MZ header) not backed by an on-disk file. - Suspicious PAGE_EXECUTE_READWRITE protection. - Modification of modules usually patched to bypass security mechanism (such as the patching of the amsi.dll to bypass AMSI). Indeed a modification of a module memory will result in the page to change from MEM_IMAGE to MEM_PRIVATE.

!address -f:<FILTER> Examples: !address -f:PAGE_EXECUTE_READWRITE !address -f:MEM_PRIVATE,MEM_COMMIT

Filters memory pages based on the specified filter. All filters in the list are AND-combined.