# WinDbg Kernel ### Kernel exploration #### CheatSheet **Symbols and types** | Command | Usage | Examples | Description | | ------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | | [lm (List Loaded Modules)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/lm--list-loaded-modules-) |

lm

lm \

| `lm nt*` | Displays all or the specified loaded modules. | | [x (Examine Symbols)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/x--examine-symbols-) |

x \!\*

x \!\

|

x nt!\*

x nt!*process*

| Displays the symbols in the specified module. | | [ln (List Nearest Symbols)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/ln--list-nearest-symbols-) | `ln
` | `ln fffff80705d4c9d4` | Displays the symbol(s) at or near the specified address. | | [dt (Display Type)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dt--display-type-) |

dt \

dt nt!*\*

| `dt nt!_EPROCESS` | Displays information about a local variable, global variable or data type. | | [.printf](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-printf) | `.printf [] ` |

.printf "%y", \


displays the eventual symbol associated with the given address.

| C printf-like function. | **Memory exploration** | Command | Usage | Examples | Description | | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [dds, dps, dqs (Display Words and Symbols)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dds--dps--dqs--display-words-and-symbols-) | `d*s
` |

dqs fffff80705d1a410

dqs fffff80705d1a410 fffff80705d1a418

|

Displays the contents of memory in the given range.

The dds command displays DWORD (4 byte) values.

The dqs command displays QWORD (8 byte) values.

The dps command displays pointer-sized values (4 byte or 8 byte depending on the system architecture) values.

| | [ds, dS (Display String)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/ds--ds--display-string-) |

ds \



dS \

| | Display a `STRING` / `ANSI_STRING` (`ds`) or `UNICODE_STRING` (`dS`) strings. | | [u, ub, uu (Unassemble)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/u--unassemble-) | `u
` |

u 0xfffff8015be478d0

u nt!NtOpenProcessToken

| Displays an assembly translation of the code at the specified memory address or range. | | [uf (Unassemble Function)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/uf--unassemble-function-) | `u
` |

uf fffff80705685060

uf nt!NtOpenProcessTokenEx

| Displays an assembly translation of the function at the specified memory address. | | [!address](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-address) | `!address
` |

!address fffff80705d1a410

!address nt!NtOpenProcessTokenEx

| Displays information on the module to which the specified address belong (module name, path and base start / end ADDRESSs). | |

\[dx advised]
!process

| `!process [/s ] [/m ] <0 \| PROCESS_ADDRESS \| PROCESS_PID> ]` |

!process 0 0
display all the process of the system, with a minimum level of information.

| Displays information about all or the specified processes, including the `EPROCESS` block. | |

\[dx advised]
!thread

| `!thread [-p] [-t]
` |

!thread 0xffffcb088f0d6840
display all the process of the system, with a minimum level of information.

| Displays summary information about a thread, including the `ETHREAD` block. | | [!acl](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-acl) | `!acl ` | | Displays the contents of an `Access Control List (ACL)`. | | `poi(
)` | | | Dereference pointer | **Display Debugger Object Model Expression (dx)** ``` dx // Displays information about the specified variable (using the variable address directly or the variable eventual symbol). dx ( *)
dx ( *) & // If the variable is a pointer to an object. dx ( **) & // Examples: dx -r1 (ntkrnlmp!_EPROCESS *) 0xffffa10d10c37080 dx (nt!_EPROCESS *) &nt!PsIdleProcess dx *(nt!_OBJECT_TYPE **) &nt!AlpcPortObjectType // Displays the first debugging session processes as a grid view. dx -g Debugger.Sessions.First().Processes // Displays the first debugging session processes as a grid view. dx -g Debugger.Sessions.First().Processes // Displays information about the process PID in the first debugging session. dx Debugger.Sessions.First().Processes[] // Displays the threads of the first or specified process in the first debugging session processes as a grid view. dx -g Debugger.Sessions.First().Processes.First().Threads dx -g Debugger.Sessions.First().Processes[].Threads // Displays the loaded module of the first or specified process in the first debugging session processes as a grid view. dx -g Debugger.Sessions.First().Processes.First().Modules dx -g Debugger.Sessions.First().Processes[].Modules // Retrieve the first or specified thread of the specified process in the first debugging session. dx -r1 Debugger.Sessions.First().Processes[].Threads.First() dx -r1 Debugger.Sessions.First().Processes[].Threads[] // Stores the specified process as a variable, allowing later reference to the process properties. dx @$process = Debugger.Sessions.First().Processes[] dx @$process->Name dx @$process->Threads // Get process Ldr. dx -r2 (_PEB_LDR_DATA *) @$process.Environment.EnvironmentBlock.Ldr // Stores the specified process handles in a variable and display all or selected information about each handle. dx @$processHandles = Debugger.Sessions.First().Processes[].Io.Handles // Display all available information. dx -g @$processHandles // Displays selected information. dx -g @$processHandles->Select(o => new { Handle = o->Handle, Type = o->Type, ObjectName = o->ObjectName}) // Filters handles of type "Directory" and displays selected information. dx -g @$processHandles->Where(o => (o.Type == "Directory"))->Select(o => new { Handle = o->Handle, Type = o->Type, ObjectName = o->ObjectName}) // Get process Ldr first entry (in memory order). dx -r1 @$process.Environment.EnvironmentBlock.Ldr->InMemoryOrderModuleList.Flink ``` **Execution control flow** | Command | Usage | Examples | Description | | ----------------------------------------------------------------------------------------------------------------------------- | ----- | -------- | ----------- | | [bp, bu, bm (Set Breakpoint)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bp--bu--bm--set-breakpoint-) | | | | | [bl (Breakpoint List)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bl--breakpoint-list-) | | | | | [g (Go)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/g--go-) | | | | ### Userland process crashdump / dump analysis | Command | Description | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `!analyze -v` |

Provides an overview of the dump: process name, error code, stack trace, etc.

More useful for crashdump, limited use for voluntarily taken process dump.

| | `!peb` | Parses the `Process Environment Block (PEB)` of the process, notably retrieving: the process image file and command line, current directory, loaded `DLLs`, windows title, environment variables. | | `lm f` | Lists the loaded `DLLs`, with the possibility to click on any `DLL` to retrieve more information on a specific `DLL`: size, file / product version, metadata, etc. | | `lmDv` | Prints verbose information (as mentioned on `lm f`) for all loaded `DLLs`. | | `!address` |

Lists the address pages and associated information:
- Page type (MEM\_IMAGE, MEM\_MAPPED, MEM\_PRIVATE)
- Page state (MEM\_COMMIT, MEM\_RESERVE, MEM\_FREE)
- Page protection (PAGE\_READWRITE, PAGE\_EXECUTE\_READ, PAGE\_EXECUTE\_READWRITE, etc.)
- Eventual associated file on disk

Can be useful to detect a number of suspicious indicators / anomalies:
- In memory PE (MZ header) not backed by an on-disk file.
- Suspicious PAGE\_EXECUTE\_READWRITE protection.
- Modification of modules usually patched to bypass security mechanism (such as the patching of the amsi.dll to bypass AMSI). Indeed a modification of a module memory will result in the page to change from MEM\_IMAGE to MEM\_PRIVATE.

| |

!address -f:\

Examples:

!address -f:PAGE\_EXECUTE\_READWRITE

!address -f:MEM\_PRIVATE,MEM\_COMMIT

|

Filters memory pages based on the specified filter.

All filters in the list are AND-combined.

| *** ### References * Microsoft Windows Debugging Tools official documentation * "Modern Debugging with WinDbg Preview" DEFCON 27 workshop by hugsy and 0vercl0k" * "WinDbg — the Fun Way: Part 1 / 2" by Yarden Shafir