Friday, 5 August 2011

Some WinDbg commands for memory dump analysis

!analyze - displays information about the current exception (e.g. type, error code, place where it occurred, call stack)
   -v = show verbose output

.ecxr - switches debugger context to the one of the current exception (must be executed before other call stack commands!)

.frame - shows current frame (function) - specifies which local context (scope) will be used to interpret local variables, or displays the current local context.

.frame N - changes current frame to frame N (N is in hexadecimal format!). Frame with number 0 is the one where exception occurred and which is on the top of the stack.

Example:
.frame 0 - switches scope to function which is on the top of the stack
.frame 1- switches scope to function which called function from frame 0

k - displays stack trace for last set context.

kN - displays call stack for last N frames

kP - displays all frames (entire function call chain) from the call stack, with values of function parameters

!for_each_frame - instructs debugger to execute for each frame in the stack of the current thread

dv - Display Value. Displays the values of function parameters and values of local variables
   /t - show type information
   /v - show address

Example:
To show information about parameters and local variables of the last frame (function) in the stack use:
dv /t /v

To show entire function call chain with parameters and local variables we can use: 
!for_each_frame dv /t /v

dt - Display Type. Displays information (value, members, their values...) about variable or type
   /b - display embedded structures recursively

Example:
If myVar is some local variable from the last frame we can examine its members and their values with:
dt -b myVar

To (recursively) display the contents (members, their types and offsets) of some data type (e.g. CMyClass) use:
dt /b CMyClass

To display the state of some variable of type CMyClass which is at the address 0x00a7ab64 (address could have been obtained with dv) we can use:
dt -b CMyClass 0x00a7ab64


If CMyClass has a member of type T and its offset is for example +0x1f90, we can inspect T object with:
dt -b T 0x00a7ab64+0x1f90

db  
- display raw memory (128 bytes) starting from

If some local variable is pointer, we can examine memory it points to by using operator poi() which   returns value of pointer variable:

db poi(pData)
(db pData would output memory starting with address pData, not the one it points to!)

~
- displays brief list of all threads

~*
- displays brief list of threads, including Priority and Priority Class information

.cls - clear screen


References and useful links:

Debugger Reference(MSDN)
Common WinDbg Commands
WinDbg the easy way
Adventures In A 32-bit Minidump
Post a Comment