Windbg Notes

search memory region from x to y for a series of bytes:
    s -b 00000000 ffffffff 90 90 90 43 43 43


Display:
    DWORD: dd
    Bytes: db
    ASCII: da
    Type: dt (ie dt _EXCEPTION_REGISTRATION_RECORD 0xffffffff)
    
Conditional breaks:

    bp 0x5050118e ".if @eax = 0x40 {} .else {gc}"  #break if eax == 0x40
    bp 0x5051579a ".if (@eax & 0x0`ffffffff) = 0x80808080 {} .else {gc}" # break if eax == 0x80808080 (signed value which is why the & is necessary)

View Memory Protections:
    
    !vprot 0d55e514

Break on match, multiple breakpoints with wildcards:
bm /a wevtsvc!SomeFunc_or_Class*

Common WinDbg Commands (Thematically Grouped)

PreviousReverse Engineering NextIDA Pro

Last updated 3 years ago

Was this helpful?