Some less-used WinDbg commands

When you dump the raw stack using dds and see the following:

04fdf814  76ff158e ntdll!ZwRaiseException+0x12
04fdf818  76fe012a ntdll!KiUserExceptionDispatcher+0x2a
04fdf81c  04fdf828 <- address to exception record
04fdf820  04fdf878 <- address to exception context
04fdf824  00000000

You can dump the exception record and context from the first and second parameters passed to ntdll!KiUserExceptionDispatcher:

0:013> .exr 04fdf828
ExceptionAddress: 74cb1b90 (urlmon!_DllMainCRTStartup)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 74cb1b90
Attempt to execute non-executable address 74cb1b90
0:013> .cxr 04fdf878
eax=00000000 ebx=00000001 ecx=04fdfbc8 edx=00000020 esi=04fdfb70 edi=04fdfbec
eip=74cb1b90 esp=04fdfb60 ebp=04fdfb7c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
74cb1b90 8bff            mov     edi,edi
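
As an added example (not from the original post), the Python script below automates this step for pasted 32-bit dds output: it finds the ntdll!KiUserExceptionDispatcher slot, builds the .exr/.cxr commands from the next two stack slots, and decodes Parameter[0] of an access violation (0 = read, 1 = write, 8 = execute/DEP). The function names and the embedded sample text are assumptions made for illustration.

```python
import re

# Constructed sample: the 32-bit `dds` output shown above, without the annotations.
DDS_SAMPLE = """\
04fdf814  76ff158e ntdll!ZwRaiseException+0x12
04fdf818  76fe012a ntdll!KiUserExceptionDispatcher+0x2a
04fdf81c  04fdf828
04fdf820  04fdf878
04fdf824  00000000
"""

# Constructed sample: the relevant lines of the `.exr` output shown above.
EXR_SAMPLE = """\
ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 74cb1b90
"""

SLOT = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S.*))?$", re.I)
# ExceptionInformation[0] values documented for EXCEPTION_ACCESS_VIOLATION.
AV_KIND = {0: "read", 1: "write", 8: "execute (DEP)"}


def dispatcher_commands(dds_text):
    """Return the .exr/.cxr commands for the two slots after the dispatcher frame."""
    rows = [m.groups() for m in (SLOT.match(l.strip()) for l in dds_text.splitlines()) if m]
    for i, (_, _, sym) in enumerate(rows):
        if sym and sym.startswith("ntdll!KiUserExceptionDispatcher") and i + 2 < len(rows):
            return [".exr " + rows[i + 1][1], ".cxr " + rows[i + 2][1]]
    return []  # no dispatcher frame, or the dump was cut short


def classify_av(exr_text):
    """Decode access type and faulting address from .exr output, or None if not an AV."""
    fields = dict(re.findall(r"^\s*([\w\[\]]+):\s*([0-9a-f]+)", exr_text, re.I | re.M))
    if fields.get("ExceptionCode", "").lower() != "c0000005":
        return None
    if int(fields.get("NumberParameters", "0"), 16) < 2:
        return None
    kind = AV_KIND.get(int(fields["Parameter[0]"], 16), "unknown")
    return kind, fields["Parameter[1]"].lower()


if __name__ == "__main__":
    print(dispatcher_commands(DDS_SAMPLE))
    print(classify_av(EXR_SAMPLE))
```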

If you see kernel32!UnhandledExceptionFilter in the stack:

0a9afa80 7c83ab50 0a9afaa8 7c839b39 0a9afab0 kernel32!UnhandledExceptionFilter+0x1c7

The first parameter passed to it is a pointer to EXCEPTION_POINTERS and .exptr can be used to dump it out:

0:075> .exptr 0a9afaa8

----- Exception record at 0a9afb9c:
ExceptionAddress: 08925aac
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: ea00cd67
Attempt to read from address ea00cd67

----- Context record at 0a9afbb8:
eax=8cda5b28 ebx=00000000 ecx=08923468 edx=01e20001 esi=00000007 edi=00000000
eip=08925aac esp=0a9afe84 ebp=0a9afebc iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
08925aac d8883f72265d    fmul    dword ptr [eax+5D26723Fh] ds:0023:ea00cd67=????????

Some other useful WinDbg commands:

  • !dlls – it lists user-mode DLLs.
  • .lastevent – eh, it displays last event.
  • !gle – it displays the last error saved in the current thread’s TEB, e.g. !for_each_thread ".thread /r /p @#Thread; .if (@$teb != 0) {!teb; !gle;}" shows the last error for threads that have a user-mode stack.
  • !chkimg – useful when suspecting functions were hooked.
  • .imgscan – scan full memory for image headers, useful for unknown modules.

Posted on March 26, 2012, in Uncategorized. 1 Comment.

  1. For printing Get Last Error for every thread I found that shorter command:
    ~*e !gle

    Only this one worked for me. !for_each_thread … didn’t work
