
Examine environment

k (kn, kM, knL)            View call stack
    kn 10                  Shows the top 0x10 frames (WinDbg's default radix is hexadecimal, so this is 16 frames).

dv                         Display local variables
    dv /v                  Displays the local variables together with the register or address each one lives in.

.frame N                   Switch context to frame N
    .frame 1               Switches context to frame 1 (the topmost frame is 0).

r (r Reg)                  Display register information
    r                      Displays all register values, followed by the instruction at the current program counter.
    r eax                  Displays the value of register eax.

x Symbol                   Examine symbol
    x user32!SendMessageA  Shows the address and signature of the function user32!SendMessageA.
    x this                 Shows the address and value of the this pointer.
    x user32!SendMessage*  Shows the address and signature of every function whose name begins with user32!SendMessage (e.g. user32!SendMessageW).

.for (op1;op2;op3) {Commands}    Executes a for loop using a virtual register
    .for (r $t1 = 0; @$t1 < 0x10; r $t1 = @$t1 + 1) { r $t1; }
                           Loops the virtual register $t1 from 0 up to (but not including) 0x10 in steps of 1 and, for each step, runs r $t1, which displays the register's value.

db Address (dw, dd, dq)    Display memory contents of Address
    db 0x012345 0x012345 + 0x10    Displays the bytes between addresses 0x012345 and 0x012345 + 0x10 inclusive.
    dd 0x012345 0x012345 + 0x10    Displays the same range as DWORD (32-bit) values.

dt Type Address            Displays the contents of Address as a structure of type Type
    dt vWM_COMMAND 0037ef48        Displays the contents of address 0037ef48 as type vWM_COMMAND.

? or ??                    Evaluate expression
    ? 0n20                 Evaluates the decimal literal 0n20 to 0x14 using the default (MASM) evaluator.
    ?? this->msg           Evaluates the C++ expression this->msg, which displays the field msg of the object this.

eb Address Value           Writes the byte Value to Address
    eb 0x1234 3                    Writes the byte value 3 to address 0x1234.
    eza 0x012345 "hello world"     Writes the zero-terminated ASCII string hello world to address 0x012345 (quote the string, since it contains a space).
    ezu 0x012345 "hello world"     Writes the zero-terminated Unicode (UTF-16) string hello world to address 0x012345.

u (uf Method)              Unassemble
    u                      Unassembles the next eight instructions.
    uf user32!SendMessageA Unassembles the complete function user32!SendMessageA.

lm (lmvm, lmfsm) Module    List loaded modules
    lmvm user32            Displays detailed information about the loaded module user32.dll.
    lmfsm                  Lists all loaded modules (lm), showing the full path (f) and sorted by module name (sm).

!lmi Module                Loaded module info
    !lmi user32.dll        Lists detailed information about module user32.dll, including the GUID of its PDB.
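The commands above compose into small scripts. The following is an added example, not part of the original cheat sheet: it uses .for, virtual registers, poi, .printf and ln to dump the arguments of the function the debugger just broke into. It assumes a 32-bit (x86) target stopped on the function's first instruction, so the return address is at esp and the arguments start at esp+4; the script path is hypothetical.

```windbg
$$ Added example (not from the cheat sheet): inspect the arguments of the function
$$ we just broke into. Assumes a 32-bit (x86) target stopped at the function's
$$ first instruction, so the return address is at esp and the arguments start at esp+4.
$$ Save as args.wds and run it with:  $$>< c:\scripts\args.wds   (path is hypothetical)

$$ $t0 = address of the first argument, $t1 = loop counter (virtual registers keep
$$ their values between commands, so they are safe to use as script variables)
r $t0 = @esp + 4

.for (r $t1 = 0; @$t1 < 6; r $t1 = @$t1 + 1)
{
    $$ Print the index, the stack slot's address and the DWORD stored there (poi = pointer-sized read)
    .printf "arg[%d] at %p = %p\n", @$t1, @$t0 + @$t1 * 4, poi(@$t0 + @$t1 * 4)

    $$ If the value points into a loaded module, ln names the nearest symbol, which
    $$ quickly separates code pointers and vtables from plain integers and heap data
    ln poi(@$t0 + @$t1 * 4)
}

$$ The default evaluator is MASM with hex radix, so 6 is 0x6 and the decimal literal 0n20 is 0x14
? 6
? 0n20
```

Comments use $$ rather than * because $$>< joins the file's lines with semicolons, and a $$ comment ends at the next semicolon; for the same reason a $$ comment must not itself contain a semicolon.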

Control execution

p (pc)                     Step over
    pc                     Steps over until the next function call.

t (tc)                     Step into
    tc                     Steps into until the next function call.

g                          Continue execution
    g                      Continues execution until the next breakpoint.

gu                         Step out
    gu                     Steps out of the current function, breaking when it returns.

wt                         Trace and watch data
    t;wt                   Steps into a function and then runs wt, which traces every call made until that function returns and reports the number of calls to each method.

Breakpoints

bp Method                  Add a breakpoint on a method call
    bp user32!MessageBoxW  Breaks when the function user32!MessageBoxW is called.
    bp USER32!DialogBox2 ".if (poi(fOwnerIsActiveWindow)==1) {.echo One;gc;} .else {.echo Zero;gc;}"
                           Breaks when USER32!DialogBox2 is called and runs the quoted command: if the local variable fOwnerIsActiveWindow is 1, displays One and continues; otherwise displays Zero and continues.

ba Access Size Address     Add a breakpoint when Address is read from or written to
    ba w4 0x0abcdef        Breaks when the 4 bytes at address 0x0abcdef are written to.
    ba r4 0x01234567       Breaks when the 4 bytes at address 0x01234567 are read from or written to.
                           ba uses the processor's debug registers: Address must be aligned to Size and only four such breakpoints are available at a time.

bm Pattern                 Add a breakpoint on all methods matching Pattern
    bm user32!Meth*d       Breaks on all methods whose names start with user32!Meth and end with d.

be N / bd N                Enable / disable breakpoint N
    be 1                   Enables breakpoint 1.
    bd *                   Disables all breakpoints.
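The conditional breakpoint pattern above (a command string that inspects state and then continues) is the workhorse for tracing a live process without stopping it. The following is an added example, not from the original cheat sheet: it logs every MessageBoxW call with its arguments and catches whoever writes a global flag. It assumes an x86 (stdcall) target, so arguments sit at esp+4, esp+8, ... on function entry; the symbol mymodule!g_config_flag and the log path are hypothetical.

```windbg
$$ Added example (not from the cheat sheet): log every MessageBoxW call with its
$$ arguments and catch the writer of a global flag, without stopping the target.
$$ Assumes an x86 target (stdcall, arguments at esp+4, esp+8, ... on function entry).
$$ The symbol "mymodule!g_config_flag" and the log path are hypothetical.

$$ Send everything the debugger prints to a timestamped log file (/t appends the time)
.logopen /t c:\temp\msgbox.log

$$ Breakpoint with an attached command string. Inside the string, quotes are escaped
$$ with a backslash and the newline is written as \\n. %mu reads a NUL-terminated
$$ Unicode string at the given address, kn 3 shows who called MessageBoxW, and gc
$$ resumes the target in the same way it was running before the break.
bp user32!MessageBoxW ".printf \"MessageBoxW hwnd=%p text='%mu' caption='%mu'\\n\", poi(@esp+4), poi(@esp+8), poi(@esp+0xc); kn 3; gc"

$$ Hardware data breakpoint: 4 bytes, trigger on write. The address must be aligned
$$ to the size and only four debug registers exist, so use ba sparingly.
ba w4 mymodule!g_config_flag ".echo g_config_flag modified by:; kn 4; gc"

$$ Review the breakpoint list, then let the target run
bl
g
```

Because both breakpoints end in gc, the process never stays stopped; the log file is the output. Use .logclose when done, and bd * if the logging breakpoints are no longer wanted.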

Memory

!heap Options Address      Heap usage information
    !heap -s                       Displays heap summary information, including reserved and committed bytes for every heap handle.
    !heap -stat -h 0x04e00000      Displays usage statistics for heap 0x04e00000, including the total consumption per block size.
    !heap -flt s 800               Displays the allocated blocks of size 800.
    !heap -p -a 0a7f9000           Displays page heap information about the block containing address 0a7f9000, including the allocation call stack if available (the process must have been started with page heap enabled).

!address Options           Display statistics about the memory of the current process
    !address -summary      Displays a memory usage summary, such as the breakdown of usage by type and state.

!vprot Address             Display virtual memory protection information
    !vprot 30c191c         Shows information about address 30c191c, including its State (Reserved, Committed), Protection (READ, WRITE, EXECUTE) and Type (Image, Free, Stack, Heap).

Processes and threads

!peb                       Process Environment Block
    !peb                   Displays the PEB, which includes the environment variables, the command line and the list of loaded modules.

!teb                       Thread Environment Block
    !teb                   Displays the TEB of the current thread, which contains the last error, the stack base and the stack limit.

!gle                       Get Last Error
    !gle                   Displays the last error value of the current thread.

!runaway                   Time consumed by each thread
    !runaway               Displays the user-mode time consumed by each thread, sorted in decreasing order.

~N e Command               Execute command on thread N
    ~1kn                   Runs kn (display call stack) on thread 1.
    ~16e .frame 2;dv       On thread 16, runs the commands .frame 2 and dv.

~N s                       Set active thread
    ~3s                    Sets the active thread to thread 3.

.lastevent                 Display last event
    .lastevent             Displays the last debugger event (for example the exception that stopped the target) and the thread it occurred on.

Symbols

ln Address                 List nearest symbol
    ln mso + 0xabe98       Displays the symbol nearest to the load address of module mso plus the offset 0xabe98. This is useful to determine which method raised an exception when the Event Log reports faulting module mso at faulting offset 0x000abe98.

.symopt Flags              Set current symbol options
    .symopt +40            Adds symbol option 0x40 (SYMOPT_LOAD_ANYTHING) so that the closest matching symbols are loaded when the exact PDB is not available. Loosely matched symbols can produce plausible but wrong stacks, so check the loaded PDB with lmvm before trusting them.

!sym Option                Set symbol loading options
    !sym noisy             Makes symbol loading noisy, so that search paths, GUIDs and permission errors are logged.
    !sym quiet             Turns !sym noisy off again.

.reload Options Module     Reload symbols for module
    .reload /f /s user32.dll    Reloads the symbols for user32.dll immediately, bypassing lazy symbol loading.
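The thread and symbol commands above are what a crash triage is built from. The following is an added example, not from the original cheat sheet: it starts from the Event Log's "faulting module / faulting offset" pair, names the function at that offset, and then surveys every thread. The module name mso and the offset 0xabe98 are taken from the cheat sheet's own ln sample and are hypothetical here.

```windbg
$$ Added example (not from the cheat sheet): triage a crash dump when the Event Log
$$ only reported "faulting module mso.dll, faulting offset 0x000abe98".
$$ The module name and offset are hypothetical, taken from the ln sample above.

$$ What stopped the debugger, and on which thread?
.lastevent

$$ Make symbol resolution visible, force mso's symbols to load now, and name the
$$ function containing the faulting offset. Without the matching PDB, ln falls back
$$ to the nearest export, which may be far away, so check the "Symbol type" line of lmvm.
!sym noisy
.reload /f mso.dll
lmvm mso
ln mso + 0xabe98
!sym quiet

$$ Walk every thread: print its OS thread id ($tid pseudo-register), then its top 5 frames.
$$ ~*e applies the rest of the line, both commands, to each thread in turn.
~*e .printf "=== thread id %x\n", @$tid; kn 5

$$ Which thread burned the most CPU, and what was the last Win32 error on the current one?
!runaway
!gle
```

Run it once per dump with $$>< and keep the output with .logopen; the thread survey is the part to re-read when the faulting thread is not the one that looks busiest in !runaway.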

Extensions

.load Path                 Load extension from Path
    .load wow64exts; !sw   Loads wow64exts.dll from the default extension path (C:\debuggers\winext, C:\debuggers\winxp), then executes the command sw from the first extension in the search chain that provides it. sw switches the debugger context between 32-bit and 64-bit.

.chain                     List debugger extensions
    .chain                 Shows the extension search path and the search chain.

Time Travel Tracing

!idna.tt Percent           Time travel to position
    !idna.tt 50            Moves the context to the position at 50% of the iDNA trace.

.time                      Shows the current time (system uptime, user time) and the TTT position
    .time -s               Shows the same, but only for the current thread.

!idna.position             Display current position info
    !idna.position -a      Displays the current position info for the active thread.

!idna.index                Commits the memory index to the .RUN file.

g-                         Continues execution backwards to the previous breakpoint.

p- (p-c)                   Step over backwards
    p-c                    Steps over backwards until the previous function call.

t- (t-c)                   Step into backwards
    t-c                    Steps into backwards until the previous function call.

MEX

!mex.help                  Shows the full list of commands available in MEX.
!mex.update                Updates the MEX extension to the latest build.
!mex.olanalyze             Basic Outlook/MAPI dump analysis.
!mex.wdanalyze             Displays Word-specific information (open documents, active document, last fetch, etc.).

!mex.err Code              Interprets an error code (including MAPI codes)
    !mex.err 0x80040115    Interprets 0x80040115 as MAPI_E_NETWORK_ERROR.

!mex.rop Code              Interprets a ROP (a MAPI/Exchange remote operation, not return-oriented programming)
    !mex.rop 9             Interprets ROP 9 as ropGetPropList.

!mex.dumpconnections       Dumps Outlook's connection list.

!mex.ddt Address Type      Dump type with DML
    !mex.ddt 0x0c9aee08 user32!Message    Similar to dt, but uses DML to highlight the structure's members so you can click on one to run ddt on it.

!mex.fos                   Fix Office Sources
    !mex.fos               Adds the \\daddev paths for Office modules to the source path.

Managed

!psscor2.help              Shows the full list of commands available in psscor2 (.NET 2.0).
!psscor4.help              Shows the full list of commands available in psscor4 (.NET 4.0).
!Analysis                  Performs a full .NET analysis, including exceptions.
!CLRStack                  Views the managed call stack.
!dumpstack                 Views the combined managed and unmanaged call stack.
!PrintException            Views information on the most recent exception.
!Threads                   Views the managed threads.

Prototype Debugger Extension (former ProcDump Extension)

!pde.help                  Displays the full list of supported commands.

!pde.deep N                View call stacks from all threads longer than N frames
    !pde.deep 30           Views the call stacks of all threads that are longer than 30 frames.

!pde.seek Symbol Command   Execute Command against stacks that contain Symbol
    !pde.seek ReadFile dv  Finds all stacks that contain at least one frame with the substring ReadFile, sets the current thread to the thread owning that stack and executes the command dv.

!pde.analyze -v            Exception analysis.

!pde.vmem                  Process address space.

!pde.dpx                   Displays data types in registers
    !pde.dpx -dt           Displays the data type of each register value, so you can see the class type behind an interface pointer.