dbg命令使用
1) Built-in help commands CmdVariants / ParamsDescription
Example: .extmatch /D /e uext * (show all exported functions of uext.dll)
?Collapse Go up Go up?Collapse Go up?Collapse Go up?Collapse Go up?Collapse Go up?CollapseWith bp, the breakpoint location is always converted to an address. In contrast, a bu or a bm breakpoint is always associated with the symbolic value.
Simple Examples Go up.step_filter /c
?Collapse Go up?Collapse Go up?Collapse Go up?Collapse Go up?Collapse Go up?Collapse Go upIt seems that the following applies for windows XP SP2:
a) Normal heap
- HeapHandleHeapAddrUserAddr, UserPtrUserSize_HEAP_HEAP_ENTRY_DPH_HEAP_ROOT_DPH_HEAP_BLOCK
?CollapseFrom WinDbg's command line do a !heap -p -a , where is the address of your allocation ***. While !heap -p -a will dump a call-stack, no source information will be included. To get source information you must additionally enable page heap in step 1 (gflags.exe /i +ust +hpa) Do a dt ntdll!_DPH_HEAP_BLOCK StackTrace , where is the DPH_HEAP_BLOCK address retrieved in step 3. Do a dds ", where is the value retrieved in step 5. Note that dds will dump the stack with source information included.
Who created a heap - who called HeapCreate?
- Select "Create user mode stack trace database" and "Enable page heap" for your image in GFlags (gflags.exe /i +ust +hpa) a) From WinDbg's command line do a !heap -p -h , where is the value returned by HeapCreate. You can do a !heap -stat or !heap -p to get all heap handles of your process.
b) Alternatively you can use !heap -p -all to get addresses of all _DPH_HEAP_ROOT's of your process directly. Do a dt ntdll!_DPH_HEAP_ROOT CreateStackTrace , where is the address of a _DPH_HEAP_ROOT retrieved in step 2 Do a dds , where is the value retrieved in step 3.
Finding memory leaks From WinDbg's command line do a !address summary.
If RegionUsageHeap or RegionUsagePageHeap are growing, then you might have a memory leak on the heap. Proceed with the following steps.
- Enable "Create user mode stack trace database" for your image in GFlags (gflags.exe /i +ust) From WinDbg's command line do a !heap -stat, to get all active heap blocks and their handles. Do a !heap -stat -h 0. This will list down handle specific allocation statistics for every AllocSize.
For every AllocSize the following is listed: AllocSize, #blocks, and TotalMem. Take the AllocSize with maximum TotalMem. Do a !heap -flt s . =AllocSize that we determined in the previous step. This command will list down all blocks with that particular size. Do a !heap -p -a to get the stack trace from where you have allocated that much bytes. Use the that you got in step 4. To get source information you must additionally enable page heap in step 1 (gflags.exe /i +ust +hpa) Do a dt ntdll!_DPH_HEAP_BLOCK StackTrace , where is the DPH_HEAP_BLOCK address retrieved in step 5. Do a dds ", where is the value retrieved in step 7.
Note that dds will dump the stack with source information included.
*** What is a ?
- is usually the address returned by HeapAlloc:
Go up Go up-> "Stack Backtrace: (Megs)" -> 10
-> It seems that you sometimes also need to check and specify the "Debugger" field in GFlagsCmdVariants / ParamsDescription?Collapse
Enable 19-ProcessesAndThreads and 22-StringManipulation logging: !logeEnable logging!logc d *Disable all categories!logc p 19Display APIs of category 19logc e 19 22Enable category 19 and 22!logo d vDisable verbose output!logo d tDisable text output!logo e dEnable debugger output