SETUP

------------------------------------------------------
To set windbg as your default post-mortem debugger (run on crash
of programs),
simply run windbg from the command line with the -I option:

C:\wherever\windbg.exe -I

------------------------------------------------------
CONTROL FLOW
g - go / continue / run
p - step over
t - step into

(All further commands also work as ta, tc, tt, tct, th -

stepping in insted of over)

pa 0xaddress - step to address

pc - step to next call
pt - step to next return
pct - step to next call or return
ph - step to next branching instruction

------------------------------------------------------
BREAKPOINTS

bp 0xaddress - Set breakpoint

bl - List breakpoints
bd num - disable breakpoint num
bc num - clear breakpoitn num
ba [e|r|w] 1 0xaddress - break on access [execution|read|write]
size address

sxe ld:dllname - Break on load of module dllname

------------------------------------------------------
DUMP MEMORY

d[d|w|b|a] 0xaddress - dump [dword|word|byte|ascii] at address

d[d|w|b|a] 0xaddress L5 - option L argument defines how many of
them to dump
dd register - dump contents of a register
ddp 0xaddress - dump contents of address, and whatever
it points to
dda 0xaddress - dump contents of address, and print
the string if it exists
u 0xaddress L5 - disassemble at 0xaddress, L
instructions
------------------------------------------------------
EDIT MEMORY

e[d|w|b] 0xaddress newbytes - edit memory

------------------------------------------------------
SEARCH MEMORY

s -[d|w|b|a] 0x00000000 L?0xffffffff searchval

- first option is size (dword, word, byte,
ascii string)
- second option is start address
- third option is end address
- last option is the value to search for
- ex dword: 0x41414141
- ex word 0x4241
- ex byte ff e3 (can be as many as you
like!)
- ex ascii: avacado!

------------------------------------------------------
SYMBOL SETUP - to dump symbols in C:\sym

.sympath .SRV*C:\sym*http://msdl.microsoft.com/download/symbols/
.reload /f

------------------------------------------------------
DUMP STRUCTURES

!teb - dump thread environment block

!peb - dump process environment block
!vadump - dump list of memory pages and info
!lmi modulename - dump the info for module modulename
lm - show loaded modules
k - show call stack
r - show registers
dt structName 0xaddress - display a structure in proper format
if you have symbols

------------------------------------------------------
SUGGESTED SETUP

----------------------------------------------
| | |
| | |
| | |
| | |
| DISASSEMBLY | REGISTERS |
| | |
| |----------------------|
| | |
| | |
| | |
|-----------------------| COMMAND |
| | |
| | |
| | |
| MEMORY | |
| | |
| |- - - - - - - - - - - |
| | |
| | MEMORY / STACK |
| | |
-----------------------------------------------

MEMORY - Virtual: set to esp to show the stack

If you want a generic memdump AND a constant stack, put another
memory window under
command - yes, you can have as many as you like

REGISTERS - I usually check both boxes in the configuration -

changes show up on top and
in red