Difference between revisions of "Kdbg"
Revision as of 16:34, 3 November 2019
This page was a mirror of the KDBG page (rev 72) on Blight's Wiki
Contents
- 1 Introduction
- 2 Command Reference
- 2.1 ?
- 2.2 bc
- 2.3 bd
- 2.4 be
- 2.5 bl
- 2.6 bpm
- 2.7 bpx
- 2.8 bt
- 2.9 bugcheck
- 2.10 cont
- 2.11 cregs
- 2.12 disasm
- 2.13 dmesg
- 2.14 dregs
- 2.15 dt
- 2.16 filter
- 2.17 gdt
- 2.18 help
- 2.19 idt
- 2.20 kmsg
- 2.21 ldt
- 2.22 mod
- 2.23 next
- 2.24 pcr
- 2.25 proc
- 2.26 regs
- 2.27 set
- 2.28 sregs
- 2.29 step
- 2.30 thread
- 2.31 tss
- 2.32 x
- 2.33 !pool
- 2.34 !poolused
- 2.35 !poolfind
- 2.36 !filecache
- 2.37 !defwrites
- 2.38 !irpfind
- 2.39 !handle
Introduction
KDB, the Kernel DeBugger of ReactOS, is built into ntoskrnl. For each exception which is handled by the kernel, KDB gets up to two chances to handle it. The first chance occurs before the kernel tries to find and execute an exception handler. The last chance occurs after the kernel fails to find an exception handler or the handler did not handle the exception.
For each type of exception known to KDB, you can set separately, for the first and for the last chance, the condition under which KDB is entered. The possible settings are never, umode, kmode and always: never means that KDB is never entered when the exception is raised, umode that it is entered when the exception was raised in user mode, kmode that it is entered when the exception was raised in kernel mode, and always that it is entered every time.
Enabling KDBG before build
KDBG is automatically enabled or disabled by the configuration options script (cmake/config.cmake).
KDBG is by default configured to be enabled for the bootloader entries "ReactOS (Debug)" and "ReactOS (RosDbg)" for all ISO images. See also Debugging#Breaking into the built-in kernel debugger.
KDBinit
As early as possible during boot, KDB loads and interprets the KDBinit file (\SystemRoot\system32\drivers\etc\KDBinit).
The KDBinit file can contain all commands available in the command line interface of KDB plus the break command. When a break is read from the KDBinit file, KDB is entered; you can use this to enter KDB automatically when booting.
Here's the default KDBinit file (the break is commented out):
# Example KDBinit file
#
# Set the disassembly flavor to "intel" (default is "at&t")
set syntax intel
# Change the condition to enter KDB on INT3 to "always" (default is "kmode")
#set condition INT3 first always
# This is a special command available only in the KDBinit file - it breaks into
# KDB when it is interpreting the init file at startup.
#break
Command Reference
?
Syntax: ? expression
Evaluate expression. The result is displayed in hexadecimal and unsigned decimal format. If it is < 0 it is also displayed in signed decimal format.
kdb:> ? eip
0xc00a1535 3221886261 -1073081035
The following operators are supported: +, -, *, /, %, ==, !=, >, <, >=, <=
Parentheses are supported for grouping.
Brackets dereference memory. The memory size (byte, word, dword or qword) can be specified as a prefix before the opening bracket; the default is the size of a pointer (dword on IA32).
kdb:> ? 1+2*3
0x00000007 7
kdb:> ? (1+2)*3
0x00000009 9
kdb:> ? [eip]
0xffbe16e8 4290647784 -4319512
kdb:> ? word[eip]
0x000016e8 5864
kdb:> ? byte[eip]
0x000000e8 232 -24
kdb:> ? byte[eip+1]
0x00000016 22
kdb:> ? [0]
  ^ Couldn't access memory at 0x0
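As an added worked example (not code from KDB or ReactOS), the following Python evaluator implements the expression syntax described above: the listed operators with C-like precedence, parentheses, and bracket dereferences with an optional size prefix. The register file and memory image are constructed; the bytes at EIP are chosen so that the dereferences reproduce the transcript above. Two assumptions are the example's own: arithmetic wraps at the 32-bit pointer size, and bare numbers are decimal (the transcript does not settle either point).

```python
import re

# Constructed register file and memory image (assumptions, not read from KDB); the
# bytes at EIP are chosen so the dereferences match the transcript above.
REGISTERS = {"eip": 0xC00A1535, "eax": 0x01C634D3, "ebx": 0x0000940E}
MEMORY = {0xC00A1535 + i: b for i, b in enumerate(bytes.fromhex("e816beffffe8d1bbffff"))}
SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}   # size prefixes for [ ]
MASK32 = 0xFFFFFFFF   # arithmetic wraps at the IA-32 pointer size (assumption)
TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*|==|!=|>=|<=|[-+*/%<>()\[\]]")


def tokenize(text):
    tokens = TOKEN.findall(text)
    if "".join(tokens) != "".join(text.split()):   # findall would silently skip junk
        raise SyntaxError(f"bad token in {text!r}")
    return tokens


def read_memory(address, width):
    """Little-endian read of `width` bytes; LookupError on the first unmapped byte."""
    value = 0
    for i in range(width):
        if address + i not in MEMORY:
            raise LookupError(address)
        value |= MEMORY[address + i] << (8 * i)
    return value


class Parser:
    """Recursive descent, C-like precedence: comparison < + - < * / % < primary.
    Every value carries the width in bytes that decides how it is printed."""

    CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
    ADD = {"+": lambda a, b: a + b, "-": lambda a, b: a - b}
    MUL = {"*": lambda a, b: a * b, "/": lambda a, b: a // b, "%": lambda a, b: a % b}

    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'an operand'}, got {tok!r}")
        self.i += 1
        return tok

    def expression(self):
        return self.binary(self.CMP, lambda: self.binary(
            self.ADD, lambda: self.binary(self.MUL, self.primary)))

    def binary(self, ops, operand):
        left, width = operand()
        while self.peek() in ops:
            op = self.take()
            right, _ = operand()
            left, width = int(ops[op](left, right)) & MASK32, 4
        return left, width

    def primary(self):
        tok = self.take()
        if tok == "(":
            value, width = self.expression()
            self.take(")")
            return value, width
        if tok in SIZES or tok == "[":             # [size]'[' expression ']'
            width = SIZES.get(tok, 4)              # default: pointer size (dword)
            if tok != "[":
                self.take("[")
            address, _ = self.expression()
            self.take("]")
            return read_memory(address, width), width
        if tok in REGISTERS:
            return REGISTERS[tok], 4
        if tok.startswith("0x") or tok.isdigit():
            return int(tok, 16 if tok.startswith("0x") else 10) & MASK32, 4
        raise SyntaxError(f"unknown operand {tok!r}")


def format_result(value, width):
    """Hex, unsigned decimal and, if the sign bit of a `width`-byte value is set, signed decimal."""
    text = f"0x{value:0{max(8, 2 * width)}x} {value}"
    if (value >> (8 * width - 1)) & 1:
        text += f" {value - (1 << (8 * width))}"
    return text


def kdb_query(line):
    """Emulate `? expression` and return the text KDB prints (syntax errors raise)."""
    parser = Parser(line.strip().lstrip("?"))
    try:
        value, width = parser.expression()
    except LookupError as e:
        return f"Couldn't access memory at {e.args[0]:#x}"
    if parser.peek() is not None:
        raise SyntaxError(f"unexpected {parser.peek()!r}")
    return format_result(value, width)
```

Calling `kdb_query("? byte[eip]")` returns `0x000000e8 232 -24`: the width of the dereference, not of the arithmetic, decides whether the signed form is printed, which is why `byte[eip+1]` (0x16) shows no third column while `[eip]` does.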
bc
Syntax: bc [breakpoint]
Clear breakpoint.
bd
Syntax: bd [breakpoint]
Disable breakpoint.
be
Syntax: be [breakpoint]
Enable breakpoint.
bl
Syntax: bl
List breakpoints.
bpm
Syntax: bpm [r|w|rw|x] [byte|word|dword] [address]
Set memory breakpoint at address.
bpx
Syntax: bpx [address]
Set software execution breakpoint at address.
Note: Don't forget to type 'set condition INT3 first always' when you set a breakpoint in usermode or KDB will not be entered on the breakpoint.
bt
Syntax: bt [*frameaddr]
Print current backtrace or from given frame address.
kdb:> bt
Frames:
<ntoskrnl.exe:d9dc>
<c00a248f>
<ntoskrnl.exe:1140>
bugcheck
Syntax: bugcheck
Crash the system.
cont
Syntax: cont
Continue execution (leave debugger).
cregs
Syntax: cregs
Display control, descriptor table and task segment registers.
kdb:> cregs
CR0 0x8001003b PE MP TS ET NE WP PG
CR2 0x01720000
CR3 0x006ca000 Pagedir-Base 0x006ca000
CR4 0x00000619 VME DE PSE OSFXSR OSXMMEXCPT
GDTR Base 0x806c9000 Size 0x03ff
LDTR 0x0000
IDTR Base 0x806c9400 Size 0x07ff
TR 0x0028
disasm
Syntax: disasm [address] [L count]
Disassemble count instructions at address.
kdb:> disasm
<c00a1535>: call <0xC009D350>
<c00a153a>: call <0xC009D110>
<c00a153f>: call <ntoskrnl.exe:2e990>
<c00a1544>: call <0xC009DDD0>
<c00a1549>: mov 0xc0104d40,%eax
<c00a154e>: cmpb $0x0,(%eax)
<c00a1551>: je <0xC00A1597>
<c00a1553>: lea 0x0(%esi),%esi
<c00a1559>: lea 0x0(%edi,1),%edi
<c00a1560>: sub $0x8,%esp
Intel syntax is also supported:
kdb:> set syntax intel
kdb:> disasm
<c00a1535>: call <0xC009D350>
<c00a153a>: call <0xC009D110>
<c00a153f>: call <ntoskrnl.exe:2e990>
<c00a1544>: call <0xC009DDD0>
<c00a1549>: mov eax,ds:0xc0104d40
<c00a154e>: cmp BYTE PTR [eax],0x0
<c00a1551>: je <0xC00A1597>
<c00a1553>: lea esi,[esi]
<c00a1559>: lea edi,[edi*1]
<c00a1560>: sub esp,0x8
dmesg
Syntax: dmesg
Display debug messages on the screen (with pagination).
dregs
Syntax: dregs
Display debug registers.
kdb:> dregs
DR0 0x00000000
DR1 0x00000000
DR2 0x00000000
DR3 0x00000000
DR6 0xffff0ff0
DR7 0x00000400
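The dregs output is only readable once you know how DR7 encodes what bpm asks for, so here is an added example (not KDB's own code) that models the IA-32 debug registers: it arms a breakpoint in the terms bpm uses ([r|w|rw|x] [byte|word|dword] [address]), decodes a DR7 value back into that vocabulary, and reads the "which breakpoint fired" bits of DR6. The bit positions are those documented for IA-32 (Intel SDM vol. 3); how KDB itself chooses slots or maps the "r" condition is not on the page, so the mapping of "r" to the hardware's read-or-write encoding is this example's assumption. The sample values are the ones shown by dregs above plus constructed addresses.

```python
# DR7 field encodings on IA-32. bpm's "r" has no hardware counterpart: the CPU offers
# only execute, write and read-or-write, so this model arms "r" as read-or-write
# (an assumption about the mapping, not KDB's code).
RW_BITS = {"x": 0b00, "w": 0b01, "rw": 0b11, "r": 0b11}
LEN_BITS = {"byte": 0b00, "word": 0b01, "dword": 0b11}
LEN_NAMES = {0b00: "byte", 0b01: "word", 0b11: "dword", 0b10: "qword"}   # 0b10: 64-bit only
DR7_RESERVED = 1 << 10     # bit 10 always reads as 1: the 0x00000400 in the dregs output


def arm_breakpoint(dr7, slot, kind, size, address):
    """Return (dr7, drN) after placing `bpm kind size address` into slot 0-3 (DR0-DR3)."""
    if slot not in range(4):
        raise ValueError("only DR0-DR3 exist")
    if kind == "x":
        size = "byte"                           # execute breakpoints require LEN=00
    width = {"byte": 1, "word": 2, "dword": 4}[size]
    if address % width:
        raise ValueError("data breakpoints must be aligned to their length")
    shift = 16 + 4 * slot                       # R/W_n at bits 16+4n, LEN_n at 18+4n
    dr7 &= ~(0b1111 << shift) & 0xFFFFFFFF      # drop any previous condition in this slot
    dr7 |= (RW_BITS[kind] | LEN_BITS[size] << 2) << shift
    dr7 |= 1 << (2 * slot)                      # L_n: local enable for this slot
    return dr7 | DR7_RESERVED, address


def disarm_breakpoint(dr7, slot):
    """Clear L_n and G_n so the slot no longer fires; the address in DRn may stay."""
    return dr7 & ~(0b11 << (2 * slot)) & 0xFFFFFFFF


def decode_dr7(dr7, dr_addresses):
    """List the armed breakpoints in bpm terms: (slot, kind, size, address)."""
    armed = []
    for slot in range(4):
        if not dr7 & (0b11 << (2 * slot)):      # neither L_n nor G_n set
            continue
        field = (dr7 >> (16 + 4 * slot)) & 0b1111
        rw, length = field & 0b11, field >> 2
        if rw == 0b00:
            kind, size = "x", "byte"
        elif rw == 0b10:
            kind, size = "io", LEN_NAMES[length]    # I/O breakpoint, only with CR4.DE set
        else:
            kind, size = ("w" if rw == 0b01 else "rw"), LEN_NAMES[length]
        armed.append((slot, kind, size, dr_addresses[slot]))
    return armed


def triggered_slots(dr6):
    """B0-B3 of DR6 record which breakpoint fired; the CPU never clears them itself."""
    return [slot for slot in range(4) if dr6 & (1 << slot)]


def format_dregs(dr_addresses, dr6, dr7):
    """Render the registers in the layout dregs prints."""
    lines = [f"DR{n} 0x{a:08x}" for n, a in enumerate(dr_addresses)]
    return lines + [f"DR6 0x{dr6:08x}", f"DR7 0x{dr7:08x}"]
```

With the page's values (DR7 0x00000400, DR6 0xffff0ff0) `decode_dr7` reports no armed breakpoints and `triggered_slots` none fired; arming a write watch on a dword gives DR7 0x000d0401. The cregs output above shows DE set in CR4, which is the bit that gives the I/O-breakpoint encoding its meaning.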
dt
Syntax: dt [mod] [type] [addr]
Print a struct. The address is optional.
filter
Syntax: filter [error|warning|trace|info|level]+|-[componentname|default]
Enable/disable debug channels.
Example:
kdb:> filter trace+i8042prt
Example:
kdb:> filter +serial
gdt
Syntax: gdt
Display the global descriptor table.
kdb:> gdt
GDT Base: 0x806c9000 Limit: 0x03ff
Idx Sel.   Type        Base       Limit      DPL Attribs
001 0x0008 CODE32      0x00000000 0x0fffffff 00  R/X A
002 0x0010 DATA32      0x00000000 0x0fffffff 00  R/W A
003 0x001b CODE32      0x00000000 0x0fffffff 03  R/X A
004 0x0023 DATA32      0x00000000 0x0fffffff 03  R/W A
005 0x0028 TSS32(Busy) 0x8009c000 0x000020ac 00
006 0x0030 DATA32      0xffdff000 0x00001fff 00  R/W A
007 0x003b DATA32      0x00000000 0x00001000 03  R/W A
008 0x0043 DATA16      0x00000400 0x00010000 03  R/W
009 0x0048 LDT         0x00000000 0x00000001 00
010 0x0050 TSS32(Avl)  0x80a10ca0 0x00000069 00
011 0x0058 TSS32(Avl)  0x80a10c20 0x00000069 00
012 0x0060 DATA16      0x00020000 0x00010000 00  R/W
013 0x0068 DATA16      0x000b8000 0x00004000 00  R/W
014 0x0070 DATA16      0xffff7000 0x00000400 00  R/W
015 0x0078 UNKNOWN     [NP]       [NP]       00  NP
help
Syntax: help
Display help screen.
kdb:> help
Kernel debugger commands:
* Data:
  ? expression                     - Evaluate expression.
  disasm [address] [L count]       - Disassemble count instructions at address.
  x [address] [L count]            - Display count dwords, starting at addr.
  regs                             - Display general purpose registers.
  cregs                            - Display control registers.
  sregs                            - Display status registers.
  dregs                            - Display debug registers.
  bt [*frameaddr|thread id]        - Prints current backtrace or from given frame addr
* Flow control:
  cont                             - Continue execution (leave debugger)
  step [count]                     - Execute single instructions, stepping into interrupts.
  next [count]                     - Execute single instructions, skipping calls and reps.
  bl                               - List breakpoints.
  be [breakpoint]                  - Enable breakpoint.
  bd [breakpoint]                  - Disable breakpoint.
  bc [breakpoint]                  - Clear breakpoint.
  bpx [address] [IF condition]     - Set software execution breakpoint at address.
  bpm [r|w|rw|x] [byte|word|dword] [address] [IF condition]
                                   - Set memory breakpoint at address.
* Process/Thread:
  thread [list[ pid]|[attach ]tid] - List threads in current or specified process, display thread with given id or attach to thread.
  proc [list|[attach ]pid]         - List processes, display process with given id or attach to process.
* System info:
  mod [address]                    - List all modules or the one containing address.
  gdt                              - Display global descriptor table.
  ldt                              - Display local descriptor table.
  idt                              - Display interrupt descriptor table.
  pcr                              - Display processor control region.
  tss                              - Display task state segment.
* Others:
  bugcheck                         - Bugchecks the system.
  set [var] [value]                - Sets var to value or displays value of var.
  help                             - Display help screen.
idt
Syntax: idt
Display the interrupt descriptor table.
kdb:> idt
IDT Base: 0x8012d1d0 Limit: 0x0800
Idx Type       Seg. Sel. Offset     DPL
000 TRAPGATE32 0x0008    0x800039bf 00
001 TRAPGATE32 0x0008    0x800039ce 00
002 TRAPGATE32 0x0008    0x800039dd 00
003 TRAPGATE32 0x0008    0x800039ec 03
004 TRAPGATE32 0x0008    0x800039fb 00
005 TRAPGATE32 0x0008    0x80003a0a 00
006 TRAPGATE32 0x0008    0x80003a19 00
007 TRAPGATE32 0x0008    0x80003a28 00
008 TASKGATE   0x0050               00
009 TRAPGATE32 0x0008    0x80003a3d 00
010 TRAPGATE32 0x0008    0x80003a4c 00
011 TRAPGATE32 0x0008    0x80003a59 00
012 TRAPGATE32 0x0008    0x80003a66 00
013 TRAPGATE32 0x0008    0x80003a73 00
014 INTGATE32  0x0008    0x80003a80 00
015 TRAPGATE32 0x0008    0x80003a8d 00
016 TRAPGATE32 0x0008    0x80003a9c 00
017 TRAPGATE32 0x0008    0x80003aab 00
018 TRAPGATE32 0x0008    0x80003aba 00
019 TRAPGATE32 0x0008    0x80003ac9 00
020 TRAPGATE32 0x0008    0x80003ad8 00
...
044 TRAPGATE32 0x0008    0x80003ad8 00
045 TRAPGATE32 0x0008    0x8006ef9f 03
046 TRAPGATE32 0x0008    0x80003b79 03
047 TRAPGATE32 0x0008    0x80003ad8 00
...
kmsg
Syntax: kmsg
Alias for dmesg.
ldt
Syntax: ldt
Display the local descriptor table.
kdb:> ldt
Local descriptor table is empty.
mod
Syntax: mod [address]
List all modules or the one containing address.
kdb:> mod
Base     Size     Name
c0000000 00096ca0 ntoskrnl.exe
c039c000 00007de0 hal.dll
next
Syntax: next [count]
Execute single instructions, skipping calls and reps.
pcr
Syntax: pcr
Display the processor control region.
kdb:> pcr
Current PCR is at 0xFFDFF000.
  Tib.ExceptionList:        0xffffffff
  Tib.StackBase:            0x00000000
  Tib.StackLimit:           0x00000000
  Tib.SubSystemTib:         0x8009c000
  Tib.FiberData/Version:    0x000282ed
  Tib.ArbitraryUserPointer: 0x00000001
  Tib.Self:                 0x00000000
  SelfPcr:                  0xffdff000
  PCRCB:                    0xffdff120
  Irql:                     0x00
  IRR:                      0x00000000
  IrrActive:                0x00000000
  IDR:                      0xffff20b8
  KdVersionBlock:           0x00000000
  IDT:                      0x806c9400
  GDT:                      0x806c9000
  TSS:                      0x8009c000
  MajorVersion:             0x0001
  MinorVersion:             0x0001
  SetMember:                0x00000001
  StallScaleFactor:         0x00000473
  Number:                   0x00
  L2CacheAssociativity:     0x08
  VdmAlert:                 0x00000000
  L2CacheSize:              0x00040000
  InterruptMode:            0x00000000
proc
Syntax: proc [list|[attach ]pid]
List processes, display process with given id or attach to process.
kdb:> proc
Current process:
  PID:            0x00000004
  State:          Unknown (0x0)
  Image Filename: System
kdb:> proc list
  PID         State    Filename
 *0x00000004  Unknown  System
  0x00000058  Active   smss.exe
  0x0000007c  Active   csrss.exe
  0x00000094  Active   winlogon.exe
  0x000000b0  Active   setup.exe
regs
Syntax: regs
Display general purpose registers.
kdb:> regs
CS:EIP  0x0008:0xc00b880a
SS:ESP  0xd754:0x00000000
EAX     0x01c634d3
EBX     0x0000940e
ECX     0x00000000
EDX     0x00000000
ESI     0x002ff000
EDI     0x00000000
EBP     0xc0103c70
EFLAGS  0x00200202 IF IOPL0 ID
set
Syntax: set [var] [value]
Sets var to value or displays value of var.
kdb:> set
Available settings:
  syntax [intel|at&t]
  condition [exception|*] [first|last] [never|always|kmode|umode]
kdb:> set syntax
syntax = at&t
kdb:> set condition
Conditions:                (First)   (Last)
  #00  ZERODEVIDE          never     kmode
  #01  DEBUGTRAP           always    never
  #02  NMI                 never     always
  #03  INT3                kmode     never
  #04  OVERFLOW            never     kmode
  #05  BOUND               never     kmode
  #06  INVALIDOP           never     kmode
  #07  NOMATHCOP           never     kmode
  #08  DOUBLEFAULT         always    always
  #09  RESERVED(9)         always    always
  #10  INVALIDTSS          never     kmode
  #11  SEGMENTNOTPRESENT   never     kmode
  #12  STACKFAULT          never     kmode
  #13  GPF                 never     kmode
  #14  PAGEFAULT           never     kmode
  #15  RESERVED(15)        always    always
  #16  MATHFAULT           never     kmode
  #17  ALIGNMENTCHECK      never     kmode
  #18  MACHINECHECK        never     kmode
  #19  SIMDFAULT           never     kmode
       OTHERS              never     kmode
Example: Enabling usermode software breakpoints.
kdb:> set condition int3 first always
kdb:> set condition int3
Condition for exception #03 (INT3): FirstChance always LastChance never
Example: Catching all exceptions.
kdb:> set condition * first always
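The condition table, the two chances described in the Introduction and the KDBinit mechanism fit together in one small model. The following Python is an added example, not KDB's own code: it holds the default table transcribed from the `set condition` output above, interprets `set syntax`, `set condition` (including the `*` wildcard and the one-exception query) and KDBinit lines with `#` comments and `break`, and answers whether KDB would be entered for a given exception, chance and privilege mode. The `dispatch` function applies the first-chance/last-chance rule from the Introduction; the parameter `handled_by_kernel` is this example's name for "the kernel found a handler and it handled the exception". Anything the page does not show (for instance what KDB prints for an unknown exception name) is handled with the example's own error wording.

```python
# Default condition table, transcribed from the `set condition` output above:
# (exception number, name, first-chance setting, last-chance setting).
# OTHERS is the fallback row for exceptions without their own entry.
DEFAULT_CONDITIONS = [
    (0, "ZERODEVIDE", "never", "kmode"), (1, "DEBUGTRAP", "always", "never"),
    (2, "NMI", "never", "always"), (3, "INT3", "kmode", "never"),
    (4, "OVERFLOW", "never", "kmode"), (5, "BOUND", "never", "kmode"),
    (6, "INVALIDOP", "never", "kmode"), (7, "NOMATHCOP", "never", "kmode"),
    (8, "DOUBLEFAULT", "always", "always"), (9, "RESERVED(9)", "always", "always"),
    (10, "INVALIDTSS", "never", "kmode"), (11, "SEGMENTNOTPRESENT", "never", "kmode"),
    (12, "STACKFAULT", "never", "kmode"), (13, "GPF", "never", "kmode"),
    (14, "PAGEFAULT", "never", "kmode"), (15, "RESERVED(15)", "always", "always"),
    (16, "MATHFAULT", "never", "kmode"), (17, "ALIGNMENTCHECK", "never", "kmode"),
    (18, "MACHINECHECK", "never", "kmode"), (19, "SIMDFAULT", "never", "kmode"),
    (None, "OTHERS", "never", "kmode"),
]
SETTINGS = ("never", "always", "kmode", "umode")
AVAILABLE = ("Available settings:\n  syntax [intel|at&t]\n"
             "  condition [exception|*] [first|last] [never|always|kmode|umode]")
# The default KDBinit from the page, reduced to its active lines plus the commented-out break.
DEFAULT_KDBINIT = "# Example KDBinit file\nset syntax intel\n#set condition INT3 first always\n#break\n"


class KdbSettings:
    """Model of the `set` state plus the first/last-chance decision from the Introduction."""

    def __init__(self):
        self.syntax = "at&t"
        self.number = {name: num for num, name, _, _ in DEFAULT_CONDITIONS}
        self.conditions = {name: {"first": f, "last": l} for _, name, f, l in DEFAULT_CONDITIONS}

    def execute(self, line):
        """Run one command line ('#' starts a comment, as in KDBinit); returns KDB's reply."""
        words = line.split("#", 1)[0].split()
        if not words:
            return ""
        if words == ["break"]:
            return "break"                      # special command, only meaningful in KDBinit
        if words[0] != "set":
            raise ValueError(f"not modelled here: {line.strip()}")
        if len(words) == 1:
            return AVAILABLE
        if words[1] == "syntax":
            if len(words) == 2:
                return f"syntax = {self.syntax}"
            self.syntax = words[2]
            return ""
        if words[1] == "condition":
            return self._set_condition(words[2:])
        raise ValueError(f"unknown setting: {words[1]}")

    def _label(self, name):
        num = self.number[name]
        return f"#{num:02d} ({name})" if num is not None else f"({name})"

    def _set_condition(self, args):
        if not args:                            # `set condition`: dump the whole table
            return "\n".join(f"{self._label(n)} {c['first']} {c['last']}"
                             for n, c in self.conditions.items())
        name = args[0].upper()
        if name != "*" and name not in self.conditions:
            raise ValueError(f"unknown exception: {args[0]}")
        if len(args) == 1 and name != "*":      # `set condition int3`: show one entry
            c = self.conditions[name]
            return (f"Condition for exception {self._label(name)}: "
                    f"FirstChance {c['first']} LastChance {c['last']}")
        if len(args) != 3 or args[1].lower() not in ("first", "last") or args[2].lower() not in SETTINGS:
            raise ValueError(f"bad condition: {' '.join(args)}")
        chance, value = args[1].lower(), args[2].lower()
        for target in (self.conditions if name == "*" else [name]):   # '*' covers every row
            self.conditions[target][chance] = value
        return ""

    def should_enter(self, exception, chance, user_mode):
        """Apply never/umode/kmode/always for one chance and the mode the exception was raised in."""
        setting = self.conditions.get(exception.upper(), self.conditions["OTHERS"])[chance]
        return {"never": False, "always": True, "umode": user_mode, "kmode": not user_mode}[setting]

    def dispatch(self, exception, user_mode, handled_by_kernel):
        """The two chances: first before the kernel looks for a handler, last only if no
        handler took the exception. Returns 'first', 'last' or None (KDB not entered)."""
        if self.should_enter(exception, "first", user_mode):
            return "first"
        if not handled_by_kernel and self.should_enter(exception, "last", user_mode):
            return "last"
        return None

    def load_kdbinit(self, text):
        """Interpret a KDBinit file; True means a `break` was read and KDB would be entered."""
        return any(self.execute(line) == "break" for line in text.splitlines())
```

With the defaults, an INT3 raised in user mode never enters KDB (first chance kmode, last chance never), which is exactly why the bpx section tells you to run `set condition INT3 first always` before setting a user-mode breakpoint; a kernel-mode page fault that no handler takes enters KDB at the last chance only.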
sregs
Syntax: sregs
Display segment/selector registers.
kdb:> sregs
CS 0x0008 Index 0x0001 GDT RPL0
DS 0x0010 Index 0x0002 GDT RPL0
ES 0x0010 Index 0x0002 GDT RPL0
FS 0x0030 Index 0x0006 GDT RPL0
GS 0x0010 Index 0x0002 GDT RPL0
SS 0xd754 Index 0x1aea LDT RPL0
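The sregs and gdt outputs are two views of the same structures: a selector is an index into the GDT or LDT plus a requested privilege level, and each table entry is an 8-byte descriptor. The following Python is an added example (not KDB's own code) that decodes a selector the way sregs prints it and decodes a raw IA-32 segment descriptor into the Type/Base/Limit/DPL/Attribs columns of the gdt listing. The descriptor layout is the documented IA-32 one; the sample table is constructed (via a packing helper that is also this example's) to mirror the shape of entries 001, 005 and 006 of the gdt listing above, plus a not-present entry. How KDB itself formats its Limit column is not reproduced.

```python
import struct

# System (S=0) descriptor types as gdt and idt name them.
SYSTEM_TYPES = {0x1: "TSS16(Avl)", 0x2: "LDT", 0x3: "TSS16(Busy)", 0x5: "TASKGATE",
                0x9: "TSS32(Avl)", 0xB: "TSS32(Busy)", 0xE: "INTGATE32", 0xF: "TRAPGATE32"}


def decode_selector(selector):
    """Split a selector the way sregs prints it: descriptor index, table (TI bit), RPL."""
    return {"index": selector >> 3,
            "table": "LDT" if selector & 0x4 else "GDT",
            "rpl": selector & 0x3}


def format_selector(reg, selector):
    s = decode_selector(selector)
    return f"{reg} 0x{selector:04x} Index 0x{s['index']:04x} {s['table']} RPL{s['rpl']}"


def decode_descriptor(raw):
    """Decode one 8-byte IA-32 segment descriptor into the columns gdt prints."""
    limit_lo, base_lo, base_mid, access, gran, base_hi = struct.unpack("<HHBBBB", raw)
    dpl = (access >> 5) & 3
    if not access & 0x80:                           # P=0: the other fields mean nothing
        return {"type": "UNKNOWN", "base": None, "limit": None, "dpl": dpl, "attribs": "NP"}
    base = base_lo | (base_mid << 16) | (base_hi << 24)
    limit = limit_lo | ((gran & 0x0F) << 16)
    if gran & 0x80:                                 # G=1: limit is counted in 4 KiB pages
        limit = (limit << 12) | 0xFFF
    seg_type = access & 0x0F
    if access & 0x10:                               # S=1: code or data segment
        width = "32" if gran & 0x40 else "16"       # D/B bit
        if seg_type & 0x8:
            kind, attribs = "CODE" + width, ["R/X" if seg_type & 0x2 else "X"]
        else:
            kind, attribs = "DATA" + width, ["R/W" if seg_type & 0x2 else "R"]
        if seg_type & 0x1:                          # accessed bit, set by the CPU
            attribs.append("A")
        attribs = " ".join(attribs)
    else:                                           # S=0: TSS, LDT or gate
        kind, attribs = SYSTEM_TYPES.get(seg_type, f"SYSTEM({seg_type:#x})"), ""
    return {"type": kind, "base": base, "limit": limit, "dpl": dpl, "attribs": attribs}


def describe_gdt(table):
    """Render a raw GDT image (concatenated 8-byte entries) in gdt's layout; entry 0 is the null descriptor."""
    lines = ["Idx Sel.   Type        Base       Limit      DPL Attribs"]
    for idx in range(1, len(table) // 8):
        d = decode_descriptor(table[8 * idx: 8 * idx + 8])
        base = "[NP]" if d["base"] is None else f"0x{d['base']:08x}"
        limit = "[NP]" if d["limit"] is None else f"0x{d['limit']:08x}"
        lines.append(f"{idx:03d} 0x{idx * 8:04x} {d['type']:<11} {base:<10} {limit:<10} "
                     f"{d['dpl']:02d}  {d['attribs']}".rstrip())
    return lines


def make_descriptor(base, limit, access, flags):
    """Constructed helper: pack the fields into the 8-byte layout; flags = G, D/B, L, AVL nibble."""
    return struct.pack("<HHBBBB", limit & 0xFFFF, base & 0xFFFF, (base >> 16) & 0xFF,
                       access, (flags << 4) | ((limit >> 16) & 0xF), (base >> 24) & 0xFF)


# Constructed GDT image: null entry, then entries shaped like indices 001, 005 and 006
# of the gdt listing above, then a not-present entry.
SAMPLE_GDT = b"".join([
    bytes(8),
    make_descriptor(0x00000000, 0xFFFFF, 0x9B, 0xC),   # ring-0 code, 4 GiB, G=1 D=1
    make_descriptor(0x8009C000, 0x020AC, 0x8B, 0x0),   # busy 32-bit TSS
    make_descriptor(0xFFDFF000, 0x01FFF, 0x93, 0x4),   # ring-0 data window, D=1
    bytes(8),                                           # P=0
])
```

Reading the two outputs together: FS is 0x0030, so `decode_selector` gives index 6 in the GDT, and entry 006 of the listing is a DATA32 segment based at 0xffdff000, the same address pcr reports for the current PCR. The TSS selector 0x0028 in the cregs output (TR) likewise resolves to entry 005, the busy TSS.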
step
Syntax: step [count]
Execute single instructions, stepping into interrupts (i.e. when EIP points to an int 0x2e, KDB looks up the address of the interrupt handler, sets an INT3 there and continues execution).
thread
Syntax: thread [list[ pid]|[attach ]tid]
List threads in current or specified process, display thread with given id or attach to thread.
kdb:> thread
Current Thread:
  TID:            0x00000000
  State:          Running (0x2)
  Priority:       8
  Affinity:       0x00000001
  Initial Stack:  0x8011f5a0
  Stack Limit:    0x8011c5a0
  Stack Base:     0x8011f5a0
  Kernel Stack:   0x8011f5a0
  Trap Frame:     0x00000000
  NPX State:      Invalid (0x1)
kdb:> thread list
  TID         State    Prior.  Affinity    EBP         EIP
 *0x00000000  Running  8       0x00000001  0x00000000  0x00000000
  0x00000008  Blocked  16      0xffffffff  0x9cdcbd38  0x8001009e
  0x0000000c  Blocked  16      0xffffffff  0x9cdced38  0x8001009e
  0x00000010  Blocked  16      0xffffffff  0x9cdd1d38  0x8001009e
  0x00000014  Blocked  16      0xffffffff  0x9cdd4d38  0x8001009e
  0x00000018  Blocked  16      0xffffffff  0x9cdd7d38  0x8001009e
  0x0000001c  Ready    0       0xffffffff  0x00000000  0x00000000
  0x00000020  Ready    0       0xffffffff  0x00000000  0x00000000
  0x00000024  Ready    0       0xffffffff  0x00000000  0x00000000
  0x00000028  Ready    0       0xffffffff  0x00000000  0x00000000
  0x0000002c  Ready    0       0xffffffff  0x00000000  0x00000000
  0x00000030  Blocked  31      0xffffffff  0x9cde9d38  0x8001009e
  0x00000034  Blocked  31      0xffffffff  0x9cdecd38  0x8001009e
  0x00000038  Blocked  31      0xffffffff  0x9cdefd38  0x8001009e
  0x0000003c  Blocked  31      0xffffffff  0x9cdf2d38  0x8001009e
  0x00000040  Blocked  31      0xffffffff  0x9cdf5d38  0x8001009e
  0x00000044  Blocked  8       0xffffffff  0x9cdf8d28  0x8001009e
  0x00000048  Ready    0       0xffffffff  0x00000000  0x00000000
  0x0000004c  Blocked  17      0xffffffff  0x9cdfed08  0x8001009e
  0x00000050  Ready    1       0xffffffff  0x00000000  0x00000000
  0x00000054  Blocked  16      0xffffffff  0x9ce04d28  0x8001009e
tss
Syntax: tss
Display task state segment.
kdb:> tss
Current TSS is at 0x8012d9f0.
  PreviousTask: 0x00000000
  Ss0:Esp0:     0x0010:0x80137df0
  Ss1:Esp1:     0x0000:0x00000000
  Ss2:Esp2:     0x0000:0x00000000
  Cr3:          0x00000000
  Eip:          0x00000000
  Eflags:       0x00000000
  Eax:          0x00000000
  Ecx:          0x00000000
  Edx:          0x00000000
  Ebx:          0x00000000
  Esp:          0x00000000
  Ebp:          0x00000000
  Esi:          0x00000000
  Edi:          0x00000000
  Es:           0x0000
  Cs:           0x0000
  Ss:           0x0000
  Ds:           0x0000
  Fs:           0x0000
  Gs:           0x0000
  Ldt:          0x0048
  Trap:         0x0000
  IoMapBase:    0xffff
x
Syntax: x [address] [L count]
Display count dwords, starting at address.
kdb:> x ebp
<c0103c70>: c0103c80 c000fbec 00000000 012ff000
<c0103c80>: c0103de0 c00b91e6 00000001 c011bc90
<c0103c90>: 00000014 c0103dc4 00000000 00000000
<c0103ca0>: 00000000 c03c6000 c0397000 c0125000
!pool
Syntax: !pool [Address [Flags]]
Display information about pool allocations.
!poolused
Syntax: !poolused [flags] [tag]
Display current pool usage (paged and non paged) for all tags.
A single tag or a subset of tags can be shown by using the wildcard '?', which matches any single character.
kdb:> !poolused
Pool Used:
            NonPaged             Paged
 Tag    Allocs     Used    Allocs     Used
 'ObCI'      3      192         0        0
 'VPB '      8      768         0        0
 'ObSc'      0        0        21     2840
 'Rqrv'      0        0       121      664
 'USTR'      0        0       365     6528
 'SCSI'     51   163984        20      384
 'RSYM'      6  2271840         0        0
 'TOKu'      0        0         2      192
!poolfind
Syntax: !poolfind Tag [Pool]
Search for pool tag allocations.
!filecache
Syntax: !filecache
Display cache usage.
!defwrites
Syntax: !defwrites
Display cache write values.
!irpfind
Syntax: !irpfind [Pool [startaddress [criteria data]]]
Lists IRPs potentially matching criteria.
!handle
Syntax: !handle [Handle]
Displays info about handles.