.NET DEBUGGING

OOPS

OOAD

SOLID

DP

DS

SQL

XML

FAQ

↑↓

Prerequisites

Windows Tools

Basic Concepts

Environment Setup

Windows Fundamentals

Windows Internals

Debugger Essentials

PE Anatomy

Standard Debugging

.NET Fundamentals

.NET Internals

.NET Metadata

CLR Data Structure

C# Programming

C# Compilation

IL Programming

CUI Debugging

↑↓

Module 9 - Native Techniques

System Status

Status Information of System

For Instance Mode etc.
How To
Dump System Status	1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64 ... ntdll!LdrpDoDebuggerBreak+0x30: ... 2) CDB@ .reload Reloading current modules ... 3) CDB@ || . 0 Live user mode: <Local> ... 4) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger -o : Switch, Specifies Target Application C:\Windows\System32\notepad.exe : Parameter, Notepad Application .reload : Meta Command, To Reload Module Symbol || : Standard Command, To Display System Status <Local> : Output, Local Machine qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; ||; qd

Process Status

Status Information of Process

For Instance Id, Name etc.
How To
Dump Process Status	1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64 ... ntdll!LdrpDoDebuggerBreak+0x30: ... 2) CDB@ .reload Reloading current modules ... 3) CDB@ | . 0 id: 2ab0 create name: notepad.exe ... 4) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger -o : Switch, Specifies Target Application C:\Windows\System32\notepad.exe : Parameter, Notepad Application .reload : Meta Command, To Reload Module Symbol | : Standard Command, To Display Process Status 2ab0 : Output, Process Identifier notepad.exe : Output, Application Name qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; |; qd

Process Environment Block

PEB Information of Process

For Instance PEB, Image Base Address, Ldr etc.
How To
Dump PEB	1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64 ... ntdll!LdrpDoDebuggerBreak+0x30: ... 2) CDB@ .reload Reloading current modules ... 3) CDB@ !peb PEB at 0000005749cd6000 ... ImageBaseAddress: 00007ff741d00000 ... Ldr 00007ffb491953e0 ... 4) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger -o : Switch, Specifies Target Application C:\Windows\System32\notepad.exe : Parameter, Notepad Application .reload : Meta Command, To Reload Module Symbol !peb : Extension Command, To Display PEB 0000005749cd6000 : Output, PEB Address 00007ff741d00000 : Output, Image Base Address 00007ffb491953e0 : Output, Loader Address qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; !peb; qd

Thread Status

Status Information of Thread

For Instance Id, TEB etc.
How To
Dump Thread Status	1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64 ... ntdll!LdrpDoDebuggerBreak+0x30: ... 2) CDB@ .reload Reloading current modules ... 3) DBG@ ~ . 0 Id: 2ab0.1ffc Suspend: 1 Teb: 00000061`cd49a000 Unfrozen ... 4) DBG@ qd
cdb.exe : Program, CUI Symbolic Debugger -o : Switch, Specifies Target Application C:\Windows\System32\notepad.exe : Parameter, Notepad Application .reload : Meta Command, To Reload Module Symbol ~ : Standard Command, To Display Thread Status 2ab0 : Output, Process Identifier 1ffc : Output, Thread Identifier 00000061`cd49a000 : Output, TEB Address qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; ~; qd

Thread Environment Block

TEB Information of Thread

For Instance TEB, Stack Base, Stack Limit, PEB Address etc.
How To
Dump TEB	1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64 ... ntdll!LdrpDoDebuggerBreak+0x30: ... 2) CDB@ .reload Reloading current modules ... 3) CDB@ !teb TEB at 000000a8b3ad3000 ... StackBase: 000000a8b3890000 StackLimit: 000000a8b387f000 ... PEB Address: 000000a8b3ad2000 ... 4) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger -o : Switch, Specifies Target Application C:\Windows\System32\notepad.exe : Parameter, Notepad Application .reload : Meta Command, To Reload Module Symbol !teb : Extension Command, To Display TEB 000000a8b3ad3000 : Output, TEB Address 000000a8b3890000 : Output, Stack Base Address 000000a8b387f000 : Output, Stack Limit Address 000000a8b3ad2000 : Output, PEB Address qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; !teb; qd

Top Next Module

↑↓

AMD

Advanced Micro Devices

CDB

Console Debugger

CUI

Character User Interface

DBG

Debugger

EXE

Executable

ID

Identifier

LDR

Loader

NT

New Technology

PEB

Process Environment Block

QD

Quit Detach

TEB

Thread Environment Block

WIN

Windows

Home

About

Contact

Page Last Updated on 4th Nov 2024

© 2024