KDB, the Kernel DeBugger of ReactOS, is built into ntoskrnl. For each exception handled by the kernel, KDB gets a chance to handle it twice: once before the kernel tries to find and execute an exception handler, and once afterwards if no handler was found or the handler did not handle the exception. When KDB is called before the exception handler this is called first chance; when it is called after the exception handler it is called last chance.

For each type of exception known by KDB you can set the condition when KDB should be entered individually for first and last chance. The possible settings for the conditions are never, umode, kmode and always. never means that KDB will never be entered when the exception is raised, umode means that it will be entered when the exception was raised in usermode, kmode means to enter KDB when the exception was raised in kmode, and always means to always enter KDB.

Enabling KDBG before build

KDBG is automatically enabled or disabled by the configuration options script (cmake/config.cmake).

KDBG is by default configured to be enabled for the bootloader entries "ReactOS (Debug)" and "ReactOS (RosDbg)" for all ISO images. See also Debugging#Breaking into the built-in kernel debugger.

KDBinit

As soon as possible KDB loads and interprets the KDBinit file (\SystemRoot\system32\drivers\etc\KDBinit).

The KDBinit file can contain all commands available in the command line interface of KDB plus the break command. When a break is read from the KDBinit file KDB is entered – you can use this to automatically enter KDB when booting.

Here's the default KDBinit file (the break is commented out):

# Example KDBinit file
#

# Set the disassembly flavor to "intel" (default is "at&t")
set syntax intel

# Change the condition to enter KDB on INT3 to "always" (default is "kmode")
#set condition INT3 first always

# This is a special command available only in the KDBinit file - it breaks into
# KDB when it is interpreting the init file at startup.
#break

Command Reference

?

Syntax: ? expression

Evaluate expression. The result is displayed in hexadecimal and unsigned decimal format. If it is < 0 it is also displayed in signed decimal format.

kdb:> ? eip
0xc00a1535  3221886261  -1073081035

The following operators are supported: +, -, *, /, %, ==, !=, >, <, >=, <=
Parentheses are supported.
Brackets can be used to dereference memory. The memory size (byte, word, dword or qword) can be specified as a prefix before the opening bracket. The default is the size of a pointer (dword for IA32).

kdb:> ? 1+2*3
0x00000007           7
kdb:> ? (1+2)*3
0x00000009           9
kdb:> ? [eip]
0xffbe16e8  4290647784    -4319512
kdb:> ? word[eip]
0x000016e8        5864
kdb:> ? byte[eip]
0x000000e8         232         -24
kdb:> ? byte[eip+1]
0x00000016          22
kdb:> ? [0]
       ^ Couldn't access memory at 0x0
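As an added example, not ReactOS code, the following Python evaluator implements the grammar described above: the listed operators, parentheses, and size-prefixed bracket dereferences, formatting results the way '?' does. The register values and the four bytes of memory are constructed to match the sample session; treating plain digits as decimal and wrapping arithmetic at 32 bits are assumptions, since the page only shows that 1+2*3 evaluates to 7.

```python
# Added example, not ReactOS code: a Python model of the expression grammar
# accepted by KDB's '?' command, run against constructed register and memory
# contents so that it works offline.
import operator
import re

# Constructed sample state. The four bytes at eip are chosen so that '? [eip]',
# '? word[eip]' and '? byte[eip]' reproduce the sample output above.
REGS = {"eip": 0xC00A1535, "ebp": 0xC0103C70}
MEMORY = {0xC00A1535: bytes.fromhex("e816beff")}  # little-endian 0xffbe16e8

MASK = 0xFFFFFFFF  # assumption: arithmetic wraps at pointer size (dword on IA32)
SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*|==|!=|>=|<=|[-+*/%()<>\[\]]")
BINARY = {"*": operator.mul, "/": operator.floordiv, "%": operator.mod,
          "+": operator.add, "-": operator.sub, "==": operator.eq, "!=": operator.ne,
          ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}
# Lowest precedence first; each level binds tighter than the one before it.
PRECEDENCE = [("==", "!=", ">", "<", ">=", "<="), ("+", "-"), ("*", "/", "%")]


def read_memory(addr, size):
    """Little-endian read of size bytes; fails like KDB on an unmapped address."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + size <= base + len(blob):
            return int.from_bytes(blob[addr - base:addr - base + size], "little")
    raise ValueError("Couldn't access memory at 0x%x" % addr)


class Parser:
    def __init__(self, text):
        self.tokens = TOKEN.findall(text)
        if "".join(self.tokens) != re.sub(r"\s+", "", text):
            raise ValueError("Unrecognised character in expression")
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1] if self.pos <= len(self.tokens) else None

    def expect(self, wanted):
        if self.take() != wanted:
            raise ValueError("Expected %r" % wanted)

    def parse_level(self, level):
        """Precedence climbing over PRECEDENCE; past the last level is a primary."""
        if level == len(PRECEDENCE):
            return self.parse_primary()
        value = self.parse_level(level + 1)
        while self.peek() in PRECEDENCE[level]:
            op, rhs = self.take(), self.parse_level(level + 1)
            if op in ("/", "%") and rhs == 0:
                raise ValueError("Division by zero")
            value = int(BINARY[op](value, rhs)) & MASK
        return value

    def parse_primary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("Unexpected end of expression")
        if tok == "(":
            value = self.parse_level(0)
            self.expect(")")
            return value
        if tok == "-":
            return (-self.parse_primary()) & MASK
        size = 4  # default operand size: a pointer, i.e. a dword on IA32
        if tok in SIZES and self.peek() == "[":
            size, tok = SIZES[tok], self.take()
        if tok == "[":
            addr = self.parse_level(0)
            self.expect("]")
            return read_memory(addr, size)
        if tok.startswith("0x"):
            return int(tok, 16) & MASK
        if tok.isdigit():
            return int(tok) & MASK  # assumption: plain digits are decimal, as in the sample
        if tok.lower() in REGS:
            return REGS[tok.lower()]
        raise ValueError("Unknown identifier %r" % tok)


def evaluate(text):
    """Parse and evaluate one '?' expression, returning the masked value."""
    parser = Parser(text)
    value = parser.parse_level(0)
    if parser.peek() is not None:
        raise ValueError("Trailing input after expression")
    return value


def format_result(value):
    """Hex and unsigned decimal; the signed value is added when the top bit is set."""
    out = "0x%08x  %d" % (value, value)
    if value & 0x80000000:
        out += "  %d" % (value - (1 << 32))
    return out
```

Calling format_result(evaluate("[eip]")) yields the same three columns as the sample session, and evaluate("[0]") raises with the "Couldn't access memory at 0x0" message, which is where a real debugger has to refuse rather than fault on a bad dereference.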

bc

Syntax: bc [breakpoint]

Clear breakpoint.

bd

Syntax: bd [breakpoint]

Disable breakpoint.

be

Syntax: be [breakpoint]

Enable breakpoint.

bl

Syntax: bl

List breakpoints.

bpm

Syntax: bpm [r|w|rw|x] [byte|word|dword] [address]

Set memory breakpoint at address.

bpx

Syntax: bpx [address]

Set software execution breakpoint at address.

Note: Don't forget to type 'set condition INT3 first always' when you set a breakpoint in usermode or KDB will not be entered on the breakpoint.

bt

Syntax: bt [*frameaddr]

Print current backtrace or from given frame address.

kdb:> bt
Frames:
<ntoskrnl.exe:d9dc>
<c00a248f>
<ntoskrnl.exe:1140>

bugcheck

Syntax: bugcheck

Crash the system.

cont

Syntax: cont

Continue execution (leave debugger).

cregs

Syntax: cregs

Display control registers.

kdb:> cregs
CR0  0x8001003b  PE MP TS ET NE WP PG
CR2  0xccc91000
CR3  0x002f9000  Pagedir-Base 0x002f9000
CR4  0x00000680  PGE OSFXSR OSXMMEXCPT
GDTR  Base 0xc00bb100  Size 0x0058
LDTR  Base 0x00000000  Size 0x0000
IDTR  Base 0xc0122ac0  Size 0x0800

disasm

Syntax: disasm [address] [L count]

Disassemble count instructions at address.

kdb:> disasm
<c00a1535>: call   <0xC009D350>
<c00a153a>: call   <0xC009D110>
<c00a153f>: call   <ntoskrnl.exe:2e990>
<c00a1544>: call   <0xC009DDD0>
<c00a1549>: mov    0xc0104d40,%eax
<c00a154e>: cmpb   $0x0,(%eax)
<c00a1551>: je     <0xC00A1597>
<c00a1553>: lea    0x0(%esi),%esi
<c00a1559>: lea    0x0(%edi,1),%edi
<c00a1560>: sub    $0x8,%esp

Intel syntax is also supported:

kdb:> set syntax intel
kdb:> disasm
<c00a1535>: call   <0xC009D350>
<c00a153a>: call   <0xC009D110>
<c00a153f>: call   <ntoskrnl.exe:2e990>
<c00a1544>: call   <0xC009DDD0>
<c00a1549>: mov    eax,ds:0xc0104d40
<c00a154e>: cmp    BYTE PTR [eax],0x0
<c00a1551>: je     <0xC00A1597>
<c00a1553>: lea    esi,[esi]
<c00a1559>: lea    edi,[edi*1]
<c00a1560>: sub    esp,0x8

dmesg

Syntax: dmesg

Display debug messages on the screen (with pagination).

dregs

Syntax: dregs

Display debug registers.

kdb:> dregs
DR0  0x00000000
DR1  0x00000000
DR2  0x00000000
DR3  0x00000000
DR6  0xffff0ff0
DR7  0x00000400

dt

Syntax: dt [mod] [type] [addr]

Print a struct.

filter

Syntax: filter [error|warning|trace|info|level]+|-[componentname|default]

Enable/disable debug channels.

Example:

kdb:> filter trace+i8042prt

Example:

kdb:> filter +serial

gdt

Syntax: gdt

Display global descriptor table.

kdb:> gdt
GDT Base: 0x800d2100  Limit: 0x0058
 Idx  Sel.    Type         Base        Limit       DPL  Attribs
 001  0x0008  CODE32       0x00000000  0x0fffffff  00   R/X
 002  0x0010  DATA32       0x00000000  0x0fffffff  00   R/W
 003  0x001b  CODE32       0x00000000  0x0fffffff  03   R/X
 004  0x0023  DATA32       0x00000000  0x0fffffff  03   R/W
 005  0x0028  TSS32(Busy)  0x8012d9f0  0x00002069  00
 006  0x0030  DATA16       0xff000000  0x00001000  00   R/W
 007  0x003b  DATA16       0x00000000  0x00001000  03   R/W
 008  0x0040  UNKNOWN      [NP]        [NP]        00   NP
 009  0x0048  LDT          0x00000000  0x00000001  00
 010  0x0050  TSS32(Avl)   0x80115960  0x00000069  00

help

Syntax: help

Display help screen.

kdb:> help
Kernel debugger commands:
* Data:
 ? expression         - Evaluate expression.
 disasm [address] [L count] - Disassemble count instructions at address.
 x [address] [L count] - Display count dwords, starting at addr.
 regs                 - Display general purpose registers.
 cregs                - Display control registers.
 sregs                - Display status registers.
 dregs                - Display debug registers.
 bt [*frameaddr|thread id] - Prints current backtrace or from given frame addr

* Flow control:
 cont                 - Continue execution (leave debugger)
 step [count]         - Execute single instructions, stepping into interrupts.
 next [count]         - Execute single instructions, skipping calls and reps.
 bl                   - List breakpoints.
 be [breakpoint]      - Enable breakpoint.
 bd [breakpoint]      - Disable breakpoint.
 bc [breakpoint]      - Clear breakpoint.
 bpx [address] [IF condition] - Set software execution breakpoint at address.
 bpm [r|w|rw|x] [byte|word|dword] [address] [IF condition] - Set memory breakpoint at address.

* Process/Thread:
 thread [list[ pid]|[attach ]tid] - List threads in current or specified process, display thread with given id or attach to thread.
 proc [list|[attach ]pid] - List processes, display process with given id or attach to process.

* System info:
 mod [address]        - List all modules or the one containing address.
 gdt                  - Display global descriptor table.
 ldt                  - Display local descriptor table.
 idt                  - Display interrupt descriptor table.
 pcr                  - Display processor control region.
 tss                  - Display task state segment.

* Others:
 bugcheck             - Bugchecks the system.
 set [var] [value]    - Sets var to value or displays value of var.
 help                 - Display help screen.

idt

Syntax: idt

Display interrupt descriptor table.

kdb:> idt
IDT Base: 0x8012d1d0  Limit: 0x0800
 Idx  Type        Seg. Sel.  Offset      DPL
 000  TRAPGATE32  0x0008     0x800039bf  00
 001  TRAPGATE32  0x0008     0x800039ce  00
 002  TRAPGATE32  0x0008     0x800039dd  00
 003  TRAPGATE32  0x0008     0x800039ec  03
 004  TRAPGATE32  0x0008     0x800039fb  00
 005  TRAPGATE32  0x0008     0x80003a0a  00
 006  TRAPGATE32  0x0008     0x80003a19  00
 007  TRAPGATE32  0x0008     0x80003a28  00
 008  TASKGATE    0x0050                 00
 009  TRAPGATE32  0x0008     0x80003a3d  00
 010  TRAPGATE32  0x0008     0x80003a4c  00
 011  TRAPGATE32  0x0008     0x80003a59  00
 012  TRAPGATE32  0x0008     0x80003a66  00
 013  TRAPGATE32  0x0008     0x80003a73  00
 014  INTGATE32   0x0008     0x80003a80  00
 015  TRAPGATE32  0x0008     0x80003a8d  00
 016  TRAPGATE32  0x0008     0x80003a9c  00
 017  TRAPGATE32  0x0008     0x80003aab  00
 018  TRAPGATE32  0x0008     0x80003aba  00
 019  TRAPGATE32  0x0008     0x80003ac9  00
 020  TRAPGATE32  0x0008     0x80003ad8  00
 ...
 044  TRAPGATE32  0x0008     0x80003ad8  00
 045  TRAPGATE32  0x0008     0x8006ef9f  03
 046  TRAPGATE32  0x0008     0x80003b79  03
 047  TRAPGATE32  0x0008     0x80003ad8  00
 ...

kmsg

Syntax: kmsg

Alias for dmesg.

ldt

Syntax: ldt

Display local descriptor table.

kdb:> ldt
Local descriptor table is empty.

mod

Syntax: mod [address]

List all modules or the one containing address.

kdb:> mod
 Base      Size      Name
 c0000000  00096ca0  ntoskrnl.exe
 c039c000  00007de0  hal.dll

next

Syntax: next [count]

Execute single instructions, skipping calls and reps.

pcr

Syntax: pcr

Display processor control region.

kdb:> pcr
Current PCR is at 0xff000000.
 Tib.ExceptionList:         0xffffffff
 Tib.StackBase:             0x00000000
 Tib.StackLimit:            0x00000000
 Tib.SubSystemTib:          0x00000000
 Tib.FiberData/Version:     0x00000000
 Tib.ArbitraryUserPointer:  0x00000000
 Tib.Self:                  0xff000000
 Self:                      0xff000000
 PCRCB:                     0xff000120
 Irql:                      0x00
 IRR:                       0x00000000
 IrrActive:                 0x00000000
 IDR:                       0x00000000
 KdVersionBlock:            0x00000000
 IDT:                       0x8012d1d0
 GDT:                       0x800d2100
 TSS:                       0x8012d9f0
 MajorVersion:              0x0000
 MinorVersion:              0x0000
 SetMember:                 0x00000000
 StallScaleFactor:          0x00000000
 DebugActive:               0x00
 ProcessorNumber:           0x00
 L2CacheAssociativity:      0x00
 VdmAlert:                  0x00000000
 L2CacheSize:               0x00000000
 InterruptMode:             0x00000000

proc

Syntax: proc [list|[attach ]pid]

List processes, display process with given id or attach to process.

kdb:> proc
Current process:
 PID:             0x00000004
 State:           Unknown (0x0)
 Image Filename:  System
kdb:> proc list
 PID         State       Filename
*0x00000004  Unknown     System
 0x00000058  Active      smss.exe
 0x0000007c  Active      csrss.exe
 0x00000094  Active      winlogon.exe
 0x000000b0  Active      setup.exe

regs

Syntax: regs

Display general purpose registers.

kdb:> regs
CS:EIP  0x0008:0xc00b880a
SS:ESP  0xd754:0x00000000
  EAX  0x01c634d3   EBX  0x0000940e
  ECX  0x00000000   EDX  0x00000000
  ESI  0x002ff000   EDI  0x00000000
  EBP  0xc0103c70
EFLAGS  0x00200202  IF IOPL0 ID

set

Syntax: set [var] [value]

Sets var to value or displays value of var.

kdb:> set
Available settings:
 syntax [intel|at&t]
 condition [exception|*] [first|last] [never|always|kmode|umode]
kdb:> set syntax
syntax = at&t
kdb:> set condition
Conditions:                 (First)  (Last)
 #00  ZERODEVIDE           never    kmode
 #01  DEBUGTRAP            always   never
 #02  NMI                  never    always
 #03  INT3                 kmode    never
 #04  OVERFLOW             never    kmode
 #05  BOUND                never    kmode
 #06  INVALIDOP            never    kmode
 #07  NOMATHCOP            never    kmode
 #08  DOUBLEFAULT          always   always
 #09  RESERVED(9)          always   always
 #10  INVALIDTSS           never    kmode
 #11  SEGMENTNOTPRESENT    never    kmode
 #12  STACKFAULT           never    kmode
 #13  GPF                  never    kmode
 #14  PAGEFAULT            never    kmode
 #15  RESERVED(15)         always   always
 #16  MATHFAULT            never    kmode
 #17  ALIGNMENTCHECK       never    kmode
 #18  MACHINECHECK         never    kmode
 #19  SIMDFAULT            never    kmode
      OTHERS               never    kmode

Example: Enabling usermode software breakpoints.

kdb:> set condition int3 first always
kdb:> set condition int3
Condition for exception #03 (INT3): FirstChance always  LastChance never

Example: Catching all exceptions.

kdb:> set condition * first always
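The two-chance model explained at the top of the page and the 'set condition' command above fit in a few lines of Python. The following is an added example, not ReactOS code: it seeds a table from the default 'set condition' output shown on this page, implements the command's grammar, and simulates whether KDB stops at first chance, last chance, both or neither for a given exception. The describe method omits the exception number that the real output includes.

```python
# Added example, not ReactOS code: a model of KDB's per-exception first/last
# chance conditions, seeded from the default table printed by 'set condition'
# above, with the 'set condition' command and the two-chance dispatch.

# Copied from the 'set condition' output on this page (First, Last columns).
DEFAULT_CONDITIONS = """
  #00  ZERODEVIDE           never    kmode
  #01  DEBUGTRAP            always   never
  #02  NMI                  never    always
  #03  INT3                 kmode    never
  #04  OVERFLOW             never    kmode
  #05  BOUND                never    kmode
  #06  INVALIDOP            never    kmode
  #07  NOMATHCOP            never    kmode
  #08  DOUBLEFAULT          always   always
  #09  RESERVED(9)          always   always
  #10  INVALIDTSS           never    kmode
  #11  SEGMENTNOTPRESENT    never    kmode
  #12  STACKFAULT           never    kmode
  #13  GPF                  never    kmode
  #14  PAGEFAULT            never    kmode
  #15  RESERVED(15)         always   always
  #16  MATHFAULT            never    kmode
  #17  ALIGNMENTCHECK       never    kmode
  #18  MACHINECHECK         never    kmode
  #19  SIMDFAULT            never    kmode
       OTHERS               never    kmode
"""

CHANCES = ("first", "last")
MODES = ("never", "always", "kmode", "umode")


class ConditionTable:
    def __init__(self, table_text=DEFAULT_CONDITIONS):
        self.conditions = {}
        for line in table_text.splitlines():
            fields = line.split()
            if not fields:
                continue
            # Numbered rows look like '#03 INT3 kmode never'; OTHERS has no number.
            name = fields[1] if fields[0].startswith("#") else fields[0]
            self.conditions[name] = {"first": fields[-2], "last": fields[-1]}

    def set_condition(self, exception, chance, mode):
        """'set condition [exception|*] [first|last] [never|always|kmode|umode]'."""
        chance, mode = chance.lower(), mode.lower()
        if chance not in CHANCES or mode not in MODES:
            raise ValueError("bad chance or mode: %s %s" % (chance, mode))
        names = list(self.conditions) if exception == "*" else [exception.upper()]
        for name in names:
            if name not in self.conditions:
                raise ValueError("unknown exception %s" % name)
            self.conditions[name][chance] = mode

    def describe(self, exception):
        """Mirrors the 'FirstChance x  LastChance y' part of KDB's reply."""
        entry = self.conditions[exception.upper()]
        return "FirstChance %s  LastChance %s" % (entry["first"], entry["last"])

    def should_enter(self, exception, chance, raised_in_usermode):
        """Apply the never/always/kmode/umode rule for one chance."""
        entry = self.conditions.get(exception.upper(), self.conditions["OTHERS"])
        mode = entry[chance]
        if mode == "never":
            return False
        if mode == "always":
            return True
        if mode == "umode":
            return bool(raised_in_usermode)
        return not raised_in_usermode  # kmode


def debugger_stops(table, exception, raised_in_usermode, handler_handles):
    """Simulate the two chances described at the top of the page: KDB is asked
    before the kernel looks for a handler (first chance) and, only if no handler
    dealt with the exception, again afterwards (last chance)."""
    stops = []
    if table.should_enter(exception, "first", raised_in_usermode):
        stops.append("first")
    if not handler_handles and table.should_enter(exception, "last", raised_in_usermode):
        stops.append("last")
    return stops
```

With the defaults, a usermode INT3 never stops the debugger at either chance, which is exactly why the bpx note tells you to run 'set condition INT3 first always' before setting a usermode breakpoint; a kernel-mode page fault that no handler catches stops only at last chance.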

sregs

Syntax: sregs

Display segment/selector registers.

kdb:> sregs
CS  0x0008  Index 0x0001  GDT RPL0
DS  0x0010  Index 0x0002  GDT RPL0
ES  0x0010  Index 0x0002  GDT RPL0
FS  0x0030  Index 0x0006  GDT RPL0
GS  0x0010  Index 0x0002  GDT RPL0
SS  0xd754  Index 0x1aea  LDT RPL0
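The raw values in the cregs, regs and sregs dumps are bitfields, and the names KDB prints beside them can be recomputed. As an added example, not ReactOS code, the following Python decodes CR0, CR4 and EFLAGS into the flag names shown above, derives the page-directory base from CR3, and splits a selector into the index, table and RPL that sregs shows (and back again, which is how the Sel. column of the gdt listing relates to Idx and DPL). Bit positions are taken from the Intel architecture manual; the sample values are the ones on this page.

```python
# Added example, not ReactOS code: decode the register values printed by
# KDB's cregs, regs and sregs commands into the names shown beside them.

# Bit positions from the Intel architecture manual (IA-32 layout).
CR0_BITS = [(0, "PE"), (1, "MP"), (2, "EM"), (3, "TS"), (4, "ET"), (5, "NE"),
            (16, "WP"), (18, "AM"), (29, "NW"), (30, "CD"), (31, "PG")]
CR4_BITS = [(0, "VME"), (1, "PVI"), (2, "TSD"), (3, "DE"), (4, "PSE"), (5, "PAE"),
            (6, "MCE"), (7, "PGE"), (8, "PCE"), (9, "OSFXSR"), (10, "OSXMMEXCPT")]
EFLAGS_BITS = [(0, "CF"), (2, "PF"), (4, "AF"), (6, "ZF"), (7, "SF"), (8, "TF"),
               (9, "IF"), (10, "DF"), (11, "OF"), (14, "NT"), (16, "RF"),
               (17, "VM"), (18, "AC"), (19, "VIF"), (20, "VIP"), (21, "ID")]


def decode_bits(value, table):
    """Names of the set bits, in ascending bit order (as cregs prints them)."""
    return [name for bit, name in table if value & (1 << bit)]


def decode_eflags(value):
    """Flags plus the two-bit IOPL field (bits 12-13), in regs' order: 'IF IOPL0 ID'."""
    names = [n for b, n in EFLAGS_BITS if b < 12 and value & (1 << b)]
    names.append("IOPL%d" % ((value >> 12) & 3))
    names += [n for b, n in EFLAGS_BITS if b > 13 and value & (1 << b)]
    return " ".join(names)


def pagedir_base(cr3):
    """CR3 bits 12-31 hold the page-directory base; cregs shows it as Pagedir-Base."""
    return cr3 & 0xFFFFF000


def decode_selector(sel):
    """Split a selector: bits 0-1 are the RPL, bit 2 picks GDT/LDT, bits 3-15 the index."""
    return (sel >> 3, "LDT" if sel & 4 else "GDT", sel & 3)


def selector_for(index, rpl, ldt=False):
    """Inverse of decode_selector: e.g. GDT index 3 at RPL 3 is the 0x001b in the gdt listing."""
    return (index << 3) | (4 if ldt else 0) | (rpl & 3)


def format_sregs_line(name, sel):
    """Reproduce one line of the sregs output from a raw selector value."""
    index, table, rpl = decode_selector(sel)
    return "%-3s 0x%04x  Index 0x%04x  %s RPL%d" % (name, sel, index, table, rpl)


def format_cregs(cr0, cr3, cr4):
    """Reproduce the CR0, CR3 and CR4 lines of the cregs output."""
    return ["CR0  0x%08x  %s" % (cr0, " ".join(decode_bits(cr0, CR0_BITS))),
            "CR3  0x%08x  Pagedir-Base 0x%08x" % (cr3, pagedir_base(cr3)),
            "CR4  0x%08x  %s" % (cr4, " ".join(decode_bits(cr4, CR4_BITS)))]
```

Checking these fields by hand is mostly about sanity: WP and PG set in CR0, ring-3 code running on a selector whose RPL and the descriptor's DPL agree, and a usermode EIP whose CS is the 0x001b entry rather than 0x0008.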

step

Syntax: step [count]

Execute single instructions, stepping into interrupts (i.e. when EIP points to int 0x2e, KDB gets the address of the interrupt handler, sets an INT3 there and continues execution).

thread

Syntax: thread [list[ pid]|[attach ]tid]

List threads in current or specified process, display thread with given id or attach to thread.

kdb:> thread
Current Thread:
 TID:            0x00000000
 State:          Running (0x2)
 Priority:       8
 Affinity:       0x00000001
 Initial Stack:  0x8011f5a0
 Stack Limit:    0x8011c5a0
 Stack Base:     0x8011f5a0
 Kernel Stack:   0x8011f5a0
 Trap Frame:     0x00000000
 NPX State:      Invalid (0x1)
kdb:> thread list
 TID         State        Prior.  Affinity    EBP         EIP
*0x00000000  Running        8     0x00000001  0x00000000  0x00000000
 0x00000008  Blocked       16     0xffffffff  0x9cdcbd38  0x8001009e
 0x0000000c  Blocked       16     0xffffffff  0x9cdced38  0x8001009e
 0x00000010  Blocked       16     0xffffffff  0x9cdd1d38  0x8001009e
 0x00000014  Blocked       16     0xffffffff  0x9cdd4d38  0x8001009e
 0x00000018  Blocked       16     0xffffffff  0x9cdd7d38  0x8001009e
 0x0000001c  Ready          0     0xffffffff  0x00000000  0x00000000
 0x00000020  Ready          0     0xffffffff  0x00000000  0x00000000
 0x00000024  Ready          0     0xffffffff  0x00000000  0x00000000
 0x00000028  Ready          0     0xffffffff  0x00000000  0x00000000
 0x0000002c  Ready          0     0xffffffff  0x00000000  0x00000000
 0x00000030  Blocked       31     0xffffffff  0x9cde9d38  0x8001009e
 0x00000034  Blocked       31     0xffffffff  0x9cdecd38  0x8001009e
 0x00000038  Blocked       31     0xffffffff  0x9cdefd38  0x8001009e
 0x0000003c  Blocked       31     0xffffffff  0x9cdf2d38  0x8001009e
 0x00000040  Blocked       31     0xffffffff  0x9cdf5d38  0x8001009e
 0x00000044  Blocked        8     0xffffffff  0x9cdf8d28  0x8001009e
 0x00000048  Ready          0     0xffffffff  0x00000000  0x00000000
 0x0000004c  Blocked       17     0xffffffff  0x9cdfed08  0x8001009e
 0x00000050  Ready          1     0xffffffff  0x00000000  0x00000000
 0x00000054  Blocked       16     0xffffffff  0x9ce04d28  0x8001009e

tss

Syntax: tss

Display task state segment.

kdb:> tss
Current TSS is at 0x8012d9f0.
 PreviousTask:  0x00000000
 Ss0:Esp0:      0x0010:0x80137df0
 Ss1:Esp1:      0x0000:0x00000000
 Ss2:Esp2:      0x0000:0x00000000
 Cr3:           0x00000000
 Eip:           0x00000000
 Eflags:        0x00000000
 Eax:           0x00000000
 Ecx:           0x00000000
 Edx:           0x00000000
 Ebx:           0x00000000
 Esp:           0x00000000
 Ebp:           0x00000000
 Esi:           0x00000000
 Edi:           0x00000000
 Es:            0x0000
 Cs:            0x0000
 Ss:            0x0000
 Ds:            0x0000
 Fs:            0x0000
 Gs:            0x0000
 Ldt:           0x0048
 Trap:          0x0000
 IoMapBase:     0xffff

x

Syntax: x [address] [L count]

Display count dwords, starting at addr.

kdb:> x ebp
<c0103c70>: c0103c80 c000fbec 00000000 012ff000
<c0103c80>: c0103de0 c00b91e6 00000001 c011bc90
<c0103c90>: 00000014 c0103dc4 00000000 00000000
<c0103ca0>: 00000000 c03c6000 c0397000 c0125000