Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


WinDBG Windows

WinDBG provides a number of windows, listed beneath the View toolbar option, each presenting a different kind of information to the reader. Of these windows, we will be utilizing Registers, Disassembly, and Command. The information contained within these three windows is fairly self-describing.

The Registers window contains a list of all processor registers and their associated values. Note that when a register's value changes during execution, the value is displayed in red as a notification to the reader. For the purpose of this document, we will briefly elaborate on only the following registers: eip, ebp, esp, eax, ebx, ecx, edx, esi, and edi.

  1. eip: Contains the address of the next instruction to be executed
  2. ebp: Contains the address of the current stack frame
  3. esp: Contains the address of the top of the stack

The remaining listed registers are for general use. How each of these registers is utilized depends on the specific instruction. For specific register usage on a per-instruction basis, the reader is encouraged to reference the IA-32 Command References [7].

The Disassembly window contains the assembly instructions residing at a given address, defaulting to the address stored within the eip register.

The Command window contains the results of requests made of the debugger. Note that at the bottom of the Command window is a text box; this is where the user issues commands to the debugger. Additionally, to the left of this box is another box. When this box is blank, the debugger is either detached from a process, processing a request, or the debuggee is running. When debugging a single local process in user-mode, this box will contain a prompt that resembles "0:001>". For more information on interpreting this prompt, the reader is encouraged to read the related documentation in the reference section [9].

There exist three classes of commands that we can issue in the Command window: regular, meta, and extension. Regular commands are those designed to allow the reader to interface with the debuggee. Meta commands are those prefaced with a period (.) and are designed to configure or query the debugger itself. Extension commands are those prefaced with an exclamation point (!) and are designed to invoke WinDBG plug-ins.
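As an added illustration (not part of the original article), the following Command-window session shows one command of each class against a paused user-mode process; the symbol path, the cache directory and the breakpoint target are assumptions chosen for the example.

```text
0:001> .sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
; meta command (.) -- configures the debugger's own symbol path
0:001> .reload
; meta command (.) -- asks the debugger to reload symbols for loaded modules
0:001> r
; regular command -- dumps every processor register (mirrors the Registers window)
0:001> r eip
; regular command -- shows only the next instruction address
0:001> u eip
; regular command -- unassembles from eip (mirrors the Disassembly window)
0:001> dd esp
; regular command -- dumps dwords at the top of the stack
0:001> bp kernel32!CreateFileW
; regular command -- sets a breakpoint; bl lists it, bc clears it
0:001> g
; regular command -- resumes the debuggee; the prompt box goes blank while it runs
0:001> !peb
; extension command (!) -- a plug-in walks the Process Environment Block
0:001> .chain
; meta command (.) -- lists which extension DLLs supply the ! commands above
```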