Switch to 32-bit mode
.load wow64exts
.effmach x86
Check file version
lmvm ntdll
!chksym ntdll
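Unmanaged heap memory analysis
!heap -s // list of memory blocks
!heap -a // all memory blocks
!heap -stat -h [addr] // percentage breakdown by size within the memory block
!heap -flt s [size] // list all records with the given size
!heap -p -a [addr] // show the memory unit at the specific address
!address -summary // summary table of memory by category
Handy .foreach printing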
.foreach(myVal {!DumpHeap -d -mt [mt addr] -short}){!dumpobj /d myVal}
Example:
.foreach(control {!dumpheap -short -type System.Windows.Control+ControlNativeWindows}) {!DumpObj /d control}
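~*e!clrstack // print the CLR stack of all threads
.foreach (obj {!dumpheap -type System.Byte[] -short}) {.echo obj;!gcroot obj} // print the gcroot of every such object
Print object information
kn // print the call stack, with frame numbers
.frame 05 // point the current execution pointer at frame 05 of the stack
dv // view the current this pointer and local variables
dt pThis // (or this) print detailed information about this object
dt g_gfxApp // can print certain global variables
.NET deadlock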
!locks
!cs [address]
!deadlock
List all objects of "SendOrPostCallback"
Select one and see the detail
○ !DumpObj /d xxxxxxx
○ Get _target
○ Get _methodPtr
Show target
○ !dumpObj /d [_target]
Get method address
○ dd [_methodPtr]
○ xxxxxxxx yyyyyyyy zzzzzzzz dddddddd ...
List all method addresses of target
○ !dumpmt -md [MD Addr]
○ Find [dddddddd] from list
About UMDH
Enable/disable the gflags setting (requires a reboot)
gflags -i displayclient.exe +ust (gflags -i displayclient.exe -ust)
Disable LFH
gflags +htg
Disable the BSTR cache
Environment variable: OANOCACHE=1
UMDH
Umdh.exe -p:[pid] -f:C:\o1.log
Umdh.exe -d -v o1.log o2.log > cmp.txt
Steps:
1. Copy the UMDH folder to the local directory C:\
2. Add or remove the target process name in C:UMDPProcessList.txt, such as DisplayClient.exe
3. Run gFlagsSetting.cmd to set gFlags
a. cd "C:\Program Files (x86)\Debugging Tools for Windows"
b. c:
c. for /F %%e in (c:umdpProcessList.txt) do gflags -i %%e +ust
d. pause
4. Add the WinDBG path to the PATH environment variable.
5. Set the symbol path in the environment variables of the target computer, such as _NT_SYMBOL_PATH=C:\MySymbols, OANOCACHE=1
6. Reboot computer
7. Run the UMDH command to capture a log once, let the process run for a while, then run the command again to capture another log.
8. Run the UMDH compare command to compare the existing log files:
Umdh.exe -d -v o1.log o2.log > cmp.txt