WinDbg : .expr, ?, ??
WinDbg understands two different types of expression: MASM and C++. Expressions are evaluated with whichever evaluator is currently selected, so it helps to know which one is active before typing one in. To find out the current mode the debugger is running in, use the .expr command.
kd> .expr
Current expression evaluator: MASM - Microsoft Assembler expressions
To switch the debugger to the C++ evaluator instead, use the /s switch.
kd> .expr /s c++
Current expression evaluator: C++ - C++ source expressions
kd> .expr /s masm
Current expression evaluator: MASM - Microsoft Assembler expressions
To evaluate an expression, use the ? command.
kd> ? 5 + 5
Evaluate expression: 10 = 0000000a
kd> ? 10 + 5
Evaluate expression: 21 = 00000015
The debugger is in hex mode by default, so the 10 in the expression above is treated as 10h (16 decimal) and not as 10 decimal, which is why 10 + 5 evaluates to 21.
To quickly check the value of a literal in both hex and decimal format, evaluate it with ? on its own:
kd> ? 0x3628
Evaluate expression: 13864 = 00003628
The .formats command can also be used instead.
?? is the C++-style expression evaluator for WinDbg. It lets us pass C++-style syntax for evaluation and output even when the current expression evaluator is set to MASM.
The example below shows how to quickly find the size of a structure from inside WinDbg.
kd> ?? sizeof(nt!_KPRCB)
unsigned int 0x3628
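The radix pitfall above is easy to avoid by making the base of each literal explicit. The session below is an added example, not part of the original post; it uses the MASM 0n (decimal) and 0x (hex) prefixes, the n command that shows or changes the default radix, and ?? for a decimal-by-default C++ evaluation, with the responses shown being the ones I expect WinDbg to print.

```windbg
kd> $$ Show the current default radix (16 unless changed)
kd> n
base is 16
kd> $$ Plain 10 is read as hex under MASM, so the sum is 15h
kd> ? 10 + 5
Evaluate expression: 21 = 00000015
kd> $$ The 0n prefix forces decimal regardless of the default radix
kd> ? 0n10 + 5
Evaluate expression: 15 = 0000000f
kd> $$ The C++ evaluator reads unprefixed literals as decimal
kd> ?? 10 + 5
int 0n15
kd> $$ Switching the default radix to 10 changes how bare literals are parsed
kd> n 10
base is 10
kd> ? 10 + 5
Evaluate expression: 15 = 0000000f
kd> $$ The 0x prefix still forces hex, whatever the default radix
kd> ? 0x10 + 5
Evaluate expression: 21 = 00000015
kd> $$ Restore the default radix before carrying on
kd> n 16
base is 16
```

Because ? follows whichever evaluator .expr has selected, the same ? 10 + 5 yields 15 after .expr /s c++; prefixing literals makes an expression mean the same thing in either mode.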