WinDbg: Pseudo Registers
Yet another powerful tool provided by WinDbg is the set of pseudo-registers. These registers, as the name suggests, hold temporary values. Pseudo-registers come in two kinds:
- Automatic: WinDbg sets the values of the automatic pseudo-registers to certain useful values on its own.
- User defined: integer variables that the user reads and writes.
Note: When using the MASM expression evaluator we need to add an at (@) sign in front of the dollar ($) sign. This tells the debugger that the following token is a register or pseudo-register and not a symbol. Omitting the at (@) sign makes the debugger search the symbol table first, which makes it slower to respond.
Note 2: If a symbol exists with the same name as the pseudo-register, then the at (@) sign MUST be added. If the C++ expression evaluator is being used, the at (@) sign must ALWAYS be used. There are a few exceptions to this rule, and those will be covered in the post on the registers (r) command.
Here is a list of the automatic pseudo-registers supported (taken from the WinDbg Help).
| Pseudo-register | Description |
|---|---|
| $ea | The effective address of the last instruction that was executed. If this instruction does not have an effective address, the debugger displays "Bad register error". If this instruction has two effective addresses, the debugger displays the first address. |
| $ea2 | The second effective address of the last instruction that was executed. If this instruction does not have two effective addresses, the debugger displays "Bad register error". |
| $exp | The last expression that was evaluated. |
| $ra | The return address that is currently on the stack. This address is especially useful in execution commands. For example, g @$ra continues until the return address is found (although gu (Go Up) is a more precise and effective way of "stepping out" of the current function). |
| $ip | The instruction pointer register. x86-based processors: the same as eip. Itanium-based processors: related to iip (for more information, see the note following this table in the WinDbg Help). x64-based processors: the same as rip. |
| $eventip | The instruction pointer at the time of the current event. This pointer typically matches $ip, unless you switched threads or manually changed the value of the instruction pointer. |
| $previp | The instruction pointer at the time of the previous event. (Breaking into the debugger counts as an event.) |
| $relip | An instruction pointer that is related to the current event. When you are branch tracing, this pointer is the pointer to the branch source. |
| $scopeip | The instruction pointer for the current local context (also known as the scope). |
| $exentry | The address of the entry point of the first executable of the current process. |
| $retreg | The primary return value register. x86-based processors: the same as eax. Itanium-based processors: the same as ret0. x64-based processors: the same as rax. |
| $retreg64 | The primary return value register, in 64-bit format. x86 processor: the same as the edx:eax pair. |
| $csp | The current call stack pointer. This pointer is the register that is most representative of call stack depth. x86-based processors: the same as esp. Itanium-based processors: the same as bsp. x64-based processors: the same as rsp. |
| $p | The value that the last d* (Display Memory) command printed. |
| $proc | The address of the current process (that is, the address of the EPROCESS block). |
| $thread | The address of the current thread. In kernel-mode debugging, this address is the address of the ETHREAD block. In user-mode debugging, this address is the address of the thread environment block (TEB). |
| $peb | The address of the process environment block (PEB) of the current process. |
| $teb | The address of the thread environment block (TEB) of the current thread. |
| $tpid | The process ID (PID) for the process that owns the current thread. |
| $tid | The thread ID for the current thread. |
| $bpNumber | The address of the corresponding breakpoint. For example, $bp3 (or $bp03) refers to the breakpoint whose breakpoint ID is 3. Number is always a decimal number. If no breakpoint has an ID of Number, $bpNumber evaluates to zero. For more information about breakpoints, see Using Breakpoints. |
| $frame | The current frame index. This index is the same frame number that the .frame (Set Local Context) command uses. |
| $dbgtime | The current time, according to the computer that the debugger is running on. |
| $callret | The return value of the last function that .call (Call Function) called or that is used in an .fnret /s command. The data type of $callret is the data type of this return value. |
| $lastclrex | Managed debugging only: the address of the last-encountered common language runtime (CLR) exception object. |
| $ptrsize | The size of a pointer. In kernel mode, this size is the pointer size on the target computer. |
| $pagesize | The number of bytes in one page of memory. In kernel mode, this size is the page size on the target computer. |
Note: Not all of these are available all the time. For example, $teb and $peb are user-mode concepts and are not available in kernel mode unless the process context is set properly. They are also not available with minidumps.
There are 20 user-defined pseudo-registers, named $t0, $t1, ..., $t19. To write to a pseudo-register we must use the register (r) command, described here.
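The following WinDbg command sequence is an added example, not part of the original post, showing the automatic and user-defined pseudo-registers from the table in use. It assumes a live user-mode session with symbols for ntdll and kernel32 loaded and at least two threads in the target (thread 1 is assumed to exist); kernel32!CreateFileW is used only as a convenient, frequently called function to count.

```windbg
$$ Added example (not from the original post). User-mode session assumed,
$$ with ntdll and kernel32 symbols. The @ prefix tells the MASM evaluator the
$$ token is a (pseudo-)register, so no symbol table lookup is performed.

$$ Automatic pseudo-registers describe the current context.
.printf "pid %x  tid %x  pointer size %d bytes\n", @$tpid, @$tid, @$ptrsize
dt ntdll!_PEB @$peb
dt ntdll!_TEB @$teb

$$ A user-defined pseudo-register keeps a value across a thread switch:
$$ @$teb follows the current thread, @$t0 does not.
r @$t0 = @$teb
~1s
.if (@$teb == @$t0) { .echo "same thread" } .else { .echo "switched to a different thread" }
~0s

$$ Use @$t1 as a hit counter: resume (gc) on the first two CreateFileW calls,
$$ stop on the third, step out with gu, and read the return value via @$retreg.
$$ Quotes inside the breakpoint command string are escaped with a backslash.
r @$t1 = 0
bp kernel32!CreateFileW "r @$t1 = @$t1 + 1; .if (@$t1 < 3) { gc } .else { gu; .printf \"3rd CreateFileW returned %p\\n\", @$retreg }"
g

$$ Manual equivalent of gu from inside a function: run to the return address
$$ that @$ra resolves to at that moment.
g @$ra

$$ $bpNumber evaluates to zero when no breakpoint has that ID, so a script can
$$ test for it before relying on the address.
.if (@$bp0 != 0) { .printf "breakpoint 0 is set at %p\n", @$bp0 } .else { .echo "no breakpoint 0" }
```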