{"id":19504291,"url":"https://github.com/f1zm0/windbg-cheatsheet","last_synced_at":"2026-06-19T09:32:21.108Z","repository":{"id":134057043,"uuid":"347749055","full_name":"f1zm0/WinDBG-Cheatsheet","owner":"f1zm0","description":"WinDBG notes and commands cheatsheet","archived":false,"fork":false,"pushed_at":"2022-04-17T17:09:25.000Z","size":24,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-25T21:47:01.408Z","etag":null,"topics":["debugging","windbg","windows","windows-internals"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f1zm0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-14T20:40:59.000Z","updated_at":"2025-02-05T23:51:28.000Z","dependencies_parsed_at":"2024-06-15T07:02:34.391Z","dependency_job_id":null,"html_url":"https://github.com/f1zm0/WinDBG-Cheatsheet","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/f1zm0/WinDBG-Cheatsheet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2FWinDBG-Cheatsheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2FWinDBG-Cheatsheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2FWinDBG-Cheatsheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2FWinDBG-Cheatsheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f
1zm0","download_url":"https://codeload.github.com/f1zm0/WinDBG-Cheatsheet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2FWinDBG-Cheatsheet/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34526065,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-19T02:00:06.005Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugging","windbg","windows","windows-internals"],"created_at":"2024-11-10T22:25:14.387Z","updated_at":"2026-06-19T09:32:21.086Z","avatar_url":"https://github.com/f1zm0.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# WinDBG Cheatsheet\n\n\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [Setup](#setup)\n    * [Symbols](#symbols)\n* [Command Reference](#command-reference)\n    * [Registers](#registers)\n    * [Memory](#memory)\n    * [Strings](#strings)\n    * [Breakpoints](#breakpoints)\n    * [Tracing](#tracing)\n    * [Disassembly](#disassembly)\n    * [Modules](#modules)\n* [NTAPI Structures](#ntapi-structures)\n\n\u003c!-- vim-markdown-toc --\u003e\n\n## Setup\n\n### Symbols\n\nDownload symbols locally\n```\n.symfix+ c:\\symbols\n.reload\n```\n\n## Command Reference\n\n### Registers\n\n| Function              | Command           | Examples    |\n| --------------------- | ----------------- 
| ----------- |\n| show all registers    | `r`               | -           |\n| show register content | `r \u003creg\u003e,[\u003creg\u003e]` | `r rax,rsp` |\n| set register value    | `r @\u003creg\u003e=\u003cval\u003e`  | `r @rax=0`  |\n\n\n### Memory\n\n| Function                                    | Command                       | Type / Size                                                                | Examples          |\n| ------------------------------------------- | --------------------          | ---------------------                                                      | --------------    |\n| display memory at address                   | `d* \u003caddr\u003e [format]`          | bytes: `db`\u003cbr\u003ewords: `dw`\u003cbr\u003edwords: `dd`\u003cbr\u003eqwords: `dq`\u003cbr\u003epointer: `dp` | `db @rax L4`      |\n| edit memory at address                      | `e* \u003caddr\u003e \u003cval\u003e [\u003cval\u003e ...]` | bytes: `eb`\u003cbr\u003eword: `ew`\u003cbr\u003edword: `ed`\u003cbr\u003eqword: `eq`\u003cbr\u003epointer: `ep`   | `eb @ip a3 b6 c9` |\n| show protection attributes                  | `!vprot \u003caddr\u003e`               | memory page                                                                |                   |\n| dereference memory at address               | `d* poi(\u003caddr\u003e)`              |                                                                            | `dq poi(@rax)`    |\n\n### Strings\n\n| Function                                    | Command                       | Type / Size                 | Examples                 |\n| ------------------------------------------- | --------------------          | ---------------------       | --------                 |\n| display string at address                   | `d* \u003caddr\u003e`                   | ascii: `da`\u003cbr\u003eunicode: `du` | `da 7ffe040d0110`        |\n| edit string at address                      | `e* \u003caddr\u003e 
\u003cval\u003e [\u003cval\u003e ...]` | ascii: `ea`\u003cbr\u003eunicode: `eu` | `ea 7ffe040d0110 \"AAAA\"` |\n\n### Breakpoints\n\n| Function                                                           | Command | Examples                    |\n| ------------------------------------------------------------------ | ------- | -------------------------- |\n| set a breakpoint                                                   | `bp`    | `bp kernel32!VirtualAlloc` |\n| set unresolved breakpoint (becomes `bp` when the module is loaded) | `bu`    | `bu test!TestFunc`         |\n| set breakpoint on module function[s] using pattern                 | `bm`    | `bm wow64!*`               |\n| clear all breakpoints                                              | `bc`    | `bc *`                     |\n\n\n### Tracing\n\n| Function                                    | Command    |\n| ------------------------------------------- | ---------- |\n| go (or resume execution)                    | `g` (F5)   |\n| single step                                 | `p` (F10)  |\n| step to address                             | `pa \u003caddr\u003e` |\n| toggle display of registers after each step | `pr`       |\n\n\n### Disassembly\n\n| Function                           | Command         | Examples                        |\n| --------------------------------   | --------------  | ------------------------------ |\n| unassemble                         | `u \u003cname/addr\u003e` | `u kernel32!VirtualAlloc+0x4f` |\n| unassemble from address at pointer | `u poi(\u003caddr\u003e)` | `u poi(777a9228)`              |\n| unassemble function with offsets   | `uf /o [addr]`  | `uf /o amsi!AmsiOpenSession`   |\n\n\n### Modules\n\n| Function                                          | Command              | Examples              |\n| ---------------------------------                 | -----------------    | -------------        |\n| list loaded (or deferred) modules                 | `lm`                 | - 
                   |\n| check if a module is loaded                       | `lm m \u003cmodule\u003e`      | `lm m amsi`          |\n| break when a module is loaded                     | `sxe ld \u003cmodule\u003e`    | `sxe ld amsi`        |\n| show functions exported by the module (reads EAT) | `x \u003cmodule\u003e!\u003cregex\u003e` | `x ntdll!*Allocate*` |\n\n\n## NTAPI Structures\n\n| Command                                               | Function                                                            | Examples                                                       |\n| -----------------                                     | ---------------------------------                                   | -------------                                                 |\n| `r $teb`                                              | display TEB base address                                            | -                                                             |\n| `r $peb`                                              | display PEB base address                                            | -                                                             |\n| `dt ntdll!_PEB @$peb`                                 | display type `ntdll!_PEB` starting from address stored in `$peb`    | -                                                             |\n| `dt ntdll!_PEB @$peb \u003cstruct\u003e-\u003e\u003cpointed struct\u003e-\u003e...` | display sub structures starting from PEB                            | `dt ntdll!_PEB @$peb Ldr-\u003eInMemoryOrderModuleList`            |\n| `!list -x  \"dt \u003ctype\u003e \u003cattribute[s]\u003e\" \u003cbase_addr\u003e`    | use link extension to traverse linked list starting at base address | `!list -x \"dt _LDR_DATA_TABLE_ENTRY BaseDllName\" 0x0001ed...` 
|\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff1zm0%2Fwindbg-cheatsheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff1zm0%2Fwindbg-cheatsheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff1zm0%2Fwindbg-cheatsheet/lists"}