1.7. WineDbg Command Reference

1.7.1. Misc

Table 1-1. WineDbg misc. commands

abortaborts the debugger
quitexits the debugger
attach N attach to a W-process (N is its ID, numeric or hexadecimal (0xN)). IDs can be obtained using the info process command. Note the info process command returns hexadecimal values.
detachdetach from a W-process.
helpprints some help on the commands
help infoprints some help on info commands

1.7.2. Flow control

Table 1-2. WineDbg flow control commands

cont, c continue execution until next breakpoint or exception.
passpass the exception event up to the filter chain.
step, s continue execution until next "C" line of code (enters function call)
next, n continue execution until next "C" line of code (doesn't enter function call)
stepi, si execute next assembly instruction (enters function call)
nexti, ni execute next assembly instruction (doesn't enter function call)
finish, f execute until current function is exited

cont, step, next, stepi, nexti can be postfixed by a number (N), meaning that the command must be executed N times.

1.7.3. Breakpoints, watch points

Table 1-3. WineDbg break & watch points

enable Nenables (break|watch)point N
disable Ndisables (break|watch)point N
delete Ndeletes (break|watch)point N
cond N removes any existing condition to (break|watch)point N
cond N expr adds condition expr to (break|watch)point N. expr will be evaluated each time the breakpoint is hit. If the result is a zero value, the breakpoint isn't triggered.
break * N adds a breakpoint at address N
break id adds a breakpoint at the address of symbol id
break id N adds a breakpoint at line N inside symbol id
break N adds a breakpoint at line N of current source file
break adds a breakpoint at current $PC address
watch * N adds a watch command (on write) at address N (on 4 bytes)
watch id adds a watch command (on write) at the address of symbol id
info break lists all (break|watch)points (with state)

You can use the symbol EntryPoint to stand for the entry point of the DLL.

When setting a break/watch-point by id, if the symbol cannot be found (for example, the symbol is contained in a not yet loaded module), winedbg will recall the name of the symbol and will try to set the breakpoint each time a new module is loaded (until it succeeds).

1.7.4. Stack manipulation

Table 1-4. WineDbg stack manipulation

btprint calling stack of current thread
bt N print calling stack of thread of ID N (note: this doesn't change the position of the current frame as manipulated by the up and dn commands)
up goes up one frame in current thread's stack
up N goes up N frames in current thread's stack
dn goes down one frame in current thread's stack
dn N goes down N frames in current thread's stack
frame N set N as the current frame for current thread's stack
info local prints information on local variables for current function frame

1.7.5. Directory & source file manipulation

Table 1-5. WineDbg directory & source file manipulation

show dir prints the list of dirs where source files are looked for
dir pathname adds pathname to the list of dirs where to look for source files
dir deletes the list of dirs where to look for source files
symbolfile pathnameloads external symbol definition
symbolfile pathname N loads external symbol definition (applying an offset of N to addresses)
list lists 10 source lines forwards from current position
list - lists 10 source lines backwards from current position
list N lists 10 source lines from line N in current file
list path:N lists 10 source lines from line N in file path
list idlists 10 source lines of function id
list * Nlists 10 source lines from address N

You can specify the end target (to change the 10 lines value) using the ','. For example:

Table 1-6. WineDbg list command examples

list 123, 234 lists source lines from line 123 up to line 234 in current file
list foo.c:1, 56 lists source lines from line 1 up to 56 in file foo.c

1.7.6. Displaying

A display is an expression that's evaluated and printed after the execution of any winedbg command.

winedbg will automatically detect if the expression you entered contains a local variable. If so, display will only be shown if the context is still in the same function as the one the debugger was in when the display expression was entered.

Table 1-7. WineDbg displays

info display lists the active displays
display print the active displays' values (as done each time the debugger stops)
display expradds a display for expression expr
display /fmt expr adds a display for expression expr. Printing evaluated expr is done using the given format (see print command for more on formats)
del display N, undisplay N deletes display N

1.7.7. Disassembly

Table 1-8. WineDbg dissassembly

disasdisassemble from current position
disas exprdisassemble from address expr
disas expr, expr disassembles code between addresses specified by the two exprs

1.7.8. Memory (reading, writing, typing)

Table 1-9. WineDbg memory management

x exprexamines memory at expr address
x /fmt expr examines memory at expr address using format fmt
print expr prints the value of expr (possibly using its type)
print /fmt expr prints the value of expr using format fmt
set lval=expr writes the value of expr in lval
whatis exprprints the C type of expression expr
set ! symbol_picker interactive when printing a value, if several symbols are found, ask the user which one to pick (default)
set ! symbol_picker scoped when printing a value, give precedence to local symbols over global symbols

fmt is either letter or count letter (without a space between count and letter), where letter can be

san ASCII string
ua Unicode UTF16 string
iinstructions (disassemble)
x32-bit unsigned hexadecimal integer
d32-bit signed decimal integer
w16-bit unsigned hexadecimal integer
ccharacter (only printable 0x20-0x7f are actually printed)
b8-bit unsigned hexadecimal integer

1.7.9. Information on Wine internals

Table 1-10. WineDbg Win32 objects management

info class lists all Windows classes registered in Wine
info class idprints information on Windows class id
info share lists all the dynamic libraries loaded in the debugged program (including .so files, NE and PE DLLs)
info share N prints information on module at address N
info regs prints the value of the CPU registers
info all-regs prints the value of the CPU and Floating Point registers
info segment N prints information on segment N (i386 only)
info segment lists all allocated segments (i386 only)
info stack prints the values on top of the stack
info map lists all virtual mappings used by the debugged program
info map N lists all virtual mappings used by the program of wpid N
info wnd Nprints information of Window of handle N
info wnd lists all the window hierarchy starting from the desktop window
info process lists all w-processes in Wine session
info threadlists all w-threads in Wine session
info exception lists the exception frames (starting from current stack frame)

1.7.10. Debug channels

It is possible to turn on and off debug messages as you are debugging using the set command (only for debug channels specified in WINEDEBUG environment variable). See Chapter 2 for more details on debug channels.

Table 1-11. WineDbg debug channels management

set + warn channel turn on warn on channel
set + channelturn on warn/fixme/err/trace on channel
set - channel turn off warn/fixme/err/trace on channel
set - fixme turn off the "fixme" class