Posts

Showing posts from June, 2017

[Note] Windbg cheetsheet

https://github.com/hugsy/defcon_27_windbg_workshop/blob/master/windbg_cheatsheet.md

.hh: view help file
dds poi(nt!KeServiceDescriptorTable) L poi(nt!KeServiceDescriptorTable+8)
d*: display command
x: examine symbols
x nt!KeServiceDescriptor*
!process 0 0
.process /p
lm u: list user-mode modules (DLLs)
!chkimg -d -v ntdll.dll
lm a [addr]: which module an addr belongs to
s 0 L?80000000/2 38 13 37 13: search hex bytes
.reload /f /i /a: reload all symbols
!heap -s: list all process heaps
dt ntdll!_DPH_BLOCK_INFORMATION 00000214`9f9acf90 #with pageheap enabled
bu annots+0003B193 ".if (@ecx==0xD0E0058) {} .else{gc}"
bu annots+0003B193 ".printf \"ECX: %x\\n\",@ecx; g"

http://geekswithblogs.net/.NETonMyMind/archive/2006/03/14/72262.aspx
http://www.reconstructer.org/papers/Hunting%20rootkits%20with%20Windbg.pdf
https://www.unknowncheats.me/forum/c-c-c/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html
http://blog.tetrane.com/2016/11/reverse-bsod.h...