Practical Reverse Engineering Exercise Solutions: LiveKd / WinDbg Cheat Sheet

Here are a couple of commands I regularly use for reverse engineering:

  • uf <function>: Unassemble the given function
  • dt nt!_ktss: Show the definition of the data structure _ktss
  • ?? sizeof(_ktss): Show the size the data structure _ktss occupies in memory
  • .hh uf: Show the help page for the uf command
  • x nt!*createfile*: Search all functions in nt that have the string createfile in their name
  • !vtop <PDPT-pointer> <virtualAddress>: Compute the physical address of the given virtual address, given the pointer to the page directory pointer table (the directory base)
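As an added example that is not part of the original cheat sheet, here is a Python model of the translation !vtop performs on a PAE system: PDPT -> page directory -> page table -> page offset, with not-present entries and 2 MiB large pages handled. The physical memory image, its table locations and all entries are constructed sample data.

```python
import struct

PAGE_SIZE = 0x1000
LARGE_PAGE_SIZE = 0x200000           # 2 MiB page when the PS bit is set in a PDE
PRESENT = 1 << 0                     # bit 0: entry is present
PAGE_SIZE_BIT = 1 << 7               # bit 7 of a PDE: maps a large page directly
ADDR_MASK = 0x000FFFFFFFFFF000       # bits 12..51 of a PAE entry hold the next-level base

def read_qword(mem, paddr):
    """Read one 8-byte PAE entry from the constructed memory image (0 if nothing is there)."""
    return struct.unpack_from("<Q", mem.get(paddr, b"\x00" * 8))[0]

def vtop(mem, pdpt_base, va):
    """Translate a 32-bit virtual address under PAE paging.
    Returns the physical address, or None when some level is not present."""
    pdpt_index = (va >> 30) & 0x3    # bits 31:30 select one of 4 PDPT entries
    pd_index = (va >> 21) & 0x1FF    # bits 29:21 select one of 512 page directory entries
    pt_index = (va >> 12) & 0x1FF    # bits 20:12 select one of 512 page table entries
    pdpte = read_qword(mem, pdpt_base + pdpt_index * 8)
    if not pdpte & PRESENT:
        return None
    pde = read_qword(mem, (pdpte & ADDR_MASK) + pd_index * 8)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_BIT:          # large page: no page table level, 21-bit offset
        return (pde & 0xFFFFFFFFFFE00000) + (va & (LARGE_PAGE_SIZE - 1))
    pte = read_qword(mem, (pde & ADDR_MASK) + pt_index * 8)
    if not pte & PRESENT:
        return None
    return (pte & ADDR_MASK) + (va & (PAGE_SIZE - 1))

def build_sample_memory():
    """Constructed image: PDPT at 0x1000, one page directory at 0x2000, one page table at 0x3000."""
    mem = {}
    def put(paddr, value):
        mem[paddr] = struct.pack("<Q", value)
    put(0x1000 + 2 * 8, 0x2000 | PRESENT)                      # PDPTE[2]: covers VA 0x80000000-0xBFFFFFFF
    put(0x2000 + 0 * 8, 0x3000 | PRESENT)                      # PDE[0] -> page table at 0x3000
    put(0x2000 + 1 * 8, 0x400000 | PRESENT | PAGE_SIZE_BIT)    # PDE[1] -> 2 MiB large page at 0x400000
    put(0x3000 + 0x1F * 8, 0x7B000 | PRESENT)                  # PTE[0x1F] -> physical page 0x7B000
    return mem

if __name__ == "__main__":
    mem = build_sample_memory()
    for va in (0x8001F123, 0x80200ABC, 0x00000000):
        result = vtop(mem, 0x1000, va)
        print(f"VA {va:#010x} -> {'not present' if result is None else f'PA {result:#x}'}")
```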