谈谈CEDebugX的使用和命令(押宝游戏被坑了10000分，发个帖子发泄一下)

第一次玩押宝游戏，才知道原来是个大坑，给得答案明显不对也行，坑了我10000分。算了，还是来谈谈技术吧

用CE的人经常觉得CE上面没有很好的debug工具，就像桌面的windbg那样好用的工具来跟踪问题，其实CE上也提

供了一个类似的东西，虽然没有windbg那么强大，但是也提供了很多有用的功能，那就是cedebugx.也许有些人

还不了解这个工具，我这里简单介绍一下它的几个常用命令。
在CE6的PB里面，cedebugx已经被自动装载了，但是在CE5的pb里，你需要手动的从菜单里面通过load debug

extension装载.

cedebugx的命令和其他target control中的命令一样，都只要在target control中运行该命令就可以了。但是这

个工具和windbg一样，都是在系统被断下来的情况下进行分析的，而不像很多target control中的其他命令，只

能在系统运行的时候调用。另外就是，由于cexdebugx是debug extension,所以它所有命令之前都要加一个感叹

号。
我们先可以在target control中用!help看一下该工具包含的命令，可以看到这里面包含的所有命令:

COMMANDS:
To see detailed help type the command followed by /?

Extension Information and Control:

help - display this list
version - display version information for this extension
refresh - refresh cached info (must call after any run/break cycle).
xml - capture debug info in an xml file and display formatted data.
save - prompts the user for a location in which to save all files generated

in the session.
getworkingpath - display the path to the debugger extension's current working folder.
setworkingpath - specify a path to use as a new destination for saved files (working

folder)

General Information:

exception - exception info and current call stack
kinfo - prints the UserKInfo table
toc - prints ROM table of contents
oat - prints OEM Address Table
disasm - retrieve disassembly for a given address
getsym - list nearest symbol at addr
checksymbols - validate that correct symbols are in use.
dd - dump data at given address
ll - prints linked lists generically
expr - evaluate an expression
getsizeof - get the size, in bytes, of a type or expression
d2x - convert a decimal integer to a hex value.
x2i - convert a hex value to a singed integer.
x2u - convert a hex value to an unsigned integer.
ms2t - display a value in milliseconds as hours, minutes, and seconds.

Diagnostics:

diagnose - provide detailed information about hangs or crashes

Threads:

thread - prints thread information from thread ptr
threadh - prints thread information from thread handle
threadlist - enumerate all threads (basic info). use "threadlist ?" for more

options
allthreads - enumerate all threads (extended info)
runlist - enumerate threads on the scheduler's run list.
sleeplist - enumerate threads on the scheduler's sleep list.
context - print context information for a given thread.
stackeval - prints all values on a thread's stack, looking for potential symbols

and known objects
stacktrace - prints stack ptr and frame ptrs with PC and ret addr for a given

thread

Processes and Modules:

proc - prints process information
proclist - lists all processes
module - prints module information
modlist - lists all loaded modules

Handles:

handlelist - prints active handle list
handle - evaluates a handle to determine type
h2p - get kernel object ptr from a handle
p2h - get a handle from a kernel object ptr

Blocked Threads:

proxy - prints detailed information about a particular proxy (i.e. blocking

object)
proxylist - lists all of the proxies in the system or owned by a particualr

process
blocked - prints list of blocking objects (proxies) and the threads they are

blocking
cslist - prints a list of critical sections that are currently blocking

threads
eventlist - prints a list of events that are currently blocking threads
sending - prints a list of threads blocked in SendMessage calls

Memory:

heaplist - prints summary information about all heaps in the system
heapwalk - print extended heap information
walkthisheap - print heap information for specific heap
meminfo - prints system memory information
heapitem - finds a heap item spanning an address and dumps item contents
dumpitem - prints contents of a heap item
valist - prints virtual allocations associated with a process
fsmaplist - prints summary information about all memory-mapped files
fsmap - prints information about a memory-mapped file
fsviewlist - prints summary information about all memory-mapped views
fsview - prints information about a memory-mapped view
pgpool - prints information about the page pools

GWES:

win - enumerate all windows (use it without arguments for more options)
winh - prints the window information for a handle (can use p|c|n|d|a) for

navigation
gditable - enumerate all GDI entries
gdih - prints the information of the GDI entity related to the provided

handle
gdiobj - prints the information of the GDI entity related to the provided gdi

object
screenshot - creates and shows a screenshot of the current UI state of the device
msgqueues - lists active message queues

注意如果你release目录下的文件和你的设备中的文件(包括pdb文件)不匹配的话，会报以下错误：
Error resolving expression <{,,kernel.dll}g_pprcNK->dwId>
ERROR in ReadStruct, can't read {,,kernel.dll}g_pprcNK->dwId
Symbols for NK.EXE are incorrect. Attempting to reload symbols ...
Error resolving expression <{,,kernel.dll}g_pprcNK->dwId>
ERROR in ReadStruct, can't read {,,kernel.dll}g_pprcNK->dwId

Unable to resolve NK.EXE symbols.
这是说你的NK.exe和你的NK.pdb不匹配，这种情况下上述命令是用不了的，所以你要至少保证您的设备上的

NK.exe和release下的nk.pdb是匹配的，一般我都是要求设备上的image就是通过当前release目录里的文件生成

的。
所有这些命令当中一般都是先打一个!diagnose all看一看，它会帮你自动分析系统可能存在的hang和crash的问

题。如果找到了，它会列出它认为存在的问题，然后你可以用!diagnose <index>来看它列出的问题的详细信息

。
当然diagnose不是万能的，你也许要自己手工去查问题，那么首先要显示进程列表，线程列表,装载的模块列表以及窗口列表：
proclist,threadlist,modlist，win
当然相关的process, thread,module可以显示指定对象的详细信息。
如果要查询堆栈上的东西，那么可以用stackeval，当然前提是你需要对堆栈的结构熟悉。它的好处是它会帮你自动匹配所有可能匹配的数据，所以匹配结果只是个参考，但省去了好多麻烦。
disasm是用来反汇编用的，这在需要分析汇编代码的时候很有用。
runlist可以用来显示当前运行的线程，当系统非正常的busy的时候，可以用它来查看系统中哪个线程占了大量的CPU时间。
dd，getsizeof可以用来查看结构内容和大小，当你从栈上得到一个结构的地址，但是不知道怎么看里面的内容时就可以用上了。