Extension Commands
!a (assemble physical address)
!pte (display page-level address and entries)
!db, !dc, !dd, !dq (read physical memory)
!eb, !ed, !eq (edit physical memory)
!sb, !sd, !sq (search physical memory)
!u, !u64, !u2, !u32 (disassemble physical address)
!dt (display and map physical memory to structures)
!track (track and map function calls and returns to the symbols)
!epthook (hidden hook with EPT - stealth breakpoints)
!epthook2 (hidden hook with EPT - detours)
!monitor (monitor read/write/execute to a range of memory)
!syscall, !syscall2 (hook system-calls)
!sysret, !sysret2 (hook SYSRET instruction execution)
!mode (detect kernel-to-user and user-to-kernel transitions)
!cpuid (hook CPUID instruction execution)
!msrread (hook RDMSR instruction execution)
!msrwrite (hook WRMSR instruction execution)
!tsc (hook RDTSC/RDTSCP instruction execution)
!pmc (hook RDPMC instruction execution)
!vmcall (hook hypercalls)
!exception (hook first 32 entries of IDT)
!interrupt (hook external device interrupts)
!dr (hook access to debug registers)
!ioin (hook IN instruction execution)
!ioout (hook OUT instruction execution)
!hide (enable transparent-mode)
!unhide (disable transparent-mode)
!measure (measuring and providing details for transparent-mode)
!va2pa (convert a virtual address to physical address)
!pa2va (convert physical address to virtual address)
!dump (save the physical memory into a file)