(opens MDMP files natively)
Matrix
| Goal | Command | What It Gives | Why It Matters |
|---|---|---|---|
| Analyze dump | !analyze -v | Full dump summary | First triage / crash reason / suspicious context |
| List loaded modules | lm | DLLs / EXEs loaded | Detect injected / suspicious modules |
| Detailed module info | lmv | Full module metadata | Timestamp, path, symbols |
| Process Environment Block | !peb | Command line, loaded modules, env | Excellent malware context |
| Thread Environment Block | !teb | Thread state | Thread-level analysis |
| List threads | ~ | All threads | Find suspicious thread count |
| Switch thread | ~<id>s | Focus thread | Thread investigation |
| Thread stack | k | Call stack | Execution path |
| Full stack | kv | Stack + params | API tracing |
| All thread stacks | ~* k | Every thread stack | Spot injected thread |
| Registers | r | CPU registers | Instruction state |
| Disassemble current | u | Assembly around RIP/EIP | Immediate execution context |
| Disassemble range | u <addr> | Code block | Manual reversing |
| Dump memory bytes | db <BaseAddress> | Raw bytes | Inspect shellcode |
| Dump dwords | dd <addr> | Structured memory | Pointers / values |
| Dump qwords | dq <addr> | 64-bit values | Pointer-rich analysis |
| Dump unicode string | du <addr> | UTF-16 strings | File paths / URLs |
| Dump ascii string | da <addr> | ASCII strings | Commands / payload text |
| Search memory ascii | s -a 0 L?7fffffffffff "http" | Find text | URLs / C2 (use 0 L?ffffffff for a 32-bit target; on x64, 0 L?ffffffff only covers the low 4 GB) |
| Search memory unicode | s -u 0 L?7fffffffffff "powershell" | Unicode search | Script traces (same range note as above) |
| Memory map | !address | All virtual memory regions with state/protect/type | RWX / suspicious allocations; !address -f:PAGE_EXECUTE_READWRITE lists only RWX regions |
| VAD summary | !vadump | Memory regions | Injection detection |
| Heap info | !heap -s | Heap structures | Heap abuse |
| Handle list | !handle | Open handles | Mutexes / files / events (needs handle data in the dump, i.e. MiniDumpWithHandleData) |
| File handles | !handle 0 f File | Full details for File-type handles only | Open payloads (!handle 0 f alone dumps every handle with full detail) |
| Object types | !object | Kernel objects | IPC clues (kernel-mode dumps only) |
| PEB modules | !dlls | Loaded DLLs via PEB | Compare with lm |
| Exception chain | !exchain | SEH chain (x86 only) | Exploit / shellcode patterns; on x64 exceptions are table-based, use .exr -1 and !analyze -v instead |
| Show current process | !process | Current process context (kernel-mode) | Dump scope |
| List all processes | !process 0 0 | All processes, brief (kernel-mode) | Full context in a kernel/complete dump; !process 0 7 adds per-process thread lists |
| Switch process | .process /r /p <EPROCESS> | Process context switch (kernel-mode) | Cross-process work |
| Examine symbols | x module!* | All symbols of a module | API mapping |
| Breakpoint | bp <addr> | Execution stop | Dynamic reversing (live target only; a dump cannot execute) |
| Hardware breakpoint | ba e 1 <addr> | Break on execute at address | Stealth tracing (live target only) |
| Continue | g | Resume execution | Dynamic run (live target only) |
| Step into | t | Single-step | Precise reversing (live target only) |
| Step over | p | Skip calls | Faster navigation (live target only) |
| Show current symbols | ln <addr> | Symbol resolution | API identification |
| Dump all PE headers | !dh -a <module> | File, optional and section headers plus data directories | Import / export directory locations, entry point |
| Section headers | !dh -s <module> | Section table only | Packed / suspicious sections (odd names, RWX characteristics, raw size 0) |
| Show PEB command line | dt _PEB @$peb ProcessParameters; then dt _RTL_USER_PROCESS_PARAMETERS <ptr> CommandLine ImagePathName | Typed command line and image path | Malware launch params |
| Show command line string | du poi(poi(@$peb+20)+78) | Command line direct (x64 offsets: ProcessParameters at 0x20, CommandLine.Buffer at 0x78) | Quick extraction; on x86 use du poi(poi(@$peb+10)+44) |
| Find last created thread | !runaway 7 | Per-thread user time, kernel time and elapsed time since creation | Smallest elapsed time is the newest thread; a young thread with almost no CPU time is a candidate injected thread (needs thread time info in the dump) |
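The !address / lm comparison above (executable regions that no loaded module backs) can also be done offline without WinDbg, because a minidump stores exactly that data: MINIDUMP_MODULE_LIST (stream type 4) and MINIDUMP_MEMORY_INFO_LIST (stream type 16, present when the dump was written with MiniDumpWithFullMemoryInfo). The following is an added example, not part of the original cheat sheet: it parses the two streams and flags committed memory that is writable+executable, or executable but neither image-backed nor inside any module's range. The dump it analyzes is constructed in build_sample_dump() with one module and four regions; the module name, addresses and sizes are made up for illustration.

```python
"""Offline MDMP triage: executable memory that no loaded module accounts for."""
import struct
from dataclasses import dataclass

MODULE_LIST_STREAM = 4          # MINIDUMP_MODULE_LIST
MEMORY_INFO_LIST_STREAM = 16    # MINIDUMP_MEMORY_INFO_LIST
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
EXEC_LABEL = {0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "RWX(copy)"}  # PAGE_EXECUTE*


@dataclass
class Region:
    base: int
    size: int
    protect: int
    type: int


def _streams(buf):
    """Walk MINIDUMP_HEADER + MINIDUMP_DIRECTORY; return {stream_type: bytes}."""
    sig, _version, count, dir_rva = struct.unpack_from("<4sIII", buf, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    out = {}
    for i in range(count):  # each directory entry: StreamType, DataSize, Rva
        stype, size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        out[stype] = buf[rva:rva + size]
    return out


def modules(buf):
    """[(name, base, size)] from the module list; MINIDUMP_MODULE is 108 bytes."""
    data = _streams(buf)[MODULE_LIST_STREAM]
    (count,) = struct.unpack_from("<I", data, 0)
    mods = []
    for i in range(count):
        base, size, _cksum, _stamp, name_rva = struct.unpack_from("<QIIII", data, 4 + 108 * i)
        (nlen,) = struct.unpack_from("<I", buf, name_rva)  # MINIDUMP_STRING: byte length, UTF-16
        mods.append((buf[name_rva + 4:name_rva + 4 + nlen].decode("utf-16-le"), base, size))
    return mods


def regions(buf):
    """Committed regions from MINIDUMP_MEMORY_INFO_LIST (48-byte MINIDUMP_MEMORY_INFO entries)."""
    data = _streams(buf)[MEMORY_INFO_LIST_STREAM]
    hdr_size, entry_size, count = struct.unpack_from("<IIQ", data, 0)
    regs = []
    for i in range(count):
        base, _alloc, _aprot, _pad1, size, state, prot, typ, _pad2 = struct.unpack_from(
            "<QQIIQIIII", data, hdr_size + entry_size * i)
        if state == MEM_COMMIT:
            regs.append(Region(base, size, prot, typ))
    return regs


def suspicious_exec(buf):
    """Same question as '!address' cross-checked with 'lm': which executable memory is unexplained?"""
    mods = modules(buf)

    def backing(addr):
        return next((n for n, b, s in mods if b <= addr < b + s), None)

    hits = []
    for r in regions(buf):
        if not r.protect & 0xF0:            # PAGE_EXECUTE* bits; low nibble is the R/RW/WC set
            continue
        label = EXEC_LABEL.get(r.protect & 0xF0, "X?")
        if r.protect & 0xC0:                # PAGE_EXECUTE_READWRITE / _WRITECOPY
            hits.append((r.base, r.size, label, "writable+executable"))
        elif r.type != MEM_IMAGE and backing(r.base) is None:
            hits.append((r.base, r.size, label, "executable, not image-backed, outside every module"))
    return hits


def build_sample_dump():
    """Constructed minidump (not a real capture): one module, four committed regions."""
    name = "C:\\Windows\\System32\\ntdll.dll".encode("utf-16-le")  # illustrative path
    mod_base, mod_size = 0x7FF800000000, 0x1F0000
    mods_rva = 32 + 2 * 12                      # header, then two directory entries
    name_rva = mods_rva + 4 + 108
    meminfo_rva = name_rva + 4 + len(name) + 2
    mod = struct.pack("<QIIII", mod_base, mod_size, 0, 0x5F3E1A2B, name_rva) + bytes(108 - 24)
    mods = struct.pack("<I", 1) + mod
    name_s = struct.pack("<I", len(name)) + name + b"\0\0"
    rows = [  # (base, size, protect, type)
        (mod_base + 0x1000, 0x120000, 0x20, MEM_IMAGE),   # ntdll .text: RX, image-backed -> normal
        (0x02000000, 0x10000, 0x04, MEM_PRIVATE),         # heap: RW -> ignored
        (0x1A2B0000, 0x1000, 0x40, MEM_PRIVATE),          # RWX private -> classic shellcode stub
        (0x20000000, 0x3000, 0x20, MEM_PRIVATE),          # RX private, no module -> injected code
    ]
    entries = b"".join(struct.pack("<QQIIQIIII", b, b, p, 0, s, MEM_COMMIT, p, t, 0)
                       for b, s, p, t in rows)
    meminfo = struct.pack("<IIQ", 16, 48, len(rows)) + entries
    directory = (struct.pack("<III", MODULE_LIST_STREAM, len(mods), mods_rva) +
                 struct.pack("<III", MEMORY_INFO_LIST_STREAM, len(meminfo), meminfo_rva))
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, 0)
    return header + directory + mods + name_s + meminfo


if __name__ == "__main__":
    dump = build_sample_dump()
    for base, size, label, why in suspicious_exec(dump):
        print(f"{base:#018x} size={size:#x} {label:9} {why}")
```

Feed a real .dmp in via open(path, "rb").read(); if KeyError 16 is raised the dump lacks the memory-info stream and only the module list can be checked. The RWX-anywhere rule intentionally fires even inside a module, since a legitimately loaded image never has writable-and-executable pages after relocation.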