Debugger Command and Script Tips

Find out which modules, in a user or kernel memory dump, have been patched
!for_each_module "!chkimg -d @#ModuleName"
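What !chkimg -d reports is the set of bytes in the loaded module that differ from the pristine copy on the symbol store. The following Python is an added example, not part of the original tips and not the debugger's implementation: it performs the same comparison over two constructed byte strings (a clean copy of a function's first bytes and the same bytes as found in a dump, with two constructed differences) and coalesces the mismatches into ranges the way you would want them reported. The base address and both byte strings are made up for the example. It assumes the clean copy has already been relocated to the module's load address; a naive byte diff of an unrelocated file image would also flag every relocation fix-up.

```python
from typing import List, Tuple

# Constructed sample data (not from any real module): the same 17 bytes as they
# appear in the on-disk image and as they were found in the memory dump. The dump
# copy has its first five bytes replaced and one further byte altered at offset 15.
CLEAN_BYTES = bytes.fromhex("8bff558bec" "83ec1c5356" "8b7508578b" "7d0c")
DUMP_BYTES = bytes.fromhex("e9ab120000" "83ec1c5356" "8b7508578b" "7e0c")
SAMPLE_BASE = 0x10001000  # assumed load address of the function being checked

Patch = Tuple[int, bytes, bytes]  # (address, original bytes, bytes found in the dump)


def find_patches(clean: bytes, current: bytes, base: int = 0) -> List[Patch]:
    """Return one (address, original, current) entry per contiguous run of
    differing bytes, mirroring the per-byte report of !chkimg -d with the
    runs coalesced so an inline modification shows up as a single range."""
    if len(clean) != len(current):
        # Different sizes almost always mean a different image version, so the
        # comparison would be meaningless rather than merely noisy.
        raise ValueError("section sizes differ; compare against the same image version")
    runs: List[Patch] = []
    start = None
    for i, (a, b) in enumerate(zip(clean, current)):
        if a != b:
            if start is None:
                start = i          # open a new run of mismatched bytes
        elif start is not None:
            runs.append((base + start, clean[start:i], current[start:i]))
            start = None           # close the run on the first matching byte
    if start is not None:          # run that extends to the end of the buffer
        runs.append((base + start, clean[start:], current[start:]))
    return runs


def format_patches(runs: List[Patch]) -> List[str]:
    """Render each run as 'address: original -> current' with space-separated hex."""
    return [
        "%08x: %s -> %s" % (addr, orig.hex(" "), cur.hex(" "))
        for addr, orig, cur in runs
    ]


if __name__ == "__main__":
    for line in format_patches(find_patches(CLEAN_BYTES, DUMP_BYTES, SAMPLE_BASE)):
        print(line)
```

Only the runs are reported, so a clean module yields an empty list; the caller decides whether a difference is an expected hot-patch or something to investigate.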

Display all the files an application is attempting to write to (32-bit x86 target: the breakpoint reads the lpFileName and dwDesiredAccess arguments from the stack through @esp, and 0x40000000 is GENERIC_WRITE)
bp kernel32!CreateFileW ".if ( ( poi(@esp+8) & 0x40000000 ) != 0x0) {du /c 100 poi(@esp+4);g;} .else {g;}"

Display information about the virtual addresses that contain the value 0x12345678
.foreach ( MyHits { s -[1]d 0x0 L?0x20000000 0x12345678 } ) {.echo MyHits ; !address MyHits }

Load symbols for all user and kernel modules in a complete memory dump
!for_each_process ".process @#Process; .reload -f -user"

Find the pool tag "Abcd" within all loaded kernel mode drivers on a system
!for_each_module s-a @#Base @#End "Abcd"

Use an external command to process the output of the debugger
.shell -i - -ci "!process 0 6" findstr "THREAD Ticks"
The above command displays, for each waiting thread in the system, how long it has been in the wait state (the Ticks value that !process 0 6 prints for each thread); findstr keeps only the THREAD and Ticks lines of the output.

Display the number of threads in every process in the system
!for_each_process "dt @#Process nt!_EPROCESS -c -o UniqueProcessId ActiveThreads"

Script to display a list of critical sections in a process (similar to !locks and !cs)
$$ ntdll!RtlCriticalSectionList is the LIST_ENTRY head that links every _RTL_CRITICAL_SECTION_DEBUG in the process
r $t0 = ntdll!RtlCriticalSectionList ;
$$ Follow Flink until the walk returns to the head (or meets a NULL link)
.for( r $t1 = poi(@$t0) ; (@$t1 != 0) & (@$t1 != @$t0) ; r $t1 = poi(@$t1) )
{
    $$ Recover the debug record from its embedded ProcessLocksList entry, then the critical section it describes
    r? $t2 = #CONTAINING_RECORD(@$t1, ntdll!_RTL_CRITICAL_SECTION_DEBUG, ProcessLocksList);
    r? $t3 = (ntdll!_RTL_CRITICAL_SECTION *) @@c++(@$t2->CriticalSection);
    .printf "CS=%p Owner=%p LockCount=%N\n", @$t3 , @@c++(@$t3->OwningThread), @@c++(@$t3->LockCount);
}
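The script above walks an embedded doubly-linked list: each ProcessLocksList entry sits inside a debug record, CONTAINING_RECORD subtracts the field offset to get back to the record, and the loop ends when Flink returns to the head. The Python below is an added example, not part of the original tips and not code from the debugger or from ntdll: it builds a small constructed memory image with a list head and three debug records, then performs the same walk. The structure offsets, base address, thread ids and LockCount values are all assumptions made for the example (the offsets follow the 32-bit layout the script relies on, but the walk only needs them to be self-consistent). It goes one step beyond the script by checking the Blink of every node and refusing to follow a cycle, which is how a corrupted list is caught instead of looping forever.

```python
import struct
from typing import List, Tuple

PTR = 4  # 32-bit target, matching the @esp-based tips on this page

# Assumed field offsets for the constructed image (they mirror the 32-bit
# ntdll layout the script uses, but nothing here depends on the real one).
DBG_CRITICAL_SECTION = 0x4    # _RTL_CRITICAL_SECTION_DEBUG.CriticalSection
DBG_PROCESS_LOCKS_LIST = 0x8  # _RTL_CRITICAL_SECTION_DEBUG.ProcessLocksList (Flink, Blink)
CS_LOCK_COUNT = 0x4           # _RTL_CRITICAL_SECTION.LockCount
CS_OWNING_THREAD = 0xC        # _RTL_CRITICAL_SECTION.OwningThread

Row = Tuple[int, int, int]    # (critical section address, owning thread, lock count)


class Image:
    """Flat little-endian memory image with a base address; stands in for the dump."""

    def __init__(self, base: int, size: int) -> None:
        self.base, self.buf = base, bytearray(size)

    def write_ptr(self, addr: int, value: int) -> None:
        struct.pack_into("<I", self.buf, addr - self.base, value & 0xFFFFFFFF)

    def read_ptr(self, addr: int) -> int:
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def read_i32(self, addr: int) -> int:
        return struct.unpack_from("<i", self.buf, addr - self.base)[0]


def containing_record(entry_addr: int, field_offset: int) -> int:
    """CONTAINING_RECORD: the address of the structure that embeds the list entry."""
    return entry_addr - field_offset


def build_sample_image() -> Tuple[Image, int]:
    """Constructed image: a list head (standing in for ntdll!RtlCriticalSectionList)
    plus three debug records, each pointing at its own critical section."""
    img = Image(base=0x77E00000, size=0x100)          # assumed data-area address
    head = 0x77E00000
    dbg = [0x77E00010, 0x77E00030, 0x77E00050]
    cs = [0x77E00070, 0x77E00090, 0x77E000B0]
    owners = [0x0, 0x1A2C, 0x0]                        # constructed thread ids
    locks = [-1, 0, -1]                                # constructed raw LockCount values
    nodes = [head] + [d + DBG_PROCESS_LOCKS_LIST for d in dbg]
    for i, node in enumerate(nodes):                   # circular list: Flink, then Blink
        img.write_ptr(node, nodes[(i + 1) % len(nodes)])
        img.write_ptr(node + PTR, nodes[(i - 1) % len(nodes)])
    for d, c, owner, count in zip(dbg, cs, owners, locks):
        img.write_ptr(d + DBG_CRITICAL_SECTION, c)
        img.write_ptr(c, d)                            # DebugInfo back-pointer
        img.write_ptr(c + CS_LOCK_COUNT, count)
        img.write_ptr(c + CS_OWNING_THREAD, owner)
    return img, head


def walk_critical_sections(img: Image, head: int) -> List[Row]:
    """The script's loop: follow Flink from the head until it comes back to the
    head or hits NULL, recovering each debug record with CONTAINING_RECORD.
    Unlike the script it also validates Blink and refuses to revisit a node."""
    rows: List[Row] = []
    seen = set()
    prev, entry = head, img.read_ptr(head)
    while entry != 0 and entry != head:
        if entry in seen:
            raise RuntimeError("cycle in list at %#x; list is corrupt" % entry)
        if img.read_ptr(entry + PTR) != prev:
            raise RuntimeError("Blink mismatch at %#x; list is corrupt" % entry)
        seen.add(entry)
        dbg = containing_record(entry, DBG_PROCESS_LOCKS_LIST)
        cs = img.read_ptr(dbg + DBG_CRITICAL_SECTION)
        rows.append((cs, img.read_ptr(cs + CS_OWNING_THREAD), img.read_i32(cs + CS_LOCK_COUNT)))
        prev, entry = entry, img.read_ptr(entry)       # advance along Flink
    return rows


def format_rows(rows: List[Row]) -> List[str]:
    """Same shape of line as the script's .printf."""
    return ["CS=%08x Owner=%08x LockCount=%d" % row for row in rows]


if __name__ == "__main__":
    image, list_head = build_sample_image()
    for line in format_rows(walk_critical_sections(image, list_head)):
        print(line)
```

The raw LockCount is printed as the script prints it; its encoding differs between Windows versions, so interpret it with !cs rather than by eye.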