
What do the columns represent for the following Windbg command uf nt!KiSwapContext


What do the first three columns stand for after entering the following command

uf nt!KiSwapContext ?

Here is the result displayed in the Windbg command prompt:

lkd> uf nt!KiSwapContext
nt!KiSwapContext:
fffff803`5c143fa0 4881ec38010000  sub     rsp,138h
fffff803`5c143fa7 488d842400010000 lea     rax,[rsp+100h]
fffff803`5c143faf 0f29742430      movaps  xmmword ptr [rsp+30h],xmm6
fffff803`5c143fb4 0f297c2440      movaps  xmmword ptr [rsp+40h],xmm7
fffff803`5c143fb9 440f29442450    movaps  xmmword ptr [rsp+50h],xmm8
fffff803`5c143fbf 440f294c2460    movaps  xmmword ptr [rsp+60h],xmm9
fffff803`5c143fc5 440f29542470    movaps  xmmword ptr [rsp+70h],xmm10
.....

Taking for example the following line as shown above, what do the first three column addresses stand for? Could someone also recommend a good place to start learning about the output rendered by Windbg if I wanted to try other Windbg commands?

fffff803`5c143fa0 4881ec38010000  sub     rsp,138h

Solution

  • The first column (fffff803`5c143fa0) is the 64-bit instruction address; the backtick in the middle is only there to make the address easier to read by separating the upper and lower 32 bits of the address. More specifically, it's the address of the first byte of the instruction.

    The second column (4881ec38010000) is the bytes that make up the instruction, and the remainder of the line (sub rsp,138h) is the instruction decoded into the corresponding assembly (Intel syntax).
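As an added illustration (not part of the original answer), the Python sketch below splits the lines quoted in the question into the three columns and checks that each address equals the previous address plus the number of bytes in the previous instruction. The function names are made up for this example; the sample lines are copied from the question's output.

```python
import re

# Lines copied from the `uf nt!KiSwapContext` output quoted in the question.
SAMPLE = """\
nt!KiSwapContext:
fffff803`5c143fa0 4881ec38010000  sub     rsp,138h
fffff803`5c143fa7 488d842400010000 lea     rax,[rsp+100h]
fffff803`5c143faf 0f29742430      movaps  xmmword ptr [rsp+30h],xmm6
fffff803`5c143fb4 0f297c2440      movaps  xmmword ptr [rsp+40h],xmm7
fffff803`5c143fb9 440f29442450    movaps  xmmword ptr [rsp+50h],xmm8
fffff803`5c143fbf 440f294c2460    movaps  xmmword ptr [rsp+60h],xmm9
fffff803`5c143fc5 440f29542470    movaps  xmmword ptr [rsp+70h],xmm10
"""

# address (hi32`lo32), instruction bytes as hex pairs, decoded assembly
LINE_RE = re.compile(
    r"^([0-9a-f]{8}`[0-9a-f]{8})\s+((?:[0-9a-f]{2})+)\s+(\S.*)$", re.I)

def parse_line(line):
    """Split one disassembly line into its columns; None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. the "nt!KiSwapContext:" symbol header
    addr_text, hex_bytes, asm = m.groups()
    return {
        # The backtick is only a visual separator, so drop it before parsing.
        "address": int(addr_text.replace("`", ""), 16),
        "bytes": bytes.fromhex(hex_bytes),
        "asm": " ".join(asm.split()),
    }

def parse_listing(text):
    return [row for row in map(parse_line, text.splitlines()) if row]

def contiguous(rows):
    """True if every address is the previous address plus its byte count."""
    return all(a["address"] + len(a["bytes"]) == b["address"]
               for a, b in zip(rows, rows[1:]))

def trailing_imm32(row):
    """Read the last four instruction bytes as a little-endian integer."""
    return int.from_bytes(row["bytes"][-4:], "little")

if __name__ == "__main__":
    rows = parse_listing(SAMPLE)
    for r in rows:
        print(f"{r['address']:#018x}  {len(r['bytes'])} bytes  {r['asm']}")
    print("contiguous:", contiguous(rows))
    print("imm32 of first instruction:", hex(trailing_imm32(rows[0])))
```

For the first line, the last four bytes (38 01 00 00) read as little-endian give 0x138, the same value the third column shows as `138h`.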