Windbg – All things in moderation

Windbg

WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft.[1] Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.[1]

You can download WinDbg here.

Install it.

Click “Next”

Select the components you want to install.

The installation is finished.

Run WinDbg

You can start debugging in WinDbg either by opening an executable file or by attaching to a running process.

Attach to Process
Go to “File” and choose “Attach to a Process”, or press F6.
Then select the process you want to attach to.

Executable file
Go to “File” and choose “Open Executable”, or press Ctrl + E.
Select the path to the executable file.

Common commands in WinDbg
Dump memory
We can dump memory in WinDbg with the command “d [address]” or “d [register]”.

With a register:

With an address:

Go
We use the “g” (go) command to continue execution of the debugged program.

Unassemble
Use “u” (unassemble) followed by the address shown earlier to disassemble the instructions at that address.

Search opcode
Command: s address_start l length opcode_bytes
Example: to find the opcode ff 4e in a DLL that occupies addresses 01900000 to 01dcd000, use the command:
s 01900000 l 004cd000 ff 4e
where 004cd000 = 01dcd000 - 01900000 (the length of the range in bytes).
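To make the two commands above concrete, here is an added Python model (not part of the original post, and not WinDbg itself) of what “d” and “s” do over a module's memory. It works on a constructed 64-byte buffer standing in for a loaded DLL, with the base address 01900000 and the opcode ff 4e taken from the post's example; the buffer contents, the planted offsets and all function names are assumptions for the demo. It computes the “l” length from a start and end address, builds the search command line, reports every address in the range where the byte pattern starts, and prints bytes in the address / hex / ASCII layout of a “db” dump.

```python
# Added example: Python model of WinDbg's "d" (display memory) and
# "s" (search memory) commands over a constructed module image.
# Nothing here talks to WinDbg; it only reproduces the address arithmetic
# and the search/dump behaviour the post describes.

from typing import List

# Constructed "module image": 64 filler bytes (0x90) with the pattern ff 4e
# planted at offsets 0x10 and 0x2e.  Base address matches the post's example.
MODULE_BASE = 0x01900000
MODULE_IMAGE = bytearray(b"\x90" * 64)
MODULE_IMAGE[0x10:0x12] = b"\xff\x4e"
MODULE_IMAGE[0x2e:0x30] = b"\xff\x4e"


def range_length(start: int, end: int) -> int:
    """The 'l' value for 's start l length ...': bytes from start up to
    (not including) end, e.g. 0x01dcd000 - 0x01900000 = 0x004cd000."""
    if end < start:
        raise ValueError("end address precedes start address")
    return end - start


def search_command(start: int, end: int, pattern: bytes) -> str:
    """Build the 's' command line from a start/end address and a byte pattern."""
    opcode = " ".join(f"{b:02x}" for b in pattern)
    return f"s {start:08x} l {range_length(start, end):08x} {opcode}"


def display_bytes(image: bytes, base: int, address: int, count: int = 16) -> List[str]:
    """Model of 'db address': one line per 16 bytes with the virtual address,
    the hex bytes and their printable ASCII (dots for non-printables)."""
    offset = address - base
    if offset < 0 or offset >= len(image):
        raise ValueError("address outside the image")
    chunk = image[offset:offset + count]
    lines = []
    for i in range(0, len(chunk), 16):
        row = chunk[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append(f"{address + i:08x}  {hexpart:<47}  {asc}")
    return lines


def search_bytes(image: bytes, base: int, start: int, length: int, pattern: bytes) -> List[int]:
    """Model of 's start l length b0 b1 ...': every virtual address inside
    [start, start + length) at which the byte pattern begins.  A match that
    would run past the end of the range is not reported."""
    lo = max(start - base, 0)
    hi = min(start + length - base, len(image))
    hits = []
    pos = image.find(pattern, lo)
    while pos != -1 and pos + len(pattern) <= hi:
        hits.append(base + pos)
        pos = image.find(pattern, pos + 1)
    return hits


if __name__ == "__main__":
    for line in display_bytes(MODULE_IMAGE, MODULE_BASE, MODULE_BASE, 32):
        print(line)
    print(search_command(0x01900000, 0x01DCD000, b"\xff\x4e"))
    print([hex(a) for a in search_bytes(MODULE_IMAGE, MODULE_BASE,
                                        0x01900000, 0x004CD000, b"\xff\x4e")])
```

The range check in search_bytes mirrors a detail worth remembering at the real debugger: the length after “l” is a byte count, so a pattern that straddles the end of the range is not found, and a range given as end minus start must be recomputed whenever the module base changes (for example between runs with ASLR).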

Plugins in WinDbg
Example: Byakugan.
The functions of Byakugan are:
– jutsu: a set of tools to track buffers in memory, determine what is controlled at crash time, and discover valid return addresses
– pattern_offset
– mushishi: a framework for anti-debugging detection and for defeating anti-debugging techniques
– tenketsu: a Vista heap emulator/visualizer.

To add Byakugan, do the following:
– Copy the two DLLs byakugan.dll and injectsu.dll into the WinDbg directory
– Copy detoured.dll into the directory C:\windows\system32

In WinDbg, load Byakugan with the “.load” command:

If you want to learn more about using WinDbg, see the reference linked here.

[1] https://en.wikipedia.org/wiki/WinDbg
