WinDbg

What You Will Learn

  • How to navigate and debug programs with WinDbg
  • How to set breakpoints, inspect registers, and examine memory
  • How to step through code and analyze function calls
  • How to use WinDbg for kernel and malware analysis

What Is It?

WinDbg is Microsoft’s official debugger for Windows. It supports both user-mode and kernel-mode debugging. It is the standard tool for Windows crash dump analysis, malware analysis, and kernel debugging.

Unlike GDB, WinDbg uses a different syntax and has a unique command structure.

Basic Navigation

g                     ; go (continue execution)

Listing Modules

lm                    ; list all loaded modules

Symbols and Addresses

x module!function     ; get address of a function in a module
x ntdll!NtCreateFile  ; example: address of NtCreateFile in ntdll

Call Stack

k                     ; display call stack (backtrace)
kv                    ; verbose call stack with parameters
kb                    ; call stack with first 3 parameters

Disassembly

u $entry              ; unassemble from entry point
uf module!function    ; unassemble entire function
u @rip                ; unassemble from current instruction pointer

Breakpoints

bp $exentry           ; break at entry point
bp 0x00401000         ; break at address
bu module!function    ; breakpoint on unresolved function (set when loaded)
bd <num>              ; disable breakpoint number
be <num>              ; enable breakpoint number
bl                    ; list all breakpoints

Stepping

t                     ; trace — step into one instruction
p                     ; step over one instruction
p 5                   ; step over 5 instructions
gu                    ; go up — run until current function returns
tc                    ; trace until next call instruction

Registers

r                     ; display all registers
r rax = 0xdeadbeef    ; set rax to a value
r ax = 0xf00d, rbx = 0xdeadfacebeefd00d, bl = 0x0f

Memory Examination

# Display memory at address
db <address> L<count>   ; display <count> bytes as hex+ASCII
dd <address> L<count>   ; display <count> doublewords (4 bytes) as hex
dq <address> L<count>   ; display <count> quadwords (8 bytes) as hex
da <address>            ; display as ASCII string until null terminator

# Examples
db 0x00401000 L10       ; 10 bytes from 0x00401000
dq @rsp L8              ; 8 quadwords from stack pointer
da @rdi                 ; ASCII string at rdi

Memory Modification

ed rsp 0xdeadbeef       ; write doubleword to rsp
eq rsp 0xdeadfacebeef   ; write quadword to rsp

Expression Evaluation

? a - b                 ; evaluate expression a minus b
? 0x1000 + 0x100        ; calculate hex arithmetic

Reload Symbols

.reload /f              ; force reload all symbols

Dump from RSP

dq @rsp                 ; dump quadwords from stack pointer

Example: Analyzing a Windows Binary

# 1. Load the binary
windbg -o "C:\target.exe"

# 2. Set symbol path
.sympath SRV*C:\symbols*https://msdl.microsoft.com/download/symbols

# 3. Break at entry
bp $exentry
g

# 4. See where we are
k
u @rip

# 5. Find a specific function
x target!main

# 6. Break at main
bp target!main
g

Kernel Debugging

WinDbg is used for kernel debugging by connecting a debugger machine to the target over a serial cable, network, or virtual machine serial port.

# On target machine
bcdedit /debug on
bcdedit /dbgsettings net hostip:192.168.1.100 port:50000 key:1.1.1.1

# On debugger machine
windbg -k net:port=50000,key=1.1.1.1

Resources


This site uses Just the Docs, a documentation theme for Jekyll.