WINDBG

INSTALLATION: CLASSIC WINDBG

PS C:\sre> BROWSER > https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/
 Download Name: Windows 10 SDK, version 2004 (10.0.19041.0)
 Download Location: https://go.microsoft.com/fwlink/?linkid=2312004
 Download File: 19041.5609.250311-1926.vb_release_svc_im_WindowsSDK (WinDBG Classic).iso
 
PS C:\sre> Mount > 19041.5609.250311-1926.vb_release_svc_im_WindowsSDK (WinDBG Classic).iso
PS C:\sre> .\WinSDKSetup.exe
 Debugging Tools for Windows
 
 * uncheck everything except "Debugging Tools for Windows"
 
PS C:\sre> Right-Click Desktop > New > Shortcut
 Location of Item: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"
 Shortcut Name: "windbg (classic).exe"

SETTING BREAKPOINTS

#identify debugging symbols
PS C:\sre> WinDBG
 ...
 
WinDBG > File > Open anti-debug.exe
WinDBG > Command
 0:000> x anti*!*
 
 * anti is only the partial name of the program
 * x → Examine Symbols: This command lists symbols (functions, variables, etc.) that match a given pattern.
 * anti*!* → This specifies a symbol pattern:
 * anti! → Searches for symbols in a module named anti (e.g., anti.dll or anti.exe).
 * !* → The wildcard (*) matches all symbols within that module.
 
 0:000> x anti*!mai*

 * x → Examine Symbols: Lists symbols (functions, variables, etc.) matching a given pattern.
 * anti*!mai* → Symbol Pattern Specification:
 * anti! → Search for symbols in the module named anti (e.g., anti.dll or anti.exe).
 * mai* → Wildcard search: Matches any symbol that starts with "mai".
    - this will look for "main"
    
 0:000> x anti*!check*
 
 * x → Examine Symbols: Lists symbols (functions, global variables, etc.) that match a pattern.
 * anti*!check* → Symbol pattern specification:
 * anti! → Searches in the module named anti (e.g., anti.dll or anti.exe).
 * check* → Matches any symbol starting with "check" (e.g., CheckDebugger, CheckProcess).
 
#set breakpoints
 0:00> right-click on "main" > select "Set Breakpoint [bp]
 0:00> right-click on each of the identified functions > select "Set Breakpoint [bp]

ALT METHOD

PS C:\sre> .\WinDBG
WinDBG > Command
 bl
 
 * bl represents breakpoint list
WinDBG > Command
 bp {address obtained from ghidra}

 * bp represents setting breakpoint

PreviousDEBUGGERSNextGDB/GEF

Last updated