Skip to content

Instantly share code, notes, and snippets.

@MangaD

MangaD/windbg.md

Last active October 12, 2025 14:42
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save MangaD/3bbeae1b326351b2728d856fb5cd651c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save MangaD/3bbeae1b326351b2728d856fb5cd651c to your computer and use it in GitHub Desktop.
Download ZIP
Comprehensive Guide to Using WinDbg (Windows Debugger)
Raw
windbg.md

πŸ“Œ Comprehensive Guide to Using WinDbg (Windows Debugger)

CC0

Disclaimer: ChatGPT generated document.

WinDbg (Windows Debugger) is a powerful debugging tool for Windows that can be used for kernel-mode and user-mode debugging, crash dump analysis, reverse engineering, and performance analysis.

This guide will cover:

βœ… Installation & Setup
βœ… Basic Commands
βœ… User-Mode Debugging
βœ… Kernel Debugging
βœ… Crash Dump Analysis
βœ… Advanced WinDbg Techniques

πŸ“Œ 1. Installing & Setting Up WinDbg

βœ”οΈ Downloading WinDbg

βœ… WinDbg Preview (Recommended for newer versions)
πŸ‘‰ Available via Microsoft Store: WinDbg Preview

βœ… Classic WinDbg (For older versions)
πŸ‘‰ Part of Windows SDK: Windows SDK Download

πŸ“Œ WinDbg Preview is recommended as it has a better UI and new features.

πŸ“Œ 2. Basic WinDbg Commands

Once inside WinDbg, you can use commands to examine memory, breakpoints, stack traces, and variables.

βœ”οΈ Basic Navigation

Command Description
.help Show available commands
.hh command Open help for a command
!help List debugger extensions
.symfix Automatically set symbol path
.reload Reload symbols

βœ”οΈ Attach WinDbg to a Running Process

To attach to a running process, use:

  1. Open WinDbg
  2. Click File β†’ Attach to a Process
  3. Select the target process
  4. Click OK

πŸ“Œ Or, use the command line:

windbg -pn my_program.exe

πŸ“Œ 3. User-Mode Debugging

βœ”οΈ Setting Breakpoints

Command Description
bp <address> Set a breakpoint at an address
bl List all breakpoints
bc <ID> Clear a specific breakpoint
bd <ID> Disable a breakpoint
be <ID> Enable a breakpoint

Example: Break at main()

bp my_program!main

βœ”οΈ Viewing Call Stack

Command Description
k Show call stack
kb Show call stack with arguments
kp Show call stack with function parameters
kv Show call stack with variable info

πŸ“Œ Example: Show a function call stack

kb

βœ”οΈ Inspecting Variables

Command Description
dt <Type> Display structure type information
?? <Variable> Display variable value
dv List local variables
dw <Address> Display memory at address

πŸ“Œ Example: Inspect a C++ object

dt my_program!MyClass my_object

πŸ“Œ 4. Kernel-Mode Debugging

Kernel debugging is useful for analyzing BSODs (Blue Screens of Death), driver issues, and system crashes.

βœ”οΈ Setting Up Kernel Debugging

  1. Enable Debugging Mode

    in Windows:

    bcdedit /debug on

  2. Connect to a Kernel Debugging Session

    :

    kd -k com:port=\\.\pipe\com_1

  3. Run Kernel Debugging Commands

    :

    !analyze -v

βœ”οΈ Viewing Running Threads

Command Description
!process 0 0 List all running processes
!thread Show current thread info
~ List all threads
~#s Switch to thread #

πŸ“Œ 5. Crash Dump Analysis

WinDbg is widely used to analyze crash dumps (BSODs and application crashes).

βœ”οΈ Load a Crash Dump

  1. Open WinDbg
  2. Click File β†’ Open Crash Dump
  3. Select the .dmp file

πŸ“Œ Or, via the command line:

windbg -z C:\Windows\Minidump\memory.dmp

βœ”οΈ Analyze the Crash

Command Description
!analyze -v Perform crash dump analysis
!analyze -hang Analyze application hang
lm List loaded modules
lmv List module details

πŸ“Œ Example: Analyze a BSOD

!analyze -v

πŸ“Œ 6. Advanced WinDbg Techniques

βœ”οΈ Debugging Memory & Registers

Command Description
r Display registers
r eax Show register EAX
r eax=0x1234 Set register EAX
db <Address> Dump memory as bytes
dw <Address> Dump memory as words

πŸ“Œ Example: Dump memory at address 0x1000

db 0x1000 L32

βœ”οΈ Symbol Management

WinDbg uses symbols (.pdb files) to map function names and variables correctly.

πŸ“Œ Set Symbol Path:

.sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
.reload

πŸ“Œ Check if symbols are loaded:

lm

πŸ“Œ 7. Summary & Quick Reference

Task Command
Attach to a Process windbg -pn my_program.exe
Set a Breakpoint bp my_program!main
View Call Stack kb
Inspect a Variable ?? myVar
Analyze a Crash Dump !analyze -v
Dump Memory db 0x1000 L32

Visual Studio’s "Debug -> Attach to Process" vs WinDbg

Visual Studio’s "Debug -> Attach to Process" does not use WinDbg directly. Instead, it uses its own debugging engine (DbgEng), which is part of the Visual Studio Debugger (VS Debugger).

πŸ“Œ How Does Visual Studio’s "Attach to Process" Work?

  1. Uses the Microsoft Visual Studio Debugger

    • The VS Debugger is separate from WinDbg but shares some underlying Windows debugging components (DbgHelp.dll, DbgEng.dll).

  2. Provides a UI-friendly Debugging Experience

    • Unlike WinDbg (which is command-line heavy), Visual Studio offers GUI tools like breakpoints, watch windows, call stack navigation, and variable inspection.

  3. Supports Different Debugging Types

    • Managed Debugging (for .NET apps)
    • Native Debugging (for C/C++ apps)
    • Mixed-Mode Debugging (for apps using both .NET & native code)

  4. Can Attach to Running Processes

    • This allows debugging without restarting an application.

πŸ“Œ Does Visual Studio Use WinDbg Internally?

❌ No, Visual Studio does not call WinDbg when attaching to a process.
βœ… However, both WinDbg and Visual Studio use the same Windows Debug API (DbgEng.dll), meaning they can both debug user-mode and kernel-mode applications.

πŸ“Œ When Should You Use WinDbg Instead of Visual Studio?

Scenario Use Visual Studio Debugger Use WinDbg
Debugging a .NET or C++ App βœ… Yes ❌ Not Ideal
Debugging Kernel (BSODs) ❌ No βœ… Yes
Debugging Large Crash Dumps ❌ No βœ… Yes
Debugging Malware/Reverse Engineering ❌ No βœ… Yes
Debugging a Process Without Symbols ❌ Harder βœ… Easier
Debugging in Production ❌ No βœ… Yes

πŸ“Œ WinDbg is preferred for deep system debugging, reverse engineering, and crash dump analysis.
πŸ“Œ Visual Studio is preferred for application development and interactive debugging.

WinDbg vs OllyDbg

CC0

Disclaimer: ChatGPT generated document.

πŸ“Œ WinDbg vs. OllyDbg – A Comprehensive Comparison

Both WinDbg and OllyDbg are powerful debugging tools, but they serve different purposes.

βœ… WinDbg β†’ Used for Windows system debugging, crash dump analysis, kernel debugging, and large-scale application debugging.
βœ… OllyDbg β†’ Used for reverse engineering, malware analysis, and analyzing compiled binaries without source code.

πŸ“Œ 1. High-Level Comparison

Feature WinDbg OllyDbg
Purpose System debugging, kernel debugging, crash dump analysis Reverse engineering, binary analysis, malware analysis
Type Symbolic debugger Disassembler/debugger
User Interface Command-line + GUI Graphical with interactive assembly view
Supported Platforms x86, x64 Primarily x86 (OllyDbg 2.0 supports x64)
Kernel Debugging βœ… Yes ❌ No
User-Mode Debugging βœ… Yes βœ… Yes
Crash Dump Analysis βœ… Yes ❌ No
Debugging Without Source Code βœ… Yes (with symbols) βœ… Yes (without symbols)
Dynamic Analysis (Hooking, API Monitoring, Code Injection) ❌ Limited βœ… Yes
Breakpoints βœ… Software & Hardware Breakpoints βœ… Software & Hardware Breakpoints
Graphical Disassembly View ❌ No βœ… Yes
Plugins & Extensibility βœ… Yes (via WinDbg Extensions) βœ… Yes (OllyDbg Plugins)

πŸ“Œ Conclusion:

  • Use WinDbg if you are analyzing Windows internals, kernel bugs, system crashes, or large applications.
  • Use OllyDbg if you are reverse engineering, analyzing malware, or modifying compiled binaries.

πŸ“Œ 2. Use Cases: When to Use WinDbg vs. OllyDbg

Scenario Use WinDbg? Use OllyDbg?
Debugging a running Windows process βœ… Yes βœ… Yes
Debugging Windows kernel or drivers βœ… Yes ❌ No
Analyzing a crash dump (BSOD, minidump) βœ… Yes ❌ No
Reverse engineering a compiled program (no source code) ❌ No βœ… Yes
Debugging malware behavior ❌ No βœ… Yes
Debugging a large application with symbols βœ… Yes ❌ No
Stepping through a disassembled binary ❌ No βœ… Yes
Viewing Assembly Instructions βœ… Yes (limited) βœ… Yes (graphical)

πŸ“Œ Summary:

  • WinDbg is the tool of choice for system debugging, crash dump analysis, and Windows internals.
  • OllyDbg is best for reverse engineering, malware analysis, and low-level binary manipulation.

πŸ“Œ 3. Features in Detail

βœ”οΈ WinDbg: Strengths & Weaknesses

βœ… Strengths

βœ”οΈ Kernel Debugging – Can debug Windows drivers and kernel crashes.
βœ”οΈ Crash Dump Analysis – Used for analyzing BSODs and application crashes.
βœ”οΈ Symbolic Debugging – Works well with .pdb symbol files to display function names and variables.
βœ”οΈ Multi-threaded Debugging – Can debug complex multi-threaded applications.
βœ”οΈ Microsoft-Supported – Used for official debugging in Windows development.

❌ Weaknesses

❌ Difficult to Use – Command-line heavy; requires deep Windows internals knowledge.
❌ No Disassembler View – Unlike OllyDbg, it lacks a graphical assembly view.
❌ Not Great for Reverse Engineering – Harder to analyze binaries without symbols.

βœ”οΈ OllyDbg: Strengths & Weaknesses

βœ… Strengths

βœ”οΈ Graphical Assembly View – Shows disassembled binary code with function calls.
βœ”οΈ Great for Reverse Engineering – Used for cracking, binary patching, and malware analysis.
βœ”οΈ No Source Code Required – Can analyze any compiled executable.
βœ”οΈ Plugins & Extensibility – Supports third-party plugins for additional functionality.
βœ”οΈ Dynamic Analysis – Can hook functions, patch executables, and trace API calls.

❌ Weaknesses

❌ No Kernel Debugging – Cannot debug Windows drivers or analyze BSODs.
❌ No Symbol Support – Unlike WinDbg, it does not load .pdb files for debugging with symbols.
❌ Not Ideal for Large Applications – Better suited for small-to-medium binaries rather than system-level debugging.

πŸ“Œ 4. How They Work Internally

βœ”οΈ How WinDbg Works

  1. Uses Windows Debug API (DbgEng.dll) to interact with processes.
  2. Loads symbol files (.pdb) to map function names and variables.
  3. Provides both user-mode and kernel-mode debugging.
  4. Can analyze memory dumps (Minidumps, Full Dumps, Kernel Dumps).
  5. Executes commands via WinDbg Extensions (e.g., !analyze -v).

πŸ“Œ Example: Attach to a process in WinDbg:

windbg -pn my_program.exe

βœ”οΈ How OllyDbg Works

  1. Loads an executable file (EXE, DLL) directly into memory.
  2. Disassembles the binary into assembly instructions.
  3. Hooks API calls and modifies memory at runtime.
  4. Uses breakpoints to analyze execution flow.
  5. Allows manual patching of instructions in the executable.

πŸ“Œ Example: Open an EXE in OllyDbg:

  • File β†’ Open β†’ Select my_program.exe
  • Press F9 to start debugging.

πŸ“Œ 5. Conclusion: Which One Should You Use?

Use Case Best Tool
Debugging Windows crashes (BSOD, minidumps) WinDbg
Debugging a running Windows process with symbols WinDbg
Kernel-mode debugging (drivers, system analysis) WinDbg
Debugging malware, reverse engineering, or cracking software OllyDbg
Analyzing an EXE without source code OllyDbg
Debugging user-mode applications without symbols OllyDbg

πŸ“Œ Final Verdict:

  • Use WinDbg for Windows system debugging, BSOD analysis, and debugging large applications with symbols.
  • Use OllyDbg for reverse engineering, malware analysis, and debugging compiled binaries without source code.

πŸ“Œ Step-by-Step Guide: Using WinDbg for Reverse Engineering

WinDbg is not the best tool for reverse engineering (compared to tools like OllyDbg, IDA Pro, or x64dbg), but it can still be used to analyze binaries, set breakpoints, inspect memory, and modify execution flow.

This guide will show step-by-step how to reverse engineer a Windows application using WinDbg, including: βœ… Attaching to a Running Process
βœ… Setting Breakpoints
βœ… Inspecting Memory & Registers
βœ… Disassembling Code
βœ… Modifying Execution Flow

πŸ“Œ 1. Setup: Install & Open WinDbg

βœ”οΈ Download WinDbg

βœ… Use WinDbg Preview (recommended) from the Microsoft Store
πŸ‘‰ Download WinDbg Preview

βœ… Alternatively, download the classic WinDbg from the Windows SDK
πŸ‘‰ Windows SDK Download

βœ”οΈ Open WinDbg

  1. Run WinDbg as Administrator (Right-click β†’ Run as Admin).
  2. Go to "File" β†’ "Attach to a Process".
  3. Select the target application (e.g., notepad.exe or my_target.exe).
  4. Click OK to start debugging.

πŸ“Œ Alternatively, attach via the command line:

windbg -pn my_target.exe

πŸ“Œ 2. Attach to a Running Process

βœ”οΈ Find the Target Process

Use:

.tlist

This will list all running processes.

Example output:

   1234 my_target.exe
   5678 explorer.exe
   9101 cmd.exe

βœ”οΈ Attach to the Process

Use:

.attach 1234

πŸ“Œ Replace 1234 with the PID of the target process.

πŸ“Œ 3. Set Breakpoints

Now, we need to find a function of interest and set a breakpoint.

βœ”οΈ Set a Breakpoint on a Function

To break at MessageBoxA (commonly used in Windows applications):

bp user32!MessageBoxA

πŸ“Œ If unsure of the module name, use:

x user32!*MessageBox*

βœ”οΈ List Breakpoints

bl

βœ”οΈ Remove a Breakpoint

bc 0

πŸ“Œ This removes breakpoint ID 0.

πŸ“Œ 4. Run & Hit the Breakpoint

Run the program:

g

Once the breakpoint hits, execution will pause, allowing you to inspect registers, memory, and stack.

πŸ“Œ 5. Inspecting Memory & Registers

βœ”οΈ View Register Values

r

Example output:

eax=00000000 ebx=12345678 ecx=87654321 edx=abcdef12

To inspect a specific register:

r eax

βœ”οΈ View Stack Memory

dps esp

πŸ“Œ Shows function arguments in the stack.

βœ”οΈ Dump Memory at a Specific Address

db 0x00400000 L16

πŸ“Œ Dumps 16 bytes at address 0x00400000.

πŸ“Œ 6. Disassemble Code & Modify Execution

βœ”οΈ Disassemble Current Instruction

u

Example output:

00401000  push ebp
00401001  mov ebp,esp
00401003  sub esp,0x10
00401006  call 0x00402000

βœ”οΈ Disassemble a Specific Address

u 0x00401000

βœ”οΈ Modify Execution Flow

(1) Skip a Function Call

If execution reaches:

call 0x00402000

You can skip it by modifying the EIP register:

r eip=0x00401006
g

This makes execution jump past the function call.

(2) Modify Register Values

If eax contains a return value that needs to be changed:

r eax=1
g

This forces a function to return 1 instead of 0.

πŸ“Œ 7. Dump & Modify Strings in Memory

βœ”οΈ Find & Dump Strings

Use:

!strings -a

This lists all ASCII strings in memory.

To dump memory at a specific location:

db 0x12345678 L32

πŸ“Œ Shows 32 bytes at address 0x12345678.

βœ”οΈ Modify Memory (Patch a Value)

To modify a specific memory address, use:

eb 0x12345678 90 90 90

πŸ“Œ This overwrites the first 3 bytes with NOP instructions (0x90).

πŸ“Œ 8. Export & Analyze Debugging Data

βœ”οΈ Save Debugging Session

.dump /f my_debug.dmp

πŸ“Œ Saves current session for later analysis.

βœ”οΈ Export Loaded Modules

lm

πŸ“Œ Lists all loaded DLLs and EXEs.

βœ”οΈ Save Log Output

To log all commands:

.logopen my_log.txt

πŸ“Œ 9. Summary & Cheat Sheet

Task Command
Attach to process .attach <PID>
Set a breakpoint bp user32!MessageBoxA
List breakpoints bl
Run program g
Disassemble code u
View registers r
Modify register value r eax=1
Dump memory db 0x12345678 L32
Modify memory (patch) eb 0x12345678 90 90 90
List loaded modules lm

πŸ“Œ 10. When to Use WinDbg for Reverse Engineering

βœ… When debugging applications with symbols (.pdb)
βœ… When analyzing Windows internals (API calls, system behavior)
βœ… When analyzing crash dumps and minidumps
❌ Not ideal for malware analysis or packed binaries (use OllyDbg, x64dbg, or IDA Pro instead)

@DealsBeam
Copy link

DealsBeam commented Jun 24, 2025

Genuine question, what prompt did you use for this guide?

@MangaD
Copy link
Author

MangaD commented Jun 24, 2025

@DealsBeam The prompts are similar to the titles:

  • Give me a comprehensive guide on WinDbg
  • How does Visual Studio’s "Debug -> Attach to Process" compare to WinDbg?
  • How does WinDbg compare to OllyDbg?
  • How to use WinDbg for Reverse Engineering?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment