Skip to content

Instantly share code, notes, and snippets.

@MangaD

MangaD/windbg.md

Last active October 12, 2025 14:42
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save MangaD/3bbeae1b326351b2728d856fb5cd651c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save MangaD/3bbeae1b326351b2728d856fb5cd651c to your computer and use it in GitHub Desktop.
Download ZIP
Comprehensive Guide to Using WinDbg (Windows Debugger)
Raw
windbg.md

📌 Comprehensive Guide to Using WinDbg (Windows Debugger)

CC0

Disclaimer: ChatGPT generated document.

WinDbg (Windows Debugger) is a powerful debugging tool for Windows that can be used for kernel-mode and user-mode debugging, crash dump analysis, reverse engineering, and performance analysis.

This guide will cover:

Installation & Setup
Basic Commands
User-Mode Debugging
Kernel Debugging
Crash Dump Analysis
Advanced WinDbg Techniques

📌 1. Installing & Setting Up WinDbg

✔️ Downloading WinDbg

WinDbg Preview (Recommended for newer versions)
👉 Available via Microsoft Store: WinDbg Preview

Classic WinDbg (For older versions)
👉 Part of Windows SDK: Windows SDK Download

📌 WinDbg Preview is recommended as it has a better UI and new features.

📌 2. Basic WinDbg Commands

Once inside WinDbg, you can use commands to examine memory, breakpoints, stack traces, and variables.

✔️ Basic Navigation

Command Description
.help Show available commands
.hh command Open help for a command
!help List debugger extensions
.symfix Automatically set symbol path
.reload Reload symbols

✔️ Attach WinDbg to a Running Process

To attach to a running process, use:

  1. Open WinDbg
  2. Click File → Attach to a Process
  3. Select the target process
  4. Click OK

📌 Or, use the command line:

windbg -pn my_program.exe

📌 3. User-Mode Debugging

✔️ Setting Breakpoints

Command Description
bp <address> Set a breakpoint at an address
bl List all breakpoints
bc <ID> Clear a specific breakpoint
bd <ID> Disable a breakpoint
be <ID> Enable a breakpoint

Example: Break at main()

bp my_program!main

✔️ Viewing Call Stack

Command Description
k Show call stack
kb Show call stack with arguments
kp Show call stack with function parameters
kv Show call stack with variable info

📌 Example: Show a function call stack

kb

✔️ Inspecting Variables

Command Description
dt <Type> Display structure type information
?? <Variable> Display variable value
dv List local variables
dw <Address> Display memory at address

📌 Example: Inspect a C++ object

dt my_program!MyClass my_object

📌 4. Kernel-Mode Debugging

Kernel debugging is useful for analyzing BSODs (Blue Screens of Death), driver issues, and system crashes.

✔️ Setting Up Kernel Debugging

  1. Enable Debugging Mode

    in Windows:

    bcdedit /debug on

  2. Connect to a Kernel Debugging Session

    :

    kd -k com:port=\\.\pipe\com_1

  3. Run Kernel Debugging Commands

    :

    !analyze -v

✔️ Viewing Running Threads

Command Description
!process 0 0 List all running processes
!thread Show current thread info
~ List all threads
~#s Switch to thread #

📌 5. Crash Dump Analysis

WinDbg is widely used to analyze crash dumps (BSODs and application crashes).

✔️ Load a Crash Dump

  1. Open WinDbg
  2. Click File → Open Crash Dump
  3. Select the .dmp file

📌 Or, via the command line:

windbg -z C:\Windows\Minidump\memory.dmp

✔️ Analyze the Crash

Command Description
!analyze -v Perform crash dump analysis
!analyze -hang Analyze application hang
lm List loaded modules
lmv List module details

📌 Example: Analyze a BSOD

!analyze -v

📌 6. Advanced WinDbg Techniques

✔️ Debugging Memory & Registers

Command Description
r Display registers
r eax Show register EAX
r eax=0x1234 Set register EAX
db <Address> Dump memory as bytes
dw <Address> Dump memory as words

📌 Example: Dump memory at address 0x1000

db 0x1000 L32

✔️ Symbol Management

WinDbg uses symbols (.pdb files) to map function names and variables correctly.

📌 Set Symbol Path:

.sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
.reload

📌 Check if symbols are loaded:

lm

📌 7. Summary & Quick Reference

Task Command
Attach to a Process windbg -pn my_program.exe
Set a Breakpoint bp my_program!main
View Call Stack kb
Inspect a Variable ?? myVar
Analyze a Crash Dump !analyze -v
Dump Memory db 0x1000 L32

Visual Studio’s "Debug -> Attach to Process" vs WinDbg

Visual Studio’s "Debug -> Attach to Process" does not use WinDbg directly. Instead, it uses its own debugging engine (DbgEng), which is part of the Visual Studio Debugger (VS Debugger).

📌 How Does Visual Studio’s "Attach to Process" Work?

  1. Uses the Microsoft Visual Studio Debugger

    • The VS Debugger is separate from WinDbg but shares some underlying Windows debugging components (DbgHelp.dll, DbgEng.dll).

  2. Provides a UI-friendly Debugging Experience

    • Unlike WinDbg (which is command-line heavy), Visual Studio offers GUI tools like breakpoints, watch windows, call stack navigation, and variable inspection.

  3. Supports Different Debugging Types

    • Managed Debugging (for .NET apps)
    • Native Debugging (for C/C++ apps)
    • Mixed-Mode Debugging (for apps using both .NET & native code)

  4. Can Attach to Running Processes

    • This allows debugging without restarting an application.

📌 Does Visual Studio Use WinDbg Internally?

No, Visual Studio does not call WinDbg when attaching to a process.
However, both WinDbg and Visual Studio use the same Windows Debug API (DbgEng.dll), meaning they can both debug user-mode and kernel-mode applications.

📌 When Should You Use WinDbg Instead of Visual Studio?

Scenario Use Visual Studio Debugger Use WinDbg
Debugging a .NET or C++ App ✅ Yes ❌ Not Ideal
Debugging Kernel (BSODs) ❌ No ✅ Yes
Debugging Large Crash Dumps ❌ No ✅ Yes
Debugging Malware/Reverse Engineering ❌ No ✅ Yes
Debugging a Process Without Symbols ❌ Harder ✅ Easier
Debugging in Production ❌ No ✅ Yes

📌 WinDbg is preferred for deep system debugging, reverse engineering, and crash dump analysis.
📌 Visual Studio is preferred for application development and interactive debugging.

WinDbg vs OllyDbg

CC0

Disclaimer: ChatGPT generated document.

📌 WinDbg vs. OllyDbg – A Comprehensive Comparison

Both WinDbg and OllyDbg are powerful debugging tools, but they serve different purposes.

WinDbg → Used for Windows system debugging, crash dump analysis, kernel debugging, and large-scale application debugging.
OllyDbg → Used for reverse engineering, malware analysis, and analyzing compiled binaries without source code.

📌 1. High-Level Comparison

Feature WinDbg OllyDbg
Purpose System debugging, kernel debugging, crash dump analysis Reverse engineering, binary analysis, malware analysis
Type Symbolic debugger Disassembler/debugger
User Interface Command-line + GUI Graphical with interactive assembly view
Supported Platforms x86, x64 Primarily x86 (OllyDbg 2.0 supports x64)
Kernel Debugging ✅ Yes ❌ No
User-Mode Debugging ✅ Yes ✅ Yes
Crash Dump Analysis ✅ Yes ❌ No
Debugging Without Source Code ✅ Yes (with symbols) ✅ Yes (without symbols)
Dynamic Analysis (Hooking, API Monitoring, Code Injection) ❌ Limited ✅ Yes
Breakpoints ✅ Software & Hardware Breakpoints ✅ Software & Hardware Breakpoints
Graphical Disassembly View ❌ No ✅ Yes
Plugins & Extensibility ✅ Yes (via WinDbg Extensions) ✅ Yes (OllyDbg Plugins)

📌 Conclusion:

  • Use WinDbg if you are analyzing Windows internals, kernel bugs, system crashes, or large applications.
  • Use OllyDbg if you are reverse engineering, analyzing malware, or modifying compiled binaries.

📌 2. Use Cases: When to Use WinDbg vs. OllyDbg

Scenario Use WinDbg? Use OllyDbg?
Debugging a running Windows process ✅ Yes ✅ Yes
Debugging Windows kernel or drivers ✅ Yes ❌ No
Analyzing a crash dump (BSOD, minidump) ✅ Yes ❌ No
Reverse engineering a compiled program (no source code) ❌ No ✅ Yes
Debugging malware behavior ❌ No ✅ Yes
Debugging a large application with symbols ✅ Yes ❌ No
Stepping through a disassembled binary ❌ No ✅ Yes
Viewing Assembly Instructions ✅ Yes (limited) ✅ Yes (graphical)

📌 Summary:

  • WinDbg is the tool of choice for system debugging, crash dump analysis, and Windows internals.
  • OllyDbg is best for reverse engineering, malware analysis, and low-level binary manipulation.

📌 3. Features in Detail

✔️ WinDbg: Strengths & Weaknesses

Strengths

✔️ Kernel Debugging – Can debug Windows drivers and kernel crashes.
✔️ Crash Dump Analysis – Used for analyzing BSODs and application crashes.
✔️ Symbolic Debugging – Works well with .pdb symbol files to display function names and variables.
✔️ Multi-threaded Debugging – Can debug complex multi-threaded applications.
✔️ Microsoft-Supported – Used for official debugging in Windows development.

Weaknesses

Difficult to Use – Command-line heavy; requires deep Windows internals knowledge.
No Disassembler View – Unlike OllyDbg, it lacks a graphical assembly view.
Not Great for Reverse Engineering – Harder to analyze binaries without symbols.

✔️ OllyDbg: Strengths & Weaknesses

Strengths

✔️ Graphical Assembly View – Shows disassembled binary code with function calls.
✔️ Great for Reverse Engineering – Used for cracking, binary patching, and malware analysis.
✔️ No Source Code Required – Can analyze any compiled executable.
✔️ Plugins & Extensibility – Supports third-party plugins for additional functionality.
✔️ Dynamic Analysis – Can hook functions, patch executables, and trace API calls.

Weaknesses

No Kernel Debugging – Cannot debug Windows drivers or analyze BSODs.
No Symbol Support – Unlike WinDbg, it does not load .pdb files for debugging with symbols.
Not Ideal for Large Applications – Better suited for small-to-medium binaries rather than system-level debugging.

📌 4. How They Work Internally

✔️ How WinDbg Works

  1. Uses Windows Debug API (DbgEng.dll) to interact with processes.
  2. Loads symbol files (.pdb) to map function names and variables.
  3. Provides both user-mode and kernel-mode debugging.
  4. Can analyze memory dumps (Minidumps, Full Dumps, Kernel Dumps).
  5. Executes commands via WinDbg Extensions (e.g., !analyze -v).

📌 Example: Attach to a process in WinDbg:

windbg -pn my_program.exe

✔️ How OllyDbg Works

  1. Loads an executable file (EXE, DLL) directly into memory.
  2. Disassembles the binary into assembly instructions.
  3. Hooks API calls and modifies memory at runtime.
  4. Uses breakpoints to analyze execution flow.
  5. Allows manual patching of instructions in the executable.

📌 Example: Open an EXE in OllyDbg:

  • File → Open → Select my_program.exe
  • Press F9 to start debugging.

📌 5. Conclusion: Which One Should You Use?

Use Case Best Tool
Debugging Windows crashes (BSOD, minidumps) WinDbg
Debugging a running Windows process with symbols WinDbg
Kernel-mode debugging (drivers, system analysis) WinDbg
Debugging malware, reverse engineering, or cracking software OllyDbg
Analyzing an EXE without source code OllyDbg
Debugging user-mode applications without symbols OllyDbg

📌 Final Verdict:

  • Use WinDbg for Windows system debugging, BSOD analysis, and debugging large applications with symbols.
  • Use OllyDbg for reverse engineering, malware analysis, and debugging compiled binaries without source code.

📌 Step-by-Step Guide: Using WinDbg for Reverse Engineering

WinDbg is not the best tool for reverse engineering (compared to tools like OllyDbg, IDA Pro, or x64dbg), but it can still be used to analyze binaries, set breakpoints, inspect memory, and modify execution flow.

This guide will show step-by-step how to reverse engineer a Windows application using WinDbg, including: ✅ Attaching to a Running Process
Setting Breakpoints
Inspecting Memory & Registers
Disassembling Code
Modifying Execution Flow

📌 1. Setup: Install & Open WinDbg

✔️ Download WinDbg

✅ Use WinDbg Preview (recommended) from the Microsoft Store
👉 Download WinDbg Preview

✅ Alternatively, download the classic WinDbg from the Windows SDK
👉 Windows SDK Download

✔️ Open WinDbg

  1. Run WinDbg as Administrator (Right-click → Run as Admin).
  2. Go to "File" → "Attach to a Process".
  3. Select the target application (e.g., notepad.exe or my_target.exe).
  4. Click OK to start debugging.

📌 Alternatively, attach via the command line:

windbg -pn my_target.exe

📌 2. Attach to a Running Process

✔️ Find the Target Process

Use:

.tlist

This will list all running processes.

Example output:

   1234 my_target.exe
   5678 explorer.exe
   9101 cmd.exe

✔️ Attach to the Process

Use:

.attach 1234

📌 Replace 1234 with the PID of the target process.

📌 3. Set Breakpoints

Now, we need to find a function of interest and set a breakpoint.

✔️ Set a Breakpoint on a Function

To break at MessageBoxA (commonly used in Windows applications):

bp user32!MessageBoxA

📌 If unsure of the module name, use:

x user32!*MessageBox*

✔️ List Breakpoints

bl

✔️ Remove a Breakpoint

bc 0

📌 This removes breakpoint ID 0.

📌 4. Run & Hit the Breakpoint

Run the program:

g

Once the breakpoint hits, execution will pause, allowing you to inspect registers, memory, and stack.

📌 5. Inspecting Memory & Registers

✔️ View Register Values

r

Example output:

eax=00000000 ebx=12345678 ecx=87654321 edx=abcdef12

To inspect a specific register:

r eax

✔️ View Stack Memory

dps esp

📌 Shows function arguments in the stack.

✔️ Dump Memory at a Specific Address

db 0x00400000 L16

📌 Dumps 16 bytes at address 0x00400000.

📌 6. Disassemble Code & Modify Execution

✔️ Disassemble Current Instruction

u

Example output:

00401000  push ebp
00401001  mov ebp,esp
00401003  sub esp,0x10
00401006  call 0x00402000

✔️ Disassemble a Specific Address

u 0x00401000

✔️ Modify Execution Flow

(1) Skip a Function Call

If execution reaches:

call 0x00402000

You can skip it by modifying the EIP register:

r eip=0x00401006
g

This makes execution jump past the function call.

(2) Modify Register Values

If eax contains a return value that needs to be changed:

r eax=1
g

This forces a function to return 1 instead of 0.

📌 7. Dump & Modify Strings in Memory

✔️ Find & Dump Strings

Use:

!strings -a

This lists all ASCII strings in memory.

To dump memory at a specific location:

db 0x12345678 L32

📌 Shows 32 bytes at address 0x12345678.

✔️ Modify Memory (Patch a Value)

To modify a specific memory address, use:

eb 0x12345678 90 90 90

📌 This overwrites the first 3 bytes with NOP instructions (0x90).

📌 8. Export & Analyze Debugging Data

✔️ Save Debugging Session

.dump /f my_debug.dmp

📌 Saves current session for later analysis.

✔️ Export Loaded Modules

lm

📌 Lists all loaded DLLs and EXEs.

✔️ Save Log Output

To log all commands:

.logopen my_log.txt

📌 9. Summary & Cheat Sheet

Task Command
Attach to process .attach <PID>
Set a breakpoint bp user32!MessageBoxA
List breakpoints bl
Run program g
Disassemble code u
View registers r
Modify register value r eax=1
Dump memory db 0x12345678 L32
Modify memory (patch) eb 0x12345678 90 90 90
List loaded modules lm

📌 10. When to Use WinDbg for Reverse Engineering

When debugging applications with symbols (.pdb)
When analyzing Windows internals (API calls, system behavior)
When analyzing crash dumps and minidumps
Not ideal for malware analysis or packed binaries (use OllyDbg, x64dbg, or IDA Pro instead)

@MangaD
Copy link
Author

MangaD commented Jun 24, 2025

@DealsBeam The prompts are similar to the titles:

  • Give me a comprehensive guide on WinDbg
  • How does Visual Studio’s "Debug -> Attach to Process" compare to WinDbg?
  • How does WinDbg compare to OllyDbg?
  • How to use WinDbg for Reverse Engineering?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment