Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel - VOL.1 (Web Edition)

This page has been machine-translated from the original page.

All content in this book is based on information from official documentation, other websites, or publicly available books and similar sources. For that reason, when I refer to technical topics, I cite the source in footnotes whenever possible. In addition, everything written in this book reflects my personal views and does not represent the company or organization I belong to.

I am publishing the contents of Magical WinDbg -雰囲気で楽しむ Windows ダンプ解析とトラブルシューティング-, which I distributed for free at Tech Book Fest 15.

The PDF edition is still available for download from the Tech Book Fest online market page linked above.

About this book

Thank you very much for picking up this book. I’m Kashiwaba (@kash1064).

My main interests are in reverse engineering and digital forensics, and in my spare time I participate in security competitions known as Capture The Flag (CTF).

The goal of this book is to provide Japanese-language information—in the format of a self-published technical book—that can serve as a starting point for people tackling Windows dump analysis for the first time. With that in mind, it introduces knowledge for troubleshooting Windows systems, mainly centered on analyzing Windows dump files.

That said, please note in advance that this book is not intended to be a comprehensive beginner’s guide to Windows dump analysis.

For introductory topics, the book points readers to useful reference sources while structuring the material around reading Windows dump files with a variety of tools.

Why I wrote this book

When I first started working on Windows dump analysis, the first thing I felt was how little information there was about it.

The official documentation had a fair amount of tutorials and command references, but at the time it was still somewhat difficult for me to actually proceed with dump file analysis based on that information.

Also, much of the information I could find online only went as far as saying things like “load the dump file into a debugger and run !analyze -v,” so I had a hard time finding the information I really wanted in order to analyze dump files myself.

What helped me somehow keep going more than anything else was the existence of the book “Windows ダンプの極意 エラーが発生したら、まずダンプ解析!”1.

Unfortunately, that book was already out of print by the time I wrote this one, but as far as I know it is the only Japanese-language book that explains Windows dump analysis in detail.

Another book translated into Japanese, “インサイド Windows 第 6 版 下”2, included a roughly 50-page chapter on crash dump analysis, but unfortunately that chapter was removed starting with the 7th edition.

So, at least as far as I know, there are currently no Japanese-language books in print that provide introductory information on Windows dump analysis.

It is also difficult to find good Japanese articles online that collect useful information on the topic.

It is very unfortunate when people who have the chance to work on Windows dump analysis cannot find an accessible starting point because so little information is available, and end up stepping away from it altogether.

That is why I wrote this book: to provide a starting point for people working on Windows dump analysis, and to give as many people as possible a reason to become interested in analyzing Windows dump files.

Now that you have picked up this book, it would not be an exaggeration to say that more than 90% of my goal in writing it has already been achieved.

Thank you again.

I hope you will enjoy exploring Windows dump analysis with me through this book.

What this book covers

As mentioned above, this book mainly introduces knowledge for troubleshooting Windows systems, centered on analyzing Windows dump files. However, it is not intended to be a comprehensive introductory book on Windows dump analysis.

Analyzing Windows dump files requires broad prerequisite knowledge about how operating systems and programs work, but there are already many good beginner-friendly resources for that background, so this book does not go into those topics in detail.

Also, the tool used for dump analysis in this book is WinDbg, and the bundled help plus the official documentation3 already cover how to use WinDbg and its commands thoroughly.

For that reason, this book assumes that you will refer to the books and web pages listed as references for introductory knowledge and tool usage, and I would like to focus as much as possible on Windows dump analysis itself.

Also, because everything I want to cover will not fit into a single volume, I plan to write it in multiple parts.

This first volume covers the following topics.

  • Analyze user-mode process dumps captured when an application crash occurs
  • Analyze user-mode process memory leaks using both process dumps and full memory dumps
  • Analyze full memory dumps captured when a system crash occurs

In this book, analysis is performed in an environment prepared on Windows 10 22H2, using the following tools.

  • WinDbg x64 (Classic)
  • WinDbg (Windows app)
  • GFlags
  • PowerShell
  • Process Monitor
  • Process Explorer
  • ProcDump
  • VMMap
  • RAMMap
  • Resource Monitor
  • Task Manager
  • Registry Editor
  • Ghidra version 10.2.3

To make dump analysis feel as approachable as possible, this book aims to let you enjoy the analysis from multiple angles using several different tools.

Because of that, please note that the book includes several tools that you might not actually use when performing Windows dump analysis in day-to-day work.

Detailed environment setup steps are explained in Chapter 1.

Unfortunately, Vol.1 does not cover live debugging of applications or the kernel with WinDbg.

I would have loved to introduce interesting troubleshooting techniques unique to live debugging—such as setting breakpoints with specific conditions, using gflags, and altering memory contents—but I have omitted them from Vol.1.

However, for readers more interested in live debugging than dump file analysis, I will introduce a few references below, so please take a look if you are interested.4, 5, 6, 7

“解析魔法少女美咲ちゃん マジカル・オープン!”4 and “デバッガによるx86プログラム解析入門 x64 対応版”5 do not use WinDbg, but both clearly explain introductory user-mode debugging topics.

“Inside Windows Debugging”6 and “Advanced Windows Debugging”7 are both in English, but they provide detailed explanations of debugging techniques with WinDbg, including kernel debugging.

“Advanced Windows Debugging” is somewhat old, but it still covers Windows Vista, and much of its information can still be used as-is on modern OS environments.

Target readers

That concludes the overview of what this book covers.

This book is aimed at readers like the following.

  • People who know a little about C and assembly language but are new to Windows dump analysis
  • People who are interested in reverse engineering CTF challenges and want to try WinDbg
  • People who have done Windows dump analysis before but still feel vaguely uncomfortable with it

On the other hand, please understand in advance that this book is unlikely to meet the expectations of readers like the following.

  • People who already have sufficient knowledge of troubleshooting and dump analysis and are looking for more specialized information
  • People who want to learn in detail about the internal behavior of Windows systems

About the author

I’m Kashiwaba (@kash1064).

I love security, and I am especially interested in reverse engineering and digital forensics.

My main certifications are CISSP and OSCP.

I also participate as a hobby in security competitions called Capture The Flag (CTF) with a team named 0nePadding.

Every day I study binary and log analysis and troubleshooting techniques, and among those topics I especially enjoy analyzing Windows programs and system dump files.

I work at Microsoft Japan, but everything written in this book reflects my personal views. It does not represent the company or organization I belong to, nor is it stealth marketing for any specific product or service.

Also, all content in this book is based on information from official documentation, other websites, or publicly available books and similar sources.

Whenever I refer to technical topics in this book, I cite the source in footnotes whenever possible.

Acknowledgements

I received tremendous support from the members of the CTF team 0nePadding while writing this book.

I would like to express my sincere thanks to @r1k0t3k1, @salty_byte, and @t0m3y, members of 0nePadding, for helping with proofreading.


  1. Windows ダンプの極意 エラーが発生したら、まずダンプ解析! (by 上原 祥市 / アスキーメディアワークス / 2008)

  2. インサイド Windows 第 6 版 下 (by Mark E. Russinovich, David A. Solomon, Alex Ionescu / translated by 株式会社クイープ / 日経 BP 社 / 2013)

  3. Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/

  4. 解析魔法少女美咲ちゃん マジカル・オープン! (by やねう解析チーム / 秀和システム / 2004)

  5. デバッガによるx86プログラム解析入門 x64 対応版 (by Digital Travesia管理人 うさぴょん / 秀和システム / 2018)

  6. Inside Windows Debugging (by Tarik Soulami / Microsoft Press / 2012)

  7. Advanced Windows Debugging (by Mario Hewardt, Daniel Pravat / Addison-Wesley / 2007)