Magical WinDbg 2 - Learn User-Mode & Kernel Debugging Through CTFs - (Web Edition)

This page has been machine-translated from the original page.

All content in this book is based on information from official documentation and other websites, or from publicly available books and similar sources. For that reason, when I refer to technical topics, I cite sources in footnotes whenever possible. In addition, everything written in this book reflects my personal views and does not represent any company or organization I belong to.

I am publishing the contents of Magical WinDbg 2 - Learn User-Mode & Kernel Debugging Through CTFs -, which I distributed for free at Tech Book Fest 16.

About This Book

Thank you very much for picking up this book. My name is Kashiwaba (@kash1064).

My main areas of interest are reverse engineering and digital forensics, and as a hobby I participate in security competitions called Capture The Flag (CTF).

In this book, I use a CTF Reversing challenge as the theme to introduce Windows user-mode and kernel-mode debugging techniques with WinDbg.

In a typical Reversing challenge in a CTF, the goal is to analyze a given executable using various tools and techniques and obtain the correct keyword (Flag).

In a typical Reversing challenge, analysis proceeds roughly through the following steps.

  1. First, examine the target program at a high level using its file type, metadata, header information, and similar clues. (Surface analysis)
  2. Next, use a disassembler tool (or decompiler) to reconstruct the target program into assembly code or pseudo-C code and understand its implementation without actually running it. (Static analysis)
  3. Then, run the program and observe its behavior. You can also use a debugger such as WinDbg or gdb to pause execution and inspect or modify CPU registers and memory in order to understand how the program works. (Dynamic analysis)
  4. Finally, combine the results from each step to uncover the full picture of the program and identify information that the user would not normally know, such as a password, in order to obtain the correct keyword (Flag).

This book follows those same steps to analyze the program and obtain the Flag, while introducing Windows user-mode and kernel-mode debugging techniques with WinDbg along the way.

Like “Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel -” 1, which I distributed at Tech Book Fest 15, this book is not intended to comprehensively cover introductory Windows debugging topics.

Instead, it is structured as a hands-on guide for enjoying Windows debugging, while also pointing readers to useful sources for foundational topics.

Why I Wrote This Book

In this book, I introduce debugger scripts available in the latest WinDbg and methods for analyzing kernel driver modules with a kernel debugger.

There is currently plenty of information about debugging Windows executables, but I feel that there is still very little information available in Japanese about how to use WinDbg as a debugger or about Windows kernel debugging.

In particular, the latest installable version of WinDbg provides powerful features such as JavaScript debugger scripts 2, but I feel that knowledge about these relatively new capabilities is still limited.

Information about Windows kernel debugging is also scarce because the prerequisite knowledge required for analysis is more advanced, and as far as I know there are almost no books written in Japanese on the topic.

Given that situation, I wrote this book in the hope of increasing the amount of Japanese-language information about WinDbg-based debugging techniques and Windows kernel debugging, even if only a little.

This book does not comprehensively cover introductory Windows debugging knowledge with WinDbg, but I hope it will help people who are interested in WinDbg and Windows kernel debugging and want to start working with them.

About the Content of This Book

As mentioned above, this book uses a CTF Reversing challenge as its theme to introduce Windows user-mode and kernel-mode debugging techniques with WinDbg.

Windows debugging, especially kernel debugging, requires broad prerequisite knowledge about how Windows OS and programs work.

However, since there are already several high-quality introductory resources covering those prerequisites, this book does not discuss them in detail.

Likewise, I do not go into detail about how to operate WinDbg itself, such as its debugger commands, because the built-in help and the official documentation 3 already cover those topics well.

That said, for prerequisite knowledge that is needed for analysis, I introduce reference sources in footnotes whenever possible.

In short, this book treats prerequisite knowledge and tool operation details as supporting references and focuses as much as possible on Windows debugging itself.

This book analyzes an executable program and a kernel driver module modeled after a CTF Reversing challenge through the following steps.

  • In Chapter 2, we perform surface analysis of the target programs to understand their overall nature and file types.
  • In Chapter 3, we use analysis tools such as Binary Ninja to perform static analysis of the user-mode program.
  • In Chapter 4, based on the results of Chapter 3, we use WinDbg to debug the user-mode program and obtain the correct Flag.
  • In Chapter 5, we again use tools such as Binary Ninja to perform static analysis of the kernel driver module.
  • In Chapter 6, based on the results of Chapter 5, we use WinDbg to perform Windows kernel debugging and obtain the correct Flag.

Reference Books for Windows Debugging

Here I would like to introduce several reference books for readers who are interested in debugging Windows programs, including topics not covered in this book.

I cannot cover everything, but I hope these references will be helpful for readers who are just getting started with Windows program debugging.

“Analysis Magical Girl Misaki-chan: Magical Open!” 4 and “An Introduction to x86 Program Analysis with a Debugger: x64-Compatible Edition” 5 do not use WinDbg, but I recommend them because they clearly explain introductory topics in Windows user-mode debugging.

In addition, “Inside Windows Debugging” 8 and “Advanced Windows Debugging” 9 are both English-language books, but they are among the few books that explain debugging techniques using WinDbg in detail, including kernel debugging.

“Advanced Windows Debugging” is somewhat dated, covering Windows only up to parts of Vista, but much of its content can still be applied as-is on modern operating systems.

In addition, “Inside Windows, 7th Edition, Volumes 1 and 2” 10 11 are also among the most useful books for examining the details of Windows components.

Furthermore, “Practical Malware Analysis” 12 and “The Art of Memory Forensics” 13 also cover kernel debugging with WinDbg and undocumented Windows internals in detail, making them extremely valuable references.

About the Author

I am Kashiwaba (@kash1064).

I love security, and I am particularly interested in reverse engineering and digital forensics.

My main certifications are CISSP and OSCP.

As a hobby, I participate in security competitions called Capture The Flag (CTF) on a team called 0nePadding.

I spend my time learning about binary analysis, log analysis, and troubleshooting techniques, and among those I especially enjoy analyzing Windows programs and system dump files.

I also introduced Windows dump analysis techniques in “Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel -” 1, which I distributed at Tech Book Fest 15.

Although I belong to Microsoft Japan, everything written in this book reflects my personal views and does not represent the views of the company or organization I belong to, nor is it stealth marketing for any particular product or service.

All content in this book is based on information from official documentation and other websites, or from publicly available books and similar sources.

Whenever I refer to technical topics in this book, I cite sources in footnotes whenever possible.

Acknowledgements

I received tremendous support from the members of the CTF team 0nePadding while writing this book.

I would like to express my sincere gratitude to @r1k0t3k1 and @salty_byte, both members of 0nePadding, for helping with proofreading.


  1. Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel - https://techbookfest.org/product/bnaHM8sVz6AfEiF8jgpELj

  2. JavaScript Debugger Scripting https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/javascript-debugger-scripting

  3. Microsoft Learn https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/

  4. Analysis Magical Girl Misaki-chan: Magical Open! (Yaneura Analysis Team / Shuwa System / 2004)

  5. An Introduction to x86 Program Analysis with a Debugger: x64-Compatible Edition (Digital Travesia administrator Usapyon / Shuwa System / 2018)

  6. Detailed Security Contest: Learning Vulnerability Exploitation Techniques through CTFs (Tsubasa Umenai, Yutaro Shimizu, Yudai Fujiwara, Yuto Maeda, Takashi Yoneuchi, Yu Watanabe / Mynavi Publishing / 2021)

  7. Inside Windows Debugging (Tarik Soulami / Microsoft Press / 2012)

  8. Advanced Windows Debugging (Daniel Hewardt, Mario Pravat / 2007)

  9. Inside Windows, 7th Edition, Volume 1 (Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, David A. Solomon / translated by 山内 和朗 / Nikkei BP / 2018)

  10. Inside Windows, 7th Edition, Volume 2 (Andrea Allievi, Alex Ionescu / translated by 山内 和朗 / Nikkei BP / 2022)

  11. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Michael Sikorski, Andrew Honig / No Starch Press / 2012)

  12. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters / John Wiley & Sons Inc / 2014)