\n\nThis page has been machine-translated from the original page.
\n
In this chapter, I introduce the setup procedure for the environment used in this book.
\nThis book assumes readers are using Windows Home edition machines, so the setup procedure introduced in Chapter 1 does not use virtual machines. However, when applying the settings and installing the tools introduced in this book, I recommend using a virtual machine whenever possible. (Even if you use Windows 10 / 11 Home edition, you can still use third-party virtualization applications such as VirtualBox or VMware.)
\n\nThe content of this book has been verified in the following environment.
\nFirst, the environment used in this book is as follows.
\nThe environment used in this book is shown above, but there is no need to match the hardware and OS exactly.
\nHowever, to work comfortably, I recommend using a machine with at least an Intel Core i3 CPU and 8 GB of RAM.
\nThere are no specific requirements for the Windows OS version or edition.
\nFirst, run vc_redist.x64.exe, which can be downloaded from the URL below, to install the latest redistributable package on the virtual machine.
vc_redist.x64.exe:
\nhttps://aka.ms/vs/17/release/vc_redist.x64.exe
\nInstalling this redistributable package is necessary to run the D4C.exe program used in this book.
\nNext, install Debugging Tools for Windows on the machine that will be used for Windows dump analysis.
\nDebugging Tools for Windows includes debuggers such as WinDbg1 and tools such as GFlags2 that are useful for troubleshooting in Windows environments.
\nThere are several ways to install Debugging Tools for Windows, but in this book I use Windows SDK (10.0.22621) to install it.
\nFirst, access the Windows SDK download page at the URL below and download winsdksetup.exe from [Download the installer].
Windows SDK:
\nhttps://developer.microsoft.com/ja-jp/windows/downloads/windows-sdk/ 3
\nNext, double-click the downloaded winsdksetup.exe to run it.
If you proceed through the installer with the default settings, a screen for selecting packages to install appears near the end.
\nYou can choose any items to download here, but make sure that [Debugging Tools for Windows] is checked.
\nRun the installer with [Debugging Tools for Windows] checked.
\nAfter the installer finishes, confirm that windbg.exe and gflags.exe exist under C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64. (Although this book does not use it, the x86 version of windbg.exe exists under C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86.)
Because these programs are used frequently, it is a good idea to create shortcuts for them if needed.
\nBy the way, there is also a newer Windows app version of WinDbg.
\nCompared with WinDbg (Classic), which is used in this book, the Windows app version of WinDbg offers a more modern UI and powerful features such as Time Travel Debugging (TTD).
\nThis book does not use the Windows app version of WinDbg, but the features and commands used for dump analysis are the same as in WinDbg (Classic).
\nTherefore, there is no problem if you use the Windows app version of WinDbg for dump analysis.
\nAfter Ghidra starts, create a project with any name from [File] > [New Project].
\nNext, download D4C.exe (v0.1), the tool used in this book to generate dump files for analysis, from the repository below.
\nD4C Release Page:
\nhttps://github.com/kash1064/garyu-windbg/releases/tag/v0.111
\nBecause this book does not use symbol files for analyzing binaries or dumps, I recommend not downloading D4C.pdb at first.
Next, on the machine where you will collect dump files, configure full memory dump collection and enable keyboard crash.
\nThe configuration is simple: copy D4C.exe, which you placed in the shared folder earlier, to a local folder on the virtual machine, run it, type 0 at the first menu, and press Enter.
After the system restarts, if a FULL_MEMORY.DMP file roughly the same size as the virtual machine’s physical memory has been created directly under C:\\Windows, you can judge that the full dump setting is working correctly.
Incidentally, the keyboard crash configured by the procedure in this book does not work when you are connected over RDP.
\nIf you can use a physical keyboard, you can trigger a system crash by signing in directly to the local machine and pressing the right Ctrl key while pressing the Space key twice.
\nIf you are using a Hyper-V virtual machine, you can also trigger a keyboard crash by signing in to the machine with Enhanced Session disabled and pressing the right Ctrl key while pressing the Space key twice.
\nIf you are using another virtual machine platform such as VirtualBox, try seeing whether you can trigger a keyboard crash with a software keyboard.
\nIf you are in an environment where keyboard crash cannot be used, you can also intentionally reproduce a system crash with notmyfault.exe, included in the SysinternalsSuite downloaded when installing the Sysinternals utilities.
When you troubleshoot with tools such as WinDbg or Process Monitor (Procmon), obtaining the proper symbols is extremely important.
\nSymbols14 are information such as function names and variable names that are not included in executable files such as EXEs and DLLs.
\nWhen you use tools such as WinDbg, obtaining and referencing the appropriate symbols allows you to analyze things more smoothly.
\nIn general, the symbol information used for dump file analysis can be obtained from the symbol server15 published by Microsoft.
\nHowever, symbol information for some non-public modules, or symbol information for software independently developed by third parties, cannot be downloaded from Microsoft’s public symbol server.
\nIf the program being analyzed was developed by the user, you can also load pdb or dbg files generated when building the program into the debugger and use them as symbol information.
In this section, I configure WinDbg and Process Monitor so they can obtain symbols from the symbol server published by Microsoft.
\nThis book does not require it, but if necessary, it is also a good idea to apply the same settings to Process Explorer.
\nFirst, start WinDbg x64 as administrator and press [Ctrl + S] to open the Symbol Scratch Path window.
\nEnter the following value in the Symbol Scratch Path window and click [OK].
\nsrv*https://msdl.microsoft.com/download/symbolsAfter the setting is complete, click [Save Workspace] under [File] in the upper-left corner.
\nThis saves the setting to the default workspace, so the symbol path configuration will remain in place the next time you start WinDbg.
\nNext, run Procmon64.exe as administrator from the SysinternalsSuite obtained in the earlier “Installing the Sysinternals utilities” section.
From the menu at the top of the Procmon window, click [Options] > [Configure Symbols…].
\nBy default, C:\\WINDOWS\\SYSTEM32\\dbghelp.dll is registered in [DbgHelp.dll path(version 6.0 or later)].
However, C:\\WINDOWS\\SYSTEM32\\dbghelp.dll usually does not satisfy the requirement of version 6.0 or later, so you need to specify the path to a dbghelp.dll that does satisfy that requirement.
A dbghelp.dll that meets this requirement is located directly under C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64, along with WinDbg x64 installed in the earlier “Installing Debugging Tools for Windows” section.
Therefore, specify the following path in [DbgHelp.dll path(version 6.0 or later)].
\nC:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\dbghelp.dllAlso, in [Symbol paths:], specify the address of Microsoft’s symbol server, just as you did for WinDbg.
\nsrv*https://msdl.microsoft.com/download/symbolsThis completes symbol server configuration.
\nIn this chapter, I set up the tools needed for analyzing Windows dump files and for troubleshooting.
\nWhen you analyze dump files for troubleshooting, it is important to understand in advance what kind of information is included in the dump files you collect and roughly how large those files will be.
\nAlso, while dump files certainly contain a great deal of information, the information you can inspect from a dump file is only a snapshot of memory at the instant the dump was collected.
\nSo, to troubleshoot more efficiently, you also need to use various investigation tools to trace system behavior before and after the problem occurs, and to investigate OS and application log files.
\nI do not believe there is a single fixed formula for troubleshooting.
\nAlthough this book focuses on analyzing Windows dump files, when you actually troubleshoot I hope you will use a variety of tools and features and enjoy analyzing the issue from every angle.
\nWhat is WinDbg https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/windbg-overview?source=recommendations
\n↩\nGFlags https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/gflags
\n↩\nWindows SDK - Windows app development https://developer.microsoft.com/ja-jp/windows/downloads/windows-sdk/
\n↩\nProcess Monitor https://learn.microsoft.com/ja-jp/sysinternals/downloads/procmon
\n↩\nProcess Explorer https://learn.microsoft.com/ja-jp/sysinternals/downloads/process-explorer
\n↩\nSysinternals https://learn.microsoft.com/ja-jp/sysinternals
\n↩\nWindows Sysinternals徹底解説 : 無償ツールで極めるトラブルシューティングテクニック (by Mark E. Russinovich, Aaron Margosis / translated by 山内 和朗 / 日経BP社 / 2017)
\n↩\nGhidra https://github.com/NationalSecurityAgency/ghidra
\n↩\nマスタリング Ghidra 基礎から学ぶリバースエンジニアリング完全マニュアル (by Chris Eagle, Kara Nance / technical supervision by 石川 朝久 / translated by 中島 将太, 小竹 泰一, 原 弘明 / オライリー・ジャパン / 2022)
\n↩\nリバースエンジニアリングツール Ghidra 実践ガイド セキュリティコンテスト入門からマルウェア解析まで (by 中島 将太, 小竹 泰一, 原 弘明, 川畑 公平 / マイナビ出版 / 2020)
\n↩\ngaryu-windbg https://github.com/kash1064/garyu-windbg/releases/tag/v0.1
\n↩\nUser-mode dump files https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/user-mode-dump-files
\n↩\nWindows Internals, 7th Edition, Part 2, p.571 (by Andrea Allievi, Mark E. Russinovich, Alex Ionescu, David A. Solomon / translated by 山内和朗 / 日系 BP 社 / 2022)
\n↩\nSymbols and symbol files https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/symbols-and-symbol-files
\n↩\nUsing a symbol server https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/using-a-symbol-server
\n↩\n