\n\nThis page has been machine-translated from the original page.
\n
\n\nAll content in this book is based on information from official documentation and other websites, or from publicly available books and similar sources. For that reason, when I refer to technical topics, I cite sources in footnotes whenever possible. In addition, everything written in this book reflects my personal views and does not represent any company or organization I belong to.
\n
I am publishing the contents of Magical WinDbg 2 - Learn User-Mode & Kernel Debugging Through CTFs -, which I distributed for free at Tech Book Fest 16.
\nThank you very much for picking up this book. My name is Kashiwaba (@kash1064).
\nMy main areas of interest are reverse engineering and digital forensics, and as a hobby I participate in security competitions called Capture The Flag (CTF).
\nIn this book, I use a CTF Reversing challenge as the theme to introduce Windows user-mode and kernel-mode debugging techniques with WinDbg.
\nIn a typical Reversing challenge in a CTF, the goal is to analyze a given executable using various tools and techniques and obtain the correct keyword (Flag).
\nIn a typical Reversing challenge, analysis proceeds roughly through the following steps.
\nThis book follows those same steps to analyze the program and obtain the Flag, while introducing Windows user-mode and kernel-mode debugging techniques with WinDbg along the way.
\nLike “Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel -” 1, which I distributed at Tech Book Fest 15, this book is not intended to comprehensively cover introductory Windows debugging topics.
\nInstead, it is structured as a hands-on guide for enjoying Windows debugging, while also pointing readers to useful sources for foundational topics.
\nIn this book, I introduce debugger scripts available in the latest WinDbg and methods for analyzing kernel driver modules with a kernel debugger.
\nThere is currently plenty of information about debugging Windows executables, but I feel that there is still very little information available in Japanese about how to use WinDbg as a debugger or about Windows kernel debugging.
\nIn particular, the latest installable version of WinDbg provides powerful features such as JavaScript debugger scripts 2, but I feel that knowledge about these relatively new capabilities is still limited.
\nInformation about Windows kernel debugging is also scarce because the prerequisite knowledge required for analysis is more advanced, and as far as I know there are almost no books written in Japanese on the topic.
\nGiven that situation, I wrote this book in the hope of increasing the amount of Japanese-language information about WinDbg-based debugging techniques and Windows kernel debugging, even if only a little.
\nThis book does not comprehensively cover introductory Windows debugging knowledge with WinDbg, but I hope it will help people who are interested in WinDbg and Windows kernel debugging and want to start working with them.
\nAs mentioned above, this book uses a CTF Reversing challenge as its theme to introduce Windows user-mode and kernel-mode debugging techniques with WinDbg.
\nWindows debugging, especially kernel debugging, requires broad prerequisite knowledge about how Windows OS and programs work.
\nHowever, since there are already several high-quality introductory resources covering those prerequisites, this book does not discuss them in detail.
\nLikewise, I do not go into detail about how to operate WinDbg itself, such as its debugger commands, because the built-in help and the official documentation3 already cover those topics well.
\nThat said, for prerequisite knowledge that is needed for analysis, I introduce reference sources in footnotes whenever possible.
\nIn short, this book treats prerequisite knowledge and tool operation details as supporting references and focuses as much as possible on Windows debugging itself.
\nThis book analyzes an executable program and a kernel driver module modeled after a CTF Reversing challenge through the following steps.
\nHere I would like to introduce several reference books for readers who are interested in debugging Windows programs, including topics not covered in this book.
\nI cannot cover everything, but I hope these references will be helpful for readers who are just getting started with Windows program debugging.
\n“Analysis Magical Girl Misaki-chan: Magical Open!” 4 and “An Introduction to x86 Program Analysis with a Debugger: x64-Compatible Edition” 5 do not use WinDbg, but I recommend them because they clearly explain introductory topics in Windows user-mode debugging.
\nIn addition, “Inside Windows Debugging” 8 and “Advanced Windows Debugging” 9 are both English-language books, but they are among the few books that explain debugging techniques using WinDbg in detail, including kernel debugging.
\n“Advanced Windows Debugging” is somewhat old, but it supports parts of Windows Vista, and much of its information can still be used as-is on modern operating systems.
\nIn addition, “インサイド Windows 第 7 版 上・下” 10 11 is also one of the most useful books for examining the details of Windows components.
\nFurthermore, “Practical Malware Analysis” 12 and “The Art of Memory Forensics” 13 also cover kernel debugging with WinDbg and undocumented Windows internals in detail, making them extremely valuable references.
\nI am Kashiwaba (@kash1064).
\nI love security, and I am particularly interested in reverse engineering and digital forensics.
\nMy main certifications are CISSP and OSCP.
\nAs a hobby, I participate in security competitions called Capture The Flag (CTF) on a team called 0nePadding.
\nI spend my time learning about binary analysis, log analysis, and troubleshooting techniques, and among those I especially enjoy analyzing Windows programs and system dump files.
\nI also introduced Windows dump analysis techniques in “Magical WinDbg -雰囲気で楽しむ Windows ダンプ解析とトラブルシューティング-” 1, which I distributed at Tech Book Fest 15.
\nI also introduced Windows dump analysis techniques in “Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel -” 1, which I distributed at Tech Book Fest 15.
\nAlthough I belong to Microsoft Japan, everything written in this book reflects my personal views and does not represent the views of the company or organization I belong to, nor is it stealth marketing for any particular product or service.
\nAll content in this book is based on information from official documentation and other websites, or from publicly available books and similar sources.
\nWhenever I refer to technical topics in this book, I cite sources in footnotes whenever possible.
\nI received tremendous support from the members of the CTF team 0nePadding while writing this book.
\nI would like to express my sincere gratitude to @r1k0t3k1 and @salty_byte, both members of 0nePadding, for helping with proofreading.
Magical WinDbg - Enjoying Windows Dump Analysis and Troubleshooting by Feel - https://techbookfest.org/product/bnaHM8sVz6AfEiF8jgpELj
\n↩\nJavaScript Debugger Scripting https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/javascript-debugger-scripting
\n↩\nMicrosoft Learn https://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/
\n↩\nAnalysis Magical Girl Misaki-chan: Magical Open! (Yaneura Analysis Team / Shuwa System / 2004)
\n↩\nAn Introduction to x86 Program Analysis with a Debugger: x64-Compatible Edition (Digital Travesia administrator Usapyon / Shuwa System / 2018)
\n↩\nDetailed Security Contest: Learning Vulnerability Exploitation Techniques through CTFs (Tsubasa Umenai, Yutaro Shimizu, Yudai Fujiwara, Yuto Maeda, Takashi Yoneuchi, Yu Watanabe / Mynavi Publishing / 2021)
\n↩\nInside Windows Debugging (Tarik Soulami 著 / Microsoft Press / 2012 年)
\n↩\nAdvanced Windows Debugging (Daniel Hewardt, Mario Pravat 著 / 2007 年)
\n↩\nインサイド Windows 第 7 版 上 (Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, David A. Solomon 著 / 山内 和朗 訳 / 日系 BP 社 / 2018 年)
\n↩\nインサイド Windows 第 7 版 下 (Andrea Allievi, Alex Ionescu 著 / 山内 和朗 訳 / 日系 BP 社 / 2022 年)
\n↩\nPractical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Michael Sikorski, Andrew Honig 著 / No Starch Press / 2012 年)
\n↩\nThe Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and MAC Memory (Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters 著 / John Wiley & Sons Inc / 2014 年)
\n↩\n