<h1>Debugging and Troubleshooting Techniques with WinDbg</h1>
<p>Published 2021-10-04. Tags: WinDbg (en), Kernel (en), Reversing (en), English.</p>
<blockquote>
<p>This page has been machine-translated from the <a href="/windows-windbg-001-index">original page</a>.</p>
</blockquote>
<p>I started writing this article because I wanted to organize resources for learning Windows debugging and dump analysis with WinDbg from the ground up.</p>
<p>In my day job, I often have to analyze memory dumps and process dumps for troubleshooting, but I feel there is still very little clear information on effective investigation techniques for identifying the root cause of each problem.</p>
<p>Because of that, I often end up analyzing things by trial and error, and I kept wishing there were a richer body of knowledge on analysis techniques using WinDbg.</p>
<p>However, since I couldn't find many useful resources, I decided to start sharing the information myself and publish organized notes on analysis techniques with WinDbg.</p>
<p>As of 2021/10/02, there are still only a few articles, but my goal is to eventually organize posts by purpose and cover various WinDbg analysis methods and troubleshooting techniques.</p>
<p>All published articles are organized below.</p>
<h2 id="article-categories">Article Categories</h2>
<h3 id="getting-started-with-windbg">Getting Started with WinDbg</h3>
<ol>
<li><a href="/windows-windbg-002-tutorial-en">Trying the WinDbg User-Mode Debugging Tutorial</a></li>
<li><a href="/windows-windbg-004-kernel-debug-en">First Steps in Kernel Debugging with WinDbg on Windows 10</a></li>
<li><a href="/windows-windbg-003-ui-en">Overview of Each WinDbg Window</a></li>
<li><a href="/windows-windbg-005-kernel-dump-en">How to Manually Capture a Kernel Memory Dump on Windows and Analyze It with WinDbg</a></li>
<li><a href="/windows-windbg-008-time-travel-debugging-en">A New Debugging Approach with Time Travel Debugging</a></li>
</ol>
<h3 id="user-mode-debugging-with-windbg">User-Mode Debugging with WinDbg</h3>
<ol>
<li><a href="/windows-windbg-002-tutorial-en">Trying the WinDbg User-Mode Debugging Tutorial</a></li>
<li><a href="/windows-windbg-007-memory-spoofing-en">Overwriting the Memory Pointed to by the Stack Pointer in WinDbg to Execute an Arbitrary Function</a></li>
<li><a href="/windows-windbg-009-base64-en">Analyzing a Base64 Program Implemented in C with WinDbg Time Travel Debugging</a></li>
<li><a href="/windows-windbg-010-socket-en">Reversing a Program that Implements TCP and UDP Communication with Windows Sockets</a></li>
</ol>
<h3 id="kernel-mode-debugging-with-windbg">Kernel-Mode Debugging with WinDbg</h3>
<ol>
<li><a href="/windows-windbg-004-kernel-debug-en">First Steps in Kernel Debugging with WinDbg on Windows 10</a></li>
<li><a href="/windows-windriver-001-tutorial-en">Writing Your Own Windows Kernel Driver and Analyzing It with WinDbg</a></li>
<li><a href="/windows-windriver-002-irp-en">Writing Your Own Windows Kernel Driver and Inspecting IRP Requests with WinDbg</a></li>
</ol>
<h3 id="process-dump-analysis-with-windbg">Process Dump Analysis with WinDbg</h3>
<p>There are no articles in this category yet.</p>
<h3 id="memory-dump-analysis-with-windbg">Memory Dump Analysis with WinDbg</h3>
<ol>
<li><a href="/windows-windbg-005-kernel-dump-en">How to Manually Capture a Kernel Memory Dump on Windows and Analyze It with WinDbg</a></li>
</ol>
<h3 id="time-travel-debugging-with-windbg-preview">Time Travel Debugging with WinDbg Preview</h3>
<ol>
<li><a href="/windows-windbg-008-time-travel-debugging-en">A New Debugging Approach with Time Travel Debugging</a></li>
<li><a href="/windows-windbg-009-base64-en">Analyzing a Base64 Program Implemented in C with WinDbg Time Travel Debugging</a></li>
<li><a href="/windows-windbg-010-socket-en">Reversing a Program that Implements TCP and UDP Communication with Windows Sockets</a></li>
</ol>
<h2 id="use-case-oriented-articles">Use-Case-Oriented Articles</h2>
<h3 id="viewing-and-editing-memory-with-windbg">Viewing and Editing Memory with WinDbg</h3>
<ol>
<li><a href="/windows-windbg-007-memory-spoofing-en">Overwriting the Memory Pointed to by the Stack Pointer in WinDbg to Execute an Arbitrary Function</a></li>
</ol>
<h3 id="investigating-the-cause-of-application-errors">Investigating the Cause of Application Errors</h3>
<ol>
<li><a href="/windows-windbg-008-time-travel-debugging-en">A New Debugging Approach with Time Travel Debugging</a></li>
</ol>
<h2 id="notes">Notes</h2>
<p>The sample programs used for analysis in each article are all stored in the following repository.</p>
<p>Sample programs: <a href="https://github.com/kash1064/Try2WinDbg">kash1064/Try2WinDbg</a></p>
<p>I also summarized how to compile the sample programs in the repository with symbol files (.pdb files) in the following article.</p>
<p>Reference: <a href="/windows-windbg-006-symbol-en">How to Generate Symbol Files (.pdb) in a Linux Environment Using llvm-mingw</a></p>
<h2 id="external-references">External References</h2>
<ul>
<li><a href="https://docs.microsoft.com/ja-jp/windows-hardware/drivers/debugger/">Debugging Tools for Windows (WinDbg, KD, CDB, NTSD) - Windows drivers | Microsoft Docs</a></li>
<li><a href="https://techinfoofmicrosofttech.osscons.jp/index.php?WinDbg">WinDbg - Microsoft Technology Wiki</a></li>
<li><a href="http://windbg.info/download/doc/pdf/WinDbg_A_to_Z_color_JP.pdf">WinDbg. From A to Z!</a></li>
<li><a href="http://windbg.info/">Welcome to WinDbg.info</a></li>
<li><a href="https://amzn.to/3KTG0e9">Windows Kernel Driver Programming</a></li>
</ul>