Debugging Windows Applications with IDA WinDbg Plugin
The WinDbg debugger plugin is an IDA Pro debugger built on Microsoft's debugging engine (dbgeng), the same engine used by all Microsoft debuggers (WinDbg, Cdb, Kd, ...).
Tools installation
The first step is to download and install the latest Debugging Tools. There are different ways to get them and all the required information can be found (at the time of this writing) here.
IDA debugger configuration for local User Mode Debugging
Once the debugging tools have been installed, start IDA, load the binary to be debugged, then "Debugger \ Select Debugger" and make sure you select "WinDbg debugger" in the "Select a debugger" dialog box:

After the debugger has been selected, specific options can be set with "Debugger \ Debugger options...". The following dialog box is displayed:

In the present case we choose to suspend the execution on process entry point.
Clicking the "Set specific options" will offer the following choices:

Debugging mode
User mode: for debugging user mode applications
Kernel mode: for debugging the Windows kernel and/or drivers
Non-invasive user-mode process attach (see Microsoft's documentation on non-invasive debugging)
Kernel mode debugging with reconnect and initial break: used, for example, when rebooting the target system; the debugging session is terminated, but the debugger keeps waiting for a reconnection and breaks execution during system initialization.
It is possible to change the default debugging mode selection (here "User mode") by editing %IDA%\cfg\dbg_windbg.cfg
Output flags
These flags are used by the debugging engine to select which kind of output messages should be displayed or omitted.
By default, the debugging tools install directory is detected using the information stored in the registry during installation. It is possible to override it by setting the value of the DBGTOOLS key in %IDA%\cfg\ida.cfg.

Make sure that the "Connection string" is left empty as the debuggee is a local user mode application.
Now, to start debugging press F9, the following warning is displayed:

Click "Yes" to proceed.
The debugger stops at the start entry point.

Once the debugger has broken into the process execution, WinDbg commands can be used.
In order to benefit from the symbols publicly made available by Microsoft, you can create and set the _NT_SYMBOL_PATH environment variable:
_NT_SYMBOL_PATH=srv*C:\Temp\Symbols*http://msdl.microsoft.com/download/symbols
C:\Temp\Symbols will be the local symbol store (change this path as it suits you).
If the symbols are not properly loaded, or you want to refresh them, type the following command:
.reload /f
in the WinDbg prompt.
IDA debugger configuration for Remote User Mode debugging
For this section we are using two hosts:
A Windows host machine running the debugger
A Windows Hyper-V guest machine that takes the role of the target, i.e. the machine on which the debugged process runs.
On the target machine, copy the corresponding debug server:
win64_remote64.exe for 64-bit target OSes
win32_remote.exe for 32-bit target OSes
In this tutorial we will use the 64-bit version of the debug server. Start it with the following command line:
win64_remote64 -p 50000
The debugger server starts and listens on port 50000 for incoming connections.

The possible debug server options are:
On the host (debugger) machine, in IDA, go to "Debugger \ Run \ Remote Windows Debugger". We will start notepad.exe under the debugger on the remote machine.

Enter the target's resolvable hostname or IP address and the port number on which the server process listens (no password is used in this case, so we leave it empty). Click OK.
On the target machine the connection is accepted by the debug server.

IDA should break into the process at the process entry point, as shown below:

From now on it is possible to step over, step into, run to cursor, and set breakpoints using the menu or hotkeys.
NOTE: the port may need to be opened in the firewall of the target machine.
IDA debugger configuration for Windows Kernel Debugging with a VM target
For this section we reuse the same setup (Windows host and a Hyper-V Windows guest). The steps for kernel debugging with any other virtualization solution should be the same.
We provide the steps to configure the guest for a kdnet kernel debugging session. This method is usually faster than the older COM (named pipe) method.
In an elevated command prompt enter the following commands:
bcdedit /debug on
bcdedit /dbgsettings net hostip:<host-IP> port:<port> key:<key>
For example:
bcdedit /dbgsettings net hostip:192.168.12.30 port:50000 key:1.1.1.1
192.168.12.30 is the IP address of the host (debugger) machine. Make sure you can ping it from the target (debuggee) machine.
It might also be necessary to open the specified port on the target machine. At this stage the target has to be rebooted.
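The kdnet configuration steps above, collected into one script to run from an elevated PowerShell prompt on the target (debuggee). This is an added example, not part of the IDA documentation; the host IP, port and key default to the values used on this page, and the reachability check follows the page's advice to ping the host first.

```powershell
# Added example: configure this Windows guest as a kdnet kernel debugging target.
# Defaults are the example values from the tutorial above; override as needed.
param(
    [string]$HostIp = '192.168.12.30',  # IP of the host (debugger) machine
    [int]   $Port   = 50000,            # kdnet port the debugger listens on
    [string]$Key    = '1.1.1.1'         # session key; pass '' to let bcdedit generate one
)

# bcdedit refuses to modify the boot configuration without elevation, so fail early.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# The tutorial says to make sure the host can be pinged from the target: check it
# before touching the boot settings, so a typo in the IP is caught now, not after a reboot.
if (-not (Test-Connection -ComputerName $HostIp -Count 2 -Quiet)) {
    throw "Debugger host $HostIp is not reachable from this machine."
}

# Step 1: enable kernel debugging for the current boot entry.
bcdedit /debug on | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /debug on failed.' }

# Step 2: select the network (kdnet) transport. When no key is given, bcdedit
# generates a random key and prints it; note it down, IDA needs it to connect.
$args = @('/dbgsettings', 'net', "hostip:$HostIp", "port:$Port")
if ($Key -ne '') { $args += "key:$Key" }
$output = & bcdedit @args
if ($LASTEXITCODE -ne 0) { throw "bcdedit /dbgsettings failed: $output" }
$output

# Show the resulting settings; they only take effect after the target is rebooted.
bcdedit /dbgsettings
Write-Host "kdnet target configured for host $HostIp port $Port. Reboot the target to start the session."
```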
When the target machine has restarted, launch IDA, then "Debugger \ Attach \ Windbg debugger".

Click "Debugger specific options"

Make sure that "Kernel mode debugging" is selected. Click OK.

The following Information dialog box is displayed:

Click OK to continue.

Select the entry and click OK. IDA should hit a breakpoint and give you the possibility to enter WinDbg commands. Note that some WinDbg commands (like g, ...) cannot be passed to the WinDbg plugin directly; the menu should be used instead.
