# Debugging Windows Applications with IDA WinDbg Plugin

The WinDbg debugger plugin is an IDA Pro debugger backend built on Microsoft's debugging engine (dbgeng), the same engine used by all Microsoft debuggers (WinDbg, Cdb, Kd, ...).

### Tools installation

The first step is to download and install the latest Debugging Tools. There are different ways to get them and all the required information can be found (at the time of this writing) [here](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools).

### IDA debugger configuration for local User Mode Debugging

Once the debugging tools have been installed, start IDA, load the binary to be debugged, then "Debugger \ Select Debugger" and make sure you select "WinDbg debugger" in the "Select a debugger" dialog box:

![](/files/YSZg0TNabjJx5E0ExXO2)

After the debugger has been selected, specific options can be set with "Debugger \ Debugger options...". The following dialog box is displayed:

![](/files/fvd2dKXWOTBesNlzM0pz)

In the present case we choose to suspend execution at the process entry point.

Clicking "Set specific options" offers the following choices:

![](/files/dCJXirnc2sATRmBEnAp1)

#### Debugging mode

* User mode: for debugging user mode applications
* Kernel mode: for debugging the Windows kernel and/or drivers
* Non Invasive user-mode process attach: [More on non invasive debugging](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/noninvasive-debugging--user-mode-)
* Kernel mode debugging with reconnect and initial break: used, for example, when rebooting the target system. The debugging session is terminated, but the debugger keeps waiting for a reconnection and breaks execution during system initialization.

It is possible to change the default debugging mode selection (here "User mode") by editing `%IDA%\cfg\dbg_windbg.cfg`.

#### Output flags

These flags are used by the debugging engine to select which kind of output messages should be displayed or omitted.

By default, the debugging tools install directory is detected from the information stored in the registry during installation. It is possible to override this detection by setting the value of the `DBGTOOLS` key in `%IDA%\cfg\ida.cfg`.

![](/files/3FKgnxweQglLh5PnlT87)

Make sure that the "Connection string" is left empty as the debuggee is a local user mode application.

Now press F9 to start debugging. The following warning is displayed:

![](/files/GDzzIj7gDewvwlIU6Uy1)

Click "Yes" to proceed.

The debugger stops at the start entry point.

![](/files/2iWHivaFvLPQQQ88vRRT)

Once the debugger has broken into the process, WinDbg commands can be used.

To take advantage of the symbols that Microsoft makes publicly available, create and set the `_NT_SYMBOL_PATH` environment variable:

`_NT_SYMBOL_PATH=srv*C:\Temp\Symbols*http://msdl.microsoft.com/download/symbols`

`C:\Temp\Symbols` will be the local symbol store (change this path to suit your setup).

If the symbols are not properly loaded, or you want to refresh them, type the following command:

`.reload /f`

in the WinDbg prompt.

### IDA debugger configuration for Remote User Mode debugging

For this section we are using two hosts:

* A Windows host machine running the debugger
* A Windows Hyper-V guest machine that takes the role of the target, i.e. the machine on which the debugged process runs.

On the target machine, copy the corresponding debug server:

* **win64\_remote64.exe** for 64-bit target OSes
* **win32\_remote.exe** for 32-bit target OSes

In this tutorial we will use the 64-bit version of the debug server. Start it with the following command line:

* `win64_remote64 -p 50000`

The debugger server starts and listens on port 50000 for incoming connections.

![](/files/cwNmYu2XmXZHZeHiJ3Cm)

The possible debug server options are:

```
  -p ...  (--port-number ...) Port number
  -i ...  (--ip-address ...) IP address to bind to (default to any)
  -c ...  (--certchain-file ...) TLS certificate chain file
  -k ...  (--privkey-file ...) TLS private key file
  -v      (--verbose) Verbose mode
  -t      (--no-tls) Use plain, unencrypted TCP connections
  -P ...  (--password ...) Password
  -k      (--on-broken-connection-keep-session) Keep debugger session alive when connection breaks
  -K      (--on-stop-kill-process) Kill debuggee when closing session
```

On the host (debugger) machine, in IDA, go to "Debugger \ Run \ Remote Windows Debugger". We will start notepad.exe under the debugger on the remote machine.

![](/files/dJCJTY9ozkc6wUILzSfD)

Enter the target's resolvable hostname or IP address and the port number the server process was started with (no password is used in this case, so leave it empty). Click OK.

On the target machine the connection is accepted by the debug server.

![](/files/VGLa88l7TcVq93sIY644)

IDA should break into the process at the process entry point, as shown below.

![](/files/hQhFfqGKl5mDuOUuQoli)

From now on it is possible to step over, step into, run to cursor and set breakpoints using the menu or hotkeys.

NOTE: the port may need to be opened on the target machine.

## IDA debugger configuration for Windows Kernel Debugging with a VM target

For this section we reuse the same setup (a Windows host and a Hyper-V Windows guest). The kernel debugging steps for any other virtualization solution should be the same.

We provide the steps to configure the guest for a kdnet kernel debugging session. This method is usually faster than the older COM port (named pipe) method.

In an elevated command prompt enter the following commands:

* `bcdedit /debug on`
* `bcdedit /dbgsettings net hostip:<host-IP> port:<port> key:<key>`

For example:

`bcdedit /dbgsettings net hostip:192.168.12.30 port:50000 key:1.1.1.1`

* `192.168.12.30` is the IP address of the host (debugger) machine. Make sure you can ping it from the target (debuggee) machine.

It might also be necessary to open the specified port on the target machine. At this stage the target has to be rebooted.
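As an added example (not part of the Hex-Rays tutorial), the following PowerShell script applies the two `bcdedit` commands above on the target machine, after checking that the host answers ping and that the key has the expected `w.x.y.z` shape, and reads the settings back before you reboot. The parameter names and the check logic are this example's own; the default values are the tutorial's sample values.

```powershell
# Added example (not from the Hex-Rays tutorial): configure the guest for a kdnet
# kernel debugging session and verify the settings before rebooting.
# Run from an elevated PowerShell prompt on the target (debuggee) machine.
param(
    [string]$HostIp = '192.168.12.30',   # host (debugger) machine, tutorial sample value
    [int]$Port      = 50000,             # tutorial sample port
    [string]$Key    = '1.1.1.1'          # tutorial sample key
)

# Assumption: a kdnet key is four dot-separated alphanumeric groups (w.x.y.z).
if ($Key -notmatch '^[0-9a-zA-Z]+(\.[0-9a-zA-Z]+){3}$') {
    throw "Key '$Key' is not in the expected w.x.y.z form"
}

# The tutorial requires the host to be reachable from the target; check that first.
if (-not (Test-Connection -ComputerName $HostIp -Count 2 -Quiet)) {
    throw "Host $HostIp does not answer ping; fix networking before enabling kdnet"
}

# Step 1: enable kernel debugging.
& bcdedit /debug on | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /debug on failed (is the prompt elevated?)' }

# Step 2: select the network transport with the host address, port and key.
& bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port" "key:$Key" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /dbgsettings net failed' }

# Read the stored settings back and confirm they match what was requested.
$settings = (& bcdedit /dbgsettings) -join "`n"
if ($settings -notmatch "hostip\s+$([regex]::Escape($HostIp))" -or
    $settings -notmatch "port\s+$Port") {
    throw "bcdedit reports unexpected settings:`n$settings"
}

Write-Output 'kdnet settings stored; reboot the target to activate them.'
```

The script only stores the configuration; the reboot the tutorial calls for is left to you so the change can be reviewed first.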

When the target machine has restarted, launch IDA, then go to "Debugger \ Attach \ Windbg debugger".

![](/files/UYTmXlvJSbN97Vu9TVdm)

Click "Debugger specific options".

![](/files/wBdDEaAOigPtrC6qu1rB)

Make sure that "Kernel mode debugging" is selected. Click OK.

![](/files/Hl1hyBC5ksQ6fv7hmv4f)

The following Information dialog box is displayed.

![](/files/R544loBdkWnaPaUq2xpg)

Click OK to continue.

![](/files/GFOb8c2xGTPQKBCTeDXN)

Select and click OK. IDA should hit a breakpoint and let you enter WinDbg commands. Note that some WinDbg commands (like g, ...) cannot be passed to the WinDbg plugin directly; use the menu instead.

![](/files/ko6KNREXAoMsyAAeqWDh)
