WinDbg Debugger
The WinDbg debugger plugin uses Microsoft's Debugging Engine COM interfaces from the Debugging Tools package.
In order to use the WinDbg debugger plugin, please download the latest debugging tools from https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools.
The WinDbg debugger can be used to debug local programs as well as remote programs. This is controlled via the connection string in the "Process options" dialog: if it is left blank, local debugging is in effect; otherwise a Debugging Engine compatible connection string is expected. IDA will display an error message if the connection string is not accepted; in that case, try the same connection string with "cdb" or "windbg" and see if it works there.
Configuration options
Debugger-specific options can be changed from Debugger -> Debugger options -> Set specific options.
The WinDbg debugger plugin has the following configuration options:
Debugging mode
User mode - Check this option to debug MS Windows applications.
Kernel mode debugging - Check this option when debugging the kernel.
Non-Invasive user-mode process attach - Check this option to enable attaching to user-mode processes non-invasively.
Kernel mode debugging with reconnect and initial break - Select this option when debugging a kernel and the connection string contains 'reconnect'. It ensures that the debugger breaks as soon as possible after a reconnect.
Output flags - These flags tell the debugging engine which kind of output messages to display and which to omit.
ida.cfg options
The WinDbg debugger plugin has the following options that can be configured in cfg/ida.cfg (in the installation folder):
DBGTOOLS - This should point to the folder where the Microsoft Debugging Tools are installed. The plugin will try to guess where the tools are; if it fails, the option must be set by hand. If this option is not set, the plugin falls back to dbgeng.dll from the MS Windows system folder: normal debug operations will still work, but WinDbg extensions will not.
Features
Send commands to the debugger engine
After the debugging session is started, you can send commands to the debugger engine.
Use the "." key to switch to the command line and start typing commands.
Please note that while it is possible to send any command to the engine, commands that change the execution status should not be used: go ("g"), step into ("t"), step over ("p"), etc., since IDA is not notified of execution state changes made this way. Use IDA's own debugger actions for those.
The WinDbg debugger module adds a new menu item: Debugger -> WinDbg command. It can be used to send arbitrary commands to the debugger engine. The command output is displayed in the output window.
Symbol information
If the symbol path is configured properly, then the debugger engine will fetch debug symbols from the appropriate location (symbol server, cache, etc.)
Example: if the following environment variable is set, the debugging engine will download symbols from the specified paths:
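As an added example, not taken from the original page, the following PowerShell sets _NT_SYMBOL_PATH for the current user so that symbols are cached locally and fetched from Microsoft's public symbol server, then uses cdb to check that ntdll actually resolves to PDB symbols. The cache directory C:\symbols and the assumption that the Debugging Tools folder is on PATH are illustrative choices.

```powershell
# Added example: configure _NT_SYMBOL_PATH and verify symbol resolution.
# C:\symbols is an assumed local cache directory; adjust as needed.
$cache   = 'C:\symbols'
$symPath = "srv*$cache*https://msdl.microsoft.com/download/symbols"

New-Item -ItemType Directory -Path $cache -Force | Out-Null

# Persist for the current user: new processes (including IDA, once restarted)
# inherit it...
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'User')
# ...and set it for this session so the check below sees it immediately.
$env:_NT_SYMBOL_PATH = $symPath

# Verify: launch a throwaway target under cdb (assumed to be on PATH), print the
# effective symbol path and the ntdll module record, then quit.
# "(pdb symbols)" in the lm output means cache/server lookup works;
# "(export symbols)" means the path is wrong or the server is unreachable.
cdb -c '.sympath; .reload; lm m ntdll; q' cmd.exe /c exit
```

The same symbol path can also be set per session from IDA's WinDbg command line with ".sympath", but the environment variable is what the engine picks up automatically.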
Multi-processor support
When debugging a kernel, the Debugging Engine creates a virtual thread for each processor it finds; IDA likewise presents these processors as threads.
Remote debugging support
It is possible to use the process server "dbgsrv.exe" to enable remote debugging. For example:
Run
dbgsrv -t tcp:port=PORT_NUM,server=HOST_NAME
Verify that the server is correctly running by listing all process servers on the given HOST_NAME:
Finally, run IDA and specify the following connection string:
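The procedure above carried through in PowerShell, as an added example that is not part of the original page: the target machine starts dbgsrv and restricts the inbound port to one analyst address, and the analyst machine queries the process server with cdb -QR before entering the connection string in IDA. The port, host name, analyst address and password are placeholders. "password=" is the Debugging Engine's own transport option; it gates access but the tcp transport carries no encryption (the engine's ssl and spipe transports exist for that), so keep this on a controlled network.

```powershell
# --- On the target machine (dbgsrv runs with this user's privileges) ---
$port    = 5005          # assumed port
$analyst = '10.0.0.5'    # assumed analyst workstation address
$secret  = 'replace-me'  # assumed shared secret, passed as the password= option

# Anyone who can reach this port and knows the secret can create or attach to
# processes as the dbgsrv user, so allow only the analyst host through the firewall.
New-NetFirewallRule -DisplayName "dbgsrv $port" -Direction Inbound `
    -Protocol TCP -LocalPort $port -RemoteAddress $analyst -Action Allow | Out-Null

# Start the process server (assumes the Debugging Tools folder is on PATH).
# It stays running in the background until it is killed.
Start-Process dbgsrv -ArgumentList "-t tcp:port=$port,password=$secret"

# --- On the analyst machine ---
$target = 'TARGET-PC'    # assumed host name of the target machine

# Verify the server is reachable: -QR lists the process servers on $target.
cdb -QR "tcp:server=$target,password=$secret"

# IDA accepts the same transport string cdb does; this is what goes into the
# connection string field of the Process options dialog.
$idaConnection = "tcp:port=$port,server=$target,password=$secret"
Write-Output $idaConnection
```

If cdb -QR lists the server but IDA rejects the string, the problem is in the string itself (typically a stray space or a wrong option name) rather than in the network path.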
Use WinDbg extensions
It is possible to use the extension commands that usually work with WinDbg (for example "!analyze -v"). Make sure that the DBGTOOLS option (the Debugging Tools folder) is set properly so that this feature works.
Kernel debugging
It is possible to debug the kernel the same way as with WinDbg: set up the target kernel, then configure the WinDbg plugin by checking the "Kernel mode debugging" option and entering a correct connection string.
If the user detaches from a kernel session (using Debugger -> Detach from process), the debugged kernel will resume. However, if the user selects Debugger -> Terminate process, the kernel will be suspended (it will wait until another client attaches to it).
Dump files support
IDA can load dump files generated manually (with the ".dump" command) as well as crash dumps produced by a crashed process or kernel. For reference, see the windmp file loader.
After the dump has been loaded, it is possible to run the debugger and investigate the crash by typing WinDbg commands in the command line window; for example, check the call stack or use any WinDbg extension.
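As an added example (not from the original page) of producing a dump that the windmp loader can open, the following PowerShell attaches cdb non-invasively to a running process, writes a full user-mode dump with ".dump /ma" and detaches again, so the target is paused only for as long as the dump takes. The process name, output folder and the assumption that cdb is on PATH are illustrative.

```powershell
# Added example: capture a full user-mode dump of a running process with cdb's
# non-invasive attach, for later loading in IDA via the windmp loader.
$processName = 'notepad'   # assumed target process
$outDir      = 'C:\dumps'  # assumed output folder

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$proc  = Get-Process -Name $processName -ErrorAction Stop | Select-Object -First 1
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dump  = Join-Path $outDir "$($proc.ProcessName)-$($proc.Id)-$stamp.dmp"

# -pv       : non-invasive attach (threads are suspended, no debug events are delivered)
# -p <pid>  : attach by process id
# .dump /ma : full memory, handle and thread information
# qd        : quit and detach, leaving the process running
cdb -pv -p $proc.Id -c ".dump /ma `"$dump`"; qd"

if (Test-Path $dump) {
    Write-Output "Dump written: $dump"
} else {
    Write-Error "cdb did not produce $dump"
}
```

The dump contains the full memory of the process, including any secrets it held, so treat the file with the same care as the live process.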
External breakpoints
It is possible to use the command line to create breakpoints that IDA does not support itself but the debugging engine does. Any such unknown (external) breakpoint will cause IDA to suspend execution when it is triggered.
API