WinDbg is the most popular Debugger for Windows. In this course, we will look at how WinDbg can be used for both User and Kernel mode debugging. We will learn how processes and threads work on Windows, and how we can examine memory, modify registers & data, disassemble code etc. among other things. We will also learn a bit of Windows internals, kernel data strucutres and how to analyze rootkits and other malicious code in the form of device drivers.
A non-exhaustive list of topics includes:
- Course Outline
- WinDbg Basics
- Understanding Processes and Threads
- Debugging Multi-processor Systems
- Symbols and Symbol Servers
- User Mode Debugging
- Breakpoints
- Watches
- Examining CPU
- Examining Memory – Stack, Heap and Code
- Threads and associated storage
- Modifying registers, data etc.
- Disassembling Code
- Kernel Mode Debugging
- Kernel Debug Setup
- Windows internals basics
- Device Driver basics
- Kernel data structures
- Process and Thread data structures
- Interesting APIs and Subsystems
- Rootkit Analysis
- Case Studies
- Crashes and Hangs
- Malicious Programs – Local, Network based communication
- Rootkits and Kernel mode backdoors
