windbgtips

#ProTip Some handy #Github repo for a better #WinDbg experience: - github.com/microsoft/WinD… - github.com/TimMisiak/WinD… by @timmisiak - github.com/yardenshafir/W… by @yarden_shafir - github.com/0vercl0k/windb… by @0vercl0k - github.com/hugsy/windbg_j… by @_hugsy_ Got more? Add here 👇

If you update WinDbg today (1.2504.15001.0), you might notice another icon in the View tab of the ribbon, one called "Parallel Stacks". While incredibly useful in its own right, this isn't just a parallel stacks view. It's the introduction of graph visualization for extensions!

@jvert @markrussinovich Well... It's not quite KD, but WinDbg has supported debugging the Linux kernel via an EXDI connection for some time. Easiest setup is to enable the gdbserver on QEMU and use EXDI in WinDbg selecting "Linux" as the OS. I've source level stepped the Linux kernel doing that...

It's been a minute since we have released a new version of TTD! New version is now available (1.11.410) which fixes module selective recording, enables large queries via .Calls() and fixes some emulator bugs reported by our customers. aka.ms/ttd

I know I'll catch flack for not knowing this, but the Mex WinDbg extension is so cool! During dynamic analysis I needed to grab the exact version of a module from a target but didn't want to resume execution to fetch it since hitting the breakpoint was tricky. !writemodule FTW!

This trick is particularly useful if you do not/cannot use `.ToDisplayString` 🙂

WinDbg has a few but very useful (undocumented) intrinsics directly usable from `dx`, such as: __iserror, __ignoreerror, __isnovalue. Also some functions in dbgeng.dll can be used for quick (wstr, str, mem) comparison , like _wcsnicmp, _wcsicmp, _stricmp, memicmp, etc.

#WinDbg 1.2402.24001.0 is out on #winget with #GDB remote protocol support 🔥 All documented here 👇

If you spin your gdbserver with --multi (e.g.: gdbserver --multi localhost:1234), you can connect to it via the "Connect to Process Server" (same protocol string) and then see the process list and attach...

You can even tell us how to pull sources automatically from GitHub for your source level debugging... !addsourcemap <module> <local spec> <remote spec> as highlighted below. The db77...1c13 is the commit on master from which I built vim for this example.

Once you've connected, things should work very similarly to what you expect debugging a live Windows process. You can set breakpoints, single step, get locals, etc...

If you've ever wanted to live debug user mode Linux processes (e.g.: in WSL) from WinDbg, with 1.2402.24001.0, you can! Start up a gdbserver in WSL (e.g.: gdbserver localhost:1234 ./vim) and connect to it via WinDbg's "Connect to remote debugger"

I'm starting a series of WinDbg tutorial videos starting with the absolute basics. The first two videos cover how to install WinDbg and how to start a debugging session. augmend.com/replay/886e1f2… augmend.com/replay/8e1ecc0…

Here is a small WinDbg extension written in Rust 🦀 I am hoping it can serve as a template for people to get started 💪 github.com/0vercl0k/snaps…

Example (just record msvcrt.dll): ttd.exe -module msvcrt.dll ping.exe

🙌

Thanks to @_hugsy_'s contributions, the kdmp-parser library is now available on PyPI and also supports the new kernel dump types (8, 9, 10) that appeared in WinDbg around ~2022 😱 Go check it out: github.com/0vercl0k/kdmp-… / pypi.org/project/kdmp-p… 🔥

WinDbgX tip: If you press Ctrl+Shift+B, you can open a hex viewer for a file. The data is virtualized so that it can handle any size file. Like this 334MB Windows.UI.Xaml.pdb file. It's somewhat undocumented because it was just a test bed for the memory window, but still useful.

`winget` FTW 🚀

📢 @_hugsy_ added Python (>=3.8) bindings to udmp-parser (github.com/0vercl0k/udmp-…) and we think they are ready for testing! Go try them out 🔥 pypi.org/project/udmp-p…

This is insanely cool: TTD + Binja ! Once again, an amazing piece of work by the team of @vector35