WinDBG-Usermode

Hi. In this post I'm going to explain how to use the WinDbg debugger in user mode. WinDbg is one of the most capable debuggers in the SDK debugger set, and it can be used in both kernel mode and user mode. The SDK ships a set of powerful debuggers for user mode (CDB) and kernel mode (KD). Although WinDbg is very powerful in kernel mode, it is also a favorite debugger among reverse engineers in user mode. When I wanted to use this debugger in user mode for the first time, I was faced with various documents that were not straightforward, so in this post I aim to help you use this debugger in user mode. First, let's try to open a simple executable file in WinDbg. When you open your EXE file in WinDbg, you should jump to the entry point of the program. You can do this with a simple command.

This command sets a breakpoint at the entry point. After pressing Enter, type the g command and press Enter; the program runs until it reaches the entry point.

If you type the g command again, your program will run to completion, but if you want to run it step by step you can use the t and p commands. There is a big difference between these two commands. While you are tracing your program you will come across function calls; if you want to step into those functions, use the t command, but if you just want to step over the calls, use the p command.

You can see the result of these commands as below.

As you can see, after running these commands WinDbg shows you all the registers. By running the t command when you reach a function call, you can trace into that function.

If you want to save the output of this trace to a file, you can use this command. You can open your log file with the command below.

After typing this command, all of the commands and their results will be saved in the file. In addition, you can append to an existing log file with the .logappend command.

To close the log file, use .logclose.

If you want to use this debugger from your own code, you can use the CDB debugger. If you give the path of this debugger on your system, you can ask it to trace your executable file.
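As an added example (not part of the original post), the PowerShell script below drives the console debugger CDB through the same steps described above for WinDbg: break at the entry point, step with t and p, dump the registers and keep a log of the session. It assumes the SDK debuggers are installed at the default Windows Kits path and uses notepad.exe as a sample target; both are assumptions and can be changed.

```powershell
# Added example: reproduce the post's interactive WinDbg session with CDB.
# Assumptions: default SDK debugger path and notepad.exe as a sample target.

$cdb    = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'  # assumed SDK path
$target = "$env:SystemRoot\System32\notepad.exe"                          # sample target, any EXE works
$logDir = Join-Path $env:TEMP 'cdb-trace'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log    = Join-Path $logDir 'session.log'

# Debugger commands in the order the post introduces them. Single quotes stop
# PowerShell from expanding $exentry, which is a debugger pseudo-register
# holding the entry point, not a PowerShell variable.
#   bp $exentry   set a breakpoint at the executable's entry point
#   g             run until that breakpoint is hit
#   t             step into the next instruction (follows calls)
#   p             step over the next instruction (skips over calls)
#   r             dump the registers after stepping
#   q             quit the debugger, which ends the target process
$commands = 'bp $exentry; g; t; t; p; p; r; q'

if (-not (Test-Path $cdb)) {
    throw "cdb.exe not found at $cdb; adjust the path to your SDK installation."
}

# -logo opens a fresh log file (the same effect as .logopen inside WinDbg);
# -c runs the command string exactly as if it were typed at the prompt.
& $cdb -logo $log -c $commands $target | Out-Null

Write-Host "Session log written to $log"
# Show the first register dump lines (rax= on x64, eax= on x86) as a quick
# check that the trace actually reached the entry point.
Get-Content $log | Select-String -Pattern '^(eax|rax)=' | Select-Object -First 2
```

Because the whole session is scripted, the resulting log can be diffed between runs or fed to other tooling, which is the point of the CDB approach the post mentions.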
