
WinDbg for the OllyDbg user

November 12, 2013

I’ll start off by saying that just about anything Alexander writes on his blog, you should read. Seriously.

He’s written an excellent and thorough blog post on how an analyst familiar with OllyDbg can learn to use WinDbg.

In the example in his post, he explains how to use WinDbg to unpack a UPX’d executable. To borrow his phrase, it’s the “Hello World” of malware analysis.

From the blog post:

One of the difficult parts of learning WinDbg is enumerating useful commands. OllyDbg is great because you can see all the useful commands by selecting a drop-down. This isn’t the case for WinDbg. The best place to look up commands is the WinDbg Help file. It’s surprisingly useful. Below is a list of commands that I enumerated that are commonly used in debugging malware.

  • .tlist
    • list all running processes
  • lm
    • list all loaded modules
  • lmf
    • list all loaded modules – full path
  • !dlls
    • list all loaded modules – more detailed
  • !dh address
    • displays the headers for the specified image
  • !dh -options address
    • no options, display all
    • -f  display file headers
    • -s display sections headers
    • -a display all headers
  • @$exentry
    • location of entry point
  • u
    • unassemble
  • !SaveModule startaddress path
  • ~
    • thread status for all threads
  • |
    • process status
  • !gle
    • get last error
  • r
    • dump registers
  • r reg=value
    • assign register value
  • rF
    • dump Floating point
  • k
    • display call stack for current thread
  • !peb
    • dump process block
  • !address
  • .lastevent
  • .imgscan
    • dump al
  • bl
    • list breakpoints
  • bc
    • clear breakpoint, * or #
  • bd
    • disable breakpoints
  • bp
    • breakpoint
  • ba
    • r/write/execute (r,w,e) size addr
  • sxe cpr
    • break on process creation
  • sxe epr
    • break on process exit
  • sxe ct
    • break on thread creation
  • sxe et
    • break on thread exit
  • sxe ld
    • break on loading of module
  • sxe ud
    • break on unloading of module
  • $$
    • print string
  • p
    • step over
  • t
    • step into
  • restart
    • restarts the debugging of the executable process
  • q
    • quit
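To show how the commands above fit together in one sitting, here is an added WinDbg session sketch (my own example, not from Alexander’s post or this one). It assumes the debuggee was launched under WinDbg and that its main module is named `sample` (a placeholder); `$$` is WinDbg’s comment command, so those lines are annotations, not actions.

```windbg
$$ Added example, not from the original post. "sample" is a placeholder module name.

$$ 1. Orientation: which process and threads are we attached to, and why did we stop?
|
~
.lastevent

$$ 2. What is loaded, and what does the main image's PE header say?
lm
lmf
!dh -f sample
!dh -s sample

$$ 3. Stop at the points that matter when watching a packed sample unfold.
bp @$exentry            $$ software breakpoint on the image entry point
ba e1 @$exentry         $$ same location as a 1-byte hardware execute breakpoint
sxe ld:kernel32         $$ break when kernel32 is mapped into the process
sxe cpr                 $$ break if the sample spawns a child process
sxe ct                  $$ break when it creates a new thread
bl                      $$ confirm what is armed before running
g

$$ 4. At each stop: registers, call stack, code at the entry point, last error.
r
k
u @$exentry L20
!gle

$$ 5. Once execution has moved past the stub, look for a PE header that was not
$$    there at load time, then walk the address space around it.
.imgscan
!address

$$ 6. Step as needed, then clean up.
p
t
bc *
q
```

The order matters more than any single command: establish context (`|`, `~`, `lm`), arm breakpoints before `g`, and only then start interpreting `r`, `k` and `u` output. `.imgscan` is the command most worth remembering for packed binaries, since it reports MZ/PE headers present in memory regardless of whether the loader knows about them.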