PMA 430: WinDbg Preview (15 pts)

What you need

Purpose

To use WinDbg Preview for user-land debugging.

Installing WinDbg Preview

If you are using the Windows 10 with Tools machine from your instructor, WinDbg Preview is already installed.

If you are using some other machine, follow the steps below to install it.

On Windows 10, at the lower left of the desktop, click the magnifying glass. Type STORE

Open Microsoft Store.

In Microsoft Store, search for WinDbg, as shown below.

When it finds "WinDbg Preview", click the blue Get button.

A "Use across your devices" box pops up. Click "No, thanks".

Click Launch.

Launching WinDbg Preview as Administrator

Close WinDbg.

Click the Start button and type WINDBG. Right-click "WinDbg Preview" and click "Run as Administrator". Approve the privilege escalation.

Debugging Notepad

In WinDbg, click File, "Launch executable".

Navigate to:

C:\Windows\System32\notepad.exe

and open it.

Loading DLLs

In WinDbg Preview, in the center pane, scroll up to the start.

Here you see Notepad loading the DLLs it uses.

Notice the address shown for ntdll, the user-mode face of the Windows kernel, outlined in red in the image below.

Launch Process Explorer as Administrator and click notepad.exe. If you can't find the "notepad.exe" process, just skip the usage of Process Explorer.

Click View, "Show Lower Pane".

Click View, "Lower Pane View", DLLs.

In the lower pane, right-click ntdll and click Properties.

As shown below, the load address shown here matches the first address shown in WinDbg.

In WinDbg Preview, in the center pane, scroll down to the bottom.

Here you can see that the program has stopped at a break instruction inside the ntdll module, as shown below.

From the menu bar, click View, Stack.

The lower right pane shows the stack frames, indicating that we are five calls deep, all within ntdll.

Viewing Symbols

In the lower center command-line (to the right of 0:00>), execute this command:
x notepad!*
You see a long list of symbols used by Notepad.

To see the symbols containing the word main, execute this command:

x notepad!*main*
You see a few symbols, including the entry point WinMain, as shown below.

Note: when I did this on Oct 18, 2022, the name had changed to wWinMain. If you see that name, use it in the commands below instead of "WinMain".

Setting a Breakpoint

Execute these commands to set a breakpoint at WinMain, and display breakpoints:
bu notepad!WinMain
bl
The breakpoint is set, as shown below.

Running to the Breakpoint

To resume execution, execute this command:
g
The program stops at the WinMain breakpoint, as shown below.

Viewing Loaded Modules

To view the loaded modules for Notepad (the process WinDbg is attached to), execute this command:
lm
You see a list of loaded modules. Some of them have .pdb files shown on the right, including ntdll, as shown below.

Those are symbol files that make debugging easier.

Stack Trace

To see a stack trace, execute this command:
k
You see a list of the functions that are in progress at this point, as shown below.

This is the same list as the one that appears in the lower right pane, with more detail.

Finding API Calls that Create Files

To find the start of the ZwCreateFile function in the ntdll module, execute this command:
x ntdll!*CreateFile*
You see a few symbols, including ntdll!ZwCreateFile, as shown below.

Setting a Breakpoint and Resuming

Execute these commands to set a breakpoint at ntdll!ZwCreateFile and resume execution:
bu ntdll!ZwCreateFile
g
Notepad hits the breakpoint, as shown below.

Stack Trace

Execute this command to see the stack trace:
k
The stack trace is long, so scroll back up to see the start of the k output, as shown below.

Viewing Threads

Notice the numbers before the k, outlined in green in the image above.

The first number is the processor number, and the second is the thread number.

When I did it, the breakpoint was hit by thread 8, running on processor 2. Your numbers may be different.

To see all the threads in the Notepad process, execute this command (the tilde character, Shift+Backtick on a US keyboard):

~
On my system, only one thread was running, as shown below.

Deleting Breakpoints

To see all the breakpoints, execute this command:
bl
There are two breakpoints, as shown below.

In the line for breakpoint 1, click Clear.

The system executes the bc 1 command for you.

Repeat the process to delete breakpoint 0.

Running Notepad

At the top of the window, click the Home tab. In the top left, click the green Go arrow.
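The breakpoint, stack-trace, thread and module steps above can be collected into one WinDbg script file so the whole walkthrough reruns without retyping each command. This is an added example, not part of the original lab; the file paths and file names are assumptions, and it goes one step beyond the text by attaching a command string to the ZwCreateFile breakpoint so each file-creation call is logged with its callers and execution continues, instead of stopping every time.

```windbg
$$ notepad-trace.wds (constructed for this example; path and name are assumptions)
$$ Usage, after File > "Launch executable" on notepad.exe, in the WinDbg command line:
$$   $$>< C:\Users\Public\notepad-trace.wds
$$ $$>< reads the file and joins its lines with semicolons, so comments stay on their own lines.

$$ Record everything printed to a log file for later review.
.logopen C:\Users\Public\notepad-trace.log

$$ Point the symbol path at the Microsoft symbol server (needs Internet access the first time),
$$ then reload so notepad!wWinMain and ntdll!ZwCreateFile resolve to addresses.
.symfix
.reload

$$ Confirm the entry point name (WinMain or wWinMain) and ntdll's load address,
$$ which should match the DLL properties shown in Process Explorer.
x notepad!*main*
lm m ntdll

$$ Stop once at the program entry point, as the walkthrough does.
bu notepad!wWinMain

$$ Trace file creation instead of halting on it: on each hit, print a marker,
$$ the current thread, the top five stack frames, then continue (gc).
bu ntdll!ZwCreateFile ".echo --- ZwCreateFile ---; ~.; k 5; gc"

$$ List both breakpoints, then run to wWinMain.
bl
g
```

After the stop at wWinMain, type g again to let the ZwCreateFile trace run; bc * clears both breakpoints and .logclose ends the log when you are finished.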

PMA 430.1 Parent Process (15 pts)

Launch Process Explorer as Administrator. Scroll to the bottom and find the Notepad process. (There may be more than one, as shown below.)

The flag is the name of the parent process, covered by a green box in the image below.


Posted 10-13-20
Process Explorer instructions updated 10-14-20
Bugs fixed 4-13-2021
Minor edits 11-2-21
Note about wWinMain added 10-18-22