You are previewing Windows Debugging: Practical Foundations.
O'Reilly logo
Windows Debugging: Practical Foundations

Book Description

Written by the founder of DumpAnalysis.org this book is not about bugs or debugging techniques but about background knowledge everyone needs to start experimenting with WinDbg, learn from practical experience and read other advanced debugging books. Solid understanding of fundamentals like pointers is needed to analyze stack traces beyond !analyze -v and lmv WinDbg commands. This is the book to help technical support and escalation engineers and Windows software testers without the knowledge of assembly language to master necessary prerequisites to understand and start debugging and crash dump analysis on Windows platforms. It doesn't require any specific knowledge, fills the gap and lowers the learning curve. The book is also useful for software engineers coming from managed code or Java background, engineers coming from non-Wintel environments, Windows C/C++ software engineers without assembly language background, security researchers and beginners learning Windows software disassembling and reverse engineering techniques. This book can also be used as Intel assembly language and Windows debugging supplement for relevant undergraduate level courses.

Table of Contents

  1. Copyright
  2. Preface
  3. Acknowledgements
  4. About the Author
  5. 1. Memory, Registers and Simple Arithmetic
    1. 1.1. Memory and Registers inside an Idealized Computer
    2. 1.2. Memory and Registers inside Intel 32-bit PC
    3. 1.3. "Arithmetic" Project: Memory Layout and Registers
    4. 1.4. "Arithmetic" Project: A Computer Program
    5. 1.5. "Arithmetic" Project: Assigning Numbers to Memory Locations
    6. 1.6. Assigning Numbers to Registers
    7. 1.7. "Arithmetic" Project: Adding Numbers to Memory Cells
    8. 1.8. Incrementing/Decrementing Numbers in Memory and Registers
    9. 1.9. Multiplying Numbers
    10. 1.10. Multiplication and Registers
  6. 2. Debug and Release Binaries
    1. 2.1. "Arithmetic" Project: C/C++ Program
    2. 2.2. Downloading and Configuring WinDbg Debugger
    3. 2.3. WinDbg Disassembly Output – Debug Executable
    4. 2.4. WinDbg Disassembly Output – Release Executable
  7. 3. Number Representations
    1. 3.1. Numbers and Their Representations
    2. 3.2. Decimal Representation (Base Ten)
    3. 3.3. Ternary Representation (Base Three)
    4. 3.4. Binary Representation (Base Two)
    5. 3.5. Hexadecimal Representation (Base Sixteen)
    6. 3.6. Why Hexadecimals are used?
  8. 4. Pointers
    1. 4.1. A Definition
    2. 4.2. "Pointers" Project: Memory Layout and Registers
    3. 4.3. "Pointers" Project: Calculations
    4. 4.4. Using Pointers to Assign Numbers to Memory Cells
    5. 4.5. Adding Numbers Using Pointers
    6. 4.6. Multiplying Numbers Using Pointers
  9. 5. Bytes, Words and Double Words
    1. 5.1. Using Hexadecimal Numbers
    2. 5.2. Byte Granularity
    3. 5.3. Bit Granularity
    4. 5.4. Memory Layout
  10. 6. Pointers to Memory
    1. 6.1. Pointers Revisited
    2. 6.2. Addressing Types
    3. 6.3. Registers Revisited
    4. 6.4. NULL Pointers
    5. 6.5. Invalid Pointers
    6. 6.6. Variables as Pointers
    7. 6.7. Pointer Initialization
    8. 6.8. Note: Initialized and Uninitialized Data
    9. 6.9. More Pseudo Notation
    10. 6.10. "MemoryPointers" Project: Memory Layout
  11. 7. Logical Instructions and EIP
    1. 7.1. Instruction Format
    2. 7.2. Logical Shift Instructions
    3. 7.3. Logical Operations
    4. 7.4. Zeroing Memory or Registers
    5. 7.5. Instruction Pointer
    6. 7.6. Note: Code Section
  12. 8. Reconstructing a Program with Pointers
    1. 8.1. Example of Disassembly Output: No Optimization
    2. 8.2. Reconstructing C/C++ Code: Part 1
    3. 8.3. Reconstructing C/C++ Code: Part 2
    4. 8.4. Reconstructing C/C++ Code: Part 3
    5. 8.5. Reconstructing C/C++ Code: C/C++ program
    6. 8.6. Example of Disassembly Output: Optimized Program
  13. 9. Memory and Stacks
    1. 9.1. Stack: A Definition
    2. 9.2. Stack Implementation in Memory
    3. 9.3. Things to Remember
    4. 9.4. PUSH Instruction
      1. 9.4.1. PUSH r/mem/imm
    5. 9.5. POP instruction
      1. 9.5.1. POP r/mem
    6. 9.6. Register Review
    7. 9.7. Application Memory Simplified
    8. 9.8. Stack Overflow
    9. 9.9. Jumps
    10. 9.10. Calls
    11. 9.11. Call Stack
    12. 9.12. Exploring Stack in WinDbg
  14. 10. Frame Pointer and Local Variables
    1. 10.1. Stack Usage
    2. 10.2. Register Review
      1. 10.2.1. EBP
    3. 10.3. Addressing Array Elements
    4. 10.4. Stack Structure (No Function Parameters)
    5. 10.5. Raw Stack (No Local Variables and Function Parameters)
    6. 10.6. Function Prolog
    7. 10.7. Function Epilog
    8. 10.8. "Local Variables" Project
    9. 10.9. Disassembly of Optimized Executable (Release Configuration)
    10. 10.10. Advanced Topic: FPO
  15. 11. Function Parameters
    1. 11.1. "FunctionParameters" Project
    2. 11.2. Stack Structure
    3. 11.3. Stack Structure with FPO
    4. 11.4. Function Prolog and Epilog
    5. 11.5. Project Disassembled Code with Comments
    6. 11.6. Release Build with FPO Enabled
    7. 11.7. Cdecl Calling Convention
    8. 11.8. Parameter Mismatch Problem
  16. 12. More Instructions
    1. 12.1. CPU Flags Register
    2. 12.2. The Fastest Way to Fill Memory
    3. 12.3. Testing for 0
    4. 12.4. TEST - Logical Compare
    5. 12.5. CMP – Compare Two Operands
    6. 12.6. TEST or CMP?
    7. 12.7. Conditional Jumps
    8. 12.8. The Structure of Registers
    9. 12.9. Function Return Value
    10. 12.10. Using Byte Registers
  17. 13. Function Pointer Parameters
    1. 13.1. "FunctionPointerParameters" Project
    2. 13.2. Commented Disassembly
    3. 13.3. Dynamic Addressing of Local Variables
  18. 14. Summary of Code Disassembly Patterns
    1. 14.1. Function Prolog / Epilog
    2. 14.2. Passing Parameters
    3. 14.3. LEA (Load Effective Address)
    4. 14.4. Accessing Parameters and Local Variables