Debugging Tools for Windows Exploit Research
Last updated: 2026-04-10
Related: Reversing, Architecture, Dynamic Analysis
Tags:kernel-mode,user-mode
Summary
Mastery of Windows debugging tools — especially WinDbg — is non-negotiable for exploit research. This page covers the essential tools, their setup, and the most important commands and workflows for exploit development.
WinDbg / WinDbg Preview
The primary kernel and user-mode debugger for Windows. Available via WDK or as WinDbg Preview (Microsoft Store).
Setup: Kernel Debugging via KDNET (Recommended)
KDNET is the easiest network debugging setup — auto-detects network adapter and adjusts busparams:
// On TARGET VM:
mkdir C:\kdnet
copy "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kdnet.exe" C:\kdnet
copy "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\VerifiedNICList.xml" C:\kdnet
cd C:\kdnet
kdnet // list supported network interfaces
bcdedit /set key 1.2.3.4 // set connection key explicitly
kdnet 192.168.0.96 50008 -k // configure kernel debugging (-k), reboot
// Set symbol path (both target and host):
_NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols
// On HOST:
windbg -k net:port=50008,key=1.2.3.4
// Or: WinDbg Preview → File | Attach to Kernel | Net → port + key
KDNET flags: -k kernel, -h hypervisor, -b bootmgr, -w winload. Combine: -kh for kernel+hypervisor simultaneous debugging.
Alternative (bcdedit directly):
bcdedit /debug on
Get-NetAdapterHardwareInfo // get busparams (PowerShell)
bcdedit /dbgsettings net hostip:192.168.0.96 port:50008 busparams:3.0.0 key:1.2.3.4
shutdown -r -t 0
Troubleshooting: Use NAT (not bridged) network interface; DHCP (not static); enable “Windows GUI Symbolic Debugger” inbound firewall rule.
Setup: Kernel + Hyper-V Debugging
// Enable both kernel and hypervisor debugging simultaneously:
kdnet 192.168.0.96 50008 -kh
// OR:
bcdedit /dbgsettings net hostip:192.168.0.96 port:50008 busparams:3.0.0 key:1.2.3.4
// On host:
windbg -k net:port=50008,key=1.2.3.4
// Debugger sees both NT and Hyper-V (hvix64.exe) execution
Hyper-V specific setup: Requires nested virtualization. Recommended: physical host → VMware VM (L1) → Hyper-V VM (L2). Serial or network debugging between L0 and L1; Hyper-V events visible in the same session.
IDA Pro + WinDbg Synchronization (ret-sync)
ret-sync keeps IDA Pro’s disassembly view synchronized with WinDbg execution in real time:
// Install:
git clone https://github.com/bootleg/ret-sync
cd ret-sync\ext_ida
copy SyncPlugin.py %APPDATA%\Hex-Rays\IDA Pro\plugins\
mkdir %APPDATA%\Hex-Rays\IDA Pro\plugins\retsync
copy retsync\*.py %APPDATA%\Hex-Rays\IDA Pro\plugins\retsync\
// Build sync.dll from ret-sync\ext_windbg\sync\sync.sln (Release x64)
copy sync.dll "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\"
// (WinDbg Preview: %LOCALAPPDATA%\Microsoft\WindowsApps\Microsoft.WinDbg_*/...)
// Configuration file (.sync) in WinDbg's home directory:
[INTERFACE]
host=192.168.0.96
port=9100
[ALIASES]
ntoskrnl.exe=ntkrnlmp.exe
// WinDbg:
.load sync
!sync
// IDA Pro:
// Edit → Plugins → ret-sync (Alt-Shift-S)
// Enable: "Synchronization enabled" + "Hex-Rays Synchronization"
Once synchronized: stepping through WinDbg (t, p) updates IDA Pro’s cursor automatically. Set IDA breakpoints that trigger in WinDbg. Disable: !syncoff in WinDbg.
Required files in IDA database (scp from target): ntoskrnl.exe, kernelbase.dll, ntdll.dll, driver being analyzed.
Setup: Kernel Debugging (legacy bcdedit method)
// Target VM (serial/network/USB):
bcdedit /debug on
bcdedit /dbgsettings net hostip:192.168.1.1 port:50000 key:1.2.3.4
// Host debugger:
windbg -k net:port=50000,key=1.2.3.4
// Or via VirtualKD-Redux (VMware shared memory): much faster than serial
Symbol Setup
// Set symbol path to Microsoft symbol server:
.sympath srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
.reload /f // force reload all symbols
!sym noisy // verbose symbol loading (debugging symbol issues)
Essential WinDbg Commands
Navigation
g // go (continue)
p // step over
t // step into
gu // go up (run until return)
bl // list breakpoints
bp addr // software breakpoint
ba e1 addr // hardware execute breakpoint
ba w4 addr // hardware write breakpoint (4 bytes)
ba r4 addr // hardware read/write breakpoint
bc * // clear all breakpoints
Memory Inspection
dd addr // display DWORDs
dq addr // display QWORDs
da addr // display ASCII string
du addr // display Unicode string
db addr L20 // display 0x20 bytes
dp addr // display pointers
dps addr // display pointers + symbols
Structure Inspection
dt nt!_EPROCESS // display type definition
dt nt!_EPROCESS @$proc // display current process structure
dt nt!_EPROCESS poi(gs:[188]+220) // dereference and display
!process 0 0 // list all processes
!process 0 7 // list all processes, full detail
!thread // current thread
dt nt!_KTHREAD @$thread // current KTHREAD
Pool / Heap Analysis
!pool addr // identify pool chunk at address
!pool addr 2 // verbose pool chunk info
!poolused // pool tag statistics
!heap -p -a addr // identify heap allocation (user-mode)
!heap -l // list all heaps
!heap -stat // heap statistics
Kernel-Specific
!idt // dump IDT
!pcr // dump PCR
!pte addr // page table entry for virtual address
!vtop base addr // virtual to physical
lm // list loaded modules
lmvm ntoskrnl // verbose info for ntoskrnl
!object \ // browse object manager namespace
!handle // display handles
Crash Analysis
!analyze -v // analyze crash dump (verbose)
.bugcheck // display bugcheck info
!stacks // all thread stacks (crash dump)
.exr -1 // display last exception record
.cxr addr // set context to exception record
Time Travel Debugging (TTD)
WinDbg Preview supports Time Travel Debugging — record execution and replay forward/backward. Invaluable for UAF and race condition analysis.
Setup
// Attach TTD to process:
windbg -accepteula -o ttd target.exe -out trace.run
// Open trace:
windbg -accepteula trace.run
TTD Commands
!tt 0 // travel to start of trace
!tt 100 // travel to end of trace
g- // step backward
p- // step backward (step over)
t- // step backward (step into)
// Data breakpoint in reverse — find who wrote a value:
ba w8 addr // set write breakpoint
g- // travel backward to find last write
TTD Queries (dx / LINQ)
// Find all calls to HeapFree:
dx @$cursession.TTD.Calls("ntdll!RtlFreeHeap").Select(c => c.Parameters[2])
// Find when a specific address was written:
dx @$cursession.TTD.Memory(addr, addr+8, "w")
// Trace specific function arguments over all calls:
dx @$cursession.TTD.Calls("ntdll!NtAllocateVirtualMemory").Select(c => new { Addr = c.Parameters[1], Size = c.Parameters[3] })
WinDbg Scripts / Automation
mona.py (Immunity Debugger, but concepts apply)
- Automatic ROP gadget finding
- Pattern generation for offset calculation
- Heap spray analysis
PyKD / pykd2
Python scripting for WinDbg:
import pykd
# Read memory
val = pykd.loadQWords(addr, 1)[0]
# Walk process list
proc = pykd.typedVar("nt!_EPROCESS", pykd.getImplicitProcess())
WinDbg JavaScript Extensions
.scriptload C:\scripts\exploit_helpers.js
dx Debugger.Utility.Control.ExecuteCommand("!process 0 0")
KD (Kernel Debugger) Command Line
For automation and CI:
kd -k net:port=50000,key=1.2.3.4 -c "bp ntoskrnl!ExAllocatePoolWithTag; g; !pool @rsp"
LiveKD (Non-Disruptive Kernel Analysis)
Sysinternals LiveKD: attach WinDbg to live kernel without halting it:
livekd -w // opens WinDbg on live kernel (snapshot mode)
Useful for inspecting process/pool state without triggering security software.
x64dbg / x32dbg (User-Mode)
Best user-mode debugger for exploit development. Features:
- Plugin ecosystem (xAnalyzer, ScyllaHide — anti-anti-debug)
- Scriptable via Python/JavaScript
- Better UI than WinDbg for user-mode work
Key x64dbg Features for Exploit Dev
- Hardware breakpoints: right-click address → breakpoint → hardware
- Memory map: shows all regions + permissions → find RWX regions
- Heap view:
View → Heap— browse heap chunks - Dump window: persistent memory watch during execution
- Conditional breakpoints:
bcwith expression — break only when register meets condition
Useful WinDbg Extensions
| Extension | Purpose |
|---|---|
!pte | Page table entry analysis |
!pool | Pool chunk identification |
!object | Object manager browsing |
!handle | Handle table inspection |
!token | Token inspection |
!exploitable (MSEC) | Automatic exploitability assessment of crash |
SwishDbgExt | Additional pool, object commands |
MEX | Microsoft’s internal extension, leaked |
Crash Dump Analysis Workflow
1. Configure kernel dump:
wmic recoveros set FullDumpEnabled=1
or: System Properties → Advanced → Startup & Recovery → Complete memory dump
2. Capture dump:
NotMyFault.exe /crash (or trigger bug)
3. Analyze:
windbg -z C:\Windows\MEMORY.DMP
!analyze -v
!stacks 2
lm
dt nt!_EPROCESS <address from !analyze>
Exploit Relevance
WinDbg + TTD is the single most powerful tool in a kernel exploit developer’s arsenal. Master dt, !pool, !process, hardware breakpoints, and TTD queries. The ability to reverse-trace “who freed this object?” with TTD turns 3-day UAF root cause investigations into 30-minute sessions.
References
- “WinDbg Primer” — Andrea Allievi
- “Time Travel Debugging” — Microsoft Docs
- “WinDbg Tips for Kernel Exploit Development” — Connor McGarr
- Corelan WinDbg guides — corelan.be
- “Windows Kernel Debugging” — Alex Ionescu (Winsider)