Windows Process Internals with WinDbg
Last modified: 2024-05-21
We can examine the Windows process using WinDbg.
Preparation
Here we’re going to start notepad process as example.
Click File → Launch Executable then select C:\Windows\System32\notepad.exe.
After that, if we’ve not already set symbol file path, run the following commands:
.sympath SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
.reload /f
Examine DOS Header
1. Get Address of Module Base Address
Firstly, we need to get the module (notepad here) base address. To do that, list loaded modules with the following command:
lm
Output:
start end module name
00007ff6`52990000 00007ff6`529ea000 notepad (pdb symbols) C:\ProgramData\Dbg\sym\notepad.pdb\123456789ABCDEF123456789ABCDEF123\notepad.pdb
00007ffb`0e1a0000 00007ffb`0e433000 COMCTL32 (deferred)
00007ffb`29c10000 00007ffb`29d21000 ucrtbase (deferred)
As output above, the address of the notepad is 00007ff6`52990000 so take a note of this address.
2. Examine IMAGE_DOS_HEADER Structure
To get inside the DOS header, run the following command with specified address that we retrieved in the previous section:
dt ntdll!_IMAGE_DOS_HEADER 00007ff6`52990000
Output:
+0x000 e_magic : 0x5a4d
...
+0x03c e_lfanew : 0n240
Maybe what data we should check are e_magic and e_lfanew .
e_magic: It contains 2-byte (0x5A4D:MZin ASCII) data.e_lfanew: It holds an offset of NT Headers.
3. Examine e_magic
dd 00007ff6`52990000 L1
Output:
00007ff6`52990000 00905a4d
As above, we can see the value contains 5A4D.
4. Examine e_lfanew
To see the value of e_lfanew, run the following command with specifying the offset 0x03C:
dd 00007ff6`52990000+0x03C L1
Output:
00007ff6`5299003c 000000f0
As above, we get 000000f0 . This value is an offset of PE Header.
5. Examine PE Header
To get information of PE header, run the following command with specifying the offset 0x0F0:
dd 00007ff6`52990000+0x0F0 L1
Output:
00007ff6`529900f0 00004550
The result value is 00004550 that is \0\0EP (little-endian, so it means PE\0\0 in ASCII.
Examine PEB (Process Environment Block)
1. Get Address of PEB
At first, we need to know the PEB (Process Environment Block) address with the following command:
!peb
Output:
PEB at 00000055d7905000
...
Although the output is large, we can get the address at the first line as above.
2. PEB Structure
To see the inside of the PEB, run dt command with the specified address:
dt _PEB 00000055d7905000
Output:
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
...
+0x018 Ldr : 0x00007ffb`2ca76440 _PEB_LDR_DATA
...
What we should pay attention to is the Ldr line because the Ldr has important roles in loading APIs required by the executable file when the process is started.
So take a note of this LDR address (0x00007ffb`2ca76440 here).
3. Examine Ldr Structure
Same ways as above, run dt command to see the Ldr structure. Please note that we should specify the _PEB_LDR_DATA .
dt _PEB_LDR_DATA 0x00007ffb`2ca76440
Output:
ntdll!_PEB_LDR_DATA
+0x000 Length : 0x58
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x000001c4`b1ef28c0 - 0x000001c4`b1eff510 ]
+0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x000001c4`b1ef28d0 - 0x000001c4`b1eff520 ]
+0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x000001c4`b1ef2740 - 0x000001c4`b1ef75e0 ]
+0x040 EntryInProgress : (null)
+0x048 ShutdownInProgress : 0 ''
+0x050 ShutdownThreadId : (null)
We’re going to see the details of InLoadOrderModuleList in the next, so take a note of the address (0x000001c4`b1ef28c0).
4. Examine InLoadOrderModuleList Structure
To see the information in the InLoadOrderModuleList , run dt command as below. Please note that we should set _LDR_DATA_TABLE_ENTRY instead of _LIST_ENTRY to see the desired information.
dt _LDR_DATA_TABLE_ENTRY 0x000001c4`b1ef28c0
Output:
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x000001c4`b1ef2720 - 0x00007ffb`2ca76450 ]
+0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x000001c4`b1ef2730 - 0x00007ffb`2ca76460 ]
+0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x030 DllBase : 0x00007ff6`52990000 Void
+0x038 EntryPoint : 0x00007ff6`529919a0 Void
+0x040 SizeOfImage : 0x5a000
+0x048 FullDllName : _UNICODE_STRING "C:\Windows\System32\notepad.exe"
+0x058 BaseDllName : _UNICODE_STRING "notepad.exe"
...
As above, the notepad.exe itself is loaded in here by seeing the BaseDllName line.
5. Examine Next InLoadOrderModuleList Structure
To examine the next loaded module, we should get the next InLoadOrderModuleList structure. To do that, run the following command with specifying the address of the InLoadOrderModuleList that we took a note of in the previous section. Please note that we should set _LIST_ENTRY to see the next entry:
dt _LIST_ENTRY 0x000001c4`b1ef28c0
Output:
ntdll!_LIST_ENTRY
[ 0x000001c4`b1ef2720 - 0x00007ffb`2ca76450 ]
+0x000 Flink : 0x000001c4`b1ef2720 _LIST_ENTRY [ 0x000001c4`b1ef75c0 - 0x000001c4`b1ef28c0 ]
+0x008 Blink : 0x00007ffb`2ca76450 _LIST_ENTRY [ 0x000001c4`b1ef28c0 - 0x000001c4`b1eff510 ]
This output contains the next entry (Flink) and the last entry (Blink). Naturally, what we want is the Flink!. So please take a note of this address (0x000001c4`b1ef2720)
Now we can get the next data entry with the following command:
dt _LDR_DATA_TABLE_ENTRY 0x000001c4`b1ef2720
Output:
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x000001c4`b1ef75c0 - 0x000001c4`b1ef28c0 ]
+0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x000001c4`b1ef75d0 - 0x000001c4`b1ef28d0 ]
+0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x000001c4`b1ef7bd0 - 0x00007ffb`2ca76470 ]
+0x030 DllBase : 0x00007ffb`2c8f0000 Void
+0x038 EntryPoint : (null)
+0x040 SizeOfImage : 0x217000
+0x048 FullDllName : _UNICODE_STRING "C:\Windows\SYSTEM32\ntdll.dll"
+0x058 BaseDllName : _UNICODE_STRING "ntdll.dll"
...
Seeing at the BaseDllName line, it loads the ntdll.dll module.
If we repeat the steps above, we should see that the KERNEL32.DLL is loaded in the next entry.
6. Examine BaseDllName Structure
Up to this point, we have been able to see the information of InloadOrderModuleList structure. Next, let's take a look inside the BaseDllName.
With the example above, the offset of the BaseDllName from the InLoadOrderModuleList is +0x058 . So we can use this in the following command:
dt _UNICODE_STRING 000001c4`b1ef2720+0x058
Output:
ntdll!_UNICODE_STRING
"ntdll.dll"
+0x000 Length : 0x12
+0x002 MaximumLength : 0x14
+0x008 Buffer : 0x00007ffb`2ca2e5f0 "ntdll.dll"