Yarden is a senior security researcher at Trail of Bits and a consultant for Winsider Seminars & Solutions Inc., co-teaching security trainings. Previously she worked at CrowdStrike and SentinelOne on EDR features and Windows research. Outside of her primary work duties, Yarden writes articles and tools and gives talks on topics such as Pool internals, CET internals, extension host hooking and kernel exploit mitigations. Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.
Debugging is a crucial skill for any practitioner doing security engineering work or reverse engineering. It serves many purposes: assisting with and automating vulnerability research and malware analysis; application, driver, and OS analysis; general troubleshooting. Unfortunately, many practitioners aren’t using the full capabilities of modern debugging and scripting tools.
This hands-on, three-day class will supply students with the following skills:
1. Debugger Basics: This section will introduce debugging on Windows – where and how to obtain the Windows Debugging Tools and the various flavors of debuggers (legacy WinDbg, modern WinDbg and command line tools). Students will learn about user-mode and kernel-mode debugging techniques and get familiar with WinDbg and its abilities, legacy commands, and built-in extensions. This section will also explain debugger symbols and how to configure and use them when analyzing the OS, applications, and drivers.
2. Kernel Mode Debugging: In this section, we will focus on kernel-mode debugging. Students will learn how to attach a kernel debugger to a local or remote system for OS and driver analysis. Beyond live debugging, this section will also introduce crash dumps and memory dumps – how they are generated, the different types of dumps, and the basic debugger commands for initial crash dump analysis.
3. User Mode Debugging: This section will focus on debugging user-mode targets. Students will learn how to attach a debugger to an existing process or spawn a new one for application and malware analysis, and about the commands and possibilities that differ between user-mode and kernel-mode debugging. Another interesting user-mode capability added in recent years is Time Travel Debugging (TTD) – the ability to record the execution of an application and then replay and analyze it. Students will learn how to start a TTD session on a new process or record the execution of an existing process.
4. Debugger Data Model, NatVis, and LINQ: This section will focus on modern WinDbg features and how those can be used to improve and accelerate security research. The debugger data model is a powerful engine embedded in the debugger that allows complex data visualization through NatVis. When paired with LINQ, which allows running SQL-like queries on debugger objects, debugging is taken to a new level. The section will also cover some of the more interesting debugger namespace methods and extensions, which allow writing logs to disk, introducing new symbols into the debugger, using the built-in disassembler and more.
5. Debugger Engine and API Extensions: This last section of the class will introduce the Debugger Engine and its COM and .NET interfaces, as well as API extensions that interact with it. The debugger engine allows creating custom C++ (or C#) extensions that can be loaded into the debugger to automatically run code analysis or forensic operations. Students will be introduced to these APIs and learn how to write a simple debugger extension for various use cases in user and kernel mode, as well as for crash dump analysis. Usage and integration of the engine into other projects, such as the PoolViewer tool or the DbgX package, will also be discussed.
Alongside these debugging skills, the class will also teach the core concepts of the Windows operating system necessary for debugging. These include processes and threads, stacks, objects and handle tables, memory management basics and more.