applied security conferences and training: CanSecWest | PacSec | EUSecWest |

Security Masters Dojo

Advanced and intermediate security training and technology enhancement for information security professionals.

CanSecWest: Security Masters Dojo Vancouver

Introduction to Windows Analysis, Forensics and Reverse Engineering with WinDBG

Register for the March 12-13, 2-day Course

Alex Ionescu


The Windows Debugger (WinDBG) is an invaluable tool for troubleshooting, analyzing, forensics, reverse engineering, and learning about a wide variety of Microsoft Operating Systems-based code, including XBOX Games, Windows Phone Applications, Kernel Rootkits, User-Mode Malware and the Azure Hypervisor. Powered by a wide variety of extensions and access to public symbol files, it can be a powerful tool in the arsenal of both an attacker and defender. Yet, decades of abandonment led to an arcane scripting and automation language, painfully slow serial port-based connectivity, and a GUI straight out of Windows 3.1 MDI.

With a refreshed passion and renewed development effort, the WinDBG team has made significant changes to the entire debugging architecture and platform, providing 10Gbit/s connectivity for Virtual Machine and Remote System debugging, an entirely new rewritten user interface, a powerful debugger data model for visualizing code and data structures in agnostic ways, and an ES6 JavaScript scripting language that can imperatively hunt in memory, conditionalize breakpoints, and even extend the namespace, model, and data structures shown in the debugger and its symbols.

If the thought of bridging a JavaScript routine with a public symbol data type to hunt for a rootkit using a LINQ query with a predicate based on a lambda expression sounds like kind of reversing and forensics you'd like to be doing instead of relying on 3rd party tools or learning what .block { @@C++((*(int*)@@MASM(nt!Foo))[0n10]) } means or which devil spawn it will form in your kernel.

Key Learning Objectives:

Upon completion of this training, participants will be able to:

PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.


To get the most out of this training, knowledge of computer science concepts such as memory, registers, processes, threads, and basic programming knowledge (functions and basic data structures) is highly recommended. Students should be common with basic Windows OS knowledge (kernel mode vs. user mode, processes vs. threads, heap, stack, pool, drivers, etc.). A reading of Windows Internals 7th Edition, Part 1 is optional but would be helpful to maximize knowledge absorption.

What you will need to bring:

Students will need a laptop with the ability to run a 64-bit version of Windows 10 1803 (Redstone 4) and a wireless network adapter. Full administrative access and the ability to turn off BitLocker/SecureBoot is needed, otherwise a Virtual Machine such as VMWare Workstation and/or Oracle Virtual Box needs to be installed with a Windows 10 1803 x64 build and the appropriate software, which can be obtained from Additionally, the latest Windows 10 RS4 SDK as of March 10th must be installed. Final download links and software information will be sent by e-mail to all attendees.

Who Should Attend:

Windows Kernel Exploitation/Internals/Rootkit analysis-course attendees, Bug Hunters & Red Teamers, User Mode Exploit Developers, Windows Driver Developers & Testers, Windows Forensic analysts, anyone with an interest in understanding Windows Kernel and User forensics and data structures, Ethical Hackers, Security Researchers and Penetration Testers looking to upgrade their skill-set and toolkit with the new Windows Debugger capabilities.