x64dbg - Windows Debugger

📋 Kopieren Sie alle Befehle 📄 PDF generieren

x64dbg stellt die Spitze moderner Windows Debugging-Technologie dar, die als umfassende und benutzerfreundliche Alternative zu herkömmlichen Debugging-Tools wie OllyDbg und WinDbg dient. Dieser leistungsstarke Open-Source-Debugger hat Windows-Reverse-Engineering revolutioniert, indem er eine intuitive grafische Schnittstelle kombiniert mit fortschrittlichen Debugging-Funktionen, die sowohl Anfänger-Analysten als auch erfahrene Sicherheitsforscher bieten. Was x64dbg auseinander setzt, ist seine native Unterstützung für 32-Bit und 64-Bit Windows-Anwendungen, nahtlose Integration mit modernen Windows-Betriebssystemen und umfangreiches Plugin-Ökosystem, das seine Funktionalität weit über grundlegende Debugging-Operationen hinaus erweitert. Die Architektur des Debuggers betont Usability, ohne Macht zu opfern, bietet Funktionen wie fortschrittliches Breakpoint Management, umfassende Speicheranalyse, integrierter Disassembler mit Syntax-Highlighting und anspruchsvolle Skripting-Funktionen. x64dbg ist der de facto Standard für Windows-Malware-Analyse, Schwachstellenforschung und Software-Reverse-Engineering, Bereitstellung von Sicherheitsexperten mit den Werkzeugen, die sie benötigen, um komplexe Software-Verhalten zu verstehen, Sicherheitslücken zu identifizieren und effektive Gegenmaßnahmen gegen bösartige Software zu entwickeln.

Installation und Inbetriebnahme

Systemanforderungen und Installation

```bash

System Requirements

Windows 7 SP1 or later (Windows 10/11 recommended)

Visual C++ Redistributable 2019 or later

.NET Framework 4.7.2 or later

Administrator privileges for debugging system processes

Download x64dbg

Official website: https://x64dbg.com/

GitHub releases: https://github.com/x64dbg/x64dbg/releases

Installation Methods

1. Portable Installation (Recommended)

Download x64dbg portable package

Extract to desired directory (e.g., C:\x64dbg)

No installation required - run directly

2. Installer Package

Download x64dbg installer

Run as Administrator

Follow installation wizard

Creates desktop shortcuts and file associations

Directory Structure

x64dbg/ ├── release/ │ ├── x32/ # 32-bit debugger │ │ ├── x32dbg.exe # Main 32-bit debugger │ │ ├── x32bridge.dll # Bridge library │ │ └── plugins/ # 32-bit plugins │ ├── x64/ # 64-bit debugger │ │ ├── x64dbg.exe # Main 64-bit debugger │ │ ├── x64bridge.dll # Bridge library │ │ └── plugins/ # 64-bit plugins │ ├── x96dbg.exe # Launcher (auto-detects architecture) │ ├── pluginsdk/ # Plugin development SDK │ └── help/ # Documentation

First Launch Setup

1. Run x96dbg.exe (recommended launcher)

2. Configure initial settings

3. Set up symbol paths

4. Configure plugin directories

```_

Konfiguration und Anpassung

```bash

Configuration Files

# Settings stored in: %APPDATA%\x64dbg\

Main config: x64dbg.ini (64-bit) / x32dbg.ini (32-bit)

Essential Configuration Options

[Engine] BreakpointType=1 # Software breakpoints CalculationType=0 # Signed calculations Assembler=0 # XEDParse assembler IgnoreInconsistentBreakpoints=0

[Disasm] Uppercase=0 # Lowercase assembly TabbedMnemonic=0 # Tabbed mnemonics ArgumentSpaces=0 # Spaces in arguments MemorySpaces=0 # Spaces in memory operands NoHighlightOperands=0 # Highlight operands NoCurrentModuleText=0 # Show current module 0xPrefixValues=1 # 0x prefix for hex values

[Gui] FpuRegistersLittleEndian=0 # FPU register display SaveColumnOrder=1 # Save column order NoCloseDialog=0 # Close confirmation PidInHex=0 # Process ID in hex SidebarWatchLabels=1 # Watch labels in sidebar

Symbol Configuration

Options -> Preferences -> Symbols

Microsoft Symbol Server: https://msdl.microsoft.com/download/symbols

Local symbol cache: C:\Symbols

Symbol search paths: _NT_SYMBOL_PATH environment variable

Plugin Configuration

# Plugins directory: x64dbg\release\x64\plugins\ # Plugin settings: %APPDATA%\x64dbg\plugins\

Essential Plugins

ScyllaHide: Anti-anti-debugging

xAnalyzer: Advanced static analysis

x64dbgpy: Python scripting

OllyDumpEx: Process dumping

Multiline Ultimate Assembler: Enhanced assembly

```_

Grundlegende Debugging Operationen

Belastung und Befestigung an Prozessen

```bash

Loading Executables

File -> Open -> Select executable

Drag and drop executable onto x64dbg

Command line: x64dbg.exe target.exe

Command Line Arguments

File -> Change Command Line

Set arguments before starting debugging

Example: program.exe -arg1 value1 -arg2

Attaching to Running Processes

File -> Attach

Select process from list

Filter by name or PID

Requires appropriate privileges

Process Selection Criteria

Architecture matching (32-bit vs 64-bit)

Process permissions

Anti-debugging protections

System process restrictions

Loading DLLs for Analysis

File -> Open -> Select DLL

Analyze DLL exports and imports

Set breakpoints on DLL functions

Useful for library analysis

Working Directory

File -> Change Working Directory

Set appropriate working directory

Important for file path resolution

Affects relative path operations

```_

Navigation und Schnittstellenübersicht

```bash

Main Interface Components

1. CPU Window - Main debugging interface

- Disassembly view

- Register view

- Memory dump

- Stack view

- Information view

2. Log Window - Debug output and messages

3. Breakpoints Window - Breakpoint management

4. Memory Map - Process memory layout

5. Call Stack - Function call hierarchy

6. SEH Chain - Exception handler chain

7. Threads - Thread information

8. Handles - Process handles

9. Modules - Loaded modules

Navigation Shortcuts

Ctrl+G # Go to address/expression Ctrl+F # Find in current module Ctrl+B # Binary search Ctrl+R # Find references Ctrl+N # Find names/labels

View Navigation

F7 # Step into F8 # Step over F9 # Run/Continue Ctrl+F2 # Restart debugging Alt+F9 # Execute till user code

Memory Navigation

Ctrl+M # Memory map Ctrl+D # Dump memory Ctrl+S # Stack view Ctrl+E # Modules view

Window Management

F3 # Close tab Ctrl+Tab # Switch tabs F5 # Reload Ctrl+F4 # Close window ```_

Grundlegende Debugging Controls

```bash

Execution Control

F9 # Run/Continue execution F7 # Step into (follow calls) F8 # Step over (skip calls) Ctrl+F7 # Step into (skip system calls) Ctrl+F8 # Step over (skip system calls) F4 # Run to cursor Ctrl+F9 # Run to user code Alt+F9 # Execute until return

Advanced Execution

Shift+F7 # Step into (force) Shift+F8 # Step over (force) Ctrl+Shift+F7 # Animate into Ctrl+Shift+F8 # Animate over

Process Control

Ctrl+F2 # Restart debugging Ctrl+Alt+F2 # Close debugging F6 # Pause execution Ctrl+Break # Break execution

Thread Control

Threads window: View -> Threads

Switch between threads

Suspend/resume individual threads

View thread context and stack

Exception Handling

Options -> Preferences -> Exceptions

Configure exception handling

First chance exceptions

Second chance exceptions

Ignore specific exceptions

```_

Breakpoint Management

Software Breakpoints

```bash

Setting Breakpoints

F2 # Toggle breakpoint at current line

Right-click -> Breakpoint -> Toggle

Click in margin of disassembly view

Breakpoint Types

Software breakpoints (INT3)

Hardware breakpoints (debug registers)

Memory breakpoints (page guard)

Conditional breakpoints

One-time breakpoints

Breakpoint Window

View -> Breakpoints (Alt+B)

Enable/disable breakpoints

Edit breakpoint conditions

View breakpoint statistics

Export/import breakpoints

Conditional Breakpoints

Right-click breakpoint -> Edit

Condition examples:

eax == 0x1234

[esp+4] > 100

GetTickCount() > start_time + 5000

strcmp(esi, "password") == 0

Breakpoint Actions

Log message without breaking

Execute command on hit

Increment hit counter

Break after N hits

Advanced Breakpoint Features

Fast resume (skip breakpoint once)

Silent breakpoints (no GUI update)

Temporary breakpoints (auto-remove)

Breakpoint groups and categories

```_

Hardware Breakpoints

```bash

Hardware Breakpoint Types

Execute breakpoints (DR0-DR3)

Read/write breakpoints

Access breakpoints (read or write)

Size options: 1, 2, 4, 8 bytes

Setting Hardware Breakpoints

Right-click -> Breakpoint -> Hardware, Execute

Right-click -> Breakpoint -> Hardware, Access

Breakpoints window -> Add hardware breakpoint

Hardware Breakpoint Advantages

No code modification (stealth)

Work on packed/encrypted code

Limited to 4 breakpoints (x86/x64)

Faster than software breakpoints

Memory Breakpoints

Right-click -> Breakpoint -> Memory Access

Break on memory page access

Useful for large memory regions

Uses page guard mechanism

Breakpoint Scripting

Automatic actions on breakpoint hit

Log values and continue

Modify registers/memory

Call functions or APIs

```_

Advanced Breakpoint Techniques

```bash

API Breakpoints

Breakpoints -> Add API breakpoint

Set breakpoints on imported functions

Monitor API calls and parameters

Useful for behavior analysis

Exception Breakpoints

Break on specific exceptions

Access violations

Integer divide by zero

Stack overflow

Custom exception codes

Tracing and Logging

Trace into/over with logging

Log register values

Log memory contents

Log function parameters

Export trace to file

Breakpoint Conditions

Complex conditional expressions

Register comparisons

Memory content checks

String comparisons

Mathematical expressions

Breakpoint Performance

Minimize breakpoint overhead

Use hardware breakpoints for hot paths

Conditional breakpoints vs. logging

Batch breakpoint operations

```_

Speicheranalyse und Manipulation

Explorationsprojekt

```bash

Memory Map Analysis

View -> Memory Map (Ctrl+M)

Shows all memory regions

Base address, size, protection

Module information

Memory type (Image, Mapped, Private)

Memory Dump Views

View -> Dump (Ctrl+D)

Hexadecimal view of memory

ASCII/Unicode string view

Disassembly view

Structure view

Memory Navigation

Go to address (Ctrl+G)

Follow in dump

Follow in disassembler

Follow in stack

Binary search (Ctrl+B)

Memory Search

Search -> Find Pattern

Hex pattern search

String search (ASCII/Unicode)

Regular expression search

Reference search

Memory Protection

View memory protection flags

Read/Write/Execute permissions

PAGE_GUARD detection

DEP/NX bit status

ASLR information

```_

Speicheränderung

```bash

Direct Memory Editing

Double-click in dump view

Edit hex values

Edit ASCII strings

Undo/redo support

Assembly Patching

Right-click -> Assemble

Modify instructions in place

NOP out instructions

Insert jumps and calls

Patch binary files

Fill Memory

Right-click -> Fill

Fill with pattern

Fill with zeros

Fill with NOPs (0x90)

Fill with specific bytes

Copy/Paste Operations

Copy memory regions

Paste from clipboard

Export to file

Import from file

Binary data manipulation

Memory Allocation

Debug -> Allocate Memory

Allocate new memory regions

Set protection flags

Useful for shellcode testing

Custom memory layouts

```_

Erweiterte Speicheranalyse

```bash

Heap Analysis

View -> Heap

Heap block enumeration

Allocation tracking

Heap corruption detection

Use-after-free detection

Stack Analysis

View -> Stack (Ctrl+S)

Stack frame analysis

Return address verification

Stack overflow detection

Local variable inspection

String Analysis

Search -> String References

Find all string references

Unicode/ASCII detection

String encoding analysis

Obfuscated string detection

Structure Analysis

Define custom structures

Apply structures to memory

Structure member highlighting

Nested structure support

Array and pointer handling

Memory Comparison

Compare memory regions

Before/after snapshots

Differential analysis

Change tracking

Memory diffing tools

```_

Erweiterte Debugging-Funktionen

Plugin System und Erweiterungen

```bash

Plugin Management

Plugins -> Plugin Manager

Load/unload plugins

Plugin configuration

Plugin development SDK

Essential Plugins

ScyllaHide - Anti-anti-debugging

Installation: Copy to plugins folder

Configuration: Hide debugger presence

Bypass common anti-debugging tricks

xAnalyzer - Static Analysis

Automatic analysis of functions

API call analysis

String reference analysis

Control flow analysis

x64dbgpy - Python Scripting

Python script execution

Automation capabilities

Custom analysis scripts

Integration with Python libraries

OllyDumpEx - Process Dumping

Dump process memory

Reconstruct import table

Fix relocations

Unpack protected executables

Multiline Ultimate Assembler

Enhanced assembly editing

Multi-line assembly

Macro support

Advanced instruction encoding

```_

Skript und Automatisierung

```bash

Built-in Scripting

Script window (View -> Script)

x64dbg script language

Conditional execution

Loops and variables

Function calls

Basic Script Commands

msg "Hello World" # Display message bp 0x401000 # Set breakpoint run # Start execution step # Single step log "EAX: \\{eax\\}" # Log register value

Variables and Expressions

$var = eax # Assign register to variable $addr = 0x401000 # Assign address $result = [$addr] # Read memory mov eax, $var # Use variable in assembly

Control Flow

if eax == 0x1234 # Conditional execution msg "Found target value" end

while eax != 0 # Loop execution step end

Function Definitions

function analyze_function bp $arg1 # Set breakpoint at argument run # Execute log "Function called" end

Advanced Scripting

File I/O operations

Registry access

Process manipulation

Network operations

Cryptographic functions

```_

Anti-Debugging und Evasion

```bash

Common Anti-Debugging Techniques

PEB BeingDebugged flag

Debug heap flags

NtGlobalFlag checks

Debug object detection

Timing attacks

ScyllaHide Configuration

Hide debugger presence

Hook anti-debugging APIs

Modify PEB structure

Hide debug heap

Bypass timing checks

Manual Anti-Debugging Bypass

Patch anti-debugging checks

Modify PEB flags manually

Hook API functions

Use hardware breakpoints

Stealth debugging techniques

Advanced Evasion

Kernel debugging detection

Hardware debugging detection

Virtual machine detection

Sandbox evasion

Analysis environment detection

Countermeasures

Use multiple debugging tools

Modify system artifacts

Custom debugging techniques

Emulation environments

Hybrid analysis approaches

```_

Malware Analyse mit x64dbg

Integration der statischen Analyse

```bash

Initial Triage

File -> Open -> Load malware sample

View -> Modules -> Analyze loaded modules

View -> Memory Map -> Examine memory layout

Search -> String References -> Find interesting strings

Import Analysis

View -> Modules -> Select main module

Right-click -> View Imports

Identify suspicious APIs:

- File operations: CreateFile, WriteFile, DeleteFile

- Registry: RegOpenKey, RegSetValue, RegDeleteKey

- Network: socket, connect, send, recv

- Process: CreateProcess, OpenProcess, TerminateProcess

- Crypto: CryptAcquireContext, CryptEncrypt

Export Analysis

View -> Modules -> Select module

Right-click -> View Exports

Identify exported functions

Potential DLL functionality

Entry points for analysis

String Analysis

Search -> String References

Look for:

- URLs and IP addresses

- File paths and registry keys

- Error messages

- Cryptographic constants

- Command and control indicators

Entry Point Analysis

Automatic break at entry point

Analyze initialization code

Identify packing/obfuscation

Find original entry point (OEP)

```_

Dynamische Verhaltensanalyse

```bash

Execution Monitoring

Set breakpoints on critical APIs

bp CreateFileA # File creation bp RegOpenKeyA # Registry access bp socket # Network activity bp VirtualAlloc # Memory allocation

API Parameter Analysis

Break on API calls

Examine parameters on stack/registers

Log parameter values

Trace data flow

Network Behavior

Monitor network-related APIs

bp WSAStartup # Winsock initialization bp connect # Network connections bp send # Data transmission bp recv # Data reception

File System Activity

bp CreateFileA # File operations bp WriteFile # File writing bp ReadFile # File reading bp DeleteFileA # File deletion

Registry Monitoring

bp RegOpenKeyA # Registry access bp RegSetValueA # Registry modification bp RegQueryValueA # Registry reading bp RegDeleteKeyA # Registry deletion

Process Injection Detection

bp VirtualAllocEx # Remote memory allocation bp WriteProcessMemory # Remote memory writing bp CreateRemoteThread # Remote thread creation bp SetWindowsHookEx # Hook installation ```_

Entpacken und Entobfuscation

```bash

Packer Detection

Analyze entry point code

Look for packer signatures

Check section characteristics

Examine import table

Common Packers

UPX: Ultimate Packer for eXecutables

ASPack: Advanced Software Protection

Themida: Commercial protector

VMProtect: Virtualization protection

Manual Unpacking Process

1. Set breakpoint at entry point

2. Step through unpacking routine

3. Look for jumps to unpacked code

4. Identify original entry point (OEP)

5. Dump unpacked code

6. Reconstruct import table

OEP Detection Techniques

Look for PUSHAD/POPAD sequences

Monitor for jumps to new sections

Watch for import table reconstruction

Identify tail jump patterns

Memory Dumping

Plugins -> OllyDumpEx

Select process and module

Choose dump options

Reconstruct imports

Fix relocations

Save unpacked executable

Import Reconstruction

Analyze import table

Identify API calls

Rebuild import directory

Fix import address table (IAT)

Validate import resolution

```_

Erweiterte Malware-Techniken

```bash

Code Injection Analysis

Monitor injection techniques:

- DLL injection

- Process hollowing

- Atom bombing

- Manual DLL loading

- Reflective DLL loading

Rootkit Detection

Monitor system modifications:

- SSDT hooking

- IDT modifications

- IRP hooking

- File system filters

- Registry filters

Persistence Mechanisms

Registry run keys

bp RegSetValueA # Monitor registry modifications

Windows services

bp CreateServiceA # Service creation

Scheduled tasks

bp CreateProcessA # Task scheduler execution

DLL hijacking

bp LoadLibraryA # DLL loading

Communication Analysis

C&C; communication patterns

Protocol analysis

Encryption detection

Data exfiltration methods

Command parsing

Evasion Techniques

Anti-analysis detection

Sandbox evasion

VM detection

Debugger detection

Time-based evasion

```_

Schwachstelle Forschung und Entwicklung

Crash Analyse und Debugging

```bash

Exception Handling

Options -> Preferences -> Exceptions

Configure exception handling

First chance vs second chance

Ignore specific exceptions

Crash Analysis Workflow

1. Reproduce crash

2. Analyze exception information

3. Examine crash context

4. Identify root cause

5. Develop exploit

Register Analysis at Crash

Examine register values

Identify controlled registers

Check for code execution

Analyze memory corruption

Stack Analysis

View -> Stack

Examine stack contents

Identify return addresses

Look for buffer overflows

Check stack cookies/canaries

Heap Analysis

View -> Heap

Examine heap corruption

Identify use-after-free

Analyze heap metadata

Check heap protections

```_

Pufferüberlaufanalyse

```bash

Identifying Buffer Overflows

Look for dangerous functions:

strcpy, strcat, sprintf, gets

Analyze input validation

Check buffer boundaries

Examine stack layout

Pattern Generation and Analysis

Generate unique patterns

Identify offset to return address

Calculate exact overflow length

Determine controlled data

Return Address Control

Verify EIP/RIP control

Find suitable return address

Bypass ASLR if present

Identify gadgets for ROP

Shellcode Development

Develop custom shellcode

Avoid bad characters

Encode if necessary

Test in debugger environment

Exploit Testing

Test exploit reliability

Handle different OS versions

Bypass security mitigations

Validate payload execution

```_

Advanced Exploitation Techniques

```bash

ROP Chain Development

Search for ROP gadgets

Build ROP chain

Bypass DEP/NX

Stack pivot techniques

Heap Exploitation

Heap spray techniques

Use-after-free exploitation

Heap overflow exploitation

Heap metadata corruption

Format String Exploitation

Identify format string bugs

Control format string

Arbitrary read/write

Code execution techniques

Race Condition Exploitation

Identify race conditions

Time-of-check vs time-of-use

Thread synchronization issues

Exploit timing windows

Kernel Exploitation

Kernel debugging setup

Driver vulnerability analysis

Privilege escalation

Kernel shellcode development

```_

x64dbgs umfassende Debugging-Funktionen, intuitive Schnittstelle und umfangreiches Plugin-Ökosystem machen es zu einem unverzichtbaren Werkzeug für Windows-Reverse Engineering und Malware-Analyse. Seine native Unterstützung für 32-Bit- und 64-Bit-Anwendungen, kombiniert mit erweiterten Funktionen wie bedingten Breakpoints, Speicheranalyse und Skripting-Funktionen, bietet Sicherheitsforschern die Werkzeuge, die sie benötigen, um komplexe Softwareverhalten zu verstehen und Sicherheitslücken zu identifizieren. Ob für Malware-Analysen, Schwachstellenforschung, Exploit-Entwicklung oder allgemeine Software Debugging verwendet, x64dbg bietet die Leistung und Flexibilität, die moderne Sicherheitsexperten für ihre anspruchsvollsten Analyseaufgaben benötigen. Die aktive Entwicklung der Debugging-Community und die stetige Verbesserung der Funktionen sorgen dafür, dass sie an der Spitze der Windows Debugging-Technologie bleibt, sich an neue Bedrohungen und Analyse-Herausforderungen anzupassen und gleichzeitig den Ruf als führende Windows Debugging-Plattform zu erhalten.