x64dbg - Windows Debugger
"Clase de la hoja"
########################################################################################################################################################################################################################################################## Copiar todos los comandos
########################################################################################################################################################################################################################################################## Generar PDF seleccionado/button
■/div titulada
x64dbg representa el pináculo de la tecnología moderna de depuración de Windows, sirviendo como una alternativa completa y fácil de usar a las herramientas tradicionales de depuración como OllyDbg y WinDbg. Este potente depurador de código abierto ha revolucionado la ingeniería inversa de Windows proporcionando una interfaz gráfica intuitiva combinada con capacidades avanzadas de depuración que atienden tanto a analistas de principiantes como a investigadores de seguridad experimentados. Lo que distingue x64dbg es su soporte nativo para aplicaciones Windows de 32 bits y 64 bits, integración perfecta con sistemas operativos Windows modernos, y amplio ecosistema plugin que extiende su funcionalidad mucho más allá de las operaciones básicas de depuración. La arquitectura del depurador enfatiza la usabilidad sin sacrificar el poder, ofreciendo características como la gestión avanzada de puntos de ruptura, análisis de memoria integral, desmontaje integrado con resaltado de sintaxis, y capacidades de scripting sofisticadas. x64dbg se ha convertido en el estándar de facto para el análisis de malware de Windows, investigación de vulnerabilidad y ingeniería inversa de software, proporcionando a los profesionales de seguridad las herramientas que necesitan para entender el comportamiento complejo del software, identificar vulnerabilidades de seguridad, y desarrollar contramedidas eficaces contra software malicioso.
Instalación y configuración
Requisitos del sistema e instalación
# System Requirements
# Windows 7 SP1 or later (Windows 10/11 recommended)
# Visual C++ Redistributable 2019 or later
# .NET Framework 4.7.2 or later
# Administrator privileges for debugging system processes
# Download x64dbg
# Official website: https://x64dbg.com/
# GitHub releases: https://github.com/x64dbg/x64dbg/releases
# Installation Methods
# 1. Portable Installation (Recommended)
# Download x64dbg portable package
# Extract to desired directory (e.g., C:\x64dbg)
# No installation required - run directly
# 2. Installer Package
# Download x64dbg installer
# Run as Administrator
# Follow installation wizard
# Creates desktop shortcuts and file associations
# Directory Structure
x64dbg/
├── release/
│ ├── x32/ # 32-bit debugger
│ │ ├── x32dbg.exe # Main 32-bit debugger
│ │ ├── x32bridge.dll # Bridge library
│ │ └── plugins/ # 32-bit plugins
│ ├── x64/ # 64-bit debugger
│ │ ├── x64dbg.exe # Main 64-bit debugger
│ │ ├── x64bridge.dll # Bridge library
│ │ └── plugins/ # 64-bit plugins
│ ├── x96dbg.exe # Launcher (auto-detects architecture)
│ ├── pluginsdk/ # Plugin development SDK
│ └── help/ # Documentation
# First Launch Setup
# 1. Run x96dbg.exe (recommended launcher)
# 2. Configure initial settings
# 3. Set up symbol paths
# 4. Configure plugin directories
Configuración y personalización
# Configuration Files
# Settings stored in: %APPDATA%\x64dbg\
# Main config: x64dbg.ini (64-bit) / x32dbg.ini (32-bit)
# Essential Configuration Options
[Engine]
BreakpointType=1 # Software breakpoints
CalculationType=0 # Signed calculations
Assembler=0 # XEDParse assembler
IgnoreInconsistentBreakpoints=0
[Disasm]
Uppercase=0 # Lowercase assembly
TabbedMnemonic=0 # Tabbed mnemonics
ArgumentSpaces=0 # Spaces in arguments
MemorySpaces=0 # Spaces in memory operands
NoHighlightOperands=0 # Highlight operands
NoCurrentModuleText=0 # Show current module
0xPrefixValues=1 # 0x prefix for hex values
[Gui]
FpuRegistersLittleEndian=0 # FPU register display
SaveColumnOrder=1 # Save column order
NoCloseDialog=0 # Close confirmation
PidInHex=0 # Process ID in hex
SidebarWatchLabels=1 # Watch labels in sidebar
# Symbol Configuration
# Options -> Preferences -> Symbols
# Microsoft Symbol Server: https://msdl.microsoft.com/download/symbols
# Local symbol cache: C:\Symbols
# Symbol search paths: _NT_SYMBOL_PATH environment variable
# Plugin Configuration
# Plugins directory: x64dbg\release\x64\plugins\
# Plugin settings: %APPDATA%\x64dbg\plugins\
# Essential Plugins
# ScyllaHide: Anti-anti-debugging
# xAnalyzer: Advanced static analysis
# x64dbgpy: Python scripting
# OllyDumpEx: Process dumping
# Multiline Ultimate Assembler: Enhanced assembly
Operaciones básicas de depuración
Carga y Adjunción a Procesos
# Loading Executables
# File -> Open -> Select executable
# Drag and drop executable onto x64dbg
# Command line: x64dbg.exe target.exe
# Command Line Arguments
# File -> Change Command Line
# Set arguments before starting debugging
# Example: program.exe -arg1 value1 -arg2
# Attaching to Running Processes
# File -> Attach
# Select process from list
# Filter by name or PID
# Requires appropriate privileges
# Process Selection Criteria
# Architecture matching (32-bit vs 64-bit)
# Process permissions
# Anti-debugging protections
# System process restrictions
# Loading DLLs for Analysis
# File -> Open -> Select DLL
# Analyze DLL exports and imports
# Set breakpoints on DLL functions
# Useful for library analysis
# Working Directory
# File -> Change Working Directory
# Set appropriate working directory
# Important for file path resolution
# Affects relative path operations
Navegación e interfaz
# Main Interface Components
# 1. CPU Window - Main debugging interface
# - Disassembly view
# - Register view
# - Memory dump
# - Stack view
# - Information view
# 2. Log Window - Debug output and messages
# 3. Breakpoints Window - Breakpoint management
# 4. Memory Map - Process memory layout
# 5. Call Stack - Function call hierarchy
# 6. SEH Chain - Exception handler chain
# 7. Threads - Thread information
# 8. Handles - Process handles
# 9. Modules - Loaded modules
# Navigation Shortcuts
Ctrl+G # Go to address/expression
Ctrl+F # Find in current module
Ctrl+B # Binary search
Ctrl+R # Find references
Ctrl+N # Find names/labels
# View Navigation
F7 # Step into
F8 # Step over
F9 # Run/Continue
Ctrl+F2 # Restart debugging
Alt+F9 # Execute till user code
# Memory Navigation
Ctrl+M # Memory map
Ctrl+D # Dump memory
Ctrl+S # Stack view
Ctrl+E # Modules view
# Window Management
F3 # Close tab
Ctrl+Tab # Switch tabs
F5 # Reload
Ctrl+F4 # Close window
Controles básicos de depuración
# Execution Control
F9 # Run/Continue execution
F7 # Step into (follow calls)
F8 # Step over (skip calls)
Ctrl+F7 # Step into (skip system calls)
Ctrl+F8 # Step over (skip system calls)
F4 # Run to cursor
Ctrl+F9 # Run to user code
Alt+F9 # Execute until return
# Advanced Execution
Shift+F7 # Step into (force)
Shift+F8 # Step over (force)
Ctrl+Shift+F7 # Animate into
Ctrl+Shift+F8 # Animate over
# Process Control
Ctrl+F2 # Restart debugging
Ctrl+Alt+F2 # Close debugging
F6 # Pause execution
Ctrl+Break # Break execution
# Thread Control
# Threads window: View -> Threads
# Switch between threads
# Suspend/resume individual threads
# View thread context and stack
# Exception Handling
# Options -> Preferences -> Exceptions
# Configure exception handling
# First chance exceptions
# Second chance exceptions
# Ignore specific exceptions
Gestión de puntos de ruptura
Puntos de ruptura de software
# Setting Breakpoints
F2 # Toggle breakpoint at current line
# Right-click -> Breakpoint -> Toggle
# Click in margin of disassembly view
# Breakpoint Types
# Software breakpoints (INT3)
# Hardware breakpoints (debug registers)
# Memory breakpoints (page guard)
# Conditional breakpoints
# One-time breakpoints
# Breakpoint Window
# View -> Breakpoints (Alt+B)
# Enable/disable breakpoints
# Edit breakpoint conditions
# View breakpoint statistics
# Export/import breakpoints
# Conditional Breakpoints
# Right-click breakpoint -> Edit
# Condition examples:
# eax == 0x1234
# [esp+4] > 100
# GetTickCount() > start_time + 5000
# strcmp(esi, "password") == 0
# Breakpoint Actions
# Log message without breaking
# Execute command on hit
# Increment hit counter
# Break after N hits
# Advanced Breakpoint Features
# Fast resume (skip breakpoint once)
# Silent breakpoints (no GUI update)
# Temporary breakpoints (auto-remove)
# Breakpoint groups and categories
Hardware Breakpoints
# Hardware Breakpoint Types
# Execute breakpoints (DR0-DR3)
# Read/write breakpoints
# Access breakpoints (read or write)
# Size options: 1, 2, 4, 8 bytes
# Setting Hardware Breakpoints
# Right-click -> Breakpoint -> Hardware, Execute
# Right-click -> Breakpoint -> Hardware, Access
# Breakpoints window -> Add hardware breakpoint
# Hardware Breakpoint Advantages
# No code modification (stealth)
# Work on packed/encrypted code
# Limited to 4 breakpoints (x86/x64)
# Faster than software breakpoints
# Memory Breakpoints
# Right-click -> Breakpoint -> Memory Access
# Break on memory page access
# Useful for large memory regions
# Uses page guard mechanism
# Breakpoint Scripting
# Automatic actions on breakpoint hit
# Log values and continue
# Modify registers/memory
# Call functions or APIs
Técnicas avanzadas de punto de ruptura
# API Breakpoints
# Breakpoints -> Add API breakpoint
# Set breakpoints on imported functions
# Monitor API calls and parameters
# Useful for behavior analysis
# Exception Breakpoints
# Break on specific exceptions
# Access violations
# Integer divide by zero
# Stack overflow
# Custom exception codes
# Tracing and Logging
# Trace into/over with logging
# Log register values
# Log memory contents
# Log function parameters
# Export trace to file
# Breakpoint Conditions
# Complex conditional expressions
# Register comparisons
# Memory content checks
# String comparisons
# Mathematical expressions
# Breakpoint Performance
# Minimize breakpoint overhead
# Use hardware breakpoints for hot paths
# Conditional breakpoints vs. logging
# Batch breakpoint operations
Análisis de memoria y manipulación
Memory Exploration
# Memory Map Analysis
# View -> Memory Map (Ctrl+M)
# Shows all memory regions
# Base address, size, protection
# Module information
# Memory type (Image, Mapped, Private)
# Memory Dump Views
# View -> Dump (Ctrl+D)
# Hexadecimal view of memory
# ASCII/Unicode string view
# Disassembly view
# Structure view
# Memory Navigation
# Go to address (Ctrl+G)
# Follow in dump
# Follow in disassembler
# Follow in stack
# Binary search (Ctrl+B)
# Memory Search
# Search -> Find Pattern
# Hex pattern search
# String search (ASCII/Unicode)
# Regular expression search
# Reference search
# Memory Protection
# View memory protection flags
# Read/Write/Execute permissions
# PAGE_GUARD detection
# DEP/NX bit status
# ASLR information
Modificación de memoria
# Direct Memory Editing
# Double-click in dump view
# Edit hex values
# Edit ASCII strings
# Undo/redo support
# Assembly Patching
# Right-click -> Assemble
# Modify instructions in place
# NOP out instructions
# Insert jumps and calls
# Patch binary files
# Fill Memory
# Right-click -> Fill
# Fill with pattern
# Fill with zeros
# Fill with NOPs (0x90)
# Fill with specific bytes
# Copy/Paste Operations
# Copy memory regions
# Paste from clipboard
# Export to file
# Import from file
# Binary data manipulation
# Memory Allocation
# Debug -> Allocate Memory
# Allocate new memory regions
# Set protection flags
# Useful for shellcode testing
# Custom memory layouts
Análisis avanzado de memoria
# Heap Analysis
# View -> Heap
# Heap block enumeration
# Allocation tracking
# Heap corruption detection
# Use-after-free detection
# Stack Analysis
# View -> Stack (Ctrl+S)
# Stack frame analysis
# Return address verification
# Stack overflow detection
# Local variable inspection
# String Analysis
# Search -> String References
# Find all string references
# Unicode/ASCII detection
# String encoding analysis
# Obfuscated string detection
# Structure Analysis
# Define custom structures
# Apply structures to memory
# Structure member highlighting
# Nested structure support
# Array and pointer handling
# Memory Comparison
# Compare memory regions
# Before/after snapshots
# Differential analysis
# Change tracking
# Memory diffing tools
Características avanzadas de depuración
Plugin System and Extensions
# Plugin Management
# Plugins -> Plugin Manager
# Load/unload plugins
# Plugin configuration
# Plugin development SDK
# Essential Plugins
# ScyllaHide - Anti-anti-debugging
# Installation: Copy to plugins folder
# Configuration: Hide debugger presence
# Bypass common anti-debugging tricks
# xAnalyzer - Static Analysis
# Automatic analysis of functions
# API call analysis
# String reference analysis
# Control flow analysis
# x64dbgpy - Python Scripting
# Python script execution
# Automation capabilities
# Custom analysis scripts
# Integration with Python libraries
# OllyDumpEx - Process Dumping
# Dump process memory
# Reconstruct import table
# Fix relocations
# Unpack protected executables
# Multiline Ultimate Assembler
# Enhanced assembly editing
# Multi-line assembly
# Macro support
# Advanced instruction encoding
Escritura y automatización
# Built-in Scripting
# Script window (View -> Script)
# x64dbg script language
# Conditional execution
# Loops and variables
# Function calls
# Basic Script Commands
msg "Hello World" # Display message
bp 0x401000 # Set breakpoint
run # Start execution
step # Single step
log "EAX: \\\\{eax\\\\}" # Log register value
# Variables and Expressions
$var = eax # Assign register to variable
$addr = 0x401000 # Assign address
$result = [$addr] # Read memory
mov eax, $var # Use variable in assembly
# Control Flow
if eax == 0x1234 # Conditional execution
msg "Found target value"
end
while eax != 0 # Loop execution
step
end
# Function Definitions
function analyze_function
bp $arg1 # Set breakpoint at argument
run # Execute
log "Function called"
end
# Advanced Scripting
# File I/O operations
# Registry access
# Process manipulation
# Network operations
# Cryptographic functions
Anti-Debugging and Evasion
# Common Anti-Debugging Techniques
# PEB BeingDebugged flag
# Debug heap flags
# NtGlobalFlag checks
# Debug object detection
# Timing attacks
# ScyllaHide Configuration
# Hide debugger presence
# Hook anti-debugging APIs
# Modify PEB structure
# Hide debug heap
# Bypass timing checks
# Manual Anti-Debugging Bypass
# Patch anti-debugging checks
# Modify PEB flags manually
# Hook API functions
# Use hardware breakpoints
# Stealth debugging techniques
# Advanced Evasion
# Kernel debugging detection
# Hardware debugging detection
# Virtual machine detection
# Sandbox evasion
# Analysis environment detection
# Countermeasures
# Use multiple debugging tools
# Modify system artifacts
# Custom debugging techniques
# Emulation environments
# Hybrid analysis approaches
Análisis de malware con x64dbg
Integración del análisis estadístico
# Initial Triage
# File -> Open -> Load malware sample
# View -> Modules -> Analyze loaded modules
# View -> Memory Map -> Examine memory layout
# Search -> String References -> Find interesting strings
# Import Analysis
# View -> Modules -> Select main module
# Right-click -> View Imports
# Identify suspicious APIs:
# - File operations: CreateFile, WriteFile, DeleteFile
# - Registry: RegOpenKey, RegSetValue, RegDeleteKey
# - Network: socket, connect, send, recv
# - Process: CreateProcess, OpenProcess, TerminateProcess
# - Crypto: CryptAcquireContext, CryptEncrypt
# Export Analysis
# View -> Modules -> Select module
# Right-click -> View Exports
# Identify exported functions
# Potential DLL functionality
# Entry points for analysis
# String Analysis
# Search -> String References
# Look for:
# - URLs and IP addresses
# - File paths and registry keys
# - Error messages
# - Cryptographic constants
# - Command and control indicators
# Entry Point Analysis
# Automatic break at entry point
# Analyze initialization code
# Identify packing/obfuscation
# Find original entry point (OEP)
Análisis dinámico del comportamiento
# Execution Monitoring
# Set breakpoints on critical APIs
bp CreateFileA # File creation
bp RegOpenKeyA # Registry access
bp socket # Network activity
bp VirtualAlloc # Memory allocation
# API Parameter Analysis
# Break on API calls
# Examine parameters on stack/registers
# Log parameter values
# Trace data flow
# Network Behavior
# Monitor network-related APIs
bp WSAStartup # Winsock initialization
bp connect # Network connections
bp send # Data transmission
bp recv # Data reception
# File System Activity
bp CreateFileA # File operations
bp WriteFile # File writing
bp ReadFile # File reading
bp DeleteFileA # File deletion
# Registry Monitoring
bp RegOpenKeyA # Registry access
bp RegSetValueA # Registry modification
bp RegQueryValueA # Registry reading
bp RegDeleteKeyA # Registry deletion
# Process Injection Detection
bp VirtualAllocEx # Remote memory allocation
bp WriteProcessMemory # Remote memory writing
bp CreateRemoteThread # Remote thread creation
bp SetWindowsHookEx # Hook installation
Desembalaje y deobfuscación
# Packer Detection
# Analyze entry point code
# Look for packer signatures
# Check section characteristics
# Examine import table
# Common Packers
# UPX: Ultimate Packer for eXecutables
# ASPack: Advanced Software Protection
# Themida: Commercial protector
# VMProtect: Virtualization protection
# Manual Unpacking Process
# 1. Set breakpoint at entry point
# 2. Step through unpacking routine
# 3. Look for jumps to unpacked code
# 4. Identify original entry point (OEP)
# 5. Dump unpacked code
# 6. Reconstruct import table
# OEP Detection Techniques
# Look for PUSHAD/POPAD sequences
# Monitor for jumps to new sections
# Watch for import table reconstruction
# Identify tail jump patterns
# Memory Dumping
# Plugins -> OllyDumpEx
# Select process and module
# Choose dump options
# Reconstruct imports
# Fix relocations
# Save unpacked executable
# Import Reconstruction
# Analyze import table
# Identify API calls
# Rebuild import directory
# Fix import address table (IAT)
# Validate import resolution
Técnicas avanzadas de malware
# Code Injection Analysis
# Monitor injection techniques:
# - DLL injection
# - Process hollowing
# - Atom bombing
# - Manual DLL loading
# - Reflective DLL loading
# Rootkit Detection
# Monitor system modifications:
# - SSDT hooking
# - IDT modifications
# - IRP hooking
# - File system filters
# - Registry filters
# Persistence Mechanisms
# Registry run keys
bp RegSetValueA # Monitor registry modifications
# Windows services
bp CreateServiceA # Service creation
# Scheduled tasks
bp CreateProcessA # Task scheduler execution
# DLL hijacking
bp LoadLibraryA # DLL loading
# Communication Analysis
# C&C communication patterns
# Protocol analysis
# Encryption detection
# Data exfiltration methods
# Command parsing
# Evasion Techniques
# Anti-analysis detection
# Sandbox evasion
# VM detection
# Debugger detection
# Time-based evasion
Vulnerability Research and Exploit Development
Crash Analysis and Debugging
# Exception Handling
# Options -> Preferences -> Exceptions
# Configure exception handling
# First chance vs second chance
# Ignore specific exceptions
# Crash Analysis Workflow
# 1. Reproduce crash
# 2. Analyze exception information
# 3. Examine crash context
# 4. Identify root cause
# 5. Develop exploit
# Register Analysis at Crash
# Examine register values
# Identify controlled registers
# Check for code execution
# Analyze memory corruption
# Stack Analysis
# View -> Stack
# Examine stack contents
# Identify return addresses
# Look for buffer overflows
# Check stack cookies/canaries
# Heap Analysis
# View -> Heap
# Examine heap corruption
# Identify use-after-free
# Analyze heap metadata
# Check heap protections
Análisis del flujo de amortiguación
# Identifying Buffer Overflows
# Look for dangerous functions:
# strcpy, strcat, sprintf, gets
# Analyze input validation
# Check buffer boundaries
# Examine stack layout
# Pattern Generation and Analysis
# Generate unique patterns
# Identify offset to return address
# Calculate exact overflow length
# Determine controlled data
# Return Address Control
# Verify EIP/RIP control
# Find suitable return address
# Bypass ASLR if present
# Identify gadgets for ROP
# Shellcode Development
# Develop custom shellcode
# Avoid bad characters
# Encode if necessary
# Test in debugger environment
# Exploit Testing
# Test exploit reliability
# Handle different OS versions
# Bypass security mitigations
# Validate payload execution
Técnicas avanzadas de explotación
# ROP Chain Development
# Search for ROP gadgets
# Build ROP chain
# Bypass DEP/NX
# Stack pivot techniques
# Heap Exploitation
# Heap spray techniques
# Use-after-free exploitation
# Heap overflow exploitation
# Heap metadata corruption
# Format String Exploitation
# Identify format string bugs
# Control format string
# Arbitrary read/write
# Code execution techniques
# Race Condition Exploitation
# Identify race conditions
# Time-of-check vs time-of-use
# Thread synchronization issues
# Exploit timing windows
# Kernel Exploitation
# Kernel debugging setup
# Driver vulnerability analysis
# Privilege escalation
# Kernel shellcode development
Las capacidades integrales de depuración de x64dbg, la interfaz intuitiva y el amplio ecosistema de plugin hacen que sea una herramienta indispensable para la ingeniería inversa de Windows y el análisis de malware. Su soporte nativo para aplicaciones de 32 bits y 64 bits, combinado con características avanzadas como puntos de ruptura condicional, análisis de memoria y capacidades de scripting, proporciona a los investigadores de seguridad las herramientas que necesitan para entender el comportamiento complejo del software e identificar vulnerabilidades de seguridad. Ya sea utilizado para análisis de malware, investigación de vulnerabilidad, desarrollo de explotación o depuración de software general, x64dbg ofrece la potencia y flexibilidad que los profesionales de seguridad modernos requieren para sus tareas de análisis más difíciles. La comunidad de desarrollo activa del depurador y las mejoras continuas de características aseguran que permanezca a la vanguardia de la tecnología de depuración de Windows, adaptándose a nuevas amenazas y desafíos de análisis manteniendo su reputación como la plataforma de depuración de Windows.