x64dbg - Débogueur Windows
x64dbg représente le pinacle de la technologie de débogage Windows moderne, servant d'alternative complète et conviviale aux outils de débogage traditionnels comme OllyDbg et WinDbg. Ce puissant débogueur open-source a révolutionné l'ingénierie inverse de Windows en fournissant une interface graphique intuitive combinée à des capacités de débogage avancées qui répondent à la fois aux analystes débutants et aux chercheurs chevronnés en sécurité. Ce qui distingue x64dbg est son support natif pour les applications Windows 32-bit et 64-bit, l'intégration transparente avec les systèmes d'exploitation Windows modernes, et l'écosystème de plugin étendu qui étend sa fonctionnalité bien au-delà des opérations de débogage de base. L'architecture du débogueur met l'accent sur la facilité d'utilisation sans sacrifier la puissance, offrant des fonctionnalités comme la gestion avancée des points d'arrêt, l'analyse complète de la mémoire, le démontage intégré avec mise en évidence syntaxique et des capacités de script sophistiquées. x64dbg est devenu la norme de facto pour l'analyse de logiciels malveillants Windows, la recherche de vulnérabilité, et l'ingénierie inverse de logiciels, fournissant aux professionnels de la sécurité les outils dont ils ont besoin pour comprendre le comportement logiciel complexe, identifier les vulnérabilités de sécurité, et développer des contre-mesures efficaces contre les logiciels malveillants.
Installation et configuration
Exigences du système et installation
# System Requirements
# Windows 7 SP1 or later (Windows 10/11 recommended)
# Visual C++ Redistributable 2019 or later
# .NET Framework 4.7.2 or later
# Administrator privileges for debugging system processes
# Download x64dbg
# Official website: https://x64dbg.com/
# GitHub releases: https://github.com/x64dbg/x64dbg/releases
# Installation Methods
# 1. Portable Installation (Recommended)
# Download x64dbg portable package
# Extract to desired directory (e.g., C:\x64dbg)
# No installation required - run directly
# 2. Installer Package
# Download x64dbg installer
# Run as Administrator
# Follow installation wizard
# Creates desktop shortcuts and file associations
# Directory Structure
x64dbg/
├── release/
│ ├── x32/ # 32-bit debugger
│ │ ├── x32dbg.exe # Main 32-bit debugger
│ │ ├── x32bridge.dll # Bridge library
│ │ └── plugins/ # 32-bit plugins
│ ├── x64/ # 64-bit debugger
│ │ ├── x64dbg.exe # Main 64-bit debugger
│ │ ├── x64bridge.dll # Bridge library
│ │ └── plugins/ # 64-bit plugins
│ ├── x96dbg.exe # Launcher (auto-detects architecture)
│ ├── pluginsdk/ # Plugin development SDK
│ └── help/ # Documentation
# First Launch Setup
# 1. Run x96dbg.exe (recommended launcher)
# 2. Configure initial settings
# 3. Set up symbol paths
# 4. Configure plugin directories
Configuration et personnalisation
# Configuration Files
# Settings stored in: %APPDATA%\x64dbg\
# Main config: x64dbg.ini (64-bit) / x32dbg.ini (32-bit)
# Essential Configuration Options
[Engine]
BreakpointType=1 # Software breakpoints
CalculationType=0 # Signed calculations
Assembler=0 # XEDParse assembler
IgnoreInconsistentBreakpoints=0
[Disasm]
Uppercase=0 # Lowercase assembly
TabbedMnemonic=0 # Tabbed mnemonics
ArgumentSpaces=0 # Spaces in arguments
MemorySpaces=0 # Spaces in memory operands
NoHighlightOperands=0 # Highlight operands
NoCurrentModuleText=0 # Show current module
0xPrefixValues=1 # 0x prefix for hex values
[Gui]
FpuRegistersLittleEndian=0 # FPU register display
SaveColumnOrder=1 # Save column order
NoCloseDialog=0 # Close confirmation
PidInHex=0 # Process ID in hex
SidebarWatchLabels=1 # Watch labels in sidebar
# Symbol Configuration
# Options -> Preferences -> Symbols
# Microsoft Symbol Server: https://msdl.microsoft.com/download/symbols
# Local symbol cache: C:\Symbols
# Symbol search paths: _NT_SYMBOL_PATH environment variable
# Plugin Configuration
# Plugins directory: x64dbg\release\x64\plugins\
# Plugin settings: %APPDATA%\x64dbg\plugins\
# Essential Plugins
# ScyllaHide: Anti-anti-debugging
# xAnalyzer: Advanced static analysis
# x64dbgpy: Python scripting
# OllyDumpEx: Process dumping
# Multiline Ultimate Assembler: Enhanced assembly
```_
## Opérations de débogage de base
### Chargement et fixation aux processus
```bash
# Loading Executables
# File -> Open -> Select executable
# Drag and drop executable onto x64dbg
# Command line: x64dbg.exe target.exe
# Command Line Arguments
# File -> Change Command Line
# Set arguments before starting debugging
# Example: program.exe -arg1 value1 -arg2
# Attaching to Running Processes
# File -> Attach
# Select process from list
# Filter by name or PID
# Requires appropriate privileges
# Process Selection Criteria
# Architecture matching (32-bit vs 64-bit)
# Process permissions
# Anti-debugging protections
# System process restrictions
# Loading DLLs for Analysis
# File -> Open -> Select DLL
# Analyze DLL exports and imports
# Set breakpoints on DLL functions
# Useful for library analysis
# Working Directory
# File -> Change Working Directory
# Set appropriate working directory
# Important for file path resolution
# Affects relative path operations
```_
### Navigation et interface Aperçu
```bash
# Main Interface Components
# 1. CPU Window - Main debugging interface
# - Disassembly view
# - Register view
# - Memory dump
# - Stack view
# - Information view
# 2. Log Window - Debug output and messages
# 3. Breakpoints Window - Breakpoint management
# 4. Memory Map - Process memory layout
# 5. Call Stack - Function call hierarchy
# 6. SEH Chain - Exception handler chain
# 7. Threads - Thread information
# 8. Handles - Process handles
# 9. Modules - Loaded modules
# Navigation Shortcuts
Ctrl+G # Go to address/expression
Ctrl+F # Find in current module
Ctrl+B # Binary search
Ctrl+R # Find references
Ctrl+N # Find names/labels
# View Navigation
F7 # Step into
F8 # Step over
F9 # Run/Continue
Ctrl+F2 # Restart debugging
Alt+F9 # Execute till user code
# Memory Navigation
Ctrl+M # Memory map
Ctrl+D # Dump memory
Ctrl+S # Stack view
Ctrl+E # Modules view
# Window Management
F3 # Close tab
Ctrl+Tab # Switch tabs
F5 # Reload
Ctrl+F4 # Close window
Contrôles de débogage de base
# Execution Control
F9 # Run/Continue execution
F7 # Step into (follow calls)
F8 # Step over (skip calls)
Ctrl+F7 # Step into (skip system calls)
Ctrl+F8 # Step over (skip system calls)
F4 # Run to cursor
Ctrl+F9 # Run to user code
Alt+F9 # Execute until return
# Advanced Execution
Shift+F7 # Step into (force)
Shift+F8 # Step over (force)
Ctrl+Shift+F7 # Animate into
Ctrl+Shift+F8 # Animate over
# Process Control
Ctrl+F2 # Restart debugging
Ctrl+Alt+F2 # Close debugging
F6 # Pause execution
Ctrl+Break # Break execution
# Thread Control
# Threads window: View -> Threads
# Switch between threads
# Suspend/resume individual threads
# View thread context and stack
# Exception Handling
# Options -> Preferences -> Exceptions
# Configure exception handling
# First chance exceptions
# Second chance exceptions
# Ignore specific exceptions
Gestion des points d'arrêt
Points d'arrêt du logiciel
# Setting Breakpoints
F2 # Toggle breakpoint at current line
# Right-click -> Breakpoint -> Toggle
# Click in margin of disassembly view
# Breakpoint Types
# Software breakpoints (INT3)
# Hardware breakpoints (debug registers)
# Memory breakpoints (page guard)
# Conditional breakpoints
# One-time breakpoints
# Breakpoint Window
# View -> Breakpoints (Alt+B)
# Enable/disable breakpoints
# Edit breakpoint conditions
# View breakpoint statistics
# Export/import breakpoints
# Conditional Breakpoints
# Right-click breakpoint -> Edit
# Condition examples:
# eax == 0x1234
# [esp+4] > 100
# GetTickCount() > start_time + 5000
# strcmp(esi, "password") == 0
# Breakpoint Actions
# Log message without breaking
# Execute command on hit
# Increment hit counter
# Break after N hits
# Advanced Breakpoint Features
# Fast resume (skip breakpoint once)
# Silent breakpoints (no GUI update)
# Temporary breakpoints (auto-remove)
# Breakpoint groups and categories
Points d'arrêt matériels
# Hardware Breakpoint Types
# Execute breakpoints (DR0-DR3)
# Read/write breakpoints
# Access breakpoints (read or write)
# Size options: 1, 2, 4, 8 bytes
# Setting Hardware Breakpoints
# Right-click -> Breakpoint -> Hardware, Execute
# Right-click -> Breakpoint -> Hardware, Access
# Breakpoints window -> Add hardware breakpoint
# Hardware Breakpoint Advantages
# No code modification (stealth)
# Work on packed/encrypted code
# Limited to 4 breakpoints (x86/x64)
# Faster than software breakpoints
# Memory Breakpoints
# Right-click -> Breakpoint -> Memory Access
# Break on memory page access
# Useful for large memory regions
# Uses page guard mechanism
# Breakpoint Scripting
# Automatic actions on breakpoint hit
# Log values and continue
# Modify registers/memory
# Call functions or APIs
Techniques avancées de point d'arrêt
# API Breakpoints
# Breakpoints -> Add API breakpoint
# Set breakpoints on imported functions
# Monitor API calls and parameters
# Useful for behavior analysis
# Exception Breakpoints
# Break on specific exceptions
# Access violations
# Integer divide by zero
# Stack overflow
# Custom exception codes
# Tracing and Logging
# Trace into/over with logging
# Log register values
# Log memory contents
# Log function parameters
# Export trace to file
# Breakpoint Conditions
# Complex conditional expressions
# Register comparisons
# Memory content checks
# String comparisons
# Mathematical expressions
# Breakpoint Performance
# Minimize breakpoint overhead
# Use hardware breakpoints for hot paths
# Conditional breakpoints vs. logging
# Batch breakpoint operations
Analyse de mémoire et manipulation
Exploration de mémoire
# Memory Map Analysis
# View -> Memory Map (Ctrl+M)
# Shows all memory regions
# Base address, size, protection
# Module information
# Memory type (Image, Mapped, Private)
# Memory Dump Views
# View -> Dump (Ctrl+D)
# Hexadecimal view of memory
# ASCII/Unicode string view
# Disassembly view
# Structure view
# Memory Navigation
# Go to address (Ctrl+G)
# Follow in dump
# Follow in disassembler
# Follow in stack
# Binary search (Ctrl+B)
# Memory Search
# Search -> Find Pattern
# Hex pattern search
# String search (ASCII/Unicode)
# Regular expression search
# Reference search
# Memory Protection
# View memory protection flags
# Read/Write/Execute permissions
# PAGE_GUARD detection
# DEP/NX bit status
# ASLR information
Modification de mémoire
# Direct Memory Editing
# Double-click in dump view
# Edit hex values
# Edit ASCII strings
# Undo/redo support
# Assembly Patching
# Right-click -> Assemble
# Modify instructions in place
# NOP out instructions
# Insert jumps and calls
# Patch binary files
# Fill Memory
# Right-click -> Fill
# Fill with pattern
# Fill with zeros
# Fill with NOPs (0x90)
# Fill with specific bytes
# Copy/Paste Operations
# Copy memory regions
# Paste from clipboard
# Export to file
# Import from file
# Binary data manipulation
# Memory Allocation
# Debug -> Allocate Memory
# Allocate new memory regions
# Set protection flags
# Useful for shellcode testing
# Custom memory layouts
Analyse avancée de la mémoire
# Heap Analysis
# View -> Heap
# Heap block enumeration
# Allocation tracking
# Heap corruption detection
# Use-after-free detection
# Stack Analysis
# View -> Stack (Ctrl+S)
# Stack frame analysis
# Return address verification
# Stack overflow detection
# Local variable inspection
# String Analysis
# Search -> String References
# Find all string references
# Unicode/ASCII detection
# String encoding analysis
# Obfuscated string detection
# Structure Analysis
# Define custom structures
# Apply structures to memory
# Structure member highlighting
# Nested structure support
# Array and pointer handling
# Memory Comparison
# Compare memory regions
# Before/after snapshots
# Differential analysis
# Change tracking
# Memory diffing tools
Fonctions avancées de débogage
Système de plugin et Extensions
# Plugin Management
# Plugins -> Plugin Manager
# Load/unload plugins
# Plugin configuration
# Plugin development SDK
# Essential Plugins
# ScyllaHide - Anti-anti-debugging
# Installation: Copy to plugins folder
# Configuration: Hide debugger presence
# Bypass common anti-debugging tricks
# xAnalyzer - Static Analysis
# Automatic analysis of functions
# API call analysis
# String reference analysis
# Control flow analysis
# x64dbgpy - Python Scripting
# Python script execution
# Automation capabilities
# Custom analysis scripts
# Integration with Python libraries
# OllyDumpEx - Process Dumping
# Dump process memory
# Reconstruct import table
# Fix relocations
# Unpack protected executables
# Multiline Ultimate Assembler
# Enhanced assembly editing
# Multi-line assembly
# Macro support
# Advanced instruction encoding
Scénario et automatisation
# Built-in Scripting
# Script window (View -> Script)
# x64dbg script language
# Conditional execution
# Loops and variables
# Function calls
# Basic Script Commands
msg "Hello World" # Display message
bp 0x401000 # Set breakpoint
run # Start execution
step # Single step
log "EAX: \\\\{eax\\\\}" # Log register value
# Variables and Expressions
$var = eax # Assign register to variable
$addr = 0x401000 # Assign address
$result = [$addr] # Read memory
mov eax, $var # Use variable in assembly
# Control Flow
if eax == 0x1234 # Conditional execution
msg "Found target value"
end
while eax != 0 # Loop execution
step
end
# Function Definitions
function analyze_function
bp $arg1 # Set breakpoint at argument
run # Execute
log "Function called"
end
# Advanced Scripting
# File I/O operations
# Registry access
# Process manipulation
# Network operations
# Cryptographic functions
Anti-débogue et évacuation
# Common Anti-Debugging Techniques
# PEB BeingDebugged flag
# Debug heap flags
# NtGlobalFlag checks
# Debug object detection
# Timing attacks
# ScyllaHide Configuration
# Hide debugger presence
# Hook anti-debugging APIs
# Modify PEB structure
# Hide debug heap
# Bypass timing checks
# Manual Anti-Debugging Bypass
# Patch anti-debugging checks
# Modify PEB flags manually
# Hook API functions
# Use hardware breakpoints
# Stealth debugging techniques
# Advanced Evasion
# Kernel debugging detection
# Hardware debugging detection
# Virtual machine detection
# Sandbox evasion
# Analysis environment detection
# Countermeasures
# Use multiple debugging tools
# Modify system artifacts
# Custom debugging techniques
# Emulation environments
# Hybrid analysis approaches
Analyse des logiciels malveillants avec x64dbg
Intégration de l'analyse statique
# Initial Triage
# File -> Open -> Load malware sample
# View -> Modules -> Analyze loaded modules
# View -> Memory Map -> Examine memory layout
# Search -> String References -> Find interesting strings
# Import Analysis
# View -> Modules -> Select main module
# Right-click -> View Imports
# Identify suspicious APIs:
# - File operations: CreateFile, WriteFile, DeleteFile
# - Registry: RegOpenKey, RegSetValue, RegDeleteKey
# - Network: socket, connect, send, recv
# - Process: CreateProcess, OpenProcess, TerminateProcess
# - Crypto: CryptAcquireContext, CryptEncrypt
# Export Analysis
# View -> Modules -> Select module
# Right-click -> View Exports
# Identify exported functions
# Potential DLL functionality
# Entry points for analysis
# String Analysis
# Search -> String References
# Look for:
# - URLs and IP addresses
# - File paths and registry keys
# - Error messages
# - Cryptographic constants
# - Command and control indicators
# Entry Point Analysis
# Automatic break at entry point
# Analyze initialization code
# Identify packing/obfuscation
# Find original entry point (OEP)
Analyse dynamique du comportement
# Execution Monitoring
# Set breakpoints on critical APIs
bp CreateFileA # File creation
bp RegOpenKeyA # Registry access
bp socket # Network activity
bp VirtualAlloc # Memory allocation
# API Parameter Analysis
# Break on API calls
# Examine parameters on stack/registers
# Log parameter values
# Trace data flow
# Network Behavior
# Monitor network-related APIs
bp WSAStartup # Winsock initialization
bp connect # Network connections
bp send # Data transmission
bp recv # Data reception
# File System Activity
bp CreateFileA # File operations
bp WriteFile # File writing
bp ReadFile # File reading
bp DeleteFileA # File deletion
# Registry Monitoring
bp RegOpenKeyA # Registry access
bp RegSetValueA # Registry modification
bp RegQueryValueA # Registry reading
bp RegDeleteKeyA # Registry deletion
# Process Injection Detection
bp VirtualAllocEx # Remote memory allocation
bp WriteProcessMemory # Remote memory writing
bp CreateRemoteThread # Remote thread creation
bp SetWindowsHookEx # Hook installation
Déballage et débrouillage
# Packer Detection
# Analyze entry point code
# Look for packer signatures
# Check section characteristics
# Examine import table
# Common Packers
# UPX: Ultimate Packer for eXecutables
# ASPack: Advanced Software Protection
# Themida: Commercial protector
# VMProtect: Virtualization protection
# Manual Unpacking Process
# 1. Set breakpoint at entry point
# 2. Step through unpacking routine
# 3. Look for jumps to unpacked code
# 4. Identify original entry point (OEP)
# 5. Dump unpacked code
# 6. Reconstruct import table
# OEP Detection Techniques
# Look for PUSHAD/POPAD sequences
# Monitor for jumps to new sections
# Watch for import table reconstruction
# Identify tail jump patterns
# Memory Dumping
# Plugins -> OllyDumpEx
# Select process and module
# Choose dump options
# Reconstruct imports
# Fix relocations
# Save unpacked executable
# Import Reconstruction
# Analyze import table
# Identify API calls
# Rebuild import directory
# Fix import address table (IAT)
# Validate import resolution
Techniques avancées de malware
# Code Injection Analysis
# Monitor injection techniques:
# - DLL injection
# - Process hollowing
# - Atom bombing
# - Manual DLL loading
# - Reflective DLL loading
# Rootkit Detection
# Monitor system modifications:
# - SSDT hooking
# - IDT modifications
# - IRP hooking
# - File system filters
# - Registry filters
# Persistence Mechanisms
# Registry run keys
bp RegSetValueA # Monitor registry modifications
# Windows services
bp CreateServiceA # Service creation
# Scheduled tasks
bp CreateProcessA # Task scheduler execution
# DLL hijacking
bp LoadLibraryA # DLL loading
# Communication Analysis
# C&C communication patterns
# Protocol analysis
# Encryption detection
# Data exfiltration methods
# Command parsing
# Evasion Techniques
# Anti-analysis detection
# Sandbox evasion
# VM detection
# Debugger detection
# Time-based evasion
Recherche et développement de la vulnérabilité
Analyse des accidents et débogage
# Exception Handling
# Options -> Preferences -> Exceptions
# Configure exception handling
# First chance vs second chance
# Ignore specific exceptions
# Crash Analysis Workflow
# 1. Reproduce crash
# 2. Analyze exception information
# 3. Examine crash context
# 4. Identify root cause
# 5. Develop exploit
# Register Analysis at Crash
# Examine register values
# Identify controlled registers
# Check for code execution
# Analyze memory corruption
# Stack Analysis
# View -> Stack
# Examine stack contents
# Identify return addresses
# Look for buffer overflows
# Check stack cookies/canaries
# Heap Analysis
# View -> Heap
# Examine heap corruption
# Identify use-after-free
# Analyze heap metadata
# Check heap protections
Analyse du dépassement des tampons
# Identifying Buffer Overflows
# Look for dangerous functions:
# strcpy, strcat, sprintf, gets
# Analyze input validation
# Check buffer boundaries
# Examine stack layout
# Pattern Generation and Analysis
# Generate unique patterns
# Identify offset to return address
# Calculate exact overflow length
# Determine controlled data
# Return Address Control
# Verify EIP/RIP control
# Find suitable return address
# Bypass ASLR if present
# Identify gadgets for ROP
# Shellcode Development
# Develop custom shellcode
# Avoid bad characters
# Encode if necessary
# Test in debugger environment
# Exploit Testing
# Test exploit reliability
# Handle different OS versions
# Bypass security mitigations
# Validate payload execution
Techniques d'exploitation avancées
# ROP Chain Development
# Search for ROP gadgets
# Build ROP chain
# Bypass DEP/NX
# Stack pivot techniques
# Heap Exploitation
# Heap spray techniques
# Use-after-free exploitation
# Heap overflow exploitation
# Heap metadata corruption
# Format String Exploitation
# Identify format string bugs
# Control format string
# Arbitrary read/write
# Code execution techniques
# Race Condition Exploitation
# Identify race conditions
# Time-of-check vs time-of-use
# Thread synchronization issues
# Exploit timing windows
# Kernel Exploitation
# Kernel debugging setup
# Driver vulnerability analysis
# Privilege escalation
# Kernel shellcode development
Les capacités complètes de débogage de x64dbg, l'interface intuitive et l'écosystème de plugin étendu en font un outil indispensable pour l'ingénierie inverse de Windows et l'analyse de logiciels malveillants. Son support natif pour les applications 32 bits et 64 bits, combiné à des fonctionnalités avancées comme les points d'arrêt conditionnels, l'analyse de mémoire et les capacités de script, fournit aux chercheurs en sécurité les outils dont ils ont besoin pour comprendre le comportement logiciel complexe et identifier les vulnérabilités de sécurité. Qu'il soit utilisé pour l'analyse de logiciels malveillants, la recherche de vulnérabilité, le développement d'exploitation ou le débogage général de logiciels, x64dbg offre la puissance et la flexibilité dont les professionnels de la sécurité modernes ont besoin pour leurs tâches d'analyse les plus difficiles. La communauté de développement active du débogueur et les améliorations continues des fonctionnalités assurent qu'il reste à l'avant-garde de la technologie de débogage Windows, s'adaptant aux nouvelles menaces et défis d'analyse tout en conservant sa réputation de plateforme de débogage Windows de premier plan.