windbg.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe - Description: Windows GUI symbolic debugger
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 703B2F8C342FEB9FC8782F48B47BA698 |
| SHA1 | 2CFAE4B5F01E36B937E7AB2BAB4DEF4563330062 |
| SHA256 | B1CE9D33E94CFB98989147AD1A9CC190FF2EDB97BA24F47A80C5ADAAB01EE80C |
| SHA384 | FCB1F8A7686EF7681FA0B75988B41E38A77222F98EBC5CBCCAD111F262FE6A3E1B59E6F057E5CFAF1164BF96D2A92A2B |
| SHA512 | 81CBC23BA64CFF21B89D5773A269516C44F91F4BAFD60E9E58EF8ABA654070A5573E8035F10A498EE5719C54C91E027E1D3E7D78285FC72C0E95D864A6BA0C2C |
| SSDEEP | 12288:ziaAINi0BQjAHXrzYWZci2+Tousrte4XL:D9/L7zYWZT2+Touge |
| IMP | CE2DF536539DE0880E2AEF4A9EE567FE |
| PESHA1 | FF6C1246D69A9A92F08DD9C9F74CDD38752478A9 |
| PE256 | 5B2D3184EF2BEB5F69E50B95D0671B338F5ED4E4A263DA11C2DA66510F78A91B |
Runtime Data
Child Processes:
help.exe
Window Title:
help - WinDbg:10.0.19041.1 X86
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sym\wntdll.pdb\3CCC2398F623C3D0915D0E0ADC5714A71\wntdll.pdb | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| (RWD) C:\Windows\SysWOW64\ntdll.dll | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\BaseNamedObjects\1f50HWNDInterface:40030c | Section |
| \Sessions\1\Windows\Theme1383959086 | Section |
| \Windows\Theme2042523233 | Section |
Loaded Modules:
| Path |
|---|
| C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000002CF6D2CC57CAA65A6D80000000002CF - Thumbprint:
1A221B3B4FEF088B17BA6704FD088DF192D9E0EF - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: windbg.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/b1ce9d33e94cfb98989147ad1a9cc190ff2edb97ba24f47a80c5adaab01ee80c/detection
Possible Misuse
The following table contains possible examples of windbg.exe being misused. While windbg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_cdb.yml | title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner |
DRL 1.0 |
| sigma | proc_creation_win_susp_cdb.yml | - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
DRL 1.0 |
| LOLBAS | Cdb.yml | - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
|
| signature-base | gen_deviceguard_evasion.yar | reference = “http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html” | CC BY-NC 4.0 |
| stockpile | 7a6ba833-de40-466a-8969-5c37b13603e0.yml | "windbg", |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.