An in-depth tutorial on the MASM and C++ expression evaluators in WinDBG.
Windows 10
WinDBG quick start tutorial
Step by step walk-through for learning basic commands and navigation in WinDBG.
Windows 10
System setup for kernel development and debugging
Instructions for setting up a Windows kernel driver development and debugging environment.
Windows 10
Top Ten useful Kernel APIs
Top ten useful APIs for Windows kernel software driver development.
Windows 10
Interrupt Dispatching Internals
Details of interrupt dispatching changes in recent versions of Windows.
Windows 10
Kernel Debugging Tricks
Video presentation of the top 10 cool kernel debugging tricks in Windows.
Windows 7+
Kernel Callback Functions
Comprehensive list of documented and undocumented APIs available in the Windows kernel to register callback routines.
Windows 8.1
How KMDF converts handles to pointers
Algorithms used by the Windows Kernel Mode Driver Framework (KMDF) to convert handles to KMDF objects to raw kernel mode pointers.
Windows XP+
EX_FAST_REF Pointers
Details of EX_FAST_REF pointer implementation in the Windows Kernel.
Windows 7
Usage of TEB ArbitraryUserPointer
Describes the various uses of the ArbitraryUserPointer field in the Thread Environment Block (TEB) data structure.
Windows 7+
Useful Build Macros
Useful macros for use in the sources file for building kernel drivers using the Windows 7 WDK command line build environment.
Windows XP - Windows 7
NTOSKRNL Component List
List of components within NTOSKRNL along with their respective function prefixes.
Windows 8.1
Windows Object Allocation Pool Types
Describes how Windows selects the pool type to allocate objects from and which pool types are used to allocate various objects.
Windows 8
Windows Kernel Thread List
Lists all the threads created by the kernel, with a brief description of the functionality each one provides.
Windows 8
Safe kernel thread creation API
Describes a new system thread creation API which solves a very common problem with drivers wherein a driver unloads before all the threads created by the driver are terminated.
Windows 8
How Windows Sets the Default Audio Device
Describes the mechanism used by Windows to select the default device for audio playback.
Windows Vista+
Finding physical memory ranges from a kernel debugger
Describes a debugger technique to obtain the addresses and lengths of various physical memory ranges in use on a Windows system.
Windows Vista+
WinDBG - A rodent killer
Step by step description of getting rid of the Poison Ivy RAT using just WinDBG.
Windows XP+
Windows on ARM - An assembly language primer
Tutorial on the ARM architecture, assembly language, calling convention, exceptions, interrupts, system calls, interlocked operations, etc. on Windows 8.
Windows 8+
Dump Analysis - Debugging a Multi-Process Hang
Analysis of an application hang caused by a chain of RPC calls.
Debugging power IRP watchdog timeouts on Vista and later versions of Windows.
Windows Vista+
Catalog of key Windows kernel data structures
Explanation of key data structures used by Windows device drivers, kernel and HAL.
Windows 7+
Command Line Tips
Useful CMD.exe commands related to drivers, debugger configuration, memory dump generation, etc.
Windows 7+
X64 Deep Dive
In-depth tutorial on the key aspects of code execution and debugging on X64, such as compiler optimizations, exception handling, parameter passing, stack layout and parameter retrieval.
Windows Vista+
X86 Compiler Optimization - Parameter Reuse
Describes optimizations performed by the X86 compiler wherein it reuses the stack based parameter space to store local variables.
Windows XP+
TDI Overview
Overview of Windows Kernel Transport Driver Interface (TDI).
Windows XP+
Windows Object Headers
Describes the changes that have been made to the object header structure in Windows 7.
Windows 7+
Prototype PTEs
Describes Prototype PTEs and how they are used to implement shared memory in Windows.
Windows XP+
X64 Kernel Virtual Address Space
Describes the layout and the components of the Kernel Virtual Address Space.
Windows 7+
NDIS 6 Net Buffer Lists and Net Buffers
Describes internals and usage of NDIS 6 NBLs, NBs and MDLs.
Windows Vista+
Finding AFD Endpoints
Describes a technique to locate AFD socket endpoint structures in a complete or kernel memory dump.
Windows Vista+
Finding Windows Socket Client (WSK) Client Drivers
Describes a technique to locate WSK drivers in a complete or kernel memory dump.
Windows Vista+
Finding Windows Filtering Platform (WFP) Callouts
Describes a technique to locate WFP drivers and the callouts they have established in a complete or kernel memory dump.
Windows Vista+
System Call Instructions
Explanation of mechanisms used to perform a user to kernel mode thread transition.
Windows XP+
timer Abnormalities
Explanation of the output and idiosyncrasies of the !timer kernel debugger extension command.