When we talk about dynamic analysis, the main group of tools we are referring to are debuggers. The most popular debuggers are as follows:
- WinDbg: This is an irreplaceable tool when we are talking about debugging kernel-mode code on Windows. Officially supported by Microsoft, this tool features multiple commands and extensions that aim to make the analysis as straightforward as possible. The KD debugger that is shipped together with WinDbg is its console counterpart and shares the same debugging engine. There are three groups of commands supported: regular commands, meta-commands (the ones that start with "."), and extension commands (the ones that start with "!"). Here are some of the most common commands that are used when performing rootkit analysis:
  - ?: This is used to display regular commands.
  - .help: This is used to display meta-commands.
  - .hh: This is used to open the documentation for the specified command.
  - bp, bu, and ba: These are used to set breakpoints, including...
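The following constructed kernel-debugging session, which is an added illustration and not taken from the book or from Microsoft's documentation, shows the three command groups side by side and how the three breakpoint commands differ when tracing a suspected rootkit. The module name `suspect.sys`, the symbol `suspect!DriverEntry`, and the `ffff8000` address are placeholders; `$$` lines are WinDbg's own in-session comment syntax.

```windbg
$$ Regular commands (no prefix): list them, then inspect loaded modules
?
lm

$$ Meta-commands (dot prefix): list them, then open the docs for "bp"
.help
.hh bp

$$ Extension commands (bang prefix): process/thread context of the target
!process 0 0

$$ bp: software breakpoint on a symbol that is already resolvable
bp nt!NtCreateFile

$$ bu: deferred breakpoint; stays pending until the (placeholder) driver
$$ suspect.sys is loaded and the symbol can be resolved, which is what you
$$ want when watching a driver that has not been mapped yet
bu suspect!DriverEntry

$$ ba: hardware (processor) breakpoint on data access; here, break on any
$$ 8-byte write to a placeholder address such as a hooked SSDT/IRP slot
ba w8 ffff8000`00001000

$$ Review what is armed, then resume the target
bl
g
```

Two practical points: bu survives module unload/reload because it is keyed by symbol rather than by address, and ba relies on the CPU's debug registers, so only a handful can be active at once.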