Guest lecture: Windows Debugger Internals

This semester, students can take a class called Software Reverse Engineering at the University of Mannheim, Germany. In this class, Professor Felix Freiling and his two assistants Carsten Willems and Ralf Hund teach approximately 20-30 students about topics like x86 assembly, Windows internals, and sandboxing of malicious files. The students then use their new knowledge in hands-on homework where they have to crack simple crackmes or analyze malware files.

Last December I was invited to give a guest lecture there about a topic of my choice. Of the available topics, the one that seemed most relevant to my work at zynamics was debuggers and debugger internals.

Yesterday my big day had come. I travelled to Mannheim to give the second guest lecture of my life (I blogged about the first one at Dortmund University). I gave a brief history of popular reverse engineering debuggers from SoftICE to WinDbg. I talked about common debugger features and how to use them for reverse engineering. I explained in detail what you have to do if you want to implement your own Windows debugger. In the end I spent a few slides talking about anti-debugging measures software uses to protect itself against reverse engineers.

I think the guest lecture went pretty well from my point of view. Unfortunately the students did not seem to be as interested in reverse engineering as the students at Dortmund University were. Maybe they would have paid more attention if they had known before that implementing their own Win32 debugger would be their next homework assignment. 🙂

Anyway, below you can find the German-language slides I used for my guest lecture. If you do not have Flash installed, you can get a direct download here.

[SlideShare embed: id 3965027, document unimannheimdebuggers-100504092656-phpapp02]

5 Responses to “Guest lecture: Windows Debugger Internals”

  1. elias says:

    It is interesting to learn that some universities in Germany are offering such classes.

    Slide 11: good old days! ;p

    • Sebastian Porst says:

      Yeah, there are probably four or five German universities (I am aware of) where you can learn stuff like that. However, this is a very recent trend, maybe two or three years old.

  2. S P T Krishnan says:

    Will you create an English version of your slides for English-speaking people who frequent the zynamics blog? 🙂

  3. […] about Windows debugger internals and their use in reverse engineering which you can read about here. This week it was my turn to share some knowledge about architectural diversity in reverse […]