Reversing : The Hacker's Guide to Reverse Engineering

Figure 4.6 A typical OllyDbg screen

Unsurprisingly, one place where WinDbg is unbeatable and far surpasses OllyDbg is in its integration with the operating system. WinDbg has powerful extensions that can provide a wealth of information on a variety of internal system data structures. This includes dumping currently active user-mode heaps, security tokens, the PEB (Process Environment Block) and the TEB (Thread Environment Block), the current state of the system loader (the component responsible for loading and initializing program executables), and so on. Beyond the extensions, WinDbg also supports stepping through the earliest phases of process initialization, even before statically linked DLLs are initialized. This is different from OllyDbg, where debugging starts at the primary executable’s WinMain (this is the .exe file launched by the user), after all statically linked DLLs are initialized. Figure 4.7 shows a screenshot from WinDbg. Notice how the code being debugged is a part of the NTDLL loader code that initializes DLLs while the process is coming up—not every user-mode debugger can do that.
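The following WinDbg command session is an added example, not from the book, illustrating the capabilities just described: it assumes a freshly launched target so that the initial break lands inside NTDLL before any statically linked DLL has run its initialization, and it uses only standard WinDbg commands and extensions (`lm`, `k`, `!dlls`, `!peb`, `!teb`, `!heap`, `!token`, `sxe`, `$exentry`). Command output is omitted because it is process-specific.

```windbg
$$ Launch the target with File > Open Executable (or windbg.exe target.exe).
$$ WinDbg stops at its initial breakpoint inside ntdll, while the loader is
$$ still bringing the process up; the executable's own code has not run yet.
k                      $$ call stack: every frame is ntdll loader code

$$ Loader state: which modules are mapped, and which ones the loader has
$$ already initialized (the loader's own module list, not just what is mapped)
lm                     $$ mapped modules and their load addresses
!dlls                  $$ loader database entries, including load counts

$$ Per-process and per-thread data structures the loader is filling in
!peb                   $$ image base, command line, environment, module lists
!teb                   $$ stack limits, TLS pointer, last error, owning PEB

$$ User-mode heaps that already exist at this early stage
!heap -s               $$ summary of all process heaps and their usage

$$ The security context the process was created with
!token                 $$ user SID, groups and privileges of the primary token

$$ Walk the rest of initialization one DLL at a time
sxe ld                 $$ break whenever any module is loaded
g                      $$ continue to the next module load event
!dlls                  $$ compare with the earlier listing

$$ Finally, stop where OllyDbg would have started: the executable's entry point
bp $exentry            $$ $exentry is WinDbg's pseudo-register for the entry point
g
```

Everything between the first `k` and the `$exentry` breakpoint is the part of process startup that OllyDbg does not expose.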

