Goal: Learn how to recognize various abnormal software behavior patterns in x64 memory dumps.
Patterns: Virtualized Process; Message Box; Frozen Process; Wait Chain (ALPC)
1. Launch WinDbg from Windows Kits \ Debugging Tools for Windows (X64).
2. Open \AWMDA-Dumps\64-bit\Complete\MEMORY-W81.DMP
3. We get the dump file loaded:
Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [E:\AWMDA-Dumps\64-bit\Complete\MEMORY-W81.DMP]
Kernel Bitmap Dump File: Full address space is available

Symbol ...