Getting Started Guide
How to Install and Use x64dbg
This guide covers installing x64dbg on Windows and using it for basic binary debugging, breakpoints, and malware analysis.
Prerequisites
- Windows 7+ (64-bit)
- A binary to analyze
Install x64dbg
Download and extract x64dbg. It's portable - no installer needed.
Download
# Download latest snapshot from https://x64dbg.com
# Extract the zip to a folder like C:\x64dbg
# Run x96dbg.exe (launcher that picks 32 or 64-bit)
Or via Chocolatey
choco install x64dbg.portable
Note: x96dbg.exe is the launcher that auto-selects x32dbg or x64dbg based on the target binary's architecture.
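The architecture the note refers to can be read from a sample's PE header before it is ever opened in the debugger. The following is an added example, not code from x64dbg or from this guide: it parses the COFF Machine field and the optional-header Magic and reports which debugger matches. The function names and the constructed header bytes are assumptions for illustration; the page does not say how x96dbg itself makes the decision.

```python
import struct
import sys

MACHINE_I386 = 0x014C    # COFF Machine values from the PE/COFF specification
MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pick_debugger(data: bytes) -> str:
    """Return 'x32dbg' or 'x64dbg' for PE header bytes; raise ValueError otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew (offset 0x3C of the DOS header) points at the 'PE\0\0' signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE signature")
    # Machine is the first field of the 20-byte COFF header after the signature.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    # Magic is the first field of the optional header that follows the COFF header.
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if machine == MACHINE_I386 and magic == PE32_MAGIC:
        return "x32dbg"
    if machine == MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "x64dbg"
    # Mismatched or unknown values are worth a closer look before debugging.
    raise ValueError(f"unsupported or inconsistent PE: machine={machine:#06x}, magic={magic:#05x}")


def build_sample(machine: int, magic: int) -> bytes:
    """Constructed minimal header bytes for demonstration (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Headers normally sit within the first 4 KiB of the file.
        with open(sys.argv[1], "rb") as fh:
            print(pick_debugger(fh.read(4096)))
    else:
        print(pick_debugger(build_sample(MACHINE_AMD64, PE32PLUS_MAGIC)))
```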
Load a Binary
Open a binary for debugging. x64dbg pauses at the system entry point.
GUI
# File > Open > Select your executable
# The debugger pauses at ntdll entry point
# Press F9 (Run) to reach the application entry point
Set Breakpoints
Breakpoints pause execution so you can inspect the program's state at critical points.
Key commands
# F2 - Toggle breakpoint at current line
# Ctrl+G - Go to address
# F7 - Step into (follow function calls)
# F8 - Step over (execute call, stop at next line)
# F9 - Run until next breakpoint
Note: For malware analysis, set breakpoints on API calls like CreateFile, WriteFile, RegSetValue, connect, and send to understand what the malware does.
Inspect Memory and Registers
View register values, memory contents, and the stack while debugging.
Key windows
# CPU tab - Disassembly, registers, stack, memory dump
# Memory Map tab - See all loaded modules and memory regions
# Handles tab - Open file handles, registry keys, network sockets
# Strings tab - Right-click module > Search for > All strings
Useful Plugins
x64dbg has a plugin ecosystem. A few plugins are essential for security work.
Essential plugins
# ScyllaHide - Anti-anti-debug (hides debugger from detection)
# x64dbgpy - Python scripting support
# Swiss Army Knife - Collection of useful utilities
# SharpOD - Another anti-debug plugin
# Install: drop DLLs into x64dbg/release/x32/plugins/ or x64/plugins/
Note: Malware commonly checks for debuggers using IsDebuggerPresent, NtQueryInformationProcess, and timing checks. ScyllaHide patches these so the malware doesn't know it's being analyzed.