3.3 IDA's Debugger Interface

After you launch the program in the IDA debugger, the process will pause, and the following debugger display will be presented to you:

When the process is under debugger control, the disassembly toolbar is replaced with the debugger toolbar, whose buttons control debugging functionality such as process control and breakpoint management. The debugger display is made up of the following windows:

  • Disassembly Window: This window is synchronized with the current value of the instruction pointer register (eip or rip). It offers the same functionality you learned in the previous chapter, and you can switch between graph view and text view by pressing the spacebar.
  • Register Window: This window displays the current contents of the CPU's general-purpose registers. You can right-click a register value and choose Modify value, Zero value, Toggle value, Increment value, or Decrement value. Toggling a value is particularly useful for flipping CPU flag bits (for example, to force or skip a conditional jump). If a register holds a valid memory address, the right-angle arrow next to its value is active; clicking the arrow relocates the view to that address. If you have navigated elsewhere and want to return to the location pointed to by the instruction pointer, click the right-angle arrow next to the instruction pointer register (eip or rip).
  • Stack View: The stack view displays the contents of the process's runtime stack. Inspecting the stack just before a call can reveal the number and types of the function's arguments (on 32-bit x86, where cdecl and stdcall pass arguments on the stack; on x64 the first few arguments are passed in registers, so only the remaining ones appear on the stack).
  • Hex View: This displays a standard hex dump of memory. It is useful for viewing the contents of a valid memory address referenced by a register, a stack slot, or an instruction operand.
  • Modules View: This displays the list of modules (the executable and the shared libraries it has loaded) in the process memory. Double-clicking a module lists the symbols it exports, which is an easy way to navigate to functions inside the loaded libraries.
  • Threads View: This displays a list of threads in the current process. You can right-click in this window to suspend a thread or resume a suspended thread.
  • Segments Window: The segments window is available via View | Open subviews | Segments (or Shift + F7). While a program is being debugged, it lists the memory segments allocated in the process: where the executable and its sections are loaded, and the loaded DLLs with their section information. Double-clicking an entry navigates to that memory address in either the disassembly window or the hex window; which of the two receives the navigation depends on where your cursor was last placed, so click in the disassembly or hex window first and then double-click the entry.
  • Imports and Exports Window: When the process is under debugger control, the Imports and Exports windows are not displayed by default; open them via View | Open subviews. The Imports window lists the functions the binary imports, and the Exports window lists the functions it exports. Exports are normally found in DLLs, so the Exports window is particularly useful when you are debugging a malicious DLL.

The other IDA windows, explained in the previous chapter, can also be accessed via View | Open subviews.
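The Stack view inspection described above (inferring argument count and types from the slots at ESP before a call) and the Modules view can also be scripted. The following is an added example, not code from the book or from IDA: a small Python helper that classifies each slot above ESP as a string pointer, a pointer into a loaded module, a pointer into the stack, a pointer to other readable memory, or a constant. It runs against a constructed memory snapshot of a made-up 32-bit process (the addresses, module names and the path string are all invented for the example). The `snapshot_from_ida()` bridge uses IDAPython calls (`idc.get_reg_value`, `idc.get_segm_start`/`idc.get_segm_end`, `idc.read_dbg_memory`, `idautils.Modules`) and only works inside IDA 7.x with a process suspended under the debugger.

```python
import string
import struct

PRINTABLE = set(string.printable.encode("ascii"))  # bytes we accept in a C string


class Snapshot:
    """Minimal view of a paused process: a memory reader, module ranges, stack range."""

    def __init__(self, read, modules, stack):
        self.read = read          # read(ea, size) -> bytes, or None if unmapped
        self.modules = modules    # {module name: (base, size)}
        self.stack = stack        # (low, high) of the current thread's stack

    def module_for(self, ea):
        for name, (base, size) in self.modules.items():
            if base <= ea < base + size:
                return name
        return None

    def ascii_string_at(self, ea, limit=64):
        """NUL-terminated printable run of >= 4 chars at ea, else None."""
        buf = self.read(ea, limit)
        if buf is None:
            return None
        run = buf.split(b"\x00", 1)[0]
        if len(run) < 4 or any(b not in PRINTABLE for b in run):
            return None
        return run.decode("ascii")


def describe_slot(snap, value):
    """Human-readable guess for one slot value, most specific interpretation first."""
    text = snap.ascii_string_at(value)
    mod = snap.module_for(value)
    if text is not None:
        return f"pointer to string {text!r}" + (f" in {mod}" if mod else "")
    if mod:
        return f"pointer into {mod}"
    if snap.stack[0] <= value < snap.stack[1]:
        return "pointer into stack"
    if snap.read(value, 1) is not None:
        return "pointer to readable memory"
    if value < 0x10000:
        return f"small integer {value}"
    return f"constant/flag 0x{value:08x}"


def stack_args(snap, esp, count, ptr_size=4):
    """Read `count` slots from ESP upward (x86-32 cdecl/stdcall argument area) and classify them."""
    raw = snap.read(esp, count * ptr_size)
    if raw is None:
        raise ValueError(f"stack not readable at 0x{esp:x}")
    fmt = f"<{count}{'I' if ptr_size == 4 else 'Q'}"
    return [(esp + i * ptr_size, v, describe_slot(snap, v))
            for i, v in enumerate(struct.unpack(fmt, raw))]


def make_reader(regions):
    # regions: {start address: bytes-like} standing in for process memory (constructed data)
    def read(ea, size):
        for start, data in regions.items():
            if start <= ea and ea + size <= start + len(data):
                return bytes(data[ea - start:ea - start + size])
        return None
    return read


def constructed_snapshot():
    """Made-up 32-bit process paused at a CALL with four arguments pushed (constructed data)."""
    stack_lo, stack_hi, esp = 0x0019F000, 0x001A0000, 0x0019FF20
    stack = bytearray(stack_hi - stack_lo)
    # arg0: pointer to a path in .data, arg1: a flag constant, arg2: a count, arg3: an out-pointer
    stack[esp - stack_lo:esp - stack_lo + 16] = struct.pack(
        "<4I", 0x00403000, 0x80000000, 0x00000003, 0x0019FF40)
    regions = {
        0x00403000: b"C:\\Temp\\sample.bin\x00" + b"\x00" * 48,  # .data of sample.exe
        stack_lo: stack,
    }
    modules = {"sample.exe": (0x00400000, 0x5000), "kernel32.dll": (0x76A00000, 0x100000)}
    return Snapshot(make_reader(regions), modules, (stack_lo, stack_hi)), esp


def snapshot_from_ida():
    """IDAPython bridge (IDA 7.x names); runs only inside IDA, assumes a 32-bit target (ESP)."""
    import idc, idautils
    esp = idc.get_reg_value("ESP")
    stack = (idc.get_segm_start(esp), idc.get_segm_end(esp))
    modules = {m.name: (m.base, m.size) for m in idautils.Modules()}
    return Snapshot(idc.read_dbg_memory, modules, stack), esp


if __name__ == "__main__":
    snap, esp = constructed_snapshot()
    for ea, value, what in stack_args(snap, esp, 4):
        print(f"{ea:08X}  {value:08X}  {what}")
```

The classification is a heuristic, the same one you apply by eye in the Stack view: a slot that dereferences to a printable NUL-terminated run is most likely a string argument, a slot inside a module range is a code or data pointer (a callback, a format string, a global), a slot inside the stack range is usually an out-parameter or a local passed by address, and anything else is a constant or flag. It only recognises ASCII strings; Windows APIs frequently take UTF-16 strings, which this helper will report as "pointer to readable memory". On x64 targets the first four (Windows) or six (System V) integer arguments are in registers, so the slots at RSP are not the arguments and the register window is the place to look.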
