- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/
- https://github.com/TimMisiak/windup
Get the latest version (stolen from here):
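# Fetch the current WinDbg app installer, pull the bundle URL it references,
# download that bundle and unpack the x64 package without going through the Store.
# TLS verification is left ON (the original used --no-check-certificate): the
# archive contains the debugger executable we are about to run, so a tampered
# download or an interposing proxy must make wget fail rather than succeed silently.
wget --quiet --continue -O windbg.appinstaller https://aka.ms/windbg/download
# The .appinstaller file carries the direct URL of the .msixbundle; keep only that URL
grep -ioP "htt.*bundle" windbg.appinstaller > msix.txt
wget --quiet --continue -i msix.txt
# The bundle is an archive of per-architecture packages, each itself an archive
7z.exe x windbg.msixbundle
7z.exe x *x64.msix -owindbgnew
cd windbgnew
start dbgx.shell.exe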
Load debugging symbols:
> srv*c:\symbols*https://msdl.microsoft.com/download/symbols
> .reload /f
Unassemble from memory:
> u kernel32!GetCurrentThread
Read bytes from memory:
> db esp [L1]
> db 41414141
> db kernel32!WriteFile
> dw esp
> dd esp
> dq esp
> dW/dc KERNELBASE+0x40
Read data at a specified address:
> dd esp L1
41414141
> dd 41414141
// Equivalent to the previous command: poi(esp) dereferences esp, so this dumps the data the stack pointer points to
> dd poi(esp)
Dump structures:
> dt ntdll!_TEB
> dt -r ntdll!_TEB @$teb ThreadLocalStoragePointer
> dt -r ntdll!_TEB @$teb
> ?? sizeof(ntdll!_TEB)
Edit bytes:
> dd esp L1
> ed esp 41414141
> dd esp L1
> da esp
> ea esp "AAAA"
> da esp
Search memory space:
> ed esp 41414141
> s -d 0 L?80000000 41414141
> s -a 0 L?80000000 "This program cannot be run in DOS mode"
Work with registers:
> r
> r eax
> r eax=41414141
Work with software breakpoints:
> bp kernel32!WriteFile
> bl
> bd 0
> be 0
> bc 0
> bc *
> lm m ole32
> bu ole32!WriteStringStream
> bl
Breakpoints and actions:
// Prototype of the API the breakpoints below instrument. On 32-bit x86 the
// arguments sit on the stack above the return address at function entry, so the
// third argument is read as poi(esp + 0x0C) in the breakpoint commands.
BOOL WriteFile(
HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite, // When "hello" is written to a file, "db esp+0x0c L1" shows 04 (the byte count; the same value is also held in the esi register)
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
);
> bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g"
> bp kernel32!WriteFile ".if (poi(esp + 0x0C) != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
> bp kernel32!WriteFile ".if (@esi != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
Work with hardware breakpoints:
// Before: write "w00tw00t" to a file, save the file, close Notepad, re-open the file
> s -a 0x0 L?80000000 w00tw00t
> s -u 0x0 L?80000000 w00tw00t
> ba w 2 00b8b238
> du
00b8b238 "a00tw00t"
![[Pasted image 20230924234241.png]]
Step through code:
> p // step over
> t // step into
> pt // step to next return
> ph // execute code until a branching instruction is reached
List modules and symbols:
> .reload /f
> lm
> lm m kernel*
> x kernelbase!CreateProc*
Evaluation and output formats:
> ? ((41414141 - 414141) * 0n10) >> 8
> ? 41414141
> ? 0n41414141
> ? 0y10101010
> .formats 41414141
Pseudo registers:
> r @$t0 = (41414141 - 414141) * 0n10
> ? @$t0 >> 8