Last active
June 11, 2021 10:50
Gist: Stolas/c67b0d6ce1de78869764
SETUP
------------------------------------------------------
------------------------------------------------------
CONTROL FLOW
c - continue
s - step
set step-mode off -- Toggle Step Over
show step-mode -- Show Step Mode.
until 0xaddress - step to address
finish - step to next return
------------------------------------------------------
BREAKPOINTS
break *0xaddress - Set breakpoint
// CONTINUE HERE.
bl - List breakpoints
bd num - disable breakpoint num
bc num - clear breakpoint num
ba [e|r|w] 1 0xaddress - break on access [execute|read or write|write], size 1 byte, at address
sxe ld:dllname - Break on load of module dllname
------------------------------------------------------
DUMP MEMORY
d[d|w|b|a] 0xaddress - dump [dword|word|byte|ascii] at address
d[d|w|b|a] 0xaddress L5 - the L argument defines how many units to dump
dd @register - dump memory at the address held in a register (e.g. dd @esp)
ddp 0xaddress - dump dwords at address, and whatever each one points to
dda 0xaddress - dump dwords at address, and print the string each one points to if there is one
u 0xaddress L5 - disassemble at 0xaddress, L instructions
------------------------------------------------------
EDIT MEMORY
e[d|w|b] 0xaddress newbytes - edit memory
------------------------------------------------------
SEARCH MEMORY
s -[d|w|b|a] 0x00000000 L?0xffffffff searchval
- first option is size (dword, word, byte, ascii string)
- second option is start address
- third option is the range length (L?0xffffffff from 0 covers the whole 32-bit address space; the ? lifts the 256 MB limit on L)
- last option is the value to search for
- ex dword: 0x41414141
- ex word: 0x4241
- ex byte: ff e3 (can be as many as you like!)
- ex ascii: avocado!
x nt!Nt*Driver* - examine symbols matching a wildcard pattern
------------------------------------------------------
SYMBOL SETUP - to cache symbols in C:\sym
.sympath SRV*C:\sym*http://msdl.microsoft.com/download/symbols/
.reload /f
------------------------------------------------------
DUMP STRUCTURES
!teb - dump thread environment block
!peb - dump process environment block
!vadump - dump list of memory pages and info
!lmi modulename - dump the info for module modulename
lm - show loaded modules
k - show call stack
r - show registers
dt structName 0xaddress - display a structure in proper format if you have symbols
------------------------------------------------------
.writemem FileName Range - write a memory range to a file
a Address - Assemble code at Address (patching)
!address -summary - Show summary of memory by type
!heap -s - Show all heaps
!heap -stat -h <heap addr> - Show blocks of a specific heap
!heap -flt s <block size> - Show addresses of memory blocks of a specific size, by heap
!heap -p -a <usrPtr> - Display allocation call stack for the block at the given user pointer
---------
Report on access (ba r fires on read or write; .printf takes no parentheses; use @rip on x64):
ba r 1 <addr> ".printf \"Accessed <addr> @ 0x%x\\n\", @eip; .echo; g"
---------
Kernel Debugging:
In Windows enable debugging:
bcdedit /copy {current} /d "Windows with serial debugging", copy the created {guid}
bcdedit /set {guid} debug on
bcdedit /set {guid} debugport 4, for some reason none of the other ports worked for me
bcdedit /set {guid} baudrate 115200
On host VirtualBox do:
Serial Ports ->
[X] Enable Serial Port
Port Number: COM4
Port Mode: Host Pipe
[X] Create Pipe
Port/File Path: \\.\pipe\debug
Create BAT file for easy access:
@echo off
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\pipe\debug,resets=1,reconnect=1
Note on Arguments:
In the Microsoft x64 calling convention the first four arguments are passed in registers (RCX, RDX, R8 and R9 respectively)
whilst the remaining parameters are passed on the stack.
Even though the first 4 parameters are passed in registers,
the calling convention requires that space is allocated for them on the stack (this is called the Home Space).
SETUP
------------------------------------------------------
To set windbg as your default post-mortem debugger (run on crash of programs),
simply run windbg from the command line with the -I option:
C:\wherever\windbg.exe -I
WinDbg itself is only a frontend for dbgeng.dll.
------------------------------------------------------
CONTROL FLOW
g - go / continue / run
p - step over
t - step into
(All further commands also work as ta, tc, tt, tct, th - stepping into instead of over)
pa 0xaddress - step to address
pc - step to next call
pt - step to next return
pct - step to next call or return
ph - step to next branching instruction
------------------------------------------------------
BREAKPOINTS
bp 0xaddress - Set breakpoint
bl - List breakpoints
bd num - disable breakpoint num
bc num - clear breakpoint num
ba [e|r|w] 1 0xaddress - break on access [execute|read or write|write], size 1 byte, at address
sxe ld:dllname - Break on load of module dllname
------------------------------------------------------
DUMP MEMORY
d[d|w|b|a] 0xaddress - dump [dword|word|byte|ascii] at address
d[d|w|b|a] 0xaddress L5 - the L argument defines how many units to dump
dd @register - dump memory at the address held in a register (e.g. dd @esp)
ddp 0xaddress - dump dwords at address, and whatever each one points to
dda 0xaddress - dump dwords at address, and print the string each one points to if there is one
u 0xaddress L5 - disassemble at 0xaddress, L instructions
------------------------------------------------------
EDIT MEMORY
e[d|w|b] 0xaddress newbytes - edit memory
------------------------------------------------------
SEARCH MEMORY
s -[d|w|b|a] 0x00000000 L?0xffffffff searchval
- first option is size (dword, word, byte, ascii string)
- second option is start address
- third option is the range length (L?0xffffffff from 0 covers the whole 32-bit address space; the ? lifts the 256 MB limit on L)
- last option is the value to search for
- ex dword: 0x41414141
- ex word: 0x4241
- ex byte: ff e3 (can be as many as you like!)
- ex ascii: avocado!
x nt!Nt*Driver* - examine symbols matching a wildcard pattern
------------------------------------------------------
SYMBOL SETUP - to cache symbols in C:\sym
.sympath SRV*C:\sym*http://msdl.microsoft.com/download/symbols/
.reload /f
------------------------------------------------------
DUMP STRUCTURES
!teb - dump thread environment block
!peb - dump process environment block
!vadump - dump list of memory pages and info
!lmi modulename - dump the info for module modulename
lm - show loaded modules
k - show call stack
r - show registers
dt structName 0xaddress - display a structure in proper format if you have symbols
------------------------------------------------------
.writemem FileName Range - write a memory range to a file
a Address - Assemble code at Address (patching)
!address -summary - Show summary of memory by type
!heap -s - Show all heaps
!heap -stat -h <heap addr> - Show blocks of a specific heap
!heap -flt s <block size> - Show addresses of memory blocks of a specific size, by heap
!heap -p -a <usrPtr> - Display allocation call stack for the block at the given user pointer
---------
Report on access (ba r fires on read or write; .printf takes no parentheses; use @rip on x64):
ba r 1 <addr> ".printf \"Accessed <addr> @ 0x%x\\n\", @eip; .echo; g"
---------
Kernel Debugging:
In Windows enable debugging:
bcdedit /copy {current} /d "Windows with serial debugging", copy the created {guid}
bcdedit /set {guid} debug on
bcdedit /set {guid} debugport 4, for some reason none of the other ports worked for me
bcdedit /set {guid} baudrate 115200
On host VirtualBox do:
Serial Ports ->
[X] Enable Serial Port
Port Number: COM4
Port Mode: Host Pipe
[X] Create Pipe
Port/File Path: \\.\pipe\debug
Create BAT file for easy access:
@echo off
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\pipe\debug,resets=1,reconnect=1
Note on Arguments:
In the Microsoft x64 calling convention the first four arguments are passed in registers (RCX, RDX, R8 and R9 respectively)
whilst the remaining parameters are passed on the stack.
Even though the first 4 parameters are passed in registers,
the calling convention requires that space is allocated for them on the stack (this is called the Home Space).
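Worked example of the note above, added here and not part of the gist: a WinDbg breakpoint command that prints all six arguments of a six-argument x64 function when the breakpoint fires on its first instruction. At that point nothing has been pushed yet, so rsp holds the return address, the caller's 32-byte home space (four 8-byte slots for RCX, RDX, R8, R9) sits at rsp+8..rsp+0x27, and the fifth and sixth arguments, spilled by the caller, sit at rsp+0x28 and rsp+0x30. SomeModule!SomeFunction is a placeholder symbol; substitute the function being inspected.

```windbg
$$ Added example (not from the gist). SomeModule!SomeFunction is a placeholder symbol.
$$ Stack layout at the first instruction of an x64 function, before any prologue runs:
$$   rsp+0x00            return address
$$   rsp+0x08 .. 0x20    home space: 4 x 8 bytes reserved by the caller for RCX, RDX, R8, R9
$$   rsp+0x28, rsp+0x30  5th and 6th arguments, stored there by the caller
bp SomeModule!SomeFunction ".printf \"args 1-4: %p %p %p %p\\n\", @rcx, @rdx, @r8, @r9; .printf \"args 5-6: %p %p\\n\", poi(@rsp+0x28), poi(@rsp+0x30); g"

$$ Same layout by hand when stopped at the entry point: seven qwords =
$$ return address, the four (still unfilled) home slots, then args 5 and 6.
dq @rsp L7

$$ Unoptimised builds usually copy the register arguments into their home slots in the
$$ prologue (mov [rsp+8], rcx and so on); the disassembly shows whether this function does.
u SomeModule!SomeFunction L8
```

The offsets only hold while stopped exactly where `bp symbol` stops; once the prologue has executed `sub rsp, N`, the return address and home slots must be located relative to the entry-time rsp instead.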