cl -Z7 file.c
Compile with debug information (-Z7) so the debugger can map addresses back to source lines.
Clear the image's dynamic-base flag so the loader does not randomize its base address (no ASLR for this binary); addresses then stay the same between runs, which makes analysis easier.
Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the
base address of an executable and the position of libraries, heap, and stack, in a process's address space.
editbin /DYNAMICBASE:NO file.exe
WinDbg does both source-level and assembly-level debugging.
By default it starts in Source Mode.
Uncheck Debug > Source Mode
to step through the disassembly instead (Assembly Mode).
bp main
By default the debugger looks for the matching .pdb in the same directory as the executable (and at the path recorded in the executable's debug directory)
.reload /f
.cls
bl
0 e Disable Clear x86 00000000`00406e20 0001 (0001) 0:**** arrays!main
Where
0 = index
e/d = enabled/disabled
00000000`00406e20 = address where the breakpoint was set
g
da <memory address>
bp kernel32!createprocess
.symfix
.reload
.sympath
x kernel32!createprocess*
bc <index>
bp kernel32!createprocessastub # kernel32 stub that forwards to CreateProcessA; a breakpoint here catches new processes being spawned.
bp kernel32!virtualallocex # reserves or commits a region of memory inside another process (given a handle to it). Returns the base address of the region, or NULL on failure.
bp kernel32!writeprocessmemorystub # kernel32 stub for WriteProcessMemory; copies data into a region of another process's address space, typically the one just obtained with VirtualAllocEx.
-
Every process that is created gets its own contiguous range of virtual memory addresses.
-
The range itself has no gaps, but not every address in it is mapped; touching an unmapped page raises an access violation.
-
The OS takes care of mapping this memory to physical memory.
-
Within the virtual memory address space there are certain regions that are of critical importance, such as the stack and the heap.
-
The stack grows from higher addresses to lower addresses.
-
The heap grows from lower addresses to higher addresses.
-
Imported libraries tend to live at higher addresses.
-
(Un)initialized data and the other sections of the executable itself (.text, imports, exports) tend to live at lower addresses.
A function is a section of code that performs a specific task and can accept arguments and return a value.
-
Local variables are just space on the stack, typically referenced relative to EBP or ESP.
-
The function prologue and epilogue set up and tear down a function's stack frame.
ESP, stack pointer. Always points to the top of the stack.
EBP, base pointer. Points to the base of the current stack frame.
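The following program is an added example (not from the original notes) that makes the layout notes above observable: it prints the address of something in each region (.text, .data, .bss, heap, stack, an imported libc function), checks that a callee's stack frame is placed below its caller's (stack grows down), checks that a local sits below the frame base (why disassembly shows locals as [ebp-N]), and counts whether consecutive heap allocations come back at increasing addresses. The frame-base check uses GCC/Clang's __builtin_frame_address and is skipped on other compilers; the globals and the allocation sizes are constructed sample data. The heap direction is reported but not asserted, since allocators do not guarantee it.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__GNUC__)
#  define NOINLINE __attribute__((noinline))
#elif defined(_MSC_VER)
#  define NOINLINE __declspec(noinline)
#else
#  define NOINLINE
#endif

/* Constructed sample globals so every region of the layout has something to print. */
int initialized_global = 0x41414141;   /* lands in .data */
int zeroed_global;                     /* lands in .bss  */

/* Callee of stack_grows_down(): its frame is pushed below the caller's,
 * so its local must sit at a lower address than the caller's local. */
static NOINLINE int callee_frame_is_lower(const volatile int *caller_local)
{
    volatile int callee_local = 0;
    return (uintptr_t)&callee_local < (uintptr_t)caller_local;
}

/* Returns 1 when the stack grows toward lower addresses (x86/x64 behaviour). */
NOINLINE int stack_grows_down(void)
{
    volatile int caller_local = 0;
    return callee_frame_is_lower(&caller_local);
}

/* Locals live below the frame base (EBP/RBP), which is why a disassembly
 * addresses them as [ebp-N]. Returns 1 if the local is below the frame base,
 * 0 if not, and -1 when the compiler offers no __builtin_frame_address. */
NOINLINE int local_below_frame_base(void)
{
#if defined(__GNUC__)
    volatile int local = 0;
    return (uintptr_t)&local < (uintptr_t)__builtin_frame_address(0) ? 1 : 0;
#else
    return -1;
#endif
}

/* Counts how many of n consecutive 32-byte allocations land above the previous
 * one. Fresh heaps usually hand out increasing addresses, but nothing
 * guarantees it, so this is reported rather than asserted. */
int count_increasing_heap_allocs(int n)
{
    int increasing = 0;
    void *prev = malloc(32);
    for (int i = 1; i < n; i++) {
        void *cur = malloc(32);
        if (cur == NULL)
            break;
        if ((uintptr_t)cur > (uintptr_t)prev)
            increasing++;
        prev = cur;   /* deliberately not freed: recycling would skew the count */
    }
    return increasing;
}

int main(void)
{
    volatile int stack_local = 0;
    void *heap_block = malloc(64);

    printf(".text  (main)              %#" PRIxPTR "\n", (uintptr_t)&main);
    printf(".data  (initialized)       %#" PRIxPTR "\n", (uintptr_t)&initialized_global);
    printf(".bss   (zeroed)            %#" PRIxPTR "\n", (uintptr_t)&zeroed_global);
    printf("heap   (malloc)            %#" PRIxPTR "\n", (uintptr_t)heap_block);
    printf("stack  (local)             %#" PRIxPTR "\n", (uintptr_t)&stack_local);
    printf("import (printf in libc)    %#" PRIxPTR "\n", (uintptr_t)&printf);

    printf("stack grows down:        %d\n", stack_grows_down());
    printf("local below frame base:  %d\n", local_below_frame_base());
    printf("increasing heap allocs:  %d of 7\n", count_increasing_heap_allocs(8));

    free(heap_block);
    return 0;
}
```

Run it twice with and without ASLR (on Windows, before and after editbin /DYNAMICBASE:NO) and compare the printed addresses: the stack and frame checks hold either way, while the absolute addresses only stay fixed once randomization is off.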
To be continued ...