@rbento
Last active January 29, 2022 20:45
Notes on WinDbg

WinDbg

Compile with debug symbols


cl -Z7 file.c

Instruct the OS to load the program without ASLR to make it easier to analyse.

Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack, in a process's address space.

editbin /DYNAMICBASE:NO file.exe

WinDbg


Does both source-level and assembly-level debugging.

By default it starts in Source Mode.

Uncheck Debug > Source Mode to debug in Assembly Mode.

Commands

Set breakpoint on main
bp main

Reload the executable and its debug symbols
By default WinDbg looks for a .pdb file in the same directory as the executable.
.reload /f

Clear the command prompt window
.cls

List breakpoints
bl

Format
0 e Disable Clear  x86 00000000`00406e20     0001 (0001)  0:**** arrays!main

Where

0                 = breakpoint index
e/d               = enabled/disabled
00000000`00406e20 = address where the breakpoint was set
0001 (0001)       = passes remaining before the breakpoint triggers (initial pass count)
0:****            = process:thread the breakpoint applies to (**** = any thread)
arrays!main       = module!symbol

Go to the first breakpoint / resume execution
g

Dump data as ASCII and other formats
da <memory address>

Set breakpoint on a library function
bp kernel32!createprocess

Load symbols from Microsoft
Point WinDbg to the Microsoft symbol servers, then reload
.symfix
.reload

Show the symbol path set by .symfix
.sympath

List library function names matching a pattern
x kernel32!createprocess*

Clear a breakpoint
bc <index>

Useful library breakpoints
bp kernel32!createprocessastub        # CreateProcessA: creates a new process
bp kernel32!virtualallocex            # VirtualAllocEx: reserves or commits a region of memory in the address space of a given process. Returns the base address of the region, else 0.
bp kernel32!writeprocessmemorystub    # WriteProcessMemory: writes data into the address space of another process
Stack Frame
  • Every process that is created gets its own contiguous range of virtual memory addresses.

  • It seems there are no gaps in this memory.

  • The OS takes care of mapping this memory to physical memory.

  • Within the virtual memory address space there are certain regions that are of critical importance, such as the stack and the heap.

  • The stack grows from higher addresses to lower addresses.

  • The heap grows from lower addresses to higher addresses.

Also:
  • Imported libraries tend to live at higher addresses.

  • (Un)initialized data and sections (.text, imports, exports) tend to live at lower addresses.

Functions

A function is a section of code that performs a specific task and can accept arguments and return a value.

Locals
  • Local variables are just space on the stack, typically referenced relative to EBP or ESP.

  • The function prologue and epilogue set up and tear down a function's stack frame.

Registers in this context

ESP, the stack pointer. Always points to the top of the stack.

EBP, the base pointer. Points to the base of the current stack frame.
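An added example, not part of the original gist: a small C program to compile with `cl -Z7` (then `editbin /DYNAMICBASE:NO`) and step through in WinDbg. It checks the claim above that the stack grows towards lower addresses by comparing the address of a caller's local with a callee's, and tags each frame with an ASCII string that `da <address>` will show. The NOINLINE macro, the function names and the tag strings are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Keep caller and callee in separate frames so the comparison is meaningful. */
#if defined(_MSC_VER)
#define NOINLINE __declspec(noinline)
#else
#define NOINLINE __attribute__((noinline))
#endif

/* Callee: owns a small frame with one local and returns that local's address.
 * In WinDbg, `bp callee_frame` then `g` stops here after the prologue has run;
 * the local sits at a negative offset from EBP (x86) or from RSP/RBP (x64). */
NOINLINE static uintptr_t callee_frame(void)
{
    volatile char tag[16];
    memcpy((void *)tag, "CALLEE-FRAME!!!", 16);   /* view with: da <address> */
    return (uintptr_t)tag;
}

/* Caller: has its own local, calls the callee and compares frame addresses.
 * Returns 1 if the callee's local sits at a lower address than the caller's,
 * i.e. the stack grew towards lower addresses, as the notes state. */
NOINLINE static int stack_grows_down(void)
{
    volatile char tag[16];
    memcpy((void *)tag, "CALLER-FRAME!!!", 16);
    uintptr_t callee = callee_frame();
    return callee < (uintptr_t)tag;
}

/* Distance in bytes between the two locals. The callee prologue's
 * `sub esp, N`, the saved EBP and the return address account for it;
 * compare it with what `dd esp` shows at the breakpoint. */
NOINLINE static long frame_distance(void)
{
    volatile char tag[16];
    memcpy((void *)tag, "CALLER-FRAME!!!", 16);
    return (long)((uintptr_t)tag - callee_frame());
}

int main(void)
{
    printf("stack grows down: %d\n", stack_grows_down());
    printf("caller local - callee local = %ld bytes\n", frame_distance());
    return 0;
}
```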

To be continued ...
