@v1m
Last active January 14, 2020 02:51
Document that 0-day vulnerability you are debugging

Hey vulnerability-researcher,

Here are some tips for documenting the reversing work you are doing.

version 1 Jan 19, 2016.

version 2 Feb 23, 2016.

Command line (cmd.exe OR powershell)

  • document the OS:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
  • alternate way to document the OS (via reg query):
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber
  • get a list of installed security updates via powershell:

run powershell as admin, type: Get-HotFix | Where-Object { $_.Description -eq 'Security Update' }

(filtering on the Description property is the native PowerShell form; piping to find.exe with "Security Update" in quotes gives the same list as plain text.)

reference: http://stackoverflow.com/questions/815340/how-do-i-get-a-list-of-installed-updates-and-hotfixes

  • get a list of installed security updates (alternate via cmd.exe): wmic qfe list full

  • IE versions via reg query:

REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v Version 
REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcUpdateVersion 
REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcVersion 
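The commands above are easy to forget half-way through a long debugging session, so here is an added example (not part of the original gist) that collects all of them into one timestamped text file that can sit next to the WinDbg log. The output directory C:\casefiles is a hypothetical path; the UBR registry value (the servicing revision on Windows 10 and later) is an addition to the gist's list and is simply blank on older releases. Run it from an elevated PowerShell console so Get-HotFix and the HKLM queries succeed.

```powershell
# Added example, not code from the original gist: write the OS, patch and IE
# facts listed above into one timestamped report file.
# Assumptions: C:\casefiles is a hypothetical output directory; run elevated.

$OutDir  = 'C:\casefiles'
$Stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$OutFile = Join-Path $OutDir "environment_$Stamp.txt"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$sections = [ordered]@{}

# OS name, version and architecture: the same three systeminfo fields the gist greps for.
$sections['OS (systeminfo)'] = systeminfo |
    Select-String -Pattern '^(OS Name|OS Version|System Type)' |
    ForEach-Object { $_.Line }

# Same facts from the registry. BuildLabEx and UBR (Windows 10+) tell servicing
# levels apart when ProductName and CurrentBuild are identical.
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$sections['OS (registry)'] = Get-ItemProperty -Path $nt |
    Select-Object ProductName, EditionID, CSDVersion, BuildLabEx,
                  CurrentVersion, CurrentBuild, CurrentBuildNumber, UBR |
    Format-List | Out-String

# Installed security updates only, newest first, so the latest KB is at the top.
$sections['Security updates'] = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' } |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, InstalledOn, InstalledBy -AutoSize | Out-String

# Internet Explorer version fields. On IE 10 and later svcVersion carries the
# build after cumulative updates; Version alone is not enough to identify it.
$ie = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$sections['Internet Explorer'] = Get-ItemProperty -Path $ie |
    Select-Object Version, svcUpdateVersion, svcVersion |
    Format-List | Out-String

# Plain text with a header per section, so it diffs cleanly between test machines
# and pastes straight into a report.
$report = foreach ($name in $sections.Keys) {
    "=== $name ==="
    $sections[$name]
    ''
}
$report | Out-File -FilePath $OutFile -Encoding utf8
Write-Host "Environment written to $OutFile"
```

Keep the report together with the WinDbg log from the same session: a crash that reproduces on one build and not another is only meaningful if the exact patch level of each machine is recorded.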

WinDbg Tips (User mode)

Are you using windbg for debugging and are looking for ways to document your windbg debugging sessions?

Before hitting the 'g' command after attaching windbg to the process:

  • open a logfile where all your commands and their outputs will get stored: .logopen /t C:\directory_name\target.txt

(the above command will add time-stamp to your log file name, so the logfiles will not get overwritten.)

  • document the OS: vertarget

  • document the application you are debugging (process id, image name and path): |

  • document the state of gflags: !gflag

  • document the symbol paths: .sympath

  • after triggering the vulnerability (crashing), consider executing: !analyze -v

  • after you are done debugging, don't forget to close the logfile: .logclose

To document the version of IE you are debugging from within windbg (the -ci "*" prefix feeds the output of the comment command *, i.e. nothing, to the shell's stdin so REG QUERY does not wait for input; because the commands run inside the debugger, their output lands in the open log file):

.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v Version 
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcUpdateVersion 
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcVersion 
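The whole pre-'g' checklist above can be scripted so it runs the same way every session. The following is an added example (not the gist's code): a PowerShell wrapper that writes the documentation commands to a debugger script file and starts cdb.exe (WinDbg's console front-end, same command set) attached to the target with that script. The cdb.exe path, the process name and the C:\casefiles log directory are hypothetical assumptions; adjust them to your machine. It also registers !analyze -v to run on the first access violation, so the crash analysis is logged even if you forget to type it.

```powershell
# Added example, not code from the original gist: attach cdb.exe to a process and
# run the documentation commands from the checklist above before resuming it.
# Assumptions (hypothetical): cdb.exe location, target process name, log directory.
param(
    [Parameter(Mandatory)] [string] $ProcessName,   # e.g. 'iexplore'
    [string] $Cdb    = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe',
    [string] $LogDir = 'C:\casefiles'
)

# First matching process; for multi-process targets pass the exact PID instead.
$target = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Debugger commands in the same order as the checklist. .logopen /t appends a
# timestamp so a rerun never overwrites an earlier session. sxe -c arms
# !analyze -v on a first-chance access violation so the analysis is logged
# automatically. 'g' is last: everything after attach is now in the log.
$script = @"
.logopen /t $LogDir\$ProcessName.txt
vertarget
|
!gflag
.sympath
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v Version
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcUpdateVersion
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcVersion
sxe -c "!analyze -v" av
g
"@
$scriptFile = Join-Path $LogDir 'document_session.wds'
Set-Content -Path $scriptFile -Value $script -Encoding ascii

# -p attaches to the PID; -cf runs the script as soon as the debugger starts.
& $Cdb -p $target.Id -cf $scriptFile
```

When the target breaks, you are at the cdb prompt with the crash already analysed in the log; type .logclose (or q, which also closes the log) when you are done. If the bug is not an access violation, trigger the analysis yourself with !analyze -v before closing the log.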

feedback?
