WinDbg

From aldeid

Description

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.

Installation

WinDbg

Install Windows Debugging Tools from the standalone version:

Windows Debugging Tools are also available from the SDK/WDK ISO:

Note
  • If you're not planning to develop drivers, you can just install the standalone version or, if you need it, the SDK.
  • If the installation fails, please refer to this page

Symbols

The best way to install symbols is to create the following environment variable:

Name: _NT_SYMBOL_PATH
Value: symsrv*symsrv.dll*c:\websymbols*http://msdl.microsoft.com/download/symbols

It points to Microsoft's public symbol server and caches every downloaded PDB in C:\websymbols. The shorter form srv*c:\websymbols*https://msdl.microsoft.com/download/symbols is equivalent, and current Microsoft documentation gives the server as an https:// URL, so prefer that if symbol downloads fail. To see which path WinDbg is trying and why a load fails, run !sym noisy followed by .reload.

If your machine has no Internet connectivity, you can also download an offline symbol package, but it takes a lot of disk space and you are likely to miss some symbols because it will not be as up to date as the online server:

Kernel debugging with WinDbg

If you're planning to perform kernel debugging with WinDbg, refer to this section.

Menu

The menu bar is File, Edit, View, Debug, Window, Help. The entries of each menu, with their keyboard shortcuts, are:

File
  • Open Source File... (Ctrl+O)
  • Close Current Window (Ctrl+F4)
  • Open Executable... (Ctrl+E)
  • Attach to a Process... (F6)
  • Open Crash Dump... (Ctrl+D)
  • Connect to Remote Session (Ctrl+R)
  • Connect to Remote Stub...
  • Kernel Debug... (Ctrl+K)
  • Symbol File Path... (Ctrl+S)
  • Source File Path... (Ctrl+P)
  • Image File Path... (Ctrl+I)
  • Open Workspace... (Ctrl+W)
  • Save Workspace
  • Save Workspace As...
  • Clear Workspace...
  • Delete Workspaces...
  • Open Workspace in File...
  • Save Workspace to File...
  • Map Network Drive...
  • Disconnect Network Drive...
  • Recent Files
  • Exit (Alt+F4)

Edit
  • Cut (Ctrl+X)
  • Copy (Ctrl+C)
  • Copy Formatted
  • Paste (Ctrl+V)
  • Select All (Ctrl+A)
  • Write Window Text to File...
  • Copy Window Text to Clipboard
  • Add to Command Output...
  • Clear Command Output
  • Evaluate Selection (Ctrl+Shift+V)
  • Display Selected Type (Ctrl+Shift+Y)
  • Find... (Ctrl+F)
  • Find Next (F3)
  • Go to Address... (Ctrl+G)
  • Go to Line... (Ctrl+L)
  • Go to Current Instruction (Alt+Keypad*)
  • Set Current Instruction (Ctrl+Shift+I)
  • Breakpoints... (Alt+F9)
  • Open/Close Log File...

View
  • Command (Alt+1)
  • Watch (Alt+2)
  • Locals (Alt+3)
  • Registers (Alt+4)
  • Memory (Alt+5)
  • Call Stack (Alt+6)
  • Disassembly (Alt+7)
  • Scratch Pad (Alt+8)
  • Processes and Threads (Alt+9)
  • Command Browser (Ctrl+N)
  • Recent Commands
  • Set Browser Start Command
  • Verbose Output (Ctrl+Alt+V)
  • Event Timestamps
  • Show Version (Ctrl+Alt+W)
  • Toolbar
  • Status Bar
  • Font...
  • Options...
  • Source language file extensions...
  • WinDbg Command Line...

Debug
  • Go (F5)
  • Go Unhandled Exception
  • Go Handled Exception
  • Restart (Ctrl+Shift+F5)
  • Stop Debugging (Shift+F5)
  • Detach Debuggee
  • Break (Ctrl+Break)
  • Step Into (F11 or F8)
  • Step Over (F10)
  • Step Out (Shift+F11)
  • Run to Cursor (Ctrl+F10 or F7)
  • Source Mode
  • Resolve Unqualified Symbols
  • Event Filters...
  • Modules...
  • Kernel Connection
    • Cycle Baud Rate (Ctrl+Alt+A)
    • Cycle Initial Break (Ctrl+Alt+K)
    • Resynchronize (Ctrl+Alt+R)

Window
  • Close All Source Windows
  • Close All Error Windows
  • Open Dock
  • Dock All
  • Undock All
  • Cascade Floating Windows
  • Horizontally Tile Floating Windows
  • Vertically Tile Floating Windows
  • MDI Emulation
  • Automatically Open Disassembly
  • Windows...

Help
  • Contents
  • Window (F1)
  • Selection
  • Index
  • Search
  • About...

Usage

Commands

Registers

r <reg>
  Read a register.
  kd> redx
  edx=0022e0dc

r @<reg>=<val>
  Overwrite a register.
  kd> redx
  edx=0022e0dc
  kd> r @edx=0022E068
  kd> redx
  edx=0022e068

Memory

da <addr>
  Read memory at <addr> and display it as ASCII text.
  da 0x401030

du <addr>
  Read memory at <addr> and display it as Unicode (UTF-16) text.

dd <addr> [L<n>]
  Read memory at <addr> and display it as 32-bit double words; L<n> limits the output to n dwords.
  The example dereferences the first member of KeServiceDescriptorTable (the pointer to the system service table) and dumps 0x100 entries. On a 32-bit kernel every entry should point inside the nt image; an entry that points somewhere else (f7c38486 below, in the range where third-party drivers are loaded) is the classic sign of an SSDT hook and deserves a closer look with ln and u.
  kd> dd dwo(KeServiceDescriptorTable) L100
  [SNIP]
  80501dac  805e9c02 805ada08 806052dc 8056c0ce
  80501dbc  8060cb50 8060cb50 8053c02e 80606e68
  80501dcc  80607ac8 f7c38486 805b3de0 8056f3ca
  80501ddc  806053a4 8056c222 8060c2dc 8056fc46
  80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
  [SNIP]

ea <addr> <data>
  Write <data> to memory address <addr> as ASCII.

eu <addr> <data>
  Write <data> to memory address <addr> as Unicode.

ed <addr> <data>
  Write <data> to memory address <addr> as 32-bit double words.

dwo(<expr>)
  Dereference a 32-bit pointer and use the value found at that location (qwo() is the 64-bit equivalent, poi() follows the target's native pointer size).
  du dwo(esp+4)

Breakpoints

bc <num> | bc *
  Clear breakpoint <num>, or all breakpoints with bc *.
  kd> bl
   0 e f7be9000     0001 (0001) Mlwx486
   1 e f7be9486     0001 (0001) Mlwx486+0x486
  kd> bc 0
  kd> bl
   1 e f7be9486     0001 (0001) Mlwx486+0x486

bp <addr|symbol> ["<commands>"]
  Set a breakpoint; the optional quoted command string runs each time it is hit. The first example prints the function name requested from GetProcAddress (its second argument, found at esp+8 on entry) and resumes with g; the second breaks only when the dword at esp+0x24 is zero and otherwise resumes (gc is the "go" to use from inside a conditional breakpoint).
  kd> bp GetProcAddress "da dwo(esp+8); g"
  kd> bp f7c4d486 ".if dwo(esp+0x24)==0 {} .else {gc}"

bu <module!function>
  Set a deferred (unresolved) breakpoint on code that is not loaded yet; it is resolved as soon as a module with that name is loaded.

bl
  List breakpoints. Columns: breakpoint number, status (e = enabled, d = disabled), address, remaining (initial) pass count, symbol.
  kd> bl
   0 e f7be9000     0001 (0001) Mlwx486
   1 e f7be9486     0001 (0001) Mlwx486+0x486

Stepping

g (F5)
  Go (continue execution).

p (F10)
  Step over (a call is executed as a single step).

t (F11)
  Step into (trace; follows calls into the callee).

Loaded modules

lm
  List loaded modules with their start and end addresses and symbol status.
  kd> lm
  start             end                 module name
  fffff800`00bc2000 fffff800`00bcc000   kdcom      (deferred)
  fffff800`02a1e000 fffff800`02a67000   hal        (deferred)
  fffff800`02a67000 fffff800`03044000   nt         (pdb symbols)          c:\websymbols\ntkrnlmp.pdb\F8E2A8B5C9B74BF4A6E4A48F180099942\ntkrnlmp.pdb
  fffff880`00c00000 fffff880`00c5c000   volmgrx    (deferred)
  fffff880`00c5c000 fffff880`00c6c000   PCIIDEX    (deferred)
  [SNIP]

Symbols

ln <addr>
  List the symbols closest to a memory address. Useful to identify what a call to a raw address (e.g. call 0x10203040) actually reaches.

x <module!pattern>
  Search for functions or symbols using wildcards.

This example lists the kernel symbols whose names contain CreateProcess (the process-creation system services as well as the routines that register process-creation callbacks):

kd> x nt!*CreateProcess*
fffff800`02f4b6b0 nt!NtCreateProcessEx (<no parameter info>)
fffff800`02f18b10 nt!PspSetCreateProcessNotifyRoutine (<no parameter info>)
fffff800`02ad1e00 nt!ZwCreateProcessEx (<no parameter info>)
fffff800`02f18d30 nt!PsSetCreateProcessNotifyRoutineEx (<no parameter info>)
[SNIP]

Structures

dt <module!type> [<addr>]
  Display the layout of a structure, or, when an address is given, the contents of that structure at <addr>. Offsets and pointer sizes depend on the target's bitness: the _DRIVER_OBJECT below comes from a 64-bit target (Ptr64), the _PEB from a 32-bit one (Ptr32).
kd> dt nt!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 Flags            : Uint4B
   +0x018 DriverStart      : Ptr64 Void
   +0x020 DriverSize       : Uint4B
   +0x028 DriverSection    : Ptr64 Void
   +0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
   +0x038 DriverName       : _UNICODE_STRING
   +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
   +0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
   +0x058 DriverInit       : Ptr64     long 
   +0x060 DriverStartIo    : Ptr64     void 
   +0x068 DriverUnload     : Ptr64     void 
   +0x070 MajorFunction    : [28] Ptr64     long 
kd> dt ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 SpareBool        : UChar
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : Ptr32 Void
   +0x018 ProcessHeap      : Ptr32 Void
   [SNIP]
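The offsets printed by dt are what the arithmetic in the kernel debugging scenario below relies on, and they change with the pointer width (MajorFunction sits at +0x070 on x64 but at +0x038 on x86). The following Python script is an added example, not code from the page: it parses a dt _DRIVER_OBJECT listing to recover the table offset and pointer size, then builds the dd/dq command that reads the dispatch slot for any IRP_MJ_* code. The 64-bit listing is the page's own; the 32-bit listing and the x64 driver-object address are constructed for illustration.

```python
import re

# One field line of a WinDbg "dt" listing, e.g.
# "   +0x070 MajorFunction    : [28] Ptr64     long"
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*$")

# Major function codes as defined in wdm.h.
IRP_MJ = {
    "IRP_MJ_CREATE": 0x00,
    "IRP_MJ_CLOSE": 0x02,
    "IRP_MJ_READ": 0x03,
    "IRP_MJ_WRITE": 0x04,
    "IRP_MJ_DEVICE_CONTROL": 0x0e,
    "IRP_MJ_INTERNAL_DEVICE_CONTROL": 0x0f,
    "IRP_MJ_SHUTDOWN": 0x10,
    "IRP_MJ_CLEANUP": 0x12,
    "IRP_MJ_PNP": 0x1b,
}

# "dt nt!_DRIVER_OBJECT" on a 64-bit target, copied from the page.
DT_X64 = """\
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x008 DeviceObject     : Ptr64 _DEVICE_OBJECT
   +0x010 Flags            : Uint4B
   +0x018 DriverStart      : Ptr64 Void
   +0x020 DriverSize       : Uint4B
   +0x028 DriverSection    : Ptr64 Void
   +0x030 DriverExtension  : Ptr64 _DRIVER_EXTENSION
   +0x038 DriverName       : _UNICODE_STRING
   +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING
   +0x050 FastIoDispatch   : Ptr64 _FAST_IO_DISPATCH
   +0x058 DriverInit       : Ptr64     long
   +0x060 DriverStartIo    : Ptr64     void
   +0x068 DriverUnload     : Ptr64     void
   +0x070 MajorFunction    : [28] Ptr64     long
"""

# The same structure on a 32-bit target. CONSTRUCTED from the x86 layout
# (4-byte pointers), which puts MajorFunction at +0x038 as in the scenario.
DT_X86 = """\
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 DeviceObject     : Ptr32 _DEVICE_OBJECT
   +0x008 Flags            : Uint4B
   +0x00c DriverStart      : Ptr32 Void
   +0x010 DriverSize       : Uint4B
   +0x014 DriverSection    : Ptr32 Void
   +0x018 DriverExtension  : Ptr32 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING
   +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
   +0x028 FastIoDispatch   : Ptr32 _FAST_IO_DISPATCH
   +0x02c DriverInit       : Ptr32     long
   +0x030 DriverStartIo    : Ptr32     void
   +0x034 DriverUnload     : Ptr32     void
   +0x038 MajorFunction    : [28] Ptr32     long
"""


def parse_dt(listing):
    """Map field name -> (offset, type text) for every '+0x...' line."""
    fields = {}
    for line in listing.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields


def pointer_size(type_text):
    """Pointer width implied by dt's Ptr32/Ptr64 annotation."""
    if "Ptr64" in type_text:
        return 8
    if "Ptr32" in type_text:
        return 4
    raise ValueError("not a pointer field: " + type_text)


def dispatch_slot(listing, driver_object, irp_major):
    """Address of DRIVER_OBJECT.MajorFunction[irp_major] and the pointer width."""
    offset, type_text = parse_dt(listing)["MajorFunction"]
    count = int(re.match(r"\[(\d+)\]", type_text).group(1))  # the [28]
    if not 0 <= irp_major < count:
        raise ValueError(f"major function {irp_major:#x} outside table of {count}")
    psize = pointer_size(type_text)
    return driver_object + offset + irp_major * psize, psize


def windbg_command(listing, driver_object, irp_major):
    """The dump command that reads that single slot: dd on x86, dq on x64."""
    addr, psize = dispatch_slot(listing, driver_object, irp_major)
    return f"{'dd' if psize == 4 else 'dq'} {addr:x} L1"


if __name__ == "__main__":
    # Driver object address from step 3 of the scenario (32-bit target).
    print(windbg_command(DT_X86, 0x827e3698, IRP_MJ["IRP_MJ_DEVICE_CONTROL"]))
    # Hypothetical x64 driver object address, to show the different offsets.
    print(windbg_command(DT_X64, 0xfffffa8003a1e690, IRP_MJ["IRP_MJ_DEVICE_CONTROL"]))
```

The x86 result is the same address the scenario reaches with dd 827e3698+0x38+0xe*4 L1; on x64 the slot is 0xe0 past the driver object instead of 0x70, and it must be read with dq.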

Kernel Debugging scenario

Step 1: Look at the user-space code
Find the functions that interact with the kernel:
  • CreateService called with dwServiceType=0x1 (SERVICE_KERNEL_DRIVER), which registers the driver as a service
  • DeviceIoControl, used to send requests from user space to the driver

Step 2: Look at the kernel-mode code
Find the driver in the kernel. WinDbg prints a ModLoad line whenever a kernel module is loaded; the two addresses are the start and end of its image:
ModLoad: f7b0d000 f7b0e780     FileWriter.sys

Step 3: Find the driver object
Find the address of the driver object with !drvobj (the address in parentheses is the _DRIVER_OBJECT):
kd> !drvobj FileWriter
Driver object (827e3698) is for:
Loading symbols for f7b0d000 FileWriter.sys -> FileWriter.sys
*** ERROR: Module load completed but symbols could not be loaded for FileWriter.sys
\Driver\FileWriter
Driver Extension List: (id , addr)
Device Object list:
826eb030

Step 4: Analyze the driver object structure
Dump the structure at that address and note the offset of the MajorFunction dispatch table:
kd> dt nt!_DRIVER_OBJECT 0x827e3698
nt!_DRIVER_OBJECT
   +0x000 Type             : 4
   +0x002 Size             : 168
   [SNIP]
   +0x038 MajorFunction    : [28] 0xf7b0da06      long  +0

Step 5: Find the function called
Compute the address of the dispatch routine for IRP_MJ_DEVICE_CONTROL with an arithmetic expression. In our example:
827e3698 address of the driver object
0x38 offset of the MajorFunction table (on a 32-bit target; on x64 it is 0x70, as the 64-bit dt listing in the Structures section shows)
0xe*4 index of IRP_MJ_DEVICE_CONTROL times the pointer size (4 bytes on x86; on x64 use 8 and read the slot with dq)
L1 limit the output to a single DWORD

Note
The IRP_MJ_* indexes are defined in wdm.h:
$ grep IRP_MJ_DEVICE_CONTROL wdm.h 
#define IRP_MJ_DEVICE_CONTROL           0x0e

kd> dd 827e3698+0x38+0xe*4 L1
827e3708 f7b0da66

!drvobj FileWriter 2 prints the whole dispatch table with its IRP_MJ_* names and is a quick cross-check of the arithmetic.

Step 6: Check the instructions at that address
Check that the pointer falls inside the driver's image (f7b0d000-f7b0e780 from the ModLoad line) and that the code there disassembles to something plausible (a pointer into another module, or into unmapped memory, means the table has been tampered with or the offset is wrong):
kd> u f7b0da66
FileWriter+0xa66:
f7b0da66 6a68           push     68h
f7b0da68 6838d9b0f7     push     offset FileWriter+0x938 (f7b0d938)
f7b0da6d e822faffff     call     FileWriter+0x494 (f7b0d494)

Step 7: Analyze the function in IDA Pro
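Step 6 and the SSDT dump in the Memory section are the same check in two places: a function pointer read from a table should land inside the image of the module expected to own it. The following Python script is an added example, not code from the page. It parses lm rows or ModLoad lines into address ranges and dd output into (slot, value) pairs, then reports every pointer that falls outside the expected module and which loaded module (if any) it points into. The dump lines and the FileWriter range are copied from the page; the nt range is constructed for the 32-bit example (take the real one from lm m nt on the target).

```python
import re

# Row of an "lm" listing (start end module ...) or a "ModLoad:" notification.
MODULE_RE = re.compile(
    r"^(?:ModLoad:\s+)?([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")
# Row of a "dd" dump: an address followed by up to four 8-digit values.
DD_RE = re.compile(r"^([0-9a-fA-F`]+)\s+((?:[0-9a-fA-F?]{8}\s*)+)$")


def parse_addr(token):
    """Accept WinDbg's 64-bit form fffff800`02a67000 as well as plain hex."""
    return int(token.replace("`", ""), 16)


def module_key(name):
    """Normalise 'FileWriter.sys' and 'filewriter' to the same key."""
    name = name.lower()
    for ext in (".sys", ".dll", ".exe"):
        if name.endswith(ext):
            name = name[: -len(ext)]
    return name


def parse_modules(text):
    """Build {module: (start, end)} from lm rows and/or ModLoad lines."""
    ranges = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            ranges[module_key(m.group(3))] = (parse_addr(m.group(1)),
                                              parse_addr(m.group(2)))
    return ranges


def parse_dd(text, width=4):
    """Return [(slot_address, value)] for every readable cell of a dd dump."""
    cells = []
    for line in text.splitlines():
        m = DD_RE.match(line)
        if not m:
            continue
        base = parse_addr(m.group(1))
        for i, tok in enumerate(m.group(2).split()):
            if "?" in tok:          # unreadable memory is printed as ????????
                continue
            cells.append((base + i * width, int(tok, 16)))
    return cells


def owner_of(value, modules):
    """Name of the loaded module whose image contains value, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return None


def foreign_pointers(cells, modules, expected):
    """Cells whose value lies outside the image of module `expected`."""
    lo, hi = modules[module_key(expected)]
    return [(slot, value, owner_of(value, modules))
            for slot, value in cells if not lo <= value < hi]


# Module ranges. The FileWriter line is the ModLoad line from the page; the
# nt row is CONSTRUCTED for this 32-bit example.
MODULES_TEXT = """\
start    end        module name
804d7000 806e6000   nt         (pdb symbols)
ModLoad: f7b0d000 f7b0e780     FileWriter.sys
"""

# Excerpt of "dd dwo(KeServiceDescriptorTable) L100" from the page.
SSDT_DUMP = """\
80501dac  805e9c02 805ada08 806052dc 8056c0ce
80501dbc  8060cb50 8060cb50 8053c02e 80606e68
80501dcc  80607ac8 f7c38486 805b3de0 8056f3ca
80501ddc  806053a4 8056c222 8060c2dc 8056fc46
80501dec  805cbee0 8059a6fc 805c2bfc 805c17c8
"""

# Output of "dd 827e3698+0x38+0xe*4 L1" from the page: FileWriter's
# IRP_MJ_DEVICE_CONTROL dispatch slot.
DISPATCH_SLOT = "827e3708 f7b0da66\n"


def check_ssdt():
    """SSDT entries that do not point into the kernel image."""
    return foreign_pointers(parse_dd(SSDT_DUMP), parse_modules(MODULES_TEXT), "nt")


def check_dispatch():
    """Dispatch pointers that do not point into the driver's own image."""
    return foreign_pointers(parse_dd(DISPATCH_SLOT), parse_modules(MODULES_TEXT),
                            "FileWriter.sys")


if __name__ == "__main__":
    for slot, value, owner in check_ssdt():
        print(f"SSDT slot {slot:08x} -> {value:08x} ({owner or 'no loaded module'})")
    print("dispatch slot OK" if not check_dispatch()
          else "dispatch pointer outside driver image")
```

The SSDT pass flags the single entry at 80501dd0 that points to f7c38486, outside nt and outside any module in the list (on the target, ln f7c38486 and lm would tell you which driver owns it); the dispatch pass reports nothing because f7b0da66 lies inside FileWriter's image, which is what step 6 expects before disassembling it.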

Examples

See examples


Keywords: windbg kernel debugging