Questions tagged [windbg]
A graphical stand-alone multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft.
202 questions
1 vote · 1 answer · 51 views
Register flags abbreviations in Windbg
I used the trace (t) command in Windbg but I don't see the flag values, except this:
nv up ei pl nz na pe nc
I suppose these are some abbreviations of flag states but I cannot find what they mean. Is ...
1 vote · 1 answer · 110 views
Attaching to an x86 process in windbg
How can I attach to an x86 process from windbg?
Currently I am waiting for the process to load, then I am breaking into wow64cpu!KiFastSystemCall to switch into x86 context, and only then put a bp to ...
0 votes · 0 answers · 54 views
What DLL is WinDbg's dt command implemented in?
I know that most of the WinDbg extensions that are used with the exclamation mark, like !time, etc. are implemented inside kdext.dll, which is in:
"C:\Program Files\WindowsApps\Microsoft....
2 votes · 1 answer · 90 views
WinDbg command to retrieve TTBR registers for Aarch64?
Aarch64 architecture has the following registers, that contain physical base addresses for the virtual-to-physical translation tables for different exception levels:
TTBR0_EL1, TTBR1_EL1, TTBR0_EL2, ...
0 votes · 0 answers · 45 views
Dynamic analysis of cmd dependent software
There is a PE file which can't run by itself and can only be called from cmd.exe; it doesn't create independent processes and can be launched independently only with .bat scripts, which without &...
0 votes · 1 answer · 118 views
Windbg conditional breakpoint issue
Can't get a conditional breakpoint to fire in Windbg. I tried:
bp xxxxxxxx "j (@ebp+0C==115) ''; 'gc' "
bp xxxxxxxx "j (ebp+0C==115) ''; 'gc' "
bp xxxxxxxx "j (poi(ebp+0C)==...
0 votes · 0 answers · 54 views
Reversing SYSTEM Process
I'm doing some vulnerability research against a Windows server application that serves some update files that clients can download. Using TcpView/netstat, I can see that there is an open port ...
0 votes · 0 answers · 73 views
Windbg set conditional breakpoint
Can't get this to work. I want to set a conditional breakpoint in Windbg with the condition to be when eax is 11h (17). I tried:
bu xxxxxxxx ".if(eax != 17){gc}"
bu xxxxxxxx ".if(@eax !=...
2 votes · 2 answers · 139 views
What is the gdb command equivalent of bp MODULE_NAME+0x12345678 in WinDBG?
What is the gdb command equivalent of bp MODULE_NAME+0x12345678 in WinDBG?
I found this command useful to debug with ASLR (w/o disabling it).
0 votes · 0 answers · 53 views
How to set a flag in windbg
Let's say we have 2 functions, funcA and funcB, where funcA is upstream of funcB. I want to view certain values and the call stack in funcB only if funcA satisfies certain conditions. I can't achieve this ...
1 vote · 1 answer · 56 views
windbg conditional breakpoint on equality always gets 0
I want to set a conditional breakpoint on a function argument at the entry of a function. Here is the value I want, which is c0 a8 89 01. I want to break the function when that register holds this ...
0 votes · 3 answers · 365 views
How to stop windbg when a register value changes
I'm using windbg to find the memory of a specific structure in Windows. The way is to look at certain values stored in the stack and registers in the entry function. I notice that register ax holds that value ...
0 votes · 1 answer · 61 views
Unable to figure out how a windbg extension works
I'm trying to figure out how the below windbg extension works:
!ndiskd.nbl addr -hexcap (or -data)
kd> !ndiskd.nbl ffffce8c96bde070 -hexcap
# NET_BUFFER_LIST ffffce8c96bde070
# NET_BUFFER ...
0 votes · 0 answers · 176 views
windbg fails to load symbols with UNC store
I'm debugging a qemu Windows machine in docker and windbg shows the file is missing. Windbg is attached to qemu.
kd> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: cache*;...
1 vote · 2 answers · 114 views
How to access initialized data in windbg through an offset from IDA
In IDA, I see a value called dword_1C0203AB4 which doesn't have a symbol name. I want to view the value on the system. My windbg is connected to the system, and the driver files on the system and in IDA are the ...