All Questions
53 questions
Attaching to an x86 process in windbg (1 vote, 1 answer, 110 views)
How can I attach to an x86 process from windbg?
Currently I am waiting for the process to load, then I am breaking into wow64cpu!KiFastSystemCall to switch into x86 context, and only then put a bp to ...
What is the gdb command equivalent of bp MODULE_NAME+0x12345678 in WinDBG? (2 votes, 2 answers, 139 views)
I found this command useful to debug with ASLR (w/o disabling it).
Should shell32.dll be in the executable search path for winword.exe with WinDBG? (1 vote, 1 answer, 85 views)
I'm threat hunting and I'm curious if there should be a shell32.dll in the executable search path in windbg for winword.exe.
Comparison of Windows Debuggers (5 votes, 0 answers, 766 views)
I have some experience reverse engineering ELF files using tools like GDB, radare2, and Ghidra, but I am new to Windows debugging. There are quite a few different debuggers out there for Windows and ...
Find out which struct RaGetUnitStorageDeviceProperty uses by reverse engineering (0 votes, 1 answer, 129 views)
I am trying to find out which struct storport!RaGetUnitStorageDeviceProperty uses by myself. I know I can use google and find out the correct answer is _RAID_UNIT_EXTENSION. However I want to do it ...
Why does windbg skip syscalls in kernel mode? (1 vote, 2 answers, 864 views)
I have a VM running windows with notepad open. I listed the modules with lm:
start end module name
00007ffc`60fb0000 00007ffc`60fe2000 vertdll (deferred) ...
'... Debugger undefined or null reference' error when WinDBG TTD scripting with JavaScript (2 votes, 1 answer, 377 views)
I tried JavaScript scripting on WinDbg (TTD specifically), but even in a simple example I get the error
Unable to get property 'Debugger' of undefined or null reference.
The line was simply var ctl = host....
Why could rundll32.exe be loading a DLL multiple times? (1 vote, 0 answers, 258 views)
Since I started reverse engineering I've found multiple DLLs that, when being debugged (IDA + WinDBG), would be unloaded and reloaded continuously without any evident reason.
Most of the time I use ...
Reverse engineer Sticky Notes to allow an external script to open new notes (1 vote, 1 answer, 382 views)
For a silly little project I wanted to do, I wanted to make it so that I could open new notes (Microsoft Sticky Notes) from an external script, preferably python. Although I'm not good at reverse ...
How much of the kernel does remote kernel debugging allow you to debug? (0 votes, 1 answer, 143 views)
This is a theoretical question because I've never set up remote kernel debugging before, but I will do at some point, which should hopefully answer some of the experimental questions I have.
What ...
kd live local debugging: !pte and db don't work (only show the context of the debugger for all contexts), but !vtop works (0 votes, 2 answers, 288 views)
Says the PDPT and PDs of the process are at the same physical frames (pfns) in both processes.
The first process is winword.exe and the second process is calc.exe.
The virtual address in the first case ...
WinDBG Hung on Shellcode Execution (6 votes, 1 answer, 577 views)
I've been trying to debug a piece of simple shellcode with Windbg. To go over the steps I took, I allocated a buffer for the shellcode with .foreach /pS 5 ( register { .dvalloc 400 } ) { r @$t0 = ...
Get return address from syscall (2 votes, 1 answer, 590 views)
I'm debugging some 32-bit process using the windbg kernel debugger. This process calls some syscalls, so I set a few breakpoints at kernel functions like nt!NtQuerySystemInformation. So after the breakpoint hit,...
Predicting memory locations of arguments within a function (0 votes, 2 answers, 94 views)
I'm trying to write a script that would help display the memory contents of the arguments passed within a function. For example, in the function below, the first argument starts at the EAX register. ...
x64dbg (x32dbg): log registers every step like windbg (1 vote, 2 answers, 5k views)
So I just switched to x64dbg (really using x32 atm) from windbg, and so far I like it, but the one thing I'm missing is windbg printing all the registers every step in the command window. Anyone know ...