Questions tagged [windbg]

A graphical stand-alone multipurpose debugger for Microsoft Windows, distributed on the web by Microsoft.

201 questions
6 votes, 2 answers

Removing personal data from dump file

I want to publish a crash dump on the Internet for other people to learn from the dump. Usually I take dumps with .dump /ma, which is fine. However, I'm a bit concerned about personal data included in the dump and I'd like to remove it. The WinDbg…
Thomas Weller
6 votes, 1 answer

Can Windbg trace function calls within a module?

I want to log any functions within a specific module that are called during an execution. I tried !for_each_function and the wt command. However, since the target module doesn't have any symbols, !for_each_function cannot recognize any functions. wt…
user15580
6 votes, 1 answer

Find main() function of executable with windbg

I have an executable without debug symbols, and I want to get to its main() function. What I do is put a breakpoint at the $exentry address, but this is the address of some CRT initialization. To get to main() I need to single-step until I see some…
Hanik
5 votes, 2 answers

windbg: How to determine the opcode for an assembly language instruction or set of instructions

I am working on an assignment to perform an exploit using a ROP chain. While I understand the basics behind ROP, I don't know how to convert instructions like xchg eax, esp; retn; to their opcodes. I tried using: 0:005> a input> xchg eax,esp but…
dnraikes
3 votes, 2 answers

Why doesn't WinDbg resolve the function names?

This is definitely a beginner question, but the WinDbg docs didn't help me out much because most of it is oriented around debugging programs with PDB files available. I tried .reload but it didn't have any effect. Here is a simple call to MessageBox…
dvvr
3 votes, 1 answer

Windbg 'as' command in log breakpoint

I want to break the debuggee as it opens a known file, using windbg. As $scmp doesn't accept a direct address, I have to use as (the windbg alias command). So, I put a conditional breakpoint at CreateFileA: bu Kernel32!CreateFileA "as /ma ${/v:fName}…
sealed...
3 votes, 1 answer

Prevent Windbg Log Breakpoint Fail by Memory Check

The following breakpoint fails because of a bad memory address in some situations and causes a break in execution: bp 0x12345678 ".printf \"PID: %d, unkVar: %d\\n\", ..., poi(poi(ecx+1c)+8)+c;g" Is there any way to test a memory address before dereferencing…
sealed...
3 votes, 1 answer

Obfuscating dump files

Like in my previous question, I want to make some dump files available for learning dump analysis and reverse engineering. To organize my example programs from which I create the dumps, I give them meaningful names. However, that usually means that…
Thomas Weller
3 votes, 1 answer

Specifying an MMX register's value in WinDbg

I am analysing a crash. The crash occurs in a function that is always in use; if I set a breakpoint in this function it always stops the program. When the crash occurs, it overwrites the mm3 register. I want, when it overwrites mm3 with my values, to use the…
spider-45
2 votes, 1 answer

windbg referencing symbols is inconsistent

As part of an assignment, I am trying to do some debugging in iexplore.exe (Aurora vulnerability). After I load the test webpage in iexplorer 8, I open windbg and attach to the iexplore process. I verify my symbol path by using: .sympath Symbol…
dnraikes
2 votes, 0 answers

Windbg multiple memory windows

I have tried to open multiple memory windows but I can't. I tried to find a resolution for this in the windbg help; on the old version it is possible, however on the new version I can't find how to open multiple memory windows. Please help me!
2 votes, 0 answers

How to search for String/Byte pattern in memory within a WinDBG Time Travel Debugging trace?

I'm currently practicing with WinDBG by playing around with a notepad trace. While recording the trace I opened notepad, typed in "AAAABBBB", waited a few secs and then stopped the recording. Now I'm trying to find this string or byte pattern…
1 vote, 1 answer

How to get the EIP value right before WinDBG attach operation?

When WinDBG attaches to a process, the EIP will point at ntdll!DbgBreakPoint in a dedicated thread different to the main process threads. Is it possible to get the EIP value right before the attach operation? If possible, how to get the EIP value…
yegle
1 vote, 1 answer

windbg: the name of a function displayed by the command "x" is unusable with the command "u"

I start with Windbg. In a "kernel debugger" session, I place myself in the context of a service (I chose audiosrv for my learning). I would like to disassemble a function that I easily identify with the "x" command. I use the "u" function with the…
NoelBlanc
1 vote, 0 answers

How does windbg correctly resolve symbol addresses for optimised code?

When you debug optimised code, I know that address arithmetic doesn't work correctly: 0:004> u dwmcore!CPartitionVerticalBlankScheduler::WaitForWork+0x69 u…
Lewis Kelsey