hammackj

Using WinDbg for Exploit Development Notes

The following are some notes I found useful when using WinDbg for exploit development.

Setting up the symbols!

0:001> .sympath SRV*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols
0:011> .reload
Reloading current modules
..................................................................

Basic Commands

0:001> g *Continue execution
0:001> !peb *Displays the Process Environment Block (PEB)
PEB at 7FFDF000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         01000000
    Ldr.Initialized: Yes
    Ldr.InInitializationOrderModuleList: 71f40 . 99b60
    Ldr.InLoadOrderModuleList: 71ec0 . 99b50
    Ldr.InMemoryOrderModuleList: 71ec8 . 99b58
            Base TimeStamp                     Module
         1000000 424df423 Apr 01 19:23:47 2005 C:\WINNT\system32\spoolsv.exe
        77f80000 41e648e0 Jan 13 04:09:36 2005 C:\WINNT\system32\ntdll.dll
        7c2d0000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\ADVAPI32.dll
        7c570000 41dd0235 Jan 06 03:17:41 2005 C:\WINNT\system32\KERNEL32.dll
        77d30000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\RPCRT4.dll
        78000000 3e6e3115 Mar 11 12:55:17 2003 C:\WINNT\system32\MSVCRT.dll
        77f40000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\GDI32.dll
        77e10000 42675f89 Apr 21 03:08:41 2005 C:\WINNT\system32\USER32.dll
        76a90000 425670f7 Apr 08 06:54:31 2005 C:\WINNT\system32\SPOOLSS.DLL
        77340000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\iphlpapi.dll
        75030000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WS2_32.DLL
        75020000 3843995d Nov 30 03:31:09 1999 C:\WINNT\system32\WS2HELP.DLL
        77520000 3844d039 Dec 01 01:37:29 1999 C:\WINNT\system32\ICMP.DLL
        77320000 3844d039 Dec 01 01:37:29 1999 C:\WINNT\system32\MPRAPI.DLL
        75150000 425670fb Apr 08 06:54:35 2005 C:\WINNT\system32\SAMLIB.DLL
        7cdc0000 42675f8c Apr 21 03:08:44 2005 C:\WINNT\system32\NETAPI32.DLL
        77980000 41e648e2 Jan 13 04:09:38 2005 C:\WINNT\system32\DNSAPI.dll
        75050000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WSOCK32.dll
        751c0000 3843995b Nov 30 03:31:07 1999 C:\WINNT\system32\NETRAP.dll
        77bf0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\NTDSAPI.dll
        77950000 425670f5 Apr 08 06:54:29 2005 C:\WINNT\system32\WLDAP32.DLL
        7c340000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\SECUR32.DLL
        7ce20000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\OLE32.DLL
        779b0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\OLEAUT32.DLL
        773b0000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\ACTIVEDS.DLL
        77380000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\ADSLDPC.DLL
        77830000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\system32\RTUTILS.DLL
        77880000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\SETUPAPI.DLL
        7c0f0000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\USERENV.DLL
        774e0000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\RASAPI32.DLL
        774c0000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\rasman.dll
        77530000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\TAPI32.dll
        77b50000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\COMCTL32.DLL
        77c70000 4214cf23 Feb 17 11:06:43 2005 C:\WINNT\system32\SHLWAPI.DLL
        77360000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\DHCPCSVC.DLL
        777f0000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\system32\rasadhlp.dll
        76120000 425670f7 Apr 08 06:54:31 2005 C:\WINNT\system32\localspl.dll
        76980000 3ef274e0 Jun 19 21:43:44 2003 C:\WINNT\system32\sfc.dll
        68010000 42565e41 Apr 08 05:34:41 2005 C:\WINNT\system32\sfcfiles.dll
        77820000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\VERSION.dll
        759b0000 3ef274e2 Jun 19 21:43:46 2003 C:\WINNT\system32\LZ32.DLL
        77800000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\winspool.drv
        76620000 425670fa Apr 08 06:54:34 2005 C:\WINNT\system32\MPR.DLL
        733e0000 3843997b Nov 30 03:31:39 1999 C:\WINNT\system32\cnbjmon.dll
        76ab0000 3844d03e Dec 01 01:37:34 1999 C:\WINNT\system32\pjlmon.dll
        76a80000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\tcpmon.dll
        10000000 4ae861e6 Oct 28 09:23:18 2009 C:\WINNT\system32\TPVMMon.dll
        7cf30000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\SHELL32.dll
          db0000 4a1e99c7 May 28 09:03:51 2009 C:\WINNT\system32\TPVMW32.dll
          e00000 4acf07bc Oct 09 04:51:56 2009 C:\WINNT\system32\TPRDPW32.dll
        655e0000 38470103 Dec 02 17:30:11 1999 C:\WINNT\system32\WTSAPI32.dll
        66640000 3ef27504 Jun 19 21:44:20 2003 C:\WINNT\system32\UTILDLL.dll
        65780000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WINSTA.dll
        68a80000 3ef274fe Jun 19 21:44:14 2003 C:\WINNT\system32\REGAPI.dll
        76a70000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\usbmon.dll
          e60000 49d4afde Apr 02 06:30:22 2009 C:\WINNT\system32\spool\PRTPROCS\W32X86\TPWinPrn.dll
        73930000 3ef274e8 Jun 19 21:43:52 2003 C:\WINNT\system32\CLUSAPI.dll
        689d0000 3ef274fe Jun 19 21:44:14 2003 C:\WINNT\system32\RESUTILS.dll
        782c0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\System32\rnr20.dll
        777e0000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\System32\winrnr.dll
        74fd0000 3ef274f6 Jun 19 21:44:06 2003 C:\WINNT\system32\msafd.dll
        75010000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\System32\wshtcpip.dll
        76a50000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\win32spl.dll
        7c950000 41e651f8 Jan 13 04:48:24 2005 C:\WINNT\system32\CLBCATQ.DLL
        76b00000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\inetpp.dll
        7e660000 4802a101 Apr 13 19:10:41 2008 C:\WINNT\system32\spool\DRIVERS\W32X86\3\PS5UI.DLL
        SubSystemData:     0
        ProcessHeap:       70000
        ProcessParameters: 20000
        WindowTitle:  'C:\WINNT\system32\spoolsv.exe'
        ImageFile:    'C:\WINNT\system32\spoolsv.exe'
        CommandLine:  'C:\WINNT\system32\spoolsv.exe'
        DllPath:      'C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem'
        Environment:  0x10000

Dumping Binary Data

0:001> db eip
7c90120e  cc c3 8b ff cc c3 8b ff-8b 44 24 04 cc c2 04 00  .........D$.....
7c90121e  64 a1 18 00 00 00 c3 57-8b 7c 24 0c 8b 54 24 08  d......W.|$..T$.
7c90122e  c7 02 00 00 00 00 89 7a-04 0b ff 74 1e 83 c9 ff  .......z...t....
7c90123e  33 c0 f2 ae f7 d1 81 f9-ff ff 00 00 76 05 b9 ff  3...........v...
7c90124e  ff 00 00 66 89 4a 02 49-66 89 0a 5f c2 08 00 57  ...f.J.If.._...W
7c90125e  8b 7c 24 0c 8b 54 24 08-c7 02 00 00 00 00 89 7a  .|$..T$........z
7c90126e  04 0b ff 74 1e 83 c9 ff-33 c0 f2 ae f7 d1 81 f9  ...t....3.......
7c90127e  ff ff 00 00 76 05 b9 ff-ff 00 00 66 89 4a 02 49  ....v......f.J.I

Disassembling Instructions

0:001> u eip
ntdll!DbgBreakPoint:
7c90120e cc              int     3
7c90120f c3              ret
7c901210 8bff            mov     edi,edi
ntdll!DbgUserBreakPoint:
7c901212 cc              int     3
7c901213 c3              ret
7c901214 8bff            mov     edi,edi
7c901216 8b442404        mov     eax,dword ptr [esp+4]
7c90121a cc              int     3

Listing Loaded Modules

0:018> lmf
start    end        module name
00930000 00947000   odbcint  C:\WINDOWS\system32\odbcint.dll
01000000 01081000   winlogon C:\WINDOWS\system32\winlogon.exe
01360000 0139c000   WgaLogon C:\WINDOWS\system32\WgaLogon.dll
01c70000 01f35000   xpsp2res C:\WINDOWS\system32\xpsp2res.dll
47020000 47028000   dimsntfy C:\WINDOWS\System32\dimsntfy.dll
5ad70000 5ada8000   uxtheme  C:\WINDOWS\system32\uxtheme.dll
5b860000 5b8b5000   NETAPI32 C:\WINDOWS\system32\NETAPI32.dll
5d090000 5d12a000   COMCTL32 C:\WINDOWS\system32\COMCTL32.dll
68000000 68036000   rsaenh   C:\WINDOWS\system32\rsaenh.dll
71aa0000 71aa8000   WS2HELP  C:\WINDOWS\system32\WS2HELP.dll
71ab0000 71ac7000   WS2_32   C:\WINDOWS\system32\WS2_32.dll
71b20000 71b32000   MPR      C:\WINDOWS\system32\MPR.dll
71bf0000 71c03000   SAMLIB   C:\WINDOWS\system32\SAMLIB.dll
723d0000 723ec000   WINSCARD C:\WINDOWS\system32\WINSCARD.DLL
72d10000 72d18000   msacm32  C:\WINDOWS\system32\msacm32.drv
72d20000 72d29000   wdmaud   C:\WINDOWS\system32\wdmaud.drv
73000000 73026000   WINSPOOL C:\WINDOWS\system32\WINSPOOL.DRV
74320000 7435d000   ODBC32   C:\WINDOWS\system32\ODBC32.dll
755c0000 755ee000   msctfime C:\WINDOWS\system32\msctfime.ime
75930000 7593a000   PROFMAP  C:\WINDOWS\system32\PROFMAP.dll
75940000 75948000   NDdeApi  C:\WINDOWS\system32\NDdeApi.dll
75950000 7596a000   WlNotify C:\WINDOWS\system32\WlNotify.dll
75970000 75a68000   MSGINA   C:\WINDOWS\system32\MSGINA.dll
76360000 76370000   WINSTA   C:\WINDOWS\system32\WINSTA.dll
76390000 763ad000   IMM32    C:\WINDOWS\system32\IMM32.DLL
763b0000 763f9000   comdlg32 C:\WINDOWS\system32\comdlg32.dll
76600000 7661d000   cscdll   C:\WINDOWS\system32\cscdll.dll
76790000 7679c000   cryptdll C:\WINDOWS\system32\cryptdll.dll
769c0000 76a74000   USERENV  C:\WINDOWS\system32\USERENV.dll
76b40000 76b6d000   WINMM    C:\WINDOWS\system32\WINMM.dll
76bb0000 76bb5000   sfc      C:\WINDOWS\system32\sfc.dll
76bc0000 76bcf000   REGAPI   C:\WINDOWS\system32\REGAPI.dll
76bf0000 76bfb000   PSAPI    C:\WINDOWS\system32\PSAPI.DLL
76c30000 76c5e000   WINTRUST C:\WINDOWS\system32\WINTRUST.dll
76c60000 76c8a000   sfc_os   C:\WINDOWS\system32\sfc_os.dll
76c90000 76cb8000   IMAGEHLP C:\WINDOWS\system32\IMAGEHLP.dll
76d60000 76d79000   iphlpapi C:\WINDOWS\system32\iphlpapi.dll
76f50000 76f58000   WTSAPI32 C:\WINDOWS\system32\WTSAPI32.dll
76f60000 76f8c000   WLDAP32  C:\WINDOWS\system32\WLDAP32.dll
76fd0000 7704f000   CLBCATQ  C:\WINDOWS\system32\CLBCATQ.DLL
77050000 77115000   COMRes   C:\WINDOWS\system32\COMRes.dll
77120000 771ab000   OLEAUT32 C:\WINDOWS\system32\OLEAUT32.dll
773d0000 774d3000   comctl32_773d0000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
774e0000 7761d000   ole32    C:\WINDOWS\system32\ole32.dll
77690000 776b1000   NTMARTA  C:\WINDOWS\system32\NTMARTA.DLL
776c0000 776d2000   AUTHZ    C:\WINDOWS\system32\AUTHZ.dll
776e0000 77703000   SHSVCS   C:\WINDOWS\system32\SHSVCS.dll
77920000 77a13000   SETUPAPI C:\WINDOWS\system32\SETUPAPI.dll
77a20000 77a74000   cscui    C:\WINDOWS\system32\cscui.dll
77a80000 77b15000   CRYPT32  C:\WINDOWS\system32\CRYPT32.dll
77b20000 77b32000   MSASN1   C:\WINDOWS\system32\MSASN1.dll
77b40000 77b62000   Apphelp  C:\WINDOWS\system32\Apphelp.dll
77bd0000 77bd7000   midimap  C:\WINDOWS\system32\midimap.dll
77be0000 77bf5000   MSACM32_77be0000 C:\WINDOWS\system32\MSACM32.dll
77c00000 77c08000   VERSION  C:\WINDOWS\system32\VERSION.dll
77c10000 77c68000   msvcrt   C:\WINDOWS\system32\msvcrt.dll
77c70000 77c95000   msv1_0   C:\WINDOWS\system32\msv1_0.dll
77dd0000 77e6b000   ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000   RPCRT4   C:\WINDOWS\system32\RPCRT4.dll
77f10000 77f59000   GDI32    C:\WINDOWS\system32\GDI32.dll
77f60000 77fd6000   SHLWAPI  C:\WINDOWS\system32\SHLWAPI.dll
77fe0000 77ff1000   Secur32  C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9b2000   ntdll    C:\WINDOWS\system32\ntdll.dll
7c9c0000 7d1d7000   SHELL32  C:\WINDOWS\system32\SHELL32.dll
7e410000 7e4a1000   USER32   C:\WINDOWS\system32\USER32.dll
7e720000 7e7d0000   sxs      C:\WINDOWS\system32\sxs.dll

Unloaded modules:
74980000 74aa3000   msxml3.dll
77710000 77754000   ES.DLL
72d20000 72d29000   wdmaud.drv
66700000 6688d000   sfcfiles.dll
71e50000 71e65000   msapsspc.dll
78080000 78091000   MSVCRT40.dll
767f0000 76818000   schannel.dll
75b00000 75b15000   digest.dll
747b0000 747f7000   msnsspc.dll
78080000 78091000   MSVCRT40.dll
74980000 74aa3000   msxml3.dll
5fff0000 5fff4000   KBDUS.DLL
74ad0000 74ad8000   powrprof.dll
4bfb0000 4bfcc000   dpcdll.dll
74980000 74aa3000   msxml3.dll
4bfb0000 4bfcc000   dpcdll.dll

Searching Memory

0:018> s 7c900000 7c9b2000 FF E4
7c96bf33  ff e4 be 96 7c fd be 96-7c 00 00 00 00 53 69 7a  ....|...|....Siz

0:018> u 7c96bf33
ntdll!`string'+0xa9:
7c96bf33 ffe4            jmp     esp
7c96bf35 be967cfdbe      mov     esi,0BEFD7C96h
7c96bf3a 96              xchg    eax,esi
7c96bf3b 7c00            jl      ntdll!RtlpDphFreeDelayedBlocksFromHeap+0xad (7c96bf3d)
7c96bf3d 0000            add     byte ptr [eax],al
7c96bf3f 005369          add     byte ptr [ebx+69h],dl
7c96bf42 7a65            jp      ntdll!RtlpDphFreeDelayedBlocksFromHeap+0x119 (7c96bfa9)
7c96bf44 207265          and     byte ptr [edx+65h],dh
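As an added example (not part of the original notes), here is a small Python helper that reads saved db output back into bytes and reproduces the s search over it offline, which is handy when you only have a log file rather than a live target. The sample dump is the first three lines of the db eip output above, copied verbatim; the function names are my own. It also cross-checks the dump against the u eip listing: the bytes 8b 44 24 04 (mov eax,dword ptr [esp+4]) land at 7c901216, and the int 3 bytes at 7c90120e, 7c901212 and 7c90121a.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the first three lines of the `db eip` dump shown
# on this page, pasted verbatim. A real log could be read from a file instead.
DB_SAMPLE = """\
7c90120e  cc c3 8b ff cc c3 8b ff-8b 44 24 04 cc c2 04 00  .........D$.....
7c90121e  64 a1 18 00 00 00 c3 57-8b 7c 24 0c 8b 54 24 08  d......W.|$..T$.
7c90122e  c7 02 00 00 00 00 89 7a-04 0b ff 74 1e 83 c9 ff  .......z...t....
"""

# One `db` line: 8 hex digits of address, the byte column (pairs separated by
# a space, or by '-' between the 8th and 9th byte), then the ASCII column.
# A short final line (fewer than 16 bytes) is accepted as well.
DB_LINE = re.compile(
    r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})(?:\s|$)"
)


def parse_db(text: str) -> Tuple[int, bytes]:
    """Turn `db` output into (start address, contiguous bytes).

    Each line's address must equal the previous address plus that line's byte
    count; otherwise a line was dropped from the log and every later offset
    would be shifted, so the function refuses rather than returning bad data.
    """
    start: Optional[int] = None
    expected = 0
    buf = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DB_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable db line: {line!r}")
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace("-", " "))
        if start is None:
            start = addr
        elif addr != expected:
            raise ValueError(f"gap in dump at {addr:08x}, expected {expected:08x}")
        buf += chunk
        expected = addr + len(chunk)
    if start is None:
        raise ValueError("empty dump")
    return start, bytes(buf)


def contiguous(text: str) -> bool:
    """True if the dump parses as one unbroken run of bytes."""
    try:
        parse_db(text)
        return True
    except ValueError:
        return False


def search(start: int, mem: bytes, pattern: bytes) -> List[int]:
    """Offline counterpart of `s start end pattern`: every address at which
    `pattern` occurs in the dumped bytes (overlapping matches included)."""
    hits: List[int] = []
    i = mem.find(pattern)
    while i != -1:
        hits.append(start + i)
        i = mem.find(pattern, i + 1)
    return hits


def format_hit(start: int, mem: bytes, addr: int, width: int = 16) -> str:
    """Render the bytes at `addr` in the layout `db`/`s` print (with the '-'
    after the 8th byte), so a hit can be compared against debugger output."""
    off = addr - start
    chunk = mem[off:off + width]
    pairs = [f"{b:02x}" for b in chunk]
    hexpart = " ".join(pairs[:8])
    if len(pairs) > 8:
        hexpart += "-" + " ".join(pairs[8:])
    ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{addr:08x}  {hexpart}  {ascii_part}"


if __name__ == "__main__":
    start, mem = parse_db(DB_SAMPLE)
    # 8b 44 24 04 is `mov eax,dword ptr [esp+4]`, which `u eip` placed at 7c901216.
    for hit in search(start, mem, bytes.fromhex("8b442404")):
        print(format_hit(start, mem, hit))
```

The gap check matters more than it looks: a `db` log with one line missing still parses as hex, but every address computed from it after the gap is off by 16 bytes, which is exactly the kind of error that turns a clean crash reproduction into hours of confusion.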

Awesome Plugins

Byakugan

Byakugan is a WinDbg plugin that ships as part of Metasploit. The following examples are taken from the Byakugan slides listed in the References section below. To load Byakugan, type:

0:001> !load C:\path\to\byakugan.dll

Usage

0:001> !jutsu

0:001> !jutsu identBuf MyBufName CONTENTS

0:001> !jutsu identBuf msfpattern 500

0:001> !jutsu listBuf

0:001> !jutsu rmbuf MyBufName

0:001> !jutsu hunt

0:001> !jutsu findReturn

0:001> !tenketsu

0:001> !tenketsu listHeaps

0:001> !tenketsu listChunks

!Exploitable Crash Analyzer

!exploitable was created by Microsoft and is freely available. To load !exploitable, type:

0:001> !load c:\path\to\msec.dll

Usage

Using !exploitable is really easy. When you have a first-chance exception, just type:

(19ec.468): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=00000101 edx=ffffffff esi=00000000 edi=00000000
eip=77f9193c esp=0132ffa8 ebp=0132ffb4 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000286
ntdll!DbgBreakPoint:
77f9193c cc              int     3
0:006> g
(19ec.1a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???
0:001> !load msec.dll
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)

An access violation at the instruction pointer is classified as exploitable unless the faulting address is near NULL.
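The Python script below is an added example, not part of the original notes and not how msec.dll itself works. It parses a saved lmf listing and a crash context like the one above, checks whether EIP falls inside any loaded module, and applies the rule just stated. The samples are rows copied from the lmf and !exploitable output on this page; the near-NULL threshold of 0x10000 and the use of "EIP outside every loaded module" as the sign that the access violation is at the instruction pointer are this script's own assumptions, chosen because a text log lacks the exception record msec.dll has to work from.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows copied from the `lmf` listing on this page,
# including the 'Unloaded modules:' section, which must not count as mapped code.
LMF_SAMPLE = r"""
start    end        module name
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9b2000   ntdll    C:\WINDOWS\system32\ntdll.dll
7e410000 7e4a1000   USER32   C:\WINDOWS\system32\USER32.dll

Unloaded modules:
74980000 74aa3000   msxml3.dll
"""

# Constructed sample: the access-violation context from the !exploitable walkthrough above.
CRASH_SAMPLE = r"""
(19ec.1a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???
"""

NEAR_NULL = 0x10000                 # assumption: addresses below 64 KiB are "near NULL"
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_BREAKPOINT = 0x80000003

LMF_ROW = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+\S", re.I)
EXC_LINE = re.compile(r"^\([0-9a-f]+\.[0-9a-f]+\):\s+(.+?)\s+-\s+code\s+([0-9a-f]{8})", re.I)
REG = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b")

Module = Tuple[int, int, str]       # (start, end, name)


def parse_lmf(text: str) -> List[Module]:
    """Loaded-module ranges from `lmf`; rows after 'Unloaded modules:' are skipped."""
    mods: List[Module] = []
    for line in text.splitlines():
        if line.startswith("Unloaded modules"):
            break
        m = LMF_ROW.match(line)
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods


def module_for(addr: int, mods: List[Module]) -> Optional[str]:
    """Name of the loaded module containing addr, or None if it is outside all of them."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None


def parse_crash(text: str) -> Tuple[Optional[str], Optional[int], Dict[str, int]]:
    """(exception description, exception code, 32-bit register values) from a break."""
    desc: Optional[str] = None
    code: Optional[int] = None
    regs: Dict[str, int] = {}
    for line in text.splitlines():
        m = EXC_LINE.match(line)
        if m:
            desc, code = m.group(1), int(m.group(2), 16)
            continue
        for name, value in REG.findall(line):
            regs[name] = int(value, 16)
    return desc, code, regs


def triage(crash_text: str, lmf_text: str) -> Tuple[str, str]:
    """Apply the rule from the notes: an access violation at the instruction
    pointer is exploitable unless EIP is near NULL. EIP outside every loaded
    module is taken as the sign that the fault is the instruction fetch itself
    (this script's assumption; msec.dll has the real exception record)."""
    desc, code, regs = parse_crash(crash_text)
    eip = regs.get("eip")
    if code is None or eip is None:
        return "UNKNOWN", "no exception line or eip value found"
    if code == STATUS_BREAKPOINT:
        return "NOT_A_CRASH", f"{desc}: debugger break, not a fault"
    if code != STATUS_ACCESS_VIOLATION:
        return "UNKNOWN", f"{desc} (code {code:08x}) needs manual review"
    where = module_for(eip, parse_lmf(lmf_text))
    if where is not None:
        return "UNKNOWN", f"AV with eip inside {where}; faulting data address needed"
    if eip < NEAR_NULL:
        return "PROBABLY_NOT_EXPLOITABLE", f"AV at eip {eip:08x}, near NULL"
    return "EXPLOITABLE", f"AV at eip {eip:08x}, outside every loaded module"


if __name__ == "__main__":
    print(*triage(CRASH_SAMPLE, LMF_SAMPLE))
```

Run against the page's own crash (eip=41414141, no module covering it) this returns EXPLOITABLE, the same verdict msec.dll gave above; an AV whose EIP sits inside ntdll comes back UNKNOWN because the text log does not say which data address faulted, which is exactly the case where you want the real tool rather than a heuristic.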

References