The following are some notes that I found useful when using windbg for exploit development.
Setting up the symbols!
0:001> .sympath SRV*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols
0:011> .reload
Reloading current modules
..................................................................
Basic Commands
0:001> g *Continue execution
0:001> !peb *Displays the Process Environment Block (PEB)
PEB at 7FFDF000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 71f40 . 99b60
Ldr.InLoadOrderModuleList: 71ec0 . 99b50
Ldr.InMemoryOrderModuleList: 71ec8 . 99b58
Base TimeStamp Module
1000000 424df423 Apr 01 19:23:47 2005 C:\WINNT\system32\spoolsv.exe
77f80000 41e648e0 Jan 13 04:09:36 2005 C:\WINNT\system32\ntdll.dll
7c2d0000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\ADVAPI32.dll
7c570000 41dd0235 Jan 06 03:17:41 2005 C:\WINNT\system32\KERNEL32.dll
77d30000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\RPCRT4.dll
78000000 3e6e3115 Mar 11 12:55:17 2003 C:\WINNT\system32\MSVCRT.dll
77f40000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\GDI32.dll
77e10000 42675f89 Apr 21 03:08:41 2005 C:\WINNT\system32\USER32.dll
76a90000 425670f7 Apr 08 06:54:31 2005 C:\WINNT\system32\SPOOLSS.DLL
77340000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\iphlpapi.dll
75030000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WS2_32.DLL
75020000 3843995d Nov 30 03:31:09 1999 C:\WINNT\system32\WS2HELP.DLL
77520000 3844d039 Dec 01 01:37:29 1999 C:\WINNT\system32\ICMP.DLL
77320000 3844d039 Dec 01 01:37:29 1999 C:\WINNT\system32\MPRAPI.DLL
75150000 425670fb Apr 08 06:54:35 2005 C:\WINNT\system32\SAMLIB.DLL
7cdc0000 42675f8c Apr 21 03:08:44 2005 C:\WINNT\system32\NETAPI32.DLL
77980000 41e648e2 Jan 13 04:09:38 2005 C:\WINNT\system32\DNSAPI.dll
75050000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WSOCK32.dll
751c0000 3843995b Nov 30 03:31:07 1999 C:\WINNT\system32\NETRAP.dll
77bf0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\NTDSAPI.dll
77950000 425670f5 Apr 08 06:54:29 2005 C:\WINNT\system32\WLDAP32.DLL
7c340000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\SECUR32.DLL
7ce20000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\OLE32.DLL
779b0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\OLEAUT32.DLL
773b0000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\ACTIVEDS.DLL
77380000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\ADSLDPC.DLL
77830000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\system32\RTUTILS.DLL
77880000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\SETUPAPI.DLL
7c0f0000 425670f4 Apr 08 06:54:28 2005 C:\WINNT\system32\USERENV.DLL
774e0000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\RASAPI32.DLL
774c0000 425670f6 Apr 08 06:54:30 2005 C:\WINNT\system32\rasman.dll
77530000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\TAPI32.dll
77b50000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\COMCTL32.DLL
77c70000 4214cf23 Feb 17 11:06:43 2005 C:\WINNT\system32\SHLWAPI.DLL
77360000 3ef274de Jun 19 21:43:42 2003 C:\WINNT\system32\DHCPCSVC.DLL
777f0000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\system32\rasadhlp.dll
76120000 425670f7 Apr 08 06:54:31 2005 C:\WINNT\system32\localspl.dll
76980000 3ef274e0 Jun 19 21:43:44 2003 C:\WINNT\system32\sfc.dll
68010000 42565e41 Apr 08 05:34:41 2005 C:\WINNT\system32\sfcfiles.dll
77820000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\VERSION.dll
759b0000 3ef274e2 Jun 19 21:43:46 2003 C:\WINNT\system32\LZ32.DLL
77800000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\system32\winspool.drv
76620000 425670fa Apr 08 06:54:34 2005 C:\WINNT\system32\MPR.DLL
733e0000 3843997b Nov 30 03:31:39 1999 C:\WINNT\system32\cnbjmon.dll
76ab0000 3844d03e Dec 01 01:37:34 1999 C:\WINNT\system32\pjlmon.dll
76a80000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\tcpmon.dll
10000000 4ae861e6 Oct 28 09:23:18 2009 C:\WINNT\system32\TPVMMon.dll
7cf30000 42675f8a Apr 21 03:08:42 2005 C:\WINNT\system32\SHELL32.dll
db0000 4a1e99c7 May 28 09:03:51 2009 C:\WINNT\system32\TPVMW32.dll
e00000 4acf07bc Oct 09 04:51:56 2009 C:\WINNT\system32\TPRDPW32.dll
655e0000 38470103 Dec 02 17:30:11 1999 C:\WINNT\system32\WTSAPI32.dll
66640000 3ef27504 Jun 19 21:44:20 2003 C:\WINNT\system32\UTILDLL.dll
65780000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\system32\WINSTA.dll
68a80000 3ef274fe Jun 19 21:44:14 2003 C:\WINNT\system32\REGAPI.dll
76a70000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\usbmon.dll
e60000 49d4afde Apr 02 06:30:22 2009 C:\WINNT\system32\spool\PRTPROCS\W32X86\TPWinPrn.dll
73930000 3ef274e8 Jun 19 21:43:52 2003 C:\WINNT\system32\CLUSAPI.dll
689d0000 3ef274fe Jun 19 21:44:14 2003 C:\WINNT\system32\RESUTILS.dll
782c0000 3ef274dd Jun 19 21:43:41 2003 C:\WINNT\System32\rnr20.dll
777e0000 3844d037 Dec 01 01:37:27 1999 C:\WINNT\System32\winrnr.dll
74fd0000 3ef274f6 Jun 19 21:44:06 2003 C:\WINNT\system32\msafd.dll
75010000 3ef27506 Jun 19 21:44:22 2003 C:\WINNT\System32\wshtcpip.dll
76a50000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\win32spl.dll
7c950000 41e651f8 Jan 13 04:48:24 2005 C:\WINNT\system32\CLBCATQ.DLL
76b00000 3ef274df Jun 19 21:43:43 2003 C:\WINNT\system32\inetpp.dll
7e660000 4802a101 Apr 13 19:10:41 2008 C:\WINNT\system32\spool\DRIVERS\W32X86\3\PS5UI.DLL
SubSystemData: 0
ProcessHeap: 70000
ProcessParameters: 20000
WindowTitle: 'C:\WINNT\system32\spoolsv.exe'
ImageFile: 'C:\WINNT\system32\spoolsv.exe'
CommandLine: 'C:\WINNT\system32\spoolsv.exe'
DllPath: 'C:\WINNT\system32;.;C:\WINNT\system32;C:\WINNT\system;C:\WINNT;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem'
Environment: 0x10000
Dumping Binary Data
0:001> db eip
7c90120e cc c3 8b ff cc c3 8b ff-8b 44 24 04 cc c2 04 00 .........D$.....
7c90121e 64 a1 18 00 00 00 c3 57-8b 7c 24 0c 8b 54 24 08 d......W.|$..T$.
7c90122e c7 02 00 00 00 00 89 7a-04 0b ff 74 1e 83 c9 ff .......z...t....
7c90123e 33 c0 f2 ae f7 d1 81 f9-ff ff 00 00 76 05 b9 ff 3...........v...
7c90124e ff 00 00 66 89 4a 02 49-66 89 0a 5f c2 08 00 57 ...f.J.If.._...W
7c90125e 8b 7c 24 0c 8b 54 24 08-c7 02 00 00 00 00 89 7a .|$..T$........z
7c90126e 04 0b ff 74 1e 83 c9 ff-33 c0 f2 ae f7 d1 81 f9 ...t....3.......
7c90127e ff ff 00 00 76 05 b9 ff-ff 00 00 66 89 4a 02 49 ....v......f.J.I
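The `db` output above is the format most often copied out of a WinDbg session into a log or bug report, so it is worth being able to turn it back into raw bytes. The following Python is an added example, not part of the original notes: it parses `db` lines (the 8-digit address, 16 byte pairs with WinDbg's `-` after the eighth, and the ASCII column) into a single byte string, rebuilds the ASCII column, and searches the recovered bytes for a pattern as an offline counterpart of the `s` command. The sample input is the first two `db eip` lines shown above, embedded as a string; the function names are this example's own.

```python
import re

# Constructed sample input: the prompt and first two lines of the `db eip`
# output above (ntdll!DbgBreakPoint), copied into a string so the parser can
# run offline against a saved WinDbg log.
SAMPLE_DB_OUTPUT = """\
0:001> db eip
7c90120e cc c3 8b ff cc c3 8b ff-8b 44 24 04 cc c2 04 00 .........D$.....
7c90121e 64 a1 18 00 00 00 c3 57-8b 7c 24 0c 8b 54 24 08 d......W.|$..T$.
"""

# One `db` line: address (8 hex digits, or 8`8 on 64-bit targets), up to 16
# byte pairs separated by ' ' or WinDbg's '-' after the 8th, then the ASCII
# column. Lines that do not match (the prompt, blank lines) are skipped.
DB_LINE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8}(?:`[0-9a-fA-F]{8})?)\s+"
    r"(?P<hex>(?:[0-9a-fA-F]{2}[ -]){0,15}[0-9a-fA-F]{2})"
    r"\s+(?P<ascii>.*)$"
)


def parse_db(text):
    """Return (base_address, raw_bytes) from WinDbg `db` output.

    The dump lines must be contiguous, so a gap in the copied output is
    reported instead of silently producing a byte string with a hole in it.
    """
    base = None
    expected = None
    chunks = []
    for line in text.splitlines():
        m = DB_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group("addr").replace("`", ""), 16)
        # bytes.fromhex ignores whitespace, so only the '-' needs replacing
        data = bytes.fromhex(m.group("hex").replace("-", " "))
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"gap in dump: got {addr:#x}, expected {expected:#x}")
        chunks.append(data)
        expected = addr + len(data)
    if base is None:
        raise ValueError("no db lines found in input")
    return base, b"".join(chunks)


def render_ascii(data):
    """Rebuild WinDbg's ASCII column: printable 0x20..0x7e as-is, the rest as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in data)


def find_all(base, data, pattern):
    """Addresses of every (possibly overlapping) occurrence of `pattern` in the
    recovered bytes; the offline equivalent of `s start end <bytes>`."""
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(pattern, pos + 1)
    return hits


if __name__ == "__main__":
    base, data = parse_db(SAMPLE_DB_OUTPUT)
    print(f"{len(data)} bytes recovered at {base:#x}")
    # cc c3 is `int 3; ret`, the two breakpoint stubs that `u eip` lists next
    for addr in find_all(base, data, b"\xcc\xc3"):
        print(f"int 3; ret at {addr:#x}")
```

Running the block against the sample finds `cc c3` at 7c90120e and 7c901212, which are exactly the `ntdll!DbgBreakPoint` and `ntdll!DbgUserBreakPoint` entry points that the `u eip` listing in the next section shows.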
Disassembling Instructions
0:001> u eip
ntdll!DbgBreakPoint:
7c90120e cc int 3
7c90120f c3 ret
7c901210 8bff mov edi,edi
ntdll!DbgUserBreakPoint:
7c901212 cc int 3
7c901213 c3 ret
7c901214 8bff mov edi,edi
7c901216 8b442404 mov eax,dword ptr [esp+4]
7c90121a cc int 3
Listing Loaded Modules
0:018> lmf
start end module name
00930000 00947000 odbcint C:\WINDOWS\system32\odbcint.dll
01000000 01081000 winlogon C:\WINDOWS\system32\winlogon.exe
01360000 0139c000 WgaLogon C:\WINDOWS\system32\WgaLogon.dll
01c70000 01f35000 xpsp2res C:\WINDOWS\system32\xpsp2res.dll
47020000 47028000 dimsntfy C:\WINDOWS\System32\dimsntfy.dll
5ad70000 5ada8000 uxtheme C:\WINDOWS\system32\uxtheme.dll
5b860000 5b8b5000 NETAPI32 C:\WINDOWS\system32\NETAPI32.dll
5d090000 5d12a000 COMCTL32 C:\WINDOWS\system32\COMCTL32.dll
68000000 68036000 rsaenh C:\WINDOWS\system32\rsaenh.dll
71aa0000 71aa8000 WS2HELP C:\WINDOWS\system32\WS2HELP.dll
71ab0000 71ac7000 WS2_32 C:\WINDOWS\system32\WS2_32.dll
71b20000 71b32000 MPR C:\WINDOWS\system32\MPR.dll
71bf0000 71c03000 SAMLIB C:\WINDOWS\system32\SAMLIB.dll
723d0000 723ec000 WINSCARD C:\WINDOWS\system32\WINSCARD.DLL
72d10000 72d18000 msacm32 C:\WINDOWS\system32\msacm32.drv
72d20000 72d29000 wdmaud C:\WINDOWS\system32\wdmaud.drv
73000000 73026000 WINSPOOL C:\WINDOWS\system32\WINSPOOL.DRV
74320000 7435d000 ODBC32 C:\WINDOWS\system32\ODBC32.dll
755c0000 755ee000 msctfime C:\WINDOWS\system32\msctfime.ime
75930000 7593a000 PROFMAP C:\WINDOWS\system32\PROFMAP.dll
75940000 75948000 NDdeApi C:\WINDOWS\system32\NDdeApi.dll
75950000 7596a000 WlNotify C:\WINDOWS\system32\WlNotify.dll
75970000 75a68000 MSGINA C:\WINDOWS\system32\MSGINA.dll
76360000 76370000 WINSTA C:\WINDOWS\system32\WINSTA.dll
76390000 763ad000 IMM32 C:\WINDOWS\system32\IMM32.DLL
763b0000 763f9000 comdlg32 C:\WINDOWS\system32\comdlg32.dll
76600000 7661d000 cscdll C:\WINDOWS\system32\cscdll.dll
76790000 7679c000 cryptdll C:\WINDOWS\system32\cryptdll.dll
769c0000 76a74000 USERENV C:\WINDOWS\system32\USERENV.dll
76b40000 76b6d000 WINMM C:\WINDOWS\system32\WINMM.dll
76bb0000 76bb5000 sfc C:\WINDOWS\system32\sfc.dll
76bc0000 76bcf000 REGAPI C:\WINDOWS\system32\REGAPI.dll
76bf0000 76bfb000 PSAPI C:\WINDOWS\system32\PSAPI.DLL
76c30000 76c5e000 WINTRUST C:\WINDOWS\system32\WINTRUST.dll
76c60000 76c8a000 sfc_os C:\WINDOWS\system32\sfc_os.dll
76c90000 76cb8000 IMAGEHLP C:\WINDOWS\system32\IMAGEHLP.dll
76d60000 76d79000 iphlpapi C:\WINDOWS\system32\iphlpapi.dll
76f50000 76f58000 WTSAPI32 C:\WINDOWS\system32\WTSAPI32.dll
76f60000 76f8c000 WLDAP32 C:\WINDOWS\system32\WLDAP32.dll
76fd0000 7704f000 CLBCATQ C:\WINDOWS\system32\CLBCATQ.DLL
77050000 77115000 COMRes C:\WINDOWS\system32\COMRes.dll
77120000 771ab000 OLEAUT32 C:\WINDOWS\system32\OLEAUT32.dll
773d0000 774d3000 comctl32_773d0000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
774e0000 7761d000 ole32 C:\WINDOWS\system32\ole32.dll
77690000 776b1000 NTMARTA C:\WINDOWS\system32\NTMARTA.DLL
776c0000 776d2000 AUTHZ C:\WINDOWS\system32\AUTHZ.dll
776e0000 77703000 SHSVCS C:\WINDOWS\system32\SHSVCS.dll
77920000 77a13000 SETUPAPI C:\WINDOWS\system32\SETUPAPI.dll
77a20000 77a74000 cscui C:\WINDOWS\system32\cscui.dll
77a80000 77b15000 CRYPT32 C:\WINDOWS\system32\CRYPT32.dll
77b20000 77b32000 MSASN1 C:\WINDOWS\system32\MSASN1.dll
77b40000 77b62000 Apphelp C:\WINDOWS\system32\Apphelp.dll
77bd0000 77bd7000 midimap C:\WINDOWS\system32\midimap.dll
77be0000 77bf5000 MSACM32_77be0000 C:\WINDOWS\system32\MSACM32.dll
77c00000 77c08000 VERSION C:\WINDOWS\system32\VERSION.dll
77c10000 77c68000 msvcrt C:\WINDOWS\system32\msvcrt.dll
77c70000 77c95000 msv1_0 C:\WINDOWS\system32\msv1_0.dll
77dd0000 77e6b000 ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000 RPCRT4 C:\WINDOWS\system32\RPCRT4.dll
77f10000 77f59000 GDI32 C:\WINDOWS\system32\GDI32.dll
77f60000 77fd6000 SHLWAPI C:\WINDOWS\system32\SHLWAPI.dll
77fe0000 77ff1000 Secur32 C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000 kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9b2000 ntdll C:\WINDOWS\system32\ntdll.dll
7c9c0000 7d1d7000 SHELL32 C:\WINDOWS\system32\SHELL32.dll
7e410000 7e4a1000 USER32 C:\WINDOWS\system32\USER32.dll
7e720000 7e7d0000 sxs C:\WINDOWS\system32\sxs.dll
Unloaded modules:
74980000 74aa3000 msxml3.dll
77710000 77754000 ES.DLL
72d20000 72d29000 wdmaud.drv
66700000 6688d000 sfcfiles.dll
71e50000 71e65000 msapsspc.dll
78080000 78091000 MSVCRT40.dll
767f0000 76818000 schannel.dll
75b00000 75b15000 digest.dll
747b0000 747f7000 msnsspc.dll
78080000 78091000 MSVCRT40.dll
74980000 74aa3000 msxml3.dll
5fff0000 5fff4000 KBDUS.DLL
74ad0000 74ad8000 powrprof.dll
4bfb0000 4bfcc000 dpcdll.dll
74980000 74aa3000 msxml3.dll
4bfb0000 4bfcc000 dpcdll.dll
Searching Memory
0:018> s 7c900000 7c9b2000 FF E4
7c96bf33 ff e4 be 96 7c fd be 96-7c 00 00 00 00 53 69 7a ....|...|....Siz
0:018> u 7c96bf33
ntdll!`string'+0xa9:
7c96bf33 ffe4 jmp esp
7c96bf35 be967cfdbe mov esi,0BEFD7C96h
7c96bf3a 96 xchg eax,esi
7c96bf3b 7c00 jl ntdll!RtlpDphFreeDelayedBlocksFromHeap+0xad (7c96bf3d)
7c96bf3d 0000 add byte ptr [eax],al
7c96bf3f 005369 add byte ptr [ebx+69h],dl
7c96bf42 7a65 jp ntdll!RtlpDphFreeDelayedBlocksFromHeap+0x119 (7c96bfa9)
7c96bf44 207265 and byte ptr [edx+65h],dh
Awesome Plugins
Byakugan
Byakugan is a WinDbg plugin that ships as part of Metasploit. The following examples are taken from the Byakugan slides in the reference section below. To load Byakugan, type:
0:001> !load C:\path\to\byakugan.dll
Usage
0:001> !jutsu
0:001> !jutsu identBuf MyBufName CONTENTS
0:001> !jutsu identBuf msfpattern 500
0:001> !jutsu listBuf
0:001> !jutsu rmbuf MyBufName
0:001> !jutsu hunt
0:001> !jutsu findReturn
0:001> !tenketsu
0:001> !tenketsu listHeaps
0:001> !tenketsu listChunks
!Exploitable Crash Analyzer
!exploitable was created by Microsoft and is freely available. To load !exploitable, type:
0:001> !load c:\path\to\msec.dll
Usage
Using !exploitable is easy: once you hit a first-chance exception, load the extension and run it, as in the following session:
(19ec.468): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=00000101 edx=ffffffff esi=00000000 edi=00000000
eip=77f9193c esp=0132ffa8 ebp=0132ffb4 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000286
ntdll!DbgBreakPoint:
77f9193c cc int 3
0:006> g
(19ec.1a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
41414141 ?? ???
0:001> !load msec.dll
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)
Access violations at the instruction pointer are exploitable if not near NULL.
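Two things in these notes combine into a useful first-pass triage of a saved crash log: the `lmf` module map from the "Listing Loaded Modules" section, and the rule just stated that an access violation at the instruction pointer matters unless eip is near NULL. The following Python is an added example, not part of the original notes and not the logic of Microsoft's !exploitable extension: it parses `lmf` output into module ranges, pulls the exception code and 32-bit registers out of the WinDbg break banner, and classifies the crash with that rule. The sample strings are a subset of the `lmf` listing and the `41414141` crash from above; `NEAR_NULL_LIMIT` (64 KiB) and the "eip inside a loaded module means a data fault, not an instruction-pointer fault" heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few `lmf` lines from the listing above, plus the crash
# banner that the !exploitable walkthrough analyses, copied into strings so the
# triage runs offline against a saved log.
SAMPLE_LMF = r"""
start    end        module name
7c800000 7c8f6000   kernel32   C:\WINDOWS\system32\kernel32.dll
7c900000 7c9b2000   ntdll      C:\WINDOWS\system32\ntdll.dll
7e410000 7e4a1000   USER32     C:\WINDOWS\system32\USER32.dll
Unloaded modules:
74980000 74aa3000   msxml3.dll
"""

SAMPLE_CRASH = """
(19ec.1a0): Access violation - code c0000005 (first chance)
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
"""


@dataclass(frozen=True)
class Module:
    start: int
    end: int
    name: str
    path: str

    def contains(self, addr):
        return self.start <= addr < self.end


ADDR = r"[0-9a-fA-F]{8}(?:`[0-9a-fA-F]{8})?"     # 32-bit, or 8`8 on 64-bit
LMF_LINE = re.compile(r"^(" + ADDR + r")\s+(" + ADDR + r")\s+(\S+)(?:\s+(.*))?$")
EXC_LINE = re.compile(r"\):\s+(.+?)\s+-\s+code\s+([0-9a-fA-F]{8})")
REG = re.compile(r"\b(e[a-d]x|e[sd]i|e[bsi]p)=([0-9a-fA-F]{8})")


def parse_lmf(text):
    """Loaded modules only: parsing stops at the 'Unloaded modules:' section."""
    modules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Unloaded modules"):
            break
        m = LMF_LINE.match(line)
        if m:  # the 'start end module name' header and blank lines do not match
            start, end, name, path = m.groups()
            modules.append(Module(int(start.replace("`", ""), 16),
                                  int(end.replace("`", ""), 16), name, path or ""))
    return modules


def parse_crash(text):
    """Exception code (or None) and the 32-bit register values from a break banner."""
    exc = EXC_LINE.search(text)
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    return (int(exc.group(2), 16) if exc else None), regs


def locate(modules, addr):
    return next((m for m in modules if m.contains(addr)), None)


# Assumption: the lowest 64 KiB counts as "near NULL"; the notes give no number.
NEAR_NULL_LIMIT = 0x10000
ACCESS_VIOLATION = 0xC0000005


def triage(modules, exc_code, regs):
    """Apply the notes' rule to a crash banner. Heuristic only: with just the
    register dump we cannot see the faulting address, so eip inside a loaded
    module is treated as a data-access fault rather than a fault at eip."""
    eip = regs.get("eip")
    if eip is None:
        return "NO_REGISTERS", "no eip= value found in the banner"
    if exc_code != ACCESS_VIOLATION:
        return "NOT_AN_ACCESS_VIOLATION", f"exception code {exc_code!r}"
    mod = locate(modules, eip)
    if mod is not None:
        return "EIP_IN_MODULE", f"{mod.name}+{eip - mod.start:#x}"
    if eip < NEAR_NULL_LIMIT:
        return "EIP_NEAR_NULL", f"eip={eip:#010x}, likely NULL dereference"
    return "EIP_OUTSIDE_MODULES", f"eip={eip:#010x} maps to no loaded module"


if __name__ == "__main__":
    mods = parse_lmf(SAMPLE_LMF)
    code, regs = parse_crash(SAMPLE_CRASH)
    print(triage(mods, code, regs))
```

On the sample the verdict is `EIP_OUTSIDE_MODULES` with `eip=0x41414141`, the same crash that !exploitable above labels EXPLOITABLE; feeding it the `jmp esp` address from the "Searching Memory" section instead reports `ntdll+0x6bf33`, which matches the `ntdll` range in the `lmf` listing.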
References