Side Effects of Debugger

A target program might behave differently when it is being debugged, which can be very annoying. These behavioral deviations can also be leveraged for anti-debugging. IsDebuggerPresent and CheckRemoteDebuggerPresent are well-known APIs for telling whether a program has a debugger attached.

0:000> uf KERNELBASE!IsDebuggerPresent
KERNELBASE!IsDebuggerPresent:
7512f41b 64a118000000    mov     eax,dword ptr fs:[00000018h]
7512f421 8b4030          mov     eax,dword ptr [eax+30h]
7512f424 0fb64002        movzx   eax,byte ptr [eax+2]
7512f428 c3              ret

CloseHandle would raise an exception under a debugger, as stated…

MACRO Revisited

Macros are powerful, but few people understand how they work. In theory, syntax highlighting for C/C++ is impossible due to the presence of preprocessing directives (FDIS N3290, clause 16). Sometimes I do feel that C++ is a mixture of three languages instead of a single language; I have to keep in mind that there are…

Undocumented WinDBG

Abstraction and encapsulation are good because they make it easier to build complex systems; however, there are times when you have to peek inside the abstraction and demystify the encapsulation. This is especially true for debugging and performance tuning (I will not talk about reverse engineering this time). Familiarizing yourself with the right tools is very important, and…

A Debugging Approach to IFEO

IFEO (Image File Execution Options) is a feature provided by NT-based operating systems. It can be helpful when you are trying to debug at the very beginning of an application launch. A few people have also talked about IFEO on MSDN Blogs: Image File Execution Options by Junfeng. Inside ‘Image File Execution Options’ debugging…

Data Breakpoints

The Visual Studio debugger supports a kind of breakpoint called a Data Breakpoint, sometimes also called a watchpoint. Data breakpoints are architecture dependent, as they require hardware support provided by the CPU. For x86, this is the DR (Debug Register). The following code demonstrates how to use the x86 debug registers by implementing a very simple native debugger.

#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include <stdio.h>
…

Use Windows Debuggers for Non-Debugging Tasks

Many people who have been using Emacs for decades were shocked when they heard that Emacs is actually a text editor instead of an operating system. – vi advocate

In a similar spirit to Emacs, Windows Debuggers are also super good at non-debugging tasks.

Calculator

The built-in expression evaluator of Windows Debuggers can be used as…

The Main Thread Problem

Every few months I hear people asking the same question: given a process ID (or handle), how can I get its main thread ID (or handle)? Normally that raises another question: what is the definition of a main thread? The Windows operating system doesn’t have a concept called main thread, and threads do not…

Using Function Evaluation in WinDBG

People who develop debuggers know that, in theory, you cannot have a perfect disassembler (especially for x86) or stepper (especially for Step Over). People who develop commercial debuggers know that Function Evaluation (a.k.a. funceval) is a big challenge when implementing an Expression Evaluator. And people who develop the Visual Studio Debugger face other difficulties: Interop Debugging, Edit & Continue…

Windows 8 and conhost.exe

While debugging a console application on Windows 8, I noticed the console application is trying to create a process at the very beginning:

windbg.exe -xe ld:ntdll.dll -c "bm ntdll!*CreateProcess*; g; k" cmd.exe

CommandLine: cmd.exe
ModLoad: 000007ff`01d60000 000007ff`01f1e000   ntdll.dll
ntdll!RtlUserThreadStart:
000007ff`01d7c3d0 4883ec48        sub     rsp,48h
Processing initial command 'bm ntdll!*CreateProcess*; g; k'
0:000> bm ntdll!*CreateProcess*; g; k
  1: 000007ff`01d90f60 @!"ntdll!RtlCreateProcessParametersEx"
  2: 000007ff`01d63070…

A Debugging Approach to Application Verifier

Application Verifier, also known as AppVerifier, is a dynamic instrumentation tool for user-mode applications. It is freely available from the SDK/PSDK, with a set of GUI applications and DLL extensions, plus good documentation. Let’s begin by adding the most famous application, notepad.exe, from the appverif.exe GUI, and then launching notepad.exe from WinDBG:

windbg.exe notepad.exe

ModLoad: 00620000 00650000   notepad.exe
ModLoad:…