A Debugging Approach to Application Verifier

Application Verifier, also known as AppVerifier, is a dynamic instrumentation tool for user mode applications. It is freely available from the SDK/PSDK, with a set of GUI applications and DLL extensions, plus good documentation. Let's begin by adding the most famous application, notepad.exe, from the appverif.exe GUI, and launch notepad.exe from WinDBG:

windbg.exe notepad.exe
ModLoad: 00620000 00650000   notepad.exe
ModLoad:…


Early Debugging

Early debugging is a wide topic; on a Windows PC it might be:

Application startup
Service startup
WinLogon
CSRSS (Client/Server Runtime Subsystem)
Windows Setup and OS Loader
MBR (Master boot record)
BIOS POST (Power-on self-test)

Application Startup

As we have demonstrated in the user mode debug event loop, when an application was launched from a debugger,…


Side Effects of Debugger

A target program might behave differently if it is being debugged, and sometimes this can be very annoying. These behavior deviations can also be leveraged by anti-debugging techniques. IsDebuggerPresent and CheckRemoteDebuggerPresent are well known APIs to tell whether a debugger is attached to a program.

0:000> uf KERNELBASE!IsDebuggerPresent
KERNELBASE!IsDebuggerPresent:
7512f41b 64a118000000    mov     eax,dword ptr fs:[00000018h]
7512f421 8b4030          mov     eax,dword ptr [eax+30h]
7512f424 0fb64002        movzx   eax,byte ptr [eax+2]
7512f428 c3              ret

CloseHandle would raise an exception under a debugger, as stated…


A Debugging Approach to IFEO

IFEO (Image File Execution Options) is a feature provided by the NT based operating system. It can be helpful when you are trying to debug at the very beginning of an application launch. A few people have also talked about IFEO on MSDN Blogs: Image File Execution Options by Junfeng. Inside 'Image File Execution Options' debugging…
