Debuggers & Debugging

6 files

1. Application Debugging in a Productive Environment

   By Teddy Rogers

   The document you have at hand is made for people who have to support and maintain a production environment. In this course we'll try to give an answer on questions like : "yesterday it still worked and now it doesn't anymore, what did happen ?" or "why does it work on this computer and not on another one ?".
   Each chapter can be seen as a stand alone par. However, some background information and knowledge like symbols usage and calling conventions ­ are essential parts you must know to follow this course.
   Every part of this paper is explained as a walkthrough. This gives the student the possibility to use the document as reference material and/or as a workbook to learn some particular debugging scenarios. In no way this guide attempts to be a replacement for the manuals that come with the debuggers. The WinDbg debugger comes with such an outstanding and complete documentation that it is impossible to do better than that.
   The reader of this document shouldn't be proficient in writing applications, nor should she/he be an expert in assembler or another language to follow this course. However, as with most things in live : "the more you know in advance, the better". The topics covered in this guide are rather complicated, but working with the WinDbg debugger is explained step by step.
   

   185 downloads

   0 comments

   Submitted February 15, 2020

2. Painless Guide on DLL Debugging

   By Teddy Rogers

   I have seen many people that can not understand how debugging a DLL is done, and I've recieved a couple of requests on such topics, so I'm writing this guide in the hope that someone can find it useful.
   This guide is not for 100% newbies, those who don't know/didn't use a (disassembler, debugger) before should read more on that topic before reading this guide.
   In this guide I don't include too much of "proof-of-concept" examples, it's a general idea that I want to deliver, that's all.
   

   573 downloads

   0 comments

   Submitted February 15, 2020

3. Python Windows Debugging Reference

   By Teddy Rogers

   A few years back I summarized a gray hat Python book into a useful mind map to aid remembering how debuggers work.
   

   144 downloads

   0 comments

   Submitted February 15, 2020

4. The Big SoftICE Howto

   By Teddy Rogers

   Debugging applications or drivers are part of every programmer’s day. Nearly every IDE I know has its own debugger. Most of them suck in several ways and often don’t fulfil all the needs the coder has. Especially when developing a ring0 application, such as a driver for a video or audio device. Without a powerful kernel debugger it’s very hard for the coding artist to fix problems, because as you know bigger programming faults lead to bluescreens, followed by a reboot. Referring to the security or antivirus scene a debugger is often used when reversing a binary for vulnerabilities or discovering the functionality of malware. The best disassembler IDA Pro from Datarescue also supports debugging for some time now and improves the reversers work when analyzing an application, particularly when the binary is compressed with an executable packer. Microsoft ships their Visual Studio with a nice debugger which has also the capability of kernel debugging. But almost all debuggers have still some disadvantages. In my opinion currently there’s only one debugger that is nearly perfect, the world famous SoftICE. Formerly created by NuMega, sold to Compuware in 1997 and now implemented in Driverstudio, SoftICE is a fully featured debugger with dozens of commands I’ll try to bring you closer in this essay. Have you ever wondered what the ICE stands for in SoftICE? Quite easy, it means “In Circuit Emulator”. If you don’t know what an ICE is, just google for it wink This paper will give you a step by step introduction to SoftICE. First we’ll discuss the most important things while installation and configuration as well as covering several problems that can happen. Subsequent to this I will discuss hotkeys, the most important basic and many advanced commands SoftICE has. Furthermore I will give examples how to use them as well as alluding stumbling blocks with some instructions. In the end of the document I prepared a list of useful API
   calls, which may help when searching for the right breakpoint in future debugging sessions. To reproduce all the things best, discussed here in the following, you should be armed with WinXP or Win2003, Driverstudio v3.2, IceExt v0.67, Spy & Capture v2.70 as well as VMWare Workstation v5.5. Watch the link list at the bottom where to get the tools needed. The reader of this document should have a basic understanding of x86 assembly and the fundamentals of debugging. Ok, let’s getting started now.
   

   195 downloads

   0 comments

   Submitted February 15, 2020

5. Virt-ICE: Next-Generation Debugger for Malware Analysis

   By Teddy Rogers

   Dynamic malware analysis is an important method to analyze malware. The most important tool for dynamic malware analysis is debugger. However, because debuggers are originally built by software developers to debug legitimate software, they have some significant flaws against malware. First of all, malware can easily detect the presence of debugger with various tricks. Another fundamental problem is that because malware run in the same security domain with debugger, they can potentially tamper with the debugger, and prevent it from functioning correctly. Unfortunately, all of the above drawbacks are unfixable in the current architecture.
   This research presents a new debugger named VirtICE, which is designed to address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is invisible to malware, thus renders most available anti-debugging techniques useless. Thanks to the isolation provided by virtual machine, Virt-ICE is out of the reach of malware, and cannot be tampered with.
   Another advantage of Virt-ICE is that unlike many other popular debuggers, it can deal with ring-0 code, therefore it has no issue handling kernel rootkits. Virt-ICE also offers a novel event-based method to intercept malware execution, which can help to improve the debugging efficiency. Finally, Virt-ICE includes some built-in automatic malware analysis facilities to give the analysts more information on malware, so they can reduce the time on the job by focusing their debugging efforts on important points.
   

   155 downloads

   0 comments

   Submitted February 15, 2020

6. Windows Internal Debugging

   By Teddy Rogers

   The internal mechanisms of what allows user-mode debugging to work have rarely ever been fully explained. Even worse, these mechanisms have radically changed in Windows XP, when much of the support was re-written, as well as made more subsystem portable by including most of the routines in ntdll, as part of the Native API. This three part series will explain this functionality, starting from the Win32 (kernel32) viewpoint all the way down (or up) to the NT Kernel (ntoskrnl) component responsible for this support, called Dbgk, while taking a stop to the NT System Library (ntdll) and its DbgUi component.
   
   The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.
   

   166 downloads

   0 comments

   Submitted February 15, 2020