Good tutorial for WinDbg? - windbg

Are there good tutorials for showing how to use WinDbg?

Basic Tutorials & Usage Demos
Installing and Configuring WinDbg (Windows Debug Tools)
Mike Taulty - A word for WinDbg
WinDbg Tutorials
Windows Debuggers: Part 1: A WinDbg Tutorial
Different Ways to "Start"/Attach WinDbg
Start Debugging with WinDbg (includes how to debug an .msi)
How to debug a Windows service
Setting up Windows Debugging
Debugging SQL Server...here, here, here, here
Workspaces (Understanding how they work)
Pimp up your debugger: Creating a custom workspace for WinDbg debugging
Uncovering How Workspaces Work in WinDbg
Cmdtree
Allows you to define a "menu" of debugger commands for easy access to frequently used commands without having to remember the terse command names. You don't have to put all the command definitions into the same cmdtree text file; you can keep them separate and load multiple ones (each then gets its own window).
Amazing helper .cmdtree
How do I make a cmdtree window dock at startup in WinDbg
Making it easier to debug .NET dumps in WinDbg using .cmdtree
Microshaoft Cmdtree
Special Command—Execute Commands from a Customized User Interface with .cmdtree
Startup Script
You can use the -c option on the command line to automatically run a WinDbg script when you start WinDbg.
This gives you the opportunity to turn on DML (Debugger Markup Language) mode, load particular extensions, set .NET exception breakpoints, set kernel flags (e.g. when kernel debugging you might need to change the DbgPrint mask so you see tracing information: ed nt!Kd_DEFAULT_Mask 0xFFFFFFFF), load cmdtrees, etc.
http://yeilho.blogspot.co.uk/2012/10/windbg-init-script.html
Take Control of WinDbg
An example script:

    $$ Include a directory to search for extensions
    $$ (point to a source controlled or UNC common directory so that all developers get access)
    .extpath+"c:\svn\DevTools\WinDBG\Extensions"
    $$ When debugging a driver written with the Windows Driver Framework/KMDF
    $$ load this extension that comes from the WinDDK.
    !load C:\WinDDK\7600.16385.1\bin\x86\wdfkd.dll
    !wdftmffile C:\WinDDK\7600.16385.1\tools\tracing\i386\wdf01009.tmf
    $$ load some extensions
    .load msec.dll
    .load byakugan.dll
    .load odbgext.dll
    .load sosex
    .load psscor4
    $$ Make commands that support DML (Debugger Markup Language) use it
    .prefer_dml 1
    .dml_start
    $$ Show NTSTATUS codes in hex by default
    .enable_long_status 1
    $$ Set default extension
    .setdll psscor4
    $$ Show all loaded extensions
    .chain /D
    $$ Load some command trees
    .cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree1.txt
    .cmdtree c:\svn\DevTools\WinDBG\cmdtree\cmdtree2.txt
    $$ Show some help for the extensions
    !wdfkd.help
    !psscor4.help
    .help /D
Command Cheat Sheets
Crash Dump Analysis Poster v3.0
SOS Cheat Sheet (.NET 2.0/3.0/3.5)
WinDbg cheat sheet (Art of Dev)
WinDbg Kernel-Mode Extension Commands Flashcards
Extensions (extend the range of commands/features supported)
AddSym- allows transfer of symbol names between IDA and WinDbg
bigLasagne (bldbgexts & blwdbgue) - assembly syntax highlighting and a driver mapping tool
BigLib Number Reader
Byakugan- detect antidebugging methods, vista heap visualization/emulation, track buffers in memory
CmdHist- records every command you executed in your debug session so you can re-execute easily
Core Analyzer- check heap structures for corruption, detect objects shared by threads, etc.
dom WinDbg Extension- (!stlpvector, !idt, !unhex, !grep, etc.)
dumppe- dumps PE file from memory
Image Viewer Extension (Vladimir Vukicevic)
Intel UEFI Development Kit Debugger Tool- debug UEFI firmware
leaktrap- GDI/USER handle tracker to aid in leak detection
Mona (requires PyKD)- set of commands to aid in advanced analysis/find exploits
MSEC- provides automated crash analysis and security risk assessment
narly- lists info about loaded modules such as if using SafeSEH, ASLR, DEP, /GS (Buffer Security Checks)
netext (Rodney Viana)- (!wservice - list WCF service objects, !wconfig - show .config lines, !whttp - list HttpContexts, !wselect/!wfrom - support SQL like queries on arrays)
ODbgExt- open debugger extensions
OllyMigrate- pass debuggee to another debugger without restarting
Psscor2- a superset of SOS for assisting in debugging .NET 2.0 managed code
Psscor4- a superset of SOS for assisting in debugging .NET 4 managed code
PyDBGExt- allows Python scripting to be used
PyKD- allows Python to be used to script WinDbg
sdbgext (Nynaeve)-(!valloc, !vallocrwx, !heapalloc, !heapfree, !remotecall, !remotecall64, !loaddll, !unloaddll, !close, !killthread, !adjpriv, !ret)
SieExtPub - legacy extension, now built into WinDbg in ext.dll
SOSEX- more commands for helping to debug managed NET 2.0 or 4.0 code
SPT/SDBGExt2 (Steve Niemitz)- (!DumpHttpContext, !DumpASPNetRequests, !DumpSqlConnectionPools, !DumpThreadPool, etc.)
Uniqstack- source to a debugger extension (need an OSR Online account to access it)
viscope- code coverage graph
Wait Chain Traversal/wct.dll (CodePlex Debugging Extensions) - display wait chains of application threads (helps find deadlocks)
windbgshark- integrates the Wireshark protocol analyser to enable VM traffic manipulation and analysis
WinDbg Extensions (Sasha Goldstein) - Tracer, WCT, heap_stat, bkb, traverse_map, traverse_vector
WinDbg Highlight (ColorWindbg.dll) (Use Google Translate to translate link)- assembly language syntax highlighting
Write your own extension
Developing WinDbg ExtEngCpp Extension in C++
Tools of the Trade: Part IV - Developing WinDbg Extension DLLs
The Basics of Debugger Extensions: Short Term Effort, Long Term Gain
Debugging Managed Code
Breaking on an Exception
Breaking on specific CLR Exception
Debugging .NET framework source code within WinDbg
Debugging exceptions in managed code using WinDbg
Debugging managed code using WinDbg and SOS.dll
Debugging with WinDbg. Deadlocks in Applications.
MANAGED DEBUGGING with WinDbg. Introduction and Index
Setting .NET breakpoints in WinDbg for applications that crash on startup
Scripting (C#, PS, Python, and WinDbg)
KDAR (Kernel Debugger Anti Rootkit)- a collection of WinDbg scripts
Sysnative BSOD Scripts/Processing Apps
WinDbg Script library- a collection of WinDbg scripts
Scripting MDbg and DbgHostLib- allows managed code to script the Managed Debugger (MDBG) and the DbgEng
ExtCS- allows control of WinDbg via C# scripts
PowerDBG- allows control of WinDbg via PowerShell scripts
Pykd - allows control of WinDbg via Python scripts
windbglib - Python wrapper library around the pykd extension for WinDbg, mimicking immlib (so you can use scripts originally written for Immunity Debugger)
Debuggers/Tools that use the dbgeng.dll API/WinDbg Tools
A Simple Dbgeng Based User Mode Debugger
Acorns.Debugging NET Deadlock Detector (uses cdb.exe) (download)
CLR Managed Debugger (MDBG)
DbgHost - How to control a debugging engine
Debug Diagnostic Tool v1.2 (DebugDiag), Ver 2.0 + DebugDiag Blog
Dynamorio - dynamic binary instrumentation tool which can interact with WinDbg
IDA + WinDbg plugin
GUI WinDbg
LeakShell (find managed leaks)
mdbglib - Managed Debug API
PyDbgEng- Python wrapper for Windows Debugging Engine
SOSNET - a WinDbg Fork/alternative shell that concentrates on using the SOS extension and supports C# scripting
SOSNET O2 fork - fork of SOSNET that uses Roslyn for the C# REPL (read-eval-print-loop) scripting engine
VDB/Vivisect (kenshoto) - provides a cross-platform debugging API layered on WinDbg
WinAppDbg + Heappie-WinAppDbg
Writing a basic Windows debugger
Different Ways to Generate Crash Dump Files for Post-Mortem Analysis
DebugDiag 2.0
Dump Cheat Sheet- includes how to generate dump from Hyper-V, VMware ESX, and XenServer VMs.
Citrix SystemDump
Keyboard Keypress Combination
MiniDumpWriteDump- (via Win32 API call inside your application). (Example for C# applications)
NMI Switch (hardware-based feature to generate an NMI; usually found on high-end servers, e.g. HP, or you can obtain an add-in PCI card, "Universal PCI Dump Switch"). Microsoft NMI technology background.
Procdump
Menu System → Advanced System Settings → Startup and Recovery (registry info), (how to configure a Complete (Full) Memory Dump), (how to enable Complete Memory Dump), (how to enable Complete Memory Dump on Windows 7 when the PC has lots of memory; normally not available when there is more than 2 GB of memory)
Task Manager "Create Dump File"
UserDump, instructions (very old tool)
UserModeProcessDumper, instructions
Visual Studio "Save Dump As…"
WER (Windows Error Reporting....local dumps)
WinDbg
Dump Analysis Tools
BlueScreenView - finds the minidump .dmp files saved by Windows after a BSOD, and extracts information about what caused the crash
Debug.Analyzer (can analyse dump files and plug-ins can be written in .NET)
SAD - Simple After Dump (postmortem analyzer)
Volatility - framework for analyzing "memory" recorded in dump files (cheat sheet)
Dump related Tools
Citrix dumpcheck - checks consistency of dump file (looks like it's been abandoned link + link)
dumpchk (part of Debugging Tools) - checks consistency of a Dump file
MoonSols Windows Memory Toolkit (formerly windd) - converts various raw memory dump files into WinDbg compatible dmp files
vm2dmp - Microsoft Hyper-V VM State to Memory Dump Converter
vmss2core - converts VMware snapshot file into a core dump file (download), (instructions)
Kernel Debugging Virtual Machines
VMKD - Virtual Machine KD Extensions
VirtualKD - (kernel debugger support for OS's hosted in VMware/VirtualBox)
Videos
.NET Cracking 101 #2 - WinDbg basics
.NET Debugging for the Production Environment (Channel9)
dotnetConf - Advanced Debugging with WinDbg and SOS
David Truxall "Debugging with WinDbg"
Mike Taulty Debugging Memory Leaks
oredev 2009 Session: Debugging .NET Applications with WinDbg
Pluralsight Advanced Windows Debugging (plus various other ones at Pluralsight)
Tess Ferrandez WinDbg (Channel9)
TiGa's Video Tutorial Series on IDA Pro
Blogs
Advanced .NET Debugging
All Your Base Are Belong To Us (Sasha Goldstein)
Analyze-v
ASP.NET Debugging
Cyberiafreak (threading and advanced Windows programming and debugging)
Debug Analyzer.NET
Debug and Beyond
Debugging Experts Magazine Online
Debugging Toolbox (WinDbg scripts, debugging and troubleshooting tools and techniques to help you isolate software problems.)
Decrypt my World
greggm's WebLog
Junfeng Zhang's Windows Programming Notes
Kristoffer's tidbits
Mark Russinovich's Blog
Mike Stalls .NET Debugging Blog
Naveen's Blog
Never Doubt Thy Debugger (Carlo)
Notes from a Dark Corner
Ntdebugging Blog (Microsoft Global Escalation Services team)
Nynaeve. Adventures in Windows debugging and reverse engineering
PFE Developer Notes for the Field
Visual Studio Debugger Team
WinDbg by Volker von Einem
Advanced Articles & Tutorial Resources
Advanced Debugging Techniques in WinDbg
Debugging Applications for MS.Net and Windows (PowerPoint Slides)
Debugging STL Containers with WinDbg
Debug Tutorials 1-7 (CodeProject-Toby Opferman)
Debugging.tv
Developmentor WinDbg Tagged articles
Dr Fu's Security Blog - Malware Analysis Tutorials - Reverse Engineering Approach
Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
Hunting Rootkits
Remote Microsoft Windows Server OS Kernel Debugging Using Dell Windows Debugger Utility (DWDU) (DELL(TM) Windows(R) Debugger Utility 1.1 README)
Alternative Debuggers
Bokken - (Inguma) (GUI for radare)
BugDbg
Debug++ (not released yet)
Debuggy
Discoloured Ring 0 Debugger (download)
edb (Linux)
FDBG
GoBug
Hades (Ring 3 debugger with anti debugger detection strategy)
Hopper (Linux, OS X and Windows) (Windows debugging not currently implemented)
Hyperdbg
IDA Debugger
ImmunityDebugger
Nanomite
Obsidian (non-intrusive debugger)
OllyDBG
PEBrowse
RaceVB6 (VB6 P-Code debugger)
radare
radare2ui (GUI for radare)
Rasta Ring 0 Debugger (RR0D)
Syser Kernel Debugger
TRW 2000 (very old debugger circa W9x) + dions plugin archive
VisualDux Debugger
Wintruder (extendable debugger)
WKTVDebugger (a debugger for Visual Basic P-Code) (download)
x64_dbg
Zeta Debugger
Other Links
Collaborative RCE Tool Library- debugger and system level tools
cr4zyserb- plugins & other debugging tools
How to Write a Windows Debugger References (Devon Straw)- detailed information that you would need if you wanted to write your own debugger e.g. PDB file format, .DMP file formats, PE File structure, how to record stack traces, etc., etc.
Tuts4You- unpackers, IDA, OllyDBG, Immunity Debugger plugins, etc.

Related

How to publish a Console Application that uses 3rd party references?

My problem might seem specific, but in fact it is probably very general: How to publish a Console Application that uses 3rd party references?
I am using Visual Studio 2015 to make a Console Application called Gdx2PostgreSql programmed in Visual Basic. The application is reading data in a Gdx-file (output from a GAMS program, www.gams.com) and writing the data to a PostgreSql database. The interface to PostgreSql is handled by NpgSql, www.npgsql.org. NpgSql is referenced as
\\dtu-storage\hela\Documents\Visual Studio 2015\Projects\GDX to PostgreSQL 2\packages\Npgsql.3.1.7\lib\net451\Npgsql.dll
The program functions correctly when it is executed in Debug mode inside Visual Studio.
I have to be able to run the program from the command prompt in a CMD window. Moreover, I have to be able to run the program by spawning from a GAMS program using the GAMS syntax
Execute 'Gdx2PostgreSql "FileName.gdx" "CaseName"';
I have published the program and run the setup file installing the program. But when I run it in a CMD window I get the error:
'Gdx2PostgreSql' is not recognized as an internal or external command, operable program or batch file.
I get the same error message when spawning from my GAMS program.
Being rather desperate I have tried renaming the file setup.exe in the Publish-folder to Gdx2PostgreSql.exe. When I use this file I get:
Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Npgsql, Version=3.1.7.0, Culture=neutral, PublicKeyToken=5d8b90d52f46fda7' or one of its dependencies. The system cannot find the file specified.
That is, NpgSql is not known to the program.
As I see it, I need to have one EXE-file that holds everything that is needed - especially because my program should be able to run on other PCs, too.
Can anyone help me make my program Gdx2PostgreSql function?
Finally, I should mention that I have made other programs reading Gdx-files and using NpgSql to write to PostgreSql. These programs function correctly, but they are Windows Forms Applications – and not Console Applications.
Console applications aren't really any different from winforms applications - you have to distribute the EXE along with any DLLs it depends on - in the same directory. As mentioned in the comment, after building your program you should be able to find everything you need under bin/Debug (or Release).
Regarding why your Gdx2PostgreSql isn't being found, that's likely a problem of path - try running your program with an absolute path, or cd'ing into bin/Debug (or Release) before executing it.

Attaching GDB to Eclipse to debug JNI C++ code

I'm having problems debugging a JNI application. I've read several threads on StackOverflow, like this one, this one or this one. I've also tried to start gdb in a separate shell and attach it to the running java process. In both cases, the problem is the same: GDB can't find the sources to debug. Things tried:
- Adding a "dir" line to gdbinit, pointing to the C++ sources folder
- Adding the C++ sources folder to the GDB debugging configuration in Eclipse, in the "Sources" tab.
- Adding set environment LD_LIBRARY_PATH=/path/to/library.so, where library.so is the library file built from the C++ source files
- Attaching ddd to the java process, but then I get an error because pthread_join.c is not found in the working directory. I don't have this file on my hard disk. I don't know what this is about.
Nothing worked. I've spent several days on this. I know my bug is in the C++ code called by the JNI wrapper, but I can't debug it. Any hints? If it helps, I'm running Eclipse Juno on Debian 7 under a Parallels VM on Mac OS.
Many thanks in advance,
You need to have debug information in your native library. You should pass -g to your compiler and linker to have this information in the executable. You may also want to add -O0.
As an alternative to attaching to the Java process, you can create a C++ app and debug it directly. You just need to link in the functions you want to test. In the main function, create the VM, register the functions with RegisterNatives, and kick off a Java test class that uses them.
Hopefully, the debugger has no problem finding the sources since it is just part of the normal compile/link/debug loop of a C++ app.
I would suggest starting with the latest ADT bundle. You can even download the Mac version, so you will not even need Parallels (see the detailed instructions). Then, choose Debug Android Native Application in the launch menu.

CLI tool that lists the DLL files that are mentioned in the Imports section of a Windows PE executable?

I am looking for a CLI tool that will list all of the DLL files referenced in the Import section of a Windows executable file. Back in the day, Windows shipped with a GUI tool called QuickView that provided this information. However, I need a CLI-based application that will provide this information, and preferably a free / open-source application if possible.
IIRC, the dumpbin tool from Microsoft could help. It is shipped with Microsoft Visual C++. The details are in MSDN.
Try dumpbin /IMPORTS <pe_file_to_analyze>.
I guess the tool is not open source, however. But if it is included in Microsoft Visual C++ Express (not sure about that), you can get it for free.
After asking this question and doing some searching, I concluded that the easiest way to get a program like this was to write one. So I did.
The end result was a program named PEImportList (released under the MIT license). It does nothing more than open a PE executable (x86 only at the moment) and read the import data, printing a list of DLL names to the console.
The code will run on any platform and can be found in this single file here:
https://gist.github.com/nathan-osman/5b25da083ad5c6557e89
Simply invoke the program by passing the executable as a parameter. If you want only the DLL names printed, then stick the -l option in front of the executable parameter.
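As an added example (my own code, not the PEImportList gist linked above), the same import-table walk in Python: it follows e_lfanew to the PE header, picks the data-directory offset for PE32 or PE32+, maps the import directory RVA through the section table and reads each IMAGE_IMPORT_DESCRIPTOR's Name, refusing RVAs that no section backs and bounding the walk so a malformed table cannot hang the reader. build_sample_pe constructs a synthetic PE32 image inline (it is not a real binary) so the script runs offline.

```python
import struct


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if no raw data backs it."""
    for _vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    return None


def list_imports(data):
    """Return the DLL names from the import descriptor table of PE image bytes `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, opt = struct.unpack_from("<H", data, pe + 6)[0], pe + 24
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)                # data directories: PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional header magic %#x" % magic)
    imp_rva = struct.unpack_from("<I", data, opt + dir_base + 8 * 1)[0]   # directory entry 1 = imports
    if imp_rva == 0:
        return []                                                # image imports nothing
    # Section header i is 40 bytes; VirtualSize/VA/SizeOfRawData/PointerToRawData sit at +8.
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    off = _rva_to_offset(sections, imp_rva)
    if off is None:
        raise ValueError("import directory RVA %#x is not file-backed" % imp_rva)
    dlls = []
    for _ in range(4096):                                        # bound the walk; a crafted table may never end
        if off + 20 > len(data):
            raise ValueError("import table runs past end of file")
        name_rva = struct.unpack_from("<I", data, off + 12)[0]    # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:
            break                                                # all-zero descriptor ends the table
        name_off = _rva_to_offset(sections, name_rva)
        end = data.find(b"\0", name_off) if name_off is not None else -1
        if end < 0:
            raise ValueError("DLL name at RVA %#x is unmapped or unterminated" % name_rva)
        dlls.append(data[name_off:end].decode("ascii", "replace"))
        off += 20
    return dlls


def build_sample_pe(dll_names):  # constructed minimal PE32: one .idata section, import table only
    names_start = 20 * (len(dll_names) + 1)                      # descriptors first, then the strings
    descs, names = b"", b""
    for n in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, 0x1000 + names_start + len(names), 0)
        names += n + b"\0"
    dirs = [(0, 0)] * 16
    dirs[1] = (0x1000, names_start)                              # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)        # 224-byte PE32 optional header
    sec = b".idata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt + sec
    return hdr.ljust(0x200, b"\0") + (descs + b"\0" * 20 + names).ljust(0x200, b"\0")
```

On a real file, call list_imports(open(path, "rb").read()); because the PE32+ directory offset is handled, the gist's x86-only limitation does not apply here.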

(Visual) Profiling with Eclipse CDT

Is there an established standard plugin/method for visual profiling with Eclipse CDT? By visual I mean not invoking my programs manually, and appealing visual output of the profiling results with gauges etc., as in similar tools (e.g. NetBeans's Java Profiler).
After some research, the most common CDT profilers are GProf and valgrind.
A good tutorial for GProf can be found here.
As I'm using MacOSX, GProf is not usable, because it is based on system calls that seem to have vanished from MacOSX some versions ago. Therefore I recommend valgrind (in combination with Massif) - it works like a charm on my apple and fulfills all my needs (heap usage graph, see below). Both tools can be found here.
EDIT: massif output is better viewed with (guess what) the massif viewer by Milian Wolff (native on KDE, ports for MacOSX are available). Just feed in the massif output (valgrind --tool=massif {appname}).

Easiest language to produce a Windows executable to prefix running another executable with system calls?

I want to run some system commands (to fix things) before running an executable. I have a reasonably locked down (work) Windows XP system and so can't change what a shortcut points to. For my users' convenience, I must keep the same shortcut. However, I am able to swap out the .exe (renaming) and potentially replace it with another .exe (of the same name) which runs my system commands and then runs the original .exe.
What would be the easiest and quickest language/compiler to do this in? Previously, I've done this sort of thing in C (and tried it today in Python using py2exe without much success). Preferably free solutions.
Visual C# 2008 Express Edition:
- is free
- comes with a compiler
- outputs exes
- C# is a good choice if you have C experience
- .NET currently is the "canonical" Windows platform