Windows User-Mode Debugging
Sisimon E S
Agenda
•   Windows concepts
•   Stack Frames
•   WinDBG setup
•   Analyze a simple crash
•   WinDBG commands
•   Analyze an IMA crash from customer
Windows User mode concepts
• Process, Thread, process environment block (PEB), thread environment block (TEB).
• Exe, Dll, PE format.
• Monolithic kernels and micro-kernels.
• Image File Execution Options (IFEO): per-image settings under
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
  Its Debugger value makes Windows start the named program whenever that image is
  launched, which is why the same key is a well-known persistence trick and worth
  auditing on any host you did not set up yourself.
• Win32 subsystem, Windows Executive, Kernel, Session Manager (Smss), Winlogon, SCM, ...
• WinDBG: the one tool that covers everything from user mode down to kernel mode.
TEB
PEB
How to setup WinDBG
• Postmortem (just-in-time) debugger: whatever command line is in the Debugger value under
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
  is launched when a process dies with an unhandled exception. windbg -I writes that value
  for you. On 64-bit Windows a 32-bit process uses the key under
  SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug instead, so set both.
• Because anything placed there runs on every crash, treat an unexpected Debugger value the
  same way as an IFEO Debugger hijack when you audit a machine.
• No need to copy the symbols for every OS version/SP: Microsoft runs a public symbol server.
• Symbol path (set _NT_SYMBOL_PATH, or .sympath / .symfix inside the debugger):
  SRV*DownstreamStore*https://msdl.microsoft.com/download/symbols
  DownstreamStore is a local directory that caches what gets downloaded. The server is also
  reachable over plain http, as written on the original slide, but https stops the PDBs from
  being altered in transit. Run .reload after changing the path; !sym noisy shows why a
  symbol failed to load.
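An audit of the two settings on this slide, added here as an example that is not part of the original deck. It reads `reg query` output for the AeDebug keys (the native key and the Wow6432Node one) plus a symbol path string, and flags a postmortem debugger that is not a known debugger binary or lives in a user-writable directory, and a symbol server reached over plain http. The registry text below is constructed to show one clean key and one tampered key; the helper names and the list of known debugger executables are mine.

```python
"""Audit postmortem-debugger (AeDebug) settings and a symbol path.

Added example, not part of the original slides. It parses text in the
layout that `reg query` prints, so the input below is constructed and
embedded. On a real host you would feed it the output of
    reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"
    reg query "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"
plus the value of _NT_SYMBOL_PATH. Names and the known-debugger list are mine.
"""
import ntpath
import re

# Constructed sample: the native key the way `windbg -I` leaves it, and a
# Wow6432Node key that has been pointed at a binary under C:\Users (hypothetical).
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
    Auto    REG_SZ    1
    Debugger    REG_SZ    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -p %ld -e %ld -g

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
    Auto    REG_SZ    1
    Debugger    REG_SZ    C:\Users\Public\updater.exe -p %ld -e %ld
"""

# Executables one expects to see registered as the postmortem debugger.
KNOWN_DEBUGGERS = {"windbg.exe", "windbgx.exe", "cdb.exe", "ntsd.exe",
                   "vsjitdebugger.exe", "drwtsn32.exe"}
# Path fragments that any local user can normally write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # key paths are printed unindented
            current = raw.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{4}", raw.strip(), maxsplit=2)   # name, type, data
        if current is not None and len(parts) == 3:
            name, vtype, data = parts
            keys[current][name] = (vtype, data)
    return keys


def debugger_executable(command_line):
    """The program in a Debugger value: the quoted path, or the first word."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command_line)
    return (m.group(1) or m.group(2)) if m else ""


def audit_aedebug(keys):
    """One (key, executable, reasons) entry per AeDebug key that looks wrong."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\aedebug") or "Debugger" not in values:
            continue
        exe = debugger_executable(values["Debugger"][1])
        reasons = []
        if ntpath.basename(exe).lower() not in KNOWN_DEBUGGERS:
            reasons.append("not a known debugger")
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            reasons.append("lives in a user-writable directory")
        if reasons:
            findings.append((key, exe, reasons))
    return findings


def parse_symbol_path(sympath):
    """Split a symbol path into (kind, cache_dir, server) triples.

    Elements are ';'-separated: srv*cache*url is a symbol server with a
    downstream store, cache*dir a shared cache, anything else a directory.
    """
    entries = []
    for element in filter(None, sympath.split(";")):
        parts = element.split("*")
        kind = parts[0].lower()
        if kind == "srv":
            entries.append(("srv", parts[1] if len(parts) > 2 else None, parts[-1]))
        elif kind == "cache":
            entries.append(("cache", parts[1], None))
        else:
            entries.append(("dir", element, None))
    return entries


def audit_symbol_path(sympath):
    """Flag symbol servers reached over plain http (PDBs could be altered in transit)."""
    return ["symbol server over plain http: " + server
            for kind, _cache, server in parse_symbol_path(sympath)
            if kind == "srv" and server.lower().startswith("http://")]


if __name__ == "__main__":
    for key, exe, reasons in audit_aedebug(parse_reg_query(REG_QUERY_OUTPUT)):
        print("%s\n  Debugger = %s: %s" % (key, exe, "; ".join(reasons)))
    for finding in audit_symbol_path("SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols"):
        print(finding)
```

Run as-is it reports the Wow6432Node key (unknown binary, user-writable path) and the http symbol server from the original slide; on a live host replace REG_QUERY_OUTPUT with the real `reg query` output and pass your own _NT_SYMBOL_PATH.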
Stack Frames – x86 Calling Conventions
• __cdecl -> parameters pushed right to left, caller cleans up the stack
  (the C default, and the only one of these that supports variadic functions).
• __stdcall -> parameters pushed right to left, callee cleans up the stack (WINAPI).
• __fastcall -> the first two DWORD-or-smaller arguments are passed in ecx and edx;
  the remaining parameters are pushed on the stack right to left; the callee cleans the stack.
• C++ member functions (thiscall) -> parameters pushed right to left, this pointer in ecx,
  callee cleans the stack. (A variadic member function falls back to __cdecl with this pushed last.)
• Why it matters when debugging: kb labels the three dwords after each return address as
  parameters. That is only true for what was actually passed on the stack; anything that
  travelled in ecx/edx never appears there.
Stack Frames – x64 Calling Conventions
• Only one calling convention (newer compilers add __vectorcall), built around the larger
  register set.
• The first four integer or pointer parameters are passed in rcx, rdx, r8 and r9.
• The first four floating-point parameters are passed in the first four SSE registers, xmm0-xmm3.
• Position, not type, picks the register: the third argument goes in r8 or xmm2 and the slot
  for the other type stays unused.
• Any additional arguments are passed on the stack, and the caller always reserves 32 bytes of
  home space above the return address where the callee may spill rcx, rdx, r8 and r9.
• An integer or pointer return value is returned in rax, a floating-point value in xmm0.
• There is no EBP chain: rbp is an ordinary register, so the debugger walks x64 stacks from the
  unwind data in the PE (.pdata). The parameter columns of kb are the home-space slots, which
  only hold real values if the callee spilled them (debug builds do, optimized builds usually do not).
• Itanium -> large number of registers, so parameters live in registers and only spill to the
  stack once the registers are used up.
• "Another session on Itanium and x64 debugging"
Stack Frame continued..
• EBP is the frame pointer: each function saves the caller's EBP, points EBP at its own frame
  and addresses everything relative to it.
• Function parameters and local variables live on the thread's stack (one stack per thread).
• EBP + offset -> the caller's side of the frame: [ebp] saved EBP, [ebp+4] return address,
  [ebp+8] first stack parameter, [ebp+0Ch] the second, and so on.
• EBP – offset -> local variables.
• The saved-EBP values link the frames into a chain that the debugger (or you, with dds) can
  follow from callee to caller. Code built with /Oy (frame pointer omission) has no such chain;
  kv flags those frames with FPO information and the walk then depends on the symbols.
• Demo – start the crash analysis and see what the stack frame looks like.
Let's analyze a simple crash.
0:000> u Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1
Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1 [d:sisimonworking areapresentationswindbgsimple app crash3simple app crash3simple app crash3dlg.cpp @ 154]:
00401580 55              push    ebp                      ; save the caller's EBP
00401581 8bec            mov     ebp,esp                  ; EBP now marks this frame
00401583 83ec14          sub     esp,14h                  ; reserve 14h = 20 bytes (five dwords) for locals
00401586 894dec          mov     dword ptr [ebp-14h],ecx  ; spill the this pointer (thiscall passes it in ecx) to the lowest local slot
00401589 c745f400000000  mov     dword ptr [ebp-0Ch],0    ; local = 0
00401590 c745fc0a000000  mov     dword ptr [ebp-4],0Ah    ; local = 10
00401597 c745f80f000000  mov     dword ptr [ebp-8],0Fh    ; local = 15
0040159e cc              int     3                        ; our hard-coded breakpoint
The slot at [ebp-10h] is never written before the breakpoint, so in the stack dump it still holds whatever an earlier call left there.
0:000> u
Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1+0x1f [d:sisimonworking areapresentationswindbgsimple app crash3simple app crash3simple app crash3dlg.cpp @ 160]:
0040159f 8b45f4          mov     eax,dword ptr [ebp-0Ch]
004015a2 50              push    eax                      ; pushed first = rightmost parameter (thiscall pushes right to left)
004015a3 8b4df8          mov     ecx,dword ptr [ebp-8]
004015a6 51              push    ecx                      ; middle parameter
004015a7 8b55fc          mov     edx,dword ptr [ebp-4]
004015aa 52              push    edx                      ; pushed last = leftmost parameter; it ends up at [ebp+8] inside Add
004015ab 8b4dec          mov     ecx,dword ptr [ebp-14h]  ; this pointer back into ecx (ecx was used as a scratch register above)
004015ae e82d000000      call    Simple_App_Crash3!CSimpleAppCrash3Dlg::Add (004015e0)   ; Add(this in ecx, 10, 15, 0)
0:000> u Simple_App_Crash3!CSimpleAppCrash3Dlg::Add
Simple_App_Crash3!CSimpleAppCrash3Dlg::Add [d:sisimonworking areapresentationswindbgsimple app crash3simple app crash3simple app crash3dlg.cpp @ 166]:
004015e0 55              push    ebp                      ; save the caller's EBP (the frame OnBnClickedButton1 set up)
004015e1 8bec            mov     ebp,esp                  ; new frame
004015e3 51              push    ecx                      ; one dword of local space, initially holding this
004015e4 894dfc          mov     dword ptr [ebp-4],ecx    ; this stored once more into the same slot (unoptimized build)
004015e7 8b45fc          mov     eax,dword ptr [ebp-4]    ; eax = this
004015ea c7407464000000  mov     dword ptr [eax+74h],64h  ; this->member at offset 74h = 100
004015f1 6838344000      push    offset Simple_App_Crash3!CSimpleAppCrash3App::`vftable'+0xd8 (00403438)
004015f6 ff15a4324000    call    dword ptr [Simple_App_Crash3!_imp__printf (004032a4)]
The value 00403438 pushed before printf is its format string in the data section. The debugger labels it `vftable'+0xd8 only because that is the nearest symbol it knows; a symbol+offset label like this should be checked (da 00403438, or ln 00403438) before it is trusted.
0:000> r
eax=00000000 ebx=00000111 ecx=0013fe74 edx=00000000 esi=00403444 edi=00000001
eip=0040159e esp=0013f860 ebp=0013f874 iopl=0         nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00000206
Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1+0x1e:
0040159e cc              int     3
eip sits on the int 3, ecx still holds this, and esp = ebp-14h is exactly where sub esp,14h left it. Dumping from esp therefore shows the whole current frame and then the callers above it:
0:000> dds 0013f860
0013f860 0013fe74                                         ; [ebp-14h] this
0013f864 7e41b788 USER32!GetParent+0x59                   ; [ebp-10h] never written before the int 3: stale data, not a return address
0013f868 00000000                                         ; [ebp-0Ch] local = 0
0013f86c 0000000f                                         ; [ebp-8]  local = 15
0013f870 0000000a                                         ; [ebp-4]  local = 10
0013f874 0013f884                                         ; [ebp]    saved EBP of the caller -> frame 1
0013f878 7c1746cc MFC71!_AfxDispatchCmdMsg+0x3d [f:vs70builds3077vcmfcatlshipatlmfcsrcmfccmdtarg.cpp @ 89]   ; [ebp+4] return address into the caller
0013f87c 00403444 Simple_App_Crash3!CSimpleAppCrash3Dlg::messageMap   ; OnBnClickedButton1 takes no stack parameters, so from here up it is the caller's frame
0013f880 0013fe74
0013f884 0013f8b4                                         ; frame 1 (_AfxDispatchCmdMsg): saved EBP -> frame 2
0013f888 7c171915 MFC71!CCmdTarget::OnCmdMsg+0x10a [f:vs70builds3077vcmfcatlshipatlmfcsrcmfccmdtarg.cpp @ 396]   ; frame 1 return address
0013f88c 0013fe74                                         ; frame 1 parameters start here: the CCmdTarget (our dialog),
0013f890 000003e8                                         ;   3E8h = 1000, which matches the default IDC_BUTTON1 control ID,
0013f894 00000000
0013f898 00401580 Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1 [d:sisimonworking areapresentationswindbgsimple app crash3simple app crash3simple app crash3dlg.cpp @ 154]   ;   the handler being dispatched
0013f89c 00000000
0013f8a0 00000035
0013f8a4 00000000
0013f8a8 0013fe74
0013f8ac 000003e8
0013f8b0 00000000
0013f8b4 0013f8d8                                         ; frame 2 (CCmdTarget::OnCmdMsg): saved EBP -> frame 3
0013f8b8 7c14db36 MFC71!CDialog::OnCmdMsg+0x1b [f:vs70builds3077vcmfcatlshipatlmfcsrcmfcdlgcore.cpp @ 88]   ; frame 2 return address
0013f8bc 000003e8
0013f8c0 00000000
0013f8c4 00000000
0013f8c8 00000000
0013f8cc 000003e8
0013f8d0 0013fe74
0013f8d4 00000000
0013f8d8 0013f928                                         ; frame 3 (CDialog::OnCmdMsg): saved EBP -> frame 4
0013f8dc 7c175cd8 MFC71!CWnd::OnCommand+0x51 [f:vs70builds3077vcmfcatlshipatlmfcsrcmfcwincore.cpp @ 2549]   ; frame 3 return address
Every saved-EBP link points to a higher address and is immediately followed by a return address inside a known module; following them by hand reproduces what kb prints. A link that points downwards, is not dword aligned, or lands outside the thread's stack (compare StackBase/StackLimit in !teb) marks the frame where the stack was overwritten, and nothing above that point can be trusted.
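The manual walk just shown, as an added example that is not part of the original deck. It embeds the dds listing above as constructed input, follows the saved-EBP links the way the annotations do, reads the locals and the caller-pushed parameters at the offsets taken from the disassembly, and stops at a link that is not a plausible frame pointer, which is what a smashed frame looks like. It also illustrates the x86 calling-convention and frame-layout slides (parameters at [ebp+8] onward, locals below EBP). The function names are mine, and the script assumes frame pointers are present; frames compiled with /Oy have no saved-EBP link and need the FPO data the debugger reads from symbols.

```python
"""Walk an x86 frame-pointer chain out of WinDbg `dds` output.

Added example, not part of the original slides. DDS_DUMP is the
`dds 0013f860` listing from the slide, embedded as text with the file/line
annotations dropped, so the script runs offline. Layout assumed (x86, frame
pointers present): [ebp] = caller's saved EBP, [ebp+4] = return address,
[ebp+8...] = parameters pushed by the caller, [ebp-N] = locals.
"""
import re

DDS_DUMP = """\
0013f860 0013fe74
0013f864 7e41b788 USER32!GetParent+0x59
0013f868 00000000
0013f86c 0000000f
0013f870 0000000a
0013f874 0013f884
0013f878 7c1746cc MFC71!_AfxDispatchCmdMsg+0x3d
0013f87c 00403444 Simple_App_Crash3!CSimpleAppCrash3Dlg::messageMap
0013f880 0013fe74
0013f884 0013f8b4
0013f888 7c171915 MFC71!CCmdTarget::OnCmdMsg+0x10a
0013f88c 0013fe74
0013f890 000003e8
0013f894 00000000
0013f898 00401580 Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1
0013f89c 00000000
0013f8a0 00000035
0013f8a4 00000000
0013f8a8 0013fe74
0013f8ac 000003e8
0013f8b0 00000000
0013f8b4 0013f8d8
0013f8b8 7c14db36 MFC71!CDialog::OnCmdMsg+0x1b
0013f8bc 000003e8
0013f8c0 00000000
0013f8c4 00000000
0013f8c8 00000000
0013f8cc 000003e8
0013f8d0 0013fe74
0013f8d4 00000000
0013f8d8 0013f928
0013f8dc 7c175cd8 MFC71!CWnd::OnCommand+0x51
"""

DDS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(.*))?$")

def parse_dds(text):
    """Return {address: (dword value, symbol text or None)}."""
    mem = {}
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            addr, value, symbol = m.groups()
            mem[int(addr, 16)] = (int(value, 16), symbol)
    return mem

def read_dword(mem, addr):
    return mem[addr][0]

def walk_frames(mem, ebp, max_frames=32):
    """Follow saved-EBP links from ebp; returns (frames, stop_reason).

    Each frame is (ebp, saved_ebp, return_address, return_symbol). The walk
    stops at the end of the dump, or at a saved EBP that is misaligned or not
    above the current frame (the stack grows down, so a caller's frame always
    sits higher): that is the signature of an overwritten frame.
    """
    frames = []
    while len(frames) < max_frames:
        if ebp not in mem or ebp + 4 not in mem:
            return frames, "end of dump"
        saved_ebp = read_dword(mem, ebp)
        ret, ret_symbol = mem[ebp + 4]
        frames.append((ebp, saved_ebp, ret, ret_symbol))
        if saved_ebp & 3 or saved_ebp <= ebp:
            return frames, "broken chain at %08x (saved ebp %08x)" % (ebp, saved_ebp)
        ebp = saved_ebp
    return frames, "frame limit reached"

def frame_args(mem, ebp, count):
    """Stack-passed parameters of the frame: [ebp+8], [ebp+0Ch], ..."""
    return [read_dword(mem, ebp + 8 + 4 * i) for i in range(count)]

def frame_locals(mem, ebp, offsets):
    """Locals addressed as [ebp-offset]; the offsets come from the disassembly."""
    return {off: read_dword(mem, ebp - off) for off in offsets}

if __name__ == "__main__":
    mem = parse_dds(DDS_DUMP)
    frames, why = walk_frames(mem, 0x0013F874)          # ebp from the `r` output
    for ebp, saved, ret, symbol in frames:
        print("ebp=%08x saved_ebp=%08x ret=%08x %s" % (ebp, saved, ret, symbol or ""))
    print("stopped:", why)
```

Run it and the four frames printed (return addresses in _AfxDispatchCmdMsg, CCmdTarget::OnCmdMsg, CDialog::OnCmdMsg, CWnd::OnCommand) are the ones a kb at the breakpoint would list; frame_locals(mem, 0x13f874, [0x14, 0xC, 8, 4]) gives back this, 0, 15 and 10 as set by the prologue, and frame_args(mem, 0x13f884, 4) reads the first four parameters of the _AfxDispatchCmdMsg frame. Feed it a dump whose saved EBP has been overwritten and the walk ends with a "broken chain" reason instead of an apparently valid but meaningless caller.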
Frequently used WinDBG commands for user mode debugging.
• | – list or select processes (user mode, when more than one is being debugged).
• ~ – threads: ~. the current thread, ~* all threads, ~# the thread that raised the current exception.
• ~<thread>s – switch to that thread (for example ~3s).
• kv, kb, kbn – stack walk: kb shows the three dwords after each return address as parameters,
  kv adds FPO and calling-convention information, the n suffix adds frame numbers.
• !analyze -v – automated first pass: faulting instruction, exception record, stack, suspected module.
• r – registers (r eax reads one, r eax=0 changes it).
• u – unassemble (u address, or u alone to continue where the previous u stopped).
WinDBG commands continued..
• x mymodule!*spin* – examine symbols matching a pattern; x * lists the locals of the current
  scope, much like dv, with their addresses.
• dt type address – dump a structure by type; dt -r recurses into nested structures.
• lm – loaded modules; lmvm Test* – verbose details (path, timestamp, symbol status) for the
  modules matching the pattern.
• ln address – list the nearest symbols, to find out what an address really belongs to.
WinDBG commands continued..
• .cls – clear the screen.
• .restart – restart the target (the application in user mode, the target machine in kernel mode).
• .reload, .reload /f – reload symbols (/f forces an immediate load instead of deferred loading).
• !teb – thread environment block (stack base and limit, TLS, last error value).
• !peb – process environment block (image base, loaded module list, command line, environment).
• .frame n – select frame n from kbn so that dv and the locals refer to that frame.
• dds address – dump dwords with symbols, the raw stack walk used above.
How to start the crash analysis
• First look at the instruction that raised the exception (r and u at the faulting eip).
• The approach differs between a kernel and a user-mode crash.
• Walk the stack frames and make sure the chain is trustworthy before reading anything off it.
• Identify the module the faulting frame belongs to (lm, ln).
• Classify the failure: stack corruption, heap corruption, deadlock, ...
• For kernel crashes: track the IRP, check the IRP fields and the IRQL, ...
• Crash dump analysis example – the IMA service is crashing; let us analyze the dump.
