From Collaborative RCE Tool Library


WinDbg Extensions


Tool name: !exploitable Crash Analyzer
Rating: 0.0 (0 votes)
Author: Microsoft Security Engineering Center (MSEC) Security Science Team
Website: http://msecdbg.codeplex.com
Current version: 1.0.6
Last updated: June 17, 2009
Direct D/L link: N/A
License type: Free
Description: !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (WinDbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additionally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.

This tool was created by the Microsoft Security Engineering Center (MSEC) Security Science Team. For more information on MSEC and the Security Science team, please visit http://www.microsoft.com/security/msec. To see what's being worked on presently, visit the Security Research and Development blog at http://blogs.technet.com/srd/
Also listed in: (Not listed in any other category)



Tool name: GUI WinDbg
Rating: 0.0 (0 votes)
Author: STZWEI
Website: http://www.woodmann.com/forum/showthread.php?t=9522
Current version: 1.03
Last updated: October 28, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: A very useful GUI for windbg by STZWEI. This is the first version, and it is very helpful for those who crack with windbg. I write 6 tutorials with WinDbg and I'm learning the use of this good debugger.

Start the latest version of windbg, then start the GUI; you will have a useful GUI that avoids typing BPs, keeps a history of saved commands (typing the initial letters restores them), and brings many, many improvements.
Also listed in: (Not listed in any other category)



Tool name: narly
Rating: 0.0 (0 votes)
Author: Nephi Johnson
Website: http://code.google.com/p/narly/
Current version: 1.0
Last updated: March 15, 2011
Direct D/L link: http://code.google.com/p/narly/downloads/list
License type: Apache License 2.0
Description: This windbg extension is intended to be able to:

* list /SafeSEH, /GS, DEP, and ASLR info about all loaded modules
* search for ROP gadgets
* other misc utils
Also listed in: (Not listed in any other category)



Tool name: PyDbgEng
Rating: 0.0 (0 votes)
Author: Botten Biss
Website: http://pydbgeng.sourceforge.net
Current version: 0.5
Last updated: March 3, 2007
Direct D/L link: N/A
License type: Free / Open Source
Description: Microsoft releases free and powerful debugging tools for Windows. The package includes the well-known 'WinDbg' debugger, which, at its core, runs on top of the Windows debugging engine, dbgeng.dll.

DbgEng is a powerful debugger engine. Its features include:
* user mode debugging
* kernel mode debugging
* x86, x64 support
* soft and hw breakpoints
* symbol server
* and more!

PyDbgEng is a Python Wrapper For Microsoft Debug Engine.


Features

* Wrapper for DebugCreate() API which creates IDebugClient COM interface.
* Easy access to IDebugClient COM interface
* Easy access to all other DbgEng COM interfaces via IDebugClient.QueryInterface()
* Easy access to all DbgEng structs and enums.
* Receive DbgEng events. Currently supported: IDebugEventCallbacks, IDebugOutputCallbacks


Applications

Now that you have a scriptable debugger, here are some of the things you can do:
* Fault Injection
* Automatic Executable Unpacking
* Application Fuzzing
Also listed in: (Not listed in any other category)



Tool name: SDbgExt
Rating: 0.0 (0 votes)
Author: Skywing
Website: http://www.valhallalegends.com/
Current version: 1.09
Last updated: 2006
Direct D/L link: http://www.nynaeve.net/Programs/sdbgext.zip
License type: Free
Description: SDbgExt provides various useful command extensions for WinDbg, including:
* Call an arbitrary function in the target without having symbols.
* Display various VC STL types (including std::string, std::wstring, std::set, std::map, std::list, std::vector). This is primarily limited to providing the address of each element.
* Display a security descriptor on an open object handle.
* Display various information about a window (e.g. Spy++'s window properties).
* Allows you to load custom symbols from a map file (useful for loading symbols from a disassembler, such as IDA).

To install, place SDbgExt in your WinExt directory. Online help is available with !help after loading SDbgExt (.load SDbgExt).

Requires the Visual C++ 8 runtimes. On Windows XP Service Pack 1 or earlier, you may need to install Windows Installer 3.0.


The 1.09 release primarily adds support for displaying exception handler data on x64. While there is “some” built-in debugger support for this (via the “.fnent”) command, this support is extremely minimal. You are essentially required to dump the unwind data structures yourself and manually parse them out, which isn’t exactly fun. So, I added support for doing all of that hard work to SDbgExt, via the !fnseh SDbgExt extension (display function SEH data). This support is complementary to the !exchain command supplied by ext.dll for x86 targets.

The “!fnseh” command supports displaying most of the interesting fields of the unwind metadata (besides information on how the prologue works). It also properly supports chained unwind information records (both the documented and undocumented formats). There is also basic support for detecting and processing CL’s C/C++ exception scope tables, if a function uses C language exception handling (__try/__except/__finally).

More info can be found in the release message here:
http://www.nynaeve.net/?p=94
Also listed in: (Not listed in any other category)



Tool name: VMKD
Rating: 0.0 (0 votes)
Author: Skywing
Website: http://www.nynaeve.net/?page_id=168
Current version: 1.1.1.7
Last updated: October 28, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: VMKD (Virtual Machine KD Extensions) is a program that provides high speed kernel debugging support for VMware virtual machines. VMKD allows you to debug a VMware VM in a high speed fashion, instead of using the much slower and lower bandwidth virtual serial port mechanism.

When you use VMKD to debug a VM, VMKD creates a named pipe on the machine hosting the VM that you can connect to using the usual kernel debugging over named pipe support in WinDbg. However, unlike conventional VM kernel debugging, which is done by creating a virtual serial port in the VM and exposing it to the host system as a named pipe, VMKD does not internally use a virtual serial port to communicate with the kernel running in the VM. Instead, VMKD uses a high speed interface that takes advantage of the fact that the kernel is running in a VM to enhance the performance and responsiveness of the kernel debugging experience.

VMKD has presently only been tested against VMware Server 1.0.3 and 1.0.4. It is designed in a fashion that is intended to be portable to future VMware versions; however, this forward compatibility is fairly fragile and may break on future releases. VMKD does not support Microsoft Virtual Server or other virtualization products. Do not attempt to use VMKD with other virtualization programs or with a physical machine.

The main benefits of using VMKD instead of conventional serial port debugging are:

1. Responsiveness. VMKD provides a very low latency link between the kernel debugger and the VM if you are running the kernel debugging on the same computer hosting the VM. This means that most kernel debugger commands will respond much quicker than with normal kernel debugging (many commands are typically fairly close to local kernel debugging (lkd) speed, such as !process 0 0, which typically returns in 1-2 seconds or less even with 40-50 running processes when operating with VMKD). This improved response time even makes complex conditional breakpoints on “warm” kernel code paths feasible!

2. Data transfer speed. VMKD can move data to and from a VM much faster than the virtual serial port debugging mechanism. For example, I typically received around 200KBps throughput while doing bulk memory reads on a VM, far beyond that possible with a virtual serial port. Most of the overhead now remaining in terms of bulk data transfer is reflective of design limitations of the protocol that VMKD uses to talk to the kernel debugger client (DbgEng.dll). Note that 1394 can still write physical memory dumps faster than VMKD, because 1394 KD can essentially DMA the target’s physical memory across the wire due to special support in the 1394 DbgEng KD protocol client. However, in most other aspects, VMKD provides equivalent or superior performance to even 1394 KD.

3. Processor usage. Normally, when you are kernel debugging a computer, the target is spinning on the kernel debugger I/O hardware (such as the serial port or 1394 controller). With a VM, this is a particularly problematic condition, as it causes the VM to monopolize one CPU with useless polling. VMKD allows the VM to sleep while waiting for input from the kernel debugger, eliminating the tendency of conventional virtual serial port debugging to severely degrade overall system performance on the host computer.

However, VMKD is not perfect. Because it was written without the assistance of either VMware or Microsoft, integration with the Windows kernel and VMware is a bit rough around the edges. Due to this, there are some steps that need to be followed to use VMKD. For some kernel debugging tasks, it may simply be easier to just use virtual serial port debugging and live with the limitations of the virtual serial port than to set up a VMKD debugging session.
Also listed in: VM Debugging Tools



Tool name: WinDbg Script
Rating: 0.0 (0 votes)
Author: Lionel d'Hauenens
Website: http://www.laboskopia.com/php/outils.php
Current version: 1.0 (beta)
Last updated: 2007
Direct D/L link: http://www.laboskopia.com/download/SysecLabs-Windbg-Script.zip
License type: Free
Description: Syseclabs WinDbg script is a script library that simply fits into the windbg environment as new commands. So far, the available commands make it possible to operate on the system and obtain various kinds of information about it. They are rather oriented towards security, study of the system and rootkit research.
Also listed in: (Not listed in any other category)



Tool name: WinDbg Struct Converter
Rating: 0.0 (0 votes)
Author: ZaiRoN
Website: http://www.woodmann.com/forum/showthread.php?t=11120
Current version: 1.0
Last updated: January 1, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: How many times did you create a structure starting from Windbg's dt command output? It sometimes happens especially if you use Ida or if you need to code something. It’s something that makes me feel unhappy. It’s a boring job for sure, particularly when you have to deal with big structures (i.e. ethread). There are some ready made definitions online, but there’s not a standard definition for a single structure. Most of the time it depends on the OS you are running on.

All I want to do is to convert dt’s output into a struct definition. The output to convert is something like this (obtained in Windbg using the "dt _list_entry" command):

ntdll!_LIST_ENTRY
   +0x000 Flink            : Ptr32 _LIST_ENTRY
   +0x004 Blink            : Ptr32 _LIST_ENTRY


And this is what I want to generate:

typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY* Flink; // 0x000
    struct _LIST_ENTRY* Blink; // 0x004
} LIST_ENTRY, *PLIST_ENTRY;


I’m not a Windbg guru and I don’t know if there is a quicker way, so the idea is to write something able to perform (almost all of) the conversion.

The GUI is pretty simple: it contains two edit boxes and two buttons, nothing more. The conversion process starts when you press the “Convert” button; the program converts the data stored in the clipboard. The left box will be filled with the clipboard’s contents while the other box will contain the converted structure.
Also listed in: (Not listed in any other category)

