Results 1 to 10 of 10

Thread: Windbg remote break command line process ($MFT related)

Threaded View

  1. #1
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,147
    Blog Entries
    5

    Windbg remote break command line process ($MFT related)

    I'd like to debug remotely a command line app and am not quite sure how to get it done. Specifically I'm trying to trace into API's used by Strings64. I'm using Windbg and VirtualKD to connect to Win7x64 running in VMWare. The usual steps I use that seems to work for most usermode apps is like this

    Code:
    !gflag +ksl
    sxe ld app.exe
    g
    
    r $proc
    .process
    
    bp /p @$proc nt!NtMapViewOfSection
    g
    
    bp0 /p @$proc ntdll!RtlUserThreadStart
    g
    At this point I usually used a little script to parse the PE header and find the OEP of the app to break at program start. Blabberer mentioned the easier trick that the OEP can be obtained from the x64 register rcx at the break at RtlUserThreadStart.

    Either way I can normally break at the start of a usermode process remotely without too much problem, including cmd.exe. However I'm not sure how to extend that to a command line process such as strings, findstr, dir, etc. In Win7 a command window by itself runs as the process cmd.exe. In Win10 there is also a child process conhost.exe involved.

    ******************************************

    As to why I'm interested in tracing Strings64, in another thread we discussed how if you pipe the output to a file it will pick up the logfile as a search file and can lead to a recursive unending search if any results have been written to the logfile. The solution I found was that the logfile MUST be named alphabetically so it is the very first file found in the search directory, that way it will be empty when Strings opens it for searching, then closed for good and not lead to recursive results.

    Using Procmon I determined that Strings uses FindFirstFile / FindNextFile, a standard routine for listing files in a directory. This led to wondering what character is "first" in a sorted list of filenames. It turns out that the alphabetical sort order you see in Explorer is different from the sort order yielded by FindFirstFile. The definition for the API states that the order in which the function returns the file names is dependent on the file system type, NTFS vs FAT for example.

    This is further explained in a blog post by Raymond Chen where it is revealed that NTFS captures the case mapping table at the time the drive is formatted

    Why do NTFS and Explorer disagree on filename sorting?
    https://devblogs.microsoft.com/oldnewthing/20050617-10/?p=35293

    I suspected that this case mapping table might be what is defined in the NTFS Master File Table ($MFT) as the $UpCase metadata. Using 7-Zip, of all things, I was able to dump the $UpCase metadata and sure enough it seems to match the exact alphabetical order of filenames returned by FindFirstFile / FindNextFile.

    Here is the method of accessing $MFT using 7-Zip
    https://thestarman.pcministry.com/asm/mbr/IntNTFSfs.htm

    Attached is a screenshot of $UpCase opened in HxD. The first usable alphabetical character for filenames is "!", the last (after regular letters) is "~". This matches all the tests I did using Procmon to monitor Strings Query Directory results of filenames.

    Finally, Procmon points to FindFirstFile eventually leading to FLTMGR.SYS being involved where I was wondering if it was possible to actually see the $MFT being accessed through code, that being the bottom line of all this.

    I could of course just make a gui app that uses FindFirstFile / FindNextFile and trace into it that way, but I'm still wondering how to remotely debug a command line process with my usual Windbg setup.

    Kayaker
    Attached Images Attached Images  

Similar Threads

  1. Ida pro 6.1 remote debugging Windbg
    By dbenchtk in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: October 20th, 2013, 18:35
  2. FSG unpacker with command line support?
    By going in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: January 7th, 2010, 23:00
  3. Ollydbg => command line arguments Ax200
    By totofino in forum OllyDbg Support Forums
    Replies: 8
    Last Post: November 21st, 2006, 20:04
  4. ollydbg command line parameter??
    By pillii in forum OllyDbg Support Forums
    Replies: 9
    Last Post: October 7th, 2005, 04:32
  5. Opening an installer with command line
    By andresiraola in forum OllyDbg Support Forums
    Replies: 2
    Last Post: February 9th, 2005, 08:07

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •