Hello. I apologize if this is not the correct forum/place, but I'll try. I wrote a local user-mode debugger (with some kernel capabilities - you can view kernel memory in “real time” - so no less than LiveKd) and some supporting tools. As a local debugger it is in general better than WinDbg or OllyDbg, but it does not currently support remote debugging over pipes. I designed this for myself and for intensive use at work, but maybe this project could be of interest to the public? Now I'll try to describe the basic functionality.
DbgNew.exe
* can debug an active process or create a new one. There is a special light “attach” mode, in which you can view the memory of a process without real debugging
* can debug multiple processes
* debugging begins from LdrInitializeThunk (in case of debugging a new process)
* for a wow64 process you can debug both 32- and 64-bit code
* you can view kernel memory too (read-only, but in “real time”), modules with exports/symbols, etc… If a pdb exists for ntoskrnl.exe, you can view all UDT types in watch. Can convert a thread or process ID to a pointer and view its structures.
* you can debug protected processes and all system processes; however, you need to understand that if you debug csrss.exe from the same session, the system can hang
* many embedded tools, such as viewing handles, the memory map of a process, loaded DLLs in any process (not only the debugged process), threads, drivers, getting the context of any user thread, allocating/freeing/protecting virtual memory, and many more…
* can select whether to stop on first-chance exceptions, including STATUS_SINGLE_STEP and STATUS_BREAKPOINT - so you can choose not to always stop on them (usual debuggers do not support this for these 2 statuses). Also, if you are already stopped on a first-chance exception, you can press F12 to pass the exception to the program - this is very useful for some programs, which specifically use these exceptions for anti-debug
* you can trace some function step by step and build a full call tree (press F4) - also very useful
* Dr0-7 registers are supported for hardware breakpoints
* can detach from the debugged process at any time
* can intercept debugging: if a process is already being debugged, disconnect the previous debugger and attach itself. Sometimes useful if the first instance of some app executes a second one and debugs it
* comfortable UI
Unfortunately I have not written full documentation for DbgNew.exe, and many features may not be obvious without it.
Some supporting tools:
GetPdb.exe - used to download pdb files. DbgNew.exe searches for the pdb for a native PE in the \systemroot\symbols<ext>\ folder and for wow64 in \systemroot\symbols\wow<ext>
“run as pro.exe” - used to exec a new process with many extended options - you can select the “parent” process (from which the new process inherits its token), another desktop, a dll to inject with APC or shim. Can select to just run under the debugger if DbgNew is already running, can select to run as “Low Integrity” (this feature is also embedded in DbgNew)
MemDump.exe - used to save a region of process memory to disk. Also shows the loaded dlls in a process; you can select to dump a dll to disk as an image - in this case the tool tries to return resolved imports to their original state and roll the section mapping back to file offsets
Some remakes of mine of the known tools winobj.exe and lgSessions.exe (logon sessions with extra info)
PdbUtils.exe - for dumping UDT or public symbols from a .pdb file
ListProtected.exe - shows the list of protected processes (beginning from Vista) in the system and their type/signer (beginning from Win8)
installer - https://www.sendspace.com/file/zc7b14
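As an added illustration of the “dump dll as image” step MemDump.exe describes (rolling the section mapping back to file offsets), here is example code written for this thread, not the tool's own: it walks the section headers of a mapped PE image and moves each section's bytes from VirtualAddress back to PointerToRawData. The two-section PE32+ image it parses is constructed inline; restoring the resolved import table is not shown.

```python
import struct

def pe_sections(image: bytes):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section header."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)      # SizeOfOptionalHeader
    first_section = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        off = first_section + 40 * i                                # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        yield va, vsize, rawptr, rawsize

def image_to_file(image: bytes) -> bytes:
    """Roll a mapped image back to file layout: headers stay in place, each
    section's bytes move from VirtualAddress to PointerToRawData."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    size_of_headers, = struct.unpack_from("<I", image, e_lfanew + 24 + 60)  # same offset in PE32 and PE32+
    sections = list(pe_sections(image))
    file_size = max([rawptr + rawsize for _, _, rawptr, rawsize in sections] + [size_of_headers])
    out = bytearray(file_size)
    out[:size_of_headers] = image[:size_of_headers]
    for va, _vsize, rawptr, rawsize in sections:
        n = min(rawsize, max(0, len(image) - va))   # never read past the end of the captured image
        out[rawptr:rawptr + n] = image[va:va + n]
    return bytes(out)

def build_sample_image() -> bytes:
    """Constructed two-section PE32+ image laid out as the loader maps it (not a real binary;
    only the header fields read above are filled): .text at RVA 0x1000, .data at RVA 0x2000."""
    e_lfanew, opt_size, size_of_headers = 0x40, 0xF0, 0x200         # 0xF0 = sizeof(IMAGE_OPTIONAL_HEADER64)
    secs = [(b".text", 0x1000, 0x200, b"\xcc" * 0x10), (b".data", 0x2000, 0x400, b"A" * 8)]
    image = bytearray(0x3000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", image, e_lfanew + 4, 0x8664, len(secs))  # Machine, NumberOfSections
    struct.pack_into("<H", image, e_lfanew + 20, opt_size)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", image, opt + 56, len(image), size_of_headers)  # SizeOfImage, SizeOfHeaders
    for i, (name, va, rawptr, data) in enumerate(secs):
        off = opt + opt_size + 40 * i
        image[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", image, off + 8, len(data), va, 0x200, rawptr)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
        image[va:va + len(data)] = data
    return bytes(image)
```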
xxxxx@live.com wrote:
Hello. i apologize if this is not the correct forum/place but i try. i wrote local user mode debugger(with some kernel capabilities - you can view kernel memory in “real time” - so not less than liveKd) and some supported tools. as local debugger it in general better than windbg or ollydbg, but however now not supported remote debugging by pipes. i design this for self and intensive use in work, but may be this project can be interested as public ?
Your download is a RAR containing two executables. RAR files always
make me suspicious, but that’s just personal prejudice.
It looks like the two executables are actually installers that copy a
bunch of files and install a kernel driver (tkn.dll). Is that right?
It’s asking quite a lot to expect us to install and run unknown
executables without so much as even a supporting web page, especially
when they involve kernel code. Do you have a page that shows
screenshots, just so we have some confidence that this software is
real? Are you intending to make this open source?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Maybe if you didn't pack your tools with some sort of archiver that gets marked as malware by 14 engines on VirusTotal.com, it would be better:
https://www.virustotal.com/cs/file/1875215827b19f2707a824a91261b7d9a02c81d5313bba6aacacb2d5acbbb75d/analysis/1439316998/
Some of the features you describe seem to be interesting; some, however, are available/implemented in MS libraries, like:
GetPdb.exe - Similar functionality is in symsrv.dll, used by many utilities that work with PDB (including WinDbg itself, Sysinternals tools, IDA etc.)
MemDump.exe - the !writemem command in memory does the same thing. Dumping of a DLL/EXE on disk as image is a very useful function, I wrote a WinDbg extension myself, using it to get EXEs, DLLs and SYSes from crash dumps and live debugging sessions.
PdbUtils.exe - I didn't compare with the “!x” command, aren't they the same? In case your PdbUtils.exe does more, it would be lovely to have it implemented as a WinDbg extension.
It seems to me that instead of creating a new set of tools, it might be better to extend the existing work that Microsoft has done on the Debugging Tools. Also the UI - you can write your own UI that uses the MS debugging interface (like WinDbg.exe/Cdb.exe/Kd.exe do).
Your work is probably good (I didn't try, as all I need is done by WinDbg and/or a few of my extra extensions). With not much effort, you can get insta-support by GUI WinDbg.exe or console CDB.exe too. It can even work on crash dumps with little extra effort. Think about it
L.
“It looks like the two executables are actually installers that copy a
bunch of files and install a kernel driver (tkn.dll). Is that right?”
yes
“It’s asking quite a lot to expect us to install and run unknown
executables”
I think practically everyone here uses VMware or some other virtual machine - so run it there the first few times :)
Yes, I know that most files can be detected as malware, but it is as is.
“some, however, are available/implemented in MS libraries, like:”
Yes, of course not all of the functionality is unique; a debugger is not a new thing at all, but this is my implementation.
“It seems to me that instead of creating new set of tools” - this is not just a toolset, but a fundamentally new debugger
MemDump.exe - can also dump kernel memory, and dump memory from protected processes…
PdbUtils.exe - can try to create a full .h - not correct for a C++ compiler, but very near and useful. I attach an example of the resulting .h file
So I did not try to extend WinDbg or CDB, but tried to write an absolutely new debugger. To compare it with existing ones, you need to try it
https://www.sendspace.com/file/7ku6tg - win10.x64.h - result from PdbUtils.exe on ntkrnlmp.pdb from win10 x64
Adding 4 screenshots as a very small example - https://www.sendspace.com/file/51sr70
1.png - debugging a protected process, viewing kernel memory and the ETHREAD struct
2.png - tracing a function call and the call tree
3.png - debugging 64-bit code in a wow64 process
4.png - viewing open handles of some process
and a real situation - researching the ‘guest’ bug on Windows 10 - http://answers.microsoft.com/en-us/windows/forum/windows_10-security/built-in-guest-account-errors/636d8535-49ec-4312-b03c-5b05cf5827ea