Olly vs WinDbg

I have never used OllyDbg. I get asked if I can use Olly. I say I never have used it, but I am comfortable with WinDbg. My impression has always been that anything Olly can do, WinDbg can do and maybe more.

I once asked a previous manager if I should learn Olly. He said no. He thought my WinDbg skills were sufficient.

Basically, I am looking for a simple Olly vs WinDbg comparison.

I sometimes find myself in an open-source vs MS tools comparison (Vi vs MS-VS or Olly vs WinDbg). It’s more than a debate; it is what certain teams demand under certain contracts. I am re-learning Vi due to necessity. I am trying to decide if I need to add Olly to my study list.

This is very low priority, but I would appreciate a constructive comparison between Olly and WinDbg.

Paul

Paul Sanders wrote:

> I have never used OllyDbg. I get asked if I can use Olly. I say I never have used it, but I am comfortable with WinDbg. My impression has always been that anything Olly can do, WinDbg can do and maybe more.
>
> I once asked a previous manager if I should learn Olly. He said no. He thought my WinDbg skills were sufficient.
>
> Basically, I am looking for a simple Olly vs WinDbg comparison.

OllyDbg is a fascinating tool. I used to use it quite extensively,
because it is small and fast, and has a rich and very efficient user
interface. It does a call-tree analysis of your code, which allows it
to show you interesting things in your execution. It knows most of the
Windows APIs, so as you’re stepping through the assembler code, it shows
you which register parameters mean what. It is, in my opinion, more
responsive than Windbg. It has a surprisingly useful animated trace
feature. It has a lot of very nice features for assembly-level
debugging and reverse engineering.

However, its fatal flaw is that it does not understand Microsoft symbol
file format or debug information. If you use Borland tools, OllyDbg is
a great choice. If you use Microsoft tools, then its appeal is
limited. I still have OllyDbg installed, but I use Windbg almost
exclusively.

> I sometimes find myself in an open-source vs MS tools comparison (Vi vs MS-VS or Olly vs WinDbg). It’s more than a debate; it is what certain teams demand under certain contracts. I am re-learning Vi due to necessity. I am trying to decide if I need to add Olly to my study list.

A good programmer has many tools in his toolbox. I use gvim for almost
all of my source code editing.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Actually it understands MS symbols just fine.

A better variation is Immunity, which is Olly with a Python scripting engine
built in.

Windbg is still better for things like kernel debugging and the easy
examination of some registers. For userland though, Olly and Immunity are
hard to beat.

On Tue, Jan 11, 2011 at 12:28 PM, Tim Roberts wrote:


Hi Paul,

I think ImmyDbg is perhaps more interesting than OllyDbg. Mainly because
Immunity has written a few plugins and sponsored a contest to get
some public ones, whereas OllyDbg is basically a solo project. But I’m
annoyed at Immunity for not giving OllyDbg any credit for the GPL fork
they took. Olly and Immy have a few pentest features that Windbg doesn’t
have. Otherwise, Windbg is generally more powerful. You need to know
Python to properly script ImmyDbg.

For a second Windows debugger, after Windbg, I’d consider IDA Pro before
Olly/Immy. More features and scripts. IDA Pro is commercial, with
trialware demo, but their N-1th release is available as fully-functional
freeware.

Or, if you need to cover MinGW-compiled or CygWin-compiled binaries, or
Unix, then I’d learn GDB, and the Eclipse front-end. Regarding your
VS-vs-Vi, Vim has scripts to invoke the MS tools from w/i Vim. Or you
can use plugins to run Vim w/i VS. And VS (and MonoDevelop) have Vi key
bindings.

But, given this is the “KD” list, if your goals are strictly NT drivers,
then stick with Windbg, and learn it even better. :)

PS: Has anyone used HyperDbg? I’ve been meaning to try it out, if it has
any useful, unique features; or if it is even usable.

http://code.google.com/p/hyperdbg/

Minimally, it (hyperdbg) basically doesn’t work with MP.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lee Fisher
Sent: Tuesday, January 11, 2011 2:07 PM
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] Olly vs WinDbg


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OllyDbg is a very good debugger for usermode debugging, especially debugging
unknown binaries without having sources.

Its string searching, pseudo wild card searching, call tree, run trace and
conditional debugging facilities are fantastic and I use it a lot.

It has lots of plugins available.

Tim, OllyDbg understands PDB symbols; search for the modified commandline plugin
for the 1.10 version.

In version 2.01 alpha the symbol understanding facility has been built in for the
first time :)

See a call stack :)

CPU Stack
Address Value ASCII Comments
0013A434 [0043ABF7 ??C. ; RETURN from kernel32.CreateProcessW to ollydbg.0043ABF7
0013A438 /00000000 ... ; ApplicationName = NULL
0013A43C |0013A9FC ?? . ; CommandLine = ""F:\WINDDK\Thanksoleh\objchk_wxp_x86\i386\Thanksoleh.exe""
0013A440 |00000000 ... ; pProcessSecurity = NULL
0013A444 |00000000 ... ; pThreadSecurity = NULL
0013A448 |00000000 ... ; InheritHandles = FALSE
0013A44C |04000032 2... ; CreationFlags = DEBUG_ONLY_THIS_PROCESS|CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS|CREATE_DEFAULT_ERROR_MODE
0013A450 |00000000 ... ; pEnvironment = NULL
0013A454 |0013BC14 ? . ; CurrentDirectory = "F:\WINDDK\Thanksoleh\objchk_wxp_x86\i386"
0013A458 |0013A47C |? . ; pStartupInfo = 0013A47C -> STARTUPINFOW {Size=68., Reserved1=NULL, Desktop=NULL, Title=NULL, X=0, Y=0, Width=0, Height=0, XCountChars=0, YCountChars=0, FillAttribute=0, Flags=STARTF_USESHOWWINDOW|STARTF_FORCEOFFFEEDBACK, ShowWindow=SW_SHOWDEFAULT, Reserve
0013A45C |0013A46C l? . ; pProcessInformation = 0013A46C -> PROCESS_INFORMATION {hProcess=NULL, hThread=NULL, ProcessID=11, ThreadID=11}

WinDbg is a monopoly debugger for kernel mode; I use it a lot too.
I would love to see good debugger extensions,

but I believe only one public debugger extension is available: sdbgexts by
Ken.

On Tue, Jan 11, 2011 at 9:02 PM, Paul Sanders wrote:



thanks and regards

raj_r
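To show what the annotated stack rows in raj_r's listing give a reviewer, here is an added Python example (not from the post, and not OllyDbg or Immunity code) that parses rows in that `Address Value ASCII ; Name = decoded` layout, decodes the raw CreationFlags dword against the documented Win32 constants, and reports whether the child is being started under debugger control. The sample rows are constructed from the listing above; the function names are this example's own.

```python
import re

# dwCreationFlags values as documented for CreateProcessW (Win32 headers).
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS",
    0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000020: "NORMAL_PRIORITY_CLASS",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}

# Constructed sample: CreateProcessW argument rows in the layout OllyDbg's
# CPU Stack pane uses (address, value, ASCII column, "; Name = decoded").
SAMPLE_STACK = """\
0013A438 /00000000 ... ; ApplicationName = NULL
0013A43C |0013A9FC ?? . ; CommandLine = ""F:\\WINDDK\\Thanksoleh\\objchk_wxp_x86\\i386\\Thanksoleh.exe""
0013A448 |00000000 ... ; InheritHandles = FALSE
0013A44C |04000032 2... ; CreationFlags = DEBUG_ONLY_THIS_PROCESS|CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS|CREATE_DEFAULT_ERROR_MODE
"""

# address, optional stack-frame bracket, raw dword, anything up to the
# comment separator, then "Name = decoded text".
ROW = re.compile(r"^([0-9A-F]{8})\s+[\[/|]?([0-9A-F]{8})\s+.*?;\s*(\w+)\s*=\s*(.*)$")

def parse_stack(text):
    """Map each annotated argument name to (raw dword, OllyDbg's decoded text)."""
    args = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            args[m.group(3)] = (int(m.group(2), 16), m.group(4).strip())
    return args

def decode_creation_flags(value):
    """Split a dwCreationFlags dword into named bits; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(CREATION_FLAGS.items()) if value & bit]
    leftover = value & ~sum(CREATION_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return names

def check_debug_launch(text):
    """Return (flag names, True if the child is created under debugger control)."""
    raw, shown = parse_stack(text)["CreationFlags"]
    names = decode_creation_flags(raw)
    # Cross-check our decoding of the raw dword against OllyDbg's own annotation.
    assert set(names) == set(shown.split("|")), (names, shown)
    return names, ("DEBUG_PROCESS" in names or "DEBUG_ONLY_THIS_PROCESS" in names)
```

The raw value 04000032 from the listing decodes to exactly the four names OllyDbg printed, with DEBUG_ONLY_THIS_PROCESS (bit 0x2) being the one that tells you the caller is a debugger launching its debuggee.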

Basically it's "the right tool for the job"… if you know Windbg and are doing
dev, stick with it.

If you are doing malware analysis, RCE for vulnerability research or exploit
development, then I’d say Immunity or Olly are the way to go.

Mike

On Tue, Jan 11, 2011 at 2:30 PM, raj_r wrote:
