I am starting this new series on Windows Application Debugging. Over the course of this blog series we will be looking into
- What is Debugging?
- Importance of debugging
- Tools of debugging
- Lab setup
- Important concepts in WinDBG world
- Important commands and Demo with sample C programs
What is Debugging?
“Debugging is the process of finding and resolving defects or problems within a computer program that prevent correct operation of computer software or a system.” says Wikipedia. But for any IT security guy, debugging is a way to unearth loads of information about the application we want to hack. We can make the application dance with debuggers and spill information too. We will try to see everything that is possible with debuggers.
Debugging is not Pentesting, Exploitation or Code review
Yes, you read it right!!! Debugging is not actual pentesting, exploitation or code review. We may say that debugging is a supporting step in pentesting, exploitation or code review. In the traditional sense, you run the application in a debugger, check how it behaves at a low level, gather whatever information you need and use it as per your requirement. Here you are doing “Recon”, not “Exploitation”. 😊
Importance of debugging
Debugging means different things to different people. For example:
- For developers: To check how the program is working, or at what point it is failing, and resolve the issue.
- For malware analysts: To check what the malware is doing behind the scenes. They’ll put the malware in a special sandbox and watch how it acts.
- For forensics teams: To examine memory dumps captured from a machine targeted by malicious attackers.
- For shellcoders: To disassemble a high-level-language executable into near-equivalent assembly code. That code is then used to create the actual shellcode.
- For exploit researchers/developers: To find bugs in the execution logic or underlying functions of target applications, and build their exploits accordingly.
and so on….
For this particular blog series, I’ll be showing use of debuggers from Shellcoder’s perspective. Reason? Because I’m shellcoder 😛
Tools of debugging
You might think, why is there such a title? The answer is straightforward – a debugger, right? Nope, it’s not that easy. Allow me to explain….
Of course, the debugger is the official tool for debugging. However, debuggers run at a very low level and you may not need them all the time. Also, there are a couple of tools we may need to use along with the official debugger in order to understand the system in more detail. Hence, in this section we will look at those, moving from the most basic to the advanced, in the context of Windows OS and C programming.
- The printf function: The crudest way of debugging. Put print statements wherever you get an error. It’s really good; you should try it sometimes.
- Error handling in C: C does not have an exception handling mechanism, but it has error handling mechanisms (return codes and errno). This article lists a couple of them.
- Actual debuggers
- Sysinternals utilities: Sysinternals is one of the most versatile toolkits released by Microsoft. It will help us understand Windows architecture, program processes, DLLs, threads, fabric etc. It can give you details about the kernel as well. There are also some official trainings from Microsoft.
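To make the first two items concrete, here is an added example (my own code for this post, not from any project mentioned above) showing both crude printf-style tracing and classic C error handling in one small program. The `DBG` macro prints the function and source line along with a message and compiles away unless you build with `-DTRACE`; `parse_port` reports failure through a return code plus `errno` (EINVAL for malformed text, ERANGE for an out-of-range port), and `count_lines` shows how a failed `fopen()` leaves `errno` for the caller to report with `strerror()`. All names and the sample inputs are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Crude "printf debugging": every DBG() line says which function and
 * source line emitted it. Build with -DTRACE to see the output; without
 * it the macro compiles away, so normal builds pay nothing. */
#ifdef TRACE
#define DBG(...) do { fprintf(stderr, "[%s:%d] ", __func__, __LINE__); \
                      fprintf(stderr, __VA_ARGS__); fputc('\n', stderr); } while (0)
#else
#define DBG(...) ((void)0)
#endif

/* C-style error handling: status code plus errno. Parses a TCP port.
 * Returns 0 and stores the port on success; returns -1 and sets errno
 * to EINVAL (not a number / trailing junk) or ERANGE (outside 1..65535). */
int parse_port(const char *text, int *port_out)
{
    char *end = NULL;
    long value;

    errno = 0;                       /* strtol only sets errno, never clears it */
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0') {
        DBG("'%s' is not a plain decimal number", text);
        errno = EINVAL;
        return -1;
    }
    if (errno == ERANGE || value < 1 || value > 65535) {
        DBG("'%s' is outside the valid port range", text);
        errno = ERANGE;
        return -1;
    }
    *port_out = (int)value;
    return 0;
}

/* Counts newline characters in an already-open stream. Returns -1 if the
 * stream hit a read error (ferror), which callers should check rather
 * than trusting a partial count. */
long count_lines_in(FILE *f)
{
    long lines = 0;
    int c;
    while ((c = fgetc(f)) != EOF) {
        if (c == '\n')
            lines++;
    }
    if (ferror(f)) {
        DBG("read error: %s", strerror(errno));
        return -1;
    }
    return lines;
}

/* Opens a file by path and counts its lines. On failure returns -1 and
 * leaves errno as fopen() set it, so the caller can print strerror(errno). */
long count_lines(const char *path)
{
    FILE *f = fopen(path, "r");
    long lines;
    if (f == NULL) {
        DBG("fopen(\"%s\") failed: %s", path, strerror(errno));
        return -1;
    }
    lines = count_lines_in(f);
    fclose(f);
    return lines;
}

int main(void)
{
    int port = 0;
    size_t i;
    /* Constructed inputs: one valid, two that must be rejected. */
    const char *inputs[] = { "8080", "80x", "70000" };
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (parse_port(inputs[i], &port) == 0)
            printf("%-6s -> port %d\n", inputs[i], port);
        else
            printf("%-6s -> rejected: %s\n", inputs[i], strerror(errno));
    }
    /* Constructed, deliberately missing path: exercises the fopen() failure branch. */
    if (count_lines("./constructed-missing-file.txt") < 0)
        printf("count_lines failed: %s\n", strerror(errno));
    return 0;
}
```

Compile with `cc -DTRACE example.c` to see the `[function:line]` trace lines on stderr alongside the normal output; drop `-DTRACE` and the same binary stays quiet. The point to take from the error-handling half is that every library call that can fail is checked, and the failure is surfaced through a return value plus `errno` rather than silently producing a wrong count or a zero port.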
Now that we have seen the important tools, let’s actually look into some of the available debuggers:
- OllyDBG – One of the most famous debuggers out there. But it is not a valid option for our quest, as OllyDbg is old and only supports x86 OSes.
- Immunity Debugger – Again, this one only supports x86 machines. Hence out of the question.
- x64dbg – Now this is one we can look into. This open source debugger looks just like OllyDbg/Immunity and is better supported. You can certainly use it for Win 10 x64 debugging.
- WinDBG – This is the official debugger provided by Microsoft, but not the only one. Not very user friendly, but really powerful in my opinion.
- IDA Pro – One of the most well-known, versatile debuggers and disassemblers. The only problem is that, unlike the other debuggers, this one is paid (and really costly). They have a freeware version, but it supports only x86 and has really limited functionality.
- Radare2 – This one is just like IDA Pro, only open source. However, as many people have stated online, the learning curve is very steep. You can use it if you like to test your patience and experience agony 😊. Maybe I’ll pull my own hair out and write a separate blog post on this. But that’s in the future.
My choice of debugger:
I am choosing WinDBG. Reasons? Even though WinDBG is not the most intuitive or user friendly, it has some advantages over the other debuggers:
- It’s from Microsoft: Since this is the official debugger from Microsoft, it supports almost every Windows version and Microsoft technology. Hence, you can debug C, C++, C#, VB, UWP, mobile apps, Azure, XBOX, Kinect platform apps etc. It is also available for x64, x86, ARM etc., and integrated with the IDE.
- Cost: It is totally free. It comes with the Windows Software Development Kit (SDK).
- It can be used for kernel-mode debugging too.
- Along with WinDBG, MS provides additional debuggers too: KD, NTKD, CDB and NTSD. KD is a CLI-based kernel-mode debugger. NTKD is identical to KD; the only difference is that, on invocation, it spawns a new CMD window. Similarly, CDB is a CLI user-mode debugger, and NTSD is identical to CDB except that it spawns a new CMD window on invocation. All these debuggers use the same underlying debugging engine, so you can switch over to them if you want a more hacker-like feeling.
- A variety of extensions/add-ons/plugins support WinDBG.
- Microsoft releases a book named “Windows Internals” with every new Windows version, which is the best resource you can find for understanding the closed-source Windows OSes. WinDBG (along with Sysinternals) is the core tool for carrying out the exercises mentioned in that book.
I guess this much detail is sufficient for the first post. In the next blog post, we will be looking into the lab setup, which is an interesting affair in itself. Till then, Auf Wiedersehen!!!!