In this post, we will look at configuring WinDBG for actual debugging. For that we have to understand symbols: what they are, why they matter, and the commands that deal with them.
What are Symbols?
If you start debugging an application directly, you get access to variables and their memory locations, but reading raw variables and addresses is tedious. Symbols (symbolic information) provide additional information about the debuggee that makes debugging considerably easier.
There are two types of symbols:
Private symbols – contain most of the data and make debugging very easy. This is the reason many developers do not share them with the public.
Public symbols – a stripped-down version of private symbols. They hold the bare minimum information and are available to the public.
How to get Symbols?
Many developers and companies (including Microsoft) provide public symbols. Typically, symbol files might contain:
- Global variables
- Local variables
- Function names and the addresses of their entry points
- Frame pointer omission (FPO) records
- Source-line numbers
They come in the .pdb file format. These symbols can be generated while compiling code with the Visual Studio compiler; this will be addressed in a future blog post.
Microsoft used to provide an offline set of symbols. Now the user needs to configure the Microsoft Symbol Server path and download them on demand. Let’s do it then.
- Open Environment Variables from the Start menu.
Add the following entry in the User Variables section:
- Variable name: _NT_SYMBOL_PATH
- Variable value: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
SRV – server string; C:\Symbols – local folder for caching downloaded symbols; https://msdl.microsoft.com/download/symbols – Microsoft public symbol server URL.
If you want to debug a third-party application that ships with symbols, you can put its .pdb files directly in the local symbols folder.
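The same user-scope setting done from an elevated PowerShell, as an added example that is not part of the original post: it builds the SRV*cache*server string, creates the cache folder, writes the variable and reads it back to catch a typo such as a stray space in the name or value.

```powershell
# Added example (not from the original post): configures _NT_SYMBOL_PATH
# for the current user, creates the local cache folder and verifies the
# stored value. Cache folder and server URL are the ones used above.
$cache  = 'C:\Symbols'
$server = 'https://msdl.microsoft.com/download/symbols'
$symPath = "SRV*$cache*$server"

if (-not (Test-Path $cache)) {
    New-Item -ItemType Directory -Path $cache | Out-Null
}

# 'User' scope is the "User variables" section of the Environment Variables dialog.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'User')

# Read back from the persisted User scope; the running shell's copy is not refreshed.
$stored = [Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', 'User')
if ($stored -ne $symPath) { throw "Symbol path not stored as expected: '$stored'" }

# Sanity-check the SRV*<cache>*<server> layout WinDBG expects.
$parts = $stored -split '\*'
if ($parts.Count -ne 3 -or $parts[0] -ne 'SRV') { throw "Unexpected symbol path layout: '$stored'" }
if ($parts[1] -match '\s' -or $parts[2] -match '\s') { throw "Whitespace inside symbol path: '$stored'" }
Write-Host "Symbol path set for current user: $stored"
```

Start WinDBG afresh after running it, since an already-open debugger keeps the environment it was launched with.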
Important commands for Symbols
We can start with some important commands for symbols:
- Open WinDBG (x64) with Admin privileges.
- Open notepad.exe with the File > Open Executable option. The keyboard shortcut is Ctrl + E.
On successful loading, you’ll see the following window.
- To check the current symbol path, execute “.sympath” in the command line. You’ll get something like this:
- Execute “.sympath+ <additional symbol path>” to append a new symbol path. I am not showing a screenshot for this command as I don’t really have an additional symbol path.
- Execute “!sym noisy” to get verbose output of the symbol download. It is recommended to use this command, as by default WinDBG does not show symbol downloads and you may think the debugger is frozen. Now run the “.reload” command to download/update symbols from the Microsoft symbol server, as shown below:
In my case I’ve already downloaded the symbols, which is why very few log lines appear in the above screenshot. If you want to download all symbols, execute “.reload /f”, where /f stands for forced download. With this, your debugging lab is set up.
(Bonus) Configuring Mona.py for Exploit development
If you are into exploit development, it is a good idea to add Mona.py to it. Mona.py is a versatile Python script written by the Corelan team for exploit development. Now, the thing is, configuring Mona.py for Immunity Debugger is a piece-of-cake task. For other debuggers, however, especially for WinDBG, it is a bit of a pain. Bring the x64 platform into the picture and it may become a pain-in-@$5. But not impossible. Let’s see how!!!
You need following tools:
- WinDBG – up and running
- Latest Python 2.7.x (x64) installed on the Windows host. (Installation is easy. Don’t ask me. Do it yourself!!!)
- mona.py and windbglib.py files (available at https://github.com/corelan/windbglib)
- Latest version of pykd-xxx.whl (available at https://githomelab.ru/pykd/pykd/wikis/All%20Releases)
- VC++ redistributables (vcredist_x86.exe & vcredist_x64.exe)
Steps to install Mona.py:
- First install WinDBG, as shown in the last blog post.
- Then install the latest Python 2.7.x (x64).
- Finally, install vcredist_x86.exe and vcredist_x64.exe with Admin privileges.
- Download and extract pykd-xxx.whl. Once extracted, open CMD with Admin privileges and change directory to the extracted folder. Then execute the following command.
On successful installation, a message box will pop up.
- From the extracted whl folder, copy pykd.pyd to “C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext”. Unblock the file from the Properties dialog if necessary.
- Copy mona.py and windbglib.py to “C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\”. Unblock them from the Properties dialog if necessary.
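The two copy-and-unblock steps above as one elevated PowerShell script, added here as an example (not part of the original post or of the Corelan project). The source folders $pykdDir and $monaDir are assumptions; the destination paths are the ones given above.

```powershell
# Added example (not from the original post): places pykd.pyd, mona.py and
# windbglib.py into the WinDBG x64 install and clears the download block.
# Assumed inputs: $pykdDir = extracted pykd .whl folder, $monaDir = folder
# holding mona.py and windbglib.py. Run from an elevated PowerShell.
param(
    [string]$pykdDir = 'C:\tools\pykd',        # assumed source folder
    [string]$monaDir = 'C:\tools\windbglib'    # assumed source folder
)
$dbgRoot = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'
$winext  = Join-Path $dbgRoot 'winext'

# Where each file has to end up for ".load pykd.pyd" and "!py mona" to work.
$plan = @(
    @{ Src = (Join-Path $pykdDir 'pykd.pyd');     Dst = $winext  },
    @{ Src = (Join-Path $monaDir 'mona.py');      Dst = $dbgRoot },
    @{ Src = (Join-Path $monaDir 'windbglib.py'); Dst = $dbgRoot }
)

foreach ($item in $plan) {
    if (-not (Test-Path $item.Src)) { throw "Missing source file: $($item.Src)" }
    if (-not (Test-Path $item.Dst)) { throw "Destination folder not found: $($item.Dst)" }
    Copy-Item -Path $item.Src -Destination $item.Dst -Force
    $copied = Join-Path $item.Dst (Split-Path $item.Src -Leaf)
    # Files fetched from the internet carry a Zone.Identifier stream that can stop
    # WinDBG loading them; Unblock-File removes it, same as the "Unblock" checkbox.
    Unblock-File -Path $copied
    Write-Host "Installed $copied"
}
```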
To check that everything is done correctly, perform the following steps:
- Open WinDBG (x64) with Admin privileges.
- Select “notepad.exe” with File > Open Executable option.
- Use “.load pykd.pyd” to load the Python interpreter.
- Use “!py mona” to check that Mona.py is loaded. If all goes well, you’ll get the following output:
If this is done, you are all set for exploit development adventures. I guess we are good to stop here. In the next part, we will leave the debugger behind and dive into Windows OS theory. Till then, Auf Wiedersehen!!!!