Exetools  

Go Back   Exetools > General > x64 OS

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 12-13-2012, 16:42
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Rept. Given: 60
Rept. Rcvd 419 Times in 94 Posts
Thanks Given: 68
Thanks Rcvd at 328 Times in 100 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
debugging of complex 64b targets and proper tools

Hi all,
I need to debug a complex program under a win 64 system, for complex I don't mean a protected target, but a target very big with several dlls loaded and released, partially written in .NET and native code.

So I investigated a little what 64 bit debuggers were present. Olly has to be excluded unfortunately, but there were two other alternatives I found:
  • IDA64: I still honestly have not tried it under 64b platform because I hate its debugging interface and think that it's quite unusable. Beside this IDA64 is still less advanced than its 32b version, because it lacks some important features (e.g. the decompiler wont' support 64b code) and has some bugs (e.g. the disassmbly engine often doesn't recognize double words, references and portions of functions)
  • BugDb64 (http://forum.exetools.com/showthread.php?t=14539): I tried this promising one since it's a nice mixture of SoftICE commands and Olly interface. But unfortunately it still lacks several important functionalities and some already present don't work (it's a pre-alpa therefore it's normal). For my target for example I needed to break on a specific dll when it was being loaded by the program, but the command supposed to to that simply doesn't work. It's as well impossible to enter into a specific module (like Olly does) to add breakpoints or any other stuff in a specifi portion of code.

So I'm now stuck with static patching (under IDA64) and offline tests if the patch works.

The question is therefore which other tools I have to succesfully debug and patch 64b applications. It seems like several tools still are just not being ported to 64b. And of course which are your experiences!

BR,
Shub
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #2  
Old 12-13-2012, 17:05
Av0id Av0id is offline
VIP
 
Join Date: Jan 2006
Posts: 399
Rept. Given: 112
Rept. Rcvd 111 Times in 69 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 15 Posts
Av0id Reputation: 100-199 Av0id Reputation: 100-199
WinDBG, PEBrowseDbg64 and HIEW for patching
Reply With Quote
  #3  
Old 12-13-2012, 17:21
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Rept. Given: 60
Rept. Rcvd 419 Times in 94 Posts
Thanks Given: 68
Thanks Rcvd at 328 Times in 100 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
I just preferred something more "visual". What about VisualDuxDbgSetup.zip ? Anyone tried it already? Which limitations has the free version?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #4  
Old 12-13-2012, 19:31
cyberbob's Avatar
cyberbob cyberbob is offline
VIP
 
Join Date: Aug 2004
Posts: 93
Rept. Given: 23
Rept. Rcvd 118 Times in 28 Posts
Thanks Given: 6
Thanks Rcvd at 30 Times in 14 Posts
cyberbob Reputation: 100-199 cyberbob Reputation: 100-199
Quote:
Originally Posted by Shub-Nigurrath View Post
For my target for example I needed to break on a specific dll when it was being loaded by the program, but the command supposed to to that simply doesn't work.
strange, I have tested bpdll command under win7 & win8 and it works fine, maybe try using a wildcard e.g. bpdll *your.dll
If that doesn't help I'd be happy to investigate it, just send me PM with target app or link.

Quote:
Originally Posted by Shub-Nigurrath View Post
It's as well impossible to enter into a specific module (like Olly does) to add breakpoints or any other stuff in a specifi portion of code.
you can see loaded dll's in command window then press g in dissasembly window to jump into that module or you can use x (eXamine symbol) command e.g. x user32_* to list exported function to get function addr then set bp on it or disassemble it.

As for Visual DuxDebugger, I'm a bit bias but I think is a hideous piece of software. Current version is 3.9 but it feels like pre-alfa e.g. instead jumps to imports:

JMP [ntdll!RtlExitUserProcess]
JMP [user32!MessageBoxA]

you like see something like this

JMP [RIP+0xf8c]
JMP [RIP+0xf96]
Reply With Quote
  #5  
Old 02-20-2013, 04:17
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Ok, i admit you will never like the WinDBG because of its interface and the vast array of commands , but it's surely the most powerful debugger out there for ring0/ring3 debugging. Moreover it can handle tons of stuff that no other debugger can do for you right now, at least under x64 platform until "SoftIce64" will be available Think about this, i am sure it is the best choice, thats why i am spending a bit of time every day to learn it in depth. As for direct patching, Hiew, no doubt
__________________
<<< The L10n won't give up >>>
Reply With Quote
  #6  
Old 03-08-2013, 23:17
g0dmoney
 
Posts: n/a
WinDBG is definitely the best option in my experience. You should be able to use the WinDbg engine in IDA now I think as well. WinDbg isn't too bad to get use to, and its powerful and scriptable. Debugging services is simple too, you can set your target to execute in WinDbg when the service starts: http://support.microsoft.com/kb/824344
Reply With Quote
  #7  
Old 03-09-2013, 05:17
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
I agree with you, even if i can't still figure out why the command pause+call_stack doesn't work properly in my debugging session as though Ollydbg (F12+k) :-/
__________________
<<< The L10n won't give up >>>
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT +8. The time now is 16:30.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )