DbgPlus Extension v1.0a for Microsoft Windbg
This is the alpha release of the first public version of the DbgPlus extension. We call it alpha because it still contains a few minor glitches and bugs, as well as 'non-functional' points of improvement (such as performance). It is nevertheless a 1.0 version, in the sense that it implements the full feature set planned for this first release and is, in fact, entirely usable.
Although DbgPlus was born from hackish code created to aid vulnerability analysis, one can say its features are generic enough to make it useful for general-purpose debugging as well. Below, we describe its functionalities in brief:
[1] Remote call - This feature makes it possible to execute a call to a function in the debuggee address space and see the return value. Unlike windbg's '.call' meta-command, we are able to call a function even without symbol information. In fact, the user can call a function just by specifying its address. Furthermore, unlike Skywing's excellent extension, SDbgExt [*] (which contains a similar functionality), we execute the call without needing the user to resume the execution of the process itself, making it perfect for post-mortem analysis (e.g. when the process has already crashed and you want to call some functions that will retrieve useful information on the process data).
[2] Trace and print history - This command makes the program execute until it reaches a breakpoint or exception and then prints the last N (where N is a user-supplied number) instructions executed.
[3] Watch a range of memory - In order to overcome the processor's (and debugger's) limit on the number of watchpoints, this command lets the user watch for reads and writes to a range of memory of any size. Unlike the usual breakpoint/watchpoint commands, !watchrange resumes the program and prints each instruction that accesses the range as it executes, without ever breaking, until a breaking condition (breakpoint, exception...) is reached. These are not persistent watchpoints: if you are still interested in that range afterwards, issue the command again.
[4] Watch a register - This is perhaps the most exotic of DbgPlus's features, but it can be a life saver when the user needs to investigate the data flow through a specific register. The !watchreg command takes a register name as its parameter and watches for changes to that register in the same way !watchrange watches memory, printing the relevant instructions until a breaking condition is reached.
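The three stepping-mode commands above share one mechanism: single-step, look at the instruction just executed, and apply a filter. The C program below is an added example written for this page, not code from DbgPlus (whose internals are not described here), and it shows that filtering logic over a hand-constructed trace: a ring buffer that keeps the last N EIPs (the trace history), an interval-overlap test for the watched range that also catches accesses straddling its edges, and a before/after comparison for a watched register. The step records, addresses and register values in DEMO_TRACE are constructed; how a real extension obtains them from the debugger after each step is assumed rather than documented. Like the extension itself, it is 32-bit only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit register file layout used by the trace records (x86 only, like DbgPlus). */
enum { R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, R_COUNT };
static const char *REG_NAMES[R_COUNT] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* One single-step record; a real extension would fill this from the debugger
 * after each step, here the records are constructed by hand (see DEMO_TRACE). */
typedef struct {
    uint32_t eip;            /* instruction that was executed */
    uint32_t mem_addr;       /* memory operand address, 0 if none */
    uint32_t mem_size;       /* bytes accessed, 0 if no memory operand */
    int      is_write;       /* 1 = write, 0 = read */
    uint32_t regs[R_COUNT];  /* register values after the step */
} step_t;

/* Ring buffer of the last HISTORY_MAX executed EIPs: the trace history. */
#define HISTORY_MAX 64
typedef struct { uint32_t eip[HISTORY_MAX]; size_t next, count; } history_t;

static void history_push(history_t *h, uint32_t eip)
{
    h->eip[h->next] = eip;
    h->next = (h->next + 1) % HISTORY_MAX;
    if (h->count < HISTORY_MAX) h->count++;   /* count saturates once full */
}

/* Copy the last n EIPs, oldest first, into out; returns how many were copied. */
static size_t history_last(const history_t *h, size_t n, uint32_t *out)
{
    if (n > h->count) n = h->count;
    size_t start = (h->next + HISTORY_MAX - n) % HISTORY_MAX;
    for (size_t i = 0; i < n; i++)
        out[i] = h->eip[(start + i) % HISTORY_MAX];
    return n;
}

/* Does the access [addr, addr+size) overlap the watched range [lo, hi)?  Testing
 * only the first byte would miss a dword store starting just below lo. */
static int access_touches(uint32_t addr, uint32_t size, uint32_t lo, uint32_t hi)
{
    if (size == 0) return 0;
    uint64_t end = (uint64_t)addr + size;   /* widened so addr+size cannot wrap */
    return addr < hi && end > lo;
}

static int reg_index(const char *name)
{
    for (int i = 0; i < R_COUNT; i++)
        if (strcmp(REG_NAMES[i], name) == 0) return i;
    return -1;
}

/* Simulated stepping loop: every record goes into the history; records touching
 * [lo,hi) go to range_hits (count returned); records that changed register `reg`
 * relative to the value before the step go to reg_hits (count in *n_reg). */
static size_t run_trace(const step_t *trace, size_t n, const uint32_t *initial_regs,
                        uint32_t lo, uint32_t hi, const char *reg, history_t *hist,
                        uint32_t *range_hits, uint32_t *reg_hits, size_t *n_reg)
{
    int ri = reg_index(reg);
    size_t n_range = 0;
    *n_reg = 0;
    for (size_t i = 0; i < n; i++) {
        const step_t *s = &trace[i];
        const uint32_t *before = (i == 0) ? initial_regs : trace[i - 1].regs;
        history_push(hist, s->eip);
        if (access_touches(s->mem_addr, s->mem_size, lo, hi)) {
            range_hits[n_range++] = s->eip;
            printf("%08x: %s [%08x], %u bytes\n", s->eip, s->is_write ? "write" : "read",
                   s->mem_addr, s->mem_size);
        }
        if (ri >= 0 && before[ri] != s->regs[ri]) {
            reg_hits[(*n_reg)++] = s->eip;
            printf("%08x: %s %08x -> %08x\n", s->eip, reg, before[ri], s->regs[ri]);
        }
    }
    return n_range;
}

/* Constructed trace for watch range [0x401000,0x401010) and register esi: records 1
 * and 4 touch the range (1 straddles its lower edge), records 0 and 3 end exactly at
 * lo / start exactly at hi and must not fire, records 2 and 5 change esi. */
static const uint32_t DEMO_INITIAL_REGS[R_COUNT] = { 0, 0, 0, 0, 0x0012ff80, 0, 0, 0 };
static const step_t DEMO_TRACE[] = {
    { 0x00401100, 0x00400ffc, 4, 0, { 0x11111111, 0, 0, 0, 0x0012ff80, 0, 0, 0 } },
    { 0x00401105, 0x00400ffe, 4, 1, { 0x11111111, 0, 0, 0, 0x0012ff80, 0, 0, 0 } },
    { 0x00401108, 0, 0, 0, { 0x11111111, 0, 0, 0, 0x0012ff80, 0, 0x11111111, 0 } },
    { 0x0040110a, 0x00401010, 4, 0, { 0x11111111, 0x22222222, 0, 0, 0x0012ff80, 0, 0x11111111, 0 } },
    { 0x0040110d, 0x0040100f, 1, 1, { 0x11111111, 0x22222222, 0, 0, 0x0012ff80, 0, 0x11111111, 0 } },
    { 0x00401110, 0, 0, 0, { 0x11111111, 0x22222222, 0, 0, 0x0012ff80, 0, 0x11111112, 0 } },
    { 0x00401111, 0x0012ff80, 4, 0, { 0x11111111, 0x22222222, 0, 0, 0x0012ff84, 0, 0x11111112, 0 } },
};
#define DEMO_LEN (sizeof DEMO_TRACE / sizeof DEMO_TRACE[0])

int main(void)
{
    history_t hist = { { 0 }, 0, 0 };
    uint32_t range_hits[DEMO_LEN], reg_hits[DEMO_LEN], last[3];
    size_t n_reg, n_range = run_trace(DEMO_TRACE, DEMO_LEN, DEMO_INITIAL_REGS, 0x00401000,
                                      0x00401010, "esi", &hist, range_hits, reg_hits, &n_reg);
    history_last(&hist, 3, last);
    printf("%zu range hits, %zu esi changes; last 3 eips: %08x %08x %08x\n",
           n_range, n_reg, last[0], last[1], last[2]);
    return 0;
}
```

Compile with any C99 compiler and run; the two boundary records (an access ending exactly at the range start and one starting exactly at its end) are the cases a naive "is the first byte inside the range" test gets wrong, and the ring buffer is what keeps a long stepping session from growing without bound while still answering "what were the last N instructions" at the break.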
As previously said, DbgPlus suffers from a few limitations. Most notably, the user should be aware that DbgPlus cannot work with 64-bit targets and makes no effort to. Adding 64-bit support is doable but requires modifications in many parts of the code, and was not considered critical for this release. Furthermore, the last three commands described above switch execution to stepping mode, which makes it thousands of times slower and therefore unsuited for long stretches of code (depending on the power of the machine and how long you are willing to wait for the analysis) or for code that interacts with the user. The sensible user will therefore delimit the pieces of code to analyze with care, instead of issuing those commands over the whole execution of a big program or over GUI code.
Last but not least, any new user is strongly encouraged to issue the !help command, which will hopefully enlighten him/her on the usage of the rest of the DbgPlus commands.
The Scanit R&D Labs is open for feature requests and bug reports. Contact us at research@scanit.net for anything concerning DbgPlus or our other projects.
Have fun,
Scanit R&D Labs
[*] SDbgExt - http://www.valhallalegends.com/Skywing
| Attachment | Size |
|---|---|
| dbgplus.zip | 20.56 KB |

