can a malware debug a debugger like IDA, for example, look for an API that is used for debugging.
and maybe makes it crash or change some values printed to the person using it.
for tools that are widely used I guess it could be ways that malware can use to throw off the person who's debugging.
Related
I've spent the last few days searching google, blogs and MSDN looking for any small scrap of info on how "interop" or "mixed mode" debugging is implemented in Visual Studio.
I'm attempting to implement my own debugger for a custom VM (actually, it gets JIT-ed to native code, which means I'll have to rebuild callstacks for the normal native debugger whenever it enter's the JIT-ed code), but I can't find any info on how you can actually interact with VS's native debugger and do the fancy "native/managed" like transitions that VS's mixed mode debugging pulls off.
So far I've found a few things that provide useful tidbits, but not enough to actually interact with the debugger. The best, most useful articles I've found are:
Mike Stall's various blog posts (mainly these two) while providing useful info and glimpses at the inner workings, they seem to be very heavily tied to .Net debugging.
MSDN's Creating a Basic Debugger gives a nice overview of how MS implements it's debuggers and how you can implement one on the same tech stack. Unfortunately, this doesn't really provide any real info on how to pass data off to VS's native debugger. (Combined with Mike Stall's blogs, it seems like both debuggers would be waiting for the same events, so how do you actually splice the results together in a meaningful way?)
The Debugger Engine API (aka DbgEng) documentation. I found this by running Dependency Walker on VS's native debug engine (NatDbgDE.dll, it seems to export the DebugCreate function which I could only find in this documentation, so it could be related). Unfortunately I've had very little success in even doing any debugging through this and it seems to be poorly documented, although the documentation does seem to indicate this is what I'll probably want to deal with in the end. It also doesn't really say how I can work cooperatively with another debugger and makes no mention of VS's debugger, so I could be going down the wrong path entirely with this anyway.
How can I get started with writing a debugger that will work cooperatively with VS's native debugger?
Thanks!
I'm afraid there's not much documentation on this subject. The resources you mention are all pretty old at this point. My suggestion is to integrate with Visual Studio's newer debug engine (Concord). Concord is used as the debug engine for native debugging from Visual Studio 2012 forward and for all debugging in Visual Studio 2013 forward. One of the design goals of Concord was to simplify mixed mode debugging. It is also designed to be easily extensible.
I created some Concord extensibility documentation that may be of help. It is mainly focused on expression evaluators, but it has some good information for getting started with Concord. Another resource that may be of use is the source code for the Concord-based debugger in Python Tools for Visual Studio. This is a full implementation of a mixed mode debugger that integrates with Concord and allows mixed mode debugging with Python.
At the moment, I’m writing a small console program. It is small enough that I have not bothered to use an IDE, so I’m just using Notepad2 and cl.exe to edit and build the program, and the command-prompt to run and test it.
This works just fine for the most part (don’t freak out, but I’m actually using a bit of “printf debugging” here and there). Unfortunately certain problems are not quite as easy to fix. For example, a pointer/array problem can cause the program to crash.
I know about—and have—Visual Studio, Ollydbg, Windbg, etc. but those are all fancy, schmancy graphical IDEs and debuggers that are too cumbersome to fire up for what usually amounts to a five-second check before going back to the editor. My edit-compile-test cycle is often as low as 10-15 seconds, so such debuggers become an unacceptable bottleneck.
I’m trying to find out if there is a fast and easy method to debug a console application from the command-prompt. Is there a modern text-mode debugger? (Obviously debug isn’t going to be of much use.) Is there some other way—TSR‽—to view values, catch exceptions, or set breakpoints and step through a program?
You need ntsd (part of the same package as WinDbg, shares all comands) - http://msdn.microsoft.com/en-us/windows/hardware/gg463009
Also using free Visual Studio Express may make search for debugging advices easier...
As part of the work I've been doing to answer this question about the technical workings of a glitch in Pokémon Red, I've been looking for a way to use a standard debugger to debug a Game Boy ROM. Although many of the emulators I've found have some support for debugging, nothing I've found so far has been helpful.
As a background, as of now I have tried to use the Visual Boy Advance built-in features to do debugging, but they aren't particularly useful for what I'm trying to do. VBA lacks the ability to set breakpoints, and since it steps forward at the level of frames rather than instructions I'm unable to see how the code is executing when I actually need it to. Although VBA says that it supports GDB debugging, I have been completely unable to get it working. I tried cross-compiling GDB for ARM as per the instructions, but could not get GDB to connect to the emulator (it would recognize that there was a program to connect to, but reported that the protocol had been violated). I repeated this with similar success in both Windows with Cygwin and on Ubuntu Linux. A friend and I tried to use Insight/GDB, but ran into exactly the same problems.
I also tried to use the NO$GBA debugger, but it refused to load my ROM for Pokémon Red (and then insulted me by saying that nothing I could try to do would fix it, as the file was just flat-out wrong).
Additionally, I tried downloading this version of Visual Boy Advance that claims to have a debugger in it, but for some reason I can't get it to enable the debugger. Pressing F11 as per its instructions has no effect whatsoever.
I believe that I've done my due diligence trying to get a debugger working, and I'm surprised that not a single one of them has worked. Does anyone know of a simple, straightforward way to debug Game Boy games using standard debugging techniques? I'm interested mostly in being able to put in memory write breakpoints (to see what routine is clobbering certain parts of memory). I would really appreciate it if someone with first-hand experience doing this could provide details on how to do this, as online resources on the subject seem pretty limited.
If you just want to debug your old gameboy games you can also use bgb which has several debugging options such as tracing, breakpoints, profiler and a lot more.
No$GBA is for GBA games; you want NO$GMB. Note that it's very buggy, and without a registered version (which may be impossible to get legitimately) rather crippled.
bgb is free and is very similar to No$GMB, but even buggier.
VBA is supposed to have a debugger, but there are a million different versions out there, so good luck finding the right one.
Check out the site GbaDev.org and look on the forums. This is the best spot on the web for GBA or even GBC questions. I can tell you that there are many versions of VBA and no$ out and about. The No$ you want was technically a pay for version, but Martin Korth hasn't been answering emails or anything for years now and I'm not sure of its status anymore. I can also answer some questions for you personally if you'd like or help you with the debugger.
I was able to go to the no$ main website, download the windows version of no$gmb, and use it to debug when run in B/W mode - should be sufficient for you needs. F12 opens roms, F2 toggles break points, space traces, F3 steps over, Ctrl-G takes you to an address (or symbol), and Ctrl_B allows conditional break points (by far the most powerful feature for you to use.) For instance, (3000)! would set a read/write breakpoint on address 0x3000. (0300..03003)! sets on a range. As you are looking for specific address changes, this is what you want.
VBA-M has a bunch of debugging tools under "Tools" menu, including memory & tile inspectors and a disassembler. It even has support for GDB. I didn't test with any frontends like gdbgui, or VSCode's GDB support, so YMMV, but the other built-in tools look pretty decent.
Go to the releases section for a build for your platform (arch linux also has it in AUR, for easy install in package manager.)
Here it is running some of the tools on a Mac:
It seems there are dozens of debugger and debugging tools that Microsoft produces, which creates a maze of choices and questions concerning which tool to apply, and when. For example, there is windbg - and the debugger built into Visual Studio. Both can access minidumps. Why would I choose one over the other?
Dr. Watson was the default post-mortem crash analysis tool of the past. It has now been replaced with "Problem Reports & Solutions". Which is in turn replaced with IIS Exception Monitor on servers? And perhaps all of this is built on top of "Microsoft CDB Debugger," or perhaps that is a another duplicate tool? ADPlus, yet another one, is built on CDB Debugger. The maze seems to go on endlessly.
Can someone provide a link to a taxonomy or roadmap of all these tools, with comments of which are being deprecated (Dr. Watson?) and what "tool direction" debug students should absorb? I'm sure there are a number of tools and base libraries I've not mentioned here. it would be nice to know the dependencies between them too (such as ADPlus using the CDB Debugger).
I've found this link to be helpful, since it answers some of the questions I'm asking - though the material is dated. Any other resources that give a similarly simple compare / contrast run-down?
There is no difference between CDB and NTSD, other than how they spawn new windows. Choosing when to use Visual Studio over the command line debuggers is sometimes a matter of personal choice, but sometimes the command line is a better tool for the job. Once you get good at using the command line debuggers, you can get things done much more quickly. I suspect there are a few scenarios that remain where you can only debug a specific problem with the command line debugger, but I can't think of any off hand. The third debugger you've missed is kd, which is the kernal debugger. If you want to debug kernal mode stuff (i.e. your device drivers you've written) it's really your only choice.
CDB, NTSD and KD are all part of the debugging tools for Windows, itself part of the DDK. Visual Studio does not depend on the other debugging package and vice-versa.
Watson and the like are not debuggers. They merely observe and report. I suspect the best advice there is use whichever one is appropriate to your problem. I mean, there are lots of tools for all sorts of different MS technologies. E.g. Orca for MSI databases. All of these products are unrelated, often released and maintained by different divisions, etc. As a result, I doubt you'll find a chart showing their relationships since they are so diverse.
Im sure this has happened to folks before, something works in debug mode, you compile in release, and something breaks.
This happened to me while working on a Embedded XP environment, the best way i found to do it really was to write a log file to determine where it would go wrong.
What are your experiences/ discoveries trying to tackle an annoying Release-mode bug?
Make sure you have good debug symbols available (you can do this even with a release build, even on embedded devices). You should be able to get a stack trace and hopefully the values of some variables. A good knowledge of assembly language is probably also useful at this point.
My experience is that generally the bug is related to code that is near the area of breakage. That is to say, if you are seeing an issue arising in the function "LoadConfigInfoFromFile" then probably you should start by closely analysing that for issues, rather than "DrawControlsOnScreen", if you know what I mean. "Spooky action at a distance" type bugs do not tend to arise often (although when they do, they tend to be a major bear).
Tracefile is always a good idea.
When it's about crashes, I'm using adplus, which is part of debugging tools for windows. basically what adplus does, is, it attaches windbg to the executable you're monitoring. When the application crashes, you get a crash dump and a log file. You can load the crash dump in your preferred debugger and find out, which instruction lead to the crash.
As release builds are heavily optimized compared to debug builds, the way you compile your code affects its behaviour. This is basically true when crashes in multithreaded code happen in the release version but not the debug version. adplus and windbg helped me, to find out, where this happened.
ADPlus is explained here:
httx://support.microsoft.com/?scid=kb%3Ben-us%3B286350&x=15&y=12
Basically what you have to do is:
1. Download and install WinDbg into C:\debuggers
httx://www.microsoft.com/whdc/devtools/debugging/default.mspx
Start your application
open a cmd and cd to c:\debuggers
start adplus like this:
"adplus.bat -crash your_exe.exe"
reproduce the crash
analyze the crashdump in vs2005 or in windbg
If it's only a small portion of the application that needs debugging then you can change those source files only to be built without optimisations. Presumably you generate debug info for all builds, and so this makes the application run mostly as it would in release, but allows you to debug the interesting parts properly.
How about using Trace statements. They are there for Release mode value checking.
Trace.WriteLine(myVar);
I agree on log file debugging to narrow it down.
I've used "Entering FunctionName" "Leaving FunctionName" until I can find what method it enters before the crash. Then I add more log messages re-compile and re-release.
Besides playing with turning off optimization and/or turning on debug information for your Release build as pauldoo said, a log file will good data can really help. I once wrote a "trace" app that would capture trace logs for the app if it was running when the release build started (otherwise the results would go to the debugger's output window if running under the debugger). I was able to have end-users email me log files from them reproducing the bugs they were seeing, and it was the only way I would have found the problem in at least one case.
Though it's probably not usable in an embedded environment, I've had good luck with WinDbg for debugging release-mode Windows applications. Even if the application is not compiled with symbol information, you can at least get a usable stack trace and plenty of other useful crash information.
You could also copy your debug symbols to the production environment even if it's compiled in relase mode
Here's an article with more information
If you problem is synchronization related dumping log in the file might be problematic.
In this case i usually will use some big array of string and dump this to screen/file after the problem was reproduces.
This is of course depend on your memory restriction, sometime i use just few symbols and numbers to store in the array if the memory on the platform is limited. Reading such logs is not a big pleasure, but sometimes this is the only choice.