Time
20 minutes
Difficulty
Intermediate

Video Transcription

00:03
way of breaking stuff with Joe here on Cyber Eri on demand. I has always in your instructor and I as always, I'm just thrilled to have you here. But I have to say that today's video is actually special to me because we're dealing with something that is near and dear to my heart, and that is the Windows deep bugger.
00:23
Now the reason it's so near and dear to my heart is because as people who know me, we can tell you
00:27
most of my career I have been a Windows guy Windows Development. I've been elbow deep in the windows, Colonel, I've really focused on, you know, I was working on exploit development, vulnerability research, just general engineering. Ah, lot of my time has been spent in the Windows operating system, just really working with the nuts and bolts of it. And as I was doing that, the tool that was more useful to me than
00:46
any other tool in the world
00:47
was the Windows debunker. And that's because the windows do bugger is a spectacularly powerful tool with an incredible array of uses.
00:55
Now there are people who don't like windbag. Most of those people are people who just don't like Windows, but it is usable in just about every job field. Just like nudie bugger is Windows De Bugger is useful for programmers to find an X and remove bugs in their code. It's useful for vulnerability, researchers exploit developers.
01:12
It's useful for network administrators trying to figure out what the heck is going wrong
01:17
with one of their network tools. It is just a spectacularly useful tool that could be applied to any discipline that might benefit from understanding what's happening in a process under the hood. And in today's video, we're gonna learn all about it. We're gonna learn how to get windbag. We're gonna learn what it's uses are we're gonna walk through the windows the same we've accounted with Ida
01:34
and then we're gonna actually use it, and we're going to examine
01:37
a running process and see what information we might be able to glean from it. So I'm very excited about this. If you can't tell just from listening to me, I love Windows and I love windbag, and hopefully you're going to learn to love it, too, over the course of the next 15 to 30 minutes, so thank you for watching breaking stuff with Joe here on cyber. Hurry on demand and let's get started.
01:56
So we're gonna go ahead and jump right into our windows 10 PM You've seen a lot of breaking stuff, Joe. Videos before or if you've, you know, been familiar with a lot of my classes. Generally speaking, we're working out of a new bunch of'em or a lab on Cyber Eri. But since this is a window is tool and since we're kind of focused on a Windows product right now, we are going to be using a Windows VM.
02:15
So I already have the page up. That's only because this PM has about happened crashing. Whenever I try to go to the Internet with it.
02:20
I don't think they all do that, but for some reason, this image is being a little screw with me. But the page you're gonna go to is right here looking for the windbag preview the Earl up here. You don't need to try and copy down. We will include the instructions for finding this page in the supplemental materials.
02:35
Then once you get on here, you're just gonna hit this get button and that's going to take you to the download for the installer while specifically it's going to take you to the Microsoft Store where you'll get the download for the installer
02:45
so you can see I skipped ahead a little bit here. The install process for windbag is a little bit slower on on this VM that it might be on a normal machine and it didn't see a need for everybody to sit around and wait on it.
02:55
So we're just gonna open up
02:58
with our Windows menu here. We're gonna open up our windbag preview after it gets installed,
03:05
Digs just a couple seconds to load up. It's a pretty big file, so it takes a second
03:09
and this is a pretty slow VM.
03:15
There we go. So now that windbag is finally open, you can see I've already played around with it a little bit. But when it opens, its gonna have these different sub windows in it. And these different sub windows all kind of contain whatever information you're directing contain. And you can control these by going over here to your view menu and picking which windows you want to see.
03:34
So just a quick walk through them command is the actual command window where you're saying, Start, stop, break things like that.
03:38
It's where you can actually type interactive commands to your program. Watch is setting watch points so specific variables you want to keep track of or functions. You want to see what their access, things like that those that's where you're gonna set your watch points. Locals. You can see any locally defined variables registers. You can see the contents of the registers as you're executing.
03:59
Memory, of course, is going to be whatever is currently started ram that's controlled by the program. You can see your stack frames, your disassembly threads all that. Generally speaking, the way I have mine laid out is I'll have my disassembly
04:11
on its own.
04:15
Here are all these other windows
04:16
off my disassembly on its own over here on the right and then on the left. I'll just break this up into whatever windows I want to have. So, for example, breakpoints
04:26
break points. I'll open that Rio
04:28
and drag it down to be
04:30
this section.
04:32
I might include my stack frames
04:38
and you can see here that you've just youqing reconfigure it and set it up. However, you want it to be laid out, whatever works best for you. Additionally, these other tabs up here at the top, you've got different break points you can add. You can't add breakpoints until you've got a process that you're attached to one working with, which is why these are all great out right now.
04:54
Time travel is kind of an interesting little use or an interesting utility. So it's using stack traces. It will actually allow you to step back and forth through the execution of a program, which is just absolutely phenomenal. Usually with the D buggers you may have seen in our Judy be pro RGB video.
05:12
Trying to step backwards through a process is an absolute nightmare.
05:15
But using this stack tracing this time travel feature in the Windows de bugger, you kind of move back and forward through the program was very, very useful.
05:25
So we've got this revealed these windows laid out. We've got all these different tabs up at the top, and you can see here on our home tab, which is where we're gonna spend most of our time. We have a much different settings, options that we can check out. We have our step commands or step into, Out, Over and Argo command first, we're going to change our theme. Too dark because we're not barbarians and dark theme is always the correct way to go.
05:44
And now we're gonna go ahead and move on to our third and most important objective. Because we've already figured out what windbag is. We figured out what it's for. And now we've had a quick look at the menus in the utilities, and we've got it laid out at least kind of how we want it to be laid out. So the next step is going to be actually debug a program. Now, unlike the
06:00
the GB example where we could debug the program that was written, that was kind of a trivial program to figure out
06:05
here. We're gonna look at an actual Windows utility and see what that D bugger looks like when it's attached to that.
06:13
So the debug, the tool we're gonna debug here is a pretty famous Windows execute herbal, which is called New Pad. So we're just gonna do this launch executed all here over in our start debugging menu,
06:23
and then we're just going to do note pad
06:27
DXC.
06:30
That should give us what we're looking for
06:32
and you can see here. Sure enough, system 32 no pad Dr T X C.
06:39
And it's slowly loading all the modules. These are all the different deals. All of the different libraries there access by no pad like with most things in Windows. It's a pretty big program.
06:48
So here we see we reached a break instruction exception. So that means that this is the program is running and hit the brake that was inserted by the Windows debunker. And that break is sort of, ah,
07:00
programming trick. It's sort of it is informing the D bugger. It's informing the operating system. Hey, throw an exception here because of the fact that I need to break in a city bugger I need to get access to this code is the D bugger. So that's all that's really happening here. Even though it says exception, it's not actually an error. It's a built in an exception that the
07:20
the operating system knows means that you're attaching the bugger.
07:25
So
07:26
we have a break. If we want to actually run the program and C note pad actually running and executing all we're gonna have to do here is used the geeky, which is the go command,
07:35
and you could see it's loaded and down here at the bottom, you can see that the note pad window actually came up,
07:41
which is very useful, but
07:42
we don't really have any ability to do anything with it. Because of that. You can see here that this just says D buggy is running. The code over here isn't changing. There's no information on stacker break points, and the reason for that is that while the program is actively running the D bugger can't really get a lot of context on, it doesn't really know what's happening.
08:00
So we want to do is we want to break back into the program,
08:03
and while with earlier versions you might have to send a specific commander, go through some process with the new version of windbag, all you have to do is go up here to the top left
08:11
and hit break,
08:13
and you could see that once again. It broke in with this
08:16
break exception and we over here we see that we have some stack from information. We actually have a little bit more data. We you know, we can see where we broke in.
08:24
We could see that we were in the base threat way kind of get a start. We're starting to get sort of a frame of reference on this excusable. But if we want to know a little bit more, we want to understand a little bit more. One of the things that we could do
08:35
is type a command to get it to get the symbols for this execute herbal. And if you may, you may or may not remember from our previous debugging video from our GDP video that the symbols are essentially the debugging information or the names of functions and variables that just make it easier to interpret it easier to understand.
08:54
So we want to do to get that is we're gonna take dot
08:56
sym path,
09:01
and then we're going to type srv
09:05
asterisk. And I know this is this text can be a little bit hard to read, trying to zoom in, but unfortunately doesn't look like it's quite working for us. That's okay. Right here. What I've written is dot sym path S Y m P A T h, and then SRV with an asterisk, which is a wild card saying Look for
09:22
that simple and you can see here, gives about, gives him information out says the simple search path is the path we gave it, and it expands it out to show all of the different places that it's currently searching.
09:31
Once we've run that, we're going to just go ahead and hit this. We're gonna run this reload command dot reload,
09:39
and it's going to reload the program with its symbols.
09:52
And then we can see if they actually got loaded by doing X note pad,
10:01
and you can see that all of the different note pad functions got loaded.
10:05
Now these are all of the different sort of sub functions or attributes everything that's contained inside of note pad that has a symbol associated with it now because of the fact that Window's executed a lt's get a little bit ridiculously large. This can pretty easily get out of hand. So when you're looking for a specific function or specific symbol, you might want to
10:24
give a little bit more contact. So, for example, you might want to do something like no pad
10:28
asterisk main asterisk when you're looking for the main function,
10:33
but
10:35
and that is with an ex before it.
10:41
And you can see here it's actually showing us where the main function is in Windows. That's generally going to be win Maine. So now that we know what that function is, we know where that function is located.
10:50
We can create a break point, and we can actually break into the proper execution of this program.
10:56
So what we're gonna do there is we're going to have to come and be you. Note, pad
11:01
win May
11:03
And down here you'll see that that break point is now populated, and we can turn that on and off very easily just by checking this box.
11:11
Once we've got that in place, all we need to do is hit that G again and start note pad running. And if everything goes correctly, it should run for about a billionth of a second and break back out.
11:26
And it looks like everything is not running correctly because it did not hit that break exception. So that's totally fine. What we could do with that we can figure out what's wrong with it is first just hit a restart
11:35
and
11:37
real quick wit for to reload takes just a minute
11:43
and then we're going to hit G again.
11:46
There you go.
11:48
So what happened there? Was that because we had already been running no padded already past the beginning execution of Wind Main? So we had to restart the program and find it. And, you know, we're gonna leave that in after editing because it's one of the important things to note. When your debugging a program like this when in doubt, if you haven't given it data that you can't easily replicate,
12:05
just restarted. I have found so many errors that came about because of something I had done to the program while I was examining it that had just broken everything to pieces. So make sure you have the important details in there and then just hit restart.
12:18
Now you can see that we're actually in wind main were in the actual main function of the main execution function of the program. And over here on our window, to the right, you can see this is all of our disassembled code, which is
12:30
pretty dramatic looking, and you can do
12:33
you can change where you're looking exactly by doing this
12:37
address by affecting this address box. So we do know pad in Maine,
13:07
Rather instead of wind main. What we're gonna be doing is we're gonna be giving it the pointer of wind Main could be seven ff 7435
13:16
64238
13:20
And that'll identify. We're back in one main and weaken CR disassembly.
13:24
It's very easy to accidentally scroll out into absolute mayhem, so it's worth putting down break points or watches on any of the functions that are important to you so that you can have a look at them. And here you can see we have a bunch of different note pad functions that are being called.
13:37
We've got trace logging register. We've got meme sets. We've got all sorts of functions actually being used now because this is a non trivial Windows program. This isn't just a simple thing that I wrote up that we can easily break to pieces. It's a little bit more to try and figure out what exactly is happening, but
13:52
we can get a little bit of context on this program and figure out what it was doing if we didn't know what No Pat Waas
13:58
by finding out what modules are currently loaded. What sort of code libraries are currently in use and the way would do that is just by typing lm which, which is the command to say. Show us the loaded modules
14:09
and you can see here we're gonna get a nice little readout of the module names that start and end locations for them and any information that it might have. So you can see all of these different modules that are being accessed by at all these two models that are being used shelter to Colonel 32 user 32. These are all of the different deals that have been loaded into this program,
14:28
and for the ones that it confined,
14:30
you'll actually get the P. D B files or the symbol files for those as well.
14:37
So we've had a look at what happens inside of window air inside of the Windows note pad, and all we want to do now is just send it back to running so that we can perform whatever operations we want to perform.
14:46
And there we can just hit go
14:50
And, of course, the D Buggy or the program that's being debugged is going to be running again and we can see that we can interact with it.
14:58
Then once we're done, whenever we retired of debugging or we found what we need to find, we're ready to move on. All we want to do here is just stop debugging.
15:11
So that was the relatively simple case of just sort of looking at no pad and seeing, seeing how we can open up no pad in windbag in and kind of poke through it a little bit. But what if we wanted to find out a specific piece of functionality? What if we wanted to see whether or not a specific program was writing files or was actually, you know, performing file? I owe on the disk?
15:30
We would want to, you know, make use of that. Perhaps if we were performing Mauer reverse engineering
15:33
or vulnerability analysis. We were looking for a case where something is being dropped on the disk that we may not know about otherwise, and the way we do that is actually, by creating another break point, you're now you may remember when he looked at are loaded modules just a second ago that one of the modules that got loaded here. Where is it?
15:52
Right down to the bottom. Right from my face is nt d l l nt dll for those who don't know contains a lot of sort of the native windows Colonel functions and is used to do a lot of sort of that interaction between the user and colonel
16:06
modes of the machine. So if we wanted to prevent or just become aware of people accessing the fire, the command
16:14
zw right file, which is the command is being used to perform file I Oh, what we'd do is we'd use BU nt dll
16:22
c w right file.
16:25
And you could see that that's going to create a new break point for us down here at the bottom.
16:27
And that break point is going to exist at the NT d l l N T Wright file function,
16:33
and we can go ahead and disable our first break point here,
16:37
and then we're just gonna go ahead and hit. Go
16:40
and it's gonna run for a couple of seconds
16:42
and you can see that the note pad has come up.
16:45
We can type in it, we can interact with it. Everything works fine.
16:49
What happens when we try and save this file?
16:56
You can see that the note pad seems to have completely frozen on us and nothing. It doesn't seem to be interacting at all. And the reason for that is because we've actually hit this right file.
17:06
And so, by setting that break point, we were able to let know Pat execute completely, normally perform all of its normal behaviors, and then as soon as it did something we don't want it to do, we were able to say, OK, this is bad or this is activity Maybe not bad or malicious, but this is activity that we want to monitor, and we want to understand what's happening.
17:22
Then we can go over here and we can see our frame, our stack frame our list of sort of function calls
17:27
and throw all the way back through this. And you can see obviously, that there are tons and tons of functions that are calling it sort of working their way down the stack.
17:34
But we can show, you know, it's trying to save a file. It's invoking the same dialogue we can see here that it's going through. User 32.
17:44
It's it's trying to access files on disk in order to write information to them. Now, generally speaking, like I said, with a program like note pad, this isn't necessarily going to give you a ton of horrible information you're seeing if it's writing a file. But this can be really, really useful When you're examining malware, you're trying to figure out what a specific execute herbal is doing
18:03
because you're able to now identify specific functions that it's loaded
18:07
by looking at the modules by setting break points on them and then by waiting for those break points to get hit.
18:11
So you might be able to tell, you know, if you set a break point on this anti right file and it never gets touched, well, then it's very likely that whatever you're examining isn't writing files to the disc and windows where if it is, it's doing it through some very special, complex way, because NT dll lives pretty low on that stack of function calls.
18:27
And, of course, over here on the right side, you can see that we have our disassembly established.
18:33
So there you have it. That's the basic use of windbag, obviously there's a lot more to the tool, and we could spend a lot more time on it. But one of the great things about doing videos like this is giving you the tools you need to be dangerous and the information you need to be dangerous. So I really recommend you pull down a copy of windbag for yourself. You play around with it.
18:51
Maybe write your own C program may be trying to a crack me,
18:53
but spend some time really playing around with this and seeing how you can personally use it in your role, whether that's, you know, in your day job, adjusting your personal hobbies. But the basic tools that we kind of went through here, and the understanding of what we've done here is going to really help you and set you up for success with using Wen
19:08
on this video, we kind of went through very briefly. We talked about what windbag is, where you can get it from how you install it. We show I showed you some of the windows that are used in some of the ways you could modify those windows and make use of it to kind of fit your own needs. And then, of course, we actually walk through not only looking at note pad just looking at us and execute Herbal and seeing how we can examine it with windbag,
19:29
but also finding a way to isolate specific functionality based on loaded modules
19:33
and go from that into finding out whether or not a program is actually performing a given action. Obviously, there's a ton more you can do with windbag, and I highly encourage you to take the time to check that out. But I want to thank you all for watching this video. It is always an absolute pleasure to get to make these and help people learn about how to use these tools in their everyday lives, in their jobs and in their work.
19:52
So thank you all for watching. I have been your instructor, Joe Perry, and you have been watching breaking stuff with Joe
19:57
on Cyber Eri on

How to Use WinDBG (BSWJ)

The Windows Debugger (WinDBG, often pronounced 'Windbag') is an incredibly powerful tool for isolating and eliminating flaws in Windows software. It finds use throughout the fields of software engineering, exploit development, red-teaming, and more.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor