GitHub is broken with their crap personal access tokens update
Will push this OSED guide for WinDbg later when GH fixes their shit. Or properly documents it without me poring through a monstrous manpage.
I have better shit to do than fuck around with this.
- Access symbol settings
File -> Symbol File Path
- Commonly used symbol path
C:\Symbols
- Microsoft symbols path
srv*c:\symbols*https://msdl.microsoft.com/download/symbols
- Force download of all available symbols for all available modules
.reload /f
- Disassemble a function
u kernel32!GetCurrentThread
- Display bytes at the address held in ESP
db esp
- Display the same memory as WORDs
dw esp
- Display DWORDS
dd esp
- Display QWORDS
dq 'memory address'
- Display DWORDs alongside their ASCII characters
dc KERNELBASE
- Display WORDs alongside their ASCII characters
dW KERNELBASE+0x40
- Control how much is dumped with the L range specifier (the default dump is 0x80 bytes); this dumps four DWORDs
dd esp L4
- The dds, dps, and dqs commands display the contents of memory in the given range. This memory is assumed to be a series of addresses in the symbol table. The corresponding symbols are displayed as well.
dds esp L4
- Dump in unicode
du register
- Dump DWORDs (32-bit) and interpret each value as a symbol
dds 'memory address or structure'
- Dump the Thread Environment Block
dt ntdll!_TEB
- Recursively display nested structures
dt -r ntdll!_TEB @$teb
- Display specific field in the TEB
dt ntdll!_TEB @$teb ThreadLocalStoragePointer
- Get size of a structure
?? sizeof(ntdll!_TEB)
- Edit DWORDs at the address held in ESP
ed esp 41414141
- Editing using ASCII
ea esp abcd
- Editing using unicode
eu esp 'unicode string'
- Search the entire application memory for a DWORD pattern
s -d 0 L?80000000 41414141
- Searching for ASCII string in memory
s -a 0 L?80000000 "This program cannot be run in DOS mode"
- Dump all registers
r
- Dump specific register
r ecx
- Dereference a pointer-to-pointer: dd poi(esp) displays the DWORDs at the address stored at ESP, like **ptr
dd poi(esp)
- Specify new value for a register
r ecx=41414141
- Setting a breakpoint at the Windows WriteFile API
bp kernel32!WriteFile
- List breakpoints
bl
- Continue execution
g
- Disable a breakpoint
bd 0
- Enable a breakpoint
be 0
- Clear a breakpoint
bc 0
- Clear all breakpoints
bc *
- List module information for ole32
lm m ole32
- Set a breakpoint on an unresolved (deferred) function
bu ole32!WriteStringStream
- Print the number of bytes written each time the breakpoint is hit, then continue (example with notepad.exe)
bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g"
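To see why the breakpoint above reads poi(esp + 0x0C), and what dd poi(esp) and s -d actually return, here is an added Python model (not part of these notes) of a 32-bit little-endian stack image at the moment WriteFile is hit. Every address and value in it is constructed.

```python
"""Added example: a Python model of how WinDbg's dd, db, poi() and `s -d`
interpret 32-bit little-endian memory. All addresses/values are constructed."""
import struct

BASE = 0x0019F000          # constructed start address of the fake stack region
ESP = BASE                 # pretend ESP points at the return-address slot

# Constructed stack image at kernel32!WriteFile (stdcall: return address at
# ESP, then the arguments in order).
_layout = [
    0x0019F010,  # [ESP+0x00] return-address slot, constructed to point at [ESP+0x10]
    0x00000001,  # [ESP+0x04] hFile
    0x0019F020,  # [ESP+0x08] lpBuffer
    0x00000040,  # [ESP+0x0C] nNumberOfBytesToWrite (what the .printf breakpoint reads)
    0x41414141,  # [ESP+0x10] "AAAA" marker, found by s -d ... 41414141
    0xDEADBEEF,  # [ESP+0x14]
    0x41414141,  # [ESP+0x18] second "AAAA" hit
    0x00000000,  # [ESP+0x1C]
]
MEMORY = b"".join(struct.pack("<I", v) for v in _layout)

def dd(addr, count=1):
    """`dd addr Lcount`: the DWORDs at addr, decoded little-endian."""
    off = addr - BASE
    return [struct.unpack_from("<I", MEMORY, off + 4 * i)[0] for i in range(count)]

def poi(addr):
    """WinDbg's poi(): dereference the pointer-sized value stored at addr."""
    return dd(addr)[0]

def db(addr, count):
    """`db addr Lcount`: the raw bytes at addr, spaced the way WinDbg prints them."""
    off = addr - BASE
    return " ".join(f"{b:02x}" for b in MEMORY[off:off + count])

def search_dword(pattern):
    """`s -d BASE L<len> pattern`: address of every DWORD equal to pattern,
    checked at every byte offset of the region."""
    return [BASE + off for off in range(0, len(MEMORY) - 3)
            if struct.unpack_from("<I", MEMORY, off)[0] == pattern]

if __name__ == "__main__":
    print("bytes to write:", dd(ESP + 0x0C)[0])                      # 64
    print("dd poi(esp)   :", [hex(v) for v in dd(poi(ESP))])        # ['0x41414141']
    print("s -d hits     :", [hex(a) for a in search_dword(0x41414141)])
    print("db esp L4     :", db(ESP, 4))                             # 10 f0 19 00
```

The db line shows the same DWORD that dd prints as 0019f010 stored byte-reversed in memory, which is why searching with s -d for 41414141 finds "AAAA" and not "\x41\x41\x41\x41" in some other order.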
- Set a one-byte hardware breakpoint on execute of kernel32!WriteFile
ba e 1 kernel32!WriteFile
- Set a one-byte hardware breakpoint on read of kernel32!WriteFile
ba r 1 kernel32!WriteFile
- Set a one-byte hardware breakpoint on write of kernel32!WriteFile
ba w 1 kernel32!WriteFile
- Execute a single instruction, stepping over function calls
p
- Execute a single instruction, stepping into function calls
t
- Step to the next return, fast-forwarding to the end of the current function
pt
- Execute until a branching instruction is reached (conditional or unconditional branches, function calls and returns)
ph
- Step to address command
pa FastBackServer!FXCLI_OraBR_Exec_Command+0x7366
- Display all loaded modules
lm
- Filter displayed modules with a wildcard
lm m kernel*
- Dump information about a symbol
x kernelbase!CreateProc*
- Perform simple math
? 77269bc0 -77231430
- More math
? 77269bc0 >> 18
- Convert decimal to hex
? 0n41414141
- Convert binary to hex
? 0y1110100110111
- Display all formats at once
.formats 41414141
- Store the value of a mathematical calculation into a pseudo register
r @$t0 = (41414141 -414141) * 0n10
- Display the contents of a pseudo register
r @$t0
- Allow execution to continue past access violations generated by an egghunter
sxd av
- Allow execution to continue if the egghunter hits a guard page
sxd gp
- Load the narly extension
.load narly
- List loaded modules and their protections with narly's !nmod
!nmod
- Check the virtual protection of a memory page
!vprot memoryaddress