Level: Technical

Abstract:
With its ability to use operating system symbols and recognize many system structures, even undocumented ones, WinDbg is a powerful tool and effectively the only debugger used to analyze kernel-mode malware and inspect objects kept internally by Windows, either in a live debugging session or by analyzing a full memory dump.

Unfortunately, WinDbg’s learning curve has traditionally been steep, due to a large number of often unintuitive debugging commands, a rudimentary user interface, and arcane scripting syntax.

Over the years there have been several more or less successful attempts to make WinDbg scripting simpler for the user, with the most widely accepted interface being the pyKd Python extension. Still, WinDbg scripting remained far from user-friendly.

The developers behind Debugging Tools for Windows have been aware of WinDbg's limitations for some time, and recently they have put a lot of effort into making WinDbg more user-friendly. They have exposed a new Debugger Object Model, with a new dx command to inspect it, together with the NatVis XML visualization specification language and LINQ queries, which allow the user to filter the results of the dx debugging command.

With the Debugger Object Model, they exposed many of the operating system objects tracked internally by the debugger such as processes, threads, handles, stacks, and others through a user-friendly hierarchical namespace. Users can simply inspect Debugger.Sessions.First().Processes to enumerate all processes in the current session. They also exposed the file system and WinDbg disassembler to allow for more advanced methods of debugging and program analysis.

Finally, a new JavaScript scripting interface was created to allow the user to inspect the object model and augment it by adding new object definitions to its namespace.

Although many researchers will question the choice of programming language for the new scripting interface, there is no doubt that the latest JavaScript extension makes scripting within WinDbg much more intuitive than any of the previous attempts.
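As an illustration of the object model and the JavaScript interface described above, here is an added example (not code from the talk or from its author) that walks the same process list as Debugger.Sessions.First().Processes and summarizes it. The names summarizeProcesses, procSummary, the procsummary alias and the sample data are assumptions made for this sketch.

```javascript
"use strict";

// Debugger-model collections are iterables (for...of), not arrays,
// so count their items by walking them.
function countItems(iterable) {
    let n = 0;
    for (const _item of iterable) { n++; }
    return n;
}

// Pure helper: reduce process objects (Name, Id, Threads) to summary rows,
// keep those with at least minThreads threads, most threads first.
function summarizeProcesses(processes, minThreads = 0) {
    const rows = [];
    for (const p of processes) {
        const threads = countItems(p.Threads);
        if (threads >= minThreads) {
            rows.push({ name: p.Name, pid: p.Id, threads: threads });
        }
    }
    return rows.sort((a, b) => b.threads - a.threads);
}

// Alias body. `host` exists only inside WinDbg's JavaScript provider;
// host.currentSession is the session the debugger is currently attached to.
function procSummary(minThreads) {
    return summarizeProcesses(host.currentSession.Processes, minThreads || 0);
}

// Called by WinDbg on .scriptload; exposes the function to dx,
// e.g. dx @$procsummary(10)
function initializeScript() {
    return [
        new host.apiVersionSupport(1, 3),
        new host.functionAlias(procSummary, "procsummary"),
    ];
}

// Constructed sample data standing in for a live session (offline runs only).
const sampleProcesses = [
    { Name: "System",      Id: 4,    Threads: new Array(5).fill({}) },
    { Name: "svchost.exe", Id: 812,  Threads: new Array(2).fill({}) },
    { Name: "miner.exe",   Id: 3120, Threads: new Set([1, 2, 3, 4, 5, 6, 7, 8]) },
];
```

The filtering is kept in a function that takes any iterable, so the same logic can be checked outside the debugger against constructed data before it is loaded with .scriptload.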

This presentation will focus specifically on using the WinDbg Debugger Object Model and the JavaScript scripting interface for malware research, walking through the analysis of a rootkit driver used in a recent crypto mining campaign. Attendees will be able to see the new scripting interface in action and return to their own research with a few new WinDbg scripting tricks in their pockets.

Bio:
Vanja Svajcer works as a Technical Leader for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked as a principal researcher for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise. Vanja enjoys tinkering with automated analysis systems, reversing binaries and Android malware. He often attempts and successfully manages to present at security-related conferences such as Virus Bulletin, AVAR, BalCCon, FSec, Infosec, RSA and others.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]
