Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Try to find a way to copy WinDbgX dbgeng's DLLs instead of legacy WinDbg #196

Open
0vercl0k opened this issue Feb 23, 2024 · 6 comments
Open

Try to find a way to copy WinDbgX dbgeng's DLLs instead of legacy WinDbg #196

0vercl0k opened this issue Feb 23, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@0vercl0k
Copy link
Owner

Currently, wtf tries to find the dbgeng.dll DLLs in a path where the WinDbg that ships with the SDK is (cf https://github.com/0vercl0k/wtf/blob/main/src/wtf/debugger.h#L139).

This is problematic for users when they use the 'new WinDbg' to generate a dump file which is in a format that the WinDbg from the SDK doesn't understand. Those users see the below error message which is confusing:

Initializing the debugger instance.. (this takes a bit of time)
OpenDumpFile(state\mem.dmp) failed with hr=-0x7ff8ffa9

Fixing it manually require to grab the dbgeng.dll & cie and copy them over where wtf is but it is manual.

In theory if I find a way to detect if the WinDbg from the AppStore is installed and where, using those DLLs would always work as they'd be able to load dumps generated from old WinDbg, and the new ones. The issues that I have are:

  • I do not know how to detect if the application is installed
  • Even if I figure out how to get the path, it seems that you need some special rights to copy the files out of the directory which is annoying.

I guess if 1) is solved, we could try to copy the files for the users and if we fail we could tell them to copy the files over themselves or run as admin.
@0vercl0k 0vercl0k mentioned this issue Feb 23, 2024
Closed
@0vercl0k 0vercl0k added the bug Something isn't working label Feb 23, 2024
@GanbaruTobi
Copy link

GanbaruTobi commented Feb 25, 2024
edited
Loading

Detect if the App is installed in PowerShell:

Get-AppxPackage -AllUsers | Select-Object -ExpandProperty PackageFullName | Where-Object { $_ -like 'windbg' }

To copy the files into another directory:
robocopy "C:\Program Files\WindowsApps\FOUND_NAME_HERE" windbg_app /s /e

Then probably its needed to identify if x86 or x64 or arm. In my case
C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2308.2002.0_x64__8wekyb3d8bbwe\amd64\dbgeng.dll has the dll I need.

@GanbaruTobi
Copy link

GanbaruTobi commented Feb 25, 2024
edited
Loading

When I place the found dll's into the wtf.exe directory,wtf will overwrite them again with the SDK's:

grafik

@0vercl0k
Copy link
Owner Author

0vercl0k commented Feb 26, 2024 via email

@GanbaruTobi
Copy link

When I place the found dll's into the wtf.exe directory,wtf will overwrite them again with the SDK's:

grafik

Okey, in a second test this did not happen, and the source code looks good to me. Might have been a random thing to happen or I did something wrong.

@0vercl0k
Copy link
Owner Author

0vercl0k commented Feb 27, 2024 via email

@wumb0
Copy link
Contributor

wumb0 commented Sep 13, 2024

Perhaps it would be useful to add some metadata to a state capture (via snapshot) that indicates the exact dbgeng version being used. If a different version is found by wtf when starting to fuzz then emit a warning. I don't know how granular the reported version of dbgeng is in the extension APIs, but I guess you can just use GetFileVersionInfo on the loaded dbgeng.dll in both snapshot and wtf.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0vercl0k @wumb0 @GanbaruTobi