Show / set the ‘mode’ of the arm core between arm and thumb.
Usage: armcore [arm|thumb]
Display information about the currently stopped eprocess.
Usage: eprocess
#FIXME support listing
#FIXME support eprocess interp address
Display information about the currently stopped ethread.
Usage: ethread
#FIXME support listing them
#FIXME support ethread interp arbitrary address
Issue a gdb “monitor” command which allows access to the extensions inside the gdb stub.
Example: gdbmon r fs
(try: “gdbmon help” for info on supported commands in the target stub)
Determine which PEs in the current process address space support Vista’s ASLR implementation, by checking for the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) bit in the DllCharacteristics field of the PE header.
Usage: aslr [libname]
Rebase the specified address expression as though the origin library had gotten its suggested base address rather than being ASLR’d.
Usage: deaslr <addr_expr>
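An added example (not vdb’s own code) of the two checks described above: read DllCharacteristics and the preferred ImageBase out of a PE header, report whether the DYNAMIC_BASE bit is set, and rebase an address the way deaslr describes. The header bytes here are constructed sample data built by build_header; vdb itself reads the header from the target process memory.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040

def parse_pe_header(image):
    """Return (ImageBase, DllCharacteristics) from raw PE header bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]   # same offset in PE32 and PE32+
    return image_base, dll_chars

def supports_aslr(image):
    """The aslr command's test: is the DYNAMIC_BASE bit set in DllCharacteristics?"""
    return bool(parse_pe_header(image)[1] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def deaslr(addr, loaded_base, image):
    """Rebase addr as though the module had loaded at its preferred ImageBase."""
    preferred, _ = parse_pe_header(image)
    return addr - loaded_base + preferred

def build_header(magic, image_base, dll_chars):
    """Constructed minimal PE header for the demo (sample data, not a real module)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xF0 if magic == 0x20B else 0xE0)      # optional header sizes for PE32+/PE32
    struct.pack_into("<H", opt, 0, magic)
    if magic == 0x10B:
        struct.pack_into("<I", opt, 28, image_base)
    else:
        struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    machine = 0x14C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

A module loaded at 0x777c0000 with a preferred ImageBase of 0x10000000 rebases 0x777c1234 to 0x10001234.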
Show all the current exception information.
Usage: einfo [options]
    -P Toggle the “PendingSignal” meta key which controls delivery (or handling) of the current exception.
Support a subset of gflags-like behavior on Windows. This enables features exclusively by direct process manipulation and does NOT set any registry settings or persist across processes...
Usage: gflags [toggle_type]
NOTE: Most of these options require symbols!
Show Win32 Heap Information.
Usage: heaps [-F <heapaddr>] [-C <address>] [-L <segmentaddr>]
    -F <heapaddr>    Print the freelist for the heap
    -C <address>     Find and print the heap chunk containing <address>
    -S <segmentaddr> Print the chunks for the given heap segment
    -L <heapaddr>    Print the lookaside list for the given heap
    -V               Validate the heaps (check next/prev sizes and free list)
    -l <heapaddr>    Leak detection (list probable leaked chunks)
    -U <heapaddr>    Show uncommitted ranges for the specified heap
(no options lists heaps and segments)
Hook the specified IAT entries by munging a pointer and emulating “breakpoint” like behavior on the resultant memory access errors. Basically, break on import call...
Usage: hookiat <libname> [ <implibname> [ <impfuncname> ] ]
NOTE: Once added, you may use “bp” and commands like “bpedit” to modify, remove, or add code to “iat hooks”
Check the executable regions of the target process for any hooks by comparing against the PE on disk. This will account for relocations and import entries.
Inject a shared object (DLL) into the target process.
Usage: injectso <dllname>
Enable/Disable the current VDB location as the current Just-In-Time debugger for windows applications.
Usage: jitenable [-D]
    -E Enable VDB JIT debugging
    -D Disable JIT debugging
Enable write access watching on a given memory page. This works by setting the page to read-only and then specially handling the access violations as though they were hardware Watchpoints.
Usage: pagewatch [options] [<addr_expression>]
    -C        Clear the current pagewatch log
    -F        Toggle auto-continue behavior (run and record vs. stop on hit)
    -L        List the current hits from the pagewatch log
    -M        Add page watches to the entire memory map from addr_expression
    -R        Use to enable read watching while adding a page watch
    -S <addr> Show touches to the specified address
    -P <addr> Show memory touched by specified program counter (eip)
    -u        When listing, show only unique entries
Show extended info about loaded PE binaries.
Usage: pe [opts] [<libname>...]
    -I Show PE import files.
    -m Toggle inmem/ondisk behavior (directly mapped DLLs)
    -N Show full NT header
    -t Show PE timestamp information
    -E Show PE exports
    -S Show PE sections
    -v Show FileVersion from VS_VERSIONINFO
    -V Show all keys from VS_VERSIONINFO
NOTE: “libname” may be a vtrace expression.
Examples:
    # Show the imports from a PE loaded at 0x777c0000
    pe -I 0x777c0000
    # Show the exports from advapi32.dll
    pe -E advapi32
    # Show the build timestamp of the PE pointed to by a register
    pe -t esi+10
Show all the registry keys the target process currently has open.
Usage: regkeys
Show the SafeSEH status of all the loaded DLLs or list the handlers for a particular dll by normalized name.
Usage: safeseh [libname]
Walk and print the SEH chain for the current (or specified) thread.
Usage: seh [threadid]
Enable basic debugger stealth. This has the following effects:
    Change PEB to show BeingDebugged == 0
    Special breakpoint on CheckRemoteDebuggerPresent
WARNING: break/sendBreak() behave VERY strangely with this because the kernel apparently doesn’t think it needs to post the exception to the debugger?
Use the extended Intel hardware support to step to the next branch target.
Usage: stepb
List the running service names and pids.
Usage: svclist
Set the symbol path for the tracer. This will currently only affect subsequent library loads!
Usage: sympath <new_path>
Print out the TEB for the current or specified thread.
Usage: teb [threadid]
Display the current UAC status of the target process. (User Account Control)
Usage: uac