IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 64
gflag_stuff =
token_elevation_types =
__package__ =
Print out the TEB for the current or specified thread. Usage: teb [threadid]

Print the PEB. Usage: peb

Show all the registry keys the target process currently has open. Usage: regkeys

Show all the current exception information.
-P Toggle the "PendingSignal" meta key which controls
delivery (or handling) of the current exception.
Usage: einfo [options]

Walk and print the SEH chain for the current (or specified) thread. Usage: seh [threadid]

Show the SafeSEH status of all the loaded DLLs, or list the handlers for a particular DLL by normalized name. Usage: safeseh [libname]

Show Win32 Heap Information.
Usage: heaps [-F <heapaddr>] [-C <address>] [-L <segmentaddr>]
-F <heapaddr> Print the freelist for the heap
-C <address> Find and print the heap chunk containing <address>
-S <segmentaddr> Print the chunks for the given heap segment
-L <heapaddr> Print the lookaside list for the given heap
-V Validate the heaps (check next/prev sizes and free list)
-l <heapaddr> Leak detection (list probable leaked chunks)
-U <heapaddr> Show uncommitted ranges for the specified heap
(no options lists heaps and segments)

Determine which PEs in the current process address space support Vista's ASLR implementation by the presence of the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) bit in the DllCharacteristics field of the PE header.
Usage: aslr [libname]

Enable write access watching on a given memory page. This works by setting the page to read-only and then specially handling the access violations as though they were hardware watchpoints.
Usage: pagewatch [options] [<addr_expression>]
-C - Clear the current pagewatch log
-F - Toggle auto-continue behavior (run and record vs. stop on hit)
-L - List the current hits from the pagewatch log
-M - Add page watches to the entire memory map from addr_expression
-R - Use to enable *read* watching while adding a page watch
-S <addr> - Show touches to the specified address
-P <addr> - Show memory touched by specified program counter (eip)
-u - When listing, show only *unique* entries

Enable basic debugger stealth. This has the following effects:
Change PEB to show BeingDebugged == 0
Special breakpoint on CheckRemoteDebuggerPresent
WARNING: break/sendBreak() behave VERY strangely with this because the kernel apparently doesn't think he needs to post the exception to the debugger?

Support a subset of gflags-like behavior on Windows. This enables features *exclusively* by direct process manipulation and does NOT set any registry settings or persist across processes...
Usage: gflags [toggle_type]
NOTE: Most of these options require symbols!

Show extended info about loaded PE binaries.
Usage: pe [opts] [<libname>...]
-I Show PE import files.
-m Toggle inmem/ondisk behavior (directly mapped DLLs)
-N Show full NT header
-t Show PE timestamp information
-E Show PE exports
-S Show PE sections
-v Show FileVersion from VS_VERSIONINFO
-V Show all keys from VS_VERSIONINFO
NOTE: "libname" may be a vtrace expression:
Examples:
# Show the imports from a PE loaded at 0x777c0000
pe -I 0x777c0000
# Show the exports from advapi32.dll
pe -E advapi32
# Show the build timestamp of the PE pointed to by a register
pe -t esi+10

Rebase the specified address expression as though the origin library had gotten its suggested base address rather than being ASLR'd. Usage: deaslr <addr_expr>

Set the symbol path for the tracer. This will currently only affect *subsequent* library loads! Usage: sympath <new_path>

Use the extended Intel hardware support to step to the next branch target.
Usage: stepb
NOTE: This will *not* work inside VMware / VirtualBox. Other hypervisors may vary... (it will simply single step)

Check the executable regions of the target process for any hooks by comparing against the PE on disk. This will account for relocations and import entries.

Enable/Disable the current VDB location as the current Just-In-Time debugger for Windows applications.
Usage: jitenable [-D]
-E Enable VDB JIT debugging
-D Disable JIT debugging

List the running service names and pids. Usage: svclist

Inject a shared object (DLL) into the target process. Usage: injectso <dllname>

Display the current UAC status (User Account Control) of the target process. Usage: uac

Hook the specified IAT entries by munging a pointer and emulating
"breakpoint" like behavior on the resultant memory access errors. Basically,
break on import call...
Usage: hookiat <libname> [ <implibname> [ <impfuncname> ] ]
Example:
hookiat calc
hookiat calc kernel32
hookiat calc kernel32 LoadLibraryA
NOTE: Once added, you may use "bp" and commands like "bpedit" to modify,
remove, or add code to "iat hooks"
Generated by Epydoc 3.0.1 on Fri Nov 16 18:22:10 2012 | http://epydoc.sourceforge.net