Over the course of multiple OALABS Twitch streams we will build the world's worst debugger! The purpose of the streams is to learn more about the inner workings of debugging under Windows and gain a better general understanding of what our tools are doing when we are debugging malware.
Much of the code in this project is heavily copy-pasted from multiple sources on the Internet. We will try to maintain a list of original sources here, but we may occasionally miss sources while on stream. If we missed something let us know so we can add it!
- Maltracer (@buffer)
- Gray Hat Python exercise (@Newlog)
- Winappdbg (@MarioVilas)
- Fastir Collector (@SekoiaLab)
- StackOverflow "tasklist does not list all Modules in 64-systems"
- StackOverflow "How to enum modules in a 64bit process from a 32bit WOW process"
- EnigmaHWID - hardware breakpoint (@mrexodia)
The "system breakpoint" is set automatically for a debugged process by ntdll:LdrpDoDebuggerBreak. We receive it in our debugger as a software breakpoint event, but we need to be careful: ntdll restores the thread context, debug registers included, after this breakpoint, so a hardware breakpoint set from here will be cleared. Hardware breakpoints have to be set from a later event.
The hardware breakpoint DR registers live in the thread-specific context, so it is possible to set different hardware breakpoints per thread. In practice this is not usually what we want as analysts: we want a hardware breakpoint that fires on every thread. To accomplish this we added helper methods that track all of the process's threads. When a new hardware breakpoint is added it is applied to every known thread, and when a new thread is created the existing hardware breakpoints are applied to it.
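The following is an added example and not the debugger's own code: it shows the DR7 encoding for one breakpoint slot and a small tracker that mirrors one set of hardware breakpoints onto every thread, including threads that appear later. HwBreakpoint, HwBreakpointSet, regs_for, FakeDebugRegs and WindowsDebugRegs are this example's own names. The Windows backend assumes a 64-bit debugger and 64-bit debuggee and uses GetThreadContext/SetThreadContext with ContextFlags = CONTEXT_DEBUG_REGISTERS; the fake backend lets the encoding and tracking logic run on any platform.

```python
# Process-wide hardware breakpoints on top of per-thread debug registers.
# Added example, not OALABS code: every name here is the example's own; DR7 bits
# and CONTEXT offsets follow the documented x64 layout. Windows calls only on win32.
import ctypes
import sys
from dataclasses import dataclass

HW_EXECUTE, HW_WRITE, HW_ACCESS = 0b00, 0b01, 0b11   # DR7 R/Wn field
_LEN_BITS = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}     # DR7 LENn field (8 is x64 only)

@dataclass(frozen=True)
class HwBreakpoint:
    slot: int       # which of DR0..DR3 holds the address
    address: int
    condition: int  # HW_EXECUTE / HW_WRITE / HW_ACCESS
    length: int     # 1, 2, 4 or 8 bytes; must be 1 for HW_EXECUTE

def dr7_clear(dr7, slot):
    """Drop slot's L/G enable bits and its R/W and LEN fields."""
    return dr7 & ~((0b11 << (slot * 2)) | (0b1111 << (16 + slot * 4)))

def dr7_set(dr7, bp):
    """Return dr7 with bp.slot enabled (Ln bit) for bp's condition and length."""
    if not 0 <= bp.slot <= 3 or bp.length not in _LEN_BITS or (
            bp.condition == HW_EXECUTE and bp.length != 1):
        raise ValueError("bad slot, or bad length for this condition")
    dr7 = dr7_clear(dr7, bp.slot)
    dr7 |= 1 << (bp.slot * 2)                          # Ln: local enable
    dr7 |= bp.condition << (16 + bp.slot * 4)          # R/Wn
    dr7 |= _LEN_BITS[bp.length] << (18 + bp.slot * 4)  # LENn
    return dr7

def regs_for(bps):
    """Full Dr0-Dr3/Dr7 image for a set of breakpoints; unused slots are zeroed."""
    regs = {f"Dr{i}": 0 for i in range(4)}
    dr7 = 0
    for bp in bps:
        regs[f"Dr{bp.slot}"] = bp.address
        dr7 = dr7_set(dr7, bp)
    regs["Dr7"] = dr7
    return regs

class HwBreakpointSet:
    """One set of hw bps mirrored onto every known thread of the debuggee.
    backend.write(handle, regs) pushes {'Dr0'..'Dr3','Dr7'} into that thread."""
    def __init__(self, backend):
        self.backend, self.threads, self.bps = backend, {}, {}

    def add_thread(self, tid, handle):
        # CREATE_THREAD_DEBUG_EVENT: a new thread starts with empty debug registers
        self.threads[tid] = handle
        self.backend.write(handle, regs_for(self.bps.values()))

    def add(self, bp):
        if bp.slot in self.bps:
            raise ValueError(f"slot {bp.slot} already in use")
        self.bps[bp.slot] = bp
        regs = regs_for(self.bps.values())
        for handle in self.threads.values():         # existing threads get it too
            self.backend.write(handle, regs)

class FakeDebugRegs:
    """Offline stand-in: remembers the last register image written per handle."""
    def __init__(self):
        self.state = {}
    def write(self, handle, regs):
        self.state[handle] = dict(regs)

if sys.platform == "win32" and ctypes.sizeof(ctypes.c_void_p) == 8:
    CONTEXT_DEBUG_REGISTERS = 0x00100000 | 0x10      # CONTEXT_AMD64 | debug regs

    class CONTEXT(ctypes.Structure):
        # x64 CONTEXT: only the fields up to Dr7 are named; the tail is opaque
        # padding so that sizeof() matches the real 1232-byte structure.
        _fields_ = (
            [(f"P{i}Home", ctypes.c_uint64) for i in range(1, 7)]
            + [("ContextFlags", ctypes.c_uint32), ("MxCsr", ctypes.c_uint32)]
            + [(s, ctypes.c_uint16) for s in ("SegCs", "SegDs", "SegEs", "SegFs", "SegGs", "SegSs")]
            + [("EFlags", ctypes.c_uint32)]
            + [(n, ctypes.c_uint64) for n in ("Dr0", "Dr1", "Dr2", "Dr3", "Dr6", "Dr7")]
            + [("_rest", ctypes.c_uint8 * (1232 - 120))]
        )

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.GetThreadContext.argtypes = _k32.SetThreadContext.argtypes = [ctypes.c_void_p, ctypes.c_void_p]

    class WindowsDebugRegs:
        """Real backend: read-modify-write of a suspended thread's debug registers.
        Same-bitness only; a WOW64 debuggee needs Wow64Get/SetThreadContext."""
        def write(self, handle, regs):
            buf = ctypes.create_string_buffer(ctypes.sizeof(CONTEXT) + 16)
            ctx = CONTEXT.from_address((ctypes.addressof(buf) + 15) & ~15)  # 16-byte align
            ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS
            if not _k32.GetThreadContext(handle, ctypes.byref(ctx)):
                raise ctypes.WinError(ctypes.get_last_error())
            for name, value in regs.items():
                setattr(ctx, name, value)
            if not _k32.SetThreadContext(handle, ctypes.byref(ctx)):
                raise ctypes.WinError(ctypes.get_last_error())
```

In a real debug loop, `add_thread` is called from CREATE_PROCESS_DEBUG_EVENT and CREATE_THREAD_DEBUG_EVENT, the handle is dropped from `threads` on EXIT_THREAD_DEBUG_EVENT, and `add` is called from a later event than the system breakpoint, since anything written to the debug registers there is lost when ntdll restores the context. Only the local-enable bit (Ln) is set; the global bit is irrelevant under Windows because the kernel reloads the debug registers on every context switch from the thread's saved CONTEXT anyway.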
Because this project is meant to be a community effort on stream, we won't be accepting PRs. Aside from some maintenance and cleanup, all coding will be done on-stream. If you have feature requests or suggestions, leave your feedback as an Issue or come chat with us on Discord.
💖 Check out our schedule: we stream Thursdays and Sundays at 1300 EST.