refactoring: dummypdb implemented as a separate class; move some routines into symbols.cpp; clean project;
– symbols.cpp, symbols.hpp
– wdbgark.cpp, wdbgark.hpp
– systemcb.cpp, systemcb.hpp
– sdt_w32p.cpp, sdt_w32p.hpp
– wdbgark.vcxproj.. more..
WDBGARK is an extension (dynamic library) for the Microsoft Debugging Tools for Windows. It main purpose is to view and analyze anomalies in Windows kernel using kernel debugger. It is possible to view various system callbacks, system tables, object types and so on. For more user-friendly view extension uses DML. For the most of commands kernel-mode connection is required. Feel free to use extension with live kernel-mode debugging or with kernel-mode crash dump analysis (some commands will not work). Public symbols are required, so use them, force to reload them, ignore checksum problems, prepare them before analysis and you’ll be happy.
Command Support :
Operating System Support:
+ Microsoft Windows XP (x86)
+ Microsoft Windows 2003 (x86/x64)
+ Microsoft Windows Vista (x86/x64)
+ Microsoft Windows 7 (x86/x64)
+ Microsoft Windows 8.x (x86/x64)
+ Microsoft Windows 10.x (theoretically)
Windows BETA/RC is supported by design, but read a few notes. First, i don’t care about checked builds. Second, i don’t care if you don’t have symbols (public or private). IA64/ARM is unsupported (and will not).
Sources and build :
Sources are organized as a Visual Studio 2012 solution.
Build using VS2012:
1.Download and install latest WDK
2.Define system environment variables (e.g. WDK 8.1).
— DBGSDK_INC_PATH = C:\WinDDK\8.1\Debuggers\inc
— DBGSDK_LIB_PATH = C:\WinDDK\8.1\Debuggers\lib
— WDKDIR = C:\WinDDK\8.1
3.Select Build -> Batch Build from the menu and build dummypdb module (x86 and x64).
4.Choose solution configuration and platform for the main project.
Post-build event is enabled for debug build. It automatically copies linked extension into WinDBG’s plugins folder (e.g. x64 target:
“copy /B /Y $(OutDir)$(TargetName)$(TargetExt) $(WDKDIR)\Debuggers\x64\winext\$(TargetName)$(TargetExt)”).
1.Download and install Debugging Tools from the Microsoft WDK downloads page.
2.Build or download the extention.
3.Make sure that Visual C++ Redistributable for Visual Studio 2012 has already been installed.
4.Copy extension to the WDK debugger’s directory (e.g. WDK 8.1):
— .x64: C:\WinDDK\8.1\Debuggers\x64\winext\
— x86: C:\WinDDK\8.1\Debuggers\x86\winext\
6.Setup WinDBG to use Microsoft Symbol Server correctly or deal with them manually.
7.Load extension by .load wdbgark (you can see loaded extensions with a .chain command).
8.Execute !wdbgark.help for help or !wdbgark.wa_scan for a full system scan.
Author : Vyacheslav Rusakov is a Malware Expert at Kaspersky Lab.
Source : https://github.com/swwwolf/