Introduction
flare-dbg is a project meant to aid malware reverse engineers in rapidly developing debugger scripts.
Installation/setup
- Install the pykd windbg extension from https://pykd.codeplex.com/releases - download the Bootstrapper dll.
- Add the Bootstrapper pykd.dll file to your winext directory. Something like %ProgramFiles%\Debugging Tools for Windows\winext.
- Install the latest 0.3.x version of pykd using pip install pykd.
- Ensure you can import pykd from within windbg: .load pykd
- Install winappdbg: pip install winappdbg
- Set up vivisect
  - Install vivisect using one of the following options:
    1. Install from source using pip: pip install https://github.com/williballenthin/vivisect/zipball/master
    2. Download and extract upstream vivisect and set PYTHONPATH to the extracted directory.
  - Ensure you can import vivisect from a python shell: import vivisect
- Set up flaredbg
  - Install flaredbg using setup.py
Running scripts
There are two options for running scripts:
- Create a script directory, set PYTHONPATH to the newly created script directory, and add your scripts there.
- Copy scripts to the root of your windbg directory. Something like %ProgramFiles%\Debugging Tools for Windows\.
Once your script path is set up, scripts are run from the windbg console as follows:
> .load pykd
> !py <script_name>
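The setup steps above end with "ensure you can import" checks that are easy to get half right (pykd importable from a shell but pykd.dll missing from winext, or a script directory created but never added to PYTHONPATH). The following script is an added example, not part of flare-dbg, that runs those checks from a plain Python shell before you open windbg. It assumes the default Debugging Tools location quoted above; pass a different winext directory if yours differs.

```python
"""Prerequisite check for a flare-dbg setup (added example, not flare-dbg's own code).

Verifies the items the setup instructions list: pykd, winappdbg, vivisect
and flaredbg can be located by Python, pykd.dll sits in windbg's winext
directory, and the chosen script directory is on PYTHONPATH.
"""
import importlib.util
import os

# Python modules the setup instructions require to be importable.
REQUIRED_MODULES = ("pykd", "winappdbg", "vivisect", "flaredbg")

# Default winext location from the instructions (assumption: the default install path).
DEFAULT_WINEXT = os.path.join(
    os.environ.get("ProgramFiles", r"C:\Program Files"),
    "Debugging Tools for Windows", "winext")


def check_modules(names=REQUIRED_MODULES):
    """Return {module_name: bool} without importing the modules.

    find_spec only locates each module, so a broken native extension cannot
    crash the check; 'import pykd' inside windbg remains the final test.
    """
    return {name: importlib.util.find_spec(name) is not None for name in names}


def check_pykd_dll(winext_dir=DEFAULT_WINEXT):
    """True if the Bootstrapper pykd.dll is where windbg's '.load pykd' expects it."""
    return os.path.isfile(os.path.join(winext_dir, "pykd.dll"))


def check_script_dir(script_dir, pythonpath=None):
    """True if script_dir exists and appears on PYTHONPATH (os.pathsep-separated).

    Paths are normalised so 'C:\\scripts\\' and 'c:/scripts' compare equal on Windows.
    """
    if pythonpath is None:
        pythonpath = os.environ.get("PYTHONPATH", "")
    entries = [os.path.normcase(os.path.abspath(p))
               for p in pythonpath.split(os.pathsep) if p]
    return (os.path.isdir(script_dir)
            and os.path.normcase(os.path.abspath(script_dir)) in entries)


def report(script_dir, winext_dir=DEFAULT_WINEXT):
    """Collect every check into one dict; all values True means the setup is complete."""
    results = dict(check_modules())
    results["pykd.dll in winext"] = check_pykd_dll(winext_dir)
    results["script dir on PYTHONPATH"] = check_script_dir(script_dir)
    return results


if __name__ == "__main__":
    import sys
    # Usage: python check_setup.py <script_dir> [<winext_dir>]
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    winext = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_WINEXT
    for name, ok in report(target, winext).items():
        print("[%s] %s" % ("ok" if ok else "MISSING", name))
```

Run it with the same interpreter that pykd will use (the 32-bit or 64-bit Python matching your windbg build), since find_spec only reports what that interpreter can see. A MISSING line for "script dir on PYTHONPATH" while the directory exists usually means PYTHONPATH was set in a shell that windbg was not started from.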
Installing and running plugins
The recommended way to install scripts is to add the plugins directory of this project to your PYTHONPATH.
Another option is to follow the second option described above in the Running scripts
section. Simply copy the plugin scripts to the root of your windbg directory.