Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

Erlang

PHP

Ruby

Emacs Lisp

Python

R

Crystal

Swift

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

Zig

F#

Erlang

Go

R

Python

JavaScript

PowerShell

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇳🇨 New Caledonia

🇮🇶 Iraq

🇸🇳 Senegal

🇺🇾 Uruguay

🇻🇺 Vanuatu

🇮🇲 Isle of Man

🇸🇬 Singapore

🇱🇹 Lithuania

All Countries Compare Countries

yardenshafir/WinDbg_Scripts

Stars
382
Rank 112,241 (Top 3 %)
Language
JavaScript
Created over 4 years ago
Updated 8 months ago

yardenshafir/WinDbg_Scripts

yardenshafir

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Useful scripts for WinDbg using the debugger data model

WinDbg_Scripts

Useful scripts for WinDbg using the debugger data model

Usage, examples, explanations and general rants (also available in PDF form here):

https://medium.com/@yardenshafir2/windbg-the-fun-way-part-1-2e4978791f9b
https://medium.com/@yardenshafir2/windbg-the-fun-way-part-2-7a904cba5435

Useful Commands and Syntax

__iserror(x)
Returns true if a statement throws an error.

dx @$curprocess.Io.Handles.Where(h => !__iserror(h.Type == "File") && h.Type == "File")

SelectMany
Flattens a nested collection, for example runs a query on all threads in all processes and flattens the results

dx @$cursession.Processes.SelectMany(p => p.Threads.Select(t => t.KernelObject.ThreadName))

Conditional Operations

dx @$curthread.KernelObject.ActiveImpersonationInfo != 0 ? @$curthread.KernelObject.ClientSecurity.ImpersonationLevel : "Not Impersonating"

Executing a Legacy Command

dx @$printSecurityDescriptor = (sd => Debugger.Utility.Control.ExecuteCommand("!sd " + ((__int64)sd).ToDisplayString("x") + " 1"))

Cast Pointer to Function Address

dx @$curprocess.Threads.Select(t => (void(*)())t.KernelObject.StartAddress)

IoRingReadWritePrimitive

Post exploitation technique to turn arbitrary kernel write / increment into full read/write primitive on Windows 11 22H2

PoolViewer

An application to view and filter pool allocations from a dmp file on Windows 10 RS5+.

CVE-2020-1034

PoC demonstrating the use of cve-2020-1034 for privilege escalation

SymlinkCallback

A driver that hooks C: volume using symbolic link callback to track all FS access to the volume

cet-research

A collection of tools, source code, and papers researching Windows' implementation of CET.

KernelDataStructureFinder

Driver and WinDBG scripts to dump information about all resources and lookaside lists

InformationClasses

Documenting system information classes and their uses

DpcWait

Driver demonstrating how to register a DPC to asynchronously wait on an object

MitigationFlagsCliTool

Command like tool to print mitigation flags for running processes in a memory dump

IoRing_Demos

A repository for I/O ring demos, use cases and performance testing on Windows

conference_talks

Slides from various conference talks

CallbackObjectAnalyzer

Dumps information about all the callback objects found in a dump file and the functions registered for them

s1dbg

windbg extension that does stuff