📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Forums >> Debuggers >> How to get executable loaded info in a remote machine using kernel debugging with windbg?

Topic created on: February 24, 2010 23:45 CST by ronnie291983.

I was able to connect with windbg, but when I tried to enumerate loaded modules it only showed the .sys files loaded in the remote system.

Can anybody help me in finding and debugging executable loaded in the remote system?

  RabidCicada     March 5, 2010 10:35.58 CST
There could be many issues at hand but:

You can manually walk the LDR_MODULE structs in the PEB_LDR_DATA struct as depicted by the Windows memory layout https://www.openrce.org/reference_library/files/reference/Windows%20Memory%20Layout,%20User-Kernel%20Address%20Spaces.pdf.

Any reason to expect that there is purposeful module hiding? Or could you have your tool configured wrong?
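The list walk RabidCicada describes, as an added example (not code from the thread): a debugger-style walker over PEB_LDR_DATA.InLoadOrderModuleList, run against a constructed 32-bit memory image. The structure offsets are the classic x86 layout and are an assumption; the module names and addresses are made up for the sample.

```python
import struct

# Classic 32-bit offsets (assumption: x86 target, not under WOW64).
LDR_INLOADORDER_LIST = 0x0C   # PEB_LDR_DATA.InLoadOrderModuleList (LIST_ENTRY)
ENTRY_DLLBASE = 0x18          # LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_SIZEOFIMAGE = 0x20      # LDR_DATA_TABLE_ENTRY.SizeOfImage
ENTRY_BASEDLLNAME = 0x2C      # LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING)
ENTRY_SIZE = 0x34             # bytes needed to cover the fields above
IMAGE_BASE = 0x7FF00000       # where the constructed sample image is mapped

def walk_load_order(read, ldr_addr, max_entries=512):
    """Follow InLoadOrderModuleList from the PEB_LDR_DATA at ldr_addr.
    read(addr, n) returns n bytes of target memory, like a debugger read.
    The list is circular and ends when Flink returns to the head; the cap and
    the seen-set guard against a corrupted or deliberately looped list."""
    head = ldr_addr + LDR_INLOADORDER_LIST
    flink, = struct.unpack_from("<I", read(head, 4))
    modules, seen = [], set()
    while flink != head and flink not in seen and len(modules) < max_entries:
        seen.add(flink)
        entry = read(flink, ENTRY_SIZE)        # InLoadOrderLinks sits at offset 0
        base, = struct.unpack_from("<I", entry, ENTRY_DLLBASE)
        size, = struct.unpack_from("<I", entry, ENTRY_SIZEOFIMAGE)
        length, _maxlen, buf = struct.unpack_from("<HHI", entry, ENTRY_BASEDLLNAME)
        modules.append((base, size, read(buf, length).decode("utf-16-le")))
        flink, = struct.unpack_from("<I", entry, 0)
    return modules

def build_image(mods):
    """Constructed sample memory: PEB_LDR_DATA at IMAGE_BASE plus one entry per module."""
    mem = bytearray(0x1000)
    head = IMAGE_BASE + LDR_INLOADORDER_LIST
    entries = [IMAGE_BASE + 0x100 + i * 0x40 for i in range(len(mods))]
    ring = [head] + entries                    # head -> e0 -> e1 -> ... -> head
    for i, addr in enumerate(ring):            # write Flink/Blink for every node
        struct.pack_into("<II", mem, addr - IMAGE_BASE, ring[(i + 1) % len(ring)], ring[i - 1])
    for i, (entry, (base, size, name)) in enumerate(zip(entries, mods)):
        off, s = entry - IMAGE_BASE, name.encode("utf-16-le")
        str_addr = IMAGE_BASE + 0x800 + i * 0x40
        mem[str_addr - IMAGE_BASE:str_addr - IMAGE_BASE + len(s)] = s
        struct.pack_into("<I", mem, off + ENTRY_DLLBASE, base)
        struct.pack_into("<I", mem, off + ENTRY_SIZEOFIMAGE, size)
        struct.pack_into("<HHI", mem, off + ENTRY_BASEDLLNAME, len(s), len(s) + 2, str_addr)
    return lambda addr, n: bytes(mem[addr - IMAGE_BASE:addr - IMAGE_BASE + n])

# Constructed sample: a user-mode process with its EXE and two system DLLs.
SAMPLE_MODULES = [(0x00400000, 0x00010000, "target.exe"),
                  (0x77D40000, 0x000C0000, "ntdll.dll"),
                  (0x7C800000, 0x000F6000, "kernel32.dll")]

def demo():
    return walk_load_order(build_image(SAMPLE_MODULES), IMAGE_BASE)
```

In a live kernel-debugging session the `read` callback would be the debugger's memory read after switching into the target process context; comparing this walk against the debugger's own module list is one way to notice an unlinked entry.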

  RabidCicada     March 5, 2010 10:47.01 CST
You can also run into problems viewing all loaded modules if you are debugging at the wrong level in terms of x86/x64 on a system where the OS is x64 and the application is x86.

When that happens Windows loads the application under its syswow emulation layer.

If you are debugging using x64 Windbg you will only see the stuff that is run at x64 level (syswow etc).  If you run the x86 windbg, then windbg is also running "on top of" the syswow emulation layer but "under" your target program and you will see much more informative and expected output.

Effectively x86 Windbg thinks it's running at the normal OS level, and syswow takes care of translating expected calls and structures so that it returns information as if the syswow layer were the OS.  Your entire x86 process, the modules loaded by the target x86 process, and x86 windbg will all be loaded "on top of" the syswow layer.

As a side note, there are ways to get the x64 windbg to see the stuff on top of the emulation layer, but I forget the commands etc.
