General usage

REVEN integrates WinDbg at multiple stages of the workflow. See the parent page for more information.

This page contains general information about the possible usage and limitations of WinDbg in both the debugger-assisted recording and the trace analysis use cases.

Reading the state

Most commands that read the current state of the debuggee will work. For example:

  • lm (after .reload, which must be run first)
  • k, dt
  • .tlist, !peb, !handle, !time
  • Reading memory, especially reading structured data
  • etc.

Note that in certain areas (such as interrupts, which are often found at the start of a trace or in a VM), some commands (the call stack or !peb, for example) may return unexpected results. This appears to be due to the state of the target at that point (exception handling).

Navigation is mostly similar whether connected to a trace or a VM. See the next section for specificities when connected to a trace.

  • You can use the basic WinDbg tracing and stepping commands to move in the trace or the VM. For simple commands, like t, WinDbg automatically moves to the next transition.
  • You can set breakpoints using the usual breakpoint commands. The resume command (g) can then be used to jump to the next transition where a breakpoint is hit.

Trace-analysis specificities

When navigating a trace with WinDbg, certain commands cannot fully execute because they reach the end of a trace:

  • Stepping out (gu) of a function that never returns.
  • Resuming the VM (g) when no breakpoint is set (or no set breakpoint is ever hit).

In this case, the bridge will request focus, and allow the user to specify a new transition number to break at.

Hence, whenever you wish to jump to a certain transition number you can:

  1. Deactivate all breakpoints.
  2. Resume the VM.
  3. Select the bridge program.
  4. Enter the new transition number.
  5. Click on "Start".
  6. Select the WinDbg window again: it now has control of the trace.

Moreover, the following navigation commands are not supported:

  • Reverse step in / into / out

Synchronization with Axion

When analyzing a trace, you can synchronize the Axion GUI with WinDbg. In the bridge, set the Sessions combo box to select a session name. You can then select the same session name in an Axion GUI client connected to the same REVEN trace.

Once set up, each time a new transition is selected in WinDbg (for instance by using commands to browse the trace), the same transition is also selected in Axion.

NOTE: if you checked the Create checkbox next to the Sessions combo box, then a new session name will be generated by the bridge upon connecting to the server.

Current known limitations/issues

Regardless of the use case, commands that would end up writing to the debugged system are not supported, even when connecting to a VM:

  • Changing registers
  • Writing to memory
  • Any command that would result in a write to the debuggee's state, such as changing process via .process /i

Note that these do not make sense in the context of a REVEN trace, since the trace is read-only. And while they would make more sense in the context of a VM, they are not supported there either.

Finally, the following WinDbg functionalities are not supported:

  • Memory breakpoints.
  • sx* commands to control the debugger's behavior on common events.