Let me be 100% clear. It really gets on my nerves to the point I feel like I should crush my mouse into the desk to feel better. Why on Arrakis did they have to make their operating system in such a way that every item you could think of needs a dedicated tool to be investigated. What was wrong with "everything is a file", uh ?
Everything is IUnknown. Wonderful.
- - - Round 1 - - FIGHT! - - -
I wouldn't even object if you had a clear way to scan that.
Want to find the log where DbgPrint wrote stuff ? Better download debugview.exe and don't mess with its settings or you won't see anything.
Need to check some NDIS log instead ? That will be tracelog.exe for you. But make sure to check you got anything with tracert.exe before you try to use PDB files to make sense of what you got.
Want to figure out what devices are out there ? You'll need c:\program files (x86)\Windows Kits\...\devcon.exe (that's another download for you).
Want to know what drivers are out there ? That will be driverquery, sir. But maybe you want a cup of sc query first ? Or some pnputil.exe /enum-drivers to check the drivers cache ?
Want to know what that 1077 error code means ? Please use net helpmsg 1077.
Let's not even talk about where to find 'all the running applications' or their windows.
No wonder they needed PowerShell to make things start to work.
Oh, /dev, /sys, /proc. How much I miss you... msinfo32 is such a poor substitute ...
- - - Round 2 - - FIGHT! - - -
I wish I could simply use my knowledge of gdb on Windows binaries, but I haven't found any way to do so. Granted, Visual Studio debugger does a decent job, but given the size (and the license requirement) of VS, I can hardly install that on every test system on which stepping through code might be required.
Easy (in a gdb environment): you'd use gdbserver on the 'test system' and connect from your full-fledged gdb-compatible debugger on the machine that has the source and stuff. Again, I have no clue whether this is possible in the Windows ecosystem.
So what's left is WinDbg, which requires a much smaller package to be installed. I'm going through the GFFault.net tutorial to try figuring out how to learn that tool.
- - - Round 3 - - FIGHT! - - -
There's a strace-like tool in https://github.com/DynamoRIO/drmemory ... we'll see whether that makes me a better windebugger during 2021 ... forget it: drstrace.exe just crashes when starting to trace most programs, including something as simple as Notepad.exe >_<
If not, I guess I could at least teach myself https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Just in case you wonder how to enable core dumps on a system without ulimit, check out Windows Error Reporting. It's not like you hadn't launched the Registry Editor earlier this week, right ?
- - - Epilogue - - -
Before you install rogue software on your machine, you might want to know that Windows has an md5sum "equivalent" within the swiss-knife certutil tool: certutil /hashfile your_file_name md5.
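Since certutil's output format is not as script-friendly as md5sum's (older builds print the digest with spaces between byte pairs, and there is always a header and a footer line), here is an added PowerShell example, not from the original post, that wraps it into a "verify before you install" check. The file path and expected hash are placeholders you replace with your own values; the Get-FileHash cross-check is an assumption that you run PowerShell 4 or later.

```powershell
# Added example: verify a downloaded file against a vendor-published hash
# using certutil /hashfile, before installing it.
param(
    [string]$Path         = 'C:\Downloads\installer.exe',   # placeholder
    [string]$ExpectedHash = '<hash-from-vendor-page>',      # placeholder
    [ValidateSet('MD5','SHA1','SHA256')][string]$Algorithm = 'SHA256'
)

function Get-CertutilHash {
    param([string]$Path, [string]$Algorithm)
    # certutil prints: a "<ALG> hash of <file>:" header, the digest, and a
    # "CertUtil: -hashfile command completed successfully." footer.
    # Older Windows builds separate the digest's byte pairs with spaces,
    # so the line is matched on hex digits plus whitespace and then squeezed.
    $out = & certutil.exe /hashfile $Path $Algorithm
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed with exit code $LASTEXITCODE"
    }
    $hashLine = $out | Where-Object { $_ -match '^[0-9a-fA-F ]+$' } |
        Select-Object -First 1
    if (-not $hashLine) { throw "no digest line found in certutil output" }
    return ($hashLine -replace '\s', '').ToLowerInvariant()
}

$actual   = Get-CertutilHash -Path $Path -Algorithm $Algorithm
$expected = ($ExpectedHash -replace '\s', '').ToLowerInvariant()

# Cross-check with Get-FileHash where available (PowerShell 4+); MD5 is
# accepted only because the post mentions it, prefer SHA256 for new checks.
if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
    $ps = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()
    if ($ps -ne $actual) {
        Write-Warning "certutil ($actual) and Get-FileHash ($ps) disagree"
    }
}

if ($actual -eq $expected) {
    Write-Output "OK: $Algorithm($Path) = $actual"
    exit 0
} else {
    Write-Output "MISMATCH: expected $expected, got $actual"
    exit 1
}
```

Run it as .\Verify-Download.ps1 -Path <file> -ExpectedHash <hash> -Algorithm SHA256; the exit code (0 on match, 1 on mismatch) makes it usable from a batch script or a scheduled task.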