Friday, July 31, 2020

I hate it!

Let me be 100% clear. It really gets on my nerves, to the point where I feel like I should crush my mouse into the desk to feel better. Why on Arrakis did they have to build their operating system in such a way that every item you could think of needs a dedicated tool to investigate it? What was wrong with "everything is a file", uh?

Everything is IUnknown. Wonderful.

- - - Round 1 - - FIGHT! - - -

I wouldn't even object if you had a clear way to scan that.

Want to find the log where DbgPrint wrote stuff? Better download DebugView.exe, run it as administrator, and don't mess with its settings or you won't see anything.
Need to check some NDIS log instead? That will be tracelog.exe for you, plus tracefmt.exe to decode what it captured (not tracert.exe, which is traceroute). Make sure tracefmt shows you got anything at all before you try to use PDB files (well, the TMF files tracepdb.exe extracts from them) to make sense of what you got.
Want to figure out what devices are out there? You'll need c:\program files (x86)\Windows Kits\...\devcon.exe (that's another download for you: it ships with the WDK). Get-PnpDevice in PowerShell at least covers the listing part without a download.

Want to know what drivers are out there? That will be driverquery, sir. But maybe you want a cup of sc query type= driver first (plain sc query only lists Win32 services)? Or some pnputil.exe /enum-drivers to check the driver store?
Want to know what that 1077 error code means? Please use net helpmsg 1077 (it is ERROR_SERVICE_NEVER_STARTED, for the record).

Let's not even talk about where to find 'all the running applications' or their windows.

No wonder they needed PowerShell to make things start working.

Oh, /dev, /sys, /proc. How much I miss you... msinfo32 is such a poor substitute ...
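As an added example (not part of the original post), here is the information the tools above scatter around, gathered from PowerShell into one place, closer to the /proc view the post misses. It assumes Windows 10 with Windows PowerShell 5.1 and the built-in PnpDevice module; parsing pnputil's text output relies on its "Label: value" block layout, which is an assumption about that tool's formatting rather than a documented interface.

```powershell
# Added example (not from the original post): a poor man's /proc for drivers.
# Assumes Windows 10 / Windows PowerShell 5.1 with the built-in PnpDevice module.

function Get-KernelDriverState {
    # Kernel and file-system drivers as service objects: what 'driverquery' and
    # 'sc query type= driver' show, but with state and on-disk path in one row.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Select-Object Name, State, StartMode, PathName |
        Sort-Object State, Name
}

function Get-DriverStorePackage {
    # Parses the text output of 'pnputil /enum-drivers' into objects.
    # Assumption: records are blocks of "Label: value" lines separated by blank lines
    # (the first "Microsoft PnP Utility" banner line has no colon and is skipped).
    $record = [ordered]@{}
    foreach ($line in (& pnputil.exe /enum-drivers)) {
        if ($line -match '^\s*$') {
            if ($record.Count -gt 0) { [pscustomobject]$record; $record = [ordered]@{} }
            continue
        }
        $idx = $line.IndexOf(':')
        if ($idx -gt 0) {
            # "Published Name" -> PublishedName, so it works as a property name
            $key = ($line.Substring(0, $idx).Trim() -replace '\s+', '')
            $record[$key] = $line.Substring($idx + 1).Trim()
        }
    }
    if ($record.Count -gt 0) { [pscustomobject]$record }
}

function Get-ProblemDevice {
    # Present devices that are not in the OK state: the 'devcon status' use case.
    Get-PnpDevice -PresentOnly | Where-Object Status -ne 'OK' |
        Select-Object Status, Class, FriendlyName, InstanceId
}

function Get-Win32ErrorMessage {
    # What 'net helpmsg <code>' prints, without shelling out.
    param([Parameter(Mandatory)][int]$Code)
    (New-Object System.ComponentModel.Win32Exception $Code).Message
}

Get-Win32ErrorMessage 1077
Get-KernelDriverState | Where-Object State -ne 'Running' | Format-Table -AutoSize
Get-DriverStorePackage | Format-Table -AutoSize
Get-ProblemDevice
```

Get-Win32ErrorMessage 1077 returns the same text net helpmsg 1077 prints. None of this needs a download, but the pnputil parser will quietly produce odd property names if the output labels ever change, so check the first record before relying on a given name.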

- - - Round 2 - - FIGHT! - - - 

I wish I could simply reuse my gdb knowledge on Windows binaries, but I haven't found any way to do so. Granted, the Visual Studio debugger does a decent job, but given the size (and the license requirements) of VS, I can hardly install it on every test system where stepping through code might be required.

Easy (in a gdb environment): you'd run gdbserver on the test system and connect from a full-fledged gdb-compatible debugger on the machine that has the source and stuff. Again, I have no clue whether this is possible in the Windows ecosystem. (It is, as it turns out: the Remote Tools for Visual Studio ship msvsmon.exe for exactly this role, and WinDbg has dbgsrv.exe as its process server.)

So what's left is WinDbg, which needs a much smaller package to be installed. I'm going through the GFFault.net tutorial to try to learn that tool.

- - - Round 3 - - FIGHT! - - - 

There's a strace-like tool in https://github.com/DynamoRIO/drmemory ... we'll see whether that makes me a better Windows debugger during 2021 ... forget it: drstrace.exe just crashes when it starts tracing most programs, including something as simple as Notepad.exe >_<
If not, I guess I could at least teach myself https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Just in case you wonder how to enable core dumps on a system without ulimit, check out Windows Error Reporting (its LocalDumps registry key, to be precise). It's not like you hadn't launched the Registry Editor earlier this week, right?
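To make the WER part concrete, here is an added PowerShell example (mine, not the post's) that sets up the LocalDumps key the post is alluding to. It needs an elevated prompt; 'myapp.exe' and C:\CrashDumps are placeholders.

```powershell
# Added example (not from the original post): the 'ulimit -c' equivalent.
# Enables user-mode crash dumps through WER's LocalDumps key. Run elevated.
# Assumption: 'myapp.exe' and C:\CrashDumps are placeholders, not real targets.

function Enable-LocalCrashDump {
    param(
        [string]$Executable,                        # e.g. 'myapp.exe'; omit for the machine-wide default
        [string]$DumpFolder = 'C:\CrashDumps',
        [ValidateSet(0, 1, 2)][int]$DumpType = 2,   # 0 = custom (CustomDumpFlags), 1 = mini, 2 = full
        [int]$DumpCount = 10                        # WER keeps at most this many dumps per key
    )
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
    # A per-application subkey named after the exe overrides the machine-wide values.
    $key = if ($Executable) { Join-Path $base $Executable } else { $base }

    New-Item -Path $DumpFolder -ItemType Directory -Force | Out-Null
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpFolder -Value $DumpFolder -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -Value $DumpType   -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -Value $DumpCount  -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpType, DumpCount
}

function Get-KernelCrashDumpSetting {
    # Kernel-side counterpart (bugcheck dumps), read-only here.
    # CrashDumpEnabled: 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' |
        Select-Object CrashDumpEnabled, DumpFile, MinidumpDir
}

Enable-LocalCrashDump -Executable 'myapp.exe'
Get-KernelCrashDumpSetting
```

A full dump (DumpType 2) carries everything the process had in memory, tokens and key material included, so keep the folder on a test box, restrict its ACL, and delete dumps once they have been loaded into WinDbg. LocalDumps only covers user-mode crashes; for a bugcheck you still depend on the CrashControl setting that Get-KernelCrashDumpSetting reads back.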

- - - Epilogue - - -
Before you install rogue software on your machine, you might want to know that Windows has an md5sum "equivalent" within the Swiss-army-knife certutil tool: certutil /hashfile your_file_name md5. It does SHA256 too (certutil /hashfile your_file_name SHA256), and that is the one to compare against a vendor-published hash: MD5 is collision-broken, so a match only tells you the download wasn't corrupted, not that nobody swapped it.
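As an added example (not from the original post), here is the check a practitioner would actually run before installing a download: SHA-256 against the vendor's published value plus the Authenticode signature. The self-test at the bottom uses an empty temporary file, whose SHA-256 is a known constant; the devcon.exe call is a placeholder with a made-up expected hash, shown only for the shape of the call.

```powershell
# Added example (not from the original post): verify a download before installing it.
# Assumption: the vendor publishes a SHA-256 on a page you fetched separately from the file.

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # SHA-256, not MD5: 'certutil /hashfile X MD5' only proves the copy is intact,
    # since MD5 collisions are cheap; 'certutil /hashfile X SHA256' yields this same value.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = [string]::Equals($actual, $ExpectedSha256.Trim(), [StringComparison]::OrdinalIgnoreCase)

    # Second, independent check: the Authenticode signature binds the file to a publisher cert.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        HashMatches     = $hashOk
        ActualSha256    = $actual
        SignatureStatus = $sig.Status   # Valid / NotSigned / HashMismatch / ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Assert-SafeToInstall {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedSha256)
    $r = Test-DownloadIntegrity -Path $Path -ExpectedSha256 $ExpectedSha256
    if (-not $r.HashMatches -or $r.SignatureStatus -ne 'Valid') {
        throw "Refusing to install $Path`n$($r | Out-String)"
    }
    $r
}

# Self-test on constructed input: an empty file has a fixed, well-known SHA-256.
$tmp = New-TemporaryFile
$selfTest = Test-DownloadIntegrity -Path $tmp.FullName `
    -ExpectedSha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
$selfTest   # HashMatches is True; SignatureStatus is NotSigned, so Assert-SafeToInstall would reject it
Remove-Item $tmp.FullName

# Shape of the real call; the hash here is a placeholder, not devcon's actual value.
# Assert-SafeToInstall -Path "$env:USERPROFILE\Downloads\devcon.exe" -ExpectedSha256 '<vendor-published-sha256>'
```

Fetching the expected hash from the same mirror as the file defeats the purpose; it has to come from a channel the attacker who could swap the file does not control, which is also why the signature check is kept as a second, independent condition.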

2 comments:

PypeBros said...

There again. Colleague has issues with not seeing any of their DbgPrint messages in DebugView. My own notes mention "use debugview in administrator" and "you won't see anything until you configure the levels properly".

Microsoft Doc reminds me to create a key in the registry, then reboot before I can see those DbgPrint messages.

I am so lucky my teammates have developed a cross-platform, integrated way to view debug messages that is space-and-time-and-relative-dimensions-efficient.

edit: wait ... They just sent me a package with debugLevel=DL_INFO instead of debugLevel=WARN since they have their own verbosity-level-filtering macro on top of the one the kernel uses... It seems to unlock tons of stuff ... so likely my registry key wasn't needed at all.

edit: unfortunately, to see anything, I'm forced to use the 'verbose kernel' mode, which dumps tons of useless things as well.

Ah, dmesg... where art thou?
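The "don't mess with its settings" warning in Round 1 and the registry key the comment above refers to are the same thing: the Debug Print Filter. As an added example (neither the commenter's nor the post author's code), here is that key set from PowerShell; it needs an elevated shell and a reboot to take effect.

```powershell
# Added example (not from the post or the comments): make DbgPrint output visible.
# Since Vista, DbgPrint() is DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_INFO_LEVEL, ...) and the
# default filter mask only passes the ERROR level, so nothing shows until DEFAULT is widened.
# Run elevated; the change applies after a reboot.

function Set-DebugPrintFilter {
    param(
        [string]$Component = 'DEFAULT',   # DPFLTR_<name>_ID without prefix/suffix, e.g. IHVDRIVER
        [int]$Mask = 0xF                  # bit per level: 1=ERROR, 2=WARNING, 4=TRACE, 8=INFO
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Component -Value $Mask -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object -Property $Component
}

# Let every DbgPrint through (all four levels of the DEFAULT component).
Set-DebugPrintFilter -Component DEFAULT -Mask 0xF
```

Without a reboot, the same mask can be changed from a kernel debugger with `ed nt!Kd_DEFAULT_Mask 0xF`, and DebugView's "Enable Verbose Kernel Output" widens it at runtime too, which is why that mode floods the view with every driver's INFO traffic. The cleaner fix on the driver side is DbgPrintEx with a component ID of your own (DPFLTR_IHVDRIVER_ID, for instance) and a mask set on IHVDRIVER rather than DEFAULT, so only your messages get through.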

PypeBros said...

other items in the 'windriver survival kit':
- c:\windows\inf\setupapi.dev.log will gather info about installing/removing drivers. Most windows tools won't auto-update as it changes, though.
- sc start|stop FILTER_DRIVER_NAME to send control commands that enable/disable the filter without installing/uninstalling it. (You get the FILTER_DRIVER_NAME with driverquery, mentioned in the body of the post.)
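As an added example (not from the comment), the two survival-kit items above as PowerShell functions; 'MyFilter' stands in for the service name driverquery reports.

```powershell
# Added example (not from the comment): setupapi.dev.log tailing and driver start/stop.
# Assumption: 'MyFilter' is a placeholder for the driver's service name from driverquery.

function Watch-SetupApiLog {
    # 'tail -f' for the driver-installation log; Ctrl-C to stop. Get-Content -Wait polls
    # the file for new lines, which is what the GUI tools mentioned above don't do.
    param([int]$Lines = 30)
    Get-Content -Path "$env:SystemRoot\inf\setupapi.dev.log" -Tail $Lines -Wait
}

function Invoke-DriverControl {
    # Start, stop or query a driver service without uninstalling it. Note the '.exe':
    # in Windows PowerShell 5.1, bare 'sc' is an alias for Set-Content, so 'sc start MyFilter'
    # silently writes a file named 'start' instead of talking to the service controller.
    param(
        [Parameter(Mandatory)][ValidateSet('start', 'stop', 'query')][string]$Verb,
        [Parameter(Mandatory)][string]$ServiceName
    )
    $out = & sc.exe $Verb $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0) {
        # sc.exe exits with the Win32 error code; decode it the way 'net helpmsg' would.
        $msg = (New-Object System.ComponentModel.Win32Exception $LASTEXITCODE).Message
        throw "sc.exe $Verb $ServiceName failed ($LASTEXITCODE): $msg"
    }
    $out
}

Invoke-DriverControl -Verb query -ServiceName MyFilter
# Invoke-DriverControl -Verb stop  -ServiceName MyFilter
# Watch-SetupApiLog
```

Stopping a filter driver only works if it supports unload and nothing still holds it attached; a 1051 or 1052 from the throw above is the service controller telling you exactly that.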