> dd esp L1
> ed esp 41414141
> dd esp L1
> da esp
> ea esp "AAAA"
> da esp
Search memory space:
> ed esp 41414141
> s -d 0 L?80000000 41414141
> s -a 0 L?80000000 "This program cannot be run in DOS mode"
Work with registers:
> r
> r eax
> r eax=41414141
Work with software breakpoints:
> bp kernel32!WriteFile
> bl
> bd 0
> be 0
> bc 0
> bc *
> lm m ole32
> bu ole32!WriteStringStream
> bl
Breakpoints and actions:
BOOL WriteFile(
HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite, // Write to file "hello" -> "db esp+0x0c L1" is 04 (length of "hello", also in esi register)
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
);
> bp kernel32!WriteFile ".printf \"The number of bytes written is: %p\", poi(esp + 0x0C);.echo;g"
> bp kernel32!WriteFile ".if (poi(esp + 0x0C) != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
> bp kernel32!WriteFile ".if (@esi != 4) {gc} .else {.printf \"The number of bytes written is 4\";.echo;}"
Work with hardware breakpoints:
// Before: write "w00tw00t" to a file, save the file, close Notepad, re-open the file
> s -a 0x0 L?80000000 w00tw00t
> s -u 0x0 L?80000000 w00tw00t
> ba w 2 00b8b238
> du
00b8b238 "a00tw00t"
![[Pasted image 20230924234241.png]]
Step through code:
> p // step over
> t // step into
> pt // step to next return
> ph // execute code until a branching instruction is reached
List modules and symbols:
> .reload /f
> lm
> lm m kernel*
> x kernelbase!CreateProc*
