WinAppDbg comes with a collection of tools useful for common tasks when debugging or fuzzing a program. The most important tool, the Crash logger, attaches to any number of target processes and collects crash dump information in a SQL database. It can also apply heuristics to discard multiple occurrences of the same crash.
The source code of these tools can also be read for more examples on programming using WinAppDbg.
Attaches as a debugger or starts a new process for debugging. Whenever an interesting debug event occurs (i.e. a bug is found) it can save the info to a database (SQLite, MySQL, SQL Server, etc.) and/or log it through standard output.
A heuristic signature can be used to try to determine whether two crashes were caused by the same bug, in order to discard duplicates. It can also try to guess how exploitable the found crashes would be, using heuristics similar to those of !exploitable.
Additional features allow attaching to system services, setting breakpoints at the target process(es), attaching to spawned child processes, restarting crashed processes, and running a custom command when a crash is found.
Settings are defined in a Unix-style configuration file. Here’s a template file you can use, where all options are explained.
Shows the contents of the crashes database to standard output.
These tools were inspired by the ptools suite by Nicolás Economou.
Extremely simple command line debugger. Its main feature is being written entirely in Python, so it's easy to modify or write plugins for it.
Traces execution of a process. It supports three methods: single stepping, single stepping on branches, and native syscall hooking.
Forces a process to load a DLL library of your choice.
pfind.py:
Finds the given text, binary data, binary pattern or regular expression in a process memory space.
plist.py:
Shows a list of all currently running processes.
pmap.py:
Shows a map of a process memory space.
pread.py:
Reads the memory contents of a process to standard output or any file of your choice.
Writes to the memory of a process from the command line or any file of your choice.
pkill.py:
Terminates a process or a batch of processes.
Dumps all ASCII strings from a live process.
Allows you to create a new process specifying any other process as its parent, and inherit its handles. See the blog post by Didier Stevens for the original C version.
Shows a hexadecimal dump of the contents of a file.