What is WinAppDbg?
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.
The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for this purposes.
Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.
What’s new in this version?
In a nutshell…
- full 64-bit support (including function hooks!)
- added support for Windows Vista and above.
- database code migrated to SQLAlchemy, tested on:
- SQLite 3
- Microsoft SQL Server
should work on other servers too (let me know if it doesn’t!)
- added integration with more disassemblers:
- BeaEngine: http://www.beaengine.org/
- Capstone: http://capstone-engine.org/
- Libdisassemble: http://www.immunitysec.com/resources-freesoftware.shtml
- PyDasm: https://code.google.com/p/libdasm/
- added support for postmortem (just-in-time) debugging
- added support for deferred breakpoints
- now fully supports manipulating and debugging system services
- the interactive command-line debugger is now launchable from your scripts (thanks Zen One for the idea!)
- more UAC-friendly, only requests the privileges it needs before any action
- added functions to work with UAC and different privilege levels, so it’s now possible to run debugees with lower privileges than the debugger
- added memory search and registry search support
- added string extraction functionality
- added functions to work with DEP settings
- added a new event handler, EventSift, that can greatly simplify coding a debugger script to run multiple targets at the same time
- added new utility functions to work with colored console output
- several improvements to the Crash Logger tool
- integration with already open debugging sessions from other libraries is now possible
- improvements to the Process and GUI instrumentation functionality
- implemented more anti-antidebug tricks
- more tools and code examples, and improvements to the existing ones
- more Win32 API wrappers
- lots of miscellaneous improvements, more documentation and bugfixes as usual!
Where can I find WinAppDbg?
HTML format (offline)
PDF format (suitable for printing)
Acknowledgements go to Arthur Gerkis, Chris Dietrich, Felipe Manzano, Francisco Falcon, @Ivanlef0u, Jean Sigwald, John Hernandez, Jun Koi, Michael Hale Ligh, Nahuel Riva, Peter Van Eeckhoutte, Randall Walls, Thierry Franzetti, Thomas Caplin, and many others I’m probably forgetting, who helped find and fix bugs in the almost eternal beta of WinAppDbg 1.5! ;)