Hey vulnerability-researcher,
Here are some tips for documenting the reversing work you are doing.
version 1 Jan 19, 2016.
- document the OS:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
- alternate way to document the OS (via reg query):
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber
- get a list of installed security updates:
run PowerShell as admin and type:
get-hotfix | find "Security Update"
reference: http://stackoverflow.com/questions/815340/how-do-i-get-a-list-of-installed-updates-and-hotfixes
- IE versions via reg query:
REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v Version
REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcUpdateVersion
REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcVersion
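To capture everything above in one go, here is an added PowerShell script (not part of the original post) that reads the same systeminfo fields, registry values and hotfix list and writes them to a timestamped file so the record can sit next to the windbg log; the output directory C:\directory_name is an assumption, and it should be run from an elevated prompt so Get-HotFix returns the full list.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.x
# and an elevated prompt; the output directory is an assumption.
$outDir  = 'C:\directory_name'
$stamp   = Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'
$outFile = Join-Path $outDir "env_$stamp.txt"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The same keys and value names the REG QUERY lines above use
$ntKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ieKey = 'HKLM:\Software\Microsoft\Internet Explorer'
$ntValues = 'ProductName','EditionID','CSDVersion','BuildLabEx',
            'CurrentVersion','CurrentBuild','CurrentBuildNumber'
$ieValues = 'Version','svcUpdateVersion','svcVersion'

function Read-RegValues([string]$Key, [string[]]$Names) {
    # Read each value by name so a missing one (e.g. CSDVersion on a build
    # without a service pack) is recorded as <not set> instead of aborting.
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $v = if ($null -ne $item -and $null -ne $item.$n) { $item.$n } else { '<not set>' }
        '{0,-20} = {1}' -f $n, $v
    }
}

$report = @(
    "=== collected $stamp on $env:COMPUTERNAME ==="
    ''
    '--- systeminfo ---'
    (systeminfo | Select-String -Pattern '^(OS Name|OS Version|System Type)')
    ''
    "--- $ntKey ---"
    (Read-RegValues $ntKey $ntValues)
    ''
    "--- Internet Explorer ($ieKey) ---"
    (Read-RegValues $ieKey $ieValues)
    ''
    '--- security updates (Get-HotFix) ---'
    (Get-HotFix | Where-Object Description -eq 'Security Update' |
        Sort-Object InstalledOn |
        Format-Table HotFixID, InstalledOn -AutoSize | Out-String)
)

$report | Out-File -FilePath $outFile -Encoding utf8
Write-Host "environment record written to $outFile"
```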
Are you using windbg for debugging and looking for ways to document your debugging sessions?
Before issuing the 'g' command after attaching windbg to the process:
- open a logfile where all your commands and their outputs will get stored:
.logopen /t C:\directory_name\target.txt
(the above command adds a timestamp to the log file name, so earlier logfiles will not get overwritten.)
- document the OS:
vertarget
- document the state of gflags:
!gflag
- document the symbol paths:
.sympath
- after triggering the vulnerability (crashing), consider executing:
!analyze -v
- after you are done debugging, don't forget to close the logfile:
.logclose
To document the version of IE you are debugging from within windbg:
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v Version
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcUpdateVersion
.shell -ci "*" REG QUERY "HKLM\Software\Microsoft\Internet Explorer" /v svcVersion
@v1m