debugging of complex 64b targets and proper tools
 

Hi all,
I need to debug a complex program under a win 64 system, for complex I don't mean a protected target, but a target very big with several dlls loaded and released, partially written in .NET and native code.

So I investigated a little what 64 bit debuggers were present. Olly has to be excluded unfortunately, but there were two other alternatives I found:

• IDA64: I still honestly have not tried it under 64b platform because I hate its debugging interface and think that it's quite unusable. Beside this IDA64 is still less advanced than its 32b version, because it lacks some important features (e.g. the decompiler wont' support 64b code) and has some bugs (e.g. the disassmbly engine often doesn't recognize double words, references and portions of functions)
• BugDb64 (http://forum.exetools.com/showthread.php?t=14539): I tried this promising one since it's a nice mixture of SoftICE commands and Olly interface. But unfortunately it still lacks several important functionalities and some already present don't work (it's a pre-alpa therefore it's normal). For my target for example I needed to break on a specific dll when it was being loaded by the program, but the command supposed to to that simply doesn't work. It's as well impossible to enter into a specific module (like Olly does) to add breakpoints or any other stuff in a specifi portion of code.

So I'm now stuck with static patching (under IDA64) and offline tests if the patch works.

The question is therefore which other tools I have to succesfully debug and patch 64b applications. It seems like several tools still are just not being ported to 64b. And of course which are your experiences!

BR,
Shub

WinDBG, PEBrowseDbg64 and HIEW for patching

I just preferred something more "visual". What about VisualDuxDbgSetup.zip ? Anyone tried it already? Which limitations has the free version?

strange, I have tested bpdll command under win7 & win8 and it works fine, maybe try using a wildcard e.g. bpdll *your.dll
If that doesn't help I'd be happy to investigate it, just send me PM with target app or link.

you can see loaded dll's in command window then press g in dissasembly window to jump into that module or you can use x (eXamine symbol) command e.g. x user32_* to list exported function to get function addr then set bp on it or disassemble it.

As for Visual DuxDebugger, I'm a bit bias but I think is a hideous piece of software. Current version is 3.9 but it feels like pre-alfa e.g. instead jumps to imports:

JMP [ntdll!RtlExitUserProcess]
JMP [user32!MessageBoxA]

you like see something like this

JMP [RIP+0xf8c]
JMP [RIP+0xf96]

Ok, i admit you will never like the WinDBG because of its interface and the vast array of commands , but it's surely the most powerful debugger out there for ring0/ring3 debugging. Moreover it can handle tons of stuff that no other debugger can do for you right now, at least under x64 platform until "SoftIce64" will be available :) Think about this, i am sure it is the best choice, thats why i am spending a bit of time every day to learn it in depth. As for direct patching, Hiew, no doubt ;)

WinDBG is definitely the best option in my experience. You should be able to use the WinDbg engine in IDA now I think as well. WinDbg isn't too bad to get use to, and its powerful and scriptable. Debugging services is simple too, you can set your target to execute in WinDbg when the service starts: http://support.microsoft.com/kb/824344

I agree with you, even if i can't still figure out why the command pause+call_stack doesn't work properly in my debugging session as though Ollydbg (F12+k) :-/