WinDbg Commands Cheatsheet



Shows the stack of the current thread.

kb : Displays the first three arguments passed to each stack entry.

kp : Displays more information including the name and type of the parameters for each stack entry.


Shows all threads, the current been debugging thread will have a dot ahead like the thread 2 shown below.

0:002> ~
0  Id: 5a0.1f8 Suspend: 1 Teb: 7ffdd000 Unfrozen
1  Id: 5a0.158 Suspend: 1 Teb: 7ffdc000 Unfrozen
.  2  Id: 5a0.b28 Suspend: 1 Teb: 7ffdb000 Unfrozen

We can use ~*kb(or ~*kp) to enumerate all threads and print their stack trace information.

Read More »

Avoid Mass Assignment in ASP.NET MVC


Copied from here

One of the scenarios that I always demonstrate during an ASP.NET MVC class is how to create a mass assignment vulnerability and then execute an over-posting attack. It is a mass assignment vulnerability that led to a severe problem on github last week.

Let’s say you have the following model.

public class User
    public string FirstName { get; set; }
    public bool IsAdmin { get; set; }

When you want to let a regular user change their first name, you give them the following form.

@using (Html.BeginForm()) {
     @Html.EditorFor(model => model.FirstName)
    <input type="submit" value="Save" />

There is no input in the form to let a user set the IsAdmin flag, but this won’t stop someone from crafting an HTTP request with IsAdmin in the query string or request body. Maybe they saw the “IsAdmin” name somewhere in a request displaying account details, or maybe they just got lucky and guessed the name.

Read More »

Handle Leak Analysis via WinDbg


This article illustrates how to investigate the handle leak via WinDbg.

The idea is to take two snapshots and compare them to find out the code where handle was allocated during the period.

Read More »

Hide Console Window From Process Start


Copied from here

I had a similar issue when attempting to start a process without showing the console window. I tested with several different combinations of property values until I found one that exhibited the behavior I wanted.

Here is a page detailing why the UseShellExecute property must be set to false.

Under Remarks section on page:

If the UseShellExecute property is true or the UserName and Password properties are not null, the CreateNoWindow property value is ignored and a new window is created.

ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.FileName = fullPath;
startInfo.Arguments = args;
startInfo.RedirectStandardOutput = true;
startInfo.RedirectStandardError = true;
startInfo.UseShellExecute = false;
startInfo.CreateNoWindow = true;

Process processTemp = new Process();
processTemp.StartInfo = startInfo;
processTemp.EnableRaisingEvents = true;
catch (Exception e)

Written with StackEdit.

Read More »

WinDbg Incorrect Stack Trace


copied from MDA-Anthology Page288.

One of mistakes beginners make is trusting WinDbg !analyze or kv commands displaying stack trace. WinDbg is only a tool, sometimes information necessary to get correct stack trace is missing and therefore some critical thought is required to distinguish between correct and incorrect stack traces. I call this pattern Incorrect Stack Trace. Incorrect Stack Traces usually

  • Have WinDbg warning: “Following frames may be wrong”
  • Don’t have the correct bottom frame like kernel32!BaseThreadStart (in user-mode)
  • Have function calls that don’t make any sense
  • Have strange looking disassembled function code or code that doesn’t make any sense from compiler perspective
  • Have ChildEBP and RetAddr addresses that don’t make any sense

Read More »