{"id":7786,"date":"2021-05-03T12:25:16","date_gmt":"2021-05-03T12:25:16","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7786"},"modified":"2021-05-03T13:05:27","modified_gmt":"2021-05-03T13:05:27","slug":"non-debugging-uses-of-cdb","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/05\/03\/non-debugging-uses-of-cdb\/","title":{"rendered":"Non-debugging uses of CDB"},"content":{"rendered":"\n

Catching up with another tweet<\/a> from 3 months ago.<\/p>\n\n\n\n

VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it during engagement. Other than the obvious “I can run and manipulate other processes with it”, here are 2 other ideas:<\/p>\n\n\n\n

AeDebug setup<\/strong><\/p>\n\n\n\n

Using -iae -iaec options you can use cdb.exe to install itself as a AeDebug debugger. So, if you do so, cdb.exe will be the signed Microsoft binary doing the dirty deed for you, and you can then swap it with your malicious cdb.exe.<\/p>\n\n\n\n

-iae install as AeDebug debugger
-iaec install as AeDebug debugger with given command tail<\/pre>\n\n\n\n
Launch programs via COMSPEC abuse<\/strong><\/p>\n\n\n\n
Cdb allows us to switch to shell temporarily, a bit like ftp.exe<\/a>, and lo-and-behold, it relies on COMSPEC environment variable too. Hence we can launch a program via it e.g. like this:<\/p>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n\n\n\n
The obvious question is – why – after all, cdb.exe is a debugger and we can launch programs anyway. Apart from the obvious “why not” – this way we can launch a program w\/o debugging flags (e.g. DEBUG_ONLY_THIS_PROCESS).<\/p>\n","protected":false},"excerpt":{"rendered":"
Catching up with another tweet from 3 months ago. VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it during engagement. Other than the obvious “I can run and … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7786"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7786"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7786\/revisions"}],"predecessor-version":[{"id":7792,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7786\/revisions\/7792"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}