Author Archives: chentiangemalc

Generally, my go-to debugging technique is Time Travel Tracing (TTD.exe). However, without full Symbols for Windows, some types of analysis can be a little tedious creating scripts to dump the API parameters etc. In addition, while you can use breakpoint … Continue reading →

Sometimes I’m working in environments where I can’t copy in any tools for troubleshooting and sometimes simply analyzing the strings in an .EXE gives many useful clues to how it works. Here is a simple version of strings utility that … Continue reading →

Here is a script I wrote experimenting with resolving API Set function calls to on disk module/function/offset.

Replicating the behavior of classic command line tool tree in PowerShell. By default only displays directories, add -ShowFileNames switch to show filenames as well. Script is here https://github.com/chentiangemalc/PowerShellScripts/blob/master/Get-TreeView.ps1 Usage:

An issue you will likely come across if debugging VB6 apps with the inbuilt VB6 runtime built into Windows 8+ is that symbols don’t seem to be available via the Microsoft Symbol Server. This makes VB6 stack traces completely bonkers … Continue reading →

Trying to create a DART recovery image, got the message during the installation from Microsoft Desktop Optimization Pack 2015 running installer from \DaRT\DaRT 10\Installers\en-us\x64\MSDart100.msi However, the latest Windows ADK + Windows PE ADK component has been installed. Suspected the issue … Continue reading →

First you will need to download PDF Sharp and build with Visual Studio the solution “BuildAll-PdfSharp.sln” and then obtaining the output PdfSharp.dll and placing in same directory as script. Takes a specified folder of PDFs and combines them into an … Continue reading →

Previously we looked at removing Office Macro Passwords with PowerShell here. This script can be used to retrieve the master password (i.e. database design password) for many Microsoft Access Database files (.mdb) Note this does not work with databases that … Continue reading →

Was comparing an application behavior between Windows XP and Windows 10 and needed to check the value of some structs, without symbol information for them. The values I wanted to check were specific bits in the struct passed as the … Continue reading →

I wanted to debug startup of a 16-bit DOS driver on 32-bit Windows 10 with NTVDM, however attempts to attach debugger / Time Travel Debugging Trace to NTVDM startup process was triggering access violations and causing NTVDM.exe to crash. Once … Continue reading →