
I'm using the infamous Blackbone library to map / inject another module into a different process and execute its code.

Usually, to debug the injected module, I have to attach WinDbg's debugger to the hijacked process, scan loaded modules using the .imgscan command and load symbols accordingly.

I was wondering if such a thing is possible using good old Visual Studio. Within VS there is an option, the Symbols tab, to load all symbols for all loaded modules, but this doesn't achieve the same effect as .imgscan /l does. So I end up with an unresolved call stack (only memory addresses) and disassembly only.

igal k
  • @HansPassant: Not with injected modules... See https://social.msdn.microsoft.com/Forums/vstudio/en-US/7ea7dd27-fe9e-4118-988d-567f1dd452ba/how-to-debug-injected-remote-thread-with-symbols-not-a-dll-just-a-thread?forum=windbg etc. – conio Nov 01 '16 at 14:39
  • 2
    But the DLL is not in the Modules window list so it's kind of hard to right click it. – conio Nov 01 '16 at 21:37

1 Answer

I doubt anything has changed since you asked Setting up visual studio c++ debugger to support symbols for modules loaded from memory. The answer is still:

WinDbg is a low-level debugger that allows you to do that. The Visual Studio debugger is a not-so-low-level debugger and can't do that.

Blackbone willfully and maliciously removes the module from the PEB loaded modules lists (see BBUnlinkFromLoader), if it even bothers to load them in a more or less reasonable way. You want to hide a module from the modules list? VS says: "Fine."

If it's so important to you, you can try to use the WinDbg debugger from the Visual Studio GUI, but it will still be WinDbg with all its benefits and drawbacks. (Requires installing the WDK, I think.)

conio