Introduction to Windbg2ida

 Windbg2ida records each step (instruction) executed in Windbg into a dump file that you can load later in IDA, where every instruction you ran is colored to show code coverage.


You can use Windbg2ida to see the differences between two or more code coverage runs in IDA.

How to use?

    -   Load Script


      Download windbg2ida from its GitHub repository, or clone it with git:

    git clone https://github.com/SinaKarvandi/windbg2ida.git

      Open Windbg and load the windbg2ida.js script (replace the path with the path to windbg2ida.js on your computer):

    	.load jsprovider.dll
    	.scriptload "C:\Users\Sina\Desktop\windbg2ida\windbg2ida.js"

      Important note: if you can't load the script, or the script gives you errors about using files, make sure to update your Windbg (Windows SDK) to the latest version, as previous versions have problems with file access from JavaScript.


    -   Examples


  •       The simplest example is to execute until the return of the current function. (Replace the path where the dump is saved.)

        	!windbg2ida_run_until_ret "c:\\users\\sina\\desktop\\dump1.w2i"

  •       If you want to run a specific number of instructions (e.g. 100 instructions). (Replace the path where the dump is saved.)

        	!windbg2ida_run_with_limitation 100,"c:\\users\\sina\\desktop\\dump1.w2i"

  •       If you want to execute until a specific address is executed. (Replace the path where the dump is saved and the address(es).)

        	!windbg2ida_run_until_address "fffff80617bc4622,fffff80617bc4628,fffff80617bc462a","c:\\users\\sina\\desktop\\dump1.w2i"

  •       If you want to execute until a specific address is executed or until Windbg reaches the return of the current function. (Replace the path where the dump is saved and the address(es).)

        	!windbg2ida_run_until_address_or_return "fffff80617bc4622","c:\\users\\sina\\desktop\\dump1.w2i"



        -   Show Dump in IDA


    Now, in order to use your dump file(s), copy them into the "w2i Files" folder next to IDAScript.py, then in IDA go to File > Script file... and select IDAScript.py.

    Each time you run IDAScript.py, all the .w2i files in the "w2i Files" folder are loaded and their graphs are colorized in IDA. See the "Output Window" for more details (e.g. the functions whose colors changed).
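    The colorizing step above has to decide what color a line gets when more than one .w2i file covers it. The following is an added example, not code from the windbg2ida project or its IDAScript.py: it merges several coverage dumps into one address-to-color map and reports which addresses differ between two runs. The input format it parses (one hex address per line, `#` starting a comment), the constants `DEFAULT_COLORS` and `SHARED_COLOR`, and the helper names are all constructed for this example; the format is not the real .w2i layout, and the README's color value 0x36AC29 is assumed to be RGB.

```python
# Added example, not code from the windbg2ida project: merge several coverage
# dumps and decide one color per address, the kind of decision a script such
# as IDAScript.py has to make when more than one .w2i file covers a line.
# The dump format below (one hex address per line, '#' starts a comment) is
# constructed for this example and is NOT the real .w2i layout.

DEFAULT_COLORS = [0x36AC29, 0x2980B9, 0xE67E22]  # first value is the README's example color (assumed RGB)
SHARED_COLOR = 0xC0C0C0                           # constructed: lines reached by more than one dump


def parse_dump(text):
    """Return the set of executed addresses in a constructed dump."""
    addrs = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if line:
            addrs.add(int(line, 16))
    return addrs


def merge_coverage(dumps, colors=DEFAULT_COLORS, shared_color=SHARED_COLOR):
    """dumps: list of (name, address-set) in the order the dumps were loaded.
    Addresses reached by exactly one dump get that dump's color; addresses
    reached by several dumps get shared_color, so the lines that differ
    between runs stand out in the graph. Returns {address: color}."""
    hits = {}
    for idx, (_name, addrs) in enumerate(dumps):
        for a in addrs:
            hits.setdefault(a, []).append(idx)
    colored = {}
    for a, idxs in hits.items():
        colored[a] = colors[idxs[0] % len(colors)] if len(idxs) == 1 else shared_color
    return colored


def coverage_diff(a, b):
    """Addresses only in a, only in b, and in both (each list sorted)."""
    return sorted(a - b), sorted(b - a), sorted(a & b)


def apply_to_ida(colored):
    """Apply the color map inside IDA through IDAPython's idc.set_color.
    Returns the number of lines colored, or None when not running under IDA."""
    try:
        import idc
    except ImportError:
        return None
    count = 0
    for ea, color in colored.items():
        # idc.set_color takes a 0xBBGGRR value, so swap the RGB bytes used above.
        bgr = ((color & 0xFF) << 16) | (color & 0xFF00) | (color >> 16)
        if idc.set_color(ea, idc.CIC_ITEM, bgr):
            count += 1
    return count


# Constructed sample dumps, reusing the addresses from the README's examples.
DUMP1 = """
fffff80617bc4622
fffff80617bc4628   # taken branch
fffff80617bc462a
"""
DUMP2 = """
fffff80617bc4622
fffff80617bc4630
"""

if __name__ == "__main__":
    d1, d2 = parse_dump(DUMP1), parse_dump(DUMP2)
    only1, only2, both = coverage_diff(d1, d2)
    print("only in dump1:", [hex(a) for a in only1])
    print("only in dump2:", [hex(a) for a in only2])
    print("in both      :", [hex(a) for a in both])
    for ea, color in sorted(merge_coverage([("dump1", d1), ("dump2", d2)]).items()):
        print(f"{ea:#x} -> {color:#08x}")
    print("colored in IDA:", apply_to_ida(merge_coverage([("dump1", d1), ("dump2", d2)])))
```

    Run it outside IDA to check the merge logic on the constructed dumps; inside IDA, `apply_to_ida` colors the listed addresses. Giving shared lines a neutral color and each run its own color is what makes the "compare two or more dumps" workflow readable in the graph view.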



        -   Configuration


  •       Change the color of the code coverage graph (change the hex color value). This option is especially useful when you want to compare two or more dumps.

        	!windbg2ida_set_color 0x36AC29


  •       Disable stepping into function calls.

        	!windbg2ida_disable_stepin


  •       Disable showing register values in the IDA comments.

        	!windbg2ida_disable_registers_in_comment

    For information about the other configuration options, run !windbg2ida to see the help.



        -   Unload Script


          To unload windbg2ida.js (replace the path with the path to windbg2ida.js on your computer):

        	.scriptunload "C:\Users\Sina\Desktop\windbg2ida\windbg2ida.js"


    Pictures

    (Three screenshots of Windbg2ida)

    Demo

    (Demo of the Windbg2ida help output)

    Features

    Current features:

    • Comparing two or more code coverage files simultaneously
    • Works on both the x64 and x86 versions of Windbg
    • Shows registers for each instruction
    • Shows memory contents for each instruction
    • Compatible with both user mode and kernel mode
    • Uses dump files offline, without needing to re-run in Windbg
    • Shows other modules and invalid addresses
    • etc.

    What's new?

    • Added comparing two or more files
    • Added reading from folders
    • Added register + EFLAGS reading
    • Added branch status display

    Todo

    • Add pausing when a specific value is detected in a register
    • Add pausing when a specific memory address is used in the program flow

    Contribution

    Windbg2ida is maintained by Sina Karvandi; you can find me on Twitter. If you see any problem or need a new feature, please use Issues on GitHub.
    Any contribution is appreciated.