Ida Cheat Sheet
I know IDA has a 'universal unpacker' plugin, as well as a 'reconstruct' option. But I have the .dll open in IDA. A .dll can't be executed, so I can't seemingly use these tools. I have a memdump of the unpacked .dll, but I had trouble importing it manually in IDA. That doesn't seem like a promising route. IDAPython is basically a way to interact with the IDC scripting. It can be used to automate certain tasks such as deobfuscation or coloring of code. In this short tip we will make a brief tour of.
Working with WinDbg is kind of a pain in the ass and I never remember all the commands by heart, so I write down the commands I used.
Loading stuff
.loadby sos mscorwks | Load SOS extension (will identify sos location by loaded mscorwks path) |
.load c:\Windows\Microsoft.NET\Framework\v2.0.50727\sos | Load SOS extension for .NET 2.0 |
.load psscor2 | Load PSSCOR for .NET 2.0 (replaces SOS) |
.load sosex | Load SOSEX extension |
.load sieextpub | Load SieExtPub extension |
.load rpcexts | Load RPC extension |
.unload | Unload extension |
.cordll -ve -u -l | Retry loading of SOS |
!help <command> | Latest extension commands help (SOS,SOSEX,PSSCOR) |
!sosex.help | Like !help but specifically for SOSEX |
!sosexhelp | Display this screen or details about the specified command (SOSEX) |
!sym noisy; [.symfix c:\symbols;] .reload | Load symbols if not set in environment |
.load wow64exts; !sw; .effmach | Switches to 32-bit mode |
Examining code and stacks
~<thread id>s | Set active thread |
~ | all threads |
!clrstack [-a] [-p] [-l] | managed call stack (no CLR stuff) |
!dumpstack [-ee] | unmanaged and managed call stack |
!eestack -short [-ee] | Run dumpstack on all threads and show only ‘interesting’ (lock, hijacked, managed) |
!mk [FrameCount] [-l] [-p] [-a] | unmanaged and managed call stack, better than !dumpheap (sosex) |
Kb [number] | Unmanaged stack with arguments (kb4 limits stack to 4 frames) |
!uniqstack | Unmanaged stacks without duplication, nice if have many worker threads |
!threads [-live] [-special] | all managed threads |
!dso [-verify] [top stack [bottom stack]] | Objects stack trace (the actual object type and not where the method is) |
!mdso [/a | /r | /c:n | /t:<typeFilter> | /mt:<mt>] | Dumps object references on the stack and in CPU registers in the current context |
1) !name2ee mscorlib.dll System.Threading.Thread 2) .foreach (t {!dumpheap -mt <mtaddress> -short}) {.if(poi(${t}+28)>0){.printf " Thread Obj: %N, Obj Address: ${t}, Name: %N \n",poi(${t}+28), poi(${t}+c)}} | 2 commands, run one after the other (<mtaddress> is the MethodTable address printed by !name2ee): get the .NET Thread object address for each thread, matching by thread obj id |
Exceptions
!analyze -v [-hang] | -v Very detailed exception data (SLOW), -hang Generates !analyze hung-application output. |
!pe [<exceptionAddr>] | most recent exception data (don’t forget the external stack) |
!dae | Dump all exceptions found (psscor) |
CLR data structures
!eeheap -gc | Get managed heap size |
!dumpheap [-stat] [-mt <>] [-type <>] [-strings] [-min] [-max] | What classes take space in managed heap |
!dumpheap <address> <address> | Show the objects that are in the given memory segments (show only a specific generation by combining with the output of !eeheap -gc) |
!dumpgen <genNum> [-free] [-stat] [-type <>] [-nostrings] | Dumps the contents of the specified generation (sosex) |
!gcgen <objectAddr> | Displays the GC generation of the specified object (sosex) |
!gcroot <objectAddr> [-nostacks] | Find how an object reference is reachable |
!refs <objectAddr> [-target|-source] | Displays all references from and to the specified object (sosex) |
!finalizequeue | All the objects that are in the finalize queue |
!finq [genNum] [-stat] | Displays objects in the finalization queue (sosex) |
!frq [-stat] | Display objects in the Freachable queue (sosex) |
!dumpdomain | Display app-domains info |
!FindAppDomain <address> | Determines the application domain of an object at the specified address. |
!mx <Filter String> | Displays managed type/field/method names matching the specified filter string (sosex) |
!gchandles | List GC handles statistics |
!gch [-handleType] | Lists all GC Handles, optionally filtered by specified handle types |
Unmanaged Memory
gflags /i <process name> +ust | Add allocation stack for this process |
!address -summary | Show summary of memory by types |
!heap -s | Show all heaps |
!heap -stat -h <heap addr> | Show blocks of specific heap |
!heap -flt s <block size> | Show addresses of memory blocks of specific size by heap |
!heap -p -a <usrPtr> | Display allocation call stack for given block user ptr address |
Object Inspection
!do <address> | information about object |
!dumpvc <mt> <address> | Information about struct |
!mdt [typename | MT] [addr] [-r[:level]] [-e[:level]] | Displays the fields of an object or type, -r optionally recursively, -e optionally collections (sosex) |
!mroot <addr> | Displays GC roots for the specified object (sosex) |
!objsize <addr> | The size of the object including all fields |
!dumpmt -md <addr> | See what methods the object exposes (PreJit – ngen, Jit – jitted, None – never been called) |
!name2ee * <type name> | Get the class data for specific type |
!da <addr> [-start #] [-length #] [-details] | Displays the contents of an array at the given address, e.g. the array at 00ad28d0, starting from the second element and continuing for five elements |
!refs <addr> [-target|-source] | Displays all references from and to the specified object (sosex) |
!DumpRCW | .NET 4.5 |
Locks
!syncblk [-all | <syncblkNumber>] | Show all sync blocks that are owned by the current thread, but not thin locks; for those use !DumpHeap -thinlock |
!DumpHeap -thinlock | Show all the thin locks |
!dlk [-d] | Displays deadlocks between SyncBlocks and/or ReaderWriterLocks, only managed (sosex) |
!critlist | Get critical sections that threads are locked on (sieextpub) |
!locks | |
!mlocks [-d] | Lists all managed lock objects and CriticalSections and their owning threads (sosex) |
!mwaits [-d] | Lists all waiting threads and, if known, the locks they are waiting on (sosex) |
!rwlock [objectAddr | -nd] | Displays all RWLocks or, if provided a RWLock address, details of the specified lock (sosex) |
dt <lockAddr> | |
!handle <handleAddr> f | Show data on the handle; for a mutex or event it can show the owner (procId.ThreadId) |
Misc
.cls | Clear screen |
~*e <command> | Execute command for all threads |
!u, u <method intptr> | Show the disassembly of a method |
!mu [addr] [-s] [-il] [-n] | Displays a disassembly around the current instruction with interleaved source, IL and asm code (sosex) |
!muf [MD| Code Addr] [-s] [-il] [-n] | Displays a disassembly with interleaved source, IL and asm code (sosex) |
!dumpil <method intptr> | Show the IL code of the method |
!address <address> | displays information about the memory that the target process or target computer uses. |
!runaway | CPU time of each thread |
sxe ld:<dll name> | Break when a specific module is loaded (to see why it was loaded) |
vertarget | The time of the dump |
.foreach | Crazy loops |
poi(<address>) | Follow reference for the given pointer (handle) address |
!SaveModule <addr> <path> | Save the module dll to a file (can be used to get its version) |
!TraverseHeap [-xml] <filename> | Dump heap data that can be used by CLR profiler |
!teb | displays all elements of the TEB or “Thread Environment Block” |
!vmstat | |
!strings [ModuleAddress] [min] [max] [gen#] [filter] | Search the managed heap or a module for strings matching the specified criteria |
!mln <addr> | Displays the type of managed data located at the specified address or the current instruction pointer |
lm [v] [m] <moduleName> | Show data on the loaded modules (mscorwks, clr) |
lmf | list loaded modules with full path |
!filevers | Show version and paths of all loaded modules (sieextpub) |
!comcalls | Show COM calls on all threads |
!rpcreadstack <stack addr> | Get RPC call information (rpcexts) |
!getendpointinfo <port> | searches the system’s RPC state information for endpoint information (rpcexts) |