Attach a debbuger like WinDBG or x64dbg directly to the file system.

[leolongvu]

Dear Ufrisk

Is there a way to attach a debugger like the two above directly to the memory file system with FPGA devices? I have tried to dump the raw binary of a function at the target virtual address and analyze with IDA but honestly without dependencies the disassembler code is not quite meaningful.

Leo

[ufrisk]

If debugging Windows it should auto-generate a memory.dmp file which you should be able to open in WinDbg.

Setting breakpoints and such aren't working though, but it will detect os, kernel and processes and automatically download required symbols and such.

If wanting to patch something you'll have to open process virtual memory (or physical memory) in your hexeditor and patch. Note tho that patching .exe/,dll/.sys image in one process will likely patch it in all processes since writes goes down to physical memory. Patching heaps/stacks and such generally have no such side effects.

[leolongvu]

Is it your intend not to include the dump file per process or is it my PC that doesnt have one?

[ufrisk]

only full dump is currently available, I'm unsure about per-process minidumps, it's on my todo-list to look into but I'm not sure about the complexibility.

you should be able to switch into process context in WinDbg already though .... replace the ffff-value in .process with your process EPROCESS address.

kd> .process /r /p ffff8b8f8a5780c0
kd> lmu
start             end                 module name
00007ff6`d2f40000 00007ff6`d2f48000   LogonUI    (deferred)             
00007ff8`dcc20000 00007ff8`dcf54000   msftedit   (deferred)  
...

0: kd> u 00007ff6`d2f41010
LogonUI!wWinMain:
00007ff6`d2f41010 4053            push    rbx
00007ff6`d2f41012 4883ec70        sub     rsp,70h
00007ff6`d2f41016 498bd8          mov     rbx,r8
00007ff6`d2f41019 ff1561210000    call    qword ptr [LogonUI!_imp_GetCurrentProcess (00007ff6`d2f43180)]
...