I am doing security review for a managed application which is obfuscated. So I am doing a lot of disassembling code at runtime using Windbg. One of the issues is that code gets JIT optimized because of the retail build. This makes it harder for me debug when mapping it back. Realized that I could turnoff JIT Optimization’s using the ini file.
[.NET Framework Debugging Control]
Another use of feature which I guess wasn’t really intended for.
In this post I would show a simple trick to update .NET strings in memory with Windbg. The caveat is make sure the string that you’re updating is long enough to fit into the string buffer. If not there would be a memory corruption.
Here is a simple windows form application with title “Good”
The goal is to update the title from “Good” to “Bad”.
button1.Click += (s,b) => Text = _caption;
I am updating the title in the button click.
Here is the actual string object within the debugger
0:006> !do 0294d0a0
Size: 22(0x16) bytes
MT Field Offset Type VT Attr Value Name
59ba2b30 40000ed 4 System.Int32 1 instance 4 m_stringLength
59ba1f80 40000ee 8 System.Char 1 instance 47 m_firstChar
59b9fb64 40000ef 8 System.String 0 shared static Empty
>> Domain:Value 004b0308:02941228 <<
I would be using the e command to update the memory. The ezu command is used for updating Null-terminated Unicode string .
Notice the first character starts in the 8th offset from the above. So we would have start updating the string only from the 8th offset. The first 8 bytes of object are for syncblock index and method table pointer.
Here is the command to update the string memory.
ezu 0294d0a0+8 “Bad”
And the updated form title.