Assuming that you followed the instructions in the previous post and deployed your debugging suite correctly, now is the time to get acquainted with the user interface. In case you configured TProbe to run gshell automatically (the default configuration), several windows will be presented to you. Let's explore the purpose of each one of them.
The console window is where the gdb component resides. It is the heart of the whole suite of plugins, including graphical shell (gshell).
It is also the only window you can send an Interrupt signal to (by pressing Ctrl-C). This is due to the nature of UNIX signals and the way the GTK+ libraries handle them. This issue will be addressed in a future version of TProbe, so that you will be able to send an Interrupt signal to any window.
If you choose to operate TProbe using the console shell (disable the directly_to_gshell option in tprobe.py), you will be working with this window exclusively.
The Main window is your toolbox. From here you can open any of the remaining window classes that cover their respective functions - simply click the button with the required window type in the Main window. At any point you can quit the graphic shell by clicking Exit GShell and return to the classic, console-based flavor of TProbe.
The purpose of the Memory View window is to show and provide a basic interpretation of the selected memory area.
There are two types of interpretation - DWORD and BYTE+ASCII. The first one converts bytes from the selected area into DWORDs (groups of four bytes, assembled with respect to the endianness of the architecture). This is a convenient way to explore the stack, for example. The second type is the BYTE+ASCII interpretation, which is a better choice if you need to examine character strings.
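As an added illustration (not code from TProbe itself), here are the two interpretations the Memory View offers, implemented in Python over a constructed byte string; the sample bytes, the base address and the function names are assumptions:

```python
import struct

# Constructed sample bytes standing in for a memory region read from the
# debuggee (not data from a real process): two DWORDs, then a NUL-terminated string.
SAMPLE = b"\x78\x56\x34\x12\xef\xbe\xad\xde" + b"Hello, TProbe!\x00\x00"


def as_dwords(data, base, endian="little"):
    """DWORD interpretation: group bytes in fours, honouring the target's
    endianness. A trailing partial DWORD is dropped rather than padded,
    so the view never shows a value that is not actually in memory."""
    fmt = "<I" if endian == "little" else ">I"
    out = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (value,) = struct.unpack(fmt, data[off:off + 4])
        out.append((base + off, value))
    return out


def as_byte_ascii(data, base, width=16):
    """BYTE+ASCII interpretation: one row per `width` bytes; bytes outside
    printable ASCII are shown as '.' so control characters cannot disturb
    the listing."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        rows.append((base + off, hexpart, asciipart))
    return rows


def render(data, base, mode="dword", endian="little", width=16):
    """Text listing in the style of the Memory View window."""
    if mode == "dword":
        return "\n".join(f"{addr:08x}  {val:08x}"
                         for addr, val in as_dwords(data, base, endian))
    return "\n".join(f"{addr:08x}  {hx:<{3 * width}} |{asc}|"
                     for addr, hx, asc in as_byte_ascii(data, base, width))


if __name__ == "__main__":
    print(render(SAMPLE, 0x0012ff00))
    print(render(SAMPLE, 0x0012ff00, mode="ascii"))
```

Switching `endian` to "big" shows why the DWORD view must know the target architecture: the same four bytes read as a completely different value.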
Using the options in the context menu, you can synchronise the observed memory area with register contents.
Remember that the contents of memory in this view are perceived from the process perspective. If you choose another process perspective in the Process View window, it is highly probable that parts of memory will become inaccessible.
This view presents the current contents of the processor registers. In the current version you can only modify the content of registers via the console shell. This will change in future versions of TProbe.
In the Process View window you are able to perform actions related to particular processes. If you want to view physical memory the way a particular process views it (i.e. using this process's DTB), you need to right-click the selected process and use the Set EPROCESS perspective option from the context menu.
Another important function of this view is extracting information on the exported functions of modules loaded within a particular process (referred to as symbols). You can easily navigate to a particular symbol in a particular module by using the Modules & symbols option from the context menu of a process. You can also apply this information in the Code View in order to get a more meaningful listing.
Code View is the main source of information on what is being executed at the moment and where the execution is heading. You can move around the code using the Goto function from the context menu.
In order to trace the execution in the Code View, you need to use various types of commands. You can Step over (F8) an instruction, which means that if the current instruction is a call, the debugger will not inspect it, but will wait for it to finish and move to the subsequent instruction. You can also inspect calls with the Step into (F7) command, which, in contrast, will follow the call and allow you to trace the code of the function being called. You can also release the execution with the Run (F9) command, which means that the debugged environment will continue execution until it hits a breakpoint or until the execution is interrupted by sending Ctrl-C to the gdb console.
You can also set and delete breakpoints on selected addresses using the context menu of this window.
One of the most powerful features of TProbe is its Interactive Shell (which relies heavily on the volshell of volatility). This interactive shell accepts most volatility commands that enable you to interpret the contents of memory. It also interprets Python code, so you can use Python scripts in order to automate processing of an extensive set of data.
Now that you have learned the fundamentals of the TProbe user interface, you can proceed to the first analysis write-up on tracking injected code with TProbe.