IrisWinDbg extension performs basic detection of common Windows exploit mitigations (32 and 64 bits).
The checks implemented, as can be seen in the screenshot above, are (for the loaded modules):
To "install", copy
winextfolder for WinDbg (for
Unless you installed the debug tools in a non standard path you'll find the
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winextOr, for 32 bits:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext
C:\Program Files\WindowsApps\Microsoft.WinDbg_1.1906.12001.0_neutral__9wekib2d8acweFor 64 bits copy
x86\winextfor 32 bits.
Load the extension
After the steps above, just load the extension with
.load irisand run
!iris.helpto see the available command(s).
0:002> .load iris
[+] Iris WinDbg Extension Loaded
IRIS WinDbg Extension ([email protected]). Available commands:
help = Shows this help
modules = Display exploit mitigations for all loaded modules.
As shown in the screenshot above, just run:
Don't trust blindly on the results, some might not be accurate. I pretty much used as reference PE-bear parser, winchecksec, Process Hacker, and narly. Thank you to all of them.
I put this together in a day to save some time during a specific assignment. It worked for me but it hasn't been thoroughly tested. You have been warned, use at your own risk.
I'll be updating and maintining this, so any issues you may find please let me know. I plan to add a few more mitigations later.
Besides the references mentioned before, if you want to write your own extension (or contribute to this one) the Advanced Windows Debugging book and the WinDbg SDK are your friends.