Debugging Tip: Dump ASMX call payloads

In ASMX services, it is always that request and response payloads are point of interest. As per scenario, we can have crash dumps or manual memory dumps only. How can we read the payloads?

 

Step-1

Get to the thread where we have web service call

Step-2

Dump stack objects on the thread (via !dso command)

Step-3

Find the System.Web.HttpContext type object and dump it

Step-4

Find property called _raw in it and dump it (of type System.Web.HttpRawUploadedContent)

Step-5

Data will appear like the following:

0:026> !do 00000002006e5498
Name:        System.Web.HttpRawUploadedContent
MethodTable: 000007fed82f8488
EEClass:     000007fed7f2dd18
Size:        56(0x38) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
000007fef7ee3980  4001167       18         System.Int32  1 instance            81920 _fileThreshold
000007fef7ee3980  4001168       1c         System.Int32  1 instance              487 _expectedLength
000007fef7ee8c48  4001169       2c       System.Boolean  1 instance                1 _completed
000007fef7ee3980 400116a 20 System.Int32 1 instance 487 _length
000007fef7ee6888 400116b 8 System.Byte[] 0 instance 00000002006e54d0 _data
000007fed82ff080  400116c       10 ...dContent+TempFile  0 instance 0000000000000000 _file
000007fef7ee3980  400116d       24         System.Int32  1 instance                0 _chunkOffset
000007fef7ee3980  400116e       28         System.Int32  1 instance                0 _chunkLength

We can see _ length has value of greater than 0. It means we definitely have some contents captured in it.

 

 

Step-6

Dump _data (of type System.Byte[])

0:026> dc 00000002006e54d0
00000002`006e54d0  f7ee6888 000007fe 000001e7 00000000  .h..............
00000002`006e54e0  453a733c 6c65766e 2065706f 6e6c6d78  <s:Envelope xmln
00000002`006e54f0  3d733a73 74746822 2f2f3a70 65686373  s:s="sche
00000002`006e5500  2e73616d 736c6d78 2e70616f 2f67726f  mas.xmlsoap.org/
00000002`006e5510  70616f73 766e652f 706f6c65 20222f65  soap/envelope/"
00000002`006e5520  6e653a73 69646f63 7453676e 3d656c79  s:encodingStyle=
00000002`006e5530  74746822 2f2f3a70 65686373 2e73616d  "schemas.
00000002`006e5540  736c6d78 2e70616f 2f67726f 70616f73  xmlsoap.org/soap

 

Step-7

Format the contents and print

0:026> .printf "%ma", 00000002`006e54e0
<s:Envelope xmlns:s="schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="schemas.xmlsoap.org/soap/encoding/">
       <s:Body>
              <u:my_download xmlns:u="mywebservice">
                     <device1>1231-21212-212</device1>
                     <model>Lumia950</model>

                     <osVer>Version 10.0.3</osVer>

                     <systemVer/>
              </u:my_download>
       </s:Body>
</s:Envelope>

Step-8 (optional)

If we go by netext extension, life will be much easier.

1. dump _data object of type System.Byte[] by !wdo <address>

              >  The payload can be read now.

2. !whttp and can traverse to individual http context objects. It will have all the basic information like request, response, etc. and will have options to go for other relevant objects.

Step-9 (for client side)

When client applications make web service calls, it passes via System.Net.HttpWebRequest.

1. Dump object of type System.Net.HttpWebRequest

2. Dump property called _WriteBuffer of type System.Byte[]

3. In order to read the contents, either dc or !wdo commands can be followed.