Overview

WEDP is a native WinDbg extension built for exploit development workflows. Written in C++ with native x86 and x64 support, it provides 20 commands covering gadget search, pattern generation, memory analysis, and more — all from within the debugger. WEDP is MIT licensed and leverages Zydis for disassembly and AsmJit/AsmTk for assembly.

Features

  • ROP gadget search (!wedp_rop)
  • SEH gadget search (!wedp_seh)
  • Redirect gadget search (!wedp_redirect)
  • Stack-pivot gadget search (!wedp_stackpivot)

Module & Memory Analysis

  • Enumerate loaded modules with protection details — ASLR, DEP, SafeSEH, CFG (!wedp_modules)
  • Memory mapping of committed regions (!wedp_memory)
  • IAT dump (!wedp_iat)

Pattern Utilities

  • Generate cyclic patterns (!wedp_pattern_gen)
  • Find pattern offset (!wedp_pattern_off)
  • Auto-scan registers and memory for pattern matches (!wedp_findmsp)

Exploit Utilities

  • Bad character byte array generation and comparison (!wedp_bytearray)
  • Inline assembler — Intel syntax to raw bytes (!wedp_asm)
  • Disassembler — raw bytes to Intel assembly (!wedp_disasm)
  • Search committed memory for strings or byte sequences (!wedp_find)

Output & Filtering

  • JSON output mode for tool integration
  • Filter results by module, protection flags, address range, or bad bytes
  • File output support
  • Session-level defaults with per-command overrides (!wedp_getopts, !wedp_setopts)

Quick Start

1. Download the latest DLL from the Releases page.

2. Load the extension (pick one):

# Copy to WinDbg winext directory, then:
.load wedp

# Or load from an absolute path:
.load C:\tools\wedp.dll

3. Verify it loaded:

!wedp_version
!wedp.help

4. Example usage:

# List loaded modules with protection info
!wedp_modules

# Search for ROP gadgets
!wedp_rop

# Generate a 500-byte cyclic pattern
!wedp_pattern_gen 500

# Find offset in pattern
!wedp_pattern_off Aa4a