All Projects → d0c-s4vage → Bnarly

d0c-s4vage / Bnarly

Licence: gpl-2.0
browser narlyness

Programming Languages

184084 projects - #8 most used programming language
  • [Overview] (#bnarly)
  • [API] (#bnarly-api)
  • [API Index] (#bnarly-api-index)


bNarly (browser narly) is a browser exploitation/exploration tool. bNarly is essentially a windbg <--> javascript bridge.

A brief glimpse of bNarly in action can be seen here:

A few screenshots:

Browser Compatibility

bNarly will work on at least the following browser versions

  • IE 8,9,10,11
  • Firefox >= 20

windbg/js bridge

The javascript/windbg bridge works by setting a breakpoint on the Math.min function. Math.min is specifically chosen because it is a variable arity function (can accept a variable number of arguments).

With the breakpoint in place, Math.min essentially takes the form:

function Math.min(in type, in logMsg_or_cmdsToEval, out output, in objRef) {
  // windbg command evaluation
  if(type == WINDBG_CMD_EVAL) {
    if(objRef) {
      @$t0 = &objRef;
    var tmpOutput = windbgEval(logMsg_or_cmdsToEval);
    if(output) {
      *output = tmpOutput;
  // simple logging
  } else if(type == WINDBG_LOGGING) {
  } else {

Note that execution must explicitly be continued if not requesting the output of a command.

bNarly API



Set the window that the debugger will be attached to.


Set whether a symbol cache should be used


Populate the symbol cache with vftable symbols from "popular" browser modules (eg mshtml!*vftable* and jscript9!*vftable*)



Force execution to pause


Print the message and continue. This method should be safe for ANY message content without needing to escape anything.



Return the breakpoint for the current browser. If a breakpoint for the current version has not been explicitly defined, return the default breakpoint for the browser family.


Return the symbol server locations that should be in .sympath in order for bNarly to work correctly.


Return a string that represents the version of the browser. Eg: 10_x86


Return the name/family of the browser. Eg: MSIE


Return true/false whether a debugger is connected and the breakpoint appears to be functioning



Evaluate the given expression and return the result. The result will always be a number. This is the same as running the windbg command ? <expression>.


Begin tracking heap allocs/frees. Retrieve tracked heap events by calling stopHeapTracking()


Stop tracking heap allocs/frees. Returns an object of the form:

	timeline: [...],
	unAllocatedFrees: {...},
	unFreedAllocs: {...}
  • timeline is an array of heap events, in the order they occurred.
  • unAllocatedFrees is an object with keys being addresses that have been freed but were not allocated after startHeapTracking() was called. The values are heap events.
  • unFreedAllocs is an object with keys being addresses that have been allocated and were not freed since startHeapTracking() was called. The values are heap events.

A heap event is of the form:

	type: FREE or ALLOC,
	addr: address,
	(size: allocation size)?,
	(heap: heap allocation belongs to)?,
	(firstPtr: value of poi(addr))?

getObjectPtr(obj, isOnlyObjName)

Return a pointer to the given object. If isOnlyName is true, the obj is assumed to be a string and will be evaluated in the window that setMainWindow(win) was set to.


Return the size of the memory allocation referenced by ptr. An object is returned with at least the two members:

{base: <addr>, size: <size>}

More members might be added to the object, depending on which allocator is used.

If the memory allocation size/base could not be determined, null is returned.

Symbol Resolution


Return the symbol at the provided address. Returns "" if no matching symbol is found.


Return the symbols for each address in addrs in an object of the form {addr: symbol, ...}. If no matching symbol is found, the symbol value will be "".


setBreakpoint(addr, commands, type)

Sets a breakpoint at addr (may also be a symbol). Default breakpoint type is bp, may also pass in bu or bm.

The commands argument is an unescaped string of commands. The commands will automatically be escaped.

Returns the breakpoint id that can be passed to clearBreakpoint(bpId) to remove the breakpoint.


Clear the breakpoint associated with bpId

Memory Read

string functions

da(address, brokenUp, limit)

Return the string referenced by address.

If brokenUp is true, an array of objects of the form {addr:<address>, val:<val>} will be returned.

limit limits the length of the string. Eg: da <addr> L?0n<limit>

du(address, brokenUp, limit)

Return the unicode string referenced by address.

If brokenUp is true, an array of objects of the form {addr:<address>, val:<val>} will be returned.

limit limits the length of the unicode string. Eg: du <addr> L?0n<limit>

option to resolve symbols

dd(address, num, symLookup)

Return an array of objects containing the dword values and symbols at each address:

[{addr: <val>, val: <val>, symbol: <val>}, ... ]

dp(address, num, symLookup)

Return an array of objects containing the pointer-sized values and symbols at each address:

[{addr: <val>, val: <val>, symbol: <val>}, ... ]

ddp(address, num, symLookup)

Return an array of objects containing the dword-sized values and symbols at each address:

[{addr: <val>, val: <val>, symbol: <val>}, ... ]

If symLookup is true, an attempt will be made to resolve symbols. The windbg command ddp by default will display the dereferenced pointer and the memory at the resulting location. Any results from symLookup will override the symbols from the windbg output of ddp.

dpp(address, num, symLookup)

Return an array of objects containing the pointer-sized values and symbols at each address:

[{addr: <val>, val: <val>, symbol: <val>}, ... ]

If symLookup is true, an attempt will be made to resolve symbols. The windbg command dpp by default will display the dereferenced pointer and the memory at the resulting location. Any results from symLookup will override the symbols from the windbg output of dpp.

single memory access


Return the byte at the given address


Return the word at the given address


Return the dword at the given address


Return the qword at the given address


Return the pointer at the given address

mass raw memory dump

db(address, num)

Return an array of objects representing num bytes starting at address.

Objects are of the form {addr: <addr>, val: <val>, rep: <rep>}

bytes(address, num)

Return an array of objects representing num bytes starting at address.

Objects are of the form {addr: <addr>, val: <val>, rep: <rep>}

words(address, num)

Return an array of objects representing num words starting at address.

Objects are of the form {addr: <addr>, val: <val>, rep: <rep>}

dwords(address, num)

Return an array of objects representing num dwords starting at address.

Objects are of the form {addr: <addr>, val: <val>, rep: <rep>}

qwords(address, num)

Return an array of objects representing num qwords starting at address.

Objects are of the form {addr: <addr>, val: <val>, rep: <rep>}

Memory Write

eb(/*addr, val1, val2, ...*/)

Overwrite bytes at addr with values val1, val2, ...

ew(/*addr, val1, val2, ...*/)

Overwrite words at addr with values val1, val2, ...

ed(/*addr, val1, val2, ...*/)

Overwrite dwords at addr with values val1, val2, ...

eq(/*addr, val1, val2, ...*/)

Overwrite qwords at addr with values val1, val2, ...


run(/*cmd1, cmd2, ...*/)

Run the given command. Do not return the output. Code execution must be explicitly resumed with g.

evalRaw(/*cmd1, cmd2, ...*/)

Run the given commands found in arguments and return the output. Code execution will automatically be resumed.


Run cmd without waiting for the created process to exit

bNarly API Index

  • [Configuration] (#configuration)
    • [setMainWindow] (#setmainwindowwin)
    • [setUseSymbolCache] (#setusesymbolcachetruefalse)
    • [populateSymbolCache] (#populatesymbolcache)
  • [Utils] (#utils)
    • [int3] (#int3)
    • [log] (#logmsg)
  • [Setup] (#setup)
    • [getWindbgBreakpoint] (#getwindbgbreakpoint)
    • [getSymbolServerLocations] (#getsymbolserverlocations)
    • [getBrowserVersion] (#getbrowserversion)
    • [getBrowserName] (#getbrowserName)
    • [isConnected] (#isconnected)
  • [Candy] (#candy)
    • [evalExpr] (#evalexprexpression)
    • [startHeapTracking] (#startheaptracking)
    • [stopHeapTracking] (#stopheaptracking)
    • [getObjectPtr] (#getobjectptrobj-isonlyobjname)
    • [getObjectSize] (#getobjectsizeptr)
  • [Symbol Resolution] (#symbol-resolution)
    • [getSymbol] (#getsymboladdr)
    • [getSymbols] (#getsymbolsaddrs)
  • [Breakpoints] (#breakpoints)
    • [setBreakpoint] (#setbreakpointaddr-commands-type)
    • [clearBreakpoint] (#clearbreakpointbpid)
  • [Memory Read] (#memory-read)
    • // string functions
    • [da] (#daaddress-brokenup-limit)
    • [du] (#duaddress-brokenup-limit)
    • // option to resolve symbols
    • [dd] (#ddaddress-num-symlookup)
    • [dp] (#dpaddress-num-symlookup)
    • [ddp] (#ddpaddress-num-symlookup)
    • [dpp] (#dppaddress-num-symlookup)
    • // single memory access
    • [by] (#byaddress)
    • [wo] (#woaddress)
    • [dwo] (#dwoaddress)
    • [qwo] (#qwoaddress)
    • [poi] (#poiaddress)
    • // raw memory dump
    • [db] (#dbaddress-num)
    • [bytes] (#bytesaddress-num)
    • [words] (#wordsaddress-num)
    • [dwords] (#dwordsaddress-num)
    • [qwords] (#qwordsaddress-num)
  • [Memory Write] (#memory-write)
    • [eb] (#ebaddr-val1-val2-)
    • [ew] (#ewaddr-val1-val2-)
    • [ed] (#edaddr-val1-val2-)
    • [eq] (#eqaddr-val1-val2-)
  • [Core] (#core)
    • [run] (#run)
    • [evalRaw] (#evalrawcmd1-cmd2-)
    • [shell] (#shell)
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].