Agenda
● Windows kernel debugging
● Basics of the serial debug protocol
● An implementation of the protocol in Perl
● All of the above in less than 20 minutes, hopefully with time left for a demo

Windows Kernel Debugging
● To debug a live system (the target) you need another system (the host) to run the debugger
● Windows achieves this via a serial connection (the latest version also via USB 2.0 or IEEE 1394)
● Add /DEBUG to boot.ini, plug in a null-modem cable and away we go!

windbg
● Microsoft provides its own debugger, windbg
● Available in the Windows DDK
● Full-featured, if a little less than user-friendly
● Extension DLLs can add functionality; an API is available
● But the host system has to run Windows... what fun is that?

Windows Serial Debug Protocol
● Windows uses a packet-based protocol for communication between the host and the target
● Not officially documented
● But not terribly complex, either
● Best reference is available from Albert Almeida: http://www.vsj.co.uk/articles/display.asp?id=265

Packet Classes
● Three classes of packets
  – Normal packets: used for debug commands or data exchange
  – Control packets: used to govern the protocol
  – Break-in packet: a special packet used to interrupt system execution and pass control to the debugger
● Normal and control packets have types, which describe their specific function

Control Packet Types
● PACKET_TYPE_KD_ACKNOWLEDGE
  – used to ACK a packet received from the remote side
● PACKET_TYPE_KD_RESEND
  – used to request resend of a packet from the remote side
● PACKET_TYPE_KD_RESET
  – used to resynchronize the communication between the two peers

Normal Packet Types
● PACKET_TYPE_KD_STATE_CHANGE32
  – Reports when the target has changed from one state to another
● PACKET_TYPE_KD_STATE_MANIPULATE
  – Used by the debugger to send a command/data
  – Used by the target to send the results of a command
● PACKET_TYPE_KD_DEBUG_IO
  – Used to handle debug string print IO
● PACKET_TYPE_KD_STATE_CHANGE64
  – 64-bit version of the state change packet

Packet Header
Packet Leader (4 bytes)
Packet Type (2 bytes)
Byte Count (2 bytes)
Packet ID (4 bytes)
Checksum (4 bytes)

Packet Exchange
● Typical sequence
  – Host sends break-in packet
  – Target replies with state change packet
  – Host ACKs state change
  – Host sends command in state_manipulate packet
  – Target ACKs state manipulate
  – Target replies with data in state_manipulate packet
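As an added illustration of the header layout, the control packet types and the ACK/RESEND exchange above (example code, not windpl and not the slides' own code): a small Python codec that builds and validates packets. The leader values, trailing byte, packet type numbers and byte-sum checksum are assumed to be those defined in the ReactOS windbgkd.h the slides refer to; check them against your copy.

```python
import struct

# Header layout from the slides: leader(4) type(2) count(2) id(4) checksum(4), little-endian.
HEADER = struct.Struct("<IHHII")

# Assumed values, taken from ReactOS windbgkd.h.
PACKET_LEADER = 0x30303030          # normal (data) packets
CONTROL_PACKET_LEADER = 0x69696969  # control packets (ACK / RESEND / RESET)
PACKET_TRAILING_BYTE = 0xAA         # terminates every normal packet

PACKET_TYPE_KD_STATE_CHANGE32 = 1
PACKET_TYPE_KD_STATE_MANIPULATE = 2
PACKET_TYPE_KD_DEBUG_IO = 3
PACKET_TYPE_KD_ACKNOWLEDGE = 4
PACKET_TYPE_KD_RESEND = 5
PACKET_TYPE_KD_RESET = 6
PACKET_TYPE_KD_STATE_CHANGE64 = 7
CONTROL_TYPES = (PACKET_TYPE_KD_ACKNOWLEDGE, PACKET_TYPE_KD_RESEND, PACKET_TYPE_KD_RESET)


def checksum(payload: bytes) -> int:
    """KD checksum: plain 32-bit sum of the payload bytes (assumed from windbgkd.h)."""
    return sum(payload) & 0xFFFFFFFF


def build_packet(ptype: int, packet_id: int, payload: bytes = b"") -> bytes:
    """Serialize one packet. Control packets carry no payload and no trailing byte."""
    control = ptype in CONTROL_TYPES
    leader = CONTROL_PACKET_LEADER if control else PACKET_LEADER
    hdr = HEADER.pack(leader, ptype, len(payload), packet_id, checksum(payload))
    return hdr if control else hdr + payload + bytes([PACKET_TRAILING_BYTE])


def parse_packet(raw: bytes) -> dict:
    """Parse and validate one packet; raises ValueError on anything malformed."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    leader, ptype, count, pid, csum = HEADER.unpack_from(raw)
    if leader not in (PACKET_LEADER, CONTROL_PACKET_LEADER):
        raise ValueError("bad leader 0x%08x" % leader)
    payload = raw[HEADER.size:HEADER.size + count]
    if len(payload) != count:
        raise ValueError("truncated payload")
    if checksum(payload) != csum:
        raise ValueError("checksum mismatch")  # peer is expected to answer with RESEND
    trailer = raw[HEADER.size + count:HEADER.size + count + 1]
    if leader == PACKET_LEADER and trailer != bytes([PACKET_TRAILING_BYTE]):
        raise ValueError("missing trailing byte")
    return {"type": ptype, "id": pid, "payload": payload}


def reply_for(raw: bytes) -> bytes:
    """Receiver's control reply: ACK (echoing the packet id) if valid, RESEND otherwise."""
    try:
        return build_packet(PACKET_TYPE_KD_ACKNOWLEDGE, parse_packet(raw)["id"])
    except ValueError:
        return build_packet(PACKET_TYPE_KD_RESEND, 0)  # simplification: id unknown when corrupt
```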

Debug API
● The API is accessed using state manipulate packets
● _DBGKD_MANIPULATE_STATE32 is the payload of the packet; its first element is the API number
● Each API number corresponds to a specific structure which is appended to the state manipulate struct
● See the ReactOS project's windbgkd.h for all API structures

windpl
● Uses the Device::SerialPort module to implement the Windows debug protocol
● Should work on any *nix system where the Device::SerialPort module is supported
● Now we can debug the Windows kernel from almost any system
● Using a scripting language makes it easy to hack in new functionality