draw me a l ocal k ernel d ebugger
play

Draw me a L ocal K ernel D ebugger Demo Conclusion Samuel Chevet - PowerPoint PPT Presentation

Nov 10, 2022 •35 likes •515 views

Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP Draw me a L ocal K ernel D ebugger Demo Conclusion Samuel Chevet & Clment Rouault 20 November 2015 Samuel Chevet & Clment Rouault Where does this talk

  1. Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP Draw me a L ocal K ernel D ebugger Demo Conclusion Samuel Chevet & Clément Rouault 20 November 2015 Samuel Chevet & Clément Rouault

  2. Where does this talk come from? Draw me a L ocal K ernel D ebugger Introduction DBGEngine B ranch T race F lag Python Level UP Single step on branches Demo IA32_DEBUGCTL_MSR, Eflags Conclusion nt!KiSaveProcessorControlState This feature seems not supported anymore on new CPU We wanted to be able to use this feature on our new CPU (not amd64) Samuel Chevet & Clément Rouault

  3. Where does this talk come from? Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python B ranch T race S tore (BTS) Level UP Demo Store all the branches (src and dst) taken on a CPU to Conclusion a bu ff er nt!VfInitializeBranchTracing Partially implemented, could be nice to have a working POC Samuel Chevet & Clément Rouault

  4. Where does this talk come from? Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python We looked at the options to achieve that Level UP We started looking at WinDbg Demo We wanted easier scriptability Conclusion We looked at how WinDbg works So . . . Let’s draw a Local Kernel Debugger Samuel Chevet & Clément Rouault

  5. Agenda Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP Windows local kernel debugging Demo Conclusion DbgEngine for dummys Python kungfu Demo Samuel Chevet & Clément Rouault

  6. Agenda Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP Introduction 1 Demo Conclusion Samuel Chevet & Clément Rouault

  7. Windows kernel debugging Draw me a L ocal K ernel D ebugger Introduction DBGEngine Use case of kernel debugging Python Level UP Reverse engineering Demo Understand (hidden) features Conclusion Study patch Tuesday Hunt vulnerabilities Exploit development Driver development Low level interaction Samuel Chevet & Clément Rouault

  8. Windows kernel debugging Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Debug settings Level UP Demo Network cable Conclusion USB (3.0 / 2.0) Serial cable Serial over USB Locally Samuel Chevet & Clément Rouault

  9. Windows local kernel debugging Draw me a L ocal K ernel D ebugger Introduction DBGEngine Locally? Python Level UP "Debugger" runs on the same computer Demo Dump memory Conclusion Data structure used by processor (GDT, IDT, . . . ) Windows internal structures Process list, handles, . . . Modify memory, I / O, MSRs Enable hidden features Fix bugs � Samuel Chevet & Clément Rouault

  10. Windows local kernel debugging Draw me a L ocal WinDbg allows to perform local kernel debugging K ernel D ebugger Introduction DBGEngine Python Level UP Demo Conclusion Samuel Chevet & Clément Rouault

  11. Windows local kernel debugging Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Prerequisite Level UP Demo Boot start options must be modified Conclusion nt!KdDebuggerEnabled must be equal to 1 "DEBUG" in HKLM\System\CurrentControlSet\Control\SystemStartOptions bcdedit /debug on || msconfig.exe Samuel Chevet & Clément Rouault

  12. Agenda Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP DBGEngine 2 Demo Conclusion Samuel Chevet & Clément Rouault

  13. DBGEngine Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python WinDbg uses dbgEng.dll : Debugger Engine Level UP Provides interfaces for examining and manipulating Demo targets Conclusion Can acquire targets, set breakpoints, monitor events, . . . Can we write our standalone Local Kernel Debugger? Samuel Chevet & Clément Rouault

  14. Dissecting dbgeng.dll Draw me a L ocal K ernel D ebugger dbgeng.dll Introduction DBGEngine Few exported functions (only one interesting) Python HRESULT DebugCreate(__in REFIID InterfaceId, __out PVOID* Interface); Level UP Creates a new C omponent O bject M odel (COM) interface of Demo type IDebugClient Conclusion IDebugClient Main object, queries other COM interfaces IDebugControl : Controls the debugger IDebugSymbols : Symbols stu ff ( dbghelp.dll , symsrv.dll ) IDebugDataSpaces : Read / Write operations Samuel Chevet & Clément Rouault

  15. Dissecting dbgeng.dll Draw me a L ocal K ernel D ebugger Introduction HRESULT AttachKernel( DBGEngine [in] ULONG Flags, Python [in, optional] PCSTR ConnectOptions ); Level UP Demo IDebugClient ( debugger.chm ) Conclusion // Attach to the local machine. If this flag is not set // a connection is made to a separate target machine using // the given connection options. #define DEBUG_ATTACH_LOCAL_KERNEL 0x00000001 dbgeng.h Not documented inside MSDN nor debugger.chm Samuel Chevet & Clément Rouault

  16. Dissecting dbgeng.dll Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python If we try to call the method, we end up in Level UP dbgeng!LocalLiveKernelTargetInfo::InitDriver Demo This function checks if the current process name is Conclusion WinDbg / kd If TRUE, it extracts a signed driver ( kldbgdrv.sys ) from the binary’s resources lpName = 0x7777 lpType = 0x4444 Samuel Chevet & Clément Rouault

  17. Dissecting kldbgdrv.sys Draw me a L ocal K ernel D ebugger Introduction kldbgdrv.sys DBGEngine Create a device \\.\kldbgdrv Python Level UP Wrapper around nt!KdSystemDebugControl via Demo DeviceIoControl ( dwIoControlCode = 0x22C007 ) Conclusion nt!KdSystemDebugControl Check the value of nt!KdDebuggerEnabled (set during system startup) Read / Write: I / O, Memory, MSR, Data Bus, KPCR, . . . nt!KdpSysReadIoSpace & nt!KdpSysWriteIoSpace broken, allows only aligned I / O Samuel Chevet & Clément Rouault

  18. Stand-Alone application Draw me a L ocal K ernel D ebugger Introduction DBGEngine Custom LKD Python Use dbgeng.dll like WinDbg Level UP Put kldbgdrv.sys inside our own resources Demo > type poc.rc Conclusion 0x7777 0x4444 "dep\\kldbgdrv_64.sys" > rc.exe /nologo poc.rc Add 3 others resources dbgeng.dll dbghelp.dll symsrv.dll No need to install anything � Samuel Chevet & Clément Rouault

  19. Stand-Alone application Draw me a L ocal K ernel D ebugger Introduction Name our executable WinDbg.exe / kd.exe or hook DBGEngine kernel32!GetModuleFileNameW Python Level UP Enable SeDebugPrivilege / SeLoadDriverPrivilege Demo Check if debug mode is enable Conclusion Load dbgeng.dll (from extracted resources) Create an IDebugClient and IDebugControl interface with DebugCreate Call AttachKernel with DEBUG_ATTACH_LOCAL_KERNEL Call WaitForEvent until debugger is attached Samuel Chevet & Clément Rouault

  20. Agenda Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Level UP Python 3 Demo Conclusion Samuel Chevet & Clément Rouault

  21. What we need Draw me a L ocal K ernel D ebugger Introduction DBGEngine Problems Python Call COM interface in Python Level UP kernel32!GetModuleFileNameW must return Demo Conclusion windbg.exe Embed kldbgdrv.sys as a resource Samuel Chevet & Clément Rouault

  22. What we need Draw me a L ocal K ernel D ebugger Introduction DBGEngine Problems Python Call COM interface in Python Level UP kernel32!GetModuleFileNameW must return Demo Conclusion windbg.exe Embed kldbgdrv.sys as a resource Solutions ctypes module I mport A ddress T able (IAT) hooks Samuel Chevet & Clément Rouault

  23. COM with ctypes Draw me a L ocal K ernel D ebugger Introduction DBGEngine /* The SetSymbolPath method sets the symbol path. */ Python HRESULT SetSymbolPath( [in] PCSTR Path Level UP ); Demo int __stdcall IDebugSymbols::SetSymbolPath(PVOID, LPCSTR) Conclusion HOWTO # SetSymbolPath is the 42nd entry in IDebugSymbols’s vtable SetSymbolPathFunction = WINFUNCTYPE(HRESULT, c_char_p)(41, "SetSymbolPath") SetSymbolPathFunction(DebugSymbolsObject, "C: \\ whatever") # Abstract stuffs kdbg.DebugSymbols.SetSymbolPath("C: \\ symbols") Samuel Chevet & Clément Rouault

  24. IAT hooks in Python Draw me a L ocal K ernel D ebugger Introduction DBGEngine Python Steps Level UP Find the IAT entry (PEB + PE Parsing) Demo Hook it with a stub able to call our Python function Conclusion What we need Python → native execution native execution → Python Samuel Chevet & Clément Rouault

  25. ctypes magic once again Draw me a L ocal K ernel D ebugger Introduction DBGEngine def get_peb_addr(): Python # mov rax,QWORD PTR gs:0x60; ret Level UP get_peb_64_code = "65488B042560000000C3".decode("hex") Demo # Declare a function type that takes 0 arg and returns a PVOID func_type = ctypes.CFUNCTYPE([PVOID]) Conclusion addr = write_code(get_peb_64_code) # Create a function of type ‘func_type‘ at addr get_peb = func_type(addr) # Call it return get_peb() Python → Native execution Samuel Chevet & Clément Rouault

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

L ocal A naesthetics (LAs ) Traditional Alternative Cellular Targets a+ Channels

L ocal A naesthetics (LAs ) Traditional Alternative Cellular Targets a+ Channels

SYMPOSIUM L ocal A naesthetics: R eappraisal of their R ole in RA and P ain M anagement L ocal A naesthetics (LAs) NEUROPROTECTION E leni M oka, MD, PhD C onsultant A naesthesiologist H eraklion, C rete, G REECE N ervous S ystem I schaemia

911 views • 43 slides
W INDOWS :: B YPASSING KERNEL /GS There are two ways published in the literature to bypass the

W INDOWS :: B YPASSING KERNEL /GS There are two ways published in the literature to bypass the

P ROTECTING THE C ORE K ERNEL E XPLOITATION M ITIGATIONS Patroklos Argyroudis, Dimitris Glynos { argp, dimitris } at census-labs.com Census, Inc. Black Hat EU 2011 P ROTECTING THE C ORE : K ERNEL E XPLOITATION M ITIGATIONS :: B LACK H AT EU 2011

970 views • 69 slides
DrK DrK: Brea eaking Ker ernel el Addres ess Space e La Layout ut Ra Rando ndomi

DrK DrK: Brea eaking Ker ernel el Addres ess Space e La Layout ut Ra Rando ndomi

DrK DrK: Brea eaking Ker ernel el Addres ess Space e La Layout ut Ra Rando ndomi mization n wi with h In Intel el TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology, August 3, 2016 1 KA KASLR: A A P

875 views • 70 slides
P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K

P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K

P RINCIPLED K ERNEL P REDICTION FOR S PATIALLY V ARYING BSSRDF S Oskar Elek and Jaroslav K ivnek This project has received funding from the European Unions Horizon 2020 research and innovation programme under the Charles University, Prague

315 views • 30 slides
P orting a G AMESS C omputational C hemistry K ernel to F PGAs Uma Klaassen University of Texas

P orting a G AMESS C omputational C hemistry K ernel to F PGAs Uma Klaassen University of Texas

P orting a G AMESS C omputational C hemistry K ernel to F PGAs Uma Klaassen University of Texas at El Paso Shirley Moore Oak Ridge National Lab Mark S. Gordon , Kristopher Keipert Iowa State University Jeffrey Vetter , Seyong Lee Oak

419 views • 7 slides
U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN

U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN

U NDERSTANDING E MBEDDED L INUX B ENCHMARKING U SING K ERNEL T RACE A NALYSIS A LEXIS M ARTIN I NRIA / LIG / U NIV . G RENOBLE , F RANCE alexis.martin@inria.fr We do Need Benchmarking ! Benchmark : a standard or point of reference

764 views • 43 slides
L ECTURE 9: D UAL AND K ERNEL Prof. Julia Hockenmaier juliahmr@illinois.edu Linear classifiers

L ECTURE 9: D UAL AND K ERNEL Prof. Julia Hockenmaier juliahmr@illinois.edu Linear classifiers

CS446 Introduction to Machine Learning (Fall 2013) University of Illinois at Urbana-Champaign http://courses.engr.illinois.edu/cs446 L ECTURE 9: D UAL AND K ERNEL Prof. Julia Hockenmaier juliahmr@illinois.edu Linear classifiers so far What

253 views • 22 slides
Draw Seven Park Assembly Square Draw 7 Park Mall Himanshu Dubey & Christopher Cumming

Draw Seven Park Assembly Square Draw 7 Park Mall Himanshu Dubey & Christopher Cumming

Draw Seven Park Assembly Square Draw 7 Park Mall Himanshu Dubey & Christopher Cumming EEOS 476 Prof. A. Frankic Introduction Draw Seven Park: Named after a drawbridge of the same name, which once crossed the Mystic River.

373 views • 23 slides
Playoff Draw Procedures European Zone Playoff Draw Procedures Playoff Format: 8 best runners-up

Playoff Draw Procedures European Zone Playoff Draw Procedures Playoff Format: 8 best runners-up

2014 FIFA World Cup TM Preliminary Competition European Zone Playoff Draw Procedures European Zone Playoff Draw Procedures Playoff Format: 8 best runners-up from stage 1 Draw on 21 st October 2013 to Playoff Series match playoff opponents

283 views • 7 slides
Expert 2D Shape Drawing Aim I can accurately draw a range of 2D shapes using the measurements

Expert 2D Shape Drawing Aim I can accurately draw a range of 2D shapes using the measurements

Expert 2D Shape Drawing Aim I can accurately draw a range of 2D shapes using the measurements given. Success Criteria I can follow instructions to accurately draw shapes. I can draw lines accurately using a ruler. I can draw

819 views • 18 slides
Topic 6 Draw cdr pointers to the right Hierarchical Data and the Closure Draw car

Topic 6 Draw cdr pointers to the right Hierarchical Data and the Closure Draw car

Box and pointer notation Topic 6 Draw cdr pointers to the right Hierarchical Data and the Closure Draw car pointers downward (cons 1 2) Property 2 Section 2.2.1 September 2008 1 Spring 2008 Programming Development 1 Spring 2008

299 views • 3 slides
About Taslie Taslie Skin Care Ltd. is a loc ocal Ca Canadia ian nat natural & & org

About Taslie Taslie Skin Care Ltd. is a loc ocal Ca Canadia ian nat natural & & org

About Taslie Taslie Skin Care Ltd. is a loc ocal Ca Canadia ian nat natural & & org organic ic sk skin incare co company for or bab babie ies and and chil children. Our skincare product line was created in 2008 by Tami

731 views • 17 slides
A DAPTATION L AND U SE P LANNING : G UIDANCE FOR M ARIN C OUNTY L OCAL G OVERNMENTS SLR =

A DAPTATION L AND U SE P LANNING : G UIDANCE FOR M ARIN C OUNTY L OCAL G OVERNMENTS SLR =

A DAPTATION L AND U SE P LANNING : G UIDANCE FOR M ARIN C OUNTY L OCAL G OVERNMENTS SLR = increased volume of seawater from thermal expansion + increased mass of water from melting land ice. 2008 IPCC Sea Level Rise Scenarios High = 3 ft 36

587 views • 20 slides
mattsura.law@gmail.com Colorados Oil and Gas Basins Loc ocal al Regio gional al Global

mattsura.law@gmail.com Colorados Oil and Gas Basins Loc ocal al Regio gional al Global

Matthe thew Sura Attorne orney at Law (720) 563-1866 mattsura.law@gmail.com Colorados Oil and Gas Basins Loc ocal al Regio gional al Global bal Dust Front Range in Non-Attainment Methane is 20 X for Ozone Toxic

740 views • 51 slides
L ECTURE 14: P OTENTIAL F IELDS FOR L OCAL P LANNING , N AVIGATION I NSTRUCTOR : G IANNI A. D I C

L ECTURE 14: P OTENTIAL F IELDS FOR L OCAL P LANNING , N AVIGATION I NSTRUCTOR : G IANNI A. D I C

16-311-Q I NTRODUCTION TO R OBOTICS L ECTURE 14: P OTENTIAL F IELDS FOR L OCAL P LANNING , N AVIGATION I NSTRUCTOR : G IANNI A. D I C ARO RECAP: BEHAVIOR ARBITRATION Conflict resolution It might be needed also to module access / adjust

579 views • 21 slides
L OCAL E CONOMI C DE VE L OPME NT SUMMIT PURPOSE OF T HE SUMMI T Pre se nt ide

L OCAL E CONOMI C DE VE L OPME NT SUMMIT PURPOSE OF T HE SUMMI T Pre se nt ide

Urban-Econ: Development Economists 1088 Pretorius Street, Hatfield Email: pta@urban-econ.com Tel: 012 342 8686 L OCAL E CONOMI C DE VE L OPME NT SUMMIT PURPOSE OF T HE SUMMI T Pre se nt ide ntifie d de ve lo pme nt o ppo

544 views • 41 slides
Write Your C Extension for Ruby (Jian Weihang) @tonytonyjan Bonjour Jian,

Write Your C Extension for Ruby (Jian Weihang) @tonytonyjan Bonjour Jian,

Write Your C Extension for Ruby (Jian Weihang) @tonytonyjan Bonjour Jian, Weihang tonytonyjan.net tonytonyjan tonytonyjan tonytonyjan tonytonyjan tonytonyjan tonytonyjan Double Keyboard Player Ruby Postgraduate

1.07k views • 102 slides
Settj ttjng ng the the s stage Bruce Becker: Coordinator, Africa-Arabia ROC |

Settj ttjng ng the the s stage Bruce Becker: Coordinator, Africa-Arabia ROC |

Settj ttjng ng the the s stage Bruce Becker: Coordinator, Africa-Arabia ROC | bbecker@csir.co.za 1 Why are we here ? Plus ca change, plus c'est la meme chose There is nothing new under the sun Our goals: Take a

758 views • 38 slides
High Performance for Small Sites John Bickar, Stanford Web

High Performance for Small Sites John Bickar, Stanford Web

High Performance for Small Sites John Bickar, Stanford Web Services 1 What is a small site? Shared hos=ng Limited/no access to Linux/Apache layer

780 views • 40 slides
8.6.20 1 English Term 6 Week 2.notebook June 06, 2020 8.6.20 2 English Term 6 Week 2.notebook

8.6.20 1 English Term 6 Week 2.notebook June 06, 2020 8.6.20 2 English Term 6 Week 2.notebook

English Term 6 Week 2.notebook June 06, 2020 8.6.20 1 English Term 6 Week 2.notebook June 06, 2020 8.6.20 2 English Term 6 Week 2.notebook June 06, 2020 8.6.20 3 English Term 6 Week 2.notebook June 06, 2020 Awongalema 9.6.20 Can you

706 views • 13 slides
Wrap-up Part 1 Web IE, Wrappers and Information Integration using Karma Extracting Data from

Wrap-up Part 1 Web IE, Wrappers and Information Integration using Karma Extracting Data from

Wrap-up Part 1 Web IE, Wrappers and Information Integration using Karma Extracting Data from Semi-structured Sources NAME Casablanca Restaurant STREET 220 Lincoln Boulevard CITY Venice PHONE (310) 392-5751 Approaches to Wrapper

229 views • 21 slides
Kyrgyzstan: Open SDG Platform Kerimalieva Nazira Open SDG webinar 17th June 2020 Role of NSO in

Kyrgyzstan: Open SDG Platform Kerimalieva Nazira Open SDG webinar 17th June 2020 Role of NSO in

Kyrgyzstan: Open SDG Platform Kerimalieva Nazira Open SDG webinar 17th June 2020 Role of NSO in the national SDG monitoring and reporting system NATIONAL INSTITUTIONS National Statistical Office MINISTRY 3 MINISTRY 4 MINISTRY 1 MINISTRY 2

233 views • 9 slides
LLDC Implementation of the Trade Facilitation Agreement in 4 slides! 1. Progress 2. Challenges

LLDC Implementation of the Trade Facilitation Agreement in 4 slides! 1. Progress 2. Challenges

LLDC Implementation of the Trade Facilitation Agreement in 4 slides! 1. Progress 2. Challenges 3. Opportunities 1 Progress achieved (As of yesterday) Category A, Category B, Category C, Not yet notified Status of Least Developed Countries

226 views • 5 slides
Long-Term Growth Model (LTGM) MTI Forum Learning Module Presenters: Steven Pennings (DECMG,

Long-Term Growth Model (LTGM) MTI Forum Learning Module Presenters: Steven Pennings (DECMG,

Long-Term Growth Model (LTGM) MTI Forum Learning Module Presenters: Steven Pennings (DECMG, spennings@worldbank.org ) and Jorge Guzmn (DECMG, jguzmancorrea@worldbank.org) 13 November 2019 (updated 25 September 2020) www.worldbank.org/LTGM

1.52k views • 36 slides

More recommend