To debug the kernel, you must connect to your computer using a null modem cable or modem connection. The computer performing debugging will be called “Host”, and the problem computer will be called “Target”.
Both computers must be running the same version of Windows, and the symbol files for the Target computer must be installed on the Host computer. The symbol files are provided on the Windows installation CD in the Support\Debug directory.
To enable debugging, you must make changes to the BOOT.INI file on the Target computer.
1. Change the attributes of the BOOT.INI file:
attrib c:\boot.ini –r –s
2. Edit this file and into the line Windows startup add the /debug parameter (to tell the system to load the kernel debugger into RAM when booting Windows). Additional parameters are /Debugport, which tells the system which COM port must be used (COM2 by default) and /Baudrate - to specify the data transfer rate (the default is 19200 baud, but it is better to use 9600). For example:
multi(0)disk(0)rdisk(0)partition(0)\WINDOWS="Windows NT" /debug /debugport=com2 /baudrate=9600
3. Save the file.
4. Set the previous BOOT.INI file attributes:
attrib c:\boot.ini +r +s
In this example, the Target computer allowed a connection through COM2 at 9600 bps.
The Host computer must be configured with the settings required for debugging. In addition, the symbol files must be installed. To install them, go to the \support\debug directory on the installation CD and enter the following command:
expndsym
For example:
expndsym f: d:\symbols
Installation may take some time. Remember that if service packs have been installed on the Target computer, the symbol files for those packages must also be installed on the Host computer. Symbol files for update packages can be downloaded from the Microsoft website.
The next step is to set up the environment variables needed for debugging, such as variables indicating the location of symbol files, etc. The following is a description of these variables.
Description of system variables
The definition of these variables can be placed in batch file in order to avoid entering the corresponding commands at each boot:
echo off
set_nt_debug_port=com2
set_nt_debug_baud_rate=9600
set _nt_symbol_path=d:\symbols\i386
set _nt_log_file_open=d:\debug\logs\debug.log
Now you need to copy software debugging the kernel, which is located in the support\debug\ directory<процессор>on the installation CD (support\debug\I386). The easiest way is to copy the entire directory, since it is small in size (about 2.5 MB). For the I386 platform, a debugger is used, which is supplied as the I386KD.EXE file. The debugger is launched using the I386KD command. To enter a command, press the key combination
Kernel mode debuggers sit between the CPU and the operating system. This means that when you stop the kernel mode debugger, the operating system also stops completely. It is not difficult to imagine that the transition operating system to hard stop is useful when you are working with timers and timing issues. However, with the exception of one debugger, which will be discussed below (in the "SoftlCE Debugger" section of this chapter), you cannot debug user-mode code using kernel-mode debuggers.
There are not many kernel mode debuggers. Here are some of them: Windows 80386 Debugger (WDEB386), Kernel Debugger (1386KD), WinDBG and SoftlCE. Each of these debuggers is briefly described in the following sections.
Debugger WDBEB386
WDEB386 is a Windows 98 kernel mode debugger distributed as part of the Platform SDK. This debugger is only useful for developers writing virtual drivers. Windows devices 98 (VxD). Like most kernel mode debuggers for Windows operating systems, the WDEB386 debugger requires two machines and a null modem cable to operate. Two machines are needed because the part of the debugger that runs on the target machine has limited access to its hardware so that it sends its output and receives commands from the other machine.
The WDEB386 debugger has interesting story. It started out as an internal background tool for Microsoft during the Windows 3.0 era. It was difficult to use and did not have enough support for debugging source code and other nice properties that the Visual C++ and Visual Basic debuggers spoiled us with.
"Dot" (DOT) commands are the most important feature WDEB386. Through interrupt INT 41, the WDEB386 can be expanded to add commands. This extensibility allows VxD driver authors to create custom debugging commands that give them easy access to information in their virtual devices. Debug Windows version 98 supports a variety of DOT commands that allow you to observe the exact state of the operating system at any point in the debugging process.
Debugger I386KD
Windows 2000 differs from Windows 98 in that the actual working part of the kernel mode debugger is the NTOSKRNL part. EXE - file of the main operating kernel Windows systems 2000. This debugger is available in both free (release) and tested (debug) operating system configurations. To enable kernel mode debugging, set the bootloader option /DEBUG to BOOT. INI and, additionally, the bootloader option /DEBUGPORT, if you need to set the kernel mode debugger communication port to a value other than the default (COM1). I386KD runs on its own machine and communicates with Windows machine 2000 via a null modem cable.
Kernel mode debugger NTOSKRNL. The EXE does only enough to control the CPU so that the operating system can be debugged. Most of the debugging work - symbol processing, extended breakpoints and disassembly - is done on the 1386KD side. One Windows time The NT 4 Device Driver Kit (DDK) documented the protocol used in the null modem cable. However, Microsoft no longer documents it.
The power of the 1386KD is obvious when you look at all the commands it offers to access the internal state of Windows 2000. Knowing how device drivers work in Windows 2000 will help a programmer monitor the output of many commands. Despite all its power, i386KD is almost never used because it is a console application, which is very tedious to use for baseline debugging.
Sometimes I have a situation where Windows is waiting for loading time for the kernel debugger. You see the text "Windows start" but not the logo.
If I attach the debugger now, the Windows 7 logo animation plays. After that, the logo starts pulsing. At this point, the download process no longer progresses. CPU load is reduced to a minimum. I usually wait a few minutes, but nothing happens.
This doesn't always happen. However, if this happens, resetting the VM will not help. To fix this problem I need to use startup repair. Unfortunately, this takes forever.
Any ideas what I can do besides running startup repair?
Thank you in advance!
32 answers
To fix the problem you are facing, simply press F10 during boot. And remove/debug and related parameters. Then press enter.
Suggestion: Do not use /debug for the default boot menu option. Copy the boot configuration to a new entry. Then set it to debug mode. Windows doesn't know when you'll use the debugger. Therefore he must wait.
chPF OELPFPTSCHE KHLBBOYS RP TBVPFE U PFMBDLPK SDTB U BCHBTYKOSHNY DBNRBNY RBNSFY. lBL RTBCHYMP, CHBN OHTSOP VKDEF ЪBDBFSH PDOP YЪ KHUFTPKUFCH RPDLBYULY, RETEYUYUMEOOSCHI CH ZHBKME /etc/fstab . uvtpu pvtbpch RBNSFY O KHUFTPKUFCHB, OE SCHMSAEYEUS KHUFTPKUFCHBNY RPDLBYULY, OBRTYNET, MEOFSHCH, CH DBOOSCHK NPNEOF OE RPDDETSYCHBAFUS.
Note: yURPMSHHKFE LPNBODH dumpon (8) DMS KHLBBOYS SDTH NEUFB, ZDE OHTsOP UPITBOSFSH BCHBTYKOSHCHE DBNRSCH. rPUME OBUFTPKLY RP LPNBODE swapon (8) TBDEMB RPDLBYULY DPMTSOB VSHFSH CHSHCHBOB RTPZTBNNNB dumpon . pVSHYUOP LFP CHSHRPMOSEPHUS ЪBDBOYEN RETENOOOPK dumpdev CH ZHBKME rc.conf (5). еUMY ЪБДБOB ьФБ RATENEOOBS, FP RPUME UVPS RTY RETCHPK NOPZPRPMSHЪPCHBFEMSHULPK RETEЪBZTHЪLE VHDEF BCHFPNBFYUEULY ЪBRHEEOOB RTPZTBNNNB savecore (8). pOB UPITBOIF BCHBTYKOSHCHK DBNR SDTB CH LBFBMPZ, ЪBDBOOSCHK CH RETENEOOOPK dumpdir ZHBKMB rc.conf . rP KHNPMYUBOYA LBFBMPZPN DMS BCHBTYKOSCHI DBNRPCH SCHMSEFUS /var/crash .
mYVP CHSC NPTSEFE ЪBDBFSH KHUFTPKUFCHP DMS UVTPUB PVTBB RBNSFY SCHOP YUETE RBTBNEFT dump CH UFTPLE config LPOZHYZHTBGYPOOPZP ZHBKMB CHBYEZP SDTB. fBLPK URPUPV YURPMSHЪPCHBFSH OE TELPNEODHEFUS Y BY DPMTSEO YURPMSHЪPCHBFSHUS, FPMSHLP EUMY CHSCH IPFYFE RPMKHYUBFSH BCHBTYKOSHCH PVTBSCH RBNSFY SDTB, LPFPTPE BCHBTYKOP ЪBCHETYBEF UCHPA TBVPFH RTY ЪBZTHЪLE.
Note: dBMEE FETNYO gdb PYOBYUBEF PFMBDYUYL gdb , ЪBRHEEOOSCHK CH ``TETSINE PFMBDLY SDTB". RETEIPD CH LFPF TETSYN DPUFYZBEFUS ЪBRHULPN gdb U RBTBNEFTPN -k . h TETSYNE PFMBDLY SDTB gdb YЪNEOSEF UCHPЈ RTYZMBYEOYE ABOUT (kgdb) .
Tip: eUMY CHSH YURPMSHJHEFE FreeBSD CHETUYY 3 YMY VPMEE TBOOAA, CHCH DPMTSOSCH CHSHRPMOYFSH HUEYEOYE PFMBDPUOPZP SDTB LPNBODPK strip, B OE KHUFBOBCHMYCHBFSH VPMSHYPE PFMBDPUOPE SDTP :
# cp kernel kernel.debug # strip -g kernel
bFPF YBZ OE FBL KhTS Y OEPVIPDYN, OP TELPNEODKHEN. (PH FreeBSD 4th VPMEE TEMYYBI LFPF YBZ CHSPRMOSEFUS BCHFPNBFYUEULY CH LPOGE RTPGEUUB RPUFTPEOOYS SDTB make .) lPZDB SDTP HUEYEOP, BCHFPNBFYUEULY YMY RT Y RPNPEY LPNBOD CHCHYE, CHCH NPTSEFE KHUFBOPCHYFSH EZP PVSHCHYUOSCHN PVTBBPN, OVTTBCH make install .
ъBNEFSHFE, YuFP CH UFBTSHCHETUISI FreeBSD (DP 3.1, OE CHLMAYUBS LFPF TEMY), YURPMSHHEFUS SDTB CH ZHTNBFE a.out, RPFPNH YI FBVMYGSH UYNCHPMPCH DPMTSOSCH TBURPMBZBFShu S RPUFPSOOP CH RBNSFY. u VPMSHYPK FBVMYGEK UYNCHPMPCH CH OE HUEYOOOPN PFMBDPUOPN SDTE LFP YЪMYYOSS FTBFB. rPUMEDOYE TEMYYSH FreeBSD YURPMSHJHAF SDTB CH ZHTNBFE ELF, ZHE LFP OE SCHMSEFUS RTPVMENPK.
eUMY CHCH FEUFYTHEFE OPChPE SDTP, ULBTSEN, OBVYTBS YNS OPCHPZP SDTB CH RTYZMBYYE OYBZTHYUYLB, OP CHBN OHTSOP ЪBZTHTSBFSH Y TBVPFBFSH U DTHZYN SDTPN, SC UOPCHB CHETOHFSHUS L OPTNBMSHOPNH ZHOLGYPOYTPCHBOYA, ЪBZTHTSBKFE EZP FPMSHLP CH PDOPRPMSHЪPCHBFEMSHULPN TETSYNE RTY RPNPEY ZHMBZB -s , KHLBSCCHBENPZP RTY ЪБЗТХ ЪLE, B ЪBFEN CHSHRPMOYFE FBLYE YBZY:
# fsck -p # mount -a -t ufs # so your filesystem for /var/crash is writable # savecore -N /kernel.panicked /var/crash # exit # ...to multi-user
bFB RPUMEDPCHBFEMSHOPUFSH KHLBSCCHBEF RTPZTBNNE savecore (8) ABOUT YURPMSHЪPCHBOYE DTHZPZP SDTB DMS YЪCHMEYUEOYS UYNCHPMYUEULYI YNEO. YOBYUE POB VKhDEF YURPMSHЪPCHBFSH SDTP, TBVPFBAEE CH DBOOSHK NPNEOF Y, ULPTEE CHUEZP, OYUEZP OE UDEMBEF, RPFPNH YuFP BCHBTYKOSHCHK PVTB RBNSFY YYNCHPMSCH SDTB F PFMYUBFSHUS.
b FERETSH, RPUME UVTPUB BCHBTYKOPZP DBNRB, RETEKDYFE CH LBFBMPZ /sys/compile/WHATEVER Y ЪBRKHUFYFE LPNBODH gdb -k . yЪ RTPZTBNNSH gdb UDEMBKFE CHPF SFP:
Symbol-file kernel.debug exec-file /var/crash/kernel.0 core-file /var/crash/vmcore.0 Y CHBMS - CHCH NPTSEFE PFMBTSYCHBFSH BCHBTYKOSHK DBNR, YURPMSHЪHS YUIPDOSCH FELUFSCH SDTB FPYuOP FBLCE, LBL CHSHCH LFP D EMBEFE AT MAVPC DTHZPK RTPZTBNNPK.
chPF TsKHTOBM LPNBOD UEBOUB TBVPFSH gdb, YMMAUFTYTHAEIK bfh RTPGEDHTH. dMYOOSCH UFTPLY VSHMY TBPTCHBOSH DMS KHMHYUYEOYS YUYFBVEMSHOPUFY Y DMS KHDPVUFCHB UFTPLY VSHCHMY RTPOKHNETPCHBOSHCH. CHUE PUFBMSHOPE SCHMSEFUS FTBUUYTPCHLPK PYYVLY, TEBMSHOP CHPOYLOKHCHYEK PE CHTENS TBVPFSCH OBD DTBKCHETPN LPOUPMY pcvt.
1:Script started on Fri Dec 30 23:15:22 1994 2: # cd /sys/compile/URIAH 3: # gdb -k kernel /var/crash/vmcore.1 4:Reading symbol data from /usr/src/ sys/compile/URIAH/kernel ...done. ./../i386/i386/trap.c line 673) 73:673 error = (*callp->sy_call)(p, args, rval); 74: (kgdb) up 75:Initial frame selected; you cannot go up. 76: (kgdb) quit 77: # exit 78:exit 79: 80:Script done on Fri Dec 30 23:18:04 1994
lPNNEOFBTYY L CHSHCHYYERTYCHEDEOOPNH TSHTOBMKH:
UFTPLB 6:
ьФП DBNR, CHSFSHCHK RTY RPNPEY DDB (UNPFTY OITSE), RPPFPNH LPNNEOFBTYK L BCHBTYKOPNH PUFBOPCHH YNEEF YNEOOP CHYD ``because you said to!'' Y FTBUUYTPCHLB UFELB ZMHVPLB; PDOBLP YOBYUBMSHOPK RTYYUYOPK RETEIPDB CH DDB VSHMB BCHBTYKOBS PUFBOPCHLB RTY CHPOYLOPCHEOYA PYYVLY UFTBOYGSCH RBNSFY.
UFTPLB 20:
lFP NEUFPOBIPTSDEOOYE ZHKHOLGYY trap() CH FTBUUYTPCHLE UFELB.
UFTPLB 36:
rTYOKHDIFEMSHOPE YURPMSHЪPCHBOIE OPChPK ZTBOYGSCH UFELB; FERTSH LFP OE OHTSOP. rTEDRPMBZBEFUS, YuFP ZTBOYGSCH UFELB KHLBSCCHBAF ABOUT RTBCHYMSHOP TBURPMPTSEOYE, DBCE CH UMHUBE BCHBTYKOPZP PUFBOPCHB. zMSDS ABOUT UFTPLH YUIPDOPZP LPDB 403, NPTsOP ULBBFSH, YuFP CHEUSHNB CHETPSFOP, YuFP MYVP CHYOPCHBF DPUFHR RP KHLBBFEMA ``tp"", MYVP VSHM CHSHCHIPD ЪB ZТBOYGSC NBUUYCHB.
UFTPLB 52:
rPIPTSE, YuFP CHYOPCHBF KHLBBFEMSH, OP ON SCHMSEFUS DPRKHUFYNSCHN BDTEUPN.
UFTPLB 56:
pDOBLP, PYUECHYDOP, UFP ON KHLBSCCHBEF ABOUT NHUPT, FBL UFP NSCH OBYMY OBYKH PYYVLH! (DMS FEI, LFP OE OBLPN U LFPC YUBUFSHHA LPDB: tp->t_line UMHTSYF DMS ITBOEOYS TETSYNB LBOBMSB LPOUPMSHOPZP HUFTPKUFCHB, Y LFP DPMTSOP VShchFSH DPUFBFPYuOP NBMEOSHLPE GEMPE YUYUMP .)
This series of articles appeared for two reasons. First of all, I like working with the project HackSysExtremeVulnerableDriver. Secondly, I received a lot of wishes to cover this topic.
All code used in writing this series is in my repository.
IN this cycle In this article we will look at writing kernel-level exploits in Windows. It's important to note that we will be dealing with known vulnerabilities and there is no need for reverse engineering (at least for the driver).
It is expected that after reading all the articles, you will know all the most common classes of vulnerabilities and methods of exploitation, and will also be able to port exploits from x86 architecture to x64 architecture (if possible) and become familiar with new protection methods in Windows 10.
Kernel debug circuit
Unlike user-level debugging, which suspends the execution of a single process, kernel-level debugging involves the entire system, and we will not be able to use this method. Accordingly, we need a separate debugging machine that can communicate with the system where the kernel is being debugged, view memory and kernel structures, and also catch system crashes.
Additional material to study:
Exploiting kernel vulnerabilities
This process is much more fun than operating at the user J level.
The main goal is to achieve privileged execution in the kernel context. And then everything depends on our imagination, from a feast with homemade beer to the introduction of state-sponsored malware.
In general, our task is to obtain a shell with system privileges.
Topics of articles in this series
- Part 1: Setting up your work environment
- Configuring three virtual machines and a system that will act as a debugger.
- Configuring the WinDBG debugger.
- Part 2: Payloads
- Explore the most common payloads. Subsequent parts will address specific vulnerabilities and, where appropriate, provide links to this article.
- The remaining parts.
- Consideration of vulnerabilities.
Kernel exploit development life cycle
- Finding a vulnerability. This topic will not be discussed in this series, since we already know exactly where the gaps are.
- Intercepting the thread of execution. Some vulnerabilities involve code execution, and some have additional requirements.
- Privilege escalation. The main goal is to get a shell with system privileges.
- Restoring the thread of execution. Unchecked exceptions at the kernel level cause the system to crash. If you are not going to write an exploit for a DoS attack, you should take this fact into account.
Types of target systems
We will work with vulnerabilities in the following systems (the specific version is not important):
- Win7 x86 VM
- Win7 x64 VM
- Win10 x64 VM
Let's start with the x86 architecture, and then we will port the exploit to the Win7 x64 system. Some exploits will not run on Win10 machines due to the presence of new protections. In this case, we will either change the logic of the exploit or use a completely different approach.
Software used:
- Hypervisor (lots of options).
- Windows 7 x86 VM
- Windows 7 x64 VM
- Windows 10 x64 VM
Setting up systems for debugging
The debug systems we will be interacting with are designed to load the vulnerable driver. These machines will crash frequently, since most exceptions in the kernel contribute to this type of phenomenon. It is necessary to allocate enough random access memory for these systems.
On each machine that will be debugged, you need to do the following:
- Inside the VirtualKD directory, run the file target\vminstall.exe. A new one will be added boot record and debugging functions and automatic connection to the VirtualKD server installed on the system, which acts as a debugger, will be available.
In the case of Windows 10, the VM must be enabled test mode signing, which allows unsigned drivers to be loaded into the kernel.
After running the command bcdedit /set testsing on and rebooting, “Test Mode” will appear on the desktop.
Brief description of the HEVD module
The DriverEntry procedure is the starting procedure for each driver:
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) (
UINT32 i = 0;
PDEVICE_OBJECT DeviceObject = NULL;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
UNICODE_STRING DeviceName, DosDeviceName = (0);
UNREFERENCED_PARAMETER(RegistryPath);
PAGED_CODE();
RtlInitUnicodeString(&DeviceName, L"\\Device\\HackSysExtremeVulnerableDriver");
RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\HackSysExtremeVulnerableDriver");
//Create the device
Status = IoCreateDevice(DriverObject,
0,
&DeviceName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE
&DeviceObject);
- This procedure contains a call to the IoCreateDevice function, which contains the name of the driver that we will use during communication.
- The necessary structures and function pointers will be added to the DriverObject object.
- What is important for us is the function pointer associated with the DriverObject->MajorFunction procedure, which is responsible for processing IOCTL (I/O Control);
- In HEVD this function is called IrpDeviceIoCtlHandler, which is a large conditional expression with many branches for each IOCTL. Each vulnerability has a unique IOCTL.
Example: HACKSYS_EVD_IOCTL_STACK_OVERFLOW is an IOCTL used to trigger a stack overflow exploit.
This concludes the first part. In the next article we will talk about payloads. On this moment The only payload available is one designed to steal tokens, which will be used in the third part.
P.S. I understand that there are a lot of intricacies and problems that you may encounter. Since this series focuses on developing exploits, you will have to solve all the associated problems yourself. However, you can ask any questions you have in the comments.
Loading...