Draw me a Local Kernel Debugger (PowerPoint PPT presentation by Samuel Chevet & Clément Rouault)



  1. Draw me a Local Kernel Debugger
     Samuel Chevet & Clément Rouault, 20 November 2015
     Outline: Introduction, DBGEngine, Python, Level UP, Demo, Conclusion

  2. Where does this talk come from?
     Branch Trace Flag
       Single step on branches
       IA32_DEBUGCTL_MSR, Eflags
       nt!KiSaveProcessorControlState
     This feature seems not supported anymore on new CPUs
     We wanted to be able to use this feature on our new CPU (not amd64)

  3. Where does this talk come from?
     Branch Trace Store (BTS)
       Store all the branches (src and dst) taken on a CPU to a buffer
       nt!VfInitializeBranchTracing
     Partially implemented, could be nice to have a working POC

  4. Where does this talk come from?
     We looked at the options to achieve that
     We started looking at WinDbg
     We wanted easier scriptability
     We looked at how WinDbg works
     So... Let's draw a Local Kernel Debugger

  5. Agenda
     Windows local kernel debugging
     DbgEngine for dummies
     Python kungfu
     Demo

  6. Agenda: 1 Introduction

  7. Windows kernel debugging
     Use cases of kernel debugging
       Reverse engineering
       Understand (hidden) features
       Study Patch Tuesday
       Hunt vulnerabilities
       Exploit development
       Driver development
       Low level interaction

  8. Windows kernel debugging
     Debug settings
       Network cable
       USB (3.0 / 2.0)
       Serial cable
       Serial over USB
       Locally

  9. Windows local kernel debugging
     Locally? The "debugger" runs on the same computer
     Dump memory
       Data structures used by the processor (GDT, IDT, ...)
       Windows internal structures: process list, handles, ...
     Modify memory, I/O, MSRs
       Enable hidden features
       Fix bugs

  10. Windows local kernel debugging
     WinDbg allows to perform local kernel debugging

  11. Windows local kernel debugging
     Prerequisite
       Boot start options must be modified
       nt!KdDebuggerEnabled must be equal to 1
       "DEBUG" in HKLM\System\CurrentControlSet\Control\SystemStartOptions
       bcdedit /debug on || msconfig.exe

  12. Agenda: 2 DBGEngine

  13. DBGEngine
     WinDbg uses dbgEng.dll: Debugger Engine
       Provides interfaces for examining and manipulating targets
       Can acquire targets, set breakpoints, monitor events, ...
     Can we write our standalone Local Kernel Debugger?

  14. Dissecting dbgeng.dll
     dbgeng.dll
       Few exported functions (only one interesting):
         HRESULT DebugCreate(__in REFIID InterfaceId, __out PVOID* Interface);
       Creates a new Component Object Model (COM) interface of type IDebugClient
     IDebugClient
       Main object, queries other COM interfaces
       IDebugControl: Controls the debugger
       IDebugSymbols: Symbols stuff (dbghelp.dll, symsrv.dll)
       IDebugDataSpaces: Read / Write operations

  15. Dissecting dbgeng.dll
     IDebugClient (debugger.chm):
       HRESULT AttachKernel(
           [in]           ULONG Flags,
           [in, optional] PCSTR ConnectOptions
       );
     dbgeng.h:
       // Attach to the local machine. If this flag is not set
       // a connection is made to a separate target machine using
       // the given connection options.
       #define DEBUG_ATTACH_LOCAL_KERNEL 0x00000001
     Not documented inside MSDN nor debugger.chm

  16. Dissecting dbgeng.dll
     If we try to call the method, we end up in dbgeng!LocalLiveKernelTargetInfo::InitDriver
     This function checks if the current process name is WinDbg / kd
     If TRUE, it extracts a signed driver (kldbgdrv.sys) from the binary's resources
       lpName = 0x7777
       lpType = 0x4444

  17. Dissecting kldbgdrv.sys
     kldbgdrv.sys
       Creates a device \\.\kldbgdrv
       Wrapper around nt!KdSystemDebugControl via DeviceIoControl (dwIoControlCode = 0x22C007)
     nt!KdSystemDebugControl
       Checks the value of nt!KdDebuggerEnabled (set during system startup)
       Read / Write: I/O, Memory, MSR, Data Bus, KPCR, ...
       nt!KdpSysReadIoSpace & nt!KdpSysWriteIoSpace broken, allow only aligned I/O

  18. Stand-Alone application
     Custom LKD
       Use dbgeng.dll like WinDbg
       Put kldbgdrv.sys inside our own resources:
         > type poc.rc
         0x7777 0x4444 "dep\\kldbgdrv_64.sys"
         > rc.exe /nologo poc.rc
       Add 3 other resources: dbgeng.dll, dbghelp.dll, symsrv.dll
     No need to install anything

  19. Stand-Alone application
     Name our executable WinDbg.exe / kd.exe, or hook kernel32!GetModuleFileNameW
     Enable SeDebugPrivilege / SeLoadDriverPrivilege
     Check if debug mode is enabled
     Load dbgeng.dll (from extracted resources)
     Create an IDebugClient and an IDebugControl interface with DebugCreate
     Call AttachKernel with DEBUG_ATTACH_LOCAL_KERNEL
     Call WaitForEvent until the debugger is attached

  20. Agenda: 3 Python

  21. What we need
     Problems
       Call COM interfaces in Python
       kernel32!GetModuleFileNameW must return windbg.exe
       Embed kldbgdrv.sys as a resource

  22. What we need
     Problems
       Call COM interfaces in Python
       kernel32!GetModuleFileNameW must return windbg.exe
       Embed kldbgdrv.sys as a resource
     Solutions
       ctypes module
       Import Address Table (IAT) hooks

  23. COM with ctypes
     Documented prototype:
       /* The SetSymbolPath method sets the symbol path. */
       HRESULT SetSymbolPath(
           [in] PCSTR Path
       );
     Actual calling convention (the COM `this` pointer comes first):
       int __stdcall IDebugSymbols::SetSymbolPath(PVOID, LPCSTR)
     HOWTO
       from ctypes import WINFUNCTYPE, HRESULT, c_char_p
       # SetSymbolPath is the 42nd entry in IDebugSymbols's vtable, i.e. index 41;
       # WINFUNCTYPE(...)(index, name) builds a COM method that takes the interface
       # pointer as its first argument
       SetSymbolPathFunction = WINFUNCTYPE(HRESULT, c_char_p)(41, "SetSymbolPath")
       SetSymbolPathFunction(DebugSymbolsObject, "C:\\whatever")
       # Abstract stuff: wrap the raw vtable call behind a Python method
       kdbg.DebugSymbols.SetSymbolPath("C:\\symbols")
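As an added example (not code from the slides), this shows what the `(41, "SetSymbolPath")` prototype does underneath: read the object's vtable pointer, take slot 41 and call it with `this` as the first argument. The real IDebugSymbols object only exists on Windows, so the dispatch is run against a constructed stand-in whose vtable holds a Python callback in slot 41; `vtable_slot`, `com_method`, `make_fake_debug_symbols` and `demo_set_symbol_path` are names chosen here.

```python
import ctypes

HRESULT = ctypes.c_int32
S_OK = 0
SYMBOL_PATH_SLOT = 41   # IDebugSymbols::SetSymbolPath is the 42nd vtable entry

def vtable_slot(this, index):
    """Address stored in vtable slot `index` of the COM object at `this`, or None if NULL."""
    vtable = ctypes.cast(this, ctypes.POINTER(ctypes.c_void_p))[0]   # first field: vtable pointer
    return ctypes.cast(vtable, ctypes.POINTER(ctypes.c_void_p))[index]

def com_method(index, restype, *argtypes):
    """Build a callable that dispatches through a vtable slot, passing `this` first.
    On Windows, WINFUNCTYPE(restype, *argtypes)(index, name) produces the same thing."""
    proto = ctypes.CFUNCTYPE(restype, ctypes.c_void_p, *argtypes)
    def call(this, *args):
        target = vtable_slot(this, index)
        if target is None:
            raise ValueError("vtable slot %d is NULL" % index)
        return proto(target)(this, *args)
    return call

# Constructed stand-in for IDebugSymbols: a Python callback sits in slot 41, every other slot is NULL.
_recorded = {"path": None}
_SetSymbolPathType = ctypes.CFUNCTYPE(HRESULT, ctypes.c_void_p, ctypes.c_char_p)

def _fake_set_symbol_path(this, path):
    _recorded["path"] = path
    return S_OK

_fake_cb = _SetSymbolPathType(_fake_set_symbol_path)   # module-level so the thunk stays alive

def make_fake_debug_symbols():
    """Return (this, keepalive): `this` is the address of an object whose vtable is a
    42-entry array with the callback at index 41."""
    vtable = (ctypes.c_void_p * (SYMBOL_PATH_SLOT + 1))()
    vtable[SYMBOL_PATH_SLOT] = ctypes.cast(_fake_cb, ctypes.c_void_p).value
    obj = ctypes.c_void_p(ctypes.addressof(vtable))
    return ctypes.addressof(obj), (obj, vtable)

def demo_set_symbol_path(path):
    """Call slot 41 exactly as the slide does, but on the stand-in object."""
    this, _keep = make_fake_debug_symbols()
    SetSymbolPath = com_method(SYMBOL_PATH_SLOT, HRESULT, ctypes.c_char_p)
    hr = SetSymbolPath(this, path)
    return hr, _recorded["path"]

if __name__ == "__main__":
    print(demo_set_symbol_path(b"C:\\symbols"))   # (0, b'C:\\symbols')
```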

  24. IAT hooks in Python
     Steps
       Find the IAT entry (PEB + PE parsing)
       Hook it with a stub able to call our Python function
     What we need
       Python → native execution
       native execution → Python

  25. ctypes magic once again: Python → native execution
     def get_peb_addr():
         # mov rax, QWORD PTR gs:0x60; ret  (gs:0x60 holds the PEB pointer in a 64-bit process)
         get_peb_64_code = "65488B042560000000C3".decode("hex")   # Python 2 hex decoding
         # Declare a function type that takes 0 args and returns a PVOID (ctypes.c_void_p)
         func_type = ctypes.CFUNCTYPE(PVOID)
         # write_code (helper not shown on the slide) copies the bytes into executable memory
         addr = write_code(get_peb_64_code)
         # Create a function of type `func_type` at addr
         get_peb = func_type(addr)
         # Call it
         return get_peb()
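The first step of the IAT hook above is locating the slot for kernel32!GetModuleFileNameW inside the process's own image (PEB ImageBaseAddress, then PE parsing). This added example (not the authors' code) does the PE-parsing half over a flat, mapped PE32+ image and runs it against a constructed minimal image; `find_iat_slot` and `build_sample_image` are names chosen here, and the PEB walk and the hook stub are left out.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG64 = 1 << 63

def _cstr(image, rva):
    return image[rva:image.index(b"\0", rva)]     # NUL-terminated string at an RVA

def find_iat_slot(image, dll_name, func_name):
    """RVA of the IAT slot holding dll_name!func_name in a mapped PE32+ image (the
    slot an IAT hook overwrites), or None. Ordinal imports and descriptors without an INT are skipped."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                        # skip signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("PE32+ (64-bit) image expected")
    desc = struct.unpack_from("<I", image, opt + 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    while desc:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0 and ft == 0:              # all-zero descriptor ends the table
            break
        desc += 20
        if oft == 0 or _cstr(image, name_rva).lower() != dll_name.lower().encode():
            continue
        for i in range(1 << 16):                   # walk INT and IAT in lock-step
            thunk = struct.unpack_from("<Q", image, oft + 8 * i)[0]
            if thunk == 0:
                break
            if not thunk & IMAGE_ORDINAL_FLAG64 and _cstr(image, thunk + 2) == func_name.encode():
                return ft + 8 * i                  # IAT entry = FirstThunk[i]
    return None

def build_sample_image():
    """Constructed minimal PE32+ image (sample data, no sections) importing two kernel32 APIs."""
    img = bytearray(0x700)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 0xF0, 0x22)   # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x20B)                                  # optional header magic
    struct.pack_into("<II", img, 0x58 + 0x78, 0x200, 40)                      # import directory RVA, size
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x400, 0x500)         # descriptor (null one follows)
    struct.pack_into("<QQQ", img, 0x300, 0x600, 0x620, 0)                     # INT: hint/name RVAs
    struct.pack_into("<QQQ", img, 0x500, 0x7FF012341000, 0x7FF012342000, 0)   # IAT: resolved addresses
    for rva, data in ((0x400, b"kernel32.dll\0"), (0x600, b"\0\0GetModuleFileNameW\0"), (0x620, b"\0\0CloseHandle\0")):
        img[rva:rva + len(data)] = data
    return bytes(img)
```

On a live process the same function is applied to the image bytes at ImageBaseAddress, and the returned RVA plus that base is the address the hook stub is written to.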
