Through IDA+VMWare for debugging any kernel function

 Introduction:

A most of time we used Windbg+VMWare for kernel debugging. But there is a problem that we cannot use it for debugging a Interrupt Service Routine (ISR). In such case system will be hang and occur a infinite loop within a interruption. Such as INT 3 breakpoint interruption. This is because the interrupt cannot be handled normally, the breakpoint exception is never been dispatched normally.

Because of this reason, we actually can able to use a VMWaredebugging interfaces for debugging ISR. VMWare exported a interfaces with GDB, we can enable it through this
configuration in .vmx file


For 64-Bit system should debugStub.listen.guest64 = "TRUE"


For x64 system we can connect to localhost: 8864 , the port of 32bit system is 8832


Select process ID is 0



Although we are attached into kernel, but we may not able to view the code since the memory region is not created, we can use IDA function - debugger->manual memory regions


Right click -> Insert


Set as following , we cannot set the end address to 0xFFFFFFFFFFFFFFFF.


Run the system



Now, IDA will pop this dialog to notify us, the system is running, and we can suspend the VMWare at any given time. (Assuming VMWare is freeze without any BSOD, we also can suspend the system, it will be stopped at the RIP that Guest is executing. 

 Use Case 
- In case we need to debugging with INT 3 ISR.

1. We can use Windbg for normal kernel debugging first, and getting a INT 3 ISR address by executing command !idt, But we DO NOT set a breakpoint through Windbg becoz system will be hanged
2. Then we locate the RIP in IDA and set a breakpoint on that ISR.



Use !Idt command looking for INT 3 ISR.

 Attach to the Guest kernel through IDA, and Press suspend to stop the system.
And locate the Address of INT 3 ISR, We only can see the binary not an assembly code.

  


At that time, we can use c hotkey to disassembly the function, and now we can set a breakpoint by F2’ hotkey, then run the system.   
  

At the any given time, we set a breakpoint , such as break by windbg as following 


IDA will be capture the interruption, since it is emulating the Guest RIP, it has full control of the virtual hardware. Indeed, for now, IDA is similar to hardware debugger now.




These type of trick can be used for kernel debugging, and VT-x debugging.


Comments

Post a Comment

Popular posts from this blog

How does Nested-Virtualization works?

Image
What is Nested virtualization? ----------------------------------------------------------------------------------------------------- Nowadays, Software Security is becoming more important criteria in the industry, and in recent years, virtualization as a popular topic for protecting / attacking a software, however, most of the virtualization technology framework (bluepill-liked) is not provide an ability that let a guest virtualize one more layer, we called it "Nested Virtualization", level 2. Basic Virtual Machine Monitor Architecture ------------------------------------------------------------------------------------------------------ Figure[1] Host VMM trap any type of event which wants to monitor, such as, Interrupt, exception, privileged register access, one of this event is VMX instruction, after VMM loaded, VMM can always monitor a any one of the  VMX instructions, which provide a good chance for us. As following chart: Figure[2] VMM Life Cycle ...
Read more

Understanding ACPI and Device Tree

Image
This blog document and help to understand how ACPI works AML (ACPI Machine Language) AML is compiled binary that written in the ACPI Source Language (ASL) and it is interpreted binary that interpreted by AML interpreter during OS runtime. AML is provided by hardware manufacture and embedded in the firmware, it provides the entire device base hierarchy (all thing that equipped on your motherboard, and cannot be removed.) and function to OS that could interface the dedicated hardware, like PCI-ISA bridge or processor, controlling the power, turn on/off, etc. AML operated by different object type, and defined in definition block in firmware table (DSDT / SSDT) AML object type Scope String   Constant Package Control Method Device   ACPI Object  Naming Convention 1. All object names are 32 bits long. 2. The first byte of a name must be one of 'A' - 'Z', '_'. 3. Each of the remaining bytes of a name must be one of 'A' - 'Z', '0' - ...
Read more

Windows Mini Class and Class Driver internal research notes

Image
Background ------------------------------------- This is a first windows driver research notes in my blogger. And I will try to keep it simple and clear in this article, for who wants to understand the internal behavior of Class And Mini-Class Driver. ------------------------------------- Audience ------------------------------------- For who wants to understand Mini-Class and Class Driver internal. And understanding more about Hid Device stack. ------------------------------------- Introduction ------------------------------------- First, We are going to take a example of HidUsb and HidClass, the former is a Mini-Class Driver of a HidClass. We can simply think the relationships between them, is a child and parent relationship, Hidusb is one of the child of HidClass. HidClass can be thought as a helper module( like Dll do) in kernel mode, for helping all Driver who wants to join a hid family. ------------------------------------- Research ----...
Read more