Through IDA+VMWare for debugging any kernel function

 Introduction:

A most of time we used Windbg+VMWare for kernel debugging. But there is a problem that we cannot use it for debugging a Interrupt Service Routine (ISR). In such case system will be hang and occur a infinite loop within a interruption. Such as INT 3 breakpoint interruption. This is because the interrupt cannot be handled normally, the breakpoint exception is never been dispatched normally.

Because of this reason, we actually can able to use a VMWaredebugging interfaces for debugging ISR. VMWare exported a interfaces with GDB, we can enable it through this
configuration in .vmx file


For 64-Bit system should debugStub.listen.guest64 = "TRUE"


For x64 system we can connect to localhost: 8864 , the port of 32bit system is 8832


Select process ID is 0



Although we are attached into kernel, but we may not able to view the code since the memory region is not created, we can use IDA function - debugger->manual memory regions


Right click -> Insert


Set as following , we cannot set the end address to 0xFFFFFFFFFFFFFFFF.


Run the system



Now, IDA will pop this dialog to notify us, the system is running, and we can suspend the VMWare at any given time. (Assuming VMWare is freeze without any BSOD, we also can suspend the system, it will be stopped at the RIP that Guest is executing. 

 Use Case 
- In case we need to debugging with INT 3 ISR.

1. We can use Windbg for normal kernel debugging first, and getting a INT 3 ISR address by executing command !idt, But we DO NOT set a breakpoint through Windbg becoz system will be hanged
2. Then we locate the RIP in IDA and set a breakpoint on that ISR.



Use !Idt command looking for INT 3 ISR.

 Attach to the Guest kernel through IDA, and Press suspend to stop the system.
And locate the Address of INT 3 ISR, We only can see the binary not an assembly code.

  


At that time, we can use c hotkey to disassembly the function, and now we can set a breakpoint by F2’ hotkey, then run the system.   
  

At the any given time, we set a breakpoint , such as break by windbg as following 


IDA will be capture the interruption, since it is emulating the Guest RIP, it has full control of the virtual hardware. Indeed, for now, IDA is similar to hardware debugger now.




These type of trick can be used for kernel debugging, and VT-x debugging.


Comments

Post a Comment

Popular posts from this blog

Android Kernel Development - Kernel compilation and Hello World

Image
Introduction Due to the lack of the material that clearly kick off the  android kernel development , hopefully it will gives the clearer  guide to develop your own android driver and debugging it. p.s. Due to the version differential, this article  is not ensure all of the Android Version , SDK version,  source  code , and   Emulator is compatible , however,  the door of   research is always opened,   just   feel   free   to contact me  and play together :P All the materials   are also  saved   in   the VM  ,   you can just directly leverage  the  existing VM Image for  development or  alternatively, as a research and studying, follow the following guide  to create your own workplace.  Android kernel didn't have dynamically insmod like the other linux, so this tutorial is trying to build a new Android Kernel and make test our kernel driver as well. Material Ubuntu 18.04.2 LTS  Android studio Android ndk-r10 Android SDK Goldfish v3.10 VMWare 15   
Read more

How does Nested-Virtualization works?

Image
What is Nested virtualization? ----------------------------------------------------------------------------------------------------- Nowadays, Software Security is becoming more important criteria in the industry, and in recent years, virtualization as a popular topic for protecting / attacking a software, however, most of the virtualization technology framework (bluepill-liked) is not provide an ability that let a guest virtualize one more layer, we called it "Nested Virtualization", level 2. Basic Virtual Machine Monitor Architecture ------------------------------------------------------------------------------------------------------ Figure[1] Host VMM trap any type of event which wants to monitor, such as, Interrupt, exception, privileged register access, one of this event is VMX instruction, after VMM loaded, VMM can always monitor a any one of the  VMX instructions, which provide a good chance for us. As following chart: Figure[2] VMM Life Cycle
Read more

Understanding ACPI and Device Tree

Image
This blog document and help to understand how ACPI works AML (ACPI Machine Language) AML is compiled binary that written in the ACPI Source Language (ASL) and it is interpreted binary that interpreted by AML interpreter during OS runtime. AML is provided by hardware manufacture and embedded in the firmware, it provides the entire device base hierarchy (all thing that equipped on your motherboard, and cannot be removed.) and function to OS that could interface the dedicated hardware, like PCI-ISA bridge or processor, controlling the power, turn on/off, etc. AML operated by different object type, and defined in definition block in firmware table (DSDT / SSDT) AML object type Scope String   Constant Package Control Method Device   ACPI Object  Naming Convention 1. All object names are 32 bits long. 2. The first byte of a name must be one of 'A' - 'Z', '_'. 3. Each of the remaining bytes of a name must be one of 'A' - 'Z', '0' - '
Read more