Original address: www.trustwave.com/en-us/resou…

Original author:

Release time: October 23, 2019

Introduction to the

In this blog series, I’ll try to get some basic knowledge of Windows system debugging and exploitation Settings, and show you how to set up an environment for remote kernel debugging. This environment will be useful for learning about the internals of Windows and will be indispensable for future articles on its use. For Windows internals, I really recommend Pavel Yosifovich’s training at Pluralsight, which will expand your familiarity with the system if you are new to the subject.

Windows development is certainly not an easy subject to learn because there are not many Windows challenges. For example, when you look at the current CTF, you’ll find only some basic/introductory writing about Windows protection and memory allocation, but I’ll try to cover this topic in a future article.

This series will also be part of my learning, so hopefully this will help everyone else in the same situation!

The environment

For this environment, you will need a debugger, several virtual machines, and curiosity

WinDBG is a debugger developed by Microsoft that we will need to debug user and kernel space. There are other options, but WinDBG is definitely the best tool for our work, so let’s get started

We need two more virtual machines for our lab. One will be used as the debugger and the other as the target system. In this case, we will use Windows 10 X64 for debugging — chosen because of the availability of the WinDBG preview on that operating system. As the target system, we’ll use Windows 7 X64 because it has fewer protections than Windows 10 and will make our lives easier while we’re learning. By the way, we can enable native kernel debugging, but this does not allow the researcher to do “live” debugging, such as breakpoint functionality on the driver.

The target machine

You will need to enable debug mode on this Windows machine as it is disabled by default. You can do this using a raised prompt command (cmd.exe) and the “bcdedit “tool. In our example, we will configure our target machine to debug using a serial connection as follows.

C:\Windows\system32>bcdedit /dbgsettings serial debugport:1 baudrate:115200
The operation completed successfully.

C:\Windows\system32>bcdedit /debug on
The operation completed successfully.
Copy the code

If we are also using Windows 10, we can enable debugging options through network Settings. However, Windows 7 doesn’t have this option, so we’ll use a serial connection.

The connection

Now that we have the debugger set up to use serial connections, we now need to add and configure a serial port for each machine. In my example, I use VMWare Workstation, but this configuration can be copied to VirtualBox from any virtual machine vendor. On Windows 7, you set “Destination is server”.

Figure 1 – Windows 7 VM Settings

On Windows 10, you set “end is client.” .

Configuration -Windows 10 Figure 2- VM Settings for Windows 10

The commissioning

With debug mode set on the target machine and serial connections configured on both machines, we can now proceed with WinDBG setup.

Open the WinDBG preview, go to “Attach to kernel”, select “COM “and use the following configuration.

Com1-windbg Figure 3 – WinDBG preview COM configuration on the debugger machine

This is tricky, and the port name is not related to the name we gave our port connection in VMWare Settings. This is actually a port in device Manager. Basically, if you don’t have any ports before this new port, you should only have one serial port, so you will use “com1”, however, if there are other ports already, you will use “COM2”, “COM3”, etc.

Start debugging

After confirmation, you will connect to the target.

Microsoft (R) Windows Debugger Version 10.0.19494.1001 Copyright (C) Microsoft Corporation. All rights Reserved. Opened \\.\com1 Waiting to reconnect... Connected to Windows 7 7601 x64 Target at (Fri Oct 18 10:50:26.300 2019 (UTC - 3:00)), ptr64 TRUE Kernel Debugger connection established. ************* Path validation summary ************** Response Time (ms) Location Deferred SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.17514 amd64fre. Win7sp1_rtm. 101119-1850 Machine Name: Kernel base = 0xfffff800`02a01000 PsLoadedModuleList = 0xfffff800`02c46e90 Debug session time: Fri Oct 18 10:38:56.797 2019 (UTC - 3:00) System Uptime: 0 days 0:04:03.716 Break Instruction Exception - Code 80000003 (First chance) ******************************************************************************* * * * You are seeing this message because you pressed either * * CTRL+C (if you run console kernel debugger) or,                       *
*       CTRL+BREAK (if you run GUI kernel debugger),                          *
*   on your debugger machine's keyboard. * * * * THIS IS NOT A BUG OR A SYSTEM CRASH * * * * If you did not intend to break into the debugger, press the "g" key, then * * press the "Enter" key now. This message might immediately reappear. If it * * does, press "g" and "Enter" again. * * * ******************************************************************************* nt! RtlpBreakWithStatusInstruction+0x1: fffff800`02a79491 c3 retCopy the code

Then we can get started!

You should notice that there is a configuration for “Symbols “. Symbols basically give the user the names of the functions on the API and kernel files. This is very helpful. For example, if you don’t have the ntDLl. DLL symbol, you’ll see a function called NTDLL! 7fff’73049342 (random address), which does not provide any additional information about what is being implemented. However, if you have symbols, you will see what the function name is, for example: NTDLL! RtlUserThreadStart. This saves some time and helps determine what is actually happening in our code.

Microsoft provides a common repository for most, if not all, versions of Windows. Vendors can also provide PDB files for their applications, which is a very good move. It is necessary to configure the server on the debugger, and then the symbol file will be downloaded to your local computer. In WinDBG preview, into the menu, Settings, sets the symbol path to the SRV * C: \ “SymCache * http://msdl.microsoft.com/download/symbols”. This will ensure that all downloaded symbols go to the local path “C:\SymCache”.

Symbol Figure 4 – WinDBG symbol path

conclusion

Now we have set up the environment for our tests. In the next installment, I’ll introduce the features of WinDBG to familiarize myself with debugging Windows systems. Then, I’ll go on to write some internals, applications, and kernel exploits. If you have any questions or comments, please let me know that hopefully by the end of this series you will have a new tool in your Arsenal of security.

Translation via www.DeepL.com/Translator (free version)

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Windows Debugging and Development Part I – Environment Settings

Introduction to the

The environment

The target machine

The connection

The commissioning

Start debugging

conclusion

Windows Debugging and Development Part I – Environment Settings

Introduction to the

The environment

The target machine

The connection

The commissioning

Start debugging

conclusion

Related Posts

You do not know the GraphQL Directives

Block level scope in js

Summary of Litmus code quality platform practice