Winbagility project: simulates a debugged kernel

June 28, 2018 ~ hucktech ~ Leave a comment

PyFDP – Python extension used to communicate with the FDP (Fast Debugging Protocol) hypervisor-based debugging server used in the Winbagility project. https://t.co/9Iai0pwYYi

— PythonArsenal (@PythonArsenal) June 28, 2018

https://github.com/Winbagility/Winbagility

https://github.com/Winbagility/Winbagility/tree/master/bindings/python

Winbagility is a tool that gives you ability to connect WinDbg on non /DEBUG Windows x64 systems. Winbagility simulates a debugged kernel. It retrieves over the STUB for some essentials information (KDBG, KPCR…) and forward these informations to WinDbg over KD.

PyFDP is a Python extension used to communicate with the FDP (Fast Debugging Protocol) hypervisor-based debugging server used in the Winbagility project. Winbagility introduced an instrumented version of VirtualBox which can be used to implement a sthealth debugger via Virtual Machine introspection and runtime analysis. While Winbagility simply connect the FDP server to Windbg in order to debug a Windows VM as if the guest was launch with /DEBUG option activated, anyone can write a FDP client. PyFDP expose the FDP client side by wrapping the DLL’s exports via ctypes, enabling any Python program to script a VM debugging session.

Network kernel debugging of virtual Windows via KDNET

June 25, 2018 ~ hucktech ~ Leave a comment

Debug Hyper-V VMs with KDNET – https://t.co/VvlUET8xUP

— Andy Luhrs (@aluhrs13) June 22, 2018

Setting Up Network Debugging of a Virtual Machine – KDNET
This topic describes how to configure a kernel debugging connection to a Hyper-V virtual machine (VM).[…]

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host

NVidia symbol server for Windows binaries

January 16, 2018 ~ hucktech ~ Leave a comment

Microsoft’s debugger stores symbols in sidecar files separate from the executable. They are stored on the Microsoft Symbol Server. For third party symbols, things are not as good. NVidia has improved things for their drivers, though:

Symbol server for nvidia driver binaries. https://t.co/qtU4GfKee7

— Yuriy O'Donnell (@YuriyODonnell) January 12, 2018

https://developer.nvidia.com/nvidia-driver-symbol-server

https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx
https://support.microsoft.com/en-us/help/311503/use-the-microsoft-symbol-server-to-obtain-debug-symbol-files
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/microsoft-public-symbols

See-also:

AFAIK, Mozilla was the first open source project to setup a symbol server:
https://developer.mozilla.org/en-US/docs/Mozilla/Using_the_Mozilla_symbol_server

https://gpuopen.com/amd-driver-symbol-server/
https://support.citrix.com/article/CTX118622
http://www.nynaeve.net/?p=71
http://www.symbolsource.org/Public/Home/VisualStudio
https://nuget.smbsrc.net/
https://github.com/electron/electron/blob/master/docs/development/setting-up-symbol-server.md
https://area.autodesk.com/blogs/the-3ds-max-blog/debug_symbol_server_for_3ds_max_2012/
https://www.chromium.org/developers/how-tos/debugging-on-windows

Microsoft adds Time Travel Debugging (TTD) to Windbg

November 7, 2017 ~ hucktech ~ Leave a comment

Time Travel Debugging is now available in WinDbg Preview

We are excited to announce that Time Travel Debugging (TTD) features are now available in the latest version of WinDbg Preview. About a month ago, we released WinDbg Preview which provides great new debugging user experiences. We are now publicly launching a preview version of TTD for the first time and are looking forward to your feedback.[…]

https://blogs.msdn.microsoft.com/windbg/2017/09/25/time-travel-debugging-in-windbg-preview/

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-object-model

Time Travel Debugging is now available in WinDbg Preview https://t.co/E6NT7xERgk pic.twitter.com/WzJEf94n9X

— Windows Blogs (@windowsblog) September 27, 2017

As I hear, TTD has been used at Microsoft internally for years, just now getting this feature out to the public. Though they are not identical in implementation, GDB has had reverse execution for a while.

https://www.gnu.org/software/gdb/news/reversible.html
https://sourceware.org/gdb/onlinedocs/gdb/Reverse-Execution.html
https://sourceware.org/gdb/wiki/ReverseDebug

WinDbg updated

August 29, 2017 ~ hucktech ~ Leave a comment

New Blog post! New WinDbg! https://t.co/DeG0dzwhlD

— Andy Luhrs (@aluhrs13) August 28, 2017

The new WinDbgX is finally out! Enjoy it’s awesomeness. Integrated JS/LINQ, ribbons, modernized UI and runs in Centennial. Awesomesauce. https://t.co/I9Hi0juCo5

— Alex Ionescu (@aionescu) August 28, 2017

New WinDbg available in preview!
We are excited to announce a preview version of a brand new WinDbg. We’ve updated WinDbg to have more modern visuals, faster windows, a full-fledged scripting experience, built with the easily extensible debugger data model front and center. I’ll start this by saying that WinDbg Preview is using the same underlying engine as WinDbg today, so all the commands, extensions, and workflows you’re used to will still work just as they did before.

https://blogs.msdn.microsoft.com/windbg/2017/08/28/new-windbg-available-in-preview/

Windbg always had restrictions in what UI widgets it could use, since Windbg was used to debug those same UI widgets (OLE, COM, etc.) and had to work even those widgets did not work.

Windbg updated

October 30, 2016 ~ hucktech ~ Leave a comment

Windbg, Microsoft’s Windows system debugger, has been released with new features, one of which is ability to write debugger scripts in JavaScript.

(WordPress renders the MSDN blog URL strangely, if you can’t click on that, click on the URL in Alex’s twtter.)

Been waiting for a while to announce this! For all those that have done training with me & hated WinDBG scripting: https://t.co/d08aHcIoL1

— Alex Ionescu (@aionescu) October 29, 2016

https://blogs.msdn.microsoft.com/windbg/2016/10/27/new-insider-sdk-and-javascript-extensibility/

Voltron integration for Binary Ninja

September 4, 2016 ~ hucktech ~ Leave a comment

Binary Ninja plugins, Based on Binary Ninja, voltron. https://t.co/7OwcQ4IhEx

— PythonArsenal (@PythonArsenal) September 1, 2016

https://github.com/snare/binjatron
https://github.com/snare/voltron
http://ho.ax/

Binary Ninja plugin for Voltron integration.

Features:
* Synchronise the selected instruction in Binary Ninja with the instruction pointer in the debugger
* Mark breakpoints that are set in the debugger in Binary Ninja
* Set and delete breakpoints in the debugger from Binary Ninja

https://firmwaresecurity.com/2016/04/09/voltron/

https://firmwaresecurity.com/2016/06/05/binary-ninja/

Microsoft removes Firewire from kernel debugger

August 18, 2016 ~ hucktech ~ Leave a comment

The Windows kernel debugger needs to operate even when some device drivers fail, and for other reasons, the debugger can’t use the normal Windows drivers for remoting the debugger over serial, network, USB, Firewire (1394), so the debugger needs to write it’s own driver and do other hacks to remote itself. In the beginning, serial was the only requirement, but later faster cables were needed, like USB and 1394.

Well, it looks like Firewire is fading away, Microsoft has removed 1394 support from the mainstream release of the kernel debugger, only keeping it in the WDK build. Also, AFAIK, this is the first time the Windows debugger is being built separately like this.

1394 KD support no longer ships with Windows! (redist only w/SDK). Details in new Debugging Tools for Windows blog https://t.co/SpnsWBEOMu

— OSR (@OSRDrivers) August 16, 2016

https://blogs.msdn.microsoft.com/windbg/2016/08/11/kd-1394-work-around/

Microsoft MEX Windbg extension

July 15, 2016 ~ hucktech ~ Leave a comment

Microsoft recently released a new Windows Windbg debugger extension called MEX. It has a variety of features, dozens of commands for many of Microsoft’s products. It appears to have been removed from the download site for a while, but it is up now, at least for the moment.

MS released interesting WinDbg ext called MEX. A lot of helpers: C++ pointers, .NET, JS, ROP, LPC/ALPC threads … https://t.co/KgOQUkM9Jw

— Alex Matrosov (@matrosov) July 13, 2016

There’s a copy of the MEX help usage listed here:
https://github.com/REhints/WinDbg/tree/master/MEX

MWR Labs’ Windbg python plugin

April 19, 2016 ~ hucktech ~ Leave a comment

MWR Labs has a new blog post on using Python with Windbg, the Microsoft Windows system debugger.

https://twitter.com/mwrlabs/status/722397141499539456

https://labs.mwrinfosecurity.com/blog/heap-tracing-with-windbg-and-python/

https://github.com/sam-b/windbg-plugins
https://labs.mwrinfosecurity.com/

(I wish Microsoft would properly integrate Python to Windbg, instead of requiring third parties to do so.)

Voltron

April 9, 2016 ~ hucktech ~ Leave a comment

If you have not looked at Voltron, by Jim Fear, please check it out, it is quite powerful:

https://twitter.com/snare/status/718720138866917376

Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs. Voltron does not aim to be everything to everyone. It’s not a wholesale replacement for your debugger’s CLI. Rather, it aims to complement your existing setup and allow you to extend your CLI debugger as much or as little as you like. If you just want a view of the register contents in a window alongside your debugger, you can do that. If you want to go all out and have something that looks more like OllyDbg, you can do that too.

https://github.com/snare/voltron

RET-Sync: multi-debugger tool for IDA Dissassembler

January 14, 2016 ~ hucktech ~ Leave a comment

ret-sync is a set of plugins that helps to synchronize a debugging session (WinDbg/GDB/LLDB/Oldbg2/x64dbg) with IDA https://t.co/PsKpFN4Ofw

— `Ivan (@Ivanlef0u) January 12, 2016

ret-sync stands for Reverse-Engineering Tools synchronization. It’s a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA disassembler. The underlying idea is simple: take the best from both worlds (static and dynamic analysis).

From debuggers and dynamic analysis we got:

local view, with live dynamic context (registers, memory, etc.)
built-in specialized features/API (ex: Windbg’s !peb, !drvobj, !address, etc.)

From IDA and static analysis we got:

    macro view over modules
    code analysis, signatures, types, etc.
    fancy graph view
    persistent storage of knowledge within IDBs

Keys features:

    Pass data (comment, command output) from debugger to disassembler (IDA)
    Multiple IDBs can be synced at the same time allowing to easily trace through multiple modules
    No need to deal with ALSR, addresses are rebased on-the-fly
    IDBs and debugger can be on different hosts

ret-sync is a fork of qb-sync that I developed and maintained during my stay at Quarkslab.

https://github.com/bootleg/ret-sync
https://github.com/quarkslab/qb-sync

Intel’s Debug Extensions for WinDbg

December 6, 2015 ~ hucktech ~ Leave a comment

Windbg is Microsoft’s Windows system debugger (both user-mode and kernel-mode), which has the ability to load third party extensions. I just noticed some Windbg extensions that Intel has created. One enables Windbg to work over JTAG, the other enables support for Intel PT:

Intel® Debug Extensions for WinDbg* for Intel® Processor Trace https://t.co/pl7FCJukxw

— Francisco Ribeiro (@blackthorne) December 4, 2015

The “Intel Debug Extensions for WinDbg” consists of two sets of debugger extensions:

1) Intel Debug Extensions for WinDbg for IA JTAG debugging (IA JTAG) enables the connection of WinDbg to a target over the JTAG. The server acts as a mediator and forwards the calls from WindDbg* to the IPC interface and back.

2) Intel Debug Extensions for WinDbg for Intel Processor Trace (Intel PT) is designed to help WinDbg users by extending their debugging tool set with execution tracing. The extension allows for easy setup of Intel PT by abstracting hardware configuration and then reconstructing and displaying execution flow from the collected trace data. It will integrate with other WinDbg* features like symbolization and high-level source display. Intel PT is a new technology for low-overhead execution tracing. It facilitates debugging a program by exposing an accurate and detailed trace of the program’s activity, and its triggering and filtering capabilities help identifying and isolating the relevant program executions. Intel PT records information about software execution on each hardware thread using dedicated hardware facilities. After execution completes, a software can process the recorded trace data and reconstruct the exact program flow.
[…]
BIOS / UEFI firmware: With firmware that is Intel PT-aware, you can set up an Intel PT-specific memory allocation. In this case, the firmware allocates a dedicated memory area and reserves it in a memory map for further use. Operating systems will recognize this reserved memory range and will not use it. When firmware reserves a memory region for Intel PT, it also configures the Intel PT output MSRs accordingly and indicates that Intel PT output configuration is ready to be used. The extension will recognize this setup. No further configuration (from user’s side) is required.

I presume these extensions are only available as part of the commercial-only Intel System Studio product. If you use Windbg, you may want to try to get these extensions, they sound useful.

More information:

https://software.intel.com/en-us/iss-2016-windbg-pt-user-guide-windows
https://software.intel.com/en-us/articles/intel-system-studio-release-notes
https://software.intel.com/en-us/iss-2016-get-started-debug-extensions-windbg-windows
https://software.intel.com/en-us/intel-system-studio

Memory Explorer added to DbgKit

November 17, 2015 ~ hucktech ~ Leave a comment

Love #RamMap by @markrussinovich ? Check out Memory Explorer from #DbgKit #WinDbg https://t.co/vWtnJvrYsZ pic.twitter.com/4K21sJIr87

— Andrey Bazhan (@AndreyBazhan) November 16, 2015

Andrey Bazhan has announced Memory Explorer, a new tool for DbgKit, a fancy add-on to Microsoft’s Windbg debugger. If you do Windows debugging or forensic analysis, you might want to check this out.

http://www.andreybazhan.com/dbgkit.html

Debugging Tools for Windows 10

November 11, 2015 ~ hucktech ~ Leave a comment

It looks like Microsoft has updated Windbg for Windows 10, one of the new features is support of Visual Studio’s NatVis expression model:

dt is dead, long live dx! NatVis now supported in WinDbg: https://t.co/x7nHTdKfWV

— OSR (@OSRDrivers) November 6, 2015

dx (Display NatVis Expression) – Describes the new dx debugger command, which displays object information using the NatVis extension model and LINQ support.
New commands that work with the NatVis visualization files in the debugger environment.

    .nvlist (NatVis List)
    .nvload (NatVis Load)
    .nvunload (NatVis Unload)
    .nvunloadall (NatVis Unload All)

https://msdn.microsoft.com/en-us/library/windows/hardware/mt219728%28v=vs.85%29.aspx

DbgKit 1.3 released

September 15, 2015 ~ hucktech ~ Leave a comment

Andrey Bazhan has released version 1.3 of DbgKit, a GUI extension to WinDbg, the Microsoft Windows system debugger, included in the “Debugging Tools for Windows” package. Given that most Windbg extensions are command line, a GUI extension to Windbg is fairly impressive!

Debugging processes in #WinDbg just got even simpler with new #DbgKit v1.3 http://t.co/vWtnJvrYsZ

— Andrey Bazhan (@AndreyBazhan) September 15, 2015

“DbgKit is the first GUI extension for Debugging Tools for Windows (WinDbg, KD, CDB, NTSD). It will show you hierarchical view of processes and detailed information about each process including its full image path, command line, start time, memory statistics, vads, handles, threads, security attributes, modules, environment variables and more.”

http://www.andreybazhan.com/dbgkit.html