Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep


Part I

For testing purposes, a Microsoft operating system needs to be set up inside a Virtual PC environment. Load the pluto.sys driver inside the Virtual PC and attach a debug session via the Kernel Debugger (kd). Once kd is loaded and attached to a process within the virtual machine, Debug Stalk can be invoked by calling "!dbgstalk.dbgstalk [switches] [.bpl file path]" at the kd console. For example:

C:\Uninformed>kd -k com:port=\\.\pipe\woo,pipe

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\woo
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
Debug session time: Sat Sep 23 14:40:24.522 2006 (GMT-7)
System Uptime: 0 days 0:06:50.610
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus+0x4:
804e3b25 cc              int     3
kd> .reload
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
.......................................................
Loading User Symbols

Loading unloaded module list
...........
kd> !dbgstalk.dbgstalk -o -b c:\Uninformed\pluto.sys.bpl
[*] - Entering Stalker
[*] - Break Point List.....: c:\Uninformed\pluto.sys.bpl
[*] - Breakpoint Restore...: OFF
[*] - Register Enumerate...: ON
[*] - Kernel Stalking:.....: ON

current context:

eax=00000001 ebx=ffdff980 ecx=8055192c edx=000003f8 esi=00000000 edi=f4be2de0
eip=804e3b25 esp=80550830 ebp=80550840 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!RtlpBreakWithStatusInstruction:
804e3b25 cc              int     3

commands:

        [m] module list         [0-9] enter recorder modes
        [x] stop recording      [v] toggle verbosity
        [q] quit/close

Once Debug Stalk is loaded, a list of commands is available to the user. A breakdown of the commands offered at the Debug Stalk prompt is as follows:

[m]    module list
[0-9]  enter recorder modes
[x]    stop recording
[v]    toggle verbosity
[q]    quit/close

At this point, the fuzz tool needs to be executed to send random, arbitrary data to the device driver. While the fuzzer is running, Debug Stalk will print out information to kd. Pressing 'g' at the kd prompt will resume execution of the target machine. This invocation will look something like this:

kd> g
[*] - Recorder Opened......: pluto.sys.0
[*] - Recorder Opened......: pluto.sys-regs.0
Modload: Processing breakpoints for module pluto.sys at f7a7f000
Modload: Done. 46 of 46 breakpoints were set.
0034c883 T:00000001 [bp] f7a83000 a10020a8f7      mov     eax,dword ptr [pluto+0x3000 (f7a82000)]
0034ed70 T:00000001 [bp] f7a8300e 3bc1            cmp     eax,ecx
0034eded T:00000001 [bp] f7a83012 a12810a8f7      mov     eax,dword ptr [pluto+0x2028 (f7a81028)]
0034ee89 T:00000001 [bp] f7a8302b e9aed1ffff      jmp     pluto+0x11de (f7a801de)
0034ef16 T:00000001 [bp] f7a801de 55              push    ebp
0034ef93 T:00000001 [bp] f7a80219 8b45fc          mov     eax,dword ptr [ebp-4]
0034f03f T:00000001 [bp] f7a80253 6844646b20      push    206B6444h
0034f0cb T:00000001 [bp] f7a802a2 b980000000      mov     ecx,80h
0034f148 T:00000001 [bp] f7a802ab 5f              pop     edi
00359086 T:00000001 [bp] f7a8006a 8b4c2408        mov     ecx,dword ptr [esp+8]
0035920c T:00000001 [bp] f7a800f6 833d0420a8f700  cmp     dword ptr [pluto+0x3004 (f7a82004)],0
003592a9 T:00000001 [bp] f7a8010c 8b7760          mov     esi,dword ptr [edi+60h]
00359345 T:00000001 [bp] f7a80114 8b4704          mov     eax,dword ptr [edi+4]
003593e1 T:00000001 [bp] f7a80122 6a10            push    10h
0035945e T:00000001 [bp] f7a80133 85c0            test    eax,eax
003594eb T:00000001 [bp] f7a80147 ff7604          push    dword ptr [esi+4]
00359587 T:00000001 [bp] f7a80176 8bcf            mov     ecx,edi
00359614 T:00000001 [bp] f7a80182 5f              pop     edi
0035ac5b T:00000001 [bp] f7a8002e 55              push    ebp

current context:

eax=00000001 ebx=0000c271 ecx=8055192c edx=000003f8 esi=00000001 edi=291f0c30
eip=804e3b25 esp=80550830 ebp=80550840 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!RtlpBreakWithStatusInstruction:
804e3b25 cc              int     3


commands:

        [m] module list         [0-9] enter recorder modes
        [x] stop recording      [v] toggle verbosity
        [q] quit/close

kd> q
[*] - Exiting Stalker
q

Debug Stalk has finished stalking the points in the driver that the fuzzer reached. Files named "pluto.sys.0" and, optionally, "pluto.sys-regs.0" have been saved to the current working directory.
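The recorder lines Debug Stalk prints can be post-processed offline to see how much of the driver a fuzz run actually exercised. The following is an added example, not code from the article or from the Debug Stalk tool: it parses lines of the shape shown in the session above and reports how many of the 46 breakpoints set at modload were reached. The column meanings (a counter followed by a T: thread id) are assumptions read off the transcript; the module base is the value from the Modload line, and the sample lines are constructed from the transcript.

```python
import re
from collections import Counter

# Constructed sample of recorder lines, in the shape Debug Stalk printed to kd above.
SAMPLE_TRACE = """\
0034c883 T:00000001 [bp] f7a83000 a10020a8f7      mov     eax,dword ptr [pluto+0x3000 (f7a82000)]
0034ed70 T:00000001 [bp] f7a8300e 3bc1            cmp     eax,ecx
0034ef16 T:00000001 [bp] f7a801de 55              push    ebp
0035ac5b T:00000001 [bp] f7a8002e 55              push    ebp
0035ad00 T:00000001 [bp] f7a801de 55              push    ebp
"""
PLUTO_BASE = 0xF7A7F000  # module base from the "Modload" line in the transcript

# Assumed line layout: <counter> T:<thread> [bp] <address> <opcode bytes> <disassembly>
LINE_RE = re.compile(
    r"^(?P<counter>[0-9a-f]{8})\s+T:(?P<thread>[0-9a-f]{8})\s+\[bp\]\s+"
    r"(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+(?P<insn>\S.*)$"
)

def parse_trace(text, base=PLUTO_BASE):
    """Turn recorder lines into dicts; lines that do not match the layout are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m["addr"], 16)
        hits.append({
            "counter": int(m["counter"], 16),
            "thread": int(m["thread"], 16),
            "addr": addr,
            "rva": addr - base,                      # offset inside pluto.sys
            "bytes": bytes.fromhex(m["bytes"]),      # raw opcode bytes at the breakpoint
            "insn": " ".join(m["insn"].split()),     # whitespace-normalised disassembly
        })
    return hits

def coverage_summary(hits, total_set):
    """Unique breakpoints reached versus the count Debug Stalk set at modload (46 above)."""
    uniq = Counter(h["addr"] for h in hits)
    return {
        "unique_hit": len(uniq),
        "total_set": total_set,
        "percent": round(100.0 * len(uniq) / total_set, 1),
    }

if __name__ == "__main__":
    print(coverage_summary(parse_trace(SAMPLE_TRACE), 46))
```

Pointing parse_trace at the contents of a saved "pluto.sys.0" file gives the same summary for a full run, and the rva field lets hits be matched back to the driver's disassembly.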