Informative Information for the Uninformed
Next: Analyzing the output
Up: Stalking with Kernel Debug
Previous: Stalking with Kernel Debug
Contents
Part I

For testing purposes, a Microsoft operating system needs to be set up inside a Virtual PC environment. Load the pluto.sys driver inside the Virtual PC and attach a debug session via Kernel Debug (kd). Once kd is loaded and attached to a process within the virtual machine, Debug Stalk can be invoked by calling "!dbgstalk.dbgstalk [switches] [.bpl file path]" at the kd console. For example:
    C:\Uninformed>kd -k com:port=\\.\pipe\woo,pipe

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.

    Opened \\.\pipe\woo
    Waiting to reconnect...
    Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
    Kernel Debugger connection established.
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_rtm.040803-2158
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
    Debug session time: Sat Sep 23 14:40:24.522 2006 (GMT-7)
    System Uptime: 0 days 0:06:50.610
    Break instruction exception - code 80000003 (first chance)
    nt!DbgBreakPointWithStatus+0x4:
    804e3b25 cc              int     3
    kd> .reload
    Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
    Loading Kernel Symbols
    .......................................................
    Loading User Symbols
    Loading unloaded module list
    ...........
    kd> !dbgstalk.dbgstalk -o -b c:\Uninformed\pluto.sys.bpl
    [*] - Entering Stalker
    [*] - Break Point List.....: c:\Uninformed\pluto.sys.bpl
    [*] - Breakpoint Restore...: OFF
    [*] - Register Enumerate...: ON
    [*] - Kernel Stalking:.....: ON
    current context:
    eax=00000001 ebx=ffdff980 ecx=8055192c edx=000003f8 esi=00000000 edi=f4be2de0
    eip=804e3b25 esp=80550830 ebp=80550840 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
    nt!RtlpBreakWithStatusInstruction:
    804e3b25 cc              int     3
    commands:
      [m]   module list
      [0-9] enter recorder modes
      [x]   stop recording
      [v]   toggle verbosity
      [q]   quit/close

Once Debug Stalk is loaded, a list of commands is available to the user. A breakdown of the commands Debug Stalk offers at its prompt is as follows:
    [m]   module list
    [0-9] enter recorder modes
    [x]   stop recording
    [v]   toggle verbosity
    [q]   quit/close

At this point, the fuzz tool needs to be executed to send random data to the device driver. While the fuzzer is running, Debug Stalk prints its trace information to kd. Pressing 'g' at the kd prompt resumes execution of the target machine. This invocation will look something like this:
    kd> g
    [*] - Recorder Opened......: pluto.sys.0
    [*] - Recorder Opened......: pluto.sys-regs.0
    Modload: Processing breakpoints for module pluto.sys at f7a7f000
    Modload: Done. 46 of 46 breakpoints were set.
    0034c883 T:00000001 [bp] f7a83000 a10020a8f7 mov eax,dword ptr [pluto+0x3000 (f7a82000)]
    0034ed70 T:00000001 [bp] f7a8300e 3bc1 cmp eax,ecx
    0034eded T:00000001 [bp] f7a83012 a12810a8f7 mov eax,dword ptr [pluto+0x2028 (f7a81028)]
    0034ee89 T:00000001 [bp] f7a8302b e9aed1ffff jmp pluto+0x11de (f7a801de)
    0034ef16 T:00000001 [bp] f7a801de 55 push ebp
    0034ef93 T:00000001 [bp] f7a80219 8b45fc mov eax,dword ptr [ebp-4]
    0034f03f T:00000001 [bp] f7a80253 6844646b20 push 206B6444h
    0034f0cb T:00000001 [bp] f7a802a2 b980000000 mov ecx,80h
    0034f148 T:00000001 [bp] f7a802ab 5f pop edi
    00359086 T:00000001 [bp] f7a8006a 8b4c2408 mov ecx,dword ptr [esp+8]
    0035920c T:00000001 [bp] f7a800f6 833d0420a8f700 cmp dword ptr [pluto+0x3004 (f7a82004)],0
    003592a9 T:00000001 [bp] f7a8010c 8b7760 mov esi,dword ptr [edi+60h]
    00359345 T:00000001 [bp] f7a80114 8b4704 mov eax,dword ptr [edi+4]
    003593e1 T:00000001 [bp] f7a80122 6a10 push 10h
    0035945e T:00000001 [bp] f7a80133 85c0 test eax,eax
    003594eb T:00000001 [bp] f7a80147 ff7604 push dword ptr [esi+4]
    00359587 T:00000001 [bp] f7a80176 8bcf mov ecx,edi
    00359614 T:00000001 [bp] f7a80182 5f pop edi
    0035ac5b T:00000001 [bp] f7a8002e 55 push ebp
    current context:
    eax=00000001 ebx=0000c271 ecx=8055192c edx=000003f8 esi=00000001 edi=291f0c30
    eip=804e3b25 esp=80550830 ebp=80550840 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
    nt!RtlpBreakWithStatusInstruction:
    804e3b25 cc              int     3
    commands:
      [m]   module list
      [0-9] enter recorder modes
      [x]   stop recording
      [v]   toggle verbosity
      [q]   quit/close
    kd> q
    [*] - Exiting Stalker
    q

Debug Stalk has now finished stalking the points in the driver that the fuzzer reached. Files named pluto.sys.0 and, optionally, pluto.sys-regs.0 have been saved to the current working directory.
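To turn a saved recorder file into a coverage summary for the fuzz run, here is an added example (not part of the original article or of the Debug Stalk tool) that parses lines in the recorder format shown above and reports which of the breakpoints Modload set were actually reached, as module-relative offsets. It assumes the first column is an ordering counter and keeps the "T:" field as an opaque tag, since the article does not define either; the module base and breakpoint count are the values printed by Modload in the session above.

```python
import re
from dataclasses import dataclass

MODULE_BASE = 0xF7A7F000   # "Processing breakpoints for module pluto.sys at f7a7f000"
BREAKPOINTS_SET = 46       # "46 of 46 breakpoints were set"

# Constructed sample in the recorder format shown above (f7a8002e appears twice on purpose).
SAMPLE_TRACE = """\
0034c883 T:00000001 [bp] f7a83000 a10020a8f7 mov eax,dword ptr [pluto+0x3000 (f7a82000)]
0034ed70 T:00000001 [bp] f7a8300e 3bc1 cmp eax,ecx
0034ef16 T:00000001 [bp] f7a801de 55 push ebp
00359086 T:00000001 [bp] f7a8006a 8b4c2408 mov ecx,dword ptr [esp+8]
0035ac5b T:00000001 [bp] f7a8002e 55 push ebp
0035ac5c T:00000001 [bp] f7a8002e 55 push ebp
"""
# The meaning of the first two columns is an assumption; the article does not define them.
LINE_RE = re.compile(r"^(?P<seq>[0-9a-f]{8}) T:(?P<tag>[0-9a-f]{8}) \[bp\] "
                     r"(?P<addr>[0-9a-f]{8}) (?P<opcode>[0-9a-f]+) (?P<disasm>.+)$")

@dataclass(frozen=True)
class Hit:
    seq: int        # first column, treated as an ordering counter (assumption)
    tag: str        # "T:" field, kept opaque (assumption)
    addr: int       # virtual address of the breakpoint that fired
    opcode: bytes   # raw instruction bytes at that address
    disasm: str     # disassembly text as printed by kd

    @property
    def offset(self) -> int:
        """Module-relative offset, so results stay comparable if the driver loads elsewhere."""
        return self.addr - MODULE_BASE

def parse_trace(text: str) -> list[Hit]:
    """Parse recorder output; a line that does not match is an error, not silently dropped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: unrecognised trace line {line!r}")
        hits.append(Hit(int(m["seq"], 16), m["tag"], int(m["addr"], 16),
                        bytes.fromhex(m["opcode"]), m["disasm"]))
    return hits

def coverage(hits: list[Hit], breakpoints_set: int = BREAKPOINTS_SET) -> dict:
    """Summarise which of the breakpoints that Modload set the fuzzer actually reached."""
    unique = sorted({h.addr for h in hits})
    return {"reached": len(unique), "set": breakpoints_set,
            "percent": 100.0 * len(unique) / breakpoints_set,
            "offsets": [a - MODULE_BASE for a in unique]}
```

Offsets that never appear across many fuzz runs point at driver code the fuzzer's inputs are not exercising, which is the feedback the next section's analysis builds on.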