McAfee Confidential
Kernel Debugging Demystified
Thomas ROCCIA | InfoSec Researcher
thomas.roccia@intel.com
Overview
Summary
0000 – $whoami
0001 – Why debugging Kernel?
0010 – Kerneland VS Userland
0011 – Windows Kernel Structure
0100 – Drivers
0101 – Setup a Lab with 2 VM
0110 – Rootkit Analysis
0111 – Conclusion
1000 – References
0000 – $whoami
• Thomas ROCCIA | @r1tch1e_
• InfoSec Researcher at Foundstone, Intel Security (McAfee)
• Forensic / Incident Response
• Malware Analysis
• Penetration Testing
0001 – Why debugging Kernel?
• To understand how my system really works
• To understand what happened when I got this…
• To analyse how a driver works
• To analyse a rootkit
• Or just to play with the kernel…
0010 – Kerneland VS Userland
Userland
0010 – Kerneland VS Userland
• Userland is where every user application runs
• The term also refers to the programs and libraries the operating system uses to interact with the kernel
• Each user-space process normally runs in its own private virtual address space
• A process in userland normally cannot touch kerneland directly; it has to go through system calls
Kerneland
0010 – Kerneland VS Userland
• Kerneland is the part of the operating system where I/O requests from software are handled
• The kernel is the software that sits between applications and the processor and hardware
• Its code is loaded into a protected area of memory so that other programs cannot overwrite it
• The kernel has full access to:
– CPU
– Memory
– Devices
Protection ring
0010 – Kerneland VS Userland
• The operating system relies on the CPU's protection rings: the kernel runs in ring 0 and user applications in ring 3 (Windows does not use rings 1 and 2)
• The kernel is what connects the application software to the hardware
Windows Architecture
0010 – Kerneland VS Userland
Memory distribution
0010 – Kerneland VS Userland
• On 32-bit Windows with the default 2 GB / 2 GB split, userland virtual memory runs from 0x0000 0000 to 0x7FFF FFFF and contains:
• Application code and data
• DLLs
• Variables (heaps, stacks)
• …
• Kerneland virtual memory runs from 0x8000 0000 to 0xFFFF FFFF and contains:
• Boot drivers
• Kernel (ntoskrnl.exe)
• HAL (hal.dll)
• …
• These boundaries are specific to x86: with the /3GB boot switch user space extends to 0xBFFF FFFF, and x64 uses a completely different layout, so "address ≥ 0x8000 0000 means kernel" only holds for the default 32-bit configuration
Who wins?
0010 – Kerneland VS Userland
• As we saw, kerneland is protected against direct access from userland
• But what happens if a user process attempts to access kerneland?
• Normally a crash: the access is rejected and the process gets an access violation
• But sometimes malicious code can gain full access to the system, by exploiting a vulnerability in the kernel or a driver, or by loading a malicious driver (a malicious DLL on its own stays in ring 3)…
Who wins?
0010 – Kerneland VS Userland
• And now the attacker is like GOD in your system: code running in ring 0 can read and write any memory, any process and any kernel structure, and nothing in userland can stop it or even see it
Who wins?
0010 – Kerneland VS Userland
• If we try to access kerneland from userland with a simple piece of code (for example dereferencing a kernel-mode address from a normal process):
Who wins?
0010 – Kerneland VS Userland
• We get an access violation (exception code 0xC0000005, STATUS_ACCESS_VIOLATION): the page belongs to kernel mode, so the CPU refuses the access from ring 3 and the process is terminated unless it handles the exception
0011 – Windows Kernel Structure
Presentation
0011 – Windows Kernel Structure
• The Windows kernel is the component that gives Windows tasks controlled access to the hardware through the Hardware Abstraction Layer (HAL)
• kernel32.dll, ntdll.dll and the other system DLLs are loaded in user mode; ntdll.dll holds the system-call stubs that are the gateway into the kernel
• The kernel image is NTOSKRNL.EXE (WinDbg always names the module nt, even for variants such as ntkrnlpa.exe on PAE systems)
• The kernel is the only component that talks to the HAL, which handles:
– DMA (memory)
– Bus mapping
– Clocks and timers
– Interrupts
– Privileged processor features
Kernel architecture
0011 – Windows Kernel Structure
• Windows Executive: base operating-system services: memory management, process and thread management, security, I/O, networking, IPC, etc.
• Windows Kernel: low-level system functions: exception and interrupt handling, thread and process scheduling, synchronisation, etc.
• Device drivers: hardware drivers, but also drivers for virtual devices (file systems, network).
Processor initialisation
0011 – Windows Kernel Structure
• When the kernel boots, it performs basic initialisation for each processor.
• The KPCR (Kernel Processor Control Region) is a structure (one per processor) that stores critical CPU information and state
• Inside the KPCR is another structure, the KPRCB (Kernel Processor Control Block), which describes the processor (CPU type, model, speed, the thread currently running on it…)
– Kd> dt nt!_KPCR / !pcr
– Kd> dt nt!_KPRCB / !prcb
System Calls
0011 – Windows Kernel Structure
• System calls are how user-mode code asks the kernel to interact with the hardware
• A system call is a function in the kernel that user-mode code requests for services such as I/O
• It is implemented in the kernel because only high-privilege code may manage such resources
• System calls go through a service dispatcher (KiSystemService / KiFastCallEntry on x86) that locates the kernel function
• On x86 the user-mode stub places the service number in EAX and executes SYSENTER to enter kernel mode; SYSEXIT returns to user mode (older CPUs use INT 2Eh, and x64 uses SYSCALL/SYSRET instead)
System Calls – Service Dispatcher
0011 – Windows Kernel Structure
• Windows stores the system-service tables in two data structures
• KeServiceDescriptorTable: describes the native table (nt!KiServiceTable), used by every thread
• KeServiceDescriptorTableShadow: the same entry plus a second one for the win32k.sys table used by GUI threads
• Each descriptor holds the table base (ServiceTable), a counter table, the number of entries (ServiceLimit) and the argument-size table (ArgumentTable)
– dps nt!KeServiceDescriptorTable
– dps nt!KiServiceTable
Faults, Traps and Interrupts
0011 – Windows Kernel Structure
• When a device requires the processor's attention, it raises an interrupt that forces the processor to pause what it is doing and handle the device request.
• The Interrupt Descriptor Table (IDT) stores one entry per vector pointing at the corresponding interrupt handler; a rootkit can hook these entries just as it hooks the SSDT
– Kd> dt nt!_KIDTENTRY
– Kd> !idt
Interrupt Request Level
0011 – Windows Kernel Structure
• The Windows kernel uses an abstract concept called Interrupt Request Level (IRQL) to prioritise interrupts.
• Kd> !irql
• Interrupts fall into two general categories:
• Software: triggered by conditions in the running code
• Hardware: triggered by devices connected to the CPU
• The software levels, from lowest to highest priority:
• PASSIVE_LEVEL (0): the lowest IRQL in the system. All user-mode code and most kernel code run at this IRQL
• APC_LEVEL (1): the IRQL at which APCs (Asynchronous Procedure Calls) run
• DISPATCH_LEVEL (2): the highest software IRQL, where the thread dispatcher and DPCs (Deferred Procedure Calls) run; paged memory must not be touched here. Device interrupt levels (DIRQL) and HIGH_LEVEL sit above it
Processes and Threads
0011 – Windows Kernel Structure
• A thread is defined by two kernel data structures:
• ETHREAD: contains information about the thread (executive level)
⎻ Kd> dt nt!_ETHREAD
• KTHREAD: contains scheduling information for the thread dispatcher
⎻ Kd> dt nt!_KTHREAD
• An ETHREAD contains a KTHREAD (as its first member, so both share the same address)
• A process contains at least one thread and is defined by two kernel data structures:
• EPROCESS: stores basic information about the process (PID, list of threads, security token…)
– Kd> dt nt!_EPROCESS
• KPROCESS: stores scheduling information about the process
– Kd> dt nt!_KPROCESS
• An EPROCESS contains a KPROCESS (again as its first member)
Execution Context
0011 – Windows Kernel Structure
• Every running thread has an execution context
• An execution context contains the address space, the security token and the other properties of the running thread
• In the kernel three execution contexts can be distinguished:
– Thread context: the context of a specific thread
– System context: the context of a thread executing in the System process
– Arbitrary context: the context of whatever thread was running when the scheduler took over (for example in a DPC); code running there cannot assume anything about the current address space
0100 – Drivers
What is a driver?
0100 – Drivers
• A driver is software running in kernel mode (sometimes in user mode) used to communicate with hardware or devices.
• There are many types of kernel-mode driver; the most interesting here are:
– Legacy software driver: software that runs in ring 0 and interacts with the kernel through its interfaces, with no hardware behind it (rootkits are usually loaded this way)
– Legacy filter driver: a driver that attaches to an existing driver's device stack and can inspect or modify the I/O it receives
– File system minifilter driver: a driver that registers with the Filter Manager to intercept file I/O requests
Driver Entry Points
0100 – Drivers
• DriverEntry() is the first routine called when a driver is loaded
• The I/O manager allocates the DRIVER_OBJECT for the driver in kernel memory and passes it to DriverEntry(), which fills in its dispatch and unload routines
• To get information about a loaded driver (its object, device objects and dispatch table):
– Kd> !drvobj <NameOfDriver> (add the flag 2 to dump the dispatch routines)
• Windows communicates with drivers by sending IRPs (I/O Request Packets) to those dispatch routines
NTSTATUS DriverEntry (
PDRIVER_OBJECT pDriverObject,
PUNICODE_STRING pRegistryPath
);
0101 – Setup a Lab with 2 VM
Environment
0101 – Setup a Lab with 2 VM
• This lab is set up on a Mac OS host with VMware Fusion
• You need two Windows virtual machines:
1. Target (the machine being kernel-debugged): Windows XP SP3
2. Debugger: Windows 7 with WinDbg installed
Target Windows XP
0101 – Setup a Lab with 2 VM
• To activate kernel-debugging mode we need to modify the Boot.ini file.
• This file lists the boot entries and the options with which the system is loaded
• C:\boot.ini (a hidden, read-only system file; clear those attributes before editing)
• Add a second boot entry that duplicates the existing one and appends the kernel-debugger switches /debug /debugport=COM1 /baudrate=115200 (the baud rate must match the one WinDbg is configured with); give it a name you can pick at boot, such as "Debugger enabled":
Target Windows XP
0101 – Setup a Lab with 2 VM
• With the target VM powered off, open a terminal, go to the VM bundle and edit the .vmx file (Fusion rewrites it on shutdown, so edits made while the VM runs are lost)
• Scroll to the end of the file and add the following lines (plain ASCII double quotes; the target is the "server" side that creates the pipe):
serial0.present = "TRUE"
serial0.pipe.endPoint = "server"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.startConnected = "TRUE"
serial0.fileName = "/Users/tomroc/serial0"
WinDBG Windows 7
0101 – Setup a Lab with 2 VM
• Do the same for the WinDbg VM (also powered off): open a terminal, go to its VM bundle and edit the .vmx file
• Scroll to the end of the file and add the following lines; the only difference is that the debugger is the "client" side, and the pipe name must be identical to the target's:
serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.startConnected = "TRUE"
serial0.fileName = "/Users/tomroc/serial0"
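The two .vmx edits above are the same six keys with a single differing value, and they are easy to get wrong by hand (duplicate serial0.* keys left over from an earlier attempt, or non-ASCII quotes that sneak in when copying from a slide, which VMware rejects). The following script is an added example, not part of the original talk: it patches both files from the host terminal, removing any existing serial0.* keys before appending the pipe settings, so it can be re-run safely. The pipe path and the file names are assumptions taken from the slides; run it only while both VMs are powered off.

```python
"""Patch two VMware Fusion .vmx files so the VMs share a serial named pipe."""
import sys

# Assumed default taken from the slides; adjust to your own path.
DEFAULT_PIPE = "/Users/tomroc/serial0"


def serial_pipe_settings(endpoint, pipe_path):
    """The serial0.* keys for one side: 'server' creates the pipe, 'client' connects to it."""
    if endpoint not in ("server", "client"):
        raise ValueError("endpoint must be 'server' (target VM) or 'client' (debugger VM)")
    return [
        ("serial0.present", "TRUE"),
        ("serial0.fileType", "pipe"),
        ("serial0.fileName", pipe_path),
        ("serial0.pipe.endPoint", endpoint),
        ("serial0.yieldOnMsrRead", "TRUE"),   # give up the CPU while the guest polls the port
        ("serial0.startConnected", "TRUE"),
    ]


def patch_vmx_lines(lines, endpoint, pipe_path):
    """Return new .vmx lines: existing serial0.* keys dropped, fresh ones appended once."""
    kept = [l for l in lines if not l.strip().lower().startswith("serial0.")]
    if kept and not kept[-1].endswith("\n"):
        kept[-1] += "\n"
    # VMware only accepts plain ASCII double quotes around values.
    kept += ['%s = "%s"\n' % (key, value) for key, value in serial_pipe_settings(endpoint, pipe_path)]
    return kept


def vmx_serial_settings(lines):
    """Read the serial0.* keys back from .vmx lines, for checking the result."""
    found = {}
    for l in lines:
        if "=" in l and l.strip().lower().startswith("serial0."):
            key, _, value = l.partition("=")
            found[key.strip()] = value.strip().strip('"')
    return found


def patch_vmx_file(path, endpoint, pipe_path):
    """Rewrite one .vmx in place and return its serial0.* settings."""
    with open(path, encoding="utf-8") as f:
        lines = f.readlines()
    new_lines = patch_vmx_lines(lines, endpoint, pipe_path)
    with open(path, "w", encoding="utf-8") as f:
        f.writelines(new_lines)
    return vmx_serial_settings(new_lines)


if __name__ == "__main__":
    # usage: python vmx_serial_pipe.py <target.vmx> <debugger.vmx> [pipe_path]
    target_vmx, debugger_vmx = sys.argv[1], sys.argv[2]
    pipe = sys.argv[3] if len(sys.argv) > 3 else DEFAULT_PIPE
    print("target  :", patch_vmx_file(target_vmx, "server", pipe))
    print("debugger:", patch_vmx_file(debugger_vmx, "client", pipe))
```

The target must be the "server" and must be booted first, because the client side fails to connect if the pipe does not exist yet; the script prints the settings it wrote for both sides so you can confirm the pipe paths match before powering the VMs on.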
WinDBG configuration
0101 – Setup a Lab with 2 VM
• Boot the target machine (WinXP) first so that it creates the serial0 pipe, then boot the WinDbg machine (the client side cannot connect to a pipe that does not exist yet)
• Download the symbols for XP from the Microsoft website
https://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx
• Download WinDbg from the Microsoft website
http://msdn.microsoft.com/en-US/windows/desktop/bg162891
• Install it!
WinDBG Symbol configuration
0101 – Setup a Lab with 2 VM
• Run WinDbg as Administrator
• In WinDbg click File >> Symbol File Path and enter (the local cache directory is created on first use):
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Starting Kernel Debugging
0101 – Setup a Lab with 2 VM
• In WinDbg click File >> Kernel Debug
• Open the "COM" tab and check the settings: the port is COM1 (the guest's view of serial0) and the baud rate must be the one set in the target's boot.ini (115200 by default)
Starting Kernel Debugging
0101 – Setup a Lab with 2 VM
• Restart the target Windows XP VM
• Choose the "Debugger enabled" boot entry; WinDbg should report that it is connected to the target, and Ctrl+Break (or Debug >> Break) stops the target and gives you the kd> prompt
0110 – Rootkit Analysis
What is a Rootkit?
0110 – Rootkit analysis
• A rootkit is malware that modifies internal functionality of the OS to hide its presence.
• These modifications can hide files, processes or other resources from running programs.
• There are many ways for attackers to build a rootkit (driver rootkit, hooking rootkit, DKOM rootkit…)
• The most common technique on 32-bit Windows of the XP era is SSDT hooking; on x64, Kernel Patch Protection (PatchGuard) bug-checks the system when the SSDT is modified, so attackers moved to other techniques there
SSDT hooking
0110 – Rootkit analysis
• As we saw, the System Service Dispatch Table (SSDT) is a table of pointers to the Nt* system services that user mode can call
• A malicious driver can replace pointers in the SSDT with pointers to its own code; every call to that service then passes through the rootkit first, which can filter the results (for example drop its own files from a directory listing)
• All pointers in the native SSDT should point to code within ntoskrnl (and those of the shadow table within win32k.sys); any pointer outside that range is likely hooked
• Check it with lm m nt for the kernel's start and end addresses and dps nt!KiServiceTable for the pointers; an inline patch of the first bytes of an Nt* function does not change the pointer, so also compare the function bodies against the symbol file with !chkimg nt
SSDT hooking
0110 – Rootkit analysis
• (diagram) User-mode program → SYSENTER → kernel mode: KiSystemService() → KeServiceDescriptorTable in ntoskrnl.exe {ServiceTable, CounterTable, ServiceLimit, ArgumentsTable} → native functions table: WinFunction(), WinFunction(), … → a hooked slot points to RootkitFunction() instead of the original WinFunction()
Practical Case
0110 – Rootkit analysis
1. Quick static look at the import table (IAT) and the code in IDA
2. Triage with the usual malware-analysis tools
3. Run the sample in the target VM and monitor it
4. Find the driver it loads
5. Check the SSDT
6. Identify the hooked function(s)
7. Analyse the code the hook points to
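To make steps 5 and 6 concrete, and to tie them back to the system-call dispatch and SSDT slides above, here is an added example that is not code from the original slides. It runs over WinDbg output saved with .logopen rather than inside the debugger. The lm m nt and dps nt!KiServiceTable listings and the u ntdll!NtCreateFile stub embedded below are constructed for a 32-bit XP-style target: the kernel range, the value of KiServiceTable, the slot at index 0x25 that points into a module named rootkit, and the stub addresses are all invented for illustration. The script flags every SSDT slot whose pointer is not inside ntoskrnl (and, using the 32-bit 0x8000 0000 split from the memory-distribution slide, any pointer that is not even a kernel address), then resolves the service number found in a ntdll stub (low 12 bits = index, bits 12 and 13 = table) to the slot it dispatches to, so a hooked slot can be matched to the Nt* API it intercepts.

```python
"""Flag hooked SSDT entries and resolve syscall numbers from saved WinDbg output."""
import re

KERNEL_BASE_X86 = 0x80000000   # default 2 GB / 2 GB split on 32-bit Windows

# Constructed sample of `lm m nt`: start and end of the ntoskrnl image.
LM_NT = """\
start    end        module name
804d7000 806e4000   nt         (pdb symbols)          c:\\symbols\\ntoskrnl.pdb
"""
# Constructed value of nt!KiServiceTable on this target (the ServiceTable base).
KISERVICETABLE = 0x80501B8C

# Constructed excerpt of `dps nt!KiServiceTable`: slot address, pointer, symbol.
# Slot 0x25 (NtCreateFile) has been redirected into a third-party driver.
DPS_KISERVICETABLE = """\
80501b8c  8059a948 nt!NtAcceptConnectPort
80501b90  805e8d78 nt!NtAccessCheck
80501bf0  805b1b48 nt!NtClose
80501c20  f8a1c3e0 rootkit+0x3e0
80501dd0  805bb3b0 nt!NtQueryDirectoryFile
"""
# Constructed `u ntdll!NtCreateFile` listing: the stub loads the service number into EAX.
U_NTCREATEFILE = """\
ntdll!NtCreateFile:
7c90d682 b825000000      mov     eax,25h
7c90d687 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c90d68c ff12            call    dword ptr [edx]
7c90d68e c22c00          ret     2Ch
"""
_HEX8 = r"([0-9a-f]{8})"


def parse_lm(text):
    """Return (start, end) from the first module line of `lm m <name>` output."""
    for line in text.splitlines():
        m = re.match(r"\s*" + _HEX8 + r"\s+" + _HEX8 + r"\s+\S+", line, re.I)
        if m:
            return int(m.group(1), 16), int(m.group(2), 16)
    raise ValueError("no module line found in lm output")


def parse_dps(text):
    """Return {slot_address: (pointer, symbol)} from `dps` output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*" + _HEX8 + r"\s+" + _HEX8 + r"\s+(.*)$", line, re.I)
        if m:
            entries[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3).strip())
    return entries


def classify(ptr, nt_range):
    """Where an SSDT pointer lands: inside nt, elsewhere in kernel space, or in user space."""
    start, end = nt_range
    if ptr < KERNEL_BASE_X86:
        return "user"      # not even a kernel address: the slot was tampered with
    if start <= ptr < end:
        return "nt"        # expected for every native service
    return "foreign"       # kernel address outside ntoskrnl: almost certainly a hook


def find_hooks(dps_text, lm_text, table_base):
    """Return [(index, pointer, symbol, verdict)] for every slot not pointing into nt."""
    nt_range = parse_lm(lm_text)
    hooks = []
    for slot, (ptr, sym) in sorted(parse_dps(dps_text).items()):
        index = (slot - table_base) // 4      # 32-bit target: one 4-byte pointer per slot
        verdict = classify(ptr, nt_range)
        if verdict != "nt":
            hooks.append((index, ptr, sym, verdict))
    return hooks


def service_number_from_stub(disasm):
    """Extract the system service number from a `u ntdll!NtXxx` listing (mov eax, N)."""
    m = re.search(r"mov\s+eax,\s*([0-9a-f]+)h", disasm, re.I)
    if not m:
        raise ValueError("no 'mov eax,<number>h' in stub listing")
    return int(m.group(1), 16)


def resolve_service(number, dps_text, table_base):
    """Map a service number to (table, index, pointer, symbol) in the dumped native table."""
    index = number & 0xFFF           # low 12 bits select the slot
    table = (number >> 12) & 0x3     # bits 12-13 select the table: 0 = nt, 1 = win32k shadow
    if table != 0:
        raise ValueError("service 0x%x lives in table %d, which is not dumped here" % (number, table))
    ptr, sym = parse_dps(dps_text)[table_base + index * 4]
    return table, index, ptr, sym


if __name__ == "__main__":
    for index, ptr, sym, verdict in find_hooks(DPS_KISERVICETABLE, LM_NT, KISERVICETABLE):
        print("SSDT[0x%02x] -> %08x %-24s %s" % (index, ptr, sym, verdict))
    num = service_number_from_stub(U_NTCREATEFILE)
    print("ntdll!NtCreateFile -> service 0x%x -> %s" % (num, resolve_service(num, DPS_KISERVICETABLE, KISERVICETABLE)))
```

The address check is what matters; the symbol column is only a convenience, since a rootkit driver loaded without symbols still shows up as a pointer outside the nt range. The slot arithmetic is specific to 32-bit targets: on x64 KiServiceTable holds 4-byte offsets relative to the table base (shifted left by 4 for the argument count) rather than absolute pointers, so this parser does not apply there.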
0111 – Conclusion
What did we learn?
0111 – Conclusion
• The difference between userland and kerneland
• Basic concepts of the Windows kernel
• Basic concepts of Windows drivers
• How to use WinDbg
• How to set up kernel debugging with VMware Fusion
• How a rootkit works (SSDT-hooking style) and how to analyse it
1000 – References
• https://msdn.microsoft.com
• http://undocumented.ntinternals.net
• https://technet.microsoft.com/fr-fr/sysinternals/bb545021.aspx (Sysinternals)
• Bruce Dang, Alexandre Gazet, Elias Bachaalany: Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
• Mark Russinovich, David Solomon, Alex Ionescu: Windows Internals, Part 1 & 2
• Michael Sikorski, Andrew Honig: Practical Malware Analysis
• https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/windows/hardware/ff558823(v=vs.85).aspx
• Michael Davis, Sean Bodmer, Aaron LeMasters: Hacking Exposed Malware & Rootkits: Secrets & Solutions
Thomas.roccia@intel.com
Thank you!
Wannacry | Technical Insight and Lessons Learned
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 

Último

Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Windows Kernel Debugging

1. Kernel Debugging Demystify
Thomas ROCCIA | InfoSec Researcher
thomas.roccia@intel.com

2. Overview – Summary
0000 – $whoami
0001 – Why debugging Kernel?
0010 – Kerneland VS Userland
0011 – Windows Kernel Structure
0100 – Drivers
0101 – Setup a Lab with 2 VM
0110 – Rootkit Analysis
0111 – Conclusion
1000 – References

3. 0000 – $whoami
• Thomas ROCCIA | @r1tch1e_
• InfoSec Researcher at Foundstone Intel Security (McAfee)
• Forensic / Incident Response
• Malware Analysis
• Penetration Testing

4. Overview – 0001 – Why debugging Kernel?

5. 0001 – Why debugging Kernel?
• To better understand how my system works
• To better understand what happened when I got this…
• To analyse how a driver works
• To analyse a rootkit
• Or just to play with the kernel…

6. Overview – 0010 – Kerneland VS Userland

7. Userland – 0010 – Kerneland VS Userland
• Userland is where every user application runs
• Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel
• A memory space is assigned to each Userland application
• Each user-space process normally runs in its own virtual memory space
• Processes in Userland normally cannot access kerneland

8. Kerneland – 0010 – Kerneland VS Userland
• Kerneland is the part of the operating system where Input/Output requests from software are managed
• The kernel is the specific piece of software used to pass data to the processor
• Its code is usually loaded into a protected area of memory, so that it cannot be overwritten by other programs
• The kernel has full access to:
– CPU
– Memory
– Devices

9. Protection ring – 0010 – Kerneland VS Userland
• The operating system uses protection rings
• The kernel connects the application software to the hardware

11. Memory distribution – 0010 – Kerneland VS Userland
• Userland memory space runs from 0x0000 0000 to 0x7FFF FFFF:
– Application processes
– DLLs
– Variables
– …
• Kerneland memory space runs from 0x8000 0000 to 0xFFFF FFFF:
– Boot drivers
– Kernel
– HAL
– …

12. Who wins? – 0010 – Kerneland VS Userland
• As we saw, kerneland has protections against access from Userland
• But what happens if a user process attempts to access kerneland?
• Normally, a crash!
• But sometimes malicious code can gain full access to your system through vulnerabilities or with a malicious DLL…

13. Who wins? – 0010 – Kerneland VS Userland
• And now the attacker is like GOD in your system

14. Who wins? – 0010 – Kerneland VS Userland
• If we try to access kerneland from userland with a simple piece of code:

15. Who wins? – 0010 – Kerneland VS Userland
• We get an access violation error:
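The access violation on slides 12 to 15 is the 2 GB / 2 GB split of slide 11 doing its job. The same boundary matters from the other side: a kernel driver that is handed a pointer by a user program must verify that the whole buffer lies in user space before touching it, otherwise the protection the slides describe can be bypassed through the driver. The C program below is an added example written for this page, not code from the slides; it uses the slide's 0x7FFFFFFF boundary (real Windows probes user buffers against MmUserProbeAddress, which is 0x7FFF0000 on this layout) and the sample addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Address-space split as given on slide 11 (default 32-bit layout):
 *   user space   0x00000000 .. 0x7FFFFFFF
 *   kernel space 0x80000000 .. 0xFFFFFFFF
 * Real Windows stops user probes slightly lower, at MmUserProbeAddress
 * (0x7FFF0000 on this layout); the slide's boundary is used here.
 */
#define USER_SPACE_LIMIT   0x7FFFFFFFu   /* last user-mode address, inclusive */
#define KERNEL_SPACE_START 0x80000000u

typedef enum { ADDR_USER = 0, ADDR_KERNEL = 1 } addr_region_t;

/* Which half of the 32-bit virtual address space does va fall in? */
addr_region_t classify_address(uint32_t va)
{
    return va >= KERNEL_SPACE_START ? ADDR_KERNEL : ADDR_USER;
}

/*
 * Does the byte range [base, base + len) lie entirely in user space?
 * This is the check a driver must make before touching a buffer whose
 * address came from user mode. Two edge cases are handled explicitly:
 *   - the range straddles the 0x80000000 boundary;
 *   - base + len wraps past 0xFFFFFFFF (a classic integer-overflow bug
 *     that makes a naive "base + len <= limit" test pass).
 */
bool user_range_ok(uint32_t base, uint32_t len)
{
    if (len == 0)
        return classify_address(base) == ADDR_USER;
    if (base > UINT32_MAX - (len - 1))   /* base + len - 1 would wrap */
        return false;
    uint32_t last = base + (len - 1);    /* inclusive last byte, no overflow */
    return last <= USER_SPACE_LIMIT;
}

int main(void)
{
    /* Constructed sample ranges; none were read from a real process. */
    static const struct { uint32_t base, len; const char *what; } cases[] = {
        { 0x00401000u, 0x1000u, "typical .text page of a user process" },
        { 0x7FFFFFF0u, 0x0010u, "last 16 bytes of user space" },
        { 0x7FFFFFF0u, 0x0020u, "straddles the user/kernel boundary" },
        { 0x804D7000u, 0x0004u, "points into the kernel" },
        { 0xFFFFFFF0u, 0x0020u, "wraps around 0xFFFFFFFF" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%08X+%04X %-7s %s\n", cases[i].base, cases[i].len,
               user_range_ok(cases[i].base, cases[i].len) ? "ok" : "REJECT",
               cases[i].what);
    return 0;
}
```

The wrap-around case is the one worth remembering: a check written as `base + len <= limit` accepts 0xFFFFFFF0 with length 0x20 because the sum overflows to 0x10, which is exactly how a user program can slip a kernel address past a careless driver.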
16. Overview – 0011 – Windows Kernel Structure

17. Presentation – 0011 – Windows Kernel Structure
• The Windows kernel is the component that allows secure access from Windows tasks to the Hardware Abstraction Layer (HAL)
• Kernel32.dll, ntdll.dll and other DLLs are loaded in user mode, but they are the gateway to the kernel
• On 32-bit architectures the kernel is named NTOSKRNL.EXE
• The kernel is the only component with access to the HAL:
– DMA (memory)
– Bus mapping
– Clock and timers
– Interrupts
– Privileged architecture

18. Kernel Architecture – 0011 – Windows Kernel Structure
• Windows Executive: base operating-system services: memory management, process and thread management, security, I/O, networking, IPC, etc.
• Windows Kernel: low-level system functions: exception and interrupt handling, thread and process scheduling, synchronization, etc.
• Device Drivers: hardware drivers, but also virtual device drivers (file system, networking).

19. Processor initialisation – 0011 – Windows Kernel Structure
• When the kernel boots up, it performs basic initialization for each processor.
• The PCR (Processor Control Region) is a structure (one per processor) that stores critical CPU information and state
• Inside the PCR there is another data structure called the PRCB (Processor Control Block). This structure contains information about the processor (CPU type, model, speed…)
– kd> dt nt!_KPCR / !pcr
– kd> dt nt!_KPRCB / !prcb

20. System Calls – 0011 – Windows Kernel Structure
• System calls are used to interact with the hardware
• A system call is typically a function in the kernel that user programs call to request I/O services
• It is implemented in the kernel because only high-privilege code can manage such resources
• System calls go through a service dispatcher to reach the kernel function
• On x86 the service dispatcher is reached with the SYSENTER instruction, which switches to kernel mode, and SYSEXIT returns to user mode

21. System Calls – Service Dispatcher – SSDT – 0011 – Windows Kernel Structure

22. System Calls – Service Dispatcher – 0011 – Windows Kernel Structure
• Windows stores the system call tables in two data structures
• KeServiceDescriptorTable: contains the native syscall table.
• KeServiceDescriptorTableShadow: contains the same data plus the syscall table for GUI threads.
– dps nt!KeServiceDescriptorTable
– dps nt!KiServiceTable

23. Faults, Traps and Interrupts – 0011 – Windows Kernel Structure
• When a device requires the processor’s attention, it raises an interrupt that forces the processor to pause what it is doing and handle the device request.
• The Interrupt Descriptor Table (IDT) stores the information about each interrupt handler.
– kd> dt nt!_KIDTENTRY
– kd> !idt

24. Faults, Traps and Interrupts – 0011 – Windows Kernel Structure

25. Interrupt Request Level – 0011 – Windows Kernel Structure
• The Windows kernel uses an abstract concept called Interrupt Request Level (IRQL).
• kd> !irql
• Interrupts can be divided into two general categories:
– Software: triggered by conditions in the running code
– Hardware: triggered by devices connected to the CPU
• There are different priority levels:
– PASSIVE_LEVEL (0): the lowest IRQL in the system. All user-mode code and most kernel code executes at this IRQL
– APC_LEVEL (1): the IRQL at which APCs (Asynchronous Procedure Calls) run
– DISPATCH_LEVEL (2): the highest IRQL. The thread dispatcher and DPCs (Deferred Procedure Calls) run here

26. Interrupt Request Level – 0011 – Windows Kernel Structure

27. Processes and Threads – 0011 – Windows Kernel Structure
• A thread is defined by two kernel data structures:
– ETHREAD: contains information about the thread
  kd> dt nt!_ETHREAD
– KTHREAD: contains scheduling information for the thread dispatcher
  kd> dt nt!_KTHREAD
• An ETHREAD contains a KTHREAD
• A process contains at least one thread and is defined by two kernel data structures:
– EPROCESS: stores basic information about the process (PID, list of threads, security token…)
  kd> dt nt!_EPROCESS
– KPROCESS: stores scheduling information about the process
  kd> dt nt!_KPROCESS
• An EPROCESS contains a KPROCESS

28. Execution Context – 0011 – Windows Kernel Structure
• Every running thread has an execution context
• An execution context contains the address space, security tokens and other properties of the running thread.
• In the kernel, three execution contexts can be defined:
– Thread context: the context of a specific thread
– System context: the context of a thread executing in the System process
– Arbitrary context: the context of whatever thread was running before the scheduler took over

29. Overview – 0100 – Drivers

30. What is a driver? – 0100 – Drivers
• A driver is software running in kernel mode (sometimes in user mode), used to communicate with hardware or devices.
• There are many different types of kernel-mode driver; the following are the most interesting:
– Legacy software driver: software that runs in ring 0 and interacts with the kernel through interfaces.
– Legacy filter driver: a driver that attaches to an existing driver and modifies its input.
– File system minifilter driver: drivers that interact with the file system to intercept file I/O requests

31. Driver Entry Points – 0100 – Drivers
• The DriverEntry() function is the first call when a driver loads:
    NTSTATUS DriverEntry(
        PDRIVER_OBJECT pDriverObject,
        PUNICODE_STRING pRegistryPath
    );
• This function receives the DRIVER_OBJECT structure, which lives in the kernel memory space where the driver is loaded
• To get information about a driver:
– kd> !drvobj <NameOfDriver>
• Windows communicates with drivers by sending IRPs (I/O Request Packets)

32. Overview – 0101 – Setup a Lab with 2 VM

33. Environment – 0101 – Setup a Lab with 2 VM
• This lab is set up on a Mac OS host with VMware Fusion
• You need two virtual machines running Windows:
1. Target (kernel debugging): Windows XP SP3
2. Debugger: Windows 7 with WinDbg installed

34. Target Windows XP – 0101 – Setup a Lab with 2 VM
• To enable kernel debugging mode we need to modify the Boot.ini file.
• This file is used to load the system in a specific mode or not
• C:\boot.ini
• Add the following line:

35. Target Windows XP – 0101 – Setup a Lab with 2 VM
• In a terminal, go to the VM folder and edit the VMX file
• Scroll to the end of the file and add the following lines:
    serial0.present = "TRUE"
    serial0.pipe.endPoint = "server"
    serial0.fileType = "pipe"
    serial0.yieldOnMsrRead = "TRUE"
    serial0.startConnected = "TRUE"
    serial0.fileName = "/Users/tomroc/serial0"

36. WinDbg Windows 7 – 0101 – Setup a Lab with 2 VM
• In a terminal, go to the VM folder and edit the VMX file
• Scroll to the end of the file and add the following lines:
    serial0.present = "TRUE"
    serial0.pipe.endPoint = "client"
    serial0.fileType = "pipe"
    serial0.yieldOnMsrRead = "TRUE"
    serial0.startConnected = "TRUE"
    serial0.fileName = "/Users/tomroc/serial0"

37. WinDbg configuration – 0101 – Setup a Lab with 2 VM
• Before starting your WinDbg machine you need to boot the target machine (WinXP), to create the serial0 server
• Then boot your WinDbg machine
• Download the symbols for XP from the Microsoft website: https://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx
• Download WinDbg from the Microsoft website: http://msdn.microsoft.com/en-US/windows/desktop/bg162891
• Install it!

38. WinDbg Symbol configuration – 0101 – Setup a Lab with 2 VM
• Run WinDbg as Administrator
• In WinDbg click File >> Symbol File Path and enter:
    srv*c:\symbols*http://msdl.microsoft.com/download/symbols

39. Starting Kernel Debugging – 0101 – Setup a Lab with 2 VM
• In WinDbg click File >> Kernel Debug
• Click the “COM” tab and verify the information (COM1 for us)

40. Starting Kernel Debugging – 0101 – Setup a Lab with 2 VM
• Restart your target Windows XP
• Choose “Debugger enabled”

41. Overview – 0110 – Rootkit analysis

42. What is a Rootkit? – 0110 – Rootkit analysis
• A rootkit is malware that modifies internal functionality of the OS to hide its existence.
• These modifications can hide files, processes or other resources from running programs.
• There are many ways for attackers to create a rootkit (driver rootkit, hooking rootkit, DKOM rootkit…)
• The most used is SSDT hooking

43. SSDT hooking – 0110 – Rootkit analysis
• As we saw, the System Service Dispatch Table (SSDT) is a table of pointers to the various Nt functions that are callable from user mode
• A malicious application can replace pointers in the SSDT with pointers to its own code
• All pointers in the SSDT should point to code within ntoskrnl; if any pointer points outside ntoskrnl, it is likely hooked

44. SSDT hooking – 0110 – Rootkit analysis
(Diagram: a user-mode program executes SYSENTER; in kernel mode, KiSystemService() in ntoskrnl.exe looks up the SSDT (ServiceTable pointing to the native SSDT, CounterTable, ServiceLimit, ArgumentsTable) to reach the native functions table, where one WinFunction() entry has been replaced by RootkitFunction().)
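Slide 22 names nt!KeServiceDescriptorTable, slide 43 gives the detection rule (every SSDT pointer should land inside ntoskrnl) and slide 45 lists "check the SSDT" as step 5 of the practical case. The C program below is an added example written for this page, not code from the slides or from any tool: it models the descriptor with the four field names shown on slide 44, fills it with constructed values (the ntoskrnl base and size and all six table entries are made up, not read from a machine) and reports every entry that falls outside the image. On a live target the entries come from `dps nt!KeServiceDescriptorTable` / `dps nt!KiServiceTable` and the module range from `lm`; for the GUI table reached through KeServiceDescriptorTableShadow the reference module is win32k.sys rather than ntoskrnl, so the same function is run with that module's range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * One nt!KeServiceDescriptorTable entry, using the field names shown on
 * slide 44 (32-bit layout, as in the XP lab). Assumed layout for this
 * example; check the real one with "dt" against your symbols.
 */
typedef struct {
    const uint32_t *ServiceTable;   /* KiServiceTable: one routine address per syscall index */
    uint32_t       *CounterTable;   /* per-service call counters (used on checked builds) */
    uint32_t        ServiceLimit;   /* number of entries in ServiceTable */
    const uint8_t  *ArgumentTable;  /* KiArgumentTable: bytes of arguments per syscall */
} SERVICE_DESCRIPTOR_TABLE;

/*
 * The rule from slide 43: every ServiceTable pointer should land inside the
 * module that owns the table. Returns how many entries fall outside
 * [module_base, module_base + module_size) and records their indices (up
 * to max_out) so the analyst can inspect them with "u" / "ln" in WinDbg.
 */
size_t find_hooked_services(const SERVICE_DESCRIPTOR_TABLE *sdt,
                            uint32_t module_base, uint32_t module_size,
                            uint32_t *hooked_idx, size_t max_out)
{
    size_t n = 0;
    for (uint32_t i = 0; i < sdt->ServiceLimit; i++) {
        uint32_t target = sdt->ServiceTable[i];
        /* subtraction only after the lower bound check, so it cannot underflow */
        bool inside = target >= module_base &&
                      target - module_base < module_size;
        if (!inside) {
            if (n < max_out)
                hooked_idx[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed sample: a made-up ntoskrnl range and a six-entry SSDT.
   None of these values were read from a real machine. */
#define SAMPLE_NT_BASE 0x804D7000u
#define SAMPLE_NT_SIZE 0x001F6000u   /* hypothetical image size */

static const uint32_t sample_service_table[] = {
    0x805A1234u, /* 0: inside ntoskrnl */
    0x805B0000u, /* 1: inside */
    0xF8A1B000u, /* 2: points into some other driver's range: hooked */
    0x8060FFF0u, /* 3: inside */
    0x00401000u, /* 4: points into user space: hooked, and never legitimate */
    0x806CCFFFu, /* 5: last byte of the image: still inside */
};
static const uint8_t sample_argument_table[6] = { 0x18, 0x20, 0x2C, 0x0C, 0x10, 0x08 };

static const SERVICE_DESCRIPTOR_TABLE sample_sdt = {
    sample_service_table, NULL, 6, sample_argument_table
};

/* Runs the check on the constructed table; out receives hooked indices. */
size_t run_sample_check(uint32_t *out, size_t max_out)
{
    return find_hooked_services(&sample_sdt, SAMPLE_NT_BASE, SAMPLE_NT_SIZE,
                                out, max_out);
}

/* k-th hooked index of the sample, or UINT32_MAX if there is none. */
uint32_t sample_hooked_index(size_t k)
{
    uint32_t idx[16];
    size_t n = run_sample_check(idx, 16);
    return (k < n && k < 16) ? idx[k] : UINT32_MAX;
}

int main(void)
{
    uint32_t idx[16];
    size_t n = run_sample_check(idx, 16);
    printf("%zu of %u SSDT entries point outside ntoskrnl\n",
           n, sample_sdt.ServiceLimit);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  index %u -> %08X\n", idx[i], sample_service_table[idx[i]]);
    return 0;
}
```

Two entries are flagged: index 2, whose target sits in an address range owned by a different driver (the case slide 43 describes), and index 4, which points into user space and can never be legitimate for a kernel service. Entry 5 shows why the bound is half-open: the last byte of the image is still inside it.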
45. Practical Case – 0110 – Rootkit analysis
1. Short analysis of the IAT and code in IDA
2. Use malware analysis tools
3. Run the sample and monitor it
4. Find the driver
5. Check the SSDT
6. Identify the hooked function
7. Analyze the hooked function

46. Overview – 0111 – Conclusion

47. What did I learn here? – 0111 – Conclusion
• The difference between Userland and Kerneland
• Basic concepts of the Windows kernel
• Basic concepts of Windows drivers
• How to use WinDbg
• How to set up kernel debugging with Fusion
• How a rootkit works (SSDT hooking style) and how to analyse it

48. Overview – 1000 – References

49. 1000 – References
• https://msdn.microsoft.com
• http://undocumented.ntinternals.net
• https://technet.microsoft.com/fr-fr/sysinternals/bb545021.aspx
• Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
• Windows Internals, Part 1 & 2
• Practical Malware Analysis
• https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/windows/hardware/ff558823(v=vs.85).aspx
• Hacking Exposed: Malware & Rootkits Secrets & Solutions