Thursday, 17 January 2013

Kernel Debugging and Reversing Primer

Objectives
- to illustrate a reliable setup for Windows 7 kernel debugging over a virtual serial port
- to demonstrate a live example by debugging and reversing bootmgr.exe, the Windows boot manager

Requirements
- 1 x host machine running WinDbg (Debugging Tools for Windows)
- 1 x Windows 7 VMware virtual machine (the debug target)
- IDA Pro 5.x/6.x
- LZNT1_Tools (LZNT1_Decompress.exe, for extracting the 32-bit bootmgr.exe from the 16-bit bootstrap code that wraps it)
- FTK Imager 3.1.x (for forensically extracting the bootmgr binary from the virtual machine's disk)

Setting Up the Windows 7 Virtual Machine
With the VM powered off, add a new serial port that outputs to a named pipe on the host (for example \\.\pipe\com_1; the same name is entered in WinDbg later). Ensure that "This end is the server" and "The other end is a virtual machine" are selected, and that "Yield CPU on poll" is checked so the guest does not spin a host core while the debugger is idle. If WinDbg later fails to attach, the other option to try is "The other end is an application", which is the one the VMware dialog intends for a debugger running on the host. If this is the VM's only serial port it appears as COM1 in the guest, which is the port the bcdedit settings below refer to. The settings of the serial port should look similar to the screenshot below.

Log in to the virtual machine and, from an elevated command prompt (Run as administrator), run the following commands to configure the BCD (Boot Configuration Data) store for boot and kernel debugging. Commands that name no identifier act on {current}, the entry for the running installation; {bootmgr} is the boot manager's own entry, and enabling bootdebug on it is what lets the debugger break into bootmgr itself. debugport 1 means COM1, and it and the baud rate must match the VM's serial port and the WinDbg settings.

bcdedit /set {bootmgr} bootdebug on
bcdedit /set {bootmgr} debugtype serial
bcdedit /set {bootmgr} debugport 1
bcdedit /set {bootmgr} baudrate 115200
bcdedit /debug on
bcdedit /set inherit {dbgsettings}
bcdedit /set inherit {bootloadersettings}
bcdedit /set inherit {globalsettings}
bcdedit /bootdebug on
bcdedit /bootdebug {bootmgr} on
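Before rebooting it is worth confirming that the store really holds these values, because a debugport or baudrate that differs from the VM serial port leaves WinDbg waiting on the pipe forever. The script below is an added example and not from the original post: it parses the text that `bcdedit /enum all` prints and checks that the boot manager and the running OS entry will debug over the expected serial port, following the inherit chain ({current} -> {bootloadersettings} -> {globalsettings} -> {dbgsettings}) the way BCD resolves elements an entry does not set itself. SAMPLE_ENUM is a constructed, trimmed imitation of that output, not captured from a machine; the script itself is meant to be run from an elevated prompt inside the target VM.

```python
"""Check the BCD store against the serial-debug settings this post configures.
Added example, not from the original post; SAMPLE_ENUM is constructed."""
import re
import subprocess

# Constructed, trimmed imitation of `bcdedit /enum all` output after the
# commands in this post; not captured from a real machine.
SAMPLE_ENUM = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager
inherit                 {globalsettings}
bootdebug               Yes
debugtype               Serial
debugport               1
baudrate                115200

Windows Boot Loader
-------------------
identifier              {current}
description             Windows 7
inherit                 {bootloadersettings}
debug                   Yes
bootdebug               Yes

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
"""

def parse_bcdedit(text):
    """Map each identifier to its element name/value pairs. Indented lines
    continue the previous element; bcdedit prints list values that way."""
    entries, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if raw[0].isspace() and current is not None and last_key:
            current[last_key] += " " + line
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) != 2:
            continue                        # section title or status text
        key, value = parts
        if key == "identifier":
            current, last_key = entries.setdefault(value, {}), None
        elif current is not None:
            current[key], last_key = value, key
    return entries

def effective(entries, ident, key, _seen=()):
    """`key` for `ident`, following inherit links when the entry lacks it."""
    if ident in _seen or ident not in entries:
        return None
    entry = entries[ident]
    if key in entry:
        return entry[key]
    for parent in entry.get("inherit", "").split():
        value = effective(entries, parent, key, _seen + (ident,))
        if value is not None:
            return value
    return None

def check_boot_debug(entries, port=1, baud=115200):
    """Problems that would stop WinDbg attaching; an empty list is good."""
    problems = []
    for ident, switch in (("{bootmgr}", "bootdebug"), ("{current}", "debug")):
        if ident not in entries:
            problems.append(f"{ident}: entry not found")
            continue
        if entries[ident].get(switch) != "Yes":
            problems.append(f"{ident}: {switch} is not Yes")
        for key, want in (("debugtype", "Serial"), ("debugport", str(port)),
                          ("baudrate", str(baud))):
            got = effective(entries, ident, key)
            if got != want:
                problems.append(f"{ident}: {key} is {got!r}, expected {want!r}")
    return problems

if __name__ == "__main__":                  # run from an elevated prompt on the VM
    out = subprocess.run(["bcdedit", "/enum", "all"], capture_output=True,
                         text=True, check=True).stdout
    problems = check_boot_debug(parse_bcdedit(out))
    print("\n".join(problems) or "BCD debug settings look consistent")
```

Run it on the VM after the bcdedit commands; anything it prints is a mismatch to fix before the reboot. The port and baud rate are parameters so the same check works for a VM whose serial port is not COM1.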

Extracting bootmgr.exe
In a nutshell, use FTK Imager to forensically extract the 16-bit bootmgr binary from the virtual machine's disk. It is the hidden system file "bootmgr" in the root of the active partition: C:\bootmgr on a single-partition install, or the root of the unlettered System Reserved partition on a default Windows 7 install, which is why a forensic tool that reads the disk or its image directly is convenient.

Then use a hex editor to carve the compressed 32-bit bootmgr.exe out of the 16-bit bootmgr binary: select from 3 bytes before the second MZ signature in the file to the end of the file. Those 3 bytes are not part of the PE; they are the 2-byte LZNT1 chunk header and the first flags byte of the compressed stream, and the "MZ" after them is the stream's first two literal bytes. Leave them out and the decompressor misreads "MZ" as a chunk header and produces nothing useful.

Subsequently, run LZNT1_Decompress.exe on the carved data to retrieve the 32-bit bootmgr.exe binary for reversing. Sanity-check the result: it should start with MZ, contain a PE header, and load in IDA Pro as a 32-bit PE.
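The same carve-and-decompress step in script form, as an added example that is not part of the original post or of LZNT1_Tools: it implements the LZNT1 format directly (2-byte chunk headers, flag bytes, and 16-bit copy tokens whose displacement/length split widens as the chunk fills), which is what makes the "3 bytes before MZ" rule work. Instead of counting MZ signatures it checks the 3 bytes before each candidate for a valid chunk header and flags byte, and it verifies that the decompressed data is a PE image. The byte strings named SAMPLE_* are constructed test data rather than a real bootmgr, and the file layout assumed (a 16-bit stub followed by a single LZNT1 stream) is the one this post describes.

```python
"""Carve the LZNT1-compressed 32-bit bootmgr.exe out of a Windows 7 bootmgr
file and decompress it. Added example; the SAMPLE_* values are constructed."""
import struct

def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream (COMPRESSION_FORMAT_LZNT1). Stops at a zero
    header or one with bad signature bits, so a carve that runs to the end of
    the file is fine: whatever follows the stream is ignored."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0 or (header >> 12) & 0x7 != 3:
            break
        size = (header & 0xFFF) + 1        # low 12 bits: data length minus 1
        chunk = data[pos:pos + size]
        pos += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)

def _decompress_chunk(chunk: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):               # one flag bit per token, LSB first
            if i >= len(chunk):
                break
            if not flags & (1 << bit):     # 0: literal byte
                out.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated copy token")
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # 1: back-reference. The displacement field starts at 4 bits and
            # gains one each time the output so far doubles past 16 bytes;
            # the length field gets the remaining bits.
            n, lg = len(out) - 1, 0
            while n >= 0x10:
                n >>= 1
                lg += 1
            length = (token & (0xFFF >> lg)) + 3
            offset = (token >> (12 - lg)) + 1
            if offset > len(out):
                raise ValueError("back-reference before start of chunk")
            for _ in range(length):        # byte-wise, copies may overlap
                out.append(out[-offset])
    return bytes(out)

def carve_compressed_image(bootmgr: bytes) -> bytes:
    """Return the stream from 3 bytes before the PE's 'MZ' to end of file.
    Each 'MZ' is tested against what those 3 bytes must be: a compressed-chunk
    header (bit 15 set, signature 3) and a flags byte with bits 0 and 1 clear,
    i.e. 'M' and 'Z' are the first two literals of the stream."""
    idx = bootmgr.find(b"MZ")
    while idx >= 0:
        if idx >= 3:
            header = struct.unpack_from("<H", bootmgr, idx - 3)[0]
            if (header & 0x8000 and (header >> 12) & 0x7 == 3
                    and bootmgr[idx - 1] & 0x3 == 0):
                return bootmgr[idx - 3:]
        idx = bootmgr.find(b"MZ", idx + 1)
    raise ValueError("no LZNT1 chunk beginning with an MZ literal found")

def is_pe_image(image: bytes) -> bool:
    """Sanity check: a DOS header and a PE signature at e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_bootmgr_exe(bootmgr: bytes) -> bytes:
    """bootmgr file contents in, 32-bit bootmgr.exe out (or ValueError)."""
    image = lznt1_decompress(carve_compressed_image(bootmgr))
    if not is_pe_image(image):
        raise ValueError("decompressed data is not a PE image")
    return image

# Constructed test data, not a real bootmgr: a fake 16-bit stub with a stray
# 'MZ' (the bytes before it are not a valid chunk header), two LZNT1 chunks,
# a zero end marker and tail bytes that must be ignored.
SAMPLE_STUB = b"\xfa\x33\xc0\x8e\xd0MZ\x90\x00BOOTMGR 16-bit stub (constructed)\x00"
# chunk 1, header 0xB00E (15 data bytes): flags 0x10 -> literals "MZAB", copy
# token 0x1005 (offset 2, length 8), literals "CDE"; flags 0x04 -> literals
# "FG", copy token 0x8001 under the 5/11-bit split (offset 17, length 4).
SAMPLE_CHUNK1 = (b"\x0e\xb0\x10" + b"MZAB" + b"\x05\x10" + b"CDE"
                 + b"\x04" + b"FG" + b"\x01\x80")
# chunk 2, header 0xB005 (6 data bytes): flags 0x00 -> five literals.
SAMPLE_CHUNK2 = b"\x05\xb0\x00" + b"HELLO"
SAMPLE_TAIL = b"\x00\x00" + b"\xff" * 8
SAMPLE_BOOTMGR = SAMPLE_STUB + SAMPLE_CHUNK1 + SAMPLE_CHUNK2 + SAMPLE_TAIL
SAMPLE_PLAINTEXT = b"MZABABABABABCDEFGMZABHELLO"
```

On a real file, read bootmgr into memory, call extract_bootmgr_exe() on the bytes and write the result to bootmgr.exe for IDA; is_pe_image() is the check that the carve started at the right MZ, and a ValueError from the chunk decoder usually means the 3-byte offset was wrong.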

Setting Up WinDbg
On the host, start WinDbg, choose File > Kernel Debug and select the COM tab. Within the COM tab the settings should mirror the VM's serial port: Baud Rate 115200, Port set to the named pipe (for example \\.\pipe\com_1), and both "Pipe" and "Reconnect" checked so that WinDbg reattaches after every reboot of the target. Assuming you were following the settings in this post, your WinDbg settings should look similar to the screenshot below.

Reversing & Kernel Debugging bootmgr.exe
Once all the settings are done, start up the VM, start kernel debugging in WinDbg (it waits on the pipe until the target connects) and restart the VM. Because bootdebug is enabled on {bootmgr}, WinDbg breaks in while bootmgr is still running, and you should hit the following entry point in WinDbg.

Use the "r" command to see the registers and the address in EIP. The address 0x004436bc is actually a debugger trap: a breakpoint instruction that bootmgr's debug initialisation executes to hand control to the debugger.

Step out of the debugger trap (gu, "go up", runs until the current function returns) and take a look at EIP again.

Now the idea is to get back into the main routine of bootmgr.exe, called BmMain.

After stepping through the debug initialisation and some other initialisation routines, you will find yourself at EIP = 0x00401178.

This is actually the debug entry point into BmMain.

These addresses come from the bootmgr build used in this post and will differ for other builds. They should, however, match the addresses IDA shows for the extracted bootmgr.exe, since the boot environment loads the image at its preferred base with no ASLR, so a breakpoint address can be taken straight from IDA. From this point in BmMain, you may set breakpoints (bp) on the routines of interest and continue (g) to debug and reverse them accordingly.
