PMA 436: Kernel Debugging Using Two Local VMs (15 pts extra)

What you need

Purpose

To use WinDbg Preview for full live kernel debugging, with the ability to use breakpoints.

Prepare Two Windows 10 Machines

You need two Windows 10 machines. Pick one machine to be the host. The other one is the target.

Installing WinDbg Preview on the Host

You need WinDbg Preview, which you installed in a previous project, on the host machine only. The target needs no debugger software; its side of the connection is handled by the kernel's network debug transport, configured with bcdedit below.

Turning Off the Firewall on the Target

On the target machine, click Start and type FIREWALL.

Click "Windows Defender Firewall".

In the left pane, click "Turn Windows Defender Firewall on or off".

Click both "Turn off..." buttons, as shown below.

Then click OK.

Note that the debugger traffic arrives at the host as UDP packets on the port you will configure below, so the host's firewall must also let WinDbg receive them; Windows normally prompts for this the first time WinDbg listens. Remember to turn the target's firewall back on when you are finished.

Testing Networking Between the Machines

On the host computer, click the Start button and type CMD. Click "Command Prompt".

In the Command Prompt, execute this command:

ipconfig
Make a note of the host computer's IP address.

On my system, it was 10.0.0.4, as shown below.

On the target computer, click the Start button and type CMD. Right-click "Command Prompt" and click "Run as Administrator".

If a User Account Control box pops up, click Yes.

In the Administrator Command Prompt, execute this command:

ipconfig
Make a note of the target computer's IP address.

On my system, it was 10.0.0.5.

On the host computer, in the Command Prompt, execute this command, replacing the IP address with the IP address of your target computer.

ping 10.0.0.5
You should see replies, as shown below.

Configuring BCDEdit for Network Debugging on the Target

This process enables network (KDNET) kernel-mode debugging. Unlike local kernel debugging of a single machine, which can only read kernel memory, a network debugger on a second machine can halt the target and use breakpoints, which is why two machines are needed.

On the target computer, in an Administrator Command Prompt, execute these commands:

bcdedit /debug on
bcdedit /set TESTSIGNING ON
If the second command fails with "The value is protected by Secure Boot policy", disable Secure Boot in the VM's firmware settings first. Test signing lets unsigned drivers load, so it should stay on only while you are debugging.

Restart the target computer.

On the target computer, in an Administrator Command Prompt, execute these commands, replacing the IP address with the IP address of your host computer. Note that hostip is the debugger host, not the target. The key is a shared secret that both sides use to encrypt the debugging traffic, so choose your own rather than reusing this one. Microsoft recommends a port in the range 50000 through 50039.

bcdedit /dbgsettings net hostip:10.0.0.4 port:50000 key:flap.jack.dog.frog
bcdedit /dbgsettings
Verify that all the settings are correct, as shown below.

Restart the target computer again.
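The bcdedit steps above, scripted so they can be re-run and checked. This is an added PowerShell example, not code from the original page: it enables the debugger and test signing, sets the KDNET transport, reads the settings back from bcdedit and fails if they do not match, and includes the reverse (Disable-KdnetTarget) for the clean-up step at the end of the project. Run it from an elevated PowerShell prompt on the target. The host IP, port and key are the placeholder values used in this write-up; the 13-character limit per key segment and the field names parsed from bcdedit's output (debugtype, hostip, port, key) are assumptions about bcdedit's format.

```powershell
# Added example, not from the original page: script the KDNET target setup
# (debug on, testsigning on, net transport settings) and read the settings
# back from bcdedit to confirm them before rebooting. Run elevated on the TARGET.

function Invoke-Bcdedit {
    # Run bcdedit with the given arguments and fail loudly on a non-zero exit.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & bcdedit.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $Arguments failed: $output" }
    return $output
}

function Test-KdnetKey {
    # KDNET keys are four dot-separated segments of base-36 characters (0-9, a-z).
    # The 13-character limit per segment is an assumption (64 bits per segment).
    param([Parameter(Mandatory)][string]$Key)
    return [bool]($Key -match '^[0-9a-z]{1,13}(\.[0-9a-z]{1,13}){3}$')
}

function Get-DbgSettings {
    # Turn the 'name   value' lines printed by 'bcdedit /dbgsettings' into a hashtable.
    $settings = @{}
    foreach ($line in (Invoke-Bcdedit @('/dbgsettings'))) {
        if ("$line" -match '^\s*(?<name>\w+)\s+(?<value>\S.*)$') {
            $settings[$Matches.name.ToLower()] = $Matches.value.Trim()
        }
    }
    return $settings
}

function Enable-KdnetTarget {
    param(
        [string]$HostIp = '10.0.0.4',          # the DEBUGGER host, not the target
        [int]$Port = 50000,
        [string]$Key = 'flap.jack.dog.frog'    # placeholder; generate your own
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit needs an elevated (Administrator) prompt.'
    }
    if (-not (Test-KdnetKey $Key)) { throw "Key '$Key' is not four dot-separated base-36 segments." }
    if ($Port -lt 50000 -or $Port -gt 50039) {
        Write-Warning "Port $Port is outside the 50000-50039 range Microsoft recommends for KDNET."
    }
    # testsigning cannot be enabled while Secure Boot is on. On non-UEFI VMs the
    # cmdlet throws, which simply means Secure Boot does not apply.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    if ($secureBoot) { throw 'Secure Boot is enabled; turn it off in the VM firmware settings first.' }
    if (-not (Test-Connection -ComputerName $HostIp -Count 1 -Quiet)) {
        Write-Warning "Host $HostIp did not answer a ping; check the address before rebooting."
    }

    Invoke-Bcdedit @('/debug', 'on') | Out-Null
    Invoke-Bcdedit @('/set', 'testsigning', 'on') | Out-Null
    Invoke-Bcdedit @('/dbgsettings', 'net', "hostip:$HostIp", "port:$Port", "key:$Key") | Out-Null

    # Read the settings back and compare them with what we asked for.
    $s = Get-DbgSettings
    foreach ($check in @(@('debugtype', 'NET'), @('hostip', $HostIp), @('port', "$Port"), @('key', $Key))) {
        $name, $want = $check
        if ($s[$name] -ne $want) { throw "Expected $name=$want but bcdedit reports '$($s[$name])'." }
    }
    Write-Host 'KDNET settings verified. Restart the target to activate the debugger transport.'
    return $s
}

function Disable-KdnetTarget {
    # Reverse the change when done: a debug-enabled target with test signing on
    # accepts unsigned drivers and any debugger that knows the key.
    Invoke-Bcdedit @('/debug', 'off') | Out-Null
    Invoke-Bcdedit @('/set', 'testsigning', 'off') | Out-Null
    Write-Host 'Debugging disabled; restart the target.'
}

Enable-KdnetTarget -HostIp '10.0.0.4' -Port 50000 -Key 'flap.jack.dog.frog'
```

The script combines the two reboots in the write-up into one: all three bcdedit changes are written before the restart, and the read-back check catches a typo in the host address or key before you reboot into a target that silently waits for a debugger that never answers.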

Launching WinDbg Preview as Administrator on the Host Computer

On your host computer, click the Start button and type WINDBG. Right-click "WinDbg Preview" and click "Run as administrator". Click Yes.

Starting Kernel Debugging

In WinDbg, click File, "Attach to kernel".

In the right pane, on the Net tab, enter the port number (50000) and key (flap.jack.dog.frog) you configured with bcdedit on the target, and replace the IP address with the IP address of your target computer.

Your screen should look like the image below.

At the lower right, click the OK button.

Viewing the Network Adapter

On the target computer, in the lower right of the desktop, right-click the Network icon (it looks like a monitor) and click "Open network & Internet settings".

In the "Status" page, click "Change adapter options".

The name of your network adapter is now "Ethernet (Kernel Debugger)", as shown below.

Controlling from the Host

On the host computer, WinDbg now shows a message saying "Connected to target" and the message "*BUSY* Debuggee is running...", as shown below.

At the top left of WinDbg, click Break.

Try clicking your target computer's desktop. There is no response. The target is frozen in the debugger (a break-in, not a breakpoint in any particular function) and stays frozen until you click Go, as shown in WinDbg below.

Viewing Loaded Modules

In the lower center of WinDbg, execute this command:
lm
There are several modules available now, as shown below.

However, most of them don't have symbols.

Loading All Symbols

In the lower center of WinDbg, execute these commands:
!sym noisy
.reload /f
lm
.reload /f forces WinDbg to fetch symbols from its symbol path, which in WinDbg Preview defaults to the Microsoft public symbol server, so the host needs Internet access. It will take a few minutes to load them, but you end up with symbols for most or all of the loaded modules, as shown below.

Examining fileinfo

In the lower center of WinDbg, execute this command:
x fileinfo!*
There are a lot of symbols in fileinfo. Let's examine the ones referring to memory.

In the lower center of WinDbg, execute this command:

x fileinfo!*mem*
There are only a few of them, as shown below.

Setting a Breakpoint

In the lower center of WinDbg, execute this command:
bp fileinfo!memcpy
In WinDbg, in the Ribbon, click the View tab.

Click the Breakpoints button.

The breakpoint is shown in the lower right pane, as shown below.

Examining the Stack

In WinDbg, in the Ribbon, click the Home tab.

Click the Go button.

The breakpoint is hit immediately.

In the lower center of WinDbg, execute this command:

k
This shows the stack at the breakpoint, as shown below.

Reading from the bottom, in frame 19 (in the image above), some unnamed process called a CRYPT32 library function.

The CRYPT32 library function called several other functions in CRYPT32, and then called KERNELBASE, which called ntdll.

All these calls happened in user mode, with addresses starting with 0000, as shown in the diagram below.

ntdll then made the system call into kernel mode, entering nt (the kernel image, ntoskrnl.exe), with an address starting with ffff.

Several functions in nt were called, including nt!NtOpenFile, nt!IopCreateFile, and nt!IofCallDriver.

nt then called FLTMGR (the filter manager), which passed the operation to the fileinfo minifilter, ending up in fileinfo!memcpy, at our breakpoint.

64-Bit Address Space

As shown below, addresses in user land start with 0000, and addresses in kernel land start with ffff. This follows from x64 canonical addressing: with 48-bit virtual addresses, user space occupies the low half (up to 0x00007fff`ffffffff) and the kernel occupies the high half (from 0xffff8000`00000000), so the top four hex digits of any valid address tell you which side of the split it is on.

(Image from here.)
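To make the user/kernel split read off the stack above mechanical rather than eyeballed, here is an added PowerShell example (not part of the original page) that parses a WinDbg k listing, labels each frame by the top 16 bits of its Child-SP and RetAddr, and locates the frame where execution crossed into the kernel. The stack text is a constructed sample shaped like the listing described above (CRYPT32 to KERNELBASE to ntdll, then nt, FLTMGR and fileinfo); the addresses and function offsets are invented.

```powershell
# Added example, not from the original page: parse a WinDbg 'k' listing and
# label each frame user-mode or kernel-mode from its addresses, then locate the
# frame where execution crossed from user space into the kernel.

function Get-AddressMode {
    param([Parameter(Mandatory)][string]$Address)
    # WinDbg prints 64-bit values as hhhhhhhh`llllllll; drop the separator.
    $hex = ($Address -replace '`', '').ToLower()
    if ($hex.Length -ne 16) { throw "Not a 64-bit address: $Address" }
    if ($hex -eq '0000000000000000') { return 'None' }      # bottom of the stack
    # x64 canonical addressing: user space starts 0000..., kernel space ffff...
    switch ($hex.Substring(0, 4)) {
        '0000'  { return 'User' }
        'ffff'  { return 'Kernel' }
        default { return 'NonCanonical' }
    }
}

function ConvertFrom-KStack {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Columns of 'k' on x64: frame number, Child-SP, RetAddr, Call Site.
    $pattern = '^\s*(?<n>[0-9a-f]{2})\s+(?<sp>[0-9a-f]{8}`[0-9a-f]{8})\s+(?<ret>[0-9a-f]{8}`[0-9a-f]{8})\s+(?<site>\S.*)$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }      # header line or noise
        $site = $Matches.site.Trim()
        [pscustomobject]@{
            Frame     = [Convert]::ToInt32($Matches.n, 16)
            Module    = ($site -split '!', 2)[0]
            Site      = $site
            Mode      = Get-AddressMode $Matches.sp        # where this frame's stack lives
            ReturnsTo = Get-AddressMode $Matches.ret       # where it will return to
        }
    }
}

function Find-KernelTransition {
    param([Parameter(Mandatory)][object[]]$Frames)
    # The system-call entry frame runs on a kernel stack but returns to user code.
    return $Frames | Where-Object { $_.Mode -eq 'Kernel' -and $_.ReturnsTo -eq 'User' }
}

# Constructed sample shaped like the listing above; addresses and offsets are invented.
$sample = @'
 # Child-SP          RetAddr               Call Site
00 ffffd001`2f9e5a18 fffff803`4b7c1e2d     fileinfo!memcpy
01 ffffd001`2f9e5a20 fffff803`4b6d0c41     FLTMGR!FltpCreate+0x2d1
02 ffffd001`2f9e5ad0 fffff803`4bd21b6a     nt!IofCallDriver+0x55
03 ffffd001`2f9e5b10 fffff803`4bd50c7b     nt!IopCreateFile+0x1e1
04 ffffd001`2f9e5bb0 fffff803`4b9f2f43     nt!NtOpenFile+0x58
05 ffffd001`2f9e5c40 00007ffb`d1ec2c54     nt!KiSystemServiceCopyEnd+0x25
06 000000b7`1a5fe1c8 00007ffb`cfcb3c8e     ntdll!NtOpenFile+0x14
07 000000b7`1a5fe1d0 00007ffb`d0c1e4a1     KERNELBASE!CreateFileW+0x10e
08 000000b7`1a5fe330 00007ffb`d0c1d9f2     CRYPT32!CertOpenStore+0x4a1
09 000000b7`1a5fe3e0 00000000`00000000     CRYPT32!CertOpenSystemStoreW+0x22
'@

$frames = ConvertFrom-KStack -Lines ($sample -split '\r?\n')
$frames | Format-Table Frame, Mode, ReturnsTo, Module, Site -AutoSize
foreach ($f in Find-KernelTransition $frames) {
    'User-to-kernel transition at frame {0:x2}: {1}' -f $f.Frame, $f.Site
}
```

Classifying by Child-SP rather than by the module name is what makes the check robust: a frame is in kernel mode because its stack lives in the high half of the address space, and the one frame whose stack is kernel but whose return address is user (here nt!KiSystemServiceCopyEnd) is exactly the system-call entry. To run it against a real stack, paste the output of k into the here-string in place of the sample.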

Removing the Breakpoint

In WinDbg, in the lower right pane, right-click the breakpoint and click Remove.

Setting a Breakpoint in rdpdr

In the lower center of WinDbg, execute this command:
bp rdpdr!memset
In WinDbg, in the Ribbon, click the Home tab.

Click the Go button.

Enabling Remote Access

On your target machine, in Control Panel, click "System and Security".

In the System section, Click "Allow remote access".

In the System Properties box, click "Allow remote connections to this computer", as shown below.

Click OK.

PMA 436.1 Module (15 pts)

The breakpoint is hit.

In the lower center of WinDbg, execute this command:

k
Find the module name covered by a green box in the image below. That's the flag.

Removing the Breakpoint

In WinDbg, in the lower right pane, right-click the breakpoint and click Remove.

Disabling Debugging

On your target computer, in an Administrator Command Prompt, execute this command:
bcdedit /debug off
Also turn TESTSIGNING back OFF with the matching /set command, since leaving it on allows unsigned drivers to load, and re-enable the firewall you turned off at the start. Restart your target computer.


Posted 10-18-20
IPCONFIG image fixed 10-22-20
Rewritten for local machines 5-4-2021