========================WINBAGILITY========================
What is this ?
    Winbagility is a tool that lets you connect WinDbg to Windows x64 systems that were not booted with /DEBUG.
    
How does it work ?
    Winbagility simulates a debugged kernel.
    It retrieves some essential information (KDBG, KPCR...) through the stub and forwards it to WinDbg over KD.
    link: https://www.reactos.org/wiki/Techwiki:Kd
    link: http://articles.sysprogs.org/kdvmware/kdcom.shtml
    
How to use ?
    Winbagility needs PDBs to work. You need to set your _NT_SYMBOL_PATH and get the PDB of the kernel you want to debug.
    link: https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx
    link: https://msdn.microsoft.com/en-us/library/windows/hardware/ff558829(v=vs.85).aspx
    link: http://programming.realworldrobotics.com/system-kernel/microsoft-symbol-server-1/setting-the-_nt_symbol_path-environment-variable

    Winbagility can connect to 4 types of target:
        * Raw Physical Memory Dump Mode
            Take a physical memory dump with a dedicated tool, then point Winbagility at the dump file.
            link: https://www.magnetforensics.com/computer-forensics/acquiring-memory-with-magnet-ram-capture/
        
            cmd: winbagility.exe \\.\pipe\client CRASH 10_x64.bin
            cmd: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
        
        * GDB VMWare Mode
            You need to start the VMware virtual machine with the GDB stub enabled.
            link: http://wiki.osdev.org/VMware#Guest_debugging
            link: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb/
        
            cmd: winbagility.exe \\.\pipe\client GDB 127.0.0.1:8864
            cmd: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
        
        * LiveKD-like Mode
            You need to load the WinPmem driver (winpmem-2.1.post4.exe).
            link: https://github.com/google/rekall/releases
        
            cmd(as administrator): winpmem-2.1.post4.exe -l
            cmd(as administrator): winbagility.exe \\.\pipe\client LIVEKADAY ?
            cmd(as administrator): "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
        
        * Fast Debugging Protocol Mode
            ! See the Fast Debugging Protocol section !

Where can I get the source/binaries ?
    The project uses CMake and compiles with Visual Studio 2013 and Visual Studio 2015.
    link: https://github.com/Winbagility/Winbagility
    
    cmd: build.bat
        
How to contribute ?
    * extend the Kd server, some messages are missing (e.g. !pci)
    * bugfixes (stub and Kd server)
    * x86 support (read-only for the moment)
    * create Windows profiles
    * file reorganisation
    * extend the GDB VMware stub (memory breakpoints with debug registers)
    * add stubs
    * extend the CRASH stub to support more Windows versions (PDB brute force)
    * multi-CPU support
    * bug reports

========================FAST DEBUGGING PROTOCOL========================
What is this ?
    FDP is an introspection API for VirtualBox.
    
How does it work ?
    This is a patch for VirtualBox that provides:
        * Virtual memory read
        * Virtual memory write
        * Physical memory read
        * Physical memory write
        * Register/MSR read
        * Register/MSR write
        * Pause of the guest
        * Resume of the guest
        * Save of the guest
        * Restore of the guest
        * Stealth memory breakpoint (PageHyperBreakpoint)
        * Stealth software breakpoint (SoftHyperBreakpoint)
        * Stealth hardware breakpoint (HardHyperBreakpoint)
        * Python bindings
    
How to use ?
    1. Apply the patch to VirtualBox and compile it, or download a precompiled VirtualBox version
    
    2. Go to the VBoxBin directory
        cmd(as administrator): comregister.cmd
        cmd(as administrator): loadall.cmd
       
    3. Start VirtualBox
        cmd: Virtualbox.exe
        
    4. Use the FDP library to connect to the virtual machine
    

Where can I get the source/binaries ?
    link: https://github.com/Winbagility/Winbagility
    link: https://www.virtualbox.org/wiki/Windows%20build%20instructions
    
Python Bindings ?
    Volatility and Rekall address spaces are available.
    
    code example:
        from __future__ import print_function
        from FDP import *
        
        fdp = FDP("7_SP1_x64")
        
        # Address of nt!NtWriteFile in the guest kernel (resolve it for the kernel build you debug)
        NtWriteFile = 0xfffff800029ee9a0
        
        fdp.Pause()
        fdp.UnsetAllBreakpoint()
        fdp.WriteRegister(FDP_CPU0, FDP_DR7_REGISTER, 0x400)  # reset DR7: no guest hardware breakpoints enabled
        fdp.SetBreakpoint(FDP_CPU0, FDP_SOFTHBP, 0, FDP_EXECUTE_BP, FDP_VIRTUAL_ADDRESS, NtWriteFile, 1)
        fdp.Resume()
        
        while True:
            if fdp.WaitForStateChanged() & FDP_STATE_BREAKPOINT_HIT:
                print(".", end="")
                # x64 calling convention: Buffer (6th arg) and Length (7th arg) of NtWriteFile
                # are on the stack, above the return address and the 32-byte shadow space
                Rsp = fdp.ReadRegister(FDP_CPU0, FDP_RSP_REGISTER)
                BufferPtr = fdp.ReadVirtualMemory64(FDP_CPU0, Rsp + (6 * 8))
                BufferSize = fdp.ReadVirtualMemory32(FDP_CPU0, Rsp + (7 * 8))
                if BufferSize > 3 and BufferSize < FDP_1M:
                    Buffer = fdp.ReadVirtualMemory(FDP_CPU0, BufferPtr, BufferSize)
                    # ReadVirtualMemory returns None when the page is not mapped
                    if Buffer is not None and Buffer[1] == 'P' and Buffer[2] == 'N' and Buffer[3] == 'G':
                        f = open("./test.png", "wb")
                        f.write(Buffer)
                        f.close()
                        print("\nFile Written")
                fdp.SingleStep(FDP_CPU0)  # step past the breakpoint before resuming
                fdp.Resume()
                
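    Added example (not part of the Winbagility/FDP project): the 6*8 and 7*8 stack offsets in the snippet above come from the Windows x64 calling convention, so the helper below generalizes them into a read_arg() that returns any argument of the routine the CPU has just entered, and uses it to recover NtWriteFile's Buffer and Length and check the full 8-byte PNG signature instead of three characters. The register ids FDP_RCX_REGISTER, FDP_RDX_REGISTER, FDP_R8_REGISTER, FDP_R9_REGISTER and FDP_RSP_REGISTER are assumed to follow the bindings' naming and are imported from FDP when it is installed; the fallback ids, the FakeFDP object, build_sample() and the sample stack frame are constructed here for offline testing and are not part of the bindings.

```python
from __future__ import print_function
# Added example, not code from the Winbagility/FDP project. Decodes the arguments of a
# hooked x64 kernel routine at breakpoint time. Register ids come from the FDP Python
# bindings when present; the fallback ids and FakeFDP below are constructed for offline use.
import struct

try:
    from FDP import (FDP_CPU0, FDP_RCX_REGISTER, FDP_RDX_REGISTER,
                     FDP_R8_REGISTER, FDP_R9_REGISTER, FDP_RSP_REGISTER)
except ImportError:  # bindings absent: placeholder ids, their values do not matter offline
    (FDP_CPU0, FDP_RCX_REGISTER, FDP_RDX_REGISTER,
     FDP_R8_REGISTER, FDP_R9_REGISTER, FDP_RSP_REGISTER) = range(6)

# Windows x64 calling convention: integer arguments 1-4 travel in RCX, RDX, R8, R9; the
# caller reserves 32 bytes of shadow space above the return address, so at function
# entry (RSP -> return address) argument n (n >= 5) lives at RSP + n*8.
ARG_REGISTERS = (FDP_RCX_REGISTER, FDP_RDX_REGISTER, FDP_R8_REGISTER, FDP_R9_REGISTER)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
FDP_1M = 1024 * 1024


def read_arg(fdp, cpu, n):
    """Return integer argument n (1-based) of the routine the CPU has just entered."""
    if n < 1:
        raise ValueError("argument numbers start at 1")
    if n <= 4:
        return fdp.ReadRegister(cpu, ARG_REGISTERS[n - 1])
    rsp = fdp.ReadRegister(cpu, FDP_RSP_REGISTER)
    return fdp.ReadVirtualMemory64(cpu, rsp + n * 8)


def ntwritefile_args(fdp, cpu):
    """NtWriteFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, Buffer, Length, ...)."""
    return {
        "FileHandle": read_arg(fdp, cpu, 1),
        "Buffer": read_arg(fdp, cpu, 6),
        "Length": read_arg(fdp, cpu, 7) & 0xFFFFFFFF,  # ULONG: only the low 32 bits are meaningful
    }


def capture_png_write(fdp, cpu):
    """Return the bytes being written if they start with a PNG signature, else None."""
    args = ntwritefile_args(fdp, cpu)
    if not (len(PNG_SIGNATURE) <= args["Length"] < FDP_1M):
        return None
    data = fdp.ReadVirtualMemory(cpu, args["Buffer"], args["Length"])
    if data is None or not data.startswith(PNG_SIGNATURE):
        return None  # unmapped buffer, or not a PNG
    return data


class FakeFDP(object):
    """Constructed stand-in for the FDP object: a register file and a sparse flat memory."""

    def __init__(self, registers, memory):
        self.registers = registers  # {register id: value}
        self.memory = memory        # {virtual base address: bytes}

    def ReadRegister(self, cpu, reg):
        return self.registers[reg]

    def ReadVirtualMemory(self, cpu, addr, size):
        for base, blob in self.memory.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        return None  # unmapped, as the real binding reports a failed read

    def ReadVirtualMemory64(self, cpu, addr):
        raw = self.ReadVirtualMemory(cpu, addr, 8)
        return None if raw is None else struct.unpack("<Q", raw)[0]

    def ReadVirtualMemory32(self, cpu, addr):
        raw = self.ReadVirtualMemory(cpu, addr, 4)
        return None if raw is None else struct.unpack("<I", raw)[0]


def build_sample(map_buffer=True):
    """Constructed frame: CPU stopped at NtWriteFile entry with a PNG in the write buffer."""
    rsp = 0xfffff88003a2e000
    buf = 0xfffffa8001230000
    png = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 17   # 33 bytes
    frame = struct.pack("<Q", 0xfffff80002a0c123)                 # return address at RSP
    frame += b"\x00" * 32                                          # shadow space for args 1-4
    frame += struct.pack("<QQQQ", 0, buf, len(png), 0)             # IoStatusBlock, Buffer, Length, ByteOffset
    regs = {FDP_RSP_REGISTER: rsp, FDP_RCX_REGISTER: 0x1c4, FDP_RDX_REGISTER: 0,
            FDP_R8_REGISTER: 0, FDP_R9_REGISTER: 0}
    memory = {rsp: frame}
    if map_buffer:
        memory[buf] = png
    return FakeFDP(regs, memory)


if __name__ == "__main__":
    sample = build_sample()
    print(ntwritefile_args(sample, FDP_CPU0))
    print(len(capture_png_write(sample, FDP_CPU0)), "PNG bytes captured")
```

    Against a live guest, pass the real fdp object and FDP_CPU0 from inside the WaitForStateChanged() loop shown above; the helpers only use ReadRegister, ReadVirtualMemory64 and ReadVirtualMemory, which the breakpoint handler already relies on.
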
Performances ?
    * 600000 virtual 4K reads per second
    * 800000 physical 4K reads per second
    * 2GB VM restore in 2 seconds
    * 27000 HardHyperBreakpoints per second
    * 21000 SoftHyperBreakpoints per second
    * 7000 PageHyperBreakpoints per second

Winbagility connection ?
    Start a virtual machine in an FDP-patched version of VirtualBox
    cmd: winbagility.exe \\.\pipe\client FDP VBox_Virtual_Machine_Name
    cmd: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
    
Known bugs ?
    * Please don't debug a virtual machine with more than one CPU
    * FDP_SetFxState is bugged !
    * Some pre-2010 CPUs aren't supported (xgetbv/xsetbv)
        
How to contribute ?
    * x86 support
    * bugfixes
    * performance improvements (memory mapping, new breakpoint types)
    * missing register read/write
    * file reorganisation
    * multi-CPU support
    * bug reports