========================WINBAGILITY========================
What is this ?
Winbagility is a tool that gives you ability to connect WinDbg on non /DEBUG Windows x64 systems
How does it work ?
Winbagility simulates a debugged kernel.
It retrieves over the STUB for some essentials information (KDBG, KPCR...) and forward these informations to WinDbg over KD.
link: https://www.reactos.org/wiki/Techwiki:Kd
link: http://articles.sysprogs.org/kdvmware/kdcom.shtml
How to use ?
Winbagility needs PDB to work. You need to set your _NT_SYMBOL_PATH and get the PDB of the kernel your want to debug.
link: https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx
link: https://msdn.microsoft.com/en-us/library/windows/hardware/ff558829(v=vs.85).aspx
link: http://programming.realworldrobotics.com/system-kernel/microsoft-symbol-server-1/setting-the-_nt_symbol_path-environment-variable
Winbagility can be connected on 4 types of support:
* Raw Physical Memory Dump Mode
Just do a physical memory dump with a specialized tool
link: https://www.magnetforensics.com/computer-forensics/acquiring-memory-with-magnet-ram-capture/
cmd: winbagility.exe \\.\pipe\client CRASH 10_x64.bin
cmd: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
* GDB VMWare Mode
You need to start VMWare Virtual Machine with GDB activated.
link: http://wiki.osdev.org/VMware#Guest_debugging
link: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb/
cmd: winbagility.exe \\.\pipe\client GDB 127.0.0.1:8864
cmd: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
* LiveKD-like Mode
You need to load WinPmem Driver (winpmem-2.1.post4.exe)
link: https://github.com/google/rekall/releases
cmd(as administrator): winpmem-2.1.post4.exe -l
cmd(as administrator): winbagility.exe \\.\pipe\client LIVEKADAY ?
cmd(as administrator): "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
* Fast Debugging Protocol Mode
! See Fast Debugging Protocol section !
Where can I get the source/binaries ?
The project uses cmake and compile on Visual Studio 2013 and Visual Studio 2015
link: https://github.com/Winbagility/Winbagility
cmd: build.bat
How to contribute ?
* extend Kd Server, some message are missing (ex.: !pci)
* bugfix (Stub and Kd server)
* x86 support (Read Only for the moment)
* create windows profils
* file reorganisation
* extend GDB VMWare stub (Memory breakpoint with Debug Registers)
* add stub
* extend CRASH stub to support more Windows version (Pdb brute force)
* multi-cpu support
* bug repport
========================FAST DEBUGGING PROTOCOL========================
What is this ?
FDP is an introspection API for VirtualBox.
How does it work ?
This is a patch of VirtualBox that provides :
*Virtual memory read
*Virtual memory write
*Physical memory read
*Physical memory write
*Register/MSR read
*Register/MSR write
*Pause of the guest
*Resume of the guest
*Save of the guest
*Restore of the guest
*Stealth memory breakpoint (PageHyperBreakpoint)
*Stealth software breakpoint (SoftHyperBreakpoint)
*Stealth hardware breakpoint (HardHyperBreakpoint)
*Python bindings
How to use ?
1. Apply path on Virtualbox and compile it or,
1. Download precompiled Virtualbox version
2. go to VBoxBin directory
cmd(as administrator): comregister.cmd
cmd(as administrator): loadall.cmd
3. Start virtualbox
cmd: Virtualbox.exe
4. Use FDP library to connect to the virtual machine
Where can I get the source/binaries ?
link: https://github.com/Winbagility/Winbagility
link: https://www.virtualbox.org/wiki/Windows%20build%20instructions
Python Bindinds ?
Volatility and Rekall address space is available.
code example:
from FDP import *
import struct
fdp = FDP("7_SP1_x64")
NtWriteFile = 0xfffff800029ee9a0
fdp.Pause()
fdp.UnsetAllBreakpoint()
fdp.WriteRegister(FDP_CPU0, FDP_DR7_REGISTER, 0x400)
fdp.SetBreakpoint(FDP_CPU0, FDP_SOFTHBP, 0, FDP_EXECUTE_BP, FDP_VIRTUAL_ADDRESS, NtWriteFile, 1)
fdp.Resume()
while True:
if fdp.WaitForStateChanged() & FDP_STATE_BREAKPOINT_HIT:
print ".",
Rsp = fdp.ReadRegister(FDP_CPU0, FDP_RSP_REGISTER)
BufferPtr = fdp.ReadVirtualMemory64(FDP_CPU0, Rsp+(6*8))
BufferSize = fdp.ReadVirtualMemory32(FDP_CPU0, Rsp+(7*8))
if BufferSize > 3 and BufferSize < FDP_1M:
Buffer = fdp.ReadVirtualMemory(FDP_CPU0, BufferPtr, BufferSize)
if Buffer != None and Buffer[1] == 'P' and Buffer[2] == 'N' and Buffer[3] == 'G':
f = open("./test.png", "wb")
f.write(Buffer)
f.close()
print "\nFile Written"
fdp.SingleStep(FDP_CPU0)
fdp.Resume()
Performances ?
*600000 Reads of Virtual 4K per second
*800000 Reads of Physical 4K per second
*2GB VM Restore in 2 seconds
*27000 HardHyperBreapoints per second
*21000 SoftHyperBreakpoints per second
*7000 PageHyperBreapoints per second
Winbagility connection ?
Start a Virtual Machine in a FDP patched version of VirtualBox
cmd: winbagility.exe \\.\pipe\client FDP VBox_Virtual_Machine_Name
cmd: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k com:pipe,port=\\.\\pipe\\client,resets=0,reconnect
Known bugs ?
* Please don't debug a Virtual machine with more than one CPUs
* FDP_SetFxState is bugged !
* Some <2010 CPU aren't supported (xgetbv/xsetbv)
How to contribute ?
* x86 support
* bugfix
* performance improvement (memory mapping, new breakpoint)
* missing registers read/write
* file reorganisation
* multi-cpu support
* bug repport