Monday, March 19, 2012

[ Issue ] WinDbg - Waiting to reconnect ?

While reverse engineering, and in some cases of malware analysis (debugging kernel components such as rootkits), you need to manage your environment remotely; when kernel drivers are involved, it is better to debug them remotely in an isolated environment.
There is a common issue among WinDbg users, and it is not a WinDbg design flaw: it is the transfer speed.
Occasionally WinDbg users have trouble connecting to the remote guest machine to debug the underlying application, and the complaint most often heard is "Why is it so slow!?".
Now, I have the solution here; although it is not new, it is worth introducing.
VirtualKD aims to raise your remote debugging speed to ~450 KB/s.


Prepare for Installation and Running

  • First of all, download Sysprogs' VirtualKD, located here (let me know if you run into a broken link and I will fix it as soon as possible).
  • Once downloaded, run it; the main package will start to download. Let it work and download the full content.
  • Once the main package has downloaded completely, run "VirtualKDSetup.exe" for configuration.
    • VirtualKD is made for VMware and VirtualBox, but for remote debugging I highly recommend using VirtualBox instead of VMware.
  • Upon running "VirtualKD.exe" you will see the following image.
  • Before going one step further, download the latest version of Oracle VirtualBox here (at the time of this writing the current version is 4.1.10).
  • Once the installer detects your clean installation of VirtualBox, you will see the statement "VirtualBox 4.x.x detected, No problems found." below the Integrate Into VirtualBox button.
  • Now click Integrate Into VirtualBox to let VKD make its configuration and integration; be patient while it integrates.
  • Click Automatic Integration.
  • Now start your virtual machine (the VM you want to act as the debuggee).
  • From the VirtualKD full package folder, change to the target folder; you will see these contents:
  • Copy "vminstall.exe" into your virtual machine.
  • Run and install it to enable the remote debugging feature in the kernel.
  • Let your VM restart and see the result of your work.

  • Once you see this screen, on the main machine (the machine that runs your debugger) start "vmmon.exe"; you will see that it detects your VM.

  • Upon selecting the OS you want to enter (I mean, on the VM: "Microsoft Windows XP Professional [VirtualKD] [Debugger Enabled]"), vmmon.exe will warm up your debugger (in this case WinDbg) and make the right connection to it without any mistakes!
Happy remote-bug-hunting! :]