Click one of your machine names. On the next page, examine the "Virtual network/subnet" name, as shown below.
Repeat the process for your other machine. Make sure both machines are in the same "Virtual network/subnet". If necessary, click the name of the "Virtual network/subnet" on one of the machines and change it.
Pick one machine to be the host. The other one is the target.
I used an Azure FLARE-VM as the host and an Azure Window 10 VM as the target.
Click "Windows Defender Firewall".
In the left pane, click "Turn Windows Defender Firewall on or off".
Click both "Turn off..." buttons, as shown below.
Then click OK.
In the Command Prompt, execute this command:
ipconfig
Make a note of the
host computer's IP address.
On my system, it was 10.0.0.4, as shown below.
On the target computer, click the Start button and type CMD. Right-click "Command Prompt" and click "Run as Administrator".
If a User Account Control box pops up, click Yes.
In the Administrator Command Prompt, execute this command:
ipconfig
Make a note of the
target computer's IP address.
On my system, it was 10.0.0.5. On the host computer, in the Command Prompt and execute this command, replacing the IP address with the IP address of your target computer.
ping 10.0.0.5
You should see replies,
as shown below.
On the target computer, in the Administrator Commmand Prompt, press Ctrl+C to stop ncat.
Then execute these commands, replacing the IP address with the IP address of your host computer.
bcdedit /debug on
bcdedit /set TESTSIGNING ON
bcdedit /dbgsettings net hostip:10.0.0.4 port:50000 key:flap.jack.dog.frog
bcdedit /dbgsettings
Verify that all the settings are correct,
as shown below.
In the right pane, on the Net tab, enter these values, replacing the IP address with the IP address of your target computer.
At the lower right, click the OK button.
shutdown -r -t 0
You will lose your RDP session.
Wait a minute or two and reconnect it.
In the "Status" page, click "Change adapter options".
The name of your network adapter is now "Ethernet (Kernel Debugger)", as shown below.
At the top left of WinDbg, click Break.
Try clicking your target computer's desktop. There is no response, and RDP loses the connection. The target computer has stopped at a breakpoint, as shown in WinDbg, as shown below.
lm
There are a lot of modules available
now, far more than we saw when
doing local debugging,
as shown below.
However, most of them don't have symbols.
!sym noisy
.reload /f
lm
It will take a few minutes to load them,
but you end up with symbols for most or
all of the loaded modules,
as shown below.
x fileinfo!*
There are a lot of symbols in fileinfo.
Let's examine the ones referring
to memory.
In the lower center of WinDbg, execute this command:
x fileinfo!*mem*
There are only a few of them,
as shown below.
bp fileinfo!memcpy
In WinDbg, in the Ribbon,
click the View tab.
Click the Breakpoints button.
The breakpoint is shown in the lower right pane, as shown below.
Click the Go button.
The breakpoint is hit immediately.
In the lower center of WinDbg, execute this command:
k
This shows the stack at the breakpoint.
as shown below.
Reading from the bottom, in frame 19 (in the image above) some unnamed process called a CRYPT32 library function.
The CRYPT32 library function called several other functions in CRYPT32, and then called KERNELBASE, which called ntdll.
All these calls happened in userland, with addresses starting with 0000, as shown in the diagram below.
ntdll made the jump to kernelmode, calling a module in nt, with an address starting with ffff.
Several functions in nt were called, including nt!NtOpenFile, nt!IopCreateFile, and nt!IofCallDriver.
nt then called FLTMGR, which called fileinfo, ending up in fileinfo!memcpy, at our breakpoint.
(Image from here.
bp rdpdr!memset
In WinDbg, in the Ribbon,
click the Hometab.
Click the Go button.
PMA 433.1 Module (15 pts)
Connect to your target machine in your RDP client.WHen the connection starts, the breakpoint is hit.
In the lower center of WinDbg, execute this command:
Find the module name covered by a green box in the image below. That's the flag.
k
bp kernelbase!CreateFileA
g
After a few seconds,the breakpoint
hits. If it does not, start
connecting to the target
machine via RDP.
In the lower center of WinDbg, execute this command:
db @rsp
The stack at the breakpoint is
shown. As you can see below,
the filename appears on the
stack, 0x48 bytes past rsp:
In the lower center of WinDbg, execute these commands:
g
da @rsp+48
You see the filename,
as shown below.
bp kernelbase!CreateFileA "da @rsp+48;g"
g
Connect to your target
computer via RDP.
Click Start. Type CALC. Click Calculator.
You see the various files open, as shown below.
PMA 433.2 Module (15 pts)
On your target computer, in the lower right corner, right-click the Network icon (it looks like a monitor).Click "Open Network & Internet settings", as shown below.
The "Network status" page opens, as shown below.
In WinDbg, the flag appears, covered by a green box in the image below.
bcdedit /debug off
Restart your target computer.
Posted 10-18-20
IPCONFIG image fixed 10-22-20
Name changed to include Azure 5-4-2021