The kernel is the heart of the operating system, and it resides in the file ntoskrnl.exe, as shown in the figure below, from the "Practical Malware Analysis" book.
CFF Explorer is available from https://ntcore.com/?page_id=388
Right-click ntoskrnl.exe and click "Open with CFF Explorer".
In CFF Explorer, in the left pane, click "Export Directory".
As shown below, there are a lot of functions exported by ntoskrnl.exe, including AlpcCreateSecurityContext.
Click the Start button and type CMD. Right-click "Command Prompt" and click "Run as administrator". Click Yes.
Execute these commands:
bcdedit /debug on
bcdedit /dbgsettings local
Restart your Windows machine.
In the right pane, click the Local tab, as shown below.
At the lower right, click the OK button.
lm
There are several modules loaded, starting with nt, as shown below.
nt is the kernel, a short name for "ntoskrnl.exe".
Click the blue nt link.
Now several more blue links appear, as shown below.
Click functions. Scroll back to the start of the list, as shown below.
There are links for each letter of the alphabet, to make it somewhat less clumsy to sort through the vast number of functions in the kernel.
You see the functions starting with "A", including AlpcCreateSecurityContext. Notice the command executed to produce this list of functions in the nt module starting with "A", as shown below.
x /D /f nt!a*
The graphical elements in WinDbg are still pretty clumsy. To get work done efficiently, you still need to use command-line commands.
In the Debugger window, enter a keyword of x.
Double-click the first result, "x (Examine Symbols)", as shown below.
This is a good place to learn how to use the command-line commands.
PMA 432.1 WarBird (5 pts)
Find the function shown in the image below. The flag is covered by a green box in the image below.
uf nt!NtCreateFile
The assembly code is shown, including the addresses and raw hex bytes, as shown below.
s nt!NtCreateFile L100 0x44 0x24 0x40
The pattern is found once, as shown below.
s -sa nt!NtCreateFile L100
You see all ASCII strings of length three or more, as shown below.
In the lower center of WinDbg, execute this command:
s -[l6]sa nt!NtCreateFile L100
You see the one ASCII string with length six or more, as shown below.
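The three forms of the s command used above, as an added example in Python that is not part of the original lab: it evaluates WinDbg-style s commands against a constructed byte buffer standing in for the memory at nt!NtCreateFile (the symbol address and every byte are made up), so you can see how the byte-pattern search, the -sa search with its default minimum of three characters, and -[l6]sa differ, and that the L range is a hex byte count.

```python
import re

# Constructed stand-in for the memory at nt!NtCreateFile: a made-up symbol
# address and made-up bytes (none of this comes from a real ntoskrnl.exe).
BASE = 0xFFFFF80012345000
BUF = (
    b"\x48\x8b\xc4"      # off 0: filler opcode bytes
    b"\x44\x24\x40"      # off 3: the pattern the lab searches for; printable as "D$@"
    b"\x00\x00"          # off 6
    b"ab\x00"            # off 8: two printable chars, below the default minimum of 3
    b"Hello\x00"         # off 11: five chars, found by -sa but not by -[l6]sa
    b"\x90\x90\x90\x90"  # off 17
    b"KernelTest\x00"    # off 21: ten chars, found by both forms
    b"\x44\x24\x40"      # off 32: second copy of the pattern
    b"\xcc\xcc"          # off 35
)
REGIONS = {"nt!NtCreateFile": (BASE, BUF)}

# Accepted shape: s [-[l<min>]sa] <symbol> L<hexlen> [byte byte ...]
S_CMD = re.compile(
    r"^s\s+(?:-(?:\[l(?P<min>[0-9a-fA-F]+)\])?(?P<opt>sa)\s+)?"
    r"(?P<sym>\S+)\s+L(?P<len>[0-9a-fA-F]+)"
    r"(?P<bytes>(?:\s+(?:0x)?[0-9a-fA-F]{1,2})*)\s*$"
)

def run_s(cmd, regions=REGIONS):
    """Evaluate a WinDbg-style s command over the constructed memory.
    Byte-pattern form returns hit addresses; -sa form returns (address, string)
    pairs. WinDbg numbers default to hex, so L100 is 0x100 bytes; the l<min>
    value is read as hex here too (same result for the lab's l6)."""
    m = S_CMD.match(cmd.strip())
    if not m:
        raise ValueError(f"unsupported s command: {cmd!r}")
    base, data = regions[m["sym"]]
    region = data[: int(m["len"], 16)]
    if m["opt"] == "sa":
        min_len = int(m["min"], 16) if m["min"] else 3  # -sa default: 3 chars or more
        runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, region)
        return [(base + r.start(), r.group().decode("ascii")) for r in runs]
    pattern = bytes(int(t, 16) for t in m["bytes"].split())
    if not pattern:
        raise ValueError("byte-pattern search needs at least one byte")
    return [base + i for i in range(len(region) - len(pattern) + 1)
            if region.startswith(pattern, i)]

if __name__ == "__main__":
    for cmd in ("s nt!NtCreateFile L100 0x44 0x24 0x40", "s -sa nt!NtCreateFile L100",
                "s -[l6]sa nt!NtCreateFile L100"):
        print(cmd, "->", [h if isinstance(h, tuple) else f"{h:x}" for h in run_s(cmd)])
```

Note that the pattern bytes 44 24 40 are the printable characters D$@, so they also show up as a three-character hit in the -sa output; short "strings" inside a code section are often just opcode bytes that happen to be printable.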
PMA 432.2 Magic (10 pts)
Find the word Magic in nt. The flag is covered by a green box in the image below.
db nt
This shows memory contents in hexadecimal and ASCII, as shown below.
dt nt!_FILE_OBJECT
This shows the layout of the _FILE_OBJECT data structure, which is used to represent an open file.
Notice the permission bytes, such as ReadAccess, and the FileName string, as shown below.
For a more complete explanation of the _FILE_OBJECT structure, see: FILE_OBJECT structure (wdm.h).
.tlist
You see a list of running processes, as shown below.
For more details about the "lsass.exe" process, execute this command:
!process 0 0 lsass.exe
You see a few lines of data, including a blue address for the "peb", the Process Environment Block.
Click that blue address for far more information, as shown below.
!devnode 0 1 disk
You see a few lines of data, including a blue address for the "PDO", the Physical Device Object.
Click that blue address for more information, including the InstancePath, which shows that I am using a VMware disk, as shown below.
PMA 432.3 Module (20 pts)
Find this code. The flag is covered by a green box in the image below.
Execute this command:
bcdedit /debug off
Restart your Windows machine.
Posted 10-17-20
Minor updates 4-13-2021
Reference to FLARE-VM removed 11-9-21