PMA 432: WinDbg Preview: Kernel Debugging (35 pts extra)

What you need

Purpose

To use WinDbg Preview for kernel debugging.

The kernel is the heart of the operating system, and it resides in the file ntoskrnl.exe, as shown in the figure below, from the "Practical Malware Analysis" book.

Installing CFF Explorer

If you are using the "Windows 10 w Tools" VM, CFF Explorer is already installed. If you are using some other machine, go to this URL and install "Explorer Suite":

https://ntcore.com/?page_id=388

Examining ntoskrnl.exe with CFF Explorer

Launch File Explorer and navigate to C:\Windows\System32.

Right-click ntoskrnl.exe and click "Open with CFF Explorer".

In CFF Explorer, in the left pane, click "Export Directory".

As shown below, there are a lot of functions exported by ntoskrnl.exe, including AlpcCreateSecurityContext.
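As an added example (not part of the lab, and not CFF Explorer's own code), the script below reads the same export directory from a PE file using only Python's standard library: it follows e_lfanew to the PE header, takes DataDirectory[0] (the export table), maps RVAs to file offsets through the section table, and walks the name, ordinal and function tables, flagging forwarded exports (entries whose RVA points back into the export directory). Run it with the path to ntoskrnl.exe to list the kernel's exports; with no argument it builds a constructed minimal PE32+ image holding two fake exports (the image, the "fake.dll" name and the RVAs 0x2000 and 0x3000 are made up for the test and do not come from any real binary).

```python
import struct
import sys

# Added example (not part of the lab): walk a PE file's export directory with the
# standard library only, the same table CFF Explorer shows under "Export Directory".


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii", "replace")


def export_table(image):
    """Return [(name, rva, forwarder)] for every named export; forwarder is None
    for a normal export or the 'DLL.Symbol' string of a forwarded one."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", image, fh + 2)[0]
    opt_size = struct.unpack_from("<H", image, fh + 16)[0]
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)               # DataDirectory[0]: export
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)
    sections = []
    for i in range(nsec):                                    # IMAGE_SECTION_HEADER array
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return []
    e = _rva_to_offset(sections, exp_rva)                    # IMAGE_EXPORT_DIRECTORY
    n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", image, e + 20)
    funcs = _rva_to_offset(sections, funcs_rva)
    names = _rva_to_offset(sections, names_rva)
    ords = _rva_to_offset(sections, ords_rva)
    out = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]  # index into AddressOfFunctions
        if ordinal >= n_funcs:
            raise ValueError("ordinal %d out of range" % ordinal)
        rva = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
        forwarder = None
        if exp_rva <= rva < exp_rva + exp_size:              # points into the export dir: forwarder
            forwarder = _cstring(image, _rva_to_offset(sections, rva))
        out.append((_cstring(image, _rva_to_offset(sections, name_rva)), rva, forwarder))
    return out


def build_fake_pe(exports):
    """Constructed test input (not a real binary): a minimal PE32+ image whose one
    section holds only an export table. RVA 0x1000 maps to file offset 0x200."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, str_off = names_off + 4 * n, names_off + 6 * n
    strings, name_rvas = bytearray(), []
    for name, _ in exports:
        name_rvas.append(sec_va + str_off + len(strings))
        strings += name.encode() + b"\0"
    dll_name_rva = sec_va + str_off + len(strings)
    strings += b"fake.dll\0"
    sec = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                sec_va + funcs_off, sec_va + names_off, sec_va + ords_off))
    sec += b"".join(struct.pack("<I", rva) for _, rva in exports)   # AddressOfFunctions
    sec += b"".join(struct.pack("<I", r) for r in name_rvas)        # AddressOfNames
    sec += b"".join(struct.pack("<H", i) for i in range(n))         # AddressOfNameOrdinals
    sec += strings
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_va, len(sec))             # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(sec), sec_va, len(sec),
                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(headers.ljust(sec_raw, b"\0") + sec)


if __name__ == "__main__":
    if len(sys.argv) > 1:       # e.g. python pe_exports.py C:\Windows\System32\ntoskrnl.exe
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_fake_pe([("AlpcCreateSecurityContext", 0x2000), ("NtCreateFile", 0x3000)])
    for name, rva, fwd in export_table(image):
        print("%08x  %s%s" % (rva, name, "  -> " + fwd if fwd else ""))
```

The RVAs it prints are relative to the image base, so to find the same function in the debugger add them to the load address that lm reports for nt. The forwarder check matters on real system DLLs, where an entry in the export table may be a string such as NTDLL.RtlSomething rather than code.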

Installing WinDbg Preview

If you don't already have it, install WinDbg Preview from the Microsoft Store.

Using BCDEdit for Local Debugging

This enables "local" kernel-mode debugging: the debugger runs on the same machine it inspects, so you can read kernel code and data, but you cannot set breakpoints or single-step. The kernel keeps running while you look at it, so what you read is a live snapshot that can change between commands.

Click the Start button and type CMD. Right-click "Command Prompt" and click "Run as administrator". Click Yes.

Execute these commands:

bcdedit /debug on
bcdedit /dbgsettings local

Restart your Windows machine. The settings only take effect after the reboot; before restarting, you can confirm them by running bcdedit /dbgsettings with no arguments, which should report debugtype Local.

Launching WinDbg Preview as Administrator

Click the Start button and type WIN. Right-click "WinDbg Preview" and click "Run as administrator". Click Yes.

Starting Kernel Debugging

In WinDbg, click File, "Attach to kernel".

In the right pane, click the Local tab, as shown below.

At the lower right, click the OK button.

Viewing Loaded Modules

In the lower center of WinDbg, execute this command:
lm
There are several modules loaded, starting with nt, as shown below.

nt is the kernel, a short name for "ntoskrnl.exe".

Click the blue nt link.

Now several more blue links appear, as shown below.

Click functions. Scroll back to the start of the list, as shown below.

There are links for each letter of the alphabet, to make it somewhat less clumsy to sort through the vast number of functions in the kernel.

You see the functions starting with "A", including AlpcCreateSecurityContext. Notice the command WinDbg ran to produce this list of functions in the nt module starting with "A", as shown below.

x /D /f nt!a*

The graphical elements in WinDbg are still pretty clumsy. To get work done efficiently, you still need to use command-line commands.

Using Help

In WinDbg, in the Ribbon, on the Home tab, on the right, click "Local Help".

In the Debugger window, enter the keyword x.

Double-click the first result, "x (Examine Symbols)", as shown below.

This is a good place to learn how to use the command-line commands.

PMA 432.1 WarBird (5 pts)

Find the function shown in the image below.

The flag is covered by a green box in the image below.

Disassembling a Function

In the lower center of WinDbg, execute this command:
uf nt!NtCreateFile
The assembly code is shown, including the addresses and raw hex bytes, as shown below.

Searching Memory

In the lower center of WinDbg, execute this command:
s nt!NtCreateFile L100 0x44 0x24 0x40
This searches the 0x100 bytes starting at NtCreateFile (that is what L100 means) for the byte sequence 44 24 40; with no type flag, s matches bytes. The pattern is found once, as shown below.

Finding Strings

In the lower center of WinDbg, execute this command:
s -sa nt!NtCreateFile L100
You see all ASCII strings of length three or more (three is the default minimum for -sa), as shown below.

In the lower center of WinDbg, execute this command:

s -[l6]sa nt!NtCreateFile L100
Here -[l6] raises the minimum length to six, so you see the one ASCII string of length six or more, as shown below.
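As an added example (not part of the lab), the script below reimplements what the three s commands above do, over a constructed byte buffer that stands in for the nt!NtCreateFile L100 range: a byte-pattern search, an ASCII-string search with a minimum length, and, going one step beyond the lab, the -su UTF-16 search that the same command offers. The sample memory, its base address, and the strings in it are made up for the test. The first few bytes are real x64 instruction encodings, which also shows why the lab's pattern turns up inside a function: 44 24 40 is the ModRM, SIB and disp8 encoding of a [rsp+40h] operand, and the ASCII search reports it as the "string" D$@, a reminder that -sa reports any printable run, code included.

```python
import re

# Added example (not from the lab): the searches WinDbg's "s" command performs,
# run over a constructed byte buffer standing in for the "nt!NtCreateFile L100" range.

BASE = 0xFFFFF80012345000       # assumed load address of the region (made up for the example)
SAMPLE = bytes.fromhex(
    "4889 5c24 08"              # mov [rsp+8], rbx
    "4889 7424 10"              # mov [rsp+10h], rsi
    "488b 4424 40"              # mov rax, [rsp+40h]  -> contains 44 24 40
    "c3"                        # ret
) + b"\x00ab\x00abc\x00Magic!\x00NtCreateFile\x00\x00" + "Wide".encode("utf-16-le") + b"\x00\x00"


def search_bytes(mem, base, pattern):
    """s <range> <byte> <byte> ...: addresses where the byte pattern occurs (overlaps included)."""
    hits, i = [], mem.find(pattern)
    while i != -1:
        hits.append(base + i)
        i = mem.find(pattern, i + 1)
    return hits


def search_ascii(mem, base, min_len=3):
    """s -[l<min_len>]sa <range>: printable-ASCII runs of at least min_len bytes.
    min_len defaults to 3, which is also WinDbg's default for -sa."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(base + m.start(), m.group().decode("ascii")) for m in re.finditer(pat, mem)]


def search_unicode(mem, base, min_len=3):
    """s -[l<min_len>]su <range>: UTF-16LE runs, the flag the lab does not use."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [(base + m.start(), m.group().decode("utf-16-le")) for m in re.finditer(pat, mem)]


def fmt(addr):
    """Print addresses the way WinDbg does on x64: ffffxxxx`xxxxxxxx."""
    return "%08x`%08x" % (addr >> 32, addr & 0xFFFFFFFF)


if __name__ == "__main__":
    for a in search_bytes(SAMPLE, BASE, b"\x44\x24\x40"):
        print("s 44 24 40   ->", fmt(a))
    for a, s in search_ascii(SAMPLE, BASE):
        print("s -sa        ->", fmt(a), repr(s))
    for a, s in search_ascii(SAMPLE, BASE, 6):
        print("s -[l6]sa    ->", fmt(a), repr(s))
    for a, s in search_unicode(SAMPLE, BASE):
        print("s -su        ->", fmt(a), repr(s))
```

Raising the minimum length with -[l6] is the usual way to cut the noise: the two-character and three-character "strings" that the byte search turns up inside instruction bytes disappear, and only the real text such as Magic! and NtCreateFile remains. When you point the real s command at a kernel range, remember that the memory is live and the hit list can differ from one run to the next.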

PMA 432.2 Magic (10 pts)

Find the word Magic in nt.

The flag is covered by a green box in the image below.

Display Memory

In the lower center of WinDbg, execute this command:
db nt
This shows memory contents in hexadecimal and ASCII, starting at the base of the kernel image (nt resolves to the module's load address, so the first bytes are the MZ header), as shown below.

Examining a Data Structure

In the lower center of WinDbg, execute this command:
dt nt!_FILE_OBJECT
This shows the layout of the _FILE_OBJECT data structure (field offsets, names and types) that the kernel uses to represent an open file.

Notice the access flags, such as ReadAccess, and the FileName field (a UNICODE_STRING), as shown below.

For a more complete explanation of the _FILE_OBJECT structure, see: FILE_OBJECT structure (wdm.h).

Viewing Processes

In the lower center of WinDbg, execute this command:
.tlist
You see a list of running processes, as shown below.

For more details about the "lsass.exe" process, execute this command:

!process 0 0 lsass.exe
You see a few lines of data, including a blue address for the "peb"--the Process Environment Block.

Click that blue address for far more information, as shown below.

Viewing Devices and Drivers

In the lower center of WinDbg, execute this command:
!devnode 0 1 disk
You see a few lines of data, including a blue address for the "PDO"--the Physical Device Object.

Click that blue address for more information, including the InstancePath, which shows that I am using a VMware disk, as shown below.

PMA 432.3 Module (20 pts)

Find this code.

The flag is covered by a green box in the image below.

Disabling Debugging

Click the Start button and type CMD. Right-click "Command Prompt" and click "Run as administrator". Click Yes.

Execute this command:

bcdedit /debug off
Restart your Windows machine. Don't leave kernel debugging enabled on a machine you use for anything other than this lab: while it is on, anyone who can run WinDbg as administrator can read and write kernel memory directly.

References

Debugging Using WinDbg Preview
Common WinDbg Commands (Thematically Grouped)
Getting Started with WinDbg (User-Mode)
Setting Up Local Kernel Debugging of a Single Computer Manually
Getting Started with WinDbg (Kernel-Mode)
WinDbg cheatsheet
Debugging Malware with WinDbg
Catalog of key Windows kernel data structures

Posted 10-17-20
Minor updates 4-13-2021
Reference to FLARE-VM removed 11-9-21