PMA 433: Kernel Debugging with Breakpoints (30 pts extra)

What you need

Purpose

To use WinDbg Preview for full live kernel debugging, with the ability to use breakpoints.

Prepare Two Windows 10 Machines

You need two Windows 10 machines, as shown below.

Click one of your machine names. On the next page, examine the "Virtual network/subnet" name, as shown below.

Repeat the process for your other machine. Make sure both machines are in the same "Virtual network/subnet". If necessary, click the name of the "Virtual network/subnet" on one of the machines and change it.

Pick one machine to be the host. The other one is the target.

I used an Azure FLARE-VM as the host and an Azure Window 10 VM as the target.

Installing WinDbg Preview on the Host

You need WinDbg Preview, which you installed in a previous project

Turning Off the Firewall on the Target

On the target machine, click Start and type FIREWALL.

Click "Windows Defender Firewall".

In the left pane, click "Turn Windows Defender Firewall on or off".

Click both "Turn off..." buttons, as shown below.

Then click OK.

Testing Networking Between the Machines

On the host computer, click the Start button and type CMD. Click "Command Prompt".

In the Command Prompt, execute this command:

ipconfig
Make a note of the host computer's IP address.

On my system, it was 10.0.0.4, as shown below.

On the target computer, click the Start button and type CMD. Right-click "Command Prompt" and click "Run as Administrator".

If a User Account Control box pops up, click Yes.

In the Administrator Command Prompt, execute this command:

ipconfig
Make a note of the target computer's IP address.

On my system, it was 10.0.0.5. On the host computer, in the Command Prompt and execute this command, replacing the IP address with the IP address of your target computer.

ping 10.0.0.5
You should see replies, as shown below.

Configuring BCDEdit for Network Debugging on the Target

This process enables "network" kernel-mode debugging, for full debugging functionality including breakpoints.

On the target computer, in the Administrator Commmand Prompt, press Ctrl+C to stop ncat.

Then execute these commands, replacing the IP address with the IP address of your host computer.

bcdedit /debug on
bcdedit /set TESTSIGNING ON
bcdedit /dbgsettings net hostip:10.0.0.4 port:50000 key:flap.jack.dog.frog
bcdedit /dbgsettings
Verify that all the settings are correct, as shown below.

Launching WinDbg Preview as Administrator on the Host Computer

On your host computer, click the Start button and type WINDBG. Right-click "WinDbg Preview" and click "Run as administrator". Click Yes.

Starting Kernel Debugging

In WinDbg, click File, "Attach to kernel".

In the right pane, on the Net tab, enter these values, replacing the IP address with the IP address of your target computer.

Your screen should look like the image below.

At the lower right, click the OK button.

Restarting the Target Computer

On the target computer, in the Administrator Commmand Prompt, execute this command:
shutdown -r -t 0
You will lose your RDP session.

Wait a minute or two and reconnect it.

Viewing the Network Adapter

On the target computer, in the lower right of the desktop, right-click the Network icon (it looks like a monitor) and click "Open network & Internet settings".

In the "Status" page, click "Change adapter options".

The name of your network adapter is now "Ethernet (Kernel Debugger)", as shown below.

Controlling from the Host

On the host computer, WinDbg now shows information about the target machine, and the message "*BUSY* Debugee is running...", as shown below.

At the top left of WinDbg, click Break.

Try clicking your target computer's desktop. There is no response, and RDP loses the connection. The target computer has stopped at a breakpoint, as shown in WinDbg, as shown below.

Viewing Loaded Modules

In the lower center of WinDbg, execute this command:
lm
There are a lot of modules available now, far more than we saw when doing local debugging, as shown below.

However, most of them don't have symbols.

Loading All Symbols

In the lower center of WinDbg, execute these commands:
!sym noisy
.reload /f
lm
It will take a few minutes to load them, but you end up with symbols for most or all of the loaded modules, as shown below.

Examining fileinfo

In the lower center of WinDbg, execute this command:
x fileinfo!*
There are a lot of symbols in fileinfo. Let's examine the ones referring to memory.

In the lower center of WinDbg, execute this command:

x fileinfo!*mem*
There are only a few of them, as shown below.

Setting a Breakpoint

In the lower center of WinDbg, execute this command:
bp fileinfo!memcpy
In WinDbg, in the Ribbon, click the View tab.

Click the Breakpoints button.

The breakpoint is shown in the lower right pane, as shown below.

Examining the Stack

In WinDbg, in the Ribbon, click the Hometab.

Click the Go button.

The breakpoint is hit immediately.

In the lower center of WinDbg, execute this command:

k
This shows the stack at the breakpoint. as shown below.

Reading from the bottom, in frame 19 (in the image above) some unnamed process called a CRYPT32 library function.

The CRYPT32 library function called several other functions in CRYPT32, and then called KERNELBASE, which called ntdll.

All these calls happened in userland, with addresses starting with 0000, as shown in the diagram below.

ntdll made the jump to kernelmode, calling a module in nt, with an address starting with ffff.

Several functions in nt were called, including nt!NtOpenFile, nt!IopCreateFile, and nt!IofCallDriver.

nt then called FLTMGR, which called fileinfo, ending up in fileinfo!memcpy, at our breakpoint.

64-Bit Address Space

As shown below, addresses in user land start with 0000, and addresses in kernel land start with ffff.

(Image from here.

Removing the Breakpoint

In WinDbg, in the lower right pane, right-click the breakpoint and click Remove.

Disconnecting RDP

If the RDP connection to your target machine hasn't timed out yet, wait for that to happen. Close that RDP window.

Setting a Breakpoint in rdpdr

In the lower center of WinDbg, execute this command:
bp rdpdr!memset
In WinDbg, in the Ribbon, click the Hometab.

Click the Go button.

PMA 433.1 Module (15 pts)

Connect to your target machine in your RDP client.

WHen the connection starts, the breakpoint is hit.

In the lower center of WinDbg, execute this command:

k
Find the module name covered by a green box in the image below. That's the flag.

Removing the Breakpoint

In WinDbg, in the lower right pane, right-click the breakpoint and click Remove.

Watching File Creation

In the lower center of WinDbg, execute these commands:
bp kernelbase!CreateFileA
g
After a few seconds,the breakpoint hits. If it does not, start connecting to the target machine via RDP.

In the lower center of WinDbg, execute this command:

db @rsp
The stack at the breakpoint is shown. As you can see below, the filename appears on the stack, 0x48 bytes past rsp:

In the lower center of WinDbg, execute these commands:

g
da @rsp+48
You see the filename, as shown below.

Removing the Breakpoint

In WinDbg, in the lower right pane, right-click the breakpoint and click Remove.

Automating the Process

In the lower center of WinDbg, execute these commands:
bp kernelbase!CreateFileA "da @rsp+48;g"
g
Connect to your target computer via RDP.

Click Start. Type CALC. Click Calculator.

You see the various files open, as shown below.

PMA 433.2 Module (15 pts)

On your target computer, in the lower right corner, right-click the Network icon (it looks like a monitor).

Click "Open Network & Internet settings", as shown below.

The "Network status" page opens, as shown below.

In WinDbg, the flag appears, covered by a green box in the image below.

Disabling Debugging

On your target computer, in an Administrator Command Prompt, execute this command:
bcdedit /debug off
Restart your target computer.

References

Debugging Using WinDbg Preview
Common WinDbg Commands (Thematically Grouped)
Getting Started with WinDbg (User-Mode)
Setting Up Local Kernel Debugging of a Single Computer Manually
Getting Started with WinDbg (Kernel-Mode)
WinDbg cheatsheet
Debugging Malware with WinDbg
Catalog of key Windows kernel data structures
Debug Windows Drivers - Step by Step Lab (Echo Kernel-Mode)
System Service Descriptor Table - SSDT
Debugging Malware with WinDbg

Posted 10-18-20
IPCONFIG image fixed 10-22-20