Results 1 to 4 of 4

Thread: Crazy Idea Time (Kernel Level Debugger)

  1. #1
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    Crazy Idea Time

    Shut me up if I am completely over the line.

    Let us post the most desirable features one would like to see in a kernel level debugger.
    I, for example, would like to see a BPR feature in Sice versions 4.26 and up, so I could use Kayaker's tracedump work again in WinXP

    Once we get a collection of ideas of the most desirable debugger for a cracker, let us make one.

    Either by plugins into Sice, a growth from Ollydebug, or from scratch, A concerted effort.
    So we do not have to relay so much on the wimps of numega.

    I have less than 1% of the talent such a project entails, but I know the talent exists, right here

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    Interesting idea Naides. Heh, I'd like to see the Tracedump backtrace buffer disassembler work on XP too. In fact Clandestiny has been bugging me to get Win2K at least so we can try working on exactly that. It has proven very effective on 9x, but as you say above that there's no support for the BPR command necessary to produce the backtrace.

    I believe this is an issue with the OS not Softice since DriverStudio ntice.sys still contains the code for all the BPR commands. I haven't read all the DS documentation to see if Numega broaches the subject, what is the actual reason for this, dealing with page permissions? And what happens if you try a BPR command, get an error message or does it just lock up?

    What I'd like to see is a report by someone who has tried IceExt by Sten, a SoftICE NT plugin with full source which tries among other things to emulate the BPR command of the debugger.
    http://stenri.pisem.net/
    He actually doesn't advise using the BPR command because it's still under development, but I think it would be worthwhile to look into. It doesn't necessarily mean you could do traditional backtraces though because the traced instruction addresses still need to be stored in a buffer (the effect of the BPR "T" verb) before you can think about disassembling them.

    What I'd like to try is developing a simple Ring0 tracer (which conceptually I have very little idea how to practically go about that yet), which would dump each of the traced addresses into a buffer. Nothing more, no IT fixups or tracing of redirected addresses or anything else, just a raw dump until the tracing stops. Then these addresses can be disassembled in Ring3 just as we've done with Tracedump on the addresses stored in the Softice backtrace buffer. Perhaps it's time to start looking into this

    Kayaker

  3. #3
    Hi Kayaker

    "What I'd like to try is developing a simple Ring0 tracer.."
    Yep, i agree !!! It's a good idea, we need this kind of tool.

    SV

  4. #4
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    Salut SV ;-) For anyone into this tracer engine stuff, or for those of ye who seek the OEP, there's a nice open source project by Christoph Gabler worth looking into. Generic Unpacker Win32 (GUW32) includes surprisingly well commented examples of a Ring0 and Ring3 tracer. As well it incorporates and includes source of MackT's ImpREC dll (v1.1).

    http://www.woodmann.net/protools/files/unpackers/guw32.zip

    There are other snippets by Gabler around in a similar vein that are worth digging up as well...

    Kayaker

Similar Threads

  1. DbgEng based Kernel Debugger
    By blabberer in forum Blogs Forum
    Replies: 0
    Last Post: January 26th, 2013, 13:09
  2. NEW: Syser Kernel Debugger by wuyanfeng
    By Kayaker in forum Advanced Reversing and Programming
    Replies: 15
    Last Post: August 19th, 2005, 23:46
  3. Replies: 6
    Last Post: August 8th, 2005, 03:38
  4. Novell Linux Kernel Debugger available !
    By Zero in forum Linux RCE
    Replies: 2
    Last Post: July 3rd, 2005, 23:51

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •