Note

·2 mins
Jinn
Writeup Note

Note #

Setup Kernel Debug #

  1. Download VirtualKD-Redux.
  2. Install WinDbg Preview.
  3. In the guest machine, run target64\install.exe and wait for the reboot. During boot press F8 and choose "Disable Driver Signature Enforcement" (the VirtualKD driver is unsigned, so the kernel refuses to load it otherwise).
  4. On the host machine, run vmmon64.exe to attach the debugger to the VM kernel.

Some useful WinDbg commands:

| command | function |
|---|---|
| g | go (continue execution) |
| Ctrl+Break | break into the debugger |
| db <start> <end> | view raw bytes from start to end |

Cheat sheet here: https://github.com/repnz/windbg-cheat-sheet

Run DLL function in C #

Sample program in Flare-on challenge:

#include <Windows.h>
#include <stdio.h>
#include <stdint.h>

// As the loop below assumes, each export in the chain returns the ordinal of the
// next export to call; ordinal 51 is the last one. WINAPI matches FARPROC's
// calling convention (__stdcall on x86).
typedef int (WINAPI *chain_fn)(void);

int main(void){
	HMODULE hLib = LoadLibraryA("flareon2016challenge.dll");
	if (!hLib) {
		printf("LoadLibraryA failed: %lu\n", GetLastError());
		return 1;
	}
	chain_fn func;
	int ord = 30;
	while (ord != 51){
		// lookup by ordinal: GetProcAddress takes the ordinal in the low word of the name pointer
		func = (chain_fn)GetProcAddress(hLib, (LPCSTR)(uintptr_t)ord);
		if (!func) {
			printf("ordinal %d not found\n", ord);
			return 1;
		}
		ord = func();
	}
	printf("%d\n", ord); // check: should print 51
	func = (chain_fn)GetProcAddress(hLib, (LPCSTR)(uintptr_t)ord);
	if (func) func();
	FreeLibrary(hLib);
	return 0;
}

Then, to dump bytes out of the process (for example a decrypted buffer), either attach a debugger and use get_bytes(addr, len) from IDAPython, or write them to a file from C. The snippet below is for a 32-bit build; exp is the address of the export being inspected, and the offset and length come from the challenge:

    // dump plaintext to file: the 32-bit pointer stored at exp+0x2e points to the decrypted buffer
	BYTE *plaintxt = (BYTE *)(uintptr_t)*(uint32_t *)((BYTE *)exp + 0x2e);
	HANDLE hFile = CreateFileA("out", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
	                           FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile != INVALID_HANDLE_VALUE) {
		DWORD written = 0;
		// lpNumberOfBytesWritten may only be NULL for overlapped I/O, so pass &written
		WriteFile(hFile, plaintxt, 0x1A10, &written, NULL);
		CloseHandle(hFile);
	}

Define the prototype of our function so the resolved pointer can be called with the right arguments (the calling convention must match the DLL; WINAPI is __stdcall on x86, which most Windows DLL exports use):

typedef VOID (WINAPI *FunctionName)(
<TypeData1> <Name arg1>,    // can be DWORD, BYTE *, ...
<TypeData2> <Name arg2>,    //
...
);

Note: GetProcAddress(hDll, "nameOfFunction") resolves an export by name; passing the ordinal cast to LPCSTR, as above, resolves it by ordinal.

Tips while using z3 #

Using z3 to find the flag (one 8-bit bitvector per flag byte):

import z3

FLAGLENGTH = ...      # expected flag length

flag = [z3.BitVec('f' + str(i), 8) for i in range(FLAGLENGTH)]

s = z3.Solver()
s.add(...)            # the checker's constraints on flag[i]

while s.check() == z3.sat:
    m = s.model()
    print(m)
    # block this model, otherwise check() returns the same model forever
    s.add(z3.Or([b != m[b] for b in flag]))

Once a model contains the flag, print it with:

for i in range(FLAGLENGTH):
    print(chr(m[flag[i]].as_long()),end = "")
print()

Linux kernel #

Extract the initramfs (the root filesystem the kernel boots, not the kernel image itself):

mkdir initramfs
cd initramfs
cp ../initramfs.cpio.gz .
gunzip ./initramfs.cpio.gz
cpio -idm < ./initramfs.cpio
rm initramfs.cpio

Debug the kernel with gdb (vmlinux is the uncompressed kernel with symbols):

gdb -q vmlinux

target remote :1234

Start the VM with "-s -S" appended to the QEMU command line: -s makes QEMU listen for gdb on tcp::1234, and -S halts the CPU at startup until the debugger continues it.

For more information: https://docs.kernel.org/dev-tools/gdb-kernel-debugging.html