What's RR0D ?

RR0D is a ring 0 debugger. It offers the possibility to debug any kind of code (kernel/user/rasta land). Its philosophy is to be OS independent. That's why RR0D can today be installed on Linux, *BSD, Wind0ws. This has some disadvantages: RR0D is only designed to run on x86 (is this really a disadvantage?). Here is a presentation of Rr0d.

How the hell does this work ?

It works fine. Thanks. Actually, the goal is to keep the code low level enough to *not* use any kernel host code. RR0D is a sort of stand-alone module that installs hooks at each important point to realize such a dream. The only part that is OS dependent is the kernel module interface.

This kernel debugger has its own keyboard driver (only PS2 keyboard). Rr0d has its own video drivers: The first one is a VGA driver that manipulates directly the VGA compatible mode of graphic cards (in console mode). Rr0d has a FrameBuffer video driver as well: it is used under X server (or with the Win desktop).


Direct video memory access: Another video driver is based on direct writting into the physical video memory. Recent video card have their memory accessible directly by writting in certain physical memory. Rr0d can use this mecanism to display its interface with card unsing PCI or AGP bus. Thus, rr0d can be easilly used with Windows XP or Xorg/Xfree (without special feature as frame buffer or else).

Rr0d hooks interruptions (0, 1, 3,..) on idt. If the interruption is managed by Rr0d (int 3, ...) iret is done. Else, Rr0d gives back hand to the OS. Rr0d has a little disasm engine (buGGy one :) to display disassembly. Rr0d handles pagination in order to set/clear bp or editing memory.

Note: During Rr0d rasta trace debugging sessions, rr0d loops. So hot processors: take care :)