# Winbagility

**Warning:** This tool is ~~dirty~~ under construction; at this moment it will only work for Windows 8.1 x86-64 build 9600 !!

At this time it is just another crappy POC.

It gives the ability to open debugged and undebugged 8.1 x64 RAW physical memory dumps "directly" in WinDbg.
It gives the ability to debug an undebugged Windows 8.1 running in a patched VBox.

## How does it work?

An initial analysis is done to find and decrypt nt!KdDebuggerDataBlock (dissector.cpp) and the important Windows structs KPCR and KPRCB.
A Kd server (kdserver.cpp) is implemented which simulates a debugged Windows station receiving commands through a named pipe.
The Kd server gives WinDbg the deciphered structures, so WinDbg is happy there :)
Memory and registers of the guest aren't written, so PatchGuard is happy there too :)

## Why?

- PatchGuard analysis
- DRM analysis
- Malicious driver analysis
- Forensics (physical raw dump)
- Fun

## How to use (PHYSICAL DUMP MODE)?

1. Create a raw memory dump of 8.1 x64 and place it at `C:\8_1_x64.dmp`
2. Start Winbagility
3. Start WinDbg and connect it to the named pipe `\\.\pipe\client`

## How to use (VBOX MODE)?

1. Patch VBox and compile it
2. Add in VM_NAME.vbox:

   ```xml
   <ExtraData>
     ...
     <ExtraDataItem name="VBoxInternal/DBGC/Address" value="127.0.0.1"/>
     <ExtraDataItem name="VBoxInternal/DBGC/Enabled" value="1"/>
     <ExtraDataItem name="VBoxInternal/DBGC/Port" value="5000"/>
     ...
   </ExtraData>
   ```

3. Start the VM
4. Start Winbagility
5. Start WinDbg and connect it to the named pipe `\\.\pipe\client`

## Why did I commit this s**t?

I wanted to save my work in progress...

## Why VirtualBox?

1. Open source
2. Working on Windows!

## Todo list

- Open debugged 8.1 x64 raw memory dump
- Open undebugged/stock 8.1 x64 raw memory dump
- Integrate it in VirtualBox
- Support "Go" command
- Register read (some are missing, e.g. GDTR, IDTR...)
- Memory search
- Physical memory read
- Pipe reconnect
- Virtual_Physical in FDP
- Memory writes
- Process switching (not easy to do... WinDbg injects a SW breakpoint and then "go"...)
- Register read (some are missing, e.g. XMM...)
- Manage multiple CPU support
- Code cleaning, checks, tests, optimisations...
- Hardware/memory breakpoint with EPTViolation
- Other Windows build support
- Code cleaning
- Specific register read
- Register writes
- Code cleaning
- Arguments and all Bullshit
- Code cleaning
- FDP (Fast Debugging Protocol) with SHM
- Profits !

Bonus: A Kd proxy is present in the code :)
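The "How does it work" section says dissector.cpp decrypts nt!KdDebuggerDataBlock before handing it to WinDbg. The block below is an added example, not code from Winbagility: it implements the decoding that public memory-forensics tools (Volatility's win8_kdbg overlay, for instance) apply to the encoded block on Windows 8+ kernels, plus the inverse used only to manufacture a sample. It assumes dissector.cpp performs these same steps; the `KdbgKeys` struct, the key values, the block address and the 32-byte block contents are all constructed for the demo and are not values from any real dump.

```cpp
// Added example, not code from Winbagility's dissector.cpp.
// Decodes an encoded nt!KdDebuggerDataBlock the way public memory-forensics
// tools (e.g. Volatility's win8_kdbg overlay) do for Windows 8+ kernels.
// ASSUMPTIONS: that dissector.cpp performs these same steps; the key values,
// block address and block contents below are constructed for the demo.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

static uint64_t rol64(uint64_t v, unsigned n) {
    n &= 63;                                   // x86 ROL masks the count to 6 bits
    return n ? (v << n) | (v >> (64 - n)) : v;
}
static uint64_t ror64(uint64_t v, unsigned n) {
    n &= 63;
    return n ? (v >> n) | (v << (64 - n)) : v;
}
static uint64_t bswap64(uint64_t v) {
    uint64_t r = 0;
    for (int i = 0; i < 8; ++i) { r = (r << 8) | (v & 0xFF); v >>= 8; }
    return r;
}

// The three values the kernel mixes into the block. On a real dump they are
// read from nt!KiWaitNever, nt!KiWaitAlways and the VA of nt!KdpDataBlockEncoded.
struct KdbgKeys {
    uint64_t waitNever;
    uint64_t waitAlways;
    uint64_t blockAddr;
};

// Decode one 8-byte word: ROL(q ^ KiWaitNever), XOR address, byte-swap, XOR KiWaitAlways.
uint64_t decodeQword(uint64_t q, const KdbgKeys& k) {
    q = rol64(q ^ k.waitNever, static_cast<unsigned>(k.waitNever & 0xFF));
    q ^= k.blockAddr;
    q = bswap64(q);
    q ^= k.waitAlways;
    return q;
}

// Exact inverse; used here only to manufacture an encoded sample.
uint64_t encodeQword(uint64_t q, const KdbgKeys& k) {
    q ^= k.waitAlways;
    q = bswap64(q);
    q ^= k.blockAddr;
    return ror64(q, static_cast<unsigned>(k.waitNever & 0xFF)) ^ k.waitNever;
}

// Apply fn to every 8-byte word of a block (little-endian host assumed).
static std::vector<uint8_t> mapQwords(const std::vector<uint8_t>& in, const KdbgKeys& k,
                                      uint64_t (*fn)(uint64_t, const KdbgKeys&)) {
    std::vector<uint8_t> out(in.size());
    for (size_t off = 0; off + 8 <= in.size(); off += 8) {
        uint64_t q;
        std::memcpy(&q, &in[off], 8);
        q = fn(q, k);
        std::memcpy(&out[off], &q, 8);
    }
    return out;
}
std::vector<uint8_t> decodeBlock(const std::vector<uint8_t>& enc, const KdbgKeys& k) { return mapQwords(enc, k, decodeQword); }
std::vector<uint8_t> encodeBlock(const std::vector<uint8_t>& plain, const KdbgKeys& k) { return mapQwords(plain, k, encodeQword); }

// Sanity check a decoded block: _DBGKD_DEBUG_DATA_HEADER64 carries the
// OwnerTag "KDBG" at offset 16, right after the 16-byte LIST_ENTRY64.
bool looksDecoded(const std::vector<uint8_t>& blk) {
    return blk.size() >= 20 && std::memcmp(&blk[16], "KDBG", 4) == 0;
}

// Constructed 32-byte plaintext: List (2 x 8 bytes), OwnerTag, Size, padding.
std::vector<uint8_t> makeSamplePlainBlock() {
    std::vector<uint8_t> b(32, 0);
    const uint64_t flink = 0xfffff80212340000ULL, blink = 0xfffff80212340000ULL; // constructed
    std::memcpy(&b[0], &flink, 8);
    std::memcpy(&b[8], &blink, 8);
    std::memcpy(&b[16], "KDBG", 4);
    const uint32_t size = 0x360;   // constructed header Size field
    std::memcpy(&b[20], &size, 4);
    return b;
}

int main() {
    const KdbgKeys keys{0x0123456789abcdefULL, 0xfedcba9876543210ULL, 0xfffff80212345678ULL}; // constructed
    std::vector<uint8_t> enc = encodeBlock(makeSamplePlainBlock(), keys);
    std::vector<uint8_t> dec = decodeBlock(enc, keys);
    std::printf("encoded tag present: %d, decoded tag present: %d\n", looksDecoded(enc), looksDecoded(dec));
    return looksDecoded(dec) ? 0 : 1;
}
```

The "KDBG" tag check is the same test a dump analyst uses to confirm the three key values were read from the right place: with a wrong KiWaitNever, KiWaitAlways or block address the decoded header comes out as noise and the tag never appears.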
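The same section says kdserver.cpp simulates a debugged Windows station that receives WinDbg's commands through a named pipe. To speak to WinDbg, such a server has to frame and check packets of the serial KD protocol. The block below is an added example, not code from kdserver.cpp: it builds and parses the `KD_PACKET` framing as documented in the public windbgkd.h header (ReactOS), with the byte-sum checksum and the 0xAA trailing byte on data packets. The packet type and leader constants are from that header; the sample payload is constructed, and nothing here opens the pipe itself.

```cpp
// Added example, not code from Winbagility's kdserver.cpp.
// Framing and validation of serial KD protocol packets, per the public
// windbgkd.h header (ReactOS). Constants are from that header; the sample
// payload in main() is constructed for the demo.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

constexpr uint32_t PACKET_LEADER                  = 0x30303030; // data packet, payload follows
constexpr uint32_t CONTROL_PACKET_LEADER          = 0x69696969; // ack/resend/reset, no payload
constexpr uint8_t  PACKET_TRAILING_BYTE           = 0xAA;
constexpr uint16_t PACKET_TYPE_KD_STATE_MANIPULATE = 2;
constexpr uint16_t PACKET_TYPE_KD_ACKNOWLEDGE      = 4;
constexpr uint32_t INITIAL_PACKET_ID              = 0x80800000;

#pragma pack(push, 1)
struct KD_PACKET {
    uint32_t PacketLeader;
    uint16_t PacketType;
    uint16_t ByteCount;   // payload length; 0 for control packets
    uint32_t PacketId;
    uint32_t Checksum;    // byte sum of the payload
};
#pragma pack(pop)

uint32_t kdChecksum(const uint8_t* p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; ++i) s += p[i];
    return s;
}

// Header + payload + trailing byte, as sent on the wire for data packets.
std::vector<uint8_t> buildDataPacket(uint16_t type, uint32_t id, const std::vector<uint8_t>& payload) {
    KD_PACKET h{PACKET_LEADER, type, static_cast<uint16_t>(payload.size()), id,
                kdChecksum(payload.data(), payload.size())};
    std::vector<uint8_t> out(sizeof h);
    std::memcpy(out.data(), &h, sizeof h);
    out.insert(out.end(), payload.begin(), payload.end());
    out.push_back(PACKET_TRAILING_BYTE);
    return out;
}

// Control packets (e.g. the ACK the server must answer every data packet with) are header only.
std::vector<uint8_t> buildControlPacket(uint16_t type, uint32_t id) {
    KD_PACKET h{CONTROL_PACKET_LEADER, type, 0, id, 0};
    std::vector<uint8_t> out(sizeof h);
    std::memcpy(out.data(), &h, sizeof h);
    return out;
}

struct ParsedPacket {
    KD_PACKET header;
    std::vector<uint8_t> payload;
    size_t consumed;      // bytes to drop from the receive buffer
};

// Returns false on short input, unknown leader, checksum or trailer mismatch,
// so a corrupted or truncated frame is rejected instead of being acted on.
bool parsePacket(const std::vector<uint8_t>& buf, ParsedPacket& out) {
    if (buf.size() < sizeof(KD_PACKET)) return false;
    std::memcpy(&out.header, buf.data(), sizeof(KD_PACKET));
    const KD_PACKET& h = out.header;
    if (h.PacketLeader == CONTROL_PACKET_LEADER) {
        if (h.ByteCount != 0) return false;
        out.payload.clear();
        out.consumed = sizeof(KD_PACKET);
        return true;
    }
    if (h.PacketLeader != PACKET_LEADER) return false;
    const size_t need = sizeof(KD_PACKET) + h.ByteCount + 1;
    if (buf.size() < need) return false;
    out.payload.assign(buf.begin() + sizeof(KD_PACKET), buf.begin() + sizeof(KD_PACKET) + h.ByteCount);
    if (kdChecksum(out.payload.data(), out.payload.size()) != h.Checksum) return false;
    if (buf[need - 1] != PACKET_TRAILING_BYTE) return false;
    out.consumed = need;
    return true;
}

int main() {
    const std::vector<uint8_t> payload{1, 2, 3, 250};   // constructed; byte sum 256
    std::vector<uint8_t> frame = buildDataPacket(PACKET_TYPE_KD_STATE_MANIPULATE, INITIAL_PACKET_ID, payload);
    ParsedPacket p;
    bool ok = parsePacket(frame, p);
    std::printf("parsed=%d type=%u bytes=%u checksum=0x%x consumed=%zu\n",
                ok, p.header.PacketType, p.header.ByteCount, p.header.Checksum, p.consumed);
    return ok ? 0 : 1;
}
```

A server that replaces a real kernel has to be stricter than the kernel about framing: WinDbg will resend on a bad checksum, but a frame accepted with a wrong ByteCount desynchronises every packet that follows, so `parsePacket` reports how many bytes it consumed and rejects anything it cannot fully account for.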
d4nnyk/Winbagility