Windows Kernel Debugging Using Two VMs on Linux

I just thought of writing this down here, because I keep forgetting how to do this! Also, since OST2 has lots of new courses related to WinDbg, I thought this would be helpful for folks who use a Linux workstation and would like to do Windows kernel debugging and follow Xeno's new courses (I highly recommend you check them out). This post does not explain how to install the Windows 10 SDK on any of the systems, but again, check out Xeno's courses; you will find all of that there.

Basic Info:
VM with WinDbg = Debugger
– Host-Only IP Address = 192.168.16.16
VM to Debug = Debuggee
– Host-Only IP Address = DHCP

Note(s):
1. It does not hurt to test that the two VMs can ping each other (the Windows firewall must allow ICMP for this).
2. Some of the commands below could be applied with bcdedit /dbgsettings directly, but I decided to do it this way so that it is easier to understand and to have a menu option in some

Let's get started! Use whichever method you want; they should all work for you if you follow the settings correctly. First, start cmd.exe with elevated privileges on the Debuggee (bcdedit changes the boot configuration of the machine being debugged), and then pick the method of your choice.

Method #1: Using Serial Ports
Power off both VMs and add a serial port to each. Both will be socket-backed serial ports (a named pipe on the Linux host) at a location of your choosing (e.g. /tmp/com1); both VMs must point at the same path. Make sure the Debugger has "From: Client" -> "To: Virtual Machine" and the Debuggee has "From: Server" -> "To: Virtual Machine".

Now, let's first create a debugging boot entry to choose from when rebooting/powering on the system.
bcdedit /copy {current} /d "Windows 10 Debugging"

Then use the identifier of the new entry (the GUID in braces that bcdedit prints) in the rest of the commands below (assuming the identifier is {AABBCCDD-1A1A-A1A1-BB11-ABCDEF123456}):
bcdedit /debug {AABBCCDD-1A1A-A1A1-BB11-ABCDEF123456} ON
bcdedit /set {AABBCCDD-1A1A-A1A1-BB11-ABCDEF123456} debugtype serial
bcdedit /set {AABBCCDD-1A1A-A1A1-BB11-ABCDEF123456} debugport 1
bcdedit /set {AABBCCDD-1A1A-A1A1-BB11-ABCDEF123456} baudrate 115200

Go to your Debugger VM and start WinDbg, then go to File -> Kernel Debug -> COM. Make sure the settings there (baud rate and COM port) match those you used in the bcdedit commands above, then click OK so that WinDbg waits for the connection. After that, reboot your Debuggee VM and pick the "Windows 10 Debugging" entry from the boot menu; the reboot can be done like this:
shutdown -r -t 0

If everything went fine, you should see your Debugger now connected to your Debuggee VM…
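The four bcdedit steps above, scripted so the entry GUID is parsed instead of copied by hand. This is an added example, not code from the original post: it assumes, as the post does, that COM1 (debugport 1) inside the Debuggee is the socket-backed serial port and that the baud rate is 115200; the entry description is a free choice. Run it from an elevated PowerShell prompt on the Debuggee.

```powershell
# Added example (not from the original post): create the debugging boot entry on the
# DEBUGGEE and apply the serial settings from the post without copying the GUID by hand.
# Assumptions: COM1 (debugport 1) inside the VM is the socket-backed serial port and the
# baud rate is 115200, as above; the entry description is a free choice.
#Requires -RunAsAdministrator

$Description = 'Windows 10 Debugging'
$DebugPort   = 1        # COM1 inside the Debuggee VM
$BaudRate    = 115200

# Braces must be quoted: an unquoted {current} is a script block to PowerShell, not text.
$copyOutput = bcdedit /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

# bcdedit answers with a line like: The entry was successfully copied to {GUID}.
$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
if ("$copyOutput" -match $guidPattern) {
    $Guid = $Matches[0]
} else {
    throw "No entry GUID found in bcdedit output: $copyOutput"
}
Write-Host "New boot entry: $Guid"

# The same four settings the post applies by hand, now against the parsed GUID.
$steps = @(
    @('/debug', $Guid, 'on'),
    @('/set',   $Guid, 'debugtype', 'serial'),
    @('/set',   $Guid, 'debugport', "$DebugPort"),
    @('/set',   $Guid, 'baudrate',  "$BaudRate")
)
foreach ($step in $steps) {
    $out = & bcdedit @step
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $($step -join ' ') failed: $out" }
}

# Optional: keep the boot menu up long enough to pick the debugging entry.
bcdedit /timeout 10 | Out-Null

# Check: the new entry must report "debug Yes" before you reboot into it.
$enum = bcdedit /enum $Guid
$enum
if ("$enum" -notmatch 'debug\s+Yes') {
    Write-Warning "Entry $Guid does not show debug Yes; inspect the output above before rebooting."
}
# Reboot once WinDbg on the Debugger VM is already waiting:  shutdown -r -t 0
```

The original {current} entry is left untouched, so if the serial settings are wrong you can still boot the VM normally from the menu and fix the copy.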

Posted in Exploitation, Kernel, Virtualization, Windows

From the Diary of an Emigrant

For more than ten years I have been trying to go abroad by emigrating. My father and my mother refused to let me travel and did not approve of it... Each time I insisted that they allow me to emigrate, but my request was always met with refusal... My father was less strict than my mother, because he knew what I wanted, but my mother, given her experience with her brothers, refused categorically...

Anyway, I managed to convince my father to let me apply for emigration; once I got the approval, I would tell my mother and present her with a fait accompli... I hired a lawyer to handle the immigration procedures for Australia, through the skilled migration program... Things went well, and all my papers were certified, the certificates that prove my qualifications, and I also obtained the approval of their computer science society, which is a very essential step in getting the approval... After we had completed everything and all the papers, what remained was the English language exam (IELTS)... A score of 6 was required in all sections... I took the exam carelessly and did not study, because according to my personal conviction my English was excellent and passing the exam would be extremely easy! But I discovered that this was not true, and I did not get a 6 in speaking... So the application and the emigration were delayed a little... Anyway, I went back and booked the exam a second time... and again I went without any preparation, because the arrogance had grown in my head: the matter was easy and the previous time was just a small slip... Anyway, I took the exam this time and got a 6 in all sections!!! Wonderful, emigration awaits me...


Posted in Life

Linux Forensics Workshop

Hello,

I've been invited by the Saudi Federation for Cyber Security and Programming (SAFCSP) to do a Linux Forensics workshop during their series of Cybersecurity Nights. My session will be next Thursday, May 14th, 2020 at 10:00 PM (KSA time), which is 3:00 PM US Eastern time. If you're interested in Linux Forensics or have the will to learn, please download the files found here and join me then.

In Arabic (translated here):

The Saudi Federation for Cyber Security, Programming and Drones invited me to hold a workshop on digital forensic investigation of Linux operating systems. If you are interested in that, please follow the livestream or watch the recording on the Federation's websites.
The workshop will be next Thursday, 14/5/2020, at 10 PM Saudi time and 3 PM US time. You can download the workshop files, to take part directly with me, from this link.

Thanks to SAFCSP for the invitation and see you on Thursday :)

Posted in Forensics, Investigations, Workshops

Investigating USB Drives using Mount Points Not Drive Letters

Yes, another excellent question came up from one of my students:
If a user mounts the volume to a mount point, what artifacts could we find for the USB?

Starting, I think, from Windows 8.1 or 10, a user could mount a volume into an empty directory. This means that a USB drive can be mounted to a directory and the user then accesses the content of the volume through that directory, a feature that in the past was only seen on POSIX operating systems such as Linux. The scenario I will be using for this experiment is a user who mounts a volume (USB) to a directory and also removes the drive letter. I will be using C:\Mountpoint as the mount point for the USB.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc), only the ones needed to answer the question above
2. The experiment in this post was repeated three times and they all led to the same results you will find below

PART#1 – SETUP
First as we can see in figure 1.1, the USB labeled FOR340USB has a drive letter E:, so let’s remove it.

Figure 1.1 – Drives Available

Posted in DFIR, Forensics, Investigations, Windows

No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked:
If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry?

Short answer: YES, it will still be seen in Disk Management. But let's assume you no longer have access to the computer, only the registry files. In other words, you imaged the drive but for some reason missed imaging the USB.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc), only the ones needed to answer the question above
2. The experiment in this post was repeated three times and they all led to the same results you will find below

I will list the registry locations we can still check to find entries showing that the USB was plugged into the system, even though it is not currently visible. I won't go over all the USB artifacts; there are many posts and good books on that (WR 2ED, WFA 4ED, etc.). In this post I will focus on some that might not have been used before, which you then just need to correlate with each other. So, let's say you start by loading your registry files (SYSTEM, SOFTWARE, and NTUSER) into Registry Explorer or RegRipper; I will use both here.
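One place where the "letterless" USB from this post and the folder-mounted USB from the previous post both still show up is HKLM\SYSTEM\MountedDevices: every volume Windows has mounted keeps a \??\Volume{GUID} value whose data identifies the device, and a \DosDevices\X: value with identical data exists only while a letter is assigned. The script below, an added example that is not code from either post, decodes those values, groups them by device data, and reports each USB mass-storage volume with the letters currently bound to it, so a volume with a GUID but no letter stands out. It reads the live registry by default or imaged hives loaded with reg.exe; the paths C:\case\SYSTEM and C:\case\NTUSER.DAT are placeholders, and the optional MountPoints2 check only says whether the user opened that volume in Explorer. Folder mount points themselves are not recorded in MountedDevices; the script shows only that the volume is known and letterless.

```powershell
# Added example, not from the original posts: decode HKLM\SYSTEM\MountedDevices and list every
# USB mass-storage volume Windows has mounted, with the drive letters currently bound to it.
# A volume that still has a \??\Volume{GUID} value but no \DosDevices\X: value with the same
# device data is the case discussed above: the device is recorded, only the letter is gone.
# Reads the live machine by default, or imaged hives loaded with reg.exe; the paths
# C:\case\SYSTEM and C:\case\NTUSER.DAT are placeholders. Needs an elevated prompt (reg load).
#Requires -RunAsAdministrator

function Decode-MountedDeviceData {
    param([byte[]]$Data)
    # 12 bytes: MBR disk signature (LE UInt32) + partition byte offset (LE UInt64)
    if ($Data.Length -eq 12) {
        $id = 'MBR sig=0x{0:X8} offset=0x{1:X}' -f [BitConverter]::ToUInt32($Data, 0), [BitConverter]::ToUInt64($Data, 4)
        return [pscustomobject]@{ Kind = 'MBR'; Id = $id }
    }
    # 24 bytes: "DMIO:ID:" + 16-byte GPT partition GUID
    if ($Data.Length -eq 24 -and [Text.Encoding]::ASCII.GetString($Data, 0, 8) -eq 'DMIO:ID:') {
        return [pscustomobject]@{ Kind = 'GPT'; Id = [guid]::new([byte[]]$Data[8..23]).ToString() }
    }
    # Otherwise a UTF-16LE device path, e.g. (constructed sample)
    # _??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#{53f56307-...}
    $text = [Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0)
    if ($text -match 'USBSTOR#Disk&([^#]+)#([^&#]+)') {
        # A serial like 7&1a2b3c4d (digit, then &) is Windows-generated: the device reported none.
        return [pscustomobject]@{ Kind = 'USBSTOR'; Id = $text; Device = $Matches[1]; Serial = $Matches[2] }
    }
    return [pscustomobject]@{ Kind = 'Other'; Id = $text }
}

function Get-UsbVolumeReport {
    param(
        [string]$SystemHive,   # imaged SYSTEM hive; omit to read the live registry
        [string]$NtuserHive    # optional imaged NTUSER.DAT, to check Explorer's MountPoints2
    )
    $loaded = @()
    try {
        $root = 'HKLM:\SYSTEM'
        if ($SystemHive) {
            reg.exe load 'HKLM\CaseSYSTEM' $SystemHive | Out-Null
            $loaded += 'HKLM\CaseSYSTEM'; $root = 'HKLM:\CaseSYSTEM'
        }
        # Group values by identical device data: one USB volume appears once per name it was
        # ever given (\DosDevices\E:, \??\Volume{...}), all carrying the same data blob.
        $byDevice = @{}
        $key = Get-Item "$root\MountedDevices"
        foreach ($name in $key.GetValueNames()) {
            $d = Decode-MountedDeviceData ([byte[]]$key.GetValue($name))
            if (-not $byDevice.ContainsKey($d.Id)) {
                $byDevice[$d.Id] = [pscustomobject]@{ Info = $d; Letters = @(); VolumeGuids = @() }
            }
            if ($name -like '\DosDevices\*')    { $byDevice[$d.Id].Letters     += $name.Substring(12) }
            elseif ($name -like '\??\Volume{*') { $byDevice[$d.Id].VolumeGuids += $name.Substring(10) }
        }
        $key.Close()

        # MountPoints2 holds one {VolumeGUID} subkey per volume the user opened in Explorer.
        $mp2 = @()
        if ($NtuserHive) {
            reg.exe load 'HKU\CaseNTUSER' $NtuserHive | Out-Null
            $loaded += 'HKU\CaseNTUSER'
            $mp2Path = 'Registry::HKEY_USERS\CaseNTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
            $mp2 = @(Get-ChildItem $mp2Path -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
        }

        foreach ($entry in $byDevice.Values | Where-Object { $_.Info.Kind -eq 'USBSTOR' }) {
            [pscustomobject]@{
                Device         = $entry.Info.Device
                Serial         = $entry.Info.Serial
                DriveLetters   = if ($entry.Letters) { $entry.Letters -join ',' } else { '(none: letter removed or never assigned)' }
                VolumeGuids    = $entry.VolumeGuids -join ','
                InMountPoints2 = [bool]($entry.VolumeGuids | Where-Object { $mp2 -contains $_ })
            }
        }
    }
    finally {
        # Release provider handles before unloading, or reg unload fails with "access denied".
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        foreach ($h in $loaded) { reg.exe unload $h | Out-Null }
    }
}

# Live system:
Get-UsbVolumeReport | Format-Table -AutoSize
# Imaged hives (placeholder paths):
# Get-UsbVolumeReport -SystemHive C:\case\SYSTEM -NtuserHive C:\case\NTUSER.DAT | Format-Table -AutoSize
```

The Serial column is what you correlate with the device's key under SYSTEM\CurrentControlSet\Enum\USBSTOR and with the USB-related values in the SOFTWARE and NTUSER hives; a row whose DriveLetters reads "(none...)" but whose VolumeGuids is populated is the evidence the question is about.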

Posted in DFIR, Forensics, Investigations, Windows