Archive for the ‘Articles and Presentations’ Category

Part 3 of User-Mode Debugging Internals

Wednesday, January 31st, 2007

The last part in my series on how Windows XP and higher support user-mode debugging is now up on OpenRCE; this part covers the kernel-mode side of things, aka the Dbgk module. Read it and find out how to use the native system calls in your debugger, which let you do things like debug multiple processes from a single debugger!

I will post the article on my Publications page as well, shortly.

Coming up shortly: the secrets of RtlRemoteCall!

Publications

Tuesday, November 21st, 2006

Just realized I forgot to post these in the last update, but perhaps it was better anyway, since the post was already large enough.

NTFS On-Disk Structure – A fairly large reference to all the structures used on NTFS as well as some of the technical details behind some implementations. Was going to cover EFS and those structures, but I stopped it short there. This was written quite some time ago, and the structures are in Visual Basic format, but it should still be pretty useful. My explanation of NTFS runs was one of the best things in it.

Process Internals – Was going to become Part 1 of a series of 3 or 4 documents on each of the main executive components of NT, the Process Manager, the Object Manager and the Executive itself. Not very happy about this one in retrospect, since a lot of the fields I had documented aren’t used anymore or the information was wrong, but I still think it’s a good reference (especially the later sections). Again, done when I was younger and writing Visual Basic code.

Visual Basic File Format – One of the articles I’m most proud of, this one was the result of several weeks of independent study into the Visual Basic file format for compiled executables. It explains every field, structure, relationship, etc, that the compiler inserts into the file that is then read by the runtime. Allowed me to write a simple runtime library that was only 20KB (for basic MsgBoxes). Highly graphical and easy to read.

Native API Compression and Introduction to NT Design – An older article of mine again, gave a short primer on Native APIs, then presented a set of useful compression APIs buried in NT, and gave some interesting study of their performance and compressibility.

NTFS Alternate Data Streams – Back when alternate data streams weren’t very popular (I think I participated in making them popular; I was approached several times for inclusion of this article into books, magazines and other websites), I wrote code and an article exposing them and the dangers they presented, as well as a scanner that could find them. Again, Visual Basic code, and done when I was younger.

Subverting Windows 2003 Service Pack 1 Kernel Integrity Protection – My latest large presentation/project, this one was presented at REcon 2006. Shows a way to defeat the new protection mechanisms added in 2003 to disable access to kernel-mode from user-mode administrative applications, and how to access physical memory again. Exposed a flaw in VDM present in all released (at the time) versions of Windows NT.

Windows XP/2003 User-Mode Debugging Internals, Part 1 – Part of a series about the User-Mode Debugging framework in kernel32, ntdll and ntoskrnl. This part deals with Win32.

Windows XP/2003 User-Mode Debugging Internals, Part 2 – Part of a series about the User-Mode Debugging framework in kernel32, ntdll and ntoskrnl. This part deals with Native.

Part 2 of User-Mode Debugging Internals Article

Friday, November 10th, 2006

I’ve almost finished setting up the remaining parts of my blog. I’ve added an About page and pretty much filled my BlogRoll with the blogs I try to read daily. Thanks to everyone who has visited/linked here in the last few days.

I’m currently working on the “Publications” page of the blog to have a central repository with all my data. I will also duplicate it on OpenRCE, but that site requires a login, and I wanted to make sure anyone could freely access my stuff. The links aren’t live yet, but they should be within the day.

Also, Part 2 of my article should appear soon, but for those that want to beat the clock, you can download it for now directly here. If you haven’t read Part 1 first, make sure you do here.

Brief overview of what’s discussed:

  • Part 1 – Win32: DebugActiveProcess, DebugBreakProcess, DebugSetProcessKillOnExit, CheckRemoteDebuggerPresent, WaitForDebugEvent, ContinueDebugEvent, DebugActiveProcessStop.
  • Part 1 – Win32: Teb->DbgSsReservedData[0] and DBGSS_THREAD_DATA. SaveProcessHandle, SaveThreadHandle, MarkThreadHandle, MarkProcessHandle, RemoveHandles, CloseAllProcessHandles.
  • Part 2 – Native: DbgUiConnectToDbg, DbgUiDebugActiveProcess, DbgUiStopDebugging, DbgUiIssueRemoteBreakin, DbgUiRemoteBreakin, DbgUiGetThreadDebugObject, DbgUiSetThreadDebugObject, DbgUiContinue, DbgUiWaitStateChange, DbgUiConvertStateChangeStructure.
  • Part 2 – Native: Teb->DbgSsReservedData[1], DBGUI_WAIT_STATE_CHANGE, Teb->Tib.ArbitraryUserPointer, DBG_STATE, DBGKM_EXCEPTION, DBGKM_CREATE_THREAD, DBGKM_CREATE_PROCESS, DBGKM_EXIT_THREAD, DBGKM_LOAD_DLL, DBGKM_UNLOAD_DLL.
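
As an added example (not code from the articles or from the author), here is the loop those Part 1 Win32 APIs form when put together: attach with DebugActiveProcess, pump events with WaitForDebugEvent/ContinueDebugEvent, and detach with DebugActiveProcessStop. The helper names (debug_event_name, choose_continue_status) and the “PID on the command line” convention are assumptions of this example; the event codes and status values are the real winnt.h/winbase.h ones, reproduced so the policy part builds outside Windows too.

```c
/* Added example (not the article's own code): a minimal Win32 debug loop.
 * choose_continue_status() and debug_event_name() are portable C; the
 * attach/wait/continue loop needs <windows.h> and is guarded by _WIN32. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Real Win32 values, copied here so the policy compiles off-Windows. */
typedef unsigned long DWORD;
#define EXCEPTION_DEBUG_EVENT       1
#define CREATE_THREAD_DEBUG_EVENT   2
#define CREATE_PROCESS_DEBUG_EVENT  3
#define EXIT_THREAD_DEBUG_EVENT     4
#define EXIT_PROCESS_DEBUG_EVENT    5
#define LOAD_DLL_DEBUG_EVENT        6
#define UNLOAD_DLL_DEBUG_EVENT      7
#define OUTPUT_DEBUG_STRING_EVENT   8
#define RIP_EVENT                   9
#define DBG_CONTINUE                ((DWORD)0x00010002L)
#define DBG_EXCEPTION_NOT_HANDLED   ((DWORD)0x80010001L)
#define EXCEPTION_BREAKPOINT        ((DWORD)0x80000003L)
#define EXCEPTION_SINGLE_STEP       ((DWORD)0x80000004L)
#define EXCEPTION_ACCESS_VIOLATION  ((DWORD)0xC0000005L)
#endif

/* Name of a DEBUG_EVENT.dwDebugEventCode value, for the per-event log line. */
const char *debug_event_name(DWORD code)
{
    switch (code) {
    case EXCEPTION_DEBUG_EVENT:      return "EXCEPTION";
    case CREATE_THREAD_DEBUG_EVENT:  return "CREATE_THREAD";
    case CREATE_PROCESS_DEBUG_EVENT: return "CREATE_PROCESS";
    case EXIT_THREAD_DEBUG_EVENT:    return "EXIT_THREAD";
    case EXIT_PROCESS_DEBUG_EVENT:   return "EXIT_PROCESS";
    case LOAD_DLL_DEBUG_EVENT:       return "LOAD_DLL";
    case UNLOAD_DLL_DEBUG_EVENT:     return "UNLOAD_DLL";
    case OUTPUT_DEBUG_STRING_EVENT:  return "OUTPUT_DEBUG_STRING";
    case RIP_EVENT:                  return "RIP";
    default:                         return "UNKNOWN";
    }
}

/* Status to pass to ContinueDebugEvent for an EXCEPTION_DEBUG_EVENT.
 * Breakpoints and single-steps are the debugger's own, so they are swallowed
 * with DBG_CONTINUE. Anything else goes back as DBG_EXCEPTION_NOT_HANDLED so
 * the debuggee's SEH gets its turn; answering DBG_CONTINUE to an access
 * violation would just re-execute the faulting instruction and fault again. */
DWORD choose_continue_status(DWORD exception_code)
{
    switch (exception_code) {
    case EXCEPTION_BREAKPOINT:
    case EXCEPTION_SINGLE_STEP:
        return DBG_CONTINUE;
    default:
        return DBG_EXCEPTION_NOT_HANDLED;
    }
}

#ifdef _WIN32
/* Attach to the PID given on the command line, log every debug event,
 * and detach once the debuggee exits. */
int main(int argc, char **argv)
{
    DWORD pid, status;
    DEBUG_EVENT ev;

    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    pid = (DWORD)strtoul(argv[1], NULL, 0);
    if (!DebugActiveProcess(pid)) {
        fprintf(stderr, "DebugActiveProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }
    /* Detaching, or the debugger dying, must not take the target with it. */
    DebugSetProcessKillOnExit(FALSE);

    for (;;) {
        if (!WaitForDebugEvent(&ev, INFINITE)) break;
        status = DBG_CONTINUE;
        printf("pid %lu tid %lu: %s\n", ev.dwProcessId, ev.dwThreadId,
               debug_event_name(ev.dwDebugEventCode));
        switch (ev.dwDebugEventCode) {
        case EXCEPTION_DEBUG_EVENT:
            status = choose_continue_status(ev.u.Exception.ExceptionRecord.ExceptionCode);
            break;
        case CREATE_PROCESS_DEBUG_EVENT:   /* hFile is ours to close; hProcess/hThread are not */
            if (ev.u.CreateProcessInfo.hFile) CloseHandle(ev.u.CreateProcessInfo.hFile);
            break;
        case LOAD_DLL_DEBUG_EVENT:         /* likewise the image handle for each DLL */
            if (ev.u.LoadDll.hFile) CloseHandle(ev.u.LoadDll.hFile);
            break;
        default:
            break;
        }
        if (!ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)) break;
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    DebugActiveProcessStop(pid);   /* fails harmlessly if the target already exited */
    return 0;
}
#endif
```

Two points worth noticing in the loop: the hFile members of CREATE_PROCESS_DEBUG_INFO and LOAD_DLL_DEBUG_INFO are the debugger's responsibility, so a long-running debugger that never closes them leaks a handle per module load; and DebugSetProcessKillOnExit(FALSE) is called before the loop, since the default (kill on exit) means a crash in the debugger, or a plain DebugActiveProcessStop, would otherwise terminate the debuggee.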

Part 3 will cover Kernel Mode and the Nt* APIs when it’s out.