Virtdbg: Remote kernel debugging using hardware virtualisation features

Presented at REcon 2011, July 8, 2011, 4 p.m. (60 minutes)

This presentation is about a remote kernel debugger leveraging the hardware virtualization facilities provided by modern processors. The hypervisor is loaded "on the fly" with DMA requests and allow to debug the target without rebooting. The client part leverages the metasm framework. This presentation is about a remote kernel debugger leveraging the hardware virtualization facilities provided by modern processors. This presentation will demonstrate how to load a hypervisor in the kernel of a Windows 7 x64 operating system with DMA requests thus bypassing code signing checks and integrity verification (PatchGuard protection). The VMM (hypervisor) is implemented using a "Blue Pill" approach that is to say we are virtualizing the operating system "on the fly". The debugger leverages a good part of the features provided by the metasm framework (http://metasm.cr0.org). We will also discuss the pros and cons of using virtualization for debugging purposes.

Presenters:

Links:

Similar Presentations: