Virtdbg: Remote kernel debugging using hardware virtualisation features

Presented at REcon 2011, July 8, 2011, 4 p.m. (60 minutes).

This presentation is about a remote kernel debugger leveraging the hardware virtualization facilities provided by modern processors. The hypervisor is loaded "on the fly" through DMA requests and allows the target to be debugged without rebooting. The client part leverages the metasm framework. The presentation will demonstrate how to load a hypervisor into the kernel of a Windows 7 x64 operating system using DMA requests, thus bypassing code signing checks and integrity verification (PatchGuard protection). The VMM (hypervisor) is implemented using a "Blue Pill" approach, that is to say the running operating system is virtualized "on the fly". The debugger leverages a good part of the features provided by the metasm framework (http://metasm.cr0.org). We will also discuss the pros and cons of using virtualization for debugging purposes.
