RE: Windows debugging/vulnerability analysis
Thanks for the reply. Since my original post, I did a little more
research and read up on remote kernel debugging using Windbg and MS
Virtual PC (both free), and emulating the serial connection through a
named pipe. It seems to give me pretty much what I was looking for. Does
SoftICE give me any advantages over this setup?

-----Original Message-----
From: Rob klein Gunnewiek [mailto:rob.kleingunnewiek@xxxxxxxxx]
Sent: Monday, July 31, 2006 5:42 AM
To: Krpata, Tyler
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Windows debugging/vulnerability analysis

On 7/27/06, Krpata, Tyler <tkrpata@xxxxxxx> wrote:
Hi,

I am looking for some resources on analyzing vulnerabilities in
Windows drivers and/or the kernel. Specifically I am interested in the
flaw in srv.sys as detailed in MS06-035. I'm really looking for
details on how to get useful information out of a debugger at that
level, not being a Windows person myself. Can anyone recommend some
reading material?

I hope you have experience in userspace vulnerability analysis before
you go into the kernel-based stuff. Do you know about SoftICE? It is a
Windows debugger capable of debugging kernel-based code. There should
be a lot of information to be found on Google.

Good luck.

--
Regards,
Rob klein Gunnewiek
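An added configuration walkthrough (not from either poster) for the setup Tyler describes above: a Windows XP/2003 guest in Virtual PC as the debuggee, its COM1 mapped to a host named pipe, and WinDbg on the host attached as a kernel debugger. The pipe name, symbol cache directory and the `srv!<function>` breakpoint target are placeholders chosen here, not values from the thread.

```batch
REM Added example, not from either poster: WinDbg + Virtual PC kernel
REM debugging over a named pipe. Guest = debuggee VM, host = WinDbg.
REM
REM 1. In the guest's C:\boot.ini, duplicate the existing OS line and add
REM    the kernel-debugger switches, then select that entry at boot:
REM
REM [operating systems]
REM multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (debug)" /fastdetect /debug /debugport=COM1 /baudrate=115200
REM
REM 2. In the guest's Virtual PC settings, set COM1 to "Named pipe" with
REM    the pipe name \\.\pipe\com_1 (placeholder; any name works as long as
REM    the same name is used on the host).
REM
REM 3. On the host, point WinDbg at the public Microsoft symbol server
REM    (C:\symbols is a placeholder local cache) and attach to the pipe.
REM    resets=0 and reconnect keep the session alive across guest reboots.
set _NT_SYMBOL_PATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols
windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect

REM 4. After the guest boots and WinDbg reports "Connected", press
REM    Ctrl+Break and use these kd> commands to inspect srv.sys:
REM    .reload /f          load symbols for all loaded modules
REM    lm m srv            confirm srv.sys is loaded and its symbols resolved
REM    x srv!*             list the symbols exported by srv.sys
REM    bu srv!<function>   deferred breakpoint on a srv.sys routine (placeholder name)
REM    g                   resume; the breakpoint fires when the SMB server runs that routine
REM    kv                  on break: call stack with frame pointers and arguments
REM    !analyze -v         on a bugcheck: crash summary and faulting stack
REM    !pool <address>     pool header for a suspect kernel heap address
```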


