RE: Windows debugging/vulnerability analysis
Thanks for the reply. Since my original post, I did a little more
research and read up on remote kernel debugging using Windbg and MS
Virtual PC (both free), and emulating the serial connection through a
named pipe. It seems to give me pretty much what I was looking for. Does
SoftICE give me any advantages over this setup?

-----Original Message-----
From: Rob klein Gunnewiek [mailto:rob.kleingunnewiek@xxxxxxxxx]
Sent: Monday, July 31, 2006 5:42 AM
To: Krpata, Tyler
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Windows debugging/vulnerability analysis

On 7/27/06, Krpata, Tyler <tkrpata@xxxxxxx> wrote:
Hi,

I am looking for some resources on analyzing vulnerabilities in
Windows drivers and/or the kernel. Specifically I am interested in the
flaw in srv.sys as detailed in MS06-035. I'm really looking for
details on how to get useful information out of a debugger at that
level, not being a Windows person myself. Can anyone recommend some
reading material?

I hope you have experience in userspace vulnerability analysis before
you go into the kernel-based stuff. Do you know about SoftICE? It is a
Windows debugger capable of debugging kernel-based code. There should
be a lot of information to be found on Google.

Good luck.

--
Regards,
Rob klein Gunnewiek
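The WinDbg + Virtual PC named-pipe setup mentioned at the top of this thread, written out as an added example (it is not from the original posts). It assumes the Virtual PC guest's COM1 is mapped to a host named pipe called \\.\pipe\com_1 (a name chosen here), that the Debugging Tools for Windows are installed on the host at the path shown, and that the guest is an XP-era system using boot.ini or a Vista-or-later system using bcdedit.

```powershell
# --- Target (guest) side: run once inside the VM, then reboot ---
# Windows XP / Server 2003 (boot.ini): add a debug-enabled boot entry, e.g.
#   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (debug)" /fastdetect /debug /debugport=com1 /baudrate=115200
# Windows Vista and later (bcdedit):
#   bcdedit /debug on
#   bcdedit /dbgsettings serial debugport:1 baudrate:115200
# In the Virtual PC settings, point the guest's COM1 at the host named pipe
# \\.\pipe\com_1 (pipe name is an assumption; any name works if both sides agree).

# --- Host side: attach WinDbg to the pipe as if it were the serial cable ---
$windbg = 'C:\Program Files\Debugging Tools for Windows\windbg.exe'   # install path assumed

# Symbol path: local cache plus the public Microsoft symbol server, so that
# kernel modules such as srv.sys resolve to function names instead of bare offsets.
$env:_NT_SYMBOL_PATH = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'

# com:pipe  -> treat the named pipe as the serial transport
# resets=0  -> ignore the reset packets the virtual machine sends on connect
# reconnect -> re-attach automatically after the guest reboots
& $windbg -k 'com:pipe,port=\\.\pipe\com_1,resets=0,reconnect'

# Once the guest breaks in (Ctrl+Break in WinDbg, or on a bugcheck), useful
# first commands for getting information out of the kernel debugger:
#   .reload          reload symbols for the currently loaded modules
#   lm m srv         confirm srv.sys is loaded and show its load address
#   !analyze -v      summarise a crash: bugcheck code, faulting module, stack
#   kb / kv          call stack with arguments (kv adds frame/trap details)
#   !process 0 0     list processes; !thread shows the current thread
```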
