VDM!
November 25th, 2008 at 12:40 admin
Damn, it's been 1000 years since I last blogged; I'm swamped at the moment. You'll laugh at me, but I'm currently studying things like Java/C++/SQL/XML/UML. Let's say they're not the least interesting things, but they're really, really tedious to work on. I have so many projects and reports to hand in on them that I don't even have time to play with my Windows any more.
Anyway, I'm dropping by quickly to show you a fun feature of WinDbg (by the way, version 6.10.3.233 came out less than a week ago). It's an extension that helps with debugging VDM binaries. I think an example will speak better than anything else:
0:003> !vdmexts.load
0:003> !vdmexts.help
WOW commands are not currently available.
------------- VDMEXTS Debug Extension help:--------------
help [cmd]              - Displays this list or gives details on command
ApiProfClr              - Clears the api profiling table
ApiProfDmp [options]    - Dumps the api profiling table
at 0xXXXX               - shows name associated with hex atom #
bp <addr>               - Sets a vdm breakpoint
bd/be <n>               - Disables/enables vdm breakpoint 'n'
bl                      - Lists vdm breakpoints
chkheap                 - Checks WOW kernel's global heap
cia                     - Dump cursor/icon alias list
d<b|w|d> <addr> [len]   - Dump vdm memory
ddemem                  - Dump dde memory thunks
ddte <addr>             - Dump dispatch table entry pointed to by <addr>
denv <bProt> <selEnv>   - Dump environment for current task or given selector/segment
df [vector]             - Dump protect mode fault handler address
dfh [fh [pdb]]          - Dump DOS file handles for current or given PDB
dg <sel>                - Dump info on a selector
ddh [seg]               - Dump DOS heap chain starting at <seg>:0000
dgh [sel|ownersel]      - Dump WOW kernel's global heap
dhdib [@<address>]      - Dump dib.drv support structures (DIBINFO)
di [vector]             - Dump protect mode interrupt handler address
dma                     - Dump virtual DMA state
dpd                     - Dump DPMI DOS memory allocations
dpx                     - Dump DPMI extended memory allocations
dsft [sft]              - Dump all or specified DOS system file tables
dt [-v] <addr>          - Dump WOW Task Info
dwp <addr>              - Dump WOWPORT structure pointed to by <addr>
e<b|w|d> <addr> <data>  - Edit vdm memory
filter [options]        - Manipulate logging filter
fs <text to find>       - Find text in 16:16 memory (case insensitive)
glock <sel>             - Increments the lock count on a moveable segment
gmem                    - Dumps Global/heap memory alloc'd by wow32
gunlock <sel>           - Decrements the lock count on a moveable segment
hgdi16 [-v] <h16>       - Returns 32-bit GDI handle for <h16>
hgdi32 [-v] <h32>       - Returns 16-bit GDI handle for <h32>
ica                     - Dump Interrupt Controller state
k                       - Stack trace
kb                      - Stack trace with symbols
LastLog                 - Dumps Last Logged WOW APIs from Circular Buffer
lg [#num] [count]       - Dumps NTVDM history log
lgr [#num] [count]      - Dumps NTVDM history log (with regs)
lgt [1|2|3]             - Sets NTVDM history log timer resolution
lm <sel|modname>        - List loaded modules
ln [addr]               - Determine near symbols
LogFile [path]          - Create/close toggle for iloglevel capture to file (path defaults to c:\ilog.log)
MsgProfClr              - Clears the msg profiling table
MsgProfDmp [options]    - Dumps the msg profiling table
ntsd                    - Gets an NTSD prompt from the VDM prompt
r                       - Dump registers
rmcb                    - Dumps dpmi real mode callbacks
SetLogLevel xx          - Sets the WOW Logging Level
StepTrace               - Toggles Single Step Tracing On/Off
sx                      - Displays debugging options
sx<d|e> <flag>          - Disables/enables debugging options
timer                   - Display 8253 timer 0 information
u [addr] [len]          - Unassemble vdm code with symbols
wc <hwnd16>             - Dumps the window class structure of <hwnd16>
ww <hwnd16>             - Dumps the window structure of <hwnd16>
x <symbol>              - Get symbol's value
-------------- i386 specific commands
fpu                     - Dump 487 state
pdump                   - Dumps profile info to file \profile.out
pint                    - Sets the profile interval
pstart                  - Causes profiling to start
pstop                   - Causes profiling to stop
vdmtib [addr]           - Dumps the register context in the vdmtib
where [options] can be displayed with 'help <cmd>'
With it you can easily see the exception and interrupt handlers that the ntvdm.exe binary sets up, as (segment:offset) pairs:
0:000> !vdmexts.df ; Dump protect mode fault handler address
00: 00C7:00001200 01: 00C7:00001205 02: 00C7:0000120A 03: 00C7:0000120F 04: 00C7:00001214 05: 00C7:00001219 06: 00C7:0000121E 07: 00C7:00001223
08: 00C7:00001228 09: 00C7:0000122D 0A: 00C7:00001232 0B: 00C7:00001237 0C: 00C7:0000123C 0D: 00C7:00001241 0E: 00C7:00001246 0F: 00C7:0000124B
10: 00C7:00001250 11: 00C7:00001255 12: 00C7:0000125A 13: 00C7:0000125F 14: 00C7:00001264 15: 00C7:00001269 16: 00C7:0000126E 17: 00C7:00001273
18: 00C7:00001278 19: 00C7:0000127D 1A: 00C7:00001282 1B: 00C7:00001287 1C: 00C7:0000128C 1D: 00C7:00001291 1E: 00C7:00001296 1F: 00C7:0000129B
0:000> !vdmexts.di ; Dump protect mode interrupt handler address
00: 00C7:00000D00 01: 00C7:00001307 02: 00C7:00000D0A 03: 00C7:00001307 04: 00C7:00000D14 05: 00C7:00000D19 06: 00C7:00000D1E 07: 00C7:00000D23
08: 00C7:00000D28 09: 00C7:00000D2D 0A: 00C7:00000D32 0B: 00C7:00000D37 0C: 00C7:00000D3C 0D: 00C7:00000D41 0E: 00C7:00000D46 0F: 00C7:00000D4B
10: 00C7:00001393 11: 00C7:00000D55 12: 00C7:00000D5A 13: 00C7:00002870 14: 00C7:00000D64 15: 00C7:000014A7 16: 00C7:00000D6E 17: 00C7:00000D73
18: 00C7:00000D78 19: 00C7:00001308 1A: 00C7:00000D82 1B: 00C7:00000D87 1C: 00C7:00000D8C 1D: 00C7:00000D91 1E: 00C7:00000D96 1F: 00C7:00000D9B
20: 00C7:00000DA0 21: 00C7:000004E6 22: 00C7:00000DAA 23: 00C7:00000DAF 24: 00C7:00000DB4 25: 00C7:000029CD 26: 00C7:00002A85 27: 00C7:00000DC3
28: 00C7:000012B8 29: 00C7:00000DCD 2A: 00C7:0000315E 2B: 00C7:00000DD7 2C: 00C7:00000DDC 2D: 00C7:00000DE1 2E: 00C7:00000DE6 2F: 00C7:00000DEB
30: 00C7:00001307 31: 00C7:000012DC 32: 00C7:00000DFA 33: 00C7:0000155D 34: 00C7:00000E04 35: 00C7:00000E09 36: 00C7:00000E0E 37: 00C7:00000E13
38: 00C7:00000E18 39: 00C7:00000E1D 3A: 00C7:00000E22 3B: 00C7:00000E27 3C: 00C7:00000E2C 3D: 00C7:00000E31 3E: 00C7:00000E36 3F: 00C7:00000E3B
40: 00C7:00000E40 41: 00C7:00001307 42: 00C7:00000E4A 43: 00C7:00000E4F 44: 00C7:00000E54 45: 00C7:00000E59 46: 00C7:00000E5E 47: 00C7:00000E63
48: 00C7:00000E68 49: 00C7:00000E6D 4A: 00C7:00000E72 4B: 00C7:00000E77 4C: 00C7:00000E7C 4D: 00C7:00000E81 4E: 00C7:00000E86 4F: 00C7:00000E8B
50: 00C7:00000E90 51: 00C7:00000E95 52: 00C7:00000E9A 53: 00C7:00000E9F 54: 00C7:00000EA4 55: 00C7:00000EA9 56: 00C7:00000EAE 57: 00C7:00000EB3
58: 00C7:00000EB8 59: 00C7:00000EBD 5A: 00C7:00000EC2 5B: 00C7:00000EC7 5C: 00C7:0000318B 5D: 00C7:00000ED1 5E: 00C7:00000ED6 5F: 00C7:00000EDB
60: 00C7:00000EE0 61: 00C7:00000EE5 62: 00C7:00000EEA 63: 00C7:00000EEF 64: 00C7:00000EF4 65: 00C7:00000EF9 66: 00C7:00000EFE 67: 00C7:00000F03
68: 00C7:00000F08 69: 00C7:00000F0D 6A: 00C7:00000F12 6B: 00C7:00000F17 6C: 00C7:00000F1C 6D: 00C7:00000F21 6E: 00C7:00000F26 6F: 00C7:00000F2B
70: 00C7:00000F30 71: 00C7:00000F35 72: 00C7:00000F3A 73: 00C7:00000F3F 74: 00C7:00000F44 75: 00C7:00000F49 76: 00C7:00000F4E 77: 00C7:00000F53
78: 00C7:00000F58 79: 00C7:00000F5D 7A: 00C7:00000F62 7B: 00C7:00000F67 7C: 00C7:00000F6C 7D: 00C7:00000F71 7E: 00C7:00000F76 7F: 00C7:00000F7B
80: 00C7:00000F80 81: 00C7:00000F85 82: 00C7:00000F8A 83: 00C7:00000F8F 84: 00C7:00000F94 85: 00C7:00000F99 86: 00C7:00000F9E 87: 00C7:00000FA3
88: 00C7:00000FA8 89: 00C7:00000FAD 8A: 00C7:00000FB2 8B: 00C7:00000FB7 8C: 00C7:00000FBC 8D: 00C7:00000FC1 8E: 00C7:00000FC6 8F: 00C7:00000FCB
90: 00C7:00000FD0 91: 00C7:00000FD5 92: 00C7:00000FDA 93: 00C7:00000FDF 94: 00C7:00000FE4 95: 00C7:00000FE9 96: 00C7:00000FEE 97: 00C7:00000FF3
98: 00C7:00000FF8 99: 00C7:00000FFD 9A: 00C7:00001002 9B: 00C7:00001007 9C: 00C7:0000100C 9D: 00C7:00001011 9E: 00C7:00001016 9F: 00C7:0000101B
A0: 00C7:00001020 A1: 00C7:00001025 A2: 00C7:0000102A A3: 00C7:0000102F A4: 00C7:00001034 A5: 00C7:00001039 A6: 00C7:0000103E A7: 00C7:00001043
A8: 00C7:00001048 A9: 00C7:0000104D AA: 00C7:00001052 AB: 00C7:00001057 AC: 00C7:0000105C AD: 00C7:00001061 AE: 00C7:00001066 AF: 00C7:0000106B
B0: 00C7:00001070 B1: 00C7:00001075 B2: 00C7:0000107A B3: 00C7:0000107F B4: 00C7:00001084 B5: 00C7:00001089 B6: 00C7:0000108E B7: 00C7:00001093
B8: 00C7:00001098 B9: 00C7:0000109D BA: 00C7:000010A2 BB: 00C7:000010A7 BC: 00C7:000010AC BD: 00C7:000010B1 BE: 00C7:000010B6 BF: 00C7:000010BB
C0: 00C7:000010C0 C1: 00C7:000010C5 C2: 00C7:000010CA C3: 00C7:000010CF C4: 00C7:000010D4 C5: 00C7:000010D9 C6: 00C7:000010DE C7: 00C7:000010E3
C8: 00C7:000010E8 C9: 00C7:000010ED CA: 00C7:000010F2 CB: 00C7:000010F7 CC: 00C7:000010FC CD: 00C7:00001101 CE: 00C7:00001106 CF: 00C7:0000110B
D0: 00C7:00001110 D1: 00C7:00001115 D2: 00C7:0000111A D3: 00C7:0000111F D4: 00C7:00001124 D5: 00C7:00001129 D6: 00C7:0000112E D7: 00C7:00001133
D8: 00C7:00001138 D9: 00C7:0000113D DA: 00C7:00001142 DB: 00C7:00001147 DC: 00C7:0000114C DD: 00C7:00001151 DE: 00C7:00001156 DF: 00C7:0000115B
E0: 00C7:00001160 E1: 00C7:00001165 E2: 00C7:0000116A E3: 00C7:0000116F E4: 00C7:00001174 E5: 00C7:00001179 E6: 00C7:0000117E E7: 00C7:00001183
E8: 00C7:00001188 E9: 00C7:0000118D EA: 00C7:00001192 EB: 00C7:00001197 EC: 00C7:0000119C ED: 00C7:000011A1 EE: 00C7:000011A6 EF: 00C7:000011AB
F0: 00C7:000011B0 F1: 00C7:000011B5 F2: 00C7:000011BA F3: 00C7:000011BF F4: 00C7:000011C4 F5: 00C7:000011C9 F6: 00C7:000011CE F7: 00C7:000011D3
F8: 00C7:000011D8 F9: 00C7:000011DD FA: 00C7:000011E2 FB: 00C7:000011E7 FC: 00C7:000011EC FD: 00C7:000011F1 FE: 00C7:000011F6 FF: 00C7:000011FB
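The two dumps above are easiest to read by looking at what is regular in them: almost every vector points into a run of entries in segment 00C7 spaced exactly 5 bytes apart, and the handful that break that pattern (01, 03, 10, 13, 15, 19, 21, 25, 26, 28, 2A, 30, 31, 33, 41, 5C in the `.di` table; none in the `.df` table) are the vectors NTVDM actually redirected to its own code. The Python script below is an added example, not code from the original post or from the WinDbg vdmexts extension. It parses `!vdmexts.df` / `!vdmexts.di` output in whatever line layout it was copied (the collapsed one-line form works too), infers the default handler array from the majority pattern, and lists the vectors that deviate from it. The sample input is taken from the post's listings, with the `.di` table truncated to its first 0x48 entries; reading the regularly spaced entries as an array of identical stubs is my interpretation of the data, not something the post states.

```python
import re
from collections import Counter

# One table entry as printed by !vdmexts.df / !vdmexts.di: "<vector>: <segment>:<offset>"
ENTRY_RE = re.compile(r"\b([0-9A-F]{2}): ([0-9A-F]{4}):([0-9A-F]{8})\b")

# The complete !vdmexts.df listing from the post (32 protected-mode fault vectors).
DF_LISTING = """
0:000> !vdmexts.df ; Dump protect mode fault handler address
00: 00C7:00001200 01: 00C7:00001205 02: 00C7:0000120A 03: 00C7:0000120F 04: 00C7:00001214 05: 00C7:00001219 06: 00C7:0000121E 07: 00C7:00001223
08: 00C7:00001228 09: 00C7:0000122D 0A: 00C7:00001232 0B: 00C7:00001237 0C: 00C7:0000123C 0D: 00C7:00001241 0E: 00C7:00001246 0F: 00C7:0000124B
10: 00C7:00001250 11: 00C7:00001255 12: 00C7:0000125A 13: 00C7:0000125F 14: 00C7:00001264 15: 00C7:00001269 16: 00C7:0000126E 17: 00C7:00001273
18: 00C7:00001278 19: 00C7:0000127D 1A: 00C7:00001282 1B: 00C7:00001287 1C: 00C7:0000128C 1D: 00C7:00001291 1E: 00C7:00001296 1F: 00C7:0000129B
"""

# The first 0x48 entries of the post's !vdmexts.di listing (truncated here; in the
# post the remaining entries continue the same pattern, apart from vector 5C).
DI_LISTING_HEAD = """
0:000> !vdmexts.di ; Dump protect mode interrupt handler address
00: 00C7:00000D00 01: 00C7:00001307 02: 00C7:00000D0A 03: 00C7:00001307 04: 00C7:00000D14 05: 00C7:00000D19 06: 00C7:00000D1E 07: 00C7:00000D23
08: 00C7:00000D28 09: 00C7:00000D2D 0A: 00C7:00000D32 0B: 00C7:00000D37 0C: 00C7:00000D3C 0D: 00C7:00000D41 0E: 00C7:00000D46 0F: 00C7:00000D4B
10: 00C7:00001393 11: 00C7:00000D55 12: 00C7:00000D5A 13: 00C7:00002870 14: 00C7:00000D64 15: 00C7:000014A7 16: 00C7:00000D6E 17: 00C7:00000D73
18: 00C7:00000D78 19: 00C7:00001308 1A: 00C7:00000D82 1B: 00C7:00000D87 1C: 00C7:00000D8C 1D: 00C7:00000D91 1E: 00C7:00000D96 1F: 00C7:00000D9B
20: 00C7:00000DA0 21: 00C7:000004E6 22: 00C7:00000DAA 23: 00C7:00000DAF 24: 00C7:00000DB4 25: 00C7:000029CD 26: 00C7:00002A85 27: 00C7:00000DC3
28: 00C7:000012B8 29: 00C7:00000DCD 2A: 00C7:0000315E 2B: 00C7:00000DD7 2C: 00C7:00000DDC 2D: 00C7:00000DE1 2E: 00C7:00000DE6 2F: 00C7:00000DEB
30: 00C7:00001307 31: 00C7:000012DC 32: 00C7:00000DFA 33: 00C7:0000155D 34: 00C7:00000E04 35: 00C7:00000E09 36: 00C7:00000E0E 37: 00C7:00000E13
38: 00C7:00000E18 39: 00C7:00000E1D 3A: 00C7:00000E22 3B: 00C7:00000E27 3C: 00C7:00000E2C 3D: 00C7:00000E31 3E: 00C7:00000E36 3F: 00C7:00000E3B
40: 00C7:00000E40 41: 00C7:00001307 42: 00C7:00000E4A 43: 00C7:00000E4F 44: 00C7:00000E54 45: 00C7:00000E59 46: 00C7:00000E5E 47: 00C7:00000E63
"""


def parse_handlers(text):
    """Return {vector: (segment, offset)} from a df/di listing, regardless of line layout."""
    table = {}
    for vec, seg, off in ENTRY_RE.findall(text):
        table[int(vec, 16)] = (int(seg, 16), int(off, 16))
    return table


def infer_stub_layout(table):
    """Infer (segment, base_offset, stride) of the default handler array.

    Assumption (mine, from the shape of the data): most vectors point at a run of
    identical stubs laid out back to back, so the most common distance between
    consecutive vectors is the stub size and the most common (offset - stride*vector)
    is the array base. Redirected vectors are a minority and do not shift the mode.
    """
    vectors = sorted(table)
    if len(vectors) < 2:
        raise ValueError("need at least two entries to infer a layout")
    strides = Counter(table[b][1] - table[a][1] for a, b in zip(vectors, vectors[1:]))
    stride = strides.most_common(1)[0][0]
    bases = Counter(off - stride * v for v, (_, off) in table.items())
    base = bases.most_common(1)[0][0]
    segs = Counter(seg for seg, _ in table.values())
    return segs.most_common(1)[0][0], base, stride


def redirected_vectors(table):
    """Vectors whose handler is not the default stub for their slot, sorted ascending."""
    seg, base, stride = infer_stub_layout(table)
    return sorted(v for v, (s, off) in table.items() if s != seg or off != base + stride * v)


def describe(table):
    """One human-readable line per redirected vector, with the stub it would otherwise use."""
    seg, base, stride = infer_stub_layout(table)
    return [
        f"INT {v:02X}h -> {table[v][0]:04X}:{table[v][1]:08X} "
        f"(default stub {seg:04X}:{base + stride * v:08X})"
        for v in redirected_vectors(table)
    ]


if __name__ == "__main__":
    for name, listing in (("df", DF_LISTING), ("di", DI_LISTING_HEAD)):
        table = parse_handlers(listing)
        seg, base, stride = infer_stub_layout(table)
        print(f"{name}: {len(table)} vectors, default stubs at {seg:04X}:{base:08X}, {stride} bytes apart")
        for line in describe(table):
            print("  " + line)
```

Run on the two listings it reports no redirected fault vectors and fifteen redirected interrupt vectors in the truncated `.di` table, INT 21h among them pointing at 00C7:000004E6 instead of the 00C7:00000DA5 slot the stub array would give it. The same approach applies to any later `.di` dump: a vector that appears in this list and was not there before is the first thing to look at.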
I know, I'm throwing all this out without explanations, but I know someone this will interest to the highest degree. I'll continue exploring the DOS virtual machine soon; I just need to find the time for it. Otherwise, for those wondering, Abyss isn't dead; I also plan to do something fun with it in the future :]
Entry Filed under: RE
6 Comments
1. L33ckma | November 25th, 2008 at 13:53
When I saw the title, at first I thought of Vie de merde!
Hope that you'll show us soon another mad trick about subverting Windows, our dear French l33t
^_^
2. admin | November 25th, 2008 at 13:55
There's a bit of that, L33ckma
3. Taron | November 26th, 2008 at 23:32
Well, what? You don't like doing use cases?..
Come on.. See ya
4. undef11 | November 27th, 2008 at 21:12
How can you prefer reversing Windows to UML? :p
Can't wait for the holidays ^^
5. newsoft | November 29th, 2008 at 18:50
Ack! :)
16-bit powa !
6. BoBaLeX | December 16th, 2008 at 12:19
A (Read More…) would be welcome, the listings wreck the layout!!!
Otherwise, it's nice to see; indeed there hadn't been anything for a while.
Happy UMLing…