
Recon 2011

Speaker: Damien Aumaitre

Schedule
Day: Friday, 2011-07-08
Room: Grand Salon
Start time: 16:00
Duration: 01:00

Info
ID: 119
Event type: Lecture
Track: Main

Virtdbg

Remote kernel debugging using hardware virtualisation features

This presentation is about a remote kernel debugger leveraging the hardware virtualization facilities provided by modern processors. The hypervisor is loaded "on the fly" with DMA requests and allows the target to be debugged without rebooting. The client part leverages the metasm framework.

This presentation is about a remote kernel debugger leveraging the hardware virtualization facilities provided by modern processors. It will demonstrate how to load a hypervisor into the kernel of a Windows 7 x64 operating system with DMA requests, thus bypassing code signing checks and integrity verification (PatchGuard protection). The VMM (hypervisor) is implemented using a "Blue Pill" approach, that is, the running operating system is virtualized "on the fly". The debugger leverages a good part of the features provided by the metasm framework (http://metasm.cr0.org). We will also discuss the pros and cons of using virtualization for debugging purposes.