Giter Site home page Giter Site logo

crackercat / symseghelper Goto Github PK

View Code? Open in Web Editor NEW

This project forked from therealdreg/symseghelper

0.0 0.0 0.0 442 KB

Helper scripts for windows debugging with symbols for Bochs and IDA Pro (PDB files). Very handy for user mode <--> kernel mode

Home Page: https://rootkit.es/

License: GNU General Public License v3.0

Python 91.28% Batchfile 8.72%

symseghelper's Introduction

symseghelper

Helper scripts for a simple debugging session with symbols for Bochs and IDA Pro (PDB files)

betweenrings

names

Demo video

(windbg_output.txt was generated in Guest off the record)

https://youtu.be/7o3JBIzP1bI

Instructions

pip install pefile

Editing symseghelper.py

Copy windows guest system32 to host and update:

path_guest_system32 = r"C:\dreg\system32"

git clone pdbdump_bochs

git clone https://github.com/therealdreg/pdbdump_bochs.git

Update pdbdump paths:

filepath_pdbdump32 = r"C:\Users\leno\Desktop\pdbdump_bochs\x32\x32_pdbdump_bochs.exe"
filepath_pdbdump64 = r"C:\Users\leno\Desktop\pdbdump_bochs\x64\x64_pdbdump_bochs.exe"

Update windbg_output path:

filepath_windbg_output = r"C:\Users\leno\Desktop\symseghelper\windbg_output.txt"

Update output paths:

filepath_pdbdumpbat = r"C:\Users\leno\Desktop\symseghelper\pdbdumpbat.bat"
filepath_ida_segments = r"C:\Users\leno\Desktop\symseghelper\ida_segments.txt"
filepath_bochs_segments = r"C:\Users\leno\Desktop\symseghelper\bochs_segments.txt"
filepath_windbg_output = r"C:\Users\leno\Desktop\symseghelper\windbg_output.txt"

Download windows debug symbols to host & guest in the SAME PATH (VERY IMPORTANT)

I use C:\winsymbols

Generating a valid windbg_output.txt

Open Guest

Install windows debugging tools (windbg)

Open Windbg

Go to File -> Kernel Debug -> Local

Go to File -> Symbol File Path -> Browse

Select your symbol path (for me its C:\winsymbols), Select Reload -> OK

List all processes with command:

!process 0 0

Attach to explorer.exe (it has a a lot of user mode dlls):

!process 0 0 

PROCESS: 86448734 ....
DirBase: ...
IMAGE: explorer.exe

!process 86448734

type:

.reload -a

type:

.reload /f

copy lm vo command output to windbg_output.txt

lm vo

806d0000 806f0300   hal        (pdb symbols)          c:\winsymbols\dll\halaacpi.pdb
    Loaded symbol image file: halaacpi.dll
    Image path: halaacpi.dll
    Image name: halaacpi.dll
    Timestamp:        Sun Apr 13 11:31:27 2008 (4802517F)
    CheckSum:         00024F17
    ImageSize:        00020300
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
bf800000 bf9c2980   win32k     (pdb symbols)          c:\winsymbols\sys\win32k.pdb
    Loaded symbol image file: \SystemRoot\System32\win32k.sys
    Image path: \SystemRoot\System32\win32k.sys
    Image name: win32k.sys
    Timestamp:        Sun Apr 13 12:29:46 2008 (48025F2A)
    CheckSum:         001CC002
    ImageSize:        001C2980
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     win32k.sys
    OriginalFilename: win32k.sys
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2105)
    FileDescription:  Multi-User Win32 Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
    ....

Done!

Execute scripts

run symseghelper.py

it generates some files:

bochs_segments.txt

0x00b30000 kext
0x00e40000 odbcint
0x01000000 windbg
0x01400000 ext
...

you can use this file in Bochs debugger with ldsym global, example:

ldsym global "C:\\Users\\leno\\Desktop\\symseghelper\\bochs_segments.txt"

ida_segments.txt

0x00b30000 0x00b66000 1 kext
0x00e40000 0x00e57000 1 odbcint
0x01000000 0x01097000 1 windbg
0x01400000 0x016f9000 1 ext
0x01900000 0x01975000 1 exts
...

Open IDA PRO, start a debug session and go to File -> Script File

Select idaloadsegs.py

And now idaloadsegs.py ask you for ida_segments.txt, just select ida_segments.txt

segments

pdbdumpbat.bat

You must execute pdbdumpbat.bat to generate bochs_syms_and_ida_names.txt

bochs_syms_and_ida_names.txt

0x7c801160 kernel32!_imp__NtFindAtom
0x7c825e00 kernel32!c_PmapEntries_apphelp
0x7c863ca4 kernel32!GetThreadTimes
...

IDA PRO

Open IDA PRO, start a debug session and go to File -> Script File

Select idaloadnames.py

And now idaloadnames.py ask you for bochs_syms_and_ida_names.txt, just select bochs_syms_and_ida_names.txt

names

Bochs

Open Bochs Debugger, start a debug session, Press Ctrl + C (break). Use ldsym global bochs_syms_and_ida_names.txt

Example:

ldsym global "C:\\Users\\leno\\Desktop\\symseghelper\\bochs_syms_and_ida_names.txt"

Done!

betweenrings

Related

symseghelper's People

Contributors

therealdreg avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.