flat assembler
Message board for the users of flat assembler.

Index > Projects and Ideas > Ring 0 Debugger

KevinN 13 Oct 2012, 01:26
The idea: an os independent x86 ring 0 debugger

Would anybody have an idea how to go about this (a starting point)?
f0dder 13 Oct 2012, 14:48
Start with a hypervisor (or a CPU emulator), progress from there :)
typedef 14 Oct 2012, 14:58
KevinN wrote:
The idea: an os independent x86 ring 0 debugger

Would anybody have an idea how to go about this (a starting point)?

You could try the server-client way.
KevinN 15 Oct 2012, 06:05
I might take a look at the rasta ring 0 debugger source. I think it's available and in C or something. I want something like SoftICE, you know.

Ty for replies
Feryno 15 Oct 2012, 11:00
As f0dder wrote, but constructing the hypervisor is not the only problem to solve.
You also need to solve at least these 3 things:

[0]
APIC emulation if the guest will support SMP (else your hypervisor will be killed on the application CPUs when the bootstrap CPU sends the INIT IPI during OS startup).

[1]
Intercepting at least keyboard input (maybe this could be solved by intercepting keyboard port 60h? but I don't know whether it works with USB keyboards), and optionally intercepting mouse input would be a good idea.

[2]
Showing some output (writing directly to the LFB of the graphics card and interfering with OS output? using the serial port?).

Also expect more problems to appear that need solving.
If you have some specific problem, let me know via PM; maybe I can help you then.
comrade 16 Oct 2012, 08:54
You will have much more success if you constrain it to a VM environment. For example, only target VirtualBox guests. Perhaps you can code it as a plugin to VirtualBox (it is open source).

A lot of system interfaces (esp. video) are very complex and would be very very challenging to intercept on a broad scale.
DOS386 04 Nov 2012, 14:12
KevinN wrote:
The idea: an os independent x86 ring 0 debugger Would anybody have an idea how to go about this (a starting point)?

Extremely difficult. You need an emulator (check BOCHS and port it to FASM). If you want to debug drivers talking to real hardware, you'll additionally need a "bridge" from the emulator to your real hardware (this is on the wishlist of BOCHS, and will depend on your host OS).
KevinN 18 Nov 2012, 01:23
Just learning about hypervisors now. Anyone know if there are open source hypervisors like esx, hyperv, oracle vm server?
KevinN 18 Nov 2012, 01:27
http://www.xen.org/
http://www.linux-kvm.org/page/Main_Page

Found those with a lazy search.

I think at least one of these is open source: hyperdbg/linice too.
f0dder 18 Nov 2012, 14:19
Also, there's been at least one leaked version of the VMware kernel around - I won't comment on whether looking at that source code is a good idea or not, just sayin' :)
Feryno 19 Nov 2012, 11:06
KevinN wrote:
Just learning about hypervisors now. Anyone know if there are open source hypervisors like esx, hyperv, oracle vm server?

Start your own in FASM, I'll help you then (whether booting via BIOS or UEFI).
The simplest skeleton is smaller than a 10 kB executable for AMD as well as Intel (about 100 kB of FASM source with comments).
Feryno 19 Nov 2012, 13:57
The smaller the project you study, the easier it is to learn and to find what is important.
I remembered that some time ago I read one great article:
https://github.com/sduverger/ramooflax/wiki/ramooflax_en.pdf
The author also shares the source code of his project (I wouldn't expose such work of mine, as it is very desirable for malware writers - a new generation of malware living in ring -1):
https://github.com/sduverger/ramooflax/archive/da962835c30f19c682ddec2cc96fe8ce56829042.zip
Obviously most of the project is written in C.
It is a project where the hypervisor watches a Linux guest and interacts with it.
The author didn't implement SMP support yet (it runs only on 1 CPU, which is the bootstrap CPU).
The code to activate all application CPUs can be done in asm in maybe 100 bytes; it is not too difficult. The main problem is that on AMD every INIT IPI received at an application CPU terminates the hypervisor (the INIT IPI is sent when the bootstrap CPU tries to activate all application CPUs in the system during OS startup). I had to solve that by APIC emulation for AMD (I didn't find another way).
I have plans to explore that on Intel CPUs when I have the time and opportunity (whether a hypervisor running on an application CPU survives an INIT IPI received from the bootstrap CPU).

and also this project may be interesting:
http://code.google.com/p/hyperdbg/

If you decide to work on AMD, then I suggest you use this emulator:
http://developer.amd.com/tools/cpu-development/simnow-simulator/
The newest emulated CPU is Bulldozer:
vp_bd_phase1.bsd
(you have to add more CPUs there, as it emulates only a single CPU)
It supports only BIOS, not UEFI.

For Intel I recommend Bochs:
http://sourceforge.net/projects/bochs/files/
(recompiling is necessary to enable SMP)
It supports only BIOS, not UEFI.

For UEFI I know only about qemu + OVMF, but the support for virtualization is not yet fully implemented in qemu:
http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF
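The APIC emulation Feryno brings up in both of his posts (an INIT IPI from the bootstrap CPU reaching application CPUs where a resident hypervisor runs) has one concrete building block: the emulated APIC has to recognise which guest writes to the Interrupt Command Register are INIT or Start-Up IPIs, so it can handle them itself rather than let them reach the real hardware. The following is an added example, not code from this thread or from any poster's project. It assumes the xAPIC register layout (ICR low dword at MMIO offset 0x300, whose write sends the IPI, high dword at 0x310 carrying the destination APIC id in bits 24-31) and uses hypothetical names (`decode_icr`, `ApicIcrEmulator`); the sample register values at the bottom are constructed.

```python
# Added example (not from the thread): decoding guest writes to the Local
# APIC Interrupt Command Register (ICR) so an APIC emulator can recognise
# INIT and Start-Up IPIs. Field layout follows the xAPIC ICR: low dword at
# offset 0x300 (writing it sends the IPI), high dword at offset 0x310
# (destination APIC id in bits 24-31). Names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional

ICR_LOW = 0x300   # MMIO offset of ICR[31:0]
ICR_HIGH = 0x310  # MMIO offset of ICR[63:32]

DELIVERY_MODES = {
    0b000: "fixed",
    0b001: "lowest-priority",
    0b010: "SMI",
    0b100: "NMI",
    0b101: "INIT",
    0b110: "start-up",
}

SHORTHANDS = {
    0b00: "none",
    0b01: "self",
    0b10: "all-including-self",
    0b11: "all-excluding-self",
}


@dataclass(frozen=True)
class Ipi:
    vector: int
    delivery_mode: str
    logical_destination: bool   # bit 11: 0 = physical APIC id, 1 = logical
    level_assert: bool          # bit 14
    level_triggered: bool       # bit 15: 0 = edge, 1 = level
    shorthand: str              # bits 18-19
    destination: int            # ICR[63:56]; meaningful only if shorthand == "none"

    def is_init(self) -> bool:
        return self.delivery_mode == "INIT"

    def startup_address(self) -> Optional[int]:
        """Real-mode entry point a Start-Up IPI points the AP at (vector * 4 KiB)."""
        if self.delivery_mode != "start-up":
            return None
        return self.vector << 12


def decode_icr(low: int, high: int) -> Ipi:
    """Split the two ICR dwords into their fields; reject reserved delivery modes."""
    mode_bits = (low >> 8) & 0b111
    if mode_bits not in DELIVERY_MODES:
        raise ValueError(f"reserved delivery mode {mode_bits:#05b}")
    return Ipi(
        vector=low & 0xFF,
        delivery_mode=DELIVERY_MODES[mode_bits],
        logical_destination=bool(low & (1 << 11)),
        level_assert=bool(low & (1 << 14)),
        level_triggered=bool(low & (1 << 15)),
        shorthand=SHORTHANDS[(low >> 18) & 0b11],
        destination=(high >> 24) & 0xFF,
    )


class ApicIcrEmulator:
    """Minimal stand-in for the ICR half of an emulated local APIC.

    A hypervisor would call guest_write() from its MMIO-intercept handler
    instead of letting the access reach the real APIC. Here it just latches
    the two dwords, records every IPI the guest tried to send, and lets the
    caller ask whether any INIT was aimed at CPUs other than the sender.
    """

    def __init__(self) -> None:
        self.regs = {ICR_LOW: 0, ICR_HIGH: 0}
        self.sent: List[Ipi] = []

    def guest_write(self, offset: int, value: int) -> Optional[Ipi]:
        if offset not in self.regs:
            raise ValueError(f"not an ICR register: {offset:#x}")
        self.regs[offset] = value & 0xFFFFFFFF
        if offset != ICR_LOW:
            return None          # high dword is only latched; nothing is sent yet
        ipi = decode_icr(self.regs[ICR_LOW], self.regs[ICR_HIGH])
        self.sent.append(ipi)
        return ipi

    def init_targets_others(self) -> bool:
        """True if any recorded INIT IPI targeted CPUs other than the sender."""
        return any(i.is_init() and i.shorthand != "self" for i in self.sent)


if __name__ == "__main__":
    apic = ApicIcrEmulator()
    # Constructed sample: an INIT broadcast to all-excluding-self (0xC4500)
    # followed by a Start-Up IPI with vector 0x88, the sequence an OS uses
    # at boot to wake its application CPUs.
    print(apic.guest_write(ICR_LOW, 0x000C4500))
    print(hex(apic.guest_write(ICR_LOW, 0x000C4688).startup_address()))
    print("INIT aimed at other CPUs:", apic.init_targets_others())
```

The point of the emulator is the branch on `offset`: only the low-dword write actually sends, so a guest that first stores a destination id in the high dword must have that value latched before the low write is decoded. A hypervisor that emulates the APIC would act on the returned `Ipi` (reset its own AP-side state for the guest instead of letting hardware INIT the CPU) rather than merely log it.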
KevinN 12 Dec 2012, 08:57
Sorry I took so long to reply. Thank you for your input. I must put this project aside for some time as there are other priorities right now.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.