flat assembler
Message board for the users of flat assembler.
Projects and Ideas > Ring 0 Debugger
KevinN 13 Oct 2012, 01:26
The idea: an OS-independent x86 ring 0 debugger.
Would anybody have an idea how to go about this (a starting point)?
f0dder 13 Oct 2012, 14:48
Start with a hypervisor (or a CPU emulator), progress from there
KevinN 15 Oct 2012, 06:05
I might take a look at the Rasta ring 0 debugger source. I think it's available and in C or something. I want something like SoftICE, you know.
Ty for replies
Feryno 15 Oct 2012, 11:00
As f0dder wrote, but constructing the hypervisor is not the only problem to solve; you also need to solve at least these 3 things:
[0] APIC emulation if the guest will support SMP (else your hypervisor will be killed on the application CPUs when the bootstrap CPU sends an INIT IPI during OS startup)
[1] intercepting at least keyboard input (maybe it could be solved by intercepting keyboard port 60h? but I don't know whether it works with USB keyboards) + optionally intercepting mouse input would be a good idea
[2] showing some output (writing directly to the LFB of the graphics card and interfering with OS output? using a serial port?)
Also expect that more problems will appear to solve. If you have some specific problem, let me know via PM; maybe I can help you then.
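Item [1] above is where a SoftICE-style debugger first touches the guest: the hypervisor traps the guest's IN AL,60h (via the SVM I/O permission map or the VT-x I/O bitmap) and has to decide, byte by byte, whether the key belongs to the guest or is the break-in hotkey. The following is an added example, not code from Feryno or from anyone in this thread: the set-1 scancode state machine behind such an intercept, with a constructed byte stream (not a real capture) to exercise it. The hotkey choice (Ctrl+D, as SoftICE used), the enum names and the split between "pass" and "break" are assumptions of this example. One caveat on the USB question raised above: port 60h only carries USB keystrokes while the BIOS's SMM legacy emulation is active; once the OS driver takes over the USB host controller, those traps see nothing.

```c
/* Added example (not Feryno's or the thread's code): the scancode state
 * machine a ring-0 debugger keeps behind a port 60h intercept. Assumed
 * design: the hypervisor traps IN AL,60h (SVM IOPM / VT-x I/O bitmap), reads
 * the real port itself and runs every byte through kbd_feed(); KBD_PASS means
 * hand the byte to the guest, KBD_BREAK means swallow the key and enter the
 * debugger. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Scancode set 1 (what port 60h delivers unless the OS reconfigured it). */
#define SC_E0       0xE0  /* prefix: next byte is an extended key (right Ctrl/Alt) */
#define SC_CTRL     0x1D  /* left Ctrl; right Ctrl arrives as E0 1D */
#define SC_ALT      0x38  /* left Alt;  right Alt  arrives as E0 38 */
#define SC_D        0x20  /* 'D': SoftICE broke in on Ctrl+D (hotkey is an assumption here) */
#define SC_RELEASE  0x80  /* bit 7 set = key released (break code) */

enum kbd_action { KBD_PASS, KBD_BREAK };

struct kbd_state {
    bool e0;    /* last byte was the E0 prefix */
    bool ctrl;  /* a Ctrl key is held */
    bool alt;   /* an Alt key is held */
};

enum kbd_action kbd_feed(struct kbd_state *s, uint8_t raw)
{
    if (raw == SC_E0) {       /* the prefix names no key: remember it, pass it on */
        s->e0 = true;
        return KBD_PASS;
    }
    s->e0 = false;            /* left/right modifiers share the base code, so the
                                 prefix only needs consuming, not interpreting */
    bool released = raw & SC_RELEASE;
    uint8_t code  = raw & 0x7F;

    switch (code) {
    case SC_CTRL: s->ctrl = !released; return KBD_PASS;
    case SC_ALT:  s->alt  = !released; return KBD_PASS;
    default: break;
    }
    /* Break in on the Ctrl+D make code only; Ctrl+Alt+D stays the guest's. */
    if (!released && s->ctrl && !s->alt && code == SC_D)
        return KBD_BREAK;
    return KBD_PASS;
}

/* Feed a byte stream through a fresh state and count break-ins. */
size_t kbd_count_breaks(const uint8_t *seq, size_t n)
{
    struct kbd_state s = {0};
    size_t breaks = 0;
    for (size_t i = 0; i < n; i++)
        if (kbd_feed(&s, seq[i]) == KBD_BREAK)
            breaks++;
    return breaks;
}

/* Constructed sample stream (not a real capture): Ctrl+D, plain D,
 * right-Ctrl+D, Ctrl+Alt+D. Only the first and third should break in. */
static const uint8_t SAMPLE_SCANCODES[] = {
    0x1D, 0x20, 0xA0, 0x9D,               /* L-Ctrl down, D down, D up, L-Ctrl up */
    0x20, 0xA0,                           /* D alone                              */
    0xE0, 0x1D, 0x20, 0xA0, 0xE0, 0x9D,   /* R-Ctrl down, D, R-Ctrl up            */
    0x1D, 0x38, 0x20, 0xA0, 0xB8, 0x9D,   /* L-Ctrl, L-Alt, D, Alt up, Ctrl up    */
};
#define SAMPLE_LEN (sizeof SAMPLE_SCANCODES / sizeof SAMPLE_SCANCODES[0])
```

The exit handler that calls kbd_feed still has to complete the guest's IN instruction with some value in AL even when it swallows the hotkey, because the guest's IRQ1 handler is already mid-read; what to return in that case, and what to do with typematic repeats of the make code, is left to the debugger's design.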
comrade 16 Oct 2012, 08:54
You will have much more success if you constrain it to a VM environment. For example, only target VirtualBox guests. Perhaps you can code it as a plugin to VirtualBox (it is open source).
A lot of system interfaces (esp. video) are very complex and would be very, very challenging to intercept on a broad scale.
DOS386 04 Nov 2012, 14:12
KevinN wrote: The idea: an OS-independent x86 ring 0 debugger. Would anybody have an idea how to go about this (a starting point)?

Extremely difficult. You need an emulator (check BOCHS and port it to FASM). If you want to debug drivers talking to real hardware, you'll additionally need a "bridge" from the emulator to your real hardware (this is on the wishlist of BOCHS, and will depend on your host OS).
KevinN 18 Nov 2012, 01:23
Just learning about hypervisors now. Anyone know if there are open source hypervisors like ESX, Hyper-V, Oracle VM Server?
KevinN 18 Nov 2012, 01:27
http://www.xen.org/
http://www.linux-kvm.org/page/Main_Page
Found those with a lazy search. I think at least one of these is open source: HyperDbg/LinIce too.
f0dder 18 Nov 2012, 14:19
Also, there's been at least one leaked version of the vmware kernel around - I won't comment on whether looking at that source code is a good idea or not, just sayin'
Feryno 19 Nov 2012, 11:06
KevinN wrote: Just learning about hypervisors now. Anyone know if there are open source hypervisors like ESX, Hyper-V, Oracle VM Server?

Start your own in FASM; I'll help you then (no matter whether booting via BIOS or UEFI). The simplest skeleton is smaller than a 10 kB executable for AMD as well as Intel (about 100 kB of FASM source with comments).
Feryno 19 Nov 2012, 13:57
The smaller the project you study, the easier it is to learn and to find what is important.

I remembered that some time ago I read one great article: https://github.com/sduverger/ramooflax/wiki/ramooflax_en.pdf
The author also shares the source code of his project (I wouldn't expose such work of mine, as it is very desirable for malware writers: a new generation of malware living in ring -1): https://github.com/sduverger/ramooflax/archive/da962835c30f19c682ddec2cc96fe8ce56829042.zip
Obviously most of the project is written in C. It is a project where the hypervisor watches a Linux guest and interacts with it. The author didn't implement SMP support yet (it runs only on 1 CPU, which is the bootstrap CPU). Code to activate all application CPUs can be done in asm in maybe 100 bytes; it is not too difficult. The main problem is that on AMD every INIT IPI received at an application CPU terminates the hypervisor (the INIT IPI is sent when the bootstrap CPU tries to activate all application CPUs in the system during OS startup). I had to solve that by APIC emulation for AMD (I didn't find another way). I have plans to explore that on Intel CPUs when I have time and opportunity (whether a hypervisor running on an application CPU survives a received INIT IPI from the bootstrap CPU).

And also this project may be interesting: http://code.google.com/p/hyperdbg/

If you decide to work on AMD, then I suggest you use this emulator: http://developer.amd.com/tools/cpu-development/simnow-simulator/
The newest emulated CPU is Bulldozer, vp_bd_phase1.bsd (you have to add more CPUs there, as it emulates only a single CPU). It supports only BIOS, not UEFI.
For Intel I recommend Bochs: http://sourceforge.net/projects/bochs/files/ (recompiling is necessary to enable SMP). It supports only BIOS, not UEFI.
For UEFI I know only about qemu + OVMF, but the support for virtualization is not yet fully implemented in qemu: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=OVMF
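The "APIC emulation" Feryno describes for the INIT IPI problem comes down to intercepting the bootstrap CPU's writes to the interrupt command register, decoding them, and walking the target AP through the wait-for-SIPI state in software so that no real INIT ever resets a core the hypervisor is running on. The following is an added example, not Feryno's code and not a working hypervisor: it models only that bookkeeping. The ICR bit layout, the xAPIC split of ICR into a latched high dword (MMIO offset 0x310) and a sending low dword (offset 0x300), the x2APIC destination in bits 63:32, and the post-SIPI real-mode state (CS selector = vector << 8, CS base = vector << 12, IP = 0) are architectural; the struct and function names, the single-AP model and the constructed ICR values in demo_ap_bringup are assumptions of this example.

```c
/* Added example, not Feryno's code and not a working hypervisor: the ICR
 * decoding and INIT/SIPI bookkeeping that "APIC emulation" on the AP path
 * needs. Assumed design: the hypervisor traps the guest's xAPIC ICR writes
 * (MMIO 0xFEE00300/0xFEE00310) or x2APIC WRMSR 0x830, decodes them, and moves
 * the target AP through wait-for-SIPI itself instead of letting a real INIT
 * reset the core the hypervisor is running on. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define APIC_REG_ICR_LO 0x300   /* offset into the xAPIC MMIO page; writing it sends */
#define APIC_REG_ICR_HI 0x310   /* destination field, latched until ICR_LO is written */

enum ipi_mode { IPI_FIXED = 0, IPI_LOWEST = 1, IPI_SMI = 2, IPI_NMI = 4, IPI_INIT = 5, IPI_SIPI = 6 };
enum ipi_shorthand { SH_NONE = 0, SH_SELF = 1, SH_ALL = 2, SH_OTHERS = 3 };

struct ipi {
    uint8_t vector;               /* bits 7:0; for SIPI the start page is vector << 12 */
    enum ipi_mode mode;           /* bits 10:8 */
    bool logical_dest;            /* bit 11 */
    bool level_assert;            /* bit 14; 0 only for the legacy INIT de-assert */
    enum ipi_shorthand shorthand; /* bits 19:18 */
    uint32_t dest;                /* xAPIC: bits 63:56 (0xFF = broadcast); x2APIC: bits 63:32 */
    bool x2apic;
};

struct ipi icr_decode(uint64_t icr, bool x2apic)
{
    struct ipi p;
    p.vector       = icr & 0xFF;
    p.mode         = (icr >> 8) & 0x7;
    p.logical_dest = (icr >> 11) & 1;
    p.level_assert = (icr >> 14) & 1;
    p.shorthand    = (icr >> 18) & 0x3;
    p.dest         = x2apic ? (uint32_t)(icr >> 32) : (uint32_t)(icr >> 56) & 0xFF;
    p.x2apic       = x2apic;
    return p;
}

/* Physical-destination targeting only; logical mode is not modelled (assumption). */
bool ipi_targets(struct ipi p, uint32_t my_id, uint32_t sender_id)
{
    switch (p.shorthand) {
    case SH_SELF:   return my_id == sender_id;
    case SH_ALL:    return true;
    case SH_OTHERS: return my_id != sender_id;
    default:        break;
    }
    if (p.logical_dest) return false;
    uint32_t broadcast = p.x2apic ? 0xFFFFFFFFu : 0xFFu;
    return p.dest == broadcast || p.dest == my_id;
}

enum ap_state { AP_RUNNING, AP_WAIT_SIPI };
struct vcpu {
    uint32_t apic_id;
    enum ap_state state;
    uint16_t cs_sel;    /* guest real-mode CS after SIPI: vector << 8 */
    uint32_t cs_base;   /* vector << 12 */
    uint32_t rip;       /* 0 after SIPI */
    uint32_t icr_hi;    /* latched ICR high half of this CPU's virtual APIC */
};

/* What the target AP's vCPU does with an IPI; true if guest state changed. */
bool ap_handle_ipi(struct vcpu *ap, struct ipi p, uint32_t sender_id)
{
    if (!ipi_targets(p, ap->apic_id, sender_id)) return false;
    switch (p.mode) {
    case IPI_INIT:
        if (!p.level_assert) return false;   /* INIT level de-assert: no-op */
        ap->state = AP_WAIT_SIPI;            /* guest sees a reset AP; the hypervisor stays */
        return true;
    case IPI_SIPI:
        if (ap->state != AP_WAIT_SIPI) return false;  /* SIPI is ignored unless waiting */
        ap->cs_sel  = (uint16_t)(p.vector << 8);
        ap->cs_base = (uint32_t)p.vector << 12;
        ap->rip     = 0;
        ap->state   = AP_RUNNING;
        return true;
    default:
        return false;
    }
}

/* xAPIC write intercept: ICR_HI is latched, ICR_LO sends. Returns true and
 * fills *out when this write issued an IPI. */
bool vapic_icr_write(struct vcpu *sender, uint32_t reg, uint32_t value, struct ipi *out)
{
    if (reg == APIC_REG_ICR_HI) { sender->icr_hi = value; return false; }
    if (reg != APIC_REG_ICR_LO) return false;
    *out = icr_decode(((uint64_t)sender->icr_hi << 32) | value, false);
    return true;
}

/* Replay the classic INIT, SIPI, SIPI bring-up of AP id 1 by BSP id 0 with
 * constructed ICR values; returns the AP's CS base, 0 if it never started. */
uint32_t demo_ap_bringup(uint8_t sipi_vector)
{
    struct vcpu bsp = { .apic_id = 0, .state = AP_RUNNING };
    struct vcpu ap  = { .apic_id = 1, .state = AP_RUNNING };
    const uint32_t writes[][2] = {
        { APIC_REG_ICR_HI, 1u << 24 }, { APIC_REG_ICR_LO, 0x00004500u },               /* INIT, assert, physical */
        { APIC_REG_ICR_HI, 1u << 24 }, { APIC_REG_ICR_LO, 0x00004600u | sipi_vector }, /* SIPI */
        { APIC_REG_ICR_HI, 1u << 24 }, { APIC_REG_ICR_LO, 0x00004600u | sipi_vector }, /* second SIPI, ignored */
    };
    struct ipi p;
    for (size_t i = 0; i < sizeof writes / sizeof writes[0]; i++)
        if (vapic_icr_write(&bsp, writes[i][0], writes[i][1], &p))
            ap_handle_ipi(&ap, p, bsp.apic_id);
    return ap.state == AP_RUNNING ? ap.cs_base : 0;
}
```

With a trampoline at physical 0x90000 the OS sends SIPI vector 0x90, and the emulated AP ends up in real mode with CS base 0x90000 and IP 0, which is the guest state the hypervisor then loads into the AP's VMCB or VMCS before resuming that core; the real INIT never reaches the hardware, so the hypervisor on the AP survives.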
KevinN 12 Dec 2012, 08:57
Sorry I took so long to reply. Thank you for your input. I must put this project aside for some time, as there are other priorities right now.
Copyright © 1999-2024, Tomasz Grysztar.