
d4nnyk/Winbagility


  Warning:
  This tool is dirty and under construction; at this moment it will only work for Windows 8.1 x86-64 build 9600!!

  Winbagility
  At this time it is just another crappy POC.
  It gives the ability to open debugged and undebugged Windows 8.1 x64 raw physical memory dumps "directly" in WinDbg.
  It gives the ability to debug an undebugged Windows 8.1 running in a patched VirtualBox.

  How does it work?
  An initial analysis is done to find and decrypt nt!KdDebuggerDataBlock (dissector.cpp) and the important Windows structures KPCR and KPRCB.
  A Kd server (kdserver.cpp) is implemented which simulates a debugged Windows station receiving commands through a named pipe.
  The Kd server gives WinDbg the decrypted structures, so WinDbg is happy there :)
  Guest memory and registers are never written, so PatchGuard is happy there too :)
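  The step "find and decrypt nt!KdDebuggerDataBlock" is the part a forensic practitioner most often has to reproduce by hand. The block below is an added example, not code from Winbagility or dissector.cpp: it implements the per-qword rotate/xor/bswap scheme that the Windows 8.x kernel applies to the data block, as documented by memory-forensics tools such as Volatility (decode: rol(v ^ KiWaitNever, KiWaitNever & 0xFF), then bswap(v ^ &KdpDataBlockEncoded), then ^ KiWaitAlways), together with the inverse so the example can build its own test input. The three parameters and the sample block are constructed values, not real ones from any build; on a real dump they are read from nt!KiWaitNever, nt!KiWaitAlways and the address of nt!KdpDataBlockEncoded, and a candidate decryption is validated by the "KDBG" OwnerTag at offset 16 of the _DBGKD_DEBUG_DATA_HEADER64.

```python
import struct

MASK64 = (1 << 64) - 1

# Constructed sample parameters (NOT values from any real Windows build).
# In a real dump: nt!KiWaitNever, nt!KiWaitAlways, address of nt!KdpDataBlockEncoded.
WAIT_NEVER = 0x1A2B3C4D5E6F7081
WAIT_ALWAYS = 0x0F1E2D3C4B5A6978
KDP_DATA_BLOCK_ENCODED_ADDR = 0xFFFFF80001234567

# _DBGKD_DEBUG_DATA_HEADER64: LIST_ENTRY List (16 bytes), ULONG OwnerTag, ULONG Size
OWNER_TAG_OFFSET = 16
OWNER_TAG = b"KDBG"


def rol64(v, n):
    """64-bit rotate left; x86 masks the count to 6 bits."""
    n &= 63
    return ((v << n) | (v >> (64 - n))) & MASK64


def ror64(v, n):
    """64-bit rotate right; x86 masks the count to 6 bits."""
    n &= 63
    return ((v >> n) | (v << (64 - n))) & MASK64


def bswap64(v):
    """Byte-swap a 64-bit value (little <-> big endian)."""
    return int.from_bytes(v.to_bytes(8, "little"), "big")


def decode_qword(v, wait_never=WAIT_NEVER, wait_always=WAIT_ALWAYS,
                 encoded_addr=KDP_DATA_BLOCK_ENCODED_ADDR):
    """Decode one 8-byte word of the encoded KdDebuggerDataBlock."""
    v = rol64(v ^ wait_never, wait_never & 0xFF)
    v = bswap64(v ^ encoded_addr)
    return v ^ wait_always


def encode_qword(v, wait_never=WAIT_NEVER, wait_always=WAIT_ALWAYS,
                 encoded_addr=KDP_DATA_BLOCK_ENCODED_ADDR):
    """Exact inverse of decode_qword (used here to build test input)."""
    v ^= wait_always
    v = bswap64(v)
    v ^= encoded_addr
    v = ror64(v, wait_never & 0xFF)
    return v ^ wait_never


def _map_qwords(data, fn):
    if len(data) % 8:
        raise ValueError("block length must be a multiple of 8")
    out = bytearray()
    for (q,) in struct.iter_unpack("<Q", data):
        out += struct.pack("<Q", fn(q))
    return bytes(out)


def decode_block(data, **params):
    """Decode a whole captured KdDebuggerDataBlock (length multiple of 8)."""
    return _map_qwords(data, lambda q: decode_qword(q, **params))


def encode_block(data, **params):
    """Encode a plaintext block (for constructing test input)."""
    return _map_qwords(data, lambda q: encode_qword(q, **params))


def looks_like_kdbg(block):
    """Validation a scanner applies to a candidate decryption: OwnerTag == 'KDBG'."""
    return block[OWNER_TAG_OFFSET:OWNER_TAG_OFFSET + 4] == OWNER_TAG


def build_sample_block():
    """Constructed plaintext header + one body qword (KernBase), 32 bytes total."""
    flink = 0xFFFFF80001000000   # constructed LIST_ENTRY.Flink
    blink = 0xFFFFF80001000000   # constructed LIST_ENTRY.Blink
    size = 0x360                 # constructed Size field
    kern_base = 0xFFFFF80001400000
    return struct.pack("<QQ", flink, blink) + OWNER_TAG + struct.pack("<I", size) \
        + struct.pack("<Q", kern_base)


def recover_kdbg(encoded, **params):
    """Decode a captured block and report whether the result validates."""
    decoded = decode_block(encoded, **params)
    return decoded, looks_like_kdbg(decoded)


if __name__ == "__main__":
    plain = build_sample_block()
    enc = encode_block(plain)
    dec, ok = recover_kdbg(enc)
    print("encoded validates as KDBG:", looks_like_kdbg(enc))
    print("decoded validates as KDBG:", ok, "| round-trip ok:", dec == plain)
```

  The validation step matters in practice: when the three parameters are read from the wrong offsets (a different build than 9600, for instance), decode_block still returns bytes, and only the OwnerTag check tells you the recovery failed rather than producing garbage that WinDbg will then try to interpret.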

  Why?
  PatchGuard analysis,
  DRM analysis,
  Malicious driver analysis,
  Forensics (physical raw dump),
  Fun

  How to use (PHYSICAL DUMP MODE)?
  1. Create a raw memory dump of Windows 8.1 x64 and place it at "C:\8_1_x64.dmp"
  2. Start Winbagility
  3. Start WinDbg and connect it to the named pipe "\\.\pipe\client"

  How to use (VBOX MODE)?
  1. Patch VirtualBox and compile it
  2. Add to VM_NAME.vbox:
  <ExtraData>
  ...
  <ExtraDataItem name="VBoxInternal/DBGC/Address" value="127.0.0.1"/>
  <ExtraDataItem name="VBoxInternal/DBGC/Enabled" value="1"/>
  <ExtraDataItem name="VBoxInternal/DBGC/Port" value="5000"/>
  ...
  </ExtraData>
  3. Start the VM
  4. Start Winbagility
  5. Start WinDbg and connect it to the named pipe "\\.\pipe\client"

  Why did I commit this s**t?
  I wanted to save my work in progress...

  Why VirtualBox?
  1. Open source
  2. Works on Windows!

  Todo list:
  Open debugged 8.1 x64 raw memory dump
  Open undebugged/stock 8.1 x64 raw memory dump
  Integrate it in VirtualBox
  Support "Go" command
  Register read (some are missing, e.g. GDTR, IDTR...)
  Memory search
  Physical memory read
  Pipe reconnect
  Virtual-to-physical translation in FDP
  Memory writes
  Process switching (not easy to do... WinDbg injects a SW breakpoint and then "go"...)
  Register read (some are missing, e.g. XMM...)
  Manage multiple CPU support
  Code cleaning, checks, tests, optimisations...
  Hardware/memory breakpoints with EPT violation
  Other Windows build support
  Code cleaning
  Specific register read
  Register writes
  Code cleaning
  Arguments and all Bullshit
  Code cleaning
  FDP (Fast Debugging Protocol) with SHM
  Profits!

  Bonus:
  A Kd proxy is present in the code :)
