Remote Kernel Debugging (HEVD-Part 1)
This post sets up two VMs, a Debugger (Win10 x86) and a Debuggee (Win7 x86), for kernel debugging, using HEVD (HackSysExtremeVulnerableDriver) as the case study.
The tools we need for the installation:
Host
1. Binary Ninja (personal/trial)
Debugger VM
1. HEVD 2.0 pdb
Debuggee VM
1. HEVD 2.0 sys
2. Python 2.7 (python 3.0+)
Install a Windows 10 VM (Debugger)
Install a Windows 7 VM (Debuggee)
Once the OS has been installed on both VMs, download and install the tools listed above.
(Debugger)
(Debuggee)
==================================Debugger VM==================================
Add the following symbol path as an environment variable for WinDbg on the Debugger VM:
Variable Name : _NT_SYMBOL_PATH
Variable Value : SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
Click OK and shut down the VM.
Edit the .vmx file configuration:
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_1"
serial0.pipe.endPoint = "server"
Boot up the Debugger VM, start WinDbg, open the Kernel Debug dialog and click OK.
Let's go to the Debuggee VM and set it up.
==================================Debuggee VM==================================
Run the following commands on the Debuggee VM in cmd.exe (Run as administrator). In the second command, the braces hold the identifier of the new boot entry that the copy command prints:
bcdedit /copy {current} /d "Debug"
bcdedit /debug {} on
bcdedit /dbgsettings
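The copy command prints the GUID of the new boot entry, and that GUID is what the /debug command needs. The script below is an added example, not code from the post or from the HEVD project: it captures that GUID from the bcdedit output instead of retyping it, and then checks that /dbgsettings reports the serial transport the VMware pipe expects. The sample outputs are constructed (modelled on English bcdedit output), and the serial/port 1/115200 baud values are assumptions taken from the usual Windows 7 defaults rather than from the post's missing screenshot.

```python
import re
import subprocess
import sys

# Constructed sample output, modelled on what bcdedit prints (not captured from the post).
SAMPLE_COPY_OUTPUT = "The entry was successfully copied to {a1b2c3d4-0000-4000-8000-0123456789ab}.\n"
SAMPLE_DBGSETTINGS_OUTPUT = (
    "debugtype               Serial\n"
    "debugport               1\n"
    "baudrate                115200\n"
    "The operation completed successfully.\n"
)

# 8-4-4-4-12 hex GUID in braces, as bcdedit prints boot entry identifiers.
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def parse_copy_output(text):
    """Return the GUID of the boot entry created by 'bcdedit /copy', or None if absent."""
    m = GUID_RE.search(text)
    return m.group(0).lower() if m else None


def parse_dbgsettings(text):
    """Turn 'bcdedit /dbgsettings' output into a {key: value} dict (lower-cased)."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        # Skip the trailing status sentence; keep 'name   value' rows only.
        if len(parts) == 2 and not line.startswith("The "):
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings


def check_serial_settings(settings, port="1", baud="115200"):
    """List mismatches against the serial transport that the VMware named pipe carries."""
    problems = []
    if settings.get("debugtype") != "serial":
        problems.append("debugtype is %r, expected serial" % settings.get("debugtype"))
    if settings.get("debugport") != port:
        problems.append("debugport is %r, expected %s" % (settings.get("debugport"), port))
    if settings.get("baudrate") != baud:
        problems.append("baudrate is %r, expected %s" % (settings.get("baudrate"), baud))
    return problems


def run_bcdedit(args):
    """Run one bcdedit command and return its stdout; needs an elevated prompt on Windows."""
    return subprocess.run(["bcdedit"] + args, capture_output=True, text=True, check=True).stdout


def configure_debug_entry():
    """The post's three steps, with the copied entry's GUID fed into '/debug ... on'."""
    guid = parse_copy_output(run_bcdedit(["/copy", "{current}", "/d", "Debug"]))
    if guid is None:
        raise RuntimeError("could not find the new entry GUID in bcdedit output")
    run_bcdedit(["/debug", guid, "on"])
    settings = parse_dbgsettings(run_bcdedit(["/dbgsettings"]))
    return guid, check_serial_settings(settings)


if __name__ == "__main__":
    if sys.platform != "win32":
        # Offline demonstration on the constructed samples.
        print("guid:", parse_copy_output(SAMPLE_COPY_OUTPUT))
        print("problems:", check_serial_settings(parse_dbgsettings(SAMPLE_DBGSETTINGS_OUTPUT)))
    else:
        guid, problems = configure_debug_entry()
        print("debug enabled on", guid)
        for p in problems:
            print("warning:", p)
```

The parsers assume English bcdedit output; on a localized Windows the status sentence and setting names differ, which is why the check reports what it actually read rather than failing silently.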
Specify the configuration as shown above and point the loader to the location of HEVD.sys.
Start the service and shut down the VM.
Edit the .vmx file configuration:
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_1"
serial0.pipe.endPoint = "client"
Then boot the Debuggee VM.
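The two .vmx fragments above only work as a pair: same pipe name on both sides, the Debugger as "server" and the Debuggee as "client". A mismatch here is the usual reason WinDbg sits at "Waiting to reconnect". The checker below is an added example, not part of the post or of VMware's tooling: it parses the key = "value" lines of a .vmx file and validates the serial0 settings of both VMs against each other. The two embedded .vmx texts are constructed samples, and the function names are my own.

```python
import re

# Constructed .vmx fragments (not the post's files); only the keys the post edits matter here.
DEBUGGER_VMX = r'''
.encoding = "UTF-8"
displayName = "Win10-Debugger"
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_1"
serial0.pipe.endPoint = "server"
'''

DEBUGGEE_VMX = r'''
displayName = "Win7-Debuggee"
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_1"
serial0.pipe.endPoint = "client"
'''

# A broken pair for the failure case: second "server" and a different pipe name.
BAD_DEBUGGEE_VMX = r'''
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_2"
serial0.pipe.endPoint = "server"
'''

# .vmx lines look like:  key.with.dots = "value"   (keys are case-insensitive)
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
PIPE_PREFIX = "\\\\.\\pipe\\"  # the literal prefix \\.\pipe\


def parse_vmx(text):
    """Parse .vmx text into a dict with lower-cased keys; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def check_serial_pair(debugger, debuggee, dev="serial0"):
    """Return a list of problems; an empty list means both VMs can meet on the same pipe."""
    problems = []
    for role, cfg in (("debugger", debugger), ("debuggee", debuggee)):
        if cfg.get(dev + ".present", "").upper() != "TRUE":
            problems.append(role + ": " + dev + ".present is not TRUE")
        if cfg.get(dev + ".filetype", "").lower() != "pipe":
            problems.append(role + ": " + dev + ".fileType is not pipe")
        name = cfg.get(dev + ".filename", "")
        if not name.startswith(PIPE_PREFIX):
            problems.append(role + ": " + dev + ".fileName is not a \\\\.\\pipe\\ path")
    # Both sides must name the same pipe.
    if debugger.get(dev + ".filename") != debuggee.get(dev + ".filename"):
        problems.append("pipe names differ between debugger and debuggee")
    # The debugger owns the pipe (server) and must boot first; the debuggee connects to it.
    expected = {"debugger": "server", "debuggee": "client"}
    for role, cfg in (("debugger", debugger), ("debuggee", debuggee)):
        ep = cfg.get(dev + ".pipe.endpoint", "").lower()
        if ep != expected[role]:
            problems.append("%s: %s.pipe.endPoint is %r, expected %r" % (role, dev, ep, expected[role]))
    return problems


def check_files(debugger_path, debuggee_path):
    """Convenience wrapper for real .vmx files on disk."""
    with open(debugger_path) as a, open(debuggee_path) as b:
        return check_serial_pair(parse_vmx(a.read()), parse_vmx(b.read()))


if __name__ == "__main__":
    print("good pair:", check_serial_pair(parse_vmx(DEBUGGER_VMX), parse_vmx(DEBUGGEE_VMX)))
    print("bad pair:", check_serial_pair(parse_vmx(DEBUGGER_VMX), parse_vmx(BAD_DEBUGGEE_VMX)))
```

Run it against the two .vmx files before booting: with the Debugger side as the pipe server, the Debugger VM has to be up and WinDbg waiting before the Debuggee is powered on, which is the order the post follows.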
=====================Back to Debugger Machine and check on the WinDBG=====================
We can see that \\.\com1 is connected and WinDbg shows Windows 7 Kernel Version 7601.
Let's break into the kernel for a while and check that HEVD is running.
Run lm m HEVD* to check whether HEVD is in the module list.
If yes > the installation is done.
If no > set it up once more, something is missing.