rr0d: the rasta ring0 debugger

Rr0d: The Rasta Ring0 Debugger
Rr0d.droids-corp.org

Upload: faraji

Post on 21-Feb-2016



TRANSCRIPT

Page 1: Rr0d: The Rasta Ring0 Debugger

Rr0d.droids-corp.org

Page 2: Summary

- What is a debugger?
- Why OS independent - ring 0?
- Which x86 features should be handled?
- Core debugger

Page 3: What is a debugger?

The best sentence that fits programming: « errare humanum est »

A debugger is there to correct those errors (note: a debugger can be buggy).

There are 2 debugger families:
- source code debuggers
- debuggers *without* source code

Rr0d is a debugger without source code.

Page 4: What is a debugger?

What can be done with this kind of debugger?
- study of viruses, exploits, backdoors
- reverse engineering of applications
- debugging of low-level drivers

Some of those debuggers: SoftICE, OllyDbg, twr2000, …

Page 5: Debugger versus disassembler

Disassembler: it allows the static study of the whole assembly code of the target (W32dasm, IDA).

Debugger: it can show the behavior of a program during its run time. This allows dynamic study.

Conclusion: the full study of code needs both tools.

Page 6: Goal of Rr0d

- To be a debugger for the x86 architecture.
- To be able to debug low-level code.
- To keep it non-aggressive for the target machine (no kernel modification, …).
- To be kernel-independent.
- To be Rasta.

Page 7: Quick overview of the x86

2 major modes:

real mode: only one process controls the whole processor and the whole memory.

protected mode: the mode of today's OSes. 4 privilege levels: ring 0 to 3.
- the rule: a ring can only interfere with rings of equal or lower privilege than itself.
- a process can only interfere in its own memory mapping (in a perfect world, by the way).
- only ring 0 can execute privileged instructions.

Page 8: Why ring 0?

A ring 0 debugger can, in theory, debug everything.

A ring 3 debugger needs the help of the OS in order to receive the debug messages of the target. As we are on x86, we know how those messages are triggered: interrupts & exceptions. This is OS independent.

Page 9: Let's ride x86

Page 10: Basic stuff we need to hook

Debug interrupts:
- Int 3 for software breakpoints
- Int 1 for step-by-step execution and hardware breakpoints

This should be enough for a light debugger. But what if the application does a div/0 or a general protection fault?

We need more hooks.

Page 11: Hurt me plenty

Interrupts we monitor (at least):
- Int 0: if the app does a division by zero
- Int 6: invalid opcode; the app executes non-existent mnemonics
- Int 13: general protection fault
- Int 14: (semi) page fault
- ...

But some others should be monitored, for example:
- Int 8: double fault
- Int 12: stack exception
- ...

But rr0d is not finished yet!

Page 12: Mechanism of software breakpoints

Why software breakpoints? Easy: only 4 HW breakpoints is not enough.

Did you ever try to play piano with only 3 fingers? Did you ever try to edit a text with vi?

Installing a software breakpoint is just replacing the instruction we want to break on by another instruction that will trigger the debugger if it is executed (and then replacing the original instruction back).

Page 13: Mechanism of software breakpoints

As we hook int 3, the debugger will be triggered by executing the mnemonic int 3.
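The int 3 mechanism of pages 12 and 13, as an added example in C (not rr0d's own code): a breakpoint table that saves the displaced byte, plants 0xCC, and on the int 3 trap restores the byte and rewinds EIP by one, since the CPU reports the address just after the one-byte int 3. The target bytes in toy_code are constructed, and the handler returns the EIP to store in the trap frame instead of touching a real one.

```c
#include <stdint.h>
#include <stddef.h>
#define INT3_OPCODE 0xCC
#define MAX_BP      8

/* One software breakpoint: the patched address and the byte it displaced. */
struct sw_bp { uint32_t addr; uint8_t saved; int armed; int in_use; };
static struct sw_bp bp[MAX_BP];

/* Constructed target code: push ebp; mov ebp,esp; nop; pop ebp; ret; int 3. */
uint8_t toy_code[8] = { 0x55, 0x89, 0xE5, 0x90, 0x5D, 0xC3, 0xCC, 0x00 };

static struct sw_bp *bp_find(uint32_t addr) {
    for (int i = 0; i < MAX_BP; i++)
        if (bp[i].in_use && bp[i].addr == addr) return &bp[i];
    return NULL;
}

/* Install: save the original opcode byte, then overwrite it with 0xCC. */
int bp_set(uint8_t *mem, uint32_t addr) {
    if (bp_find(addr)) return 0;                     /* already planted */
    for (int i = 0; i < MAX_BP; i++) {
        if (bp[i].in_use) continue;
        bp[i] = (struct sw_bp){ addr, mem[addr], 1, 1 };
        mem[addr] = INT3_OPCODE;
        return 0;
    }
    return -1;                                       /* table full */
}

/* Int 3 handler. The CPU pushes the EIP *after* the one-byte int 3, so our
 * breakpoint lives at eip-1. If it is ours, put the original byte back and
 * return the rewound EIP to store in the trap frame; if it is the program's
 * own int 3 (or an already disarmed slot), return eip unchanged. */
uint32_t bp_on_int3(uint8_t *mem, uint32_t eip) {
    struct sw_bp *b = bp_find(eip - 1);
    if (!b || !b->armed) return eip;
    mem[b->addr] = b->saved;
    b->armed = 0;
    return b->addr;
}

/* After single-stepping the restored instruction (int 1), re-plant 0xCC on
 * every disarmed breakpoint; returns how many were re-armed. */
int bp_rearm(uint8_t *mem) {
    int n = 0;
    for (int i = 0; i < MAX_BP; i++)
        if (bp[i].in_use && !bp[i].armed) { mem[bp[i].addr] = INT3_OPCODE; bp[i].armed = 1; n++; }
    return n;
}
```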

Page 14: Writing software breakpoints

We have to support paging in order to edit memory. On x86, 2 indirections are used.

Page 15: Writing software breakpoints

On x86 the physical address of the page directory is stored in the register CR3. But we can only access LINEAR addresses.

Solution: read OS sources!

On *nux: the first 16 MB of physical memory are mapped to 0xC0000000-0xC1000000, and we are *lucky*: the address in CR3 falls in this range! (0xC2690000 on win98.)

On *bsd: problem, CR3 is not in this range, so we cannot use this trick. But the sources say the kernel manages to map the PGD at a fixed linear address.

On win XP: well, read the sources too: the PGD is at 0xC0300000. So we are a bit dependent on the OS because of those addresses (shame on rr0d).

Page 16: Writing software breakpoints

Page 17: Side effect

Rr0d has to write breakpoints even in read-only pages. Solution: turn off write protection.

Problem: the breakpoint is written to disk! Why?

Because a binary is mapped into memory. So as we directly write in the binary image (no copy on write), when the binary is unmapped, the modifications are written back.

This is a little side effect.

Page 18: Side effect

Bad solutions:
- Hooking the functions responsible for this. But it's heavily OS dependent.
- Substituting the physical page we want to write in with another one. But the reverse mapping of recent kernels doesn't seem to enjoy the trick.

Solution: when a page is written for the first time, x86 marks the page as dirty. If we clear this bit back, the OS doesn't know the page has been written and won't update it on disk.

Page 19: Rr0d input/output

To keep rr0d kernel independent we need:

- A PS/2 driver: rr0d directly controls the keyboard/mouse controller 8042 (ports 0x60, 0x64). As we read keys directly from the controller, the OS is not aware of that.

- A screen driver.
  • Console mode: the VGA console is at 0xb8000 in physical addresses. This is mapped in the first 16 MB by the kernel.
  • "X mode": we use the frame buffer to directly write to the video memory (*nux, win*).

Page 20: To do

- Script language
- Bypass encryption layer
- Garbage code
- Symbol loader
- Binary loader
- Plugins:
  • Heap visualizer (win, nux, …)
  • …

Page 21: Conclusion

Being kernel independent has advantages:
- no ptrace detection
- no IsDebuggerPresent detection
- no modification of the heap structure while debugging (win)
- debugging ring 0 backdoors can be simple

There are still many things to do!

Rr0d is rasta.

Page 22: Questions?

rr0d.droids-corp.org
www.droids-corp.org

serpilliere at droids-corp dot org