[EN] Windows Kernel Exploitation – Setting up the Environment

As my previous articles show, I had been doing malware analysis. Dealing with the problems that come up at the beginning takes time, so I will share those experiences here.

The first try on VMware Fusion

I preferred to use VMware Fusion, as in my other analyses. However, the biggest problem here was the serial port setting. Although I tried different methods, unfortunately I was not successful.

The second try on VirtualBox

I immediately changed the virtualization application and started using VirtualBox. Setting up serial ports in VirtualBox was much easier compared to VMware. I was using Windows 10 Pro x64 as the debugger. When I tried to use WinDbg on this VM, there was an unexpected error. Although I did some research, I couldn't find any solution. That's why I removed my VM and reinstalled it.

Then I decided to use Windows 7 Pro x86 for both VMs. After installing the software and other tools, I went to the serial port configuration section. The important point there is the pipe path: I set the path to /tmp/pipe for the debugger and did the same for the debuggee. The only difference was that the debuggee machine was marked "Connect to existing pipe/Socket". There was no problem with the debugger machine; it worked well. But when I tried to run the debuggee machine, I got the NS_ERROR_FAILURE error. I wanted to find a solution for this issue. I checked Stack Overflow and even the VirtualBox forum, but once again I can say I failed.

The third try in VirtualBox with a single difference

I tried two different things while waiting for a response from them. First, I set up a new Ubuntu VM as the main host. Then I installed VirtualBox in Ubuntu. After these steps, I created two different VMs. But when I tried to run a VM, I got a VT-x hardware acceleration error. Once again, I failed.

I kept looking for new solutions despite the many errors. So I also wanted to try it on Kali Linux, which is based on Debian. I think the update process did not complete because of problems with the internet connection. That's why I gave up trying it.

LAST TRY WITH VMWARE FUSION

I almost gave up. Then I tried it an indirect way, and it works!! Let me tell you something about this experience.

  • I created a VM from the Windows 7 Pro x86 ISO file. It was my main host.
  • Then I installed VirtualBox inside this main host. After that, I created two Windows 7 Pro x86 VMs (Debugger and Debuggee) in VirtualBox.
  • Lastly, I installed the Windows 10 SDK in the Debugger VM.

STEPS

1- Install the Windows 10 SDK in the Debugger VM. Depending on the machine you use during the installation, you may need to install some additional software updates.

2- We need to set up debugging symbols in the Debugger VM. Fortunately, Microsoft provides a public symbol server; point WinDbg at it through this environment variable (C:\Symbols is the local download cache):

Variable Name: _NT_SYMBOL_PATH
Variable Value: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols

After WinDbg is installed, we need to enable debugging in the BCD (Boot Configuration Data). Run cmd as administrator and execute the following commands:

bcdedit
bcdedit /copy {current} /d "Debug"
REM replace {MY_GUID} with the GUID printed by the /copy command above
bcdedit /debug {MY_GUID} on
REM shows the current debugger transport settings (port and baud rate)
bcdedit /dbgsettings

3- After that, we need to establish a connection between the two sides. Enable a serial port on both VMs so that they communicate over a virtual serial port.

4- Turn on the Debugger VM first (always), and select the first boot option, the one without [debugger enabled].

5- After the Debugger VM has booted, open WinDbg –> File –> Kernel Debug –> COM.

6- Boot up the Debuggee VM, and select the second boot option, the one with [debugger enabled].

7- After the Debuggee VM has booted, hit the Break button, and you should get an interactive kd> prompt, ready to take commands.
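The scriptable parts of steps 2 and 3 above, as an added example written for this post (not the author's own script): one PowerShell file run with a different -Role on each of the three machines. It wires COM1 of both VMs to the same host pipe with VBoxManage (the debugger side creates the pipe, the debuggee side "connects to the existing pipe"), sets _NT_SYMBOL_PATH on the debugger, and on the debuggee clones the boot entry and parses the new GUID out of bcdedit's output instead of pasting {MY_GUID} by hand. The VM names "Debugger" and "Debuggee", the pipe name \\.\pipe\kdpipe (a Windows host equivalent of the post's /tmp/pipe), and COM1 at 115200 baud are my assumptions, exposed as parameters.

```powershell
<#
  Added example, not from the original post. Run as:
    .\kd-setup.ps1 -Role Host      (on the machine running VirtualBox)
    .\kd-setup.ps1 -Role Debugger  (inside the Debugger VM)
    .\kd-setup.ps1 -Role Debuggee  (inside the Debuggee VM, elevated)
  Assumed, not taken from the post: VM names, pipe name, COM1 / 115200 baud.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Host', 'Debugger', 'Debuggee')]
    [string]$Role,

    # Host-side pipe shared by both VMs. The post used /tmp/pipe on macOS/Linux;
    # a Windows host needs a named pipe like this one (assumed name).
    [string]$PipePath   = '\\.\pipe\kdpipe',
    [string]$DebuggerVm = 'Debugger',   # assumed VM name
    [string]$DebuggeeVm = 'Debuggee'    # assumed VM name
)

function Assert-Elevated {
    # bcdedit refuses to modify the store from a non-elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
    }
}

function Set-VirtualSerialPorts {
    # Host role: COM1 (I/O base 0x3F8, IRQ 4) on both VMs, backed by one pipe.
    # "server" creates the pipe; "client" is the GUI's "Connect to existing pipe/Socket".
    $vboxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
    if (-not (Test-Path $vboxManage)) { throw "VBoxManage not found at $vboxManage" }

    & $vboxManage modifyvm $DebuggerVm --uart1 0x3F8 4 --uartmode1 server $PipePath
    & $vboxManage modifyvm $DebuggeeVm --uart1 0x3F8 4 --uartmode1 client $PipePath
}

function Set-DebuggerSymbolPath {
    # Debugger role: public Microsoft symbol server with C:\Symbols as the local
    # cache, stored persistently for the current user (step 2 of the post).
    $symbolPath = 'SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols'
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symbolPath, 'User')
    New-Item -ItemType Directory -Path 'C:\Symbols' -Force | Out-Null
    # Equivalent of File -> Kernel Debug -> COM from the command line:
    #   windbg -k com:port=COM1,baud=115200
}

function Enable-KernelDebugBootEntry {
    # Debuggee role: copy the current boot entry, read the new entry's GUID from
    # bcdedit's "The entry was successfully copied to {guid}." line, then enable
    # kernel debugging over COM1 for that entry only, so the default entry still
    # boots normally (the "first option" in step 4).
    Assert-Elevated

    $copyOutput = & bcdedit /copy '{current}' /d 'Debug'
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

    $match = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}')
    if (-not $match.Success) { throw "No boot entry GUID found in: $copyOutput" }
    $guid = $match.Value

    & bcdedit /debug $guid on
    & bcdedit /dbgsettings serial debugport:1 baudrate:115200   # COM1, assumed rate
    & bcdedit /dbgsettings                                       # print for verification
    Write-Host "Boot entry $guid now has kernel debugging enabled; reboot and choose 'Debug'."
}

switch ($Role) {
    'Host'     { Set-VirtualSerialPorts }
    'Debugger' { Set-DebuggerSymbolPath }
    'Debuggee' { Enable-KernelDebugBootEntry }
}
```

The debuggee part deliberately turns debugging on for the copied entry rather than {current}, which keeps the unmodified entry available if the serial link is misconfigured and the debug entry hangs waiting for the debugger at boot.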

Thank you for your patience :) :) :)