WinDbg Debug Kernel Shellcode

Source: Internet
Author: User

Before the NSA SMB vulnerability needs to tune the kernel of the shellcode, so collated a bit of WinDbg debugging Shellcode skills.

It is easier to load shellcode directly in the application layer by following these steps

    1. . Dvalloc 5000
    2. . readmem Shellcodepath allocaddress length
    3. R EIP = allocaddress

Because the. Dvalloc command is not available in dual-machine kernel mode, some special methods need to be taken.

Through the next nt! NtCreateFile Breakpoint, let it break down, other functions can also, use nt! NtCreateFile is primarily concerned with the frequency of its invocation, when it breaks down, it is tantamount to hijacking a thread, calling the function in that thread nt! ExAllocatePool manually allocate a memory page pool.

Directly step to return, EAX is the allocated memory pool.

Load the shellcode through the. Readmem.

Set up an EIP to step into the debug.

In this article, its author sets This step as a WinDbg script loading-and-debugging-windows-kernel-shellcodes-with-windbg-debugging-doublepulsar-shellcode/

But rather bloated, at least I did not run up, in fact the whole step is completely a breakpoint, the following is my integrated breakpoint:

BP nt! NtCreateFile "Ed esp+4 0;ed esp+8 20000; r EIP = nt! EXALLOCATEPOOL;BP exallocatepool+0x15 \ "R eax;. Readmem c:\\\\users\\\\goabout2\\\\desktop\\\\shellcode @eax L; R eip = ea+0x0\ "; g"

Where the red part can be replaced by itself, first, two red boxes to identify the allocated memory pool, and the length of the copy of the Shellcode, the third identifies the shellcode of the entry offset, which is generally directly 0, the effect is as follows:

Reprint please indicate the source

WinDbg Debug Kernel Shellcode

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.