Stealth debugging of programs in Qemu emulator with WinDbg debugger
When programs are analyzed for the presence of vulnerabilities and malicious code, there is a need for a quality isolation of the analysis tools. There are two reasons for this. At first, the program can influence the tool environment. This problem is solved by using the emulator. At second, the too...
| Published in: | Труды Института системного программирования РАН |
|---|---|
| Main Authors: | , |
| Format: | Article |
| Language: | English |
| Published: |
Russian Academy of Sciences, Ivannikov Institute for System Programming
2018-10-01
|
| Subjects: | |
| Online Access: | https://ispranproceedings.elpub.ru/jour/article/view/522 |
| _version_ | 1848651445698560000 |
|---|---|
| author | M. A. Abakumov P. M. Dovgalyuk |
| author_facet | M. A. Abakumov P. M. Dovgalyuk |
| author_sort | M. A. Abakumov |
| collection | DOAJ |
| container_title | Труды Института системного программирования РАН |
| description | When programs are analyzed for the presence of vulnerabilities and malicious code, there is a need for a quality isolation of the analysis tools. There are two reasons for this. At first, the program can influence the tool environment. This problem is solved by using the emulator. At second, the tool environment can influence behavior of the analyzed program. So, the programmer will think that the program is harmless, but in fact it is not. This problem is solved by the mechanism of stealth debugging. The WinDbg debugger has the possibility of connecting to a remote debug service (Kdsrv.exe) in the Windows kernel. Therefore, it is possible to connect to the guest system running in the QEMU emulator. Interaction between WinDbg client and server occurs through packets by protocol KDCOM. However, kernel debugging is possible only with the enabled debugging mode in boot settings. And it reveals the debugging process. We developed special module of WinDbg debugger for Qemu emulator. It is an alternative of the remote debugging service in the kernel. Thus, the debugger client tries to connect to the WinDbg server, but module intercepts all packets, generates all the necessary information from the Qemu emulator and sends response to the client. Module completely simulates the behavior of the server, so the client does not notice the spoofing and perfectly interacts with it. At the same time for debugging there is no need to enable debugging mode in the kernel. This leads to stealth debugging. Our module supports all features of WinDbg regarding remote debugging, besides interception of events and exceptions. |
| format | Article |
| id | doaj-e6a53d6757554e2e93793b7ab4692eb5 |
| institution | Directory of Open Access Journals |
| issn | 2079-8156 2220-6426 |
| language | English |
| publishDate | 2018-10-01 |
| publisher | Russian Academy of Sciences, Ivannikov Institute for System Programming |
| record_format | Article |
| spelling | doaj-e6a53d6757554e2e93793b7ab4692eb52025-11-03T00:48:42ZengRussian Academy of Sciences, Ivannikov Institute for System ProgrammingТруды Института системного программирования РАН2079-81562220-64262018-10-01303879210.15514/ISPRAS-2018-30(3)-6522Stealth debugging of programs in Qemu emulator with WinDbg debuggerM. A. Abakumov0P. M. Dovgalyuk1Новгородский государственный университет имени Ярослава МудрогоНовгородский государственный университет имени Ярослава МудрогоWhen programs are analyzed for the presence of vulnerabilities and malicious code, there is a need for a quality isolation of the analysis tools. There are two reasons for this. At first, the program can influence the tool environment. This problem is solved by using the emulator. At second, the tool environment can influence behavior of the analyzed program. So, the programmer will think that the program is harmless, but in fact it is not. This problem is solved by the mechanism of stealth debugging. The WinDbg debugger has the possibility of connecting to a remote debug service (Kdsrv.exe) in the Windows kernel. Therefore, it is possible to connect to the guest system running in the QEMU emulator. Interaction between WinDbg client and server occurs through packets by protocol KDCOM. However, kernel debugging is possible only with the enabled debugging mode in boot settings. And it reveals the debugging process. We developed special module of WinDbg debugger for Qemu emulator. It is an alternative of the remote debugging service in the kernel. Thus, the debugger client tries to connect to the WinDbg server, but module intercepts all packets, generates all the necessary information from the Qemu emulator and sends response to the client. Module completely simulates the behavior of the server, so the client does not notice the spoofing and perfectly interacts with it. At the same time for debugging there is no need to enable debugging mode in the kernel. This leads to stealth debugging. Our module supports all features of WinDbg regarding remote debugging, besides interception of events and exceptions.https://ispranproceedings.elpub.ru/jour/article/view/522windbgqemuwindowsудаленная отладкаскрытая отладка |
| spellingShingle | M. A. Abakumov P. M. Dovgalyuk Stealth debugging of programs in Qemu emulator with WinDbg debugger windbg qemu windows удаленная отладка скрытая отладка |
| title | Stealth debugging of programs in Qemu emulator with WinDbg debugger |
| title_full | Stealth debugging of programs in Qemu emulator with WinDbg debugger |
| title_fullStr | Stealth debugging of programs in Qemu emulator with WinDbg debugger |
| title_full_unstemmed | Stealth debugging of programs in Qemu emulator with WinDbg debugger |
| title_short | Stealth debugging of programs in Qemu emulator with WinDbg debugger |
| title_sort | stealth debugging of programs in qemu emulator with windbg debugger |
| topic | windbg qemu windows удаленная отладка скрытая отладка |
| url | https://ispranproceedings.elpub.ru/jour/article/view/522 |
| work_keys_str_mv | AT maabakumov stealthdebuggingofprogramsinqemuemulatorwithwindbgdebugger AT pmdovgalyuk stealthdebuggingofprogramsinqemuemulatorwithwindbgdebugger |