Hypervisor-Assisted Ring0 Debugging with Radare2
Offered By: 44CON Information Security Conference via YouTube
Course Description
Overview
Explore hypervisor-assisted Ring0 debugging techniques using radare2 in this 44-minute conference talk from 44CON 2017. Delve into the challenges of reverse engineering protected kernel-mode code and learn how to overcome advanced protection mechanisms that combine obfuscation, encryption, and anti-debugging techniques. Discover how to leverage radare2's comprehensive open-source framework for reverse engineering, including its ASCII art control flow graphs and extensive code analysis capabilities. Follow along as the speaker demonstrates connecting radare2 to a virtual machine, enabling direct access to guest physical memory for debugging Ring0 code running inside a Windows guest from a Linux host. Gain insights into the GDB protocol, memory mapping processes, and debugging techniques for kernel-mode memory. By the end of this talk, acquire valuable knowledge on advanced reverse engineering methodologies and practical applications of hypervisor-assisted debugging for protected code analysis.
Syllabus
Introduction
Project overview
GDB protocol
Demo
How it works
Valid Page
Parse Windows
Virtual Address Descriptor
Target Virtual Address
Prototype ET
Translation process
Memory mapping
kernelmode memory
C code
Debugging new processes
Conclusion
Taught by
44CON Information Security Conference
Related Courses
Computer SecurityStanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network