Syser + VirtualBox = Win

Greetings and salutations fellow readers.

Recently I’ve had to step into the awful world of kernel debugging. When malware drops a rootkit and conventional userland debugging falls short, you have to step into ring 0. Unfortunately, options are rather limited when it comes to decent ring 0 debugging on Windows.

What’s that one debugger everyone’s heard of but can’t ever get working? If you said SoftICE, you’re right. Getting SoftICE to run these days is a pain in the butt, especially since it’s largely broken on Windows 7, support ended in 2006, and the damn thing crashes even if you do get it working. There has got to be SOME alternative, right?

Enter Syser. SoftIce 2 – Electric Boogaloo.

There are a few things Syser does that SoftICE doesn’t:

1) Colors
2) More than 1 CPU
3) Source debugging
4) Windows 7/8
5) A better looking GUI

At this time however, the website that hosts Syser is offline. This makes obtaining it harder than usual, but not impossible; I think CNET offers a download. Bear in mind that means installing a kernel-mode driver from a mirror rather than from the vendor, so keep it in a throwaway VM.

Can you run Syser in a VM? Of course!

But that doesn’t mean there aren’t a few things you need to do to get shit working right.

Problems I ran into on VirtualBox:

    Screen refresh
    Mouse Not Working
    Random BSODs

-=Screen Refresh=-
The root problem is that VirtualBox does not repaint its window while the guest is halted inside Syser, so the debugger screen never appears. If you could modify the VirtualBox source, you would have it force a full screen refresh every 5 seconds or so.
My workaround in VirtualBox is to run Windows in 256-colour mode. It looks ugly as sin, but it works fine at any resolution.

The alternative to that is clicking outside the window every second. A way to force a refresh without that is a small app with a timer that periodically invalidates and repaints the VirtualBox window. Note that ‘UpdateWindow’ on its own only sends WM_PAINT when the window’s update region is non-empty, so the window has to be invalidated first. I was thinking something like this:

#include <windows.h>
#include <string.h>

// VirtualBox titles its VM window "<vm name> [Running] - Oracle VM VirtualBox",
// and FindWindow only matches an exact title, so walk the top-level windows
// instead and match the VM name as a substring of the title.
static BOOL CALLBACK FindVmWindow(HWND hwnd, LPARAM lParam)
{
	char title[256];
	if (GetWindowTextA(hwnd, title, sizeof(title)) && strstr(title, "xp crapbox")) // name in window title
	{
		*(HWND *)lParam = hwnd;
		return FALSE; // stop enumerating
	}
	return TRUE;
}

VOID CALLBACK TimerProc(HWND hWnd, UINT nMsg, UINT_PTR nIDEvent, DWORD dwTime)
{
	HWND mywind = NULL;
	EnumWindows(FindVmWindow, (LPARAM)&mywind);
	if (mywind == NULL)
		return; // VM window not open; try again on the next tick
	// UpdateWindow alone does nothing while the update region is empty, so
	// invalidate the whole client area (children included) and repaint now.
	RedrawWindow(mywind, NULL, NULL, RDW_INVALIDATE | RDW_UPDATENOW | RDW_ALLCHILDREN);
}

int main(int argc, char *argv[])
{
	MSG Msg;
	UINT_PTR TimerId = SetTimer(NULL, 0, 5000, TimerProc); // 5 seconds
	if (!TimerId)
		return 16;
	while (GetMessage(&Msg, NULL, 0, 0) > 0)
	{
		DispatchMessage(&Msg);
	}
	KillTimer(NULL, TimerId); // app exit cleanup
	return 0;
}

It beats compiling VirtualBox from source just to adjust the refresh.

-=Mouse Not Working=-

The problem here is that Syser will not attempt to use your USB-emulated mouse. It instead loads its own driver for a PS/2 mouse (remember those?), and talks to the hardware directly while the guest is halted.
The fix is to set the VM’s pointing device to PS/2 instead of USB (System > Motherboard > Pointing Device in the VM settings, or VBoxManage modifyvm <vm> --mouse ps2 from the host). The guest must be powered off to change it.

Also be sure to adjust the mouse sensitivity value in Syser’s config settings.

-=Random BSODs=-

Easy solution: snapshots. Kinda lame, but expect BSODs when working with a kernel debugger; it’s just a part of life. Take the snapshot right before you load the sample or driver, so every crash rolls the guest back to a known-clean state.

Problems I ran into on VMware:
“Unable to start MSI” – I can’t even install the piece of shit. For all intents and purposes I’ll be focusing on getting Syser working on VirtualBox. If you use VMware, add the following lines to your VM’s .vmx config file (with the VM powered off, and with straight quotes):
vmmouse.present = "FALSE"
svga.maxFullscreenRefreshTick = "5"

The first line turns off VMware’s absolute-pointer mouse so the guest falls back to the PS/2 mouse that Syser knows how to drive; the second makes VMware redraw the whole screen every few ticks, which is what keeps the Syser window visible while the guest is halted. Together they let you use the mouse and actually see the Syser window without having to switch between the desktop and the VM over and over. Or you could run my program from above and disregard the mouse.

-=Running Syser=-

Much like SoftICE, Syser has a keyboard shortcut that invokes the debugger and essentially ‘pauses’ execution of the OS: Control + F12.
When paused like this you can single-step just like in any other debugger: F11 steps into a call, F10 steps over it, and F5 continues execution with Syser still running. Pressing Control + F12 will unload the Syser driver.

The command console (Control + 2) allows WinDbg-style commands to be entered.
Quite powerful, but one might prefer to see what they’re doing and stick with the system explorer.

Opening a process for access is done via the command ‘addr’ (just like SoftICE) followed by the process ID in hex. Task Manager shows PIDs in decimal, so have a calculator handy.

If you have a rootkit or driver file and you want to inspect it, just type ‘load
This will allow you to run the driver at your own pace instead of waiting for it to be loaded externally.

Anywho, I thought I’d share this awesome tool with you all before my next blog post, in which I will be diving deep into the FinFisher malware dropped on WikiLeaks a few weeks back. I saw a writeup done, however it was incomplete after peeking through the malware myself. Expect a nice entry / writeup on this malware soon.


6 thoughts on “Syser + VirtualBox = Win”
  1. Can’t get it working with the latest VirtualBox.
    Ctrl+F12 doesn’t show the Syser window (no matter whether user or kernel video mode), 256-color mode helps, but the mouse still doesn’t work. Selected PS/2, tried to delete the VBoxMouse.sys driver from the vbox file.
    Guest additions installed (need d3d support)

    1. It’s a bug with the updating of the window. You’ll notice the mouse moves each time you change focus from the main virtualbox window and the host OS. It’s weird as hell, but I wrote a small script / program somewhere on the blog for a fix that basically forces a window message through to update / redraw for syser to work.

      You could also try vmware.

      1. Thank you. I’ve tried the latest VMware, but the mouse there works only partially (with guest additions installed): movement is perfect, but the buttons don’t work.

        1. Idea: Register a hotkey that performs the WM_LBUTTONDOWN window message. Something like this:
          // MOD_NOREPEAT needs the Windows 7 SDK level; set it before including windows.h
          #define _WIN32_WINNT 0x0601
          #include <windows.h>
          #include <tchar.h>

          int _cdecl _tmain(int argc, TCHAR *argv[])
          {
          if (!RegisterHotKey(NULL, 1, MOD_ALT | MOD_NOREPEAT, 0x42)) // alt + b
          return 1;
          MSG msg = {0};
          while (GetMessage(&msg, NULL, 0, 0) > 0)
          {
          if (msg.message == WM_HOTKEY)
          {
          // target the VM window by title rather than broadcasting the click to every top-level window
          HWND vm = FindWindow(NULL, TEXT("xp crapbox")); // name in window title
          if (vm != NULL)
          {
          // a click is a button-down followed by a button-up; lParam carries client-area coordinates
          PostMessage(vm, WM_LBUTTONDOWN, MK_LBUTTON, MAKELPARAM(100, 100));
          PostMessage(vm, WM_LBUTTONUP, 0, MAKELPARAM(100, 100));
          }
          }
          }
          UnregisterHotKey(NULL, 1);
          return 0;
          }

  2. A pity, but this program doesn’t work. 🙁
    Only the buttons fail in VMware (provided that you use hardware profile 5.5 and add the screen-fix line).

    The problem with the button emulator is that when you are in a VM the controls are managed by the VM, not the host, so the host never detects that you pressed the hotkey.
    And of course, you can’t put the program in the VM because you are in the kernel (and all user-land programs are halted).

    Perhaps another driver that manages this hotkey and is always running (I don’t know if the debugger stops all drivers when the GUI appears) could emulate a left button or whatever you need.

    What do you think? Thanks!
