Greetings and salutations fellow readers.
Recently I’ve had to step into the awful world of kernel debugging. When malware drops a rootkit and conventional userland debugging falls short, you have to step into ring 0. Unfortunately, options are rather limited when it comes to decent ring 0 debugging on Windows.
What’s that one debugger everyone’s heard of but can’t ever get working? If you said SoftIce, you’re right. Getting SoftIce to run these days is a pain in the butt. Especially since it’s largely broken in Windows 7, support ended in 2006, and the damn thing crashes even if you do get it working. There has got to be SOME alternative, right?
There are a few things Syser does that SoftIce doesn’t –
2) More than 1 CPU
3) Source debugging
4) Windows 7/8
5) A better looking GUI
At this time however, the website that hosts Syser is offline. This makes obtaining it harder than usual, but not impossible. I think CNET offers a download.
But that doesn’t mean there aren’t a few things you need to do to get shit working right.
Problems I ran into on VirtualBox:
-=Screen Not Refreshing=-
If you can somehow modify the source for VirtualBox, adjust the screen refresh rate to be every 5 seconds or so.
My way around this in VirtualBox is to run windows in 256 color mode. It looks ugly as sin, but it works fine at any resolution.
The alternative to that is clicking outside the window every second. That said, a way to force a refresh would be some sort of app with a timer that constantly calls ‘UpdateWindow’. I was thinking something like this:
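The snippet the post refers to is not on the page, so here is an added example of the idea (not the author’s original code): a PowerShell script that nudges the guest display on a timer by invalidating every window, which makes Windows repaint them. The 5 second interval is an assumption taken from the refresh rate suggested above; stop it with Ctrl+C.

```powershell
# Added example, not the author's original snippet.
# Periodically force a full repaint of all windows in the guest so that the
# VirtualBox display catches up without clicking outside the VM window.
Add-Type -Namespace Win32 -Name Redraw -MemberDefinition @"
[DllImport("user32.dll")] public static extern IntPtr GetDesktopWindow();
// InvalidateRect with a NULL hWnd invalidates and redraws ALL windows.
[DllImport("user32.dll")] public static extern bool InvalidateRect(IntPtr hWnd, IntPtr lpRect, bool bErase);
// UpdateWindow sends WM_PAINT straight away if the update region is non-empty.
[DllImport("user32.dll")] public static extern bool UpdateWindow(IntPtr hWnd);
"@

$intervalMs = 5000   # assumption: ~5 seconds, matching the refresh rate suggested above
$desktop    = [Win32.Redraw]::GetDesktopWindow()

while ($true) {
    # Mark every window dirty (NULL hWnd), then push the desktop's WM_PAINT now.
    [void][Win32.Redraw]::InvalidateRect([IntPtr]::Zero, [IntPtr]::Zero, $true)
    [void][Win32.Redraw]::UpdateWindow($desktop)
    Start-Sleep -Milliseconds $intervalMs
}
```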
It beats compiling VirtualBox from source just to adjust the refresh.
-=Mouse Not Working=-
The problem here is that Syser will not attempt to use your USB emulated mouse. It will instead load the driver for a PS/2 mouse (remember those?).
The fix is to set the pointing device to use PS/2 instead of USB.
Easy solution – snapshots. Kinda lame, but expect BSOD’s when working with a kernel debugger. It’s just a part of life.
Problems I ran into on VMWare:
“Unable to start MSI” – I can’t even install the piece of shit. For all intents and purposes I’ll be focusing on getting Syser working on VirtualBox. If you use VMware, add the following lines to your VMware config (.vmx) file:
vmmouse.present = "FALSE"
svga.maxFullscreenRefreshTick = "5"
This will allow you to make use of the mouse and be able to actually see the Syser window without having to switch to the desktop and VM over and over. Or you could run my program from above and disregard the mouse.
Much like Softice, Syser has a keyboard shortcut to invoke the debugger and essentially ‘pause’ execution of the OS. Control + F12.
When paused like this, you can single step just like any other debugger. ‘F5’ will continue execution with Syser running. Pressing control + F12 will unload the Syser driver. F11 to step in, F10 to step over.
Opening processes for access is done via the command ‘addr’ (just like SoftIce) + the process ID in hex. Have a calculator handy.
Anywho, I thought I’d share this awesome tool with you all before my next blog post, in which I will be diving deep into the FinFisher malware dropped on WikiLeaks a few weeks back. I saw a writeup done, however it was incomplete after peeking through the malware myself. Expect a nice entry / writeup on this malware soon.