Enter Syser. SoftIce 2 – Electric Boogaloo. There are a few things Syser does that Softice don’t – <\/p>\n 1) Colors At this time however, the website that hosts Syser is offline. This makes obtaining it harder than usual, but not impossible. I think CNET offers a download. <\/p>\n Can you run Syser in a VM? Of course! But that doesn’t mean there aren’t a few things you need to do to get shit working right.<\/p>\n Problems I ran into on VirtualBox:<\/p>\n -=Screen Refresh=- The alternative to that is clicking outside the window every second. That said, a way to force a refresh would be some sort of app with a time that constantly calls ‘UpdateWindow’. I was thinking something like this:<\/p>\n <\/p>\n It beats compiling VirtualBox from source just to adjust the refresh. <\/p>\n -=Mouse Not Working=-<\/p>\n The problem here is that Syser will not attempt to use your USB emulated mouse. It will instead load the driver for a PS\/2 mouse (remember those?). Also be sure to adjust the mouse sensitivity value in Syser’s config settings. -=Random BSOD’s=-<\/p>\n Easy solution – snapshots. Kinda lame, but expect BSOD’s when working with a kernel debugger. It’s just a part of life.<\/p>\n Problems I ran into on VMWare: This will allow you to make use of the mouse and be able to actually see the syser window without having to switch to the desktop and vm over and over. Or you could run my program from above and disregard the mouse.<\/p>\n -=Running Syser=-<\/p>\n Much like Softice, Syser has a keyboard shortcut to invoke the debugger and essentially ‘pause’ execution of the OS. Control + F12. The command console (control + 2) allows for windbg style commands to be entered: Opening processes for access is done via the command ‘addr’ (just like SoftIce) + the process ID in hex. Have a calculator handy.<\/p>\n If you have a rootkit or driver file and you want to inspect it, just type ‘load Anywho, I thought I’d share this awesome tool with you all before my next blog post in which I will be diving deep into the FinFisher malware dropped on WikiLeaks a few weeks back. I saw a writeup done, however it was incomplete after peeking through the malware myself. Except a nice entry \/ writeup on this malware soon.<\/p>\n
\n![\"SyserLogo\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/SyserLogo.jpg\")
<\/a><\/p>\n
\n2) More than 1 CPU
\n3) Source debugging
\n4) Windows 7\/8
\n5) A better looking GUI<\/p>\n
\n![\"syser1\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/syser1-300x153.png\")
<\/a><\/p>\n\nScreen refresh
\nMouse Not Working
\nRandom BSODs\n<\/ol>\n
\nIf you can somehow modify the source for VirtualBox, adjust the screen refresh rate to be every 5 seconds or so.
\nMy way around this in VirtualBox is to run windows in 256 color mode. It looks ugly as sin, but it works fine at any resolution.
\n![\"syser256\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/syser256-300x224.png\")
<\/a><\/p>\n#include <windows.h><\/span>\r\n\r\nVOID CALLBACK TimerProc<\/span>(HWND hWnd, UINT nMsg, UINT nIDEvent, DWORD dwTime) \r\n{\r\n\tHWND mywind =<\/span> FindWindow(NULL<\/span>,"xp crapbox"<\/span>); \/\/ name in window title<\/span>\r\n\tUpdateWindow(mywind);\r\n}\r\n\r\nint<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) \r\n{\r\n\tMSG Msg;\r\n UINT TimerId =<\/span> SetTimer(NULL<\/span>, 0<\/span>, 5000<\/span>, &<\/span>TimerProc); \/\/ 5 seconds<\/span>\r\n if<\/span> (!<\/span>TimerId)\r\n return<\/span> 16<\/span>;\r\n while<\/span> (GetMessage(&<\/span>Msg, NULL<\/span>, 0<\/span>, 0<\/span>)) \r\n\t{\r\n\tDispatchMessage(&<\/span>Msg);\r\n }\r\n KillTimer(NULL<\/span>, TimerId); \/\/ app exit cleanup<\/span>\r\n return<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
\nThe fix is to set the pointing device to use PS\/2 instead of USB.
\n![\"mousework\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/mousework.png\")
<\/a><\/p>\n
\n![\"mousework2\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/mousework2.png\")
<\/a><\/p>\n
\n“Unable to start MSI” – I cant even install the piece of shit. For all intents and purposes I’ll be focusing on getting syser working on VirtualBox. If you use vmware, add the following lines to your vmware config file:
\nvmmouse.present = “FALSE”
\nsvga.maxFullscreenRefreshTick = “5”<\/p>\n
\nWhen paused like this, you can single step just like any other debugger. ‘F5’ will continue execution with Syser running. Pressing control + F12 will unload the Syser driver. F11 to step in, F10 to step over. <\/p>\n
\n![\"syser\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/syser-300x225.png\")
<\/a>.
\nQuite powerful, but one might prefer to see what they’re doing and stick with the system explorer. <\/p>\n
\nThis will allow you to run the driver on your own pace without waiting for it to be loaded externally:
\n![\"syser5\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/syser5-300x224.png\")
<\/a><\/p>\n
![\"1249091581443\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/10\/1249091581443.jpg\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"