Windbgshark tool

Slides for the talk at Zeronights 2011 about methods of network traffic tracing and architecture of a new network debugging tool.

Transcript

  • 1. Windbgshark: the unified traffic instrumentation tool [1,2,3]
    1. Virtualized
    2. For Windows
    3. For vulnerability researchers and reverse engineers
    Andrey Labunets
  • 2. Preamble
    There are so many fuzzers, frameworks, code debuggers, etc.
    Give me a simple network debugging tool under Windows instead.
    Why?
  • 3. I tried physical MITM
    * …or virtual
    + obvious
    – no localhost traffic
  • 4. I tried user-mode magic
    * code debuggers
    * hooks, binary instrumentation
    * LSP
    + stack backtraces available
    + SSL decryption is possible (ospy)
    – not handy for traffic manipulation
    – x64?
    – layer < 7? non-winsock? (ICMP, SMB, …)
  • 5. I tried handling network interfaces
    * NDIS
    + one driver for all traffic
    – no localhost traffic
    – need to reconstruct TCP/IP stack
  • 6. I tried some kernel-mode magic
    * Windows Filtering Platform
    + unified
    + multi-level (OSI)
    – only starting from Vista (reasonable trade-off, TDI on WinXP is almost the same)
  • 7. We developed windbgshark…
    VM-based traffic manipulation tool
    * WFP driver as a mechanism (guest OS)
    * WinDbg extension as a control interface (host OS)
    * Wireshark for packet analysis (host OS)
  • 8. Theory of operation
    [figure: architecture diagram]
  • 9. Quickstart
    > !load windbgshark
    > !strace on
    > g
    …
    > !packet 100 +AAAAAAAAAAAAAAAAAAA
    [look in wireshark]
    > g
    …
  • 10. Quickstart
    [figure: screenshot]
  • 11. Thanks!
    http://code.google.com/p/windbgshark
    Questions?
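The Quickstart slide edits a captured packet from the debugger (`!packet 100 +AAAA…`) and then inspects the result in Wireshark. Whatever the extension does internally, a segment that has bytes inserted into it is only useful on the wire if its IP total length and its IP and TCP checksums are recomputed; otherwise the receiving stack drops it and Wireshark flags it as bad. The block below is an added example written for this page, not windbgshark's own code, showing that fixup on a constructed IPv4/TCP packet. The slides do not define the `!packet` syntax, so two things are assumed here: `+BYTES` inserts BYTES at the given offset counted from the start of the IP header, and a spec without `+` overwrites in place. The sample packet and its payload are constructed for the example.

```python
"""Added example (not windbgshark code): apply a !packet-style edit to a raw
IPv4/TCP packet and fix IP total length, IP header checksum and TCP checksum.
Assumed syntax (not stated on the slides): '+BYTES' inserts at OFFSET,
'BYTES' overwrites at OFFSET; OFFSET counts from the start of the IP header."""
import struct


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; odd-length data is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def fix_ipv4_tcp(pkt: bytes) -> bytes:
    """Rewrite total length, IP header checksum and TCP checksum of pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    hdr = bytearray(pkt[:ihl])
    seg = bytearray(pkt[ihl:])
    struct.pack_into("!H", hdr, 2, len(pkt))            # total length
    struct.pack_into("!H", hdr, 10, 0)                  # zero field, then sum
    struct.pack_into("!H", hdr, 10, inet_checksum(bytes(hdr)))
    struct.pack_into("!H", seg, 16, 0)                  # TCP checksum field
    # TCP pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
    struct.pack_into("!H", seg, 16, inet_checksum(pseudo + bytes(seg)))
    return bytes(hdr + seg)


def checksums_ok(pkt: bytes) -> bool:
    """True if length and both checksums are consistent (what Wireshark checks)."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (inet_checksum(pkt[:ihl]) == 0
            and inet_checksum(pseudo + seg) == 0
            and struct.unpack("!H", pkt[2:4])[0] == len(pkt))


def patch_packet(pkt: bytes, offset: int, spec: str) -> bytes:
    """Assumed !packet semantics: '+AAAA' inserts, 'AAAA' overwrites at offset."""
    if offset < 0 or offset > len(pkt):
        raise ValueError("offset outside packet")
    if spec.startswith("+"):
        data = spec[1:].encode()
        out = pkt[:offset] + data + pkt[offset:]
    else:
        data = spec.encode()
        if offset + len(data) > len(pkt):
            raise ValueError("overwrite runs past end of packet")
        out = pkt[:offset] + data + pkt[offset + len(data):]
    return fix_ipv4_tcp(out)


def make_sample_packet(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed sample: IPv4/TCP 10.0.0.2:49152 -> 10.0.0.1:80, PSH|ACK."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return fix_ipv4_tcp(ip + tcp + payload)


if __name__ == "__main__":
    original = make_sample_packet()
    # Payload starts at offset 40 (20-byte IP header + 20-byte TCP header).
    patched = patch_packet(original, 40, "+" + "A" * 19)
    print(len(original), "->", len(patched), "valid:", checksums_ok(patched))
    print(patched[40:].decode(errors="replace"))
```

The offset on the slide (100) lands inside a real-world HTTP request; the sample here is short, so the example inserts at offset 40, the first payload byte. Running the block without `fix_ipv4_tcp` (or checking `checksums_ok` on the raw insertion) shows why the fixup matters: the inserted bytes alone leave the length field and both checksums stale.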
