Andrey Labunets - Methods of network traffic tracing for reverse engineering and vulnerability research

Published at: International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

  1. Windbgshark: the unified traffic instrumentation tool [1,2,3]
     1. Virtualized
     2. For Windows
     3. For vulnerability researchers and reverse engineers
     Labunets Andrey
  2. Preamble
     There are so many fuzzers, frameworks, code debuggers, etc.
     Give me a simple network debugging tool under Windows instead.
     Why?
  3. I tried physical MITM
     * …or virtual
     + obvious
     – no localhost traffic
  4. I tried user-mode magic
     * code debuggers
     * hooks, binary instrumentation
     * LSP
     + stack backtraces available
     + ssl decryption is possible (ospy)
     – not handy for traffic manipulation
     – x64?
     – layer < 7? non-winsock? (ICMP, SMB, …)
  5. I tried handling network interfaces
     * NDIS
     + one driver for all traffic
     – no localhost traffic
     – need to reconstruct TCP/IP stack
  6. I tried some kernel-mode magic
     * Windows Filtering Platform
     + unified
     + multi-level (OSI)
     – only starting from Vista (reasonable trade-off, TDI on WinXP is almost the same)
  7. We developed windbgshark…
     VM-based traffic manipulation tool
     * wfp driver as a mechanism (guest OS)
     * windbg extension as a control interface (host OS)
     * wireshark for packet analysis (host OS)
  8. Theory of operation
  9. Quickstart
     > !load windbgshark
     > !strace on
     > g …
     > !packet 100 +AAAAAAAAAAAAAAAAAAA
     [look in wireshark]
     > g …
  10. Quickstart
  11. Thanks!
     http://code.google.com/p/windbgshark
     Questions?