Press "Enter" to skip to content

Posts published in “Debugging”

Import Address Table (IAT) in action

Sina Karvandi 4

Did you ever think about how different dll files with different versions and obviously with different addresses of functions work perfectly together ? The answer is Import Address Table (IAT). In the previous post I describe about how to get SSDT. IAT is somehow a User-Mode version of SSDT and in this post I’m gonna write about what I read and experience about IAT in action. Why IAT is important ? It is important because it gives PE executer a…

Change User-Mode application’s virtual address through Kernel Debugging

Sina Karvandi 1

Well, it’s somehow an odd topic but sometimes it could be really helpful in some situations. So what are the situations? Imagine sometimes you need to access windows stuffs that aren’t available from user-mode debuggers like ollydbg or through user-mode debugging (e.g memory after 0x7fffffff). In my experience I see some conditions that protectors make a sophisticated check for finding any debugger in memory and then change their approach to stop reverser from reversing the rest of the code. In…

How to get every detail about SSDT , GDT , IDT in a blink of an eye

Sina Karvandi 0

  In a few days ago I was looking for something to show me the SSDT and GDT (Which is really important in malware analyzing because most of rootkits are interested in hooking and changing this stuffs.) • SSDT (System Service Descriptor Table) • GDT (Global Descriptor Table) • IDT (Interrupt Descriptor Table) They’re really important table in OSes for example SSDT is something like IAT (Import Address Table) in user-mode applications which holds pointer to exported functions of all…

Kernel Mode Debugging by Windbg

Sina Karvandi 2

Hey there, Today I’m gonna show you how to make a kernel mode debugging using VMWare and Windbg and Windows. So why should you do this ?! It’s clear , everything such as Kernel Mode Driver Debugging , searching for zero days and understanding windows mechanism. There are other types of kernel debugging as described in Windows Internals by Mark Russinovich that I describe in future posts. So let’s start. First you need a Windbg and as I’m working in a…