The Official Radare2 Book — page 41 of 64

So you can start it as:

$ r2 -
[0x00000000]> =g 8000 /bin/radare2 -

And then connect to it like you would to any gdbserver. For example, with radare2:

$ r2 -d gdb://localhost:8000

WinDBG Kernel-mode Debugging (KD)

The WinDBG KD interface support in r2 allows you to attach to a VM running Windows and debug its kernel over a serial port or over the network.

It is also possible to use the remote GDB interface to connect to and debug Windows kernels without depending on Windows-specific capabilities.

Bear in mind that WinDBG KD support is still work-in-progress, and this is just an initial implementation which will get better in time.

Setting Up KD on Windows

For a complete walkthrough, refer to Microsoft's documentation.

Serial Port

Enable KD over a serial port on Windows Vista and higher like this:

bcdedit /debug on

bcdedit /dbgsettings serial debugport:1 baudrate:115200

Or like this for Windows XP: open boot.ini and add /debug /debugport=COM1 /baudrate=115200 to the boot entry (the baud rate must match the one configured on the debugger side):

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Debugging with Cable" /fastdetect /debug /debugport=COM1 /baudrate=115200

In the case of VMware, add a serial port backed by a named pipe:

Virtual Machine Settings -> Add -> Serial Port
  Device Status:
    [v] Connect at power on
  Connection:
    [v] Use socket (named pipe)
        [_/tmp/winkd.pipe________]
        From: Server   To: Virtual Machine

Or configure the VirtualBox machine like this:

Preferences -> Serial Ports -> Port 1
  [v] Enable Serial Port
  Port Number:    [_COM1_______[v]]
  Port Mode:      [_Host_Pipe__[v]]
  [v] Create Pipe
  Port/File Path: [_/tmp/winkd.pipe____]

Or just spawn the VM with qemu like this:

$ qemu-system-x86_64 -chardev socket,id=serial0,\
    path=/tmp/winkd.pipe,nowait,server \
    -serial chardev:serial0 -hda Windows7-VM.vdi

Network

Enable KD over the network (KDNet) on Windows 7 or later like this:

bcdedit /debug on
bcdedit /dbgsettings net hostip:w.x.y.z port:n

Here hostip is the address of the machine running the debugger. bcdedit prints the generated key, which the debugger needs in order to connect.

Starting from Windows 8 there is no way to force debugging on every boot, but it is possible to always show the advanced boot options, which lets you enable kernel debugging at boot time:

bcdedit /set {globalsettings} advancedoptions true

Connecting to KD interface on r2

Serial Port

Radare2 uses the winkd io plugin to connect to the socket file created by VirtualBox or qemu, together with the winkd debugger plugin (-D winkd). The architecture and bit width must be given explicitly; both 32- and 64-bit targets are supported, so for a 32-bit guest:

$ r2 -a x86 -b 32 -D winkd winkd:///tmp/winkd.pipe

On Windows, where the VM exposes the serial port as a named pipe, run:

$ radare2 -D winkd winkd://\\.\pipe\com_1

Network

$ r2 -a x86 -b 32 -d winkd://::w.x.y.z

Using KD

When connecting to a KD interface, r2 will send a breakin packet to interrupt the target and we will get stuck here:

[0x828997b8]> pd 20
            ;-- eip:
            0x828997b8    cc        int3
            0x828997b9    c20400    ret 4
            0x828997bc    cc        int3
            0x828997bd    90        nop
            0x828997be    c3        ret
            0x828997bf    90        nop

In order to skip that trap we need to move eip past the int3 and run 'dc' twice:

dr eip=eip+1
dc
dr eip=eip+1
dc

Now the Windows VM is interactive again. To regain control of the kernel we need to kill r2 and attach again.

In addition, the dp command lists all processes, and dpa or dp= attaches to one of them; attaching displays the base address of the process in the physical memory layout.

WinDBG Backend for Windows (DbgEng)

On Windows, radare2 can use DbgEng.dll as a debugging backend, allowing it to make use of WinDBG's capabilities, supporting dump files, local and remote user and kernel mode debugging.

You can use the debugging DLLs included with Windows or get the latest version from Microsoft's download page (recommended).

You cannot use DLLs from the Microsoft Store's WinDbg Preview app folder directly as they are not marked as executable for normal users.

radare2 will try to load dbgeng.dll from the _NT_DEBUGGER_EXTENSION_PATH environment variable before using Windows' default library search path.

Using the plugin

To use the windbg plugin, pass the same command-line options as you would to WinDBG or kd (see Microsoft's documentation), quoting/escaping where necessary:

> r2 -d "windbg://-remote tcp:server=Server,port=Socket"
> r2 -d "windbg://MyProgram.exe \"my arg\""
> r2 -d "windbg://-k net:port=,key="
> r2 -d "windbg://-z MyDumpFile.dmp"

You can then debug normally (see the d? command) or interact with the backend shell directly with the =! command:

[0x7ffcac9fcea0]> dcu 0x0007ffc98f42190
Continue until 0x7ffc98f42190 using 1 bpsize
ModLoad: 00007ffc`ab6b0000 00007ffc`ab6e0000   C:\WINDOWS\System32\IMM32.DLL
Breakpoint 1 hit
hit breakpoint at: 0x7ffc98f42190
[0x7fffcf232190]> =!k4
Child-SP          RetAddr           Call Site
00000033`73b1f618 00007ff6`c67a861d r_main!r_main_radare2
00000033`73b1f620 00007ff6`c67d0019 radare2!main+0x8d
00000033`73b1f720 00007ff6`c67cfebe radare2!invoke_main+0x39
00000033`73b1f770 00007ff6`c67cfd7e radare2!__scrt_common_main_seh+0x12e

Tools

Radare2 is not the only tool provided by the radare2 project. The rest of the chapters in this book focus on the radare2 tool itself; this chapter explains the companion tools that ship with the project.

The functionality provided by the different APIs and plugins is also exposed through separate tools, so that it can be used from the command line and integrated into shell scripts easily.

Thanks to the orthogonal design of the framework, everything r2 can do is reachable from different places:

   • these companion tools

   • native library apis

   • scripting with r2pipe

   • the r2 shell

Rax2

The rax2 utility comes with the radare framework and aims to be a minimalistic expression evaluator for the shell. It is useful for base conversions: between floating point values and their hexadecimal representations, from hexpair strings to ASCII, from octal to integer, and so on. It supports endianness and can be used as a shell if no arguments are given.

rax2 can be used from the command line or interactively (reading values from stdin), so it also serves as a multi-base calculator.

Inside r2, the functionality of rax2 is available under the ? command. For example:

[0x00000000]> ? 3+4

As you can see, numeric expressions can contain mathematical operations such as addition and subtraction, as well as grouping with parentheses.

The syntax in which a number is written defines its base, for example:

   • 3 : decimal, base 10

   • 0xface : hexadecimal, base 16

   • 0472 : octal, base 8

   • 2M : units, 2 megabytes

   • ...

This is the help message of rax2 -h, which shows a few more syntaxes:

$ rax2 -h
Usage: rax2 [options] [expr ...]
  =[base]                ;  rax2 =10 0x46 -> output in base 10
  int     ->  hex        ;  rax2 10
  hex     ->  int        ;  rax2 0xa
  -int    ->  hex        ;  rax2 -77
  -hex    ->  int        ;  rax2 0xffffffb3
  int     ->  bin        ;  rax2 b30
  int     ->  ternary    ;  rax2 t42
  bin     ->  int        ;  rax2 1010d
  ternary ->  int        ;  rax2 1010dt
  float   ->  hex        ;  rax2 3.33f
  hex     ->  float      ;  rax2 Fx40551ed8
  oct     ->  hex        ;  rax2 35o
  hex     ->  oct        ;  rax2 Ox12 (O is a letter)
  bin     ->  hex        ;  rax2 1100011b
  hex     ->  bin        ;  rax2 Bx63
  ternary ->  hex        ;  rax2 212t
  hex     ->  ternary    ;  rax2 Tx23
  raw     ->  hex        ;  rax2 -S < /binfile
  hex     ->  raw        ;  rax2 -s 414141
  -l                     ;  append newline to output (for -E/-D/-r/..
  -a      show ascii table   ;  rax2 -a
  -b      bin -> str         ;  rax2 -b 01000101 01110110
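As an added example, not code from the radare2 project, the following Python implements an evaluator for the number syntax listed above (decimal, 0x hex, leading-zero octal, K/M/G units) and for the suffix forms shown in the rax2 help (1100011b, 212t, 35o, 3.33f, Fx40551ed8). It goes a little beyond the page: it also parses parentheses and the four arithmetic operators, so an expression such as (0x10+2)*3 evaluates the way ? would. The function names (evaluate, parse_number, float_to_hex, hex_to_float), the tokenizer grammar and the C-style truncating division are this example's own assumptions, not radare2's implementation.

```python
# Added example, not code from the radare2 project: an evaluator for the
# numeric syntax that r2's `?` command and rax2 accept on this page. Forms
# taken from the page: decimal (3), hex (0xface), leading-zero octal (0472),
# units (2M), and the rax2 suffixes 1100011b (binary), 212t (ternary),
# 35o (octal), 3.33f / Fx40551ed8 (float <-> hex). Operators, parentheses
# and the tokenizer grammar are this example's own assumptions.
import re
import struct

UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

# A token is an operator/parenthesis, or a number: 0x-hex, or digits with at
# most one trailing suffix letter (b, t, o, K, M, G).
_TOKEN = re.compile(r"\s*(?:(0[xX][0-9a-fA-F]+|[0-9]+[a-zA-Z]?)|([-+*/()]))")


def parse_number(tok):
    """Convert one numeric token to an int, picking the base from its syntax."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"[01]+b", tok):        # rax2: 1100011b -> binary
        return int(tok[:-1], 2)
    if re.fullmatch(r"[012]+t", tok):       # rax2: 212t -> ternary
        return int(tok[:-1], 3)
    if re.fullmatch(r"[0-7]+o", tok):       # rax2: 35o -> octal
        return int(tok[:-1], 8)
    if re.fullmatch(r"[0-9]+[KMG]", tok):   # units: 2M -> 2 megabytes
        return int(tok[:-1]) * UNITS[tok[-1]]
    if re.fullmatch(r"0[0-7]+", tok):       # leading zero -> octal
        return int(tok, 8)
    if re.fullmatch(r"[0-9]+", tok):        # plain decimal
        return int(tok)
    raise ValueError("unrecognised number syntax: %r" % tok)


def tokenize(expr):
    """Split an expression into ints and operator strings; reject junk."""
    pos, out = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError("bad input at offset %d: %r" % (pos, expr[pos:]))
        if m.group(1):
            out.append(parse_number(m.group(1)))
        elif m.group(2):
            out.append(m.group(2))
        pos = m.end()
    return out


def evaluate(expr):
    """Evaluate an r2-style integer expression with + - * / and parentheses.
    Division truncates toward zero, as C does (an assumption of this example)."""
    toks = tokenize(expr)
    pos = [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        if pos[0] >= len(toks):
            raise ValueError("unexpected end of expression")
        pos[0] += 1
        return toks[pos[0] - 1]

    def unary():
        t = take()
        if t == "-":
            return -unary()
        if t == "(":
            v = add_sub()
            if take() != ")":
                raise ValueError("missing ')'")
            return v
        if isinstance(t, int):
            return t
        raise ValueError("unexpected token %r" % (t,))

    def mul_div():
        v = unary()
        while peek() in ("*", "/"):
            op, rhs = take(), unary()
            if op == "*":
                v *= rhs
            elif rhs == 0:
                raise ZeroDivisionError("division by zero in expression")
            else:
                q = abs(v) // abs(rhs)
                v = q if (v < 0) == (rhs < 0) else -q
        return v

    def add_sub():
        v = mul_div()
        while peek() in ("+", "-"):
            op, rhs = take(), mul_div()
            v = v + rhs if op == "+" else v - rhs
        return v

    result = add_sub()
    if peek() is not None:
        raise ValueError("trailing input after expression")
    return result


def float_to_hex(value):
    """rax2 '3.33f': the IEEE 754 single-precision bit pattern of a float."""
    return struct.unpack(">I", struct.pack(">f", value))[0]


def hex_to_float(bits):
    """rax2 'Fx40551ed8': read 32 bits back as a single-precision float."""
    return struct.unpack(">f", struct.pack(">I", bits & 0xFFFFFFFF))[0]


if __name__ == "__main__":
    for e in ("3+4", "0xface", "0472", "2M", "(0x10+2)*3", "1100011b", "212t"):
        v = evaluate(e)
        print("%-12s = %d  0x%x  0o%o" % (e, v, v, v))
    print("3.33f        = 0x%08x" % float_to_hex(3.33))
    print("Fx40551ed8   = %f" % hex_to_float(0x40551ED8))
```

The evaluator deliberately avoids Python's eval: a calculator that is fed strings from scripts or pipes should only accept the grammar it documents, so unknown characters and dangling operators raise instead of being interpreted. Note that 3.33 is not exactly representable as a 32-bit float, which is why float_to_hex(3.33) and the Fx40551ed8 example in the help differ in their low bits while printing the same value to a few decimals.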