By: @straight_blast ; straightblast426@gmail.com

The purpose of this post is to share how one would use a debugger to identify the relevant code path that can trigger the crash. I hope this post will be educational to people who are interested in learning how to use a debugger for vulnerability analysis.

This post will not cover the basics of RDP communication or the MS_T120 channel. Interested readers should refer to the following blogs, which sum up the need-to-know basics:

Furthermore, no PoC code will be provided in this post, as the purpose is to show vulnerability analysis with a debugger.

The target machine (debuggee) will be a Windows 7 x64 and the debugger machine will be a Windows 10 x64. Both the debugger and debuggee will run within VirtualBox.

Setting up the kernel debugging environment with VirtualBox

1. On the target machine, run cmd.exe with administrative privilege. Use the bcdedit command to enable kernel debugging:

bcdedit /set {current} debug yes

bcdedit /set {current} debugtype serial

bcdedit /set {current} debugport 1

bcdedit /set {current} baudrate 115200

bcdedit /set {current} description "Windows 7 with kernel debug via COM"

When you type bcdedit again, something similar to the following screenshot should display:

2. Shut down the target machine (debuggee) and right click on the target image in the VirtualBox Manager. Select “Settings” and then “Serial Ports”. Copy the settings as illustrated in the following image and click “OK”:

3. Right click on the image that will host the debugger, and go to the “Serial Ports” setting and copy the settings as shown and click “OK”:

4. Keep the debuggee VM shut down, and boot up the debugger VM. On the debugger VM, download and install WinDBG. I will be using the WinDBG Preview edition.

5. Once the debugger is installed, select “Attach to kernel”, set the “Baud Rate” to “115200” and “Port” to “com1”. Click on “initial break” as well.
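The serial-port settings from steps 2 and 3 can also be applied from the host's command line with VBoxManage instead of the Settings dialog. This is an added example, not part of the original post; the VM names, the pipe path and the choice of which VM creates the pipe (debuggee as server, debugger as client) are assumptions you should adjust to your own setup.

```shell
#!/usr/bin/env sh
# Added example: wire COM1 of the debuggee VM and COM1 of the debugger VM
# together through a host pipe, the CLI equivalent of the VirtualBox
# "Serial Ports" settings page. Both VMs must be powered off when
# "VBoxManage modifyvm" runs.

# Assumed VM names and pipe location; override via environment variables.
# On a Windows host use a named pipe such as \\.\pipe\kd-com1 instead.
DEBUGGEE="${DEBUGGEE:-Win7-debuggee}"
DEBUGGER="${DEBUGGER:-Win10-debugger}"
PIPE="${PIPE:-/tmp/kd-com1}"

# Emit the two VBoxManage commands without running them.
# COM1 is I/O base 0x3F8, IRQ 4 (matches "debugport 1" set with bcdedit).
# The debuggee creates the pipe (server); the debugger attaches to it (client).
serial_cmds() {
    debuggee="$1"; debugger="$2"; pipe="$3"
    printf 'VBoxManage modifyvm "%s" --uart1 0x3F8 4 --uartmode1 server "%s"\n' \
        "$debuggee" "$pipe"
    printf 'VBoxManage modifyvm "%s" --uart1 0x3F8 4 --uartmode1 client "%s"\n' \
        "$debugger" "$pipe"
}

# Run the commands when VBoxManage is available; otherwise just print them
# so they can be reviewed or pasted into the host shell.
apply_serial_cmds() {
    if command -v VBoxManage >/dev/null 2>&1; then
        serial_cmds "$1" "$2" "$3" | sh
    else
        serial_cmds "$1" "$2" "$3"
    fi
}

apply_serial_cmds "$DEBUGGEE" "$DEBUGGER" "$PIPE"
```

After running it, boot the debuggee first so the pipe exists before the debugger VM connects, then continue with step 4.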