Hi,
I am used to tools like ollydbg that can dump and there are import fixer for dumps in windbg.
I am analyzing a kernel mode rootkit. I want to dump the driver module and fix imports.
Is this possible in windbg?
You may want to have a look at Volatility’s moddump [1] and impscan [2]
which, together, can extract the module and determine which APIs were
called (even in the absence of an IAT). It won’t rebuild the .sys for you
(i.e. you won’t be able to load it again on another system), but it can
output labels that you can load in IDA for reversing purposes.
[1]. http://code.google.com/p/volatility/wiki/CommandReference22#moddump
[2]. http://code.google.com/p/volatility/wiki/CommandReferenceMal22#impscan
On Mon, Nov 26, 2012 at 9:28 AM, wrote:
> Hi,
>
> I am used to tools like ollydbg that can dump and there are import fixer
> for dumps in windbg.
> I am analyzing a kernel mode rootkit. I want to dump the driver module and
> fix imports.
> Is this possible in windbg?
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
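To make the impscan idea concrete: the script below is an added example, not Volatility's code or anything from this thread. It assumes you have already written the driver's address range out of the debugger (for instance with .writemem) and have a map of kernel export addresses to names; it then scans the dump for pointer-sized values that land on a known export and emits IDA labels, which is the approach impscan takes when no IAT survives. The export addresses, module base and dump contents are all constructed for the example.

```python
import struct

# Constructed export map (address -> "module!Name"). In real analysis these
# come from the debugger's symbol information or Volatility's export walk;
# the addresses here are invented for the example.
EXPORTS = {
    0xFFFFF80001A10000: "nt!ExAllocatePoolWithTag",
    0xFFFFF80001A20000: "nt!ObReferenceObjectByHandle",
    0xFFFFF80001B30000: "nt!PsSetCreateProcessNotifyRoutine",
}

def scan_pointers(dump: bytes, base: int, exports: dict, ptr_size: int = 8):
    """Scan a dumped module for pointer-sized values that equal a known export.

    Returns (address_in_dump, export_name) pairs. Only aligned slots are
    checked, which is enough for a rebuilt or surviving import table; a
    full impscan also tries unaligned offsets and call/jmp targets."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    hits = []
    for off in range(0, len(dump) - ptr_size + 1, ptr_size):
        (val,) = struct.unpack_from(fmt, dump, off)
        name = exports.get(val)
        if name:
            hits.append((base + off, name))
    return hits

def ida_labels(hits):
    """Render hits as IDC lines naming the slots that hold the pointers."""
    return ["MakeName(0x%X, '%s')" % (addr, name.replace("!", "_"))
            for addr, name in hits]

def make_sample_dump() -> bytes:
    """Constructed 64-bit image fragment: filler, then a hand-built table of
    two export pointers (as a driver's IAT would hold), then more filler."""
    filler = b"\x90" * 32
    table = struct.pack("<QQ", 0xFFFFF80001B30000, 0xFFFFF80001A10000)
    return filler + table + filler

if __name__ == "__main__":
    base = 0xFFFFF88002C00000  # constructed load address of the dumped driver
    for line in ida_labels(scan_pointers(make_sample_dump(), base, EXPORTS)):
        print(line)
```

Because the labels mark where the pointers sit rather than rebuilding the import directory, the result is for reversing in IDA, not a loadable .sys, matching the caveat above.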
you can use windbg's .writemem to dump a range
drivers normally have init sections which are discardable
to recover them you need to break before they are discarded
there is a .fiximports command which can be used in minidump debugging
you can try subverting it
On 11/26/12, Michael Hale Ligh wrote:
> You may want to have a look at Volatility’s moddump [1] and impscan [2]
> which, together, can extract the module and determine which APIs were
> called (even in the absence of an IAT). It won’t rebuild the .sys for you
> (i.e. you won’t be able to load it again on another system), but it can
> output labels that you can load in IDA for reversing purposes.
>
> [1]. http://code.google.com/p/volatility/wiki/CommandReference22#moddump
> [2]. http://code.google.com/p/volatility/wiki/CommandReferenceMal22#impscan
>
>
> On Mon, Nov 26, 2012 at 9:28 AM, wrote:
>
>> Hi,
>>
>> I am used to tools like ollydbg that can dump and there are import fixer
>> for dumps in windbg.
>> I am analyzing a kernel mode rootkit. I want to dump the driver module
>> and
>> fix imports.
>> Is this possible in windbg?
>>