Problem booting

Hi

I am trying to boot up a machine after it got infected with a malicious MBR, with boot.ini set to debugport and baudrate as I normally do (typical settings), though it doesn't boot! Any ideas why this might be the case? It boots normally otherwise.

Thanks

My guess would be that you haven't connected a debugger correctly, but this is just a guess.

What OS is your target?

mm

— WINDBG is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I have tried the connection prior to infection and the machine booted successfully with WinDbg connected to it. Once infection is done, booting up only takes place in the non-debug mode. The target OS is XP SP2.


  1. Are you sure that the boot.ini settings are the same?

  2. When you say ‘doesn’t boot,’ what happens exactly, both on the target and in windbg?

  3. Have you tried enabling boot debugging? It’s kind of messy and doesn’t seem to always work (based on reports from people that I trust).

I mean, if it’s screwing with the MBR, anything’s possible, I suppose.

mm


Your infection may be of the type that doesn’t want a debugger sniffing around where it is not wanted. You say it boots without the debugger connected, does that mean bcdedit is still set for debugging but not physically connected to the host? Or to boot do you have to reset the debugger settings in the target? If you can boot without resetting the target debug settings, then can you connect late? My suspicion is that just like trying to debug MSIL in .Net if target kernel debugging is enabled you won’t be able to do much with WinDbg. Got a logic analyzer handy with a pod for the processor?

Barring that, do a dump and disassembly of the MBR and see what's happening. Hell, zip the MBR and make it available to those that want it. You might be surprised what a bunch of geeks with disassembly tools can grok. :)

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net


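Gary's suggestion above is to dump the MBR and look at what changed. As an added example that is not part of this thread (and not code from any poster), the Python script below parses a raw 512-byte MBR sector (bootstrap code, NT disk signature, the four partition-table entries, the 0x55AA boot signature) and diffs a suspect sector against a known-good copy, so an analyst can tell whether the boot code, the partition table, or both were altered. The sample sectors are constructed inside the script; the placeholder boot-code bytes, disk signature, partition geometry and the tampering offset are assumptions for the demo, not data from the thread. On a real case the 512 bytes would come from the first sector of a disk image taken before and after the incident.

```python
"""Parse a raw MBR sector and diff it against a known-good baseline.

Added example for this thread; sample sectors are constructed below, not
taken from any real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440          # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_entry(raw):
    """Decode one 16-byte partition entry (status, CHS, type, LBA start, size)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {
        "active": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0 and lba_start == 0 and sectors == 0,
    }


def parse_mbr(sector):
    """Return the structural fields of a 512-byte MBR plus a hash of its boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[start:start + PART_ENTRY_LEN]))
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": entries,
    }


def compare_mbr(baseline, suspect):
    """Report which regions differ between a known-good MBR and a suspect one.

    A modified boot code with an untouched partition table is the pattern an
    analyst would want flagged: the machine still finds its Windows partition,
    but the code that runs first is no longer the stock loader.
    """
    first_diff = next(
        (i for i in range(SECTOR_SIZE) if baseline[i] != suspect[i]), None)
    return {
        "boot_code_changed": baseline[:BOOT_CODE_END] != suspect[:BOOT_CODE_END],
        "partition_table_changed":
            baseline[PART_TABLE_OFFSET:510] != suspect[PART_TABLE_OFFSET:510],
        "first_diff_offset": first_diff,
    }


def build_sample_mbr(boot_code=b"\xfa\x33\xc0\x8e\xd0"):
    """Constructed sample: placeholder boot-code bytes, one active NTFS (0x07)
    partition starting at LBA 63. All values are assumptions for the demo."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 20964762)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    sector = code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def demo():
    """Parse the constructed baseline and diff it against a tampered copy."""
    baseline = build_sample_mbr()
    tampered = bytearray(baseline)
    tampered[100:104] = b"\xeb\xfe\x90\x90"  # constructed change inside boot code
    return parse_mbr(baseline), compare_mbr(baseline, bytes(tampered))


if __name__ == "__main__":
    info, diff = demo()
    print("signature ok:", info["valid_signature"],
          "disk sig: %08x" % info["disk_signature"])
    for n, p in enumerate(info["partitions"]):
        if not p["empty"]:
            print("partition %d: type=0x%02x lba=%d sectors=%d active=%s"
                  % (n, p["type"], p["lba_start"], p["sectors"], p["active"]))
    print("boot code sha256:", info["boot_code_sha256"])
    print("diff vs tampered copy:", diff)
```

Feeding it the first 512 bytes of a pre-infection and a post-infection disk image (rather than the constructed sectors) gives the same report; the SHA-256 of the boot-code region can also be compared against a hash taken from a known-clean install.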
  1. Are you sure that the boot.ini settings are the same?

Yes, definitely.

  2. When you say ‘doesn’t boot,’ what happens exactly, both on the
     target and in windbg?

On the target I get prompted to choose the debugger-enabled Windows entry:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft XP - Debugger Enabled" /fastdetect /debugport=com1 /baudrate=115200

  3. Have you tried enabling boot debugging? It’s kind of messy and
     doesn’t seem to always work (based on reports from people that I trust).

No, I haven't. Not really sure how to do that? Any references / guides?

Thanks
