Change User-Mode application’s virtual address through Kernel Debugging

Well, it’s somehow an odd topic, but sometimes it can be really helpful in some situations. So what are the situations? Imagine you need to access Windows internals that aren’t available from user-mode debuggers like OllyDbg or through user-mode debugging in general (e.g. memory above 0x7fffffff). In my experience, some protectors make a sophisticated check for any debugger in memory and then change their behaviour to stop the reverser from analyzing the rest of the code. In such a situation you can set up a virtual machine, break the whole machine with a kernel debugger, switch the debugger’s context to the target process and continue analyzing the image. This way you can bypass the protection completely, or at least some of its layers. (Some protectors refuse to run inside a virtual machine, or call Windows APIs to check whether a kernel debugger is present, so you should check for these things first and then continue debugging.)

So let’s get down to business. In the following tutorial I use a VMware virtual machine that is ready for kernel debugging (if you don’t know how to set one up, please see this link; it describes how to do it), a kernel debugger (in my case WinDbg) and a user-mode debugger (OllyDbg). First run myfile.exe in the guest machine and attach to it from the guest with OllyDbg, so that any edit made through the kernel debugger can be observed in myfile.exe. Then break into WinDbg to edit memory from the host machine. I use the following command to list all the processes and find myfile.exe:

And it gives you a long list of processes where you can finally find myfile.exe.

So for more details about this process you can run :

It should give you something like :

Then, to switch to myfile.exe, you should run:

Now you’re almost done! You are in the 32-bit context of myfile.exe, where you can run all the WinDbg commands you normally would, but against its virtual addresses (instead of physical addresses). For a sample, run:

It shows you the memory at myfile.exe’s base address (0x400000). You can edit that memory with a WinDbg edit command, press g to resume, and then go to the guest machine, find myfile.exe’s base address in OllyDbg and see how it was changed from the kernel debugger. Thanks for reading.
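A worked WinDbg session for the steps above, as an added example and not the commands from the original post; the EPROCESS address (8xxxxxxx) and the patched address/bytes are placeholders that you replace with values from your own !process output:

```text
$$ 1. list every process on the guest; find the line for myfile.exe
kd> !process 0 0
$$    (newer WinDbg builds also accept an image-name filter)
kd> !process 0 0 myfile.exe

$$ 2. show full details (threads, modules, PEB) for that EPROCESS
kd> !process 8xxxxxxx 7

$$ 3. switch the debugger into that process invasively, then resume;
$$    the next break lands inside myfile.exe's own address space
kd> .process /i 8xxxxxxx
kd> g

$$ 4. load user-mode symbols for the new context and dump the image base
kd> .reload /user
kd> db 00400000 L40          $$ expect the "MZ" header at the top

$$ 5. edit a byte at a placeholder address, verify, and let the machine run
kd> eb 0040xxxx 90           $$ write 0x90 to the chosen virtual address
kd> db 0040xxxx L1
kd> g
```

After the final g, the process keeps running in the guest and the patched byte is visible from OllyDbg at the same virtual address.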

This post is written in cooperation with my friend sina
