Closed 0xFF1E071F closed 3 years ago
I don't know what could be causing this as I cannot replicate this behavior. Sometimes the lowstub isn't present and perhaps changing to debug mode in your testing env changes the physical memory layout on startup.
@chompie1337 I want to ask something. Are you remote kernel debugging your target machine or did you local kernel debug?
I am using the commands below for remote kernel debugging:
C:\Windows\system32>bcdedit /set debug yes
C:\Windows\system32>bcdedit /dbgsettings net hostip:192.168.100.113 port:50001 key:1.2.3.4
But I cannot manage to find low stub if I am remote debugging. How do you set remote debugging?
Edit: I also use kdnet to remote kernel debug but nothing changed
Edit2: If I set vmware processor=1 core=1 for target machine, both linux and windows attack machines cannot find low stub
At least I should set processor=1 and core=2 to make exploit work
Hey, I try to change mdl_flags to 0x0 instead of 0x501C and then find_low_stub work, find_pml4_selfref failed, but I don't know why?? @0xFF1E071F @chompie1337
Thanks for replying. I have changed the value to zero and my entry value returned:
[ ? ] entry : 0xb
Then socket time out :/ I still cannot find low stub on debug mode
@chompie1337 and @0x-bot where did you download the windows iso?
edit:typo
@chompie1337 and @0x-bot where did you get the iso? Because I still cannot make my vmware guest win10 debuggee give low stub address if debug mode is on :/
In my VMWare Workstation 15's Virtual Machine Settings > Processors there are three checkboxes and those are unchecked!
- [ ] Virtualize Intel VT-x/EPT or AMD-V/RVI
- [ ] Virtualize CPU performance counters
- [ ] Virtualize IOMMU (IO memory management unit)
These are unchecked. What about you? I am trying to understand why I cannot reach the low stub. How much memory and how many processors did you set on your target machine?
All unchecked. I do kernel debugging via serial port (locally from VM to VM) and the ISO was downloaded directly from Microsoft (don't have the direct link anymore but md5 is 70ea72fb3ff11771dcc0a36e2850e29e)
Thank you very much @chompie1337
I use VMWare WorkStation 15 for both target and host machines.
Target machine: Windows 10 b1903 UEFI
Attack Machine: Archlinux
When I am not on debug mode, exploit can find low stub
Above you can see the output of entry value. (On your code it is line 411)
Then I fire up debug mode on target windows 10 1903 vm.
With these settings I can kernel debug. So when I try to exploit, the entry variable is set to 0x2020000 or 0x202000002020000