
Bochspwn

Bochspwn is a system-wide instrumentation project designed to log memory accesses performed by operating system kernels and examine them in search of patterns indicating the presence of certain bugs, such as "double fetches" (a kernel routine reading the same user-mode memory more than once, so that a concurrently running user thread can change the value between the check and the use). Information about memory references is obtained by running the guest operating system within the Bochs IA-32 emulator with the custom instrumentation component compiled in. The tool was written in 2013 and was used to discover over 50 race conditions in the Windows kernel, fixed across several security bulletins (MS13-016, MS13-017, MS13-031, MS13-036). For further information, see the "Read more" section below.
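What such a double fetch looks like at the source level, as an added example that is not code from Bochspwn or from the Windows kernel: a simplified driver-style handler in C that reads a length field from a user-mode request twice (once to validate, once to use), next to a version that captures the field once and works only on the captured copy. The request layout, the attacker_flip stand-in for a racing user thread, and the run_case driver are assumptions made for this demo; the race is simulated deterministically instead of with real threads, and the vulnerable copy is clamped so the demo itself stays memory-safe while still reporting the size a real driver would have copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE    16u   /* fixed-size kernel-side buffer */
#define ATTACKER_LEN 64u   /* value the racing user thread writes */

/* Request as it sits in user-mode memory (assumed layout for this demo). */
typedef struct {
    uint32_t length;                 /* bytes the caller asks to have copied */
    uint8_t  data[ATTACKER_LEN];
} user_req_t;

/* Stand-in for a second user thread that rewrites the header between the
   kernel's two reads. In a real attack this runs concurrently. */
typedef void (*race_fn)(volatile user_req_t *);
static void attacker_flip(volatile user_req_t *req) { req->length = ATTACKER_LEN; }

/* Vulnerable: validates one read of req->length, then re-reads it for the copy.
   Returns the byte count the copy would use, or -1 if the request is rejected. */
static int vulnerable_copy(volatile user_req_t *req, race_fn race)
{
    uint8_t kbuf[KBUF_SIZE];
    if (req->length > KBUF_SIZE)                     /* fetch #1: the check */
        return -1;
    if (race) race(req);                             /* TOCTOU window */
    uint32_t n = req->length;                        /* fetch #2: the use */
    /* A real driver would memcpy n bytes here and overflow kbuf. The demo
       clamps the copy to stay memory-safe but reports the unsafe n. */
    memcpy(kbuf, (const void *)req->data, n > KBUF_SIZE ? KBUF_SIZE : n);
    return (int)n;
}

/* Hardened: capture the header once into kernel-owned storage, then validate
   and use only that copy. Windows kernel code does the same with ProbeForRead()
   and a single copy inside __try/__except (the "SEH enabled" frames in the log). */
static int hardened_copy(volatile user_req_t *req, race_fn race)
{
    uint8_t kbuf[KBUF_SIZE];
    uint32_t n = req->length;                        /* the only fetch of length */
    if (race) race(req);                             /* attacker's write is now too late */
    if (n > KBUF_SIZE)
        return -1;
    memcpy(kbuf, (const void *)req->data, n);
    return (int)n;
}

/* Scenario driver: which handler runs, the initial length, and whether the
   simulated attacker races the handler. */
int run_case(int hardened, uint32_t initial_len, int attacker_races)
{
    user_req_t req;
    memset(&req, 0, sizeof req);
    req.length = initial_len;
    race_fn race = attacker_races ? attacker_flip : NULL;
    return hardened ? hardened_copy(&req, race) : vulnerable_copy(&req, race);
}

int main(void)
{
    printf("vulnerable, no race : %d\n", run_case(0, 8, 0));   /* 8 */
    printf("vulnerable, raced   : %d\n", run_case(0, 8, 1));   /* 64: checked 8, used 64 */
    printf("hardened,   raced   : %d\n", run_case(1, 8, 1));   /* 8 */
    printf("hardened,   len=64  : %d\n", run_case(1, 64, 1));  /* -1 */
    return 0;
}
```

The pattern Bochspwn looks for is exactly the two reads in vulnerable_copy: two accesses to the same user address from one system call, with no kernel-side copy in between. The fix is not an extra check but a single fetch, which is why the log's "capture" routines (SeCaptureSecurityDescriptor in the report below) matter.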

Support status

The toolset is not actively maintained, and its source code is released "as is", mostly for reference purposes. It was originally released as kfetch-toolkit in 2013 after the Black Hat USA talk, together with comprehensive documentation, now kept at DOCUMENTATION.old.md (partially obsolete). In 2017, we revised the source code of the project and implemented several new features:

  1. Information about the address space layout of kernel drivers is stored in a separate file (modules.bin by default), and each driver is referenced by its index in the main log file. This saves disk space by preventing redundant information (image names and base addresses) from being written for every stack trace item in the log.
  2. Information about the presence of an active exception handler in each stack frame was added to the access log protocol buffer, allowing us to detect a number of local Windows DoS vulnerabilities (see examples 1, 2, 3, 4).
  3. Information about the value of PreviousMode at the time of the memory access in Windows was added to the protocol buffer.
  4. The "online" double-fetch detection mode was removed from the code, as it was deemed too slow to be practically useful.
  5. Some symbolization-related and other minor bugs were fixed in the code.

The instrumentation was also ported to Bochs version 2.6.9, the latest one at the time of this writing.

Building and usage

For general instructions, see DOCUMENTATION.old.md.

You may wish to use more recent versions of the referenced software (e.g. Bochs 2.6.9, libprotobuf 3.4.1 etc.), and update the Bochspwn configuration file to account for the 2017 changes. When in doubt, please refer to the source code or contact us with any questions.

Example report

The two reads below come from the same thread (pid 0xfc, tid 0x100) inside a single NtCreateFile call, as the stack traces show. The first reads 20 bytes starting at user address 0x1ef764 with a rep movsd; the second re-reads the 2-byte word at 0x1ef766 from the same user buffer, so the value checked and the value used can differ. The "SEH enabled" / "SEH disabled" markers are the per-frame exception handler information added in 2017, and "previous mode: 1" records that the system call was issued from user mode.

------------------------------ found double-read of address 0x00000000001ef766
Read no. 1:
[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef764 (5 * 4 bytes), pc = 82a75263 [ rep movsd dword ptr es:[edi], dword ptr ds:[esi] ]
[previous mode: 1]
#0  0x82a75263 ((0026a263) ntoskrnl!SeCaptureSecurityDescriptor+00000067) <===== SEH enabled (#0)
#1  0x82a36a23 ((0022ba23) ntoskrnl!ObpCaptureObjectCreateInformation+000000c2) <===== SEH enabled (#0)
#2  0x82a45de2 ((0023ade2) ntoskrnl!ObOpenObjectByName+0000009b)
#3  0x82a3c7db ((002317db) ntoskrnl!IopCreateFile+00000673) <===== SEH disabled
#4  0x82a60402 ((00255402) ntoskrnl!NtCreateFile+00000034)
#5  0x82848db6 ((0003ddb6) ntoskrnl!KiSystemServicePostCall+00000000)

Read no. 2:
[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef766 (1 * 2 bytes), pc = 82a752ad [           movzx edx, word ptr ds:[eax+2] ]
[previous mode: 1]
#0  0x82a752ad ((0026a2ad) ntoskrnl!SeCaptureSecurityDescriptor+000000b1) <===== SEH enabled (#1)
#1  0x82a36a23 ((0022ba23) ntoskrnl!ObpCaptureObjectCreateInformation+000000c2) <===== SEH enabled (#0)
#2  0x82a45de2 ((0023ade2) ntoskrnl!ObOpenObjectByName+0000009b)
#3  0x82a3c7db ((002317db) ntoskrnl!IopCreateFile+00000673) <===== SEH disabled
#4  0x82a60402 ((00255402) ntoskrnl!NtCreateFile+00000034)
#5  0x82848db6 ((0003ddb6) ntoskrnl!KiSystemServicePostCall+00000000)
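The offline detection pass that produces a report like the one above, as an added example rather than the project's own analysis code (which reads the protocol buffer log, not text): it parses access lines in the report's text layout and flags any two READs from the same thread and the same system call invocation whose byte ranges overlap. The two fields printed after the process name are read here as the thread's syscall counter and the syscall number; that is an assumption drawn from the report's layout (0x42 being consistent with the NtCreateFile frame in the trace). Two of the sample lines are the reads from the report, the other two are constructed: a non-overlapping read in the same call and a read of the same address from the thread's next call, neither of which should be flagged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One parsed memory-access record, following the line layout of the report.
   syscall_count / syscall_id for the two fields after the process name is an
   assumption about the format. */
typedef struct {
    uint32_t pid, tid;
    uint64_t create_time;
    uint32_t syscall_count, syscall_id;
    int      is_read;
    uint64_t addr;
    uint32_t count, width;             /* "(count * width bytes)" */
    uint64_t pc;
} access_t;

typedef struct { uint64_t addr, pc_first, pc_second; } hit_t;

/* Parse one access line with sscanf; the trailing disassembly is ignored.
   Returns 1 on success, 0 if the line is not an access record. */
int parse_access(const char *line, access_t *a)
{
    char op[8];
    unsigned pid, tid, cnt, id, count, width;
    unsigned long long ct, addr, pc;
    int n = sscanf(line,
        "[pid/tid/ct: %x/%x/%llx] {%*[^}]} %x, %x: %7[A-Z] of %llx (%u * %u bytes), pc = %llx",
        &pid, &tid, &ct, &cnt, &id, op, &addr, &count, &width, &pc);
    if (n != 10)
        return 0;
    a->pid = pid; a->tid = tid; a->create_time = ct;
    a->syscall_count = cnt; a->syscall_id = id;
    a->is_read = (strcmp(op, "READ") == 0);
    a->addr = addr; a->count = count; a->width = width; a->pc = pc;
    return 1;
}

/* Two records belong to the same syscall invocation of the same thread. */
static int same_invocation(const access_t *x, const access_t *y)
{
    return x->pid == y->pid && x->tid == y->tid && x->create_time == y->create_time
        && x->syscall_count == y->syscall_count && x->syscall_id == y->syscall_id;
}

/* Double-read pass: any two READs from one invocation whose byte ranges
   intersect are a candidate double fetch. Fills up to max_hits entries
   (hits may be NULL when max_hits is 0) and returns the total found. */
int find_double_reads(const access_t *acc, int n, hit_t *hits, int max_hits)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (!acc[i].is_read) continue;
        uint64_t lo_i = acc[i].addr, hi_i = lo_i + (uint64_t)acc[i].count * acc[i].width;
        for (int j = i + 1; j < n; j++) {
            if (!acc[j].is_read || !same_invocation(&acc[i], &acc[j])) continue;
            uint64_t lo_j = acc[j].addr, hi_j = lo_j + (uint64_t)acc[j].count * acc[j].width;
            if (lo_i < hi_j && lo_j < hi_i) {                 /* ranges intersect */
                if (found < max_hits) {
                    hits[found].addr = lo_i > lo_j ? lo_i : lo_j;   /* start of overlap */
                    hits[found].pc_first = acc[i].pc;
                    hits[found].pc_second = acc[j].pc;
                }
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample log: lines 1 and 3 are the reads from the report, 2 and 4
   are made up (same call but no overlap; same address but the next call). */
static const char *const SAMPLE_LOG[] = {
    "[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef764 (5 * 4 bytes), pc = 82a75263 [ rep movsd dword ptr es:[edi], dword ptr ds:[esi] ]",
    "[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef7a0 (1 * 4 bytes), pc = 82a75290 [ mov eax, dword ptr ds:[ecx] ]",
    "[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001e, 00000042: READ of 1ef766 (1 * 2 bytes), pc = 82a752ad [           movzx edx, word ptr ds:[eax+2] ]",
    "[pid/tid/ct: 000000fc/00000100/01d27c3a91e567e6] {        smss.exe} 0000001f, 00000042: READ of 1ef766 (1 * 2 bytes), pc = 82a752ad [           movzx edx, word ptr ds:[eax+2] ]",
    "[previous mode: 1]",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* Parse a text log (non-access lines are skipped) and run the pass. */
int count_double_reads(const char *const *lines, int nlines, hit_t *hits, int max_hits)
{
    access_t acc[64];
    int n = 0;
    for (int i = 0; i < nlines && n < 64; i++)
        if (parse_access(lines[i], &acc[n])) n++;
    return find_double_reads(acc, n, hits, max_hits);
}

/* Address reported for the first hit, or 0 if the log has none. */
uint64_t first_double_read_addr(const char *const *lines, int nlines)
{
    hit_t hit;
    return count_double_reads(lines, nlines, &hit, 1) > 0 ? hit.addr : 0;
}

int is_access_record(const char *line) { access_t a; return parse_access(line, &a); }

int main(void)
{
    hit_t hits[16];
    int n = count_double_reads(SAMPLE_LOG, SAMPLE_LOG_LEN, hits, 16);
    for (int k = 0; k < n && k < 16; k++)
        printf("found double-read of address 0x%016llx (pc %llx, then pc %llx)\n",
               (unsigned long long)hits[k].addr, (unsigned long long)hits[k].pc_first,
               (unsigned long long)hits[k].pc_second);
    return 0;
}
```

The overlap test is on byte ranges, not on identical start addresses: the rep movsd above covers 0x1ef764..0x1ef777 and the movzx reads 0x1ef766..0x1ef767, so keying only on the exact address would miss this case. Grouping by the thread's syscall counter is what keeps the same address read in two separate calls from being reported.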

Read more

Bochspwn Reloaded

In 2017, we implemented a new type of full-system instrumentation on top of the Bochs emulator, named Bochspwn Reloaded. The instrumentation performs taint tracking of the guest kernel address space and detects the disclosure of uninitialized kernel stack/heap memory to user mode. It helped us identify over 70 bugs in the Windows kernel and more than 10 less severe bugs in Linux in 2017 and early 2018.

The tool was discussed at the REcon Montreal, Black Hat USA, and INFILTRATE conferences, as well as in the "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" whitepaper. It is also an open-source project, and its source code can be found in the bochspwn-reloaded repository.

Disclaimer

This is not an official Google product.

bochspwn's People

Contributors

j00ru

bochspwn's Issues

Mingw doesn't compile protoc file as ELF

When I ran configure with the command below:
./configure --host=i686-w64-mingw32 --prefix=/usr/i686-w64-mingw32/
then commented out the unittest_proto_middleman test from the src/Makefile file and ran the make command,
I got the error mentioned below:

libtool: link: i686-w64-mingw32-g++ -pthread -Wall -Wwrite-strings -Woverloaded-virtual -Wno-sign-compare -O2 -g -DNDEBUG -pthread -o .libs/protoc.exe main.o  ./.libs/libprotobuf.dll.a ./.libs/libprotoc.dll.a /home/pwn/protobuf-2.5.0/src/.libs/libprotobuf.dll.a -pthread -L/usr/i686-w64-mingw32/lib
libtool:   error: Could not determine the host path corresponding to
libtool:   error:   '/home/pwn/protobuf-2.5.0/src/.libs'
libtool:   error: Continuing, but uninstalled executables may not work.
libtool:   error: Could not determine the host path corresponding to
libtool:   error:   '/home/pwn/protobuf-2.5.0/src/.libs:/usr/i686-w64-mingw32/lib:/usr/i686-w64-mingw32/bin'
libtool:   error: Continuing, but uninstalled executables may not work.
make[3]: Leaving directory '/home/pwn/protobuf-2.5.0/src'
make[2]: Leaving directory '/home/pwn/protobuf-2.5.0/src'
make[1]: Leaving directory '/home/pwn/protobuf-2.5.0'

After that, when I run make install and then run the protoc command, I get this error:
The program 'protoc' is currently not installed. It compiles only protoc.exe for Win platforms.

root@ubuntu:/home/pwn/protobuf-2.5.0# ls -la /usr/i686-w64-mingw32/bin/
libprotobuf-8.dll       libprotobuf-lite-8.dll  libprotoc-8.dll         protoc.exe

Missing bochsrc.txt

The documentation (page 8) says that a bochsrc.txt file should be found in the source archive, similar to the config.txt file. Additionally, the documentation provides an example config.txt; however, the bochsrc.txt file appears to be missing from the archive.

Can this file be provided? Thanks!

update DOCUMENTATION.old.md

"In the LIBS environment variable, choose dbghelp.lib for a 32-bit build and dbghelp.dll for a 64-bit build."

Maybe it should be changed to:

"In the LIBS environment variable, choose 32bit dbghelp.lib or dbghelp.dll for a 32-bit build and 64bit dbghelp.lib or dbghelp.dll for a 64-bit build."
