S3SS10N Wednesday – Development & Reverse Engineering (Windows Kernel)



Published: December 21, 2016 | By: John Foster | Views: 5060

This Week's S3SS10N Wednesday

In this S3SS10N Wednesday video, our host, John Foster, takes us on a fascinating exploration of debugging the infamous and dreaded Blue Screen of Death, fondly known simply as the “BSOD.” John’s investigation is an updated take on a procedure outlined in a well-known blog post from a few years back entitled “A Blue Screen by any other Color.”

The approach John discusses in this session is tailored for the Windows 10 BSOD. Microsoft’s attempt at making the newer version of the BSOD friendlier by adding a smiley face seems to have fallen a bit short in improving the moods of its hapless victims. In any event, instead of utilizing a software tool as in the previous approach to induce the BSOD, John discusses how to achieve the same effect by tweaking a kernel mode driver in Win10.

The basic setup consists of two Windows machines in a virtualized environment communicating over a serial communications connection using a named pipe. The client machine acts as the debugger running Microsoft Visual Studio 2015.

Attached on the other end of the connection is the debuggee, upon which we’ll inflict a catastrophic fault. This is achieved by defining a null pointer and then dereferencing it. Because this happens in kernel mode, the result is a critical fault rather than the mere segmentation fault the same dereference would produce in user mode. A critical kernel mode fault causes the BSOD to be displayed.

John goes over the full details of setting things up, but in a nutshell, once the debuggee has faulted, the debugger running on the client machine is attached over the serial connection. From there, it’s a matter of stepping through the disassembled code in the VS 2015 debugger to find the code that draws the bugcheck screen. This area of the code contains the instructions for handling and displaying the Win10 BSOD.
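As an added illustration (not from the video or from Cybrary), here is the debuggee-side configuration for the serial/named-pipe link described above. It assumes the guests run under Hyper-V and that the pipe is named `\\.\pipe\kd_debuggee`; VMware and VirtualBox expose the same serial-port-to-named-pipe option in their VM settings.

```powershell
# Constructed example. On the DEBUGGEE guest (elevated prompt): point the kernel
# debugger transport at COM1, 115200 baud, and enable it. Takes effect on reboot.
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /debug on
bcdedit /dbgsettings   # confirm: should report debugtype Serial, debugport 1

# On the HOST: wire the debuggee's COM1 to a named pipe (Hyper-V shown; the
# VM name and pipe path are assumptions for this example).
Set-VMComPort -VMName "Debuggee" -Number 1 -Path "\\.\pipe\kd_debuggee"
Get-VMComPort -VMName "Debuggee"   # verify the pipe path was applied
```

The debugger side (VS 2015 with the WDK, or WinDbg) must be attached to the other end of that same pipe; how that is done depends on the hypervisor. A debuggee left with `/debug on` will stall at boot waiting for a debugger if the pipe is absent, so switch it back off with `bcdedit /debug off` once the lab is finished.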

John concludes the session by demonstrating a pretty nifty trick: he pokes a new VGA color code for the screen background into the bugcheck handler. This turns the BSOD into the “Yellow Screen of Death!”


About This S3SS10N Wednesday's Contributor

John Foster
John Foster is a security researcher and do-er of things for Point3 Security. He has a degree in Information Systems from Shippensburg University and an MBA from Texas A&M - Commerce. He worked previously at the United States Navy and the Pentagon, doing cyber-y things. He currently teaches cyber operations and reverse engineering for the DoD.