IceBox - Virtual Machine Introspection, Tracing & Debugging

(27 views)

Icebox is a Virtual Machine Introspection solution that enable you to stealthily trace and debug any process (kernel or user). It's based on project Winbagility.

Files which might be helpful:

Demo

Project Organisation

  • fdp: Fast Debugging Protocol sources
  • icebox: Icebox sources
    • icebox: Icebox lib (core, os helpers, plugins...)
    • icebox_cmd: Program that test several features
    • samples: Bunch of examples
  • winbagility: stub to connect WinDBG to FDP
  • virtualbox: VirtualBox sources patched for FDP.

Getting Started

Some sample have been written in samples folder.

You can build them with these instructions after you installed the requirements.

If your using a Windows guest you might want to set the environment variable _NT_SYMBOL_PATH to a folder that contains your guest's pdb. Please note that icebox setup will fail if it does not find your guest's kernel's pdb.

vm_resume:
vm_resume just pause then resume your VM.

cd icebox/bin/$ARCH/
./vm_resume <vm_name>

nt_writefile:
nt_writefile breaks when a process calls ntdll!NtWriteFile, and dumps what's written in a file on your host in the current directory.

cd icebox/bin/$ARCH/
./nt_writefile <vm_name> <process_name>

heapsan:
heapsan breaks ntdll memory allocations from a process and add padding before & after every pointer. It is still incomplete and doesn't do any checks yet.

cd icebox/bin/$ARCH/
./heapsan <vm_name> <process_name>

wireshark:
wireshark breaks when ndis driver reads or sends network packets and creates a wireshark trace (.pcapng). Each packet sent is associated to a callstack from kernel land to userland if necessary.

cd icebox/bin/$ARCH/
./wireshark <name> <path_to_capture_file> 

More at: https://github.com/thalium/icebox 

March 16, 2020

Author

Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023