8/13/2023

Run bochs in debug

Reverse engineers almost invariably need to emulate some code while reverse engineering. Building an emulator from scratch can be time consuming and error prone. In this talk we present a few techniques on how to use an existing emulator (such as Bochs) and write a program that can construct a custom disk image containing a tailored operating system to run a specific piece of code or malware. This paper explains how we tackled the problem while covering the following aspects:

- disk structure: file system design and file format structure.
- booting process: page table setup, GDT/IDT setup and exception dispatching.
- host/guest interaction: communication method used to exchange information between the host and the guest.

For your convenience, we included a sample mbr.asm file ready for you to compile.

If you don't have a Bochs image ready, please use the bximage.exe tool to create a disk image. Edit your bochsrc file and add the ata0 line (generated by the bximage tool) to it, and finally run bochsdbg.exe to verify that you can run Bochs properly (outside of IDA). If you see the Bochs debugger prompt, you can press "c" to continue execution, but Bochs will complain because our disk image is not bootable (as a new disk image, it lacks the 55AA signature at the end of the first sector).

Inserting the MBR into the disk image

To insert the MBR into the disk image, we can write a small Python function.

As discussed previously, loading the bochsrc file into IDA is not enough (see above), so we need to write another script that acts like a loader:

```python
import idc
import idaapi  # both are already available inside IDAPython; the imports are for clarity

def load_mbr():
    """This small routine loads the MBR into IDA.
    It acts as a custom file loader (written with a script)."""
    global SECTOR_SIZE, BOOT_START, BOOT_SIZE, BOOT_END, SECTOR2, MBRNAME
    # Grow the boot segment from one sector to the full MBR size
    idc.SetSegBounds(BOOT_START, BOOT_START, BOOT_START + BOOT_SIZE, idaapi.SEGMOD_KEEP)
    # Load the second sector of the compiled MBR (file offset 512, 512 bytes) at SECTOR2
    idc.loadfile(MBRNAME, SECTOR_SIZE, SECTOR2, SECTOR_SIZE)
```

What we did is simply extend the segment from 512 to 1024 bytes (our sample MBR is 1024 bytes long) and load into IDA the rest of the MBR code from the compiled mbr.asm binary.

When we assemble mbr.asm, a map file will also be generated. We will write a simple parser to extract the addresses and names from the map file and copy them to IDA. The parser prepares a regular expression matching the symbol lines of the map file and returns a list of tuples (addr, addr_name), or an empty list on failure. A second function tries to apply the symbol names in the database; if it succeeds, it prints how many symbol names were applied.

Now that we addressed all of the issues previously mentioned, let us glue everything with a batch file. If you noticed, we run IDA twice: the first time we run it and pass our script name to IDAPython; the script will continue the custom loading process and symbol propagation for us. The second time we run IDA with the "-rbochs" switch, telling IDA to open the database and directly run the debugger.

And last but not least, how do you debug your MBR code? You can still run IDA just once, with "start idag -c -A -OIDAPython:mbr.py bochsrc"; however, in that case you do not call Exit() and you turn off batch mode (with Batch(0)).

Comments and suggestions are welcome.
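The disk-image step above ("To insert the MBR into the disk image, we can write a small Python function") as an added example, not the function from the original post: it writes a compiled MBR over the first sectors of a bximage disk in place, refuses an MBR that lacks the 55AA signature, and can detect the non-bootable fresh image the post mentions. The file names, the function names (write_mbr, is_bootable, demo) and the sample image and MBR bytes that demo() constructs are assumptions of this example.

```python
"""
Insert a compiled MBR into a flat Bochs disk image and check bootability.
Added example, not the original post's code. Assumptions: the assembled MBR
is a flat binary whose first 512 bytes end in 55 AA, and the disk image is
the raw flat file produced by bximage.
"""
import os
import tempfile

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"


def is_bootable(image_path):
    """True if the first sector of the image ends with the 0x55 0xAA signature.
    A freshly created bximage disk is all zeros, so this returns False."""
    with open(image_path, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    return len(sector) == SECTOR_SIZE and sector[SECTOR_SIZE - 2:] == BOOT_SIG


def write_mbr(image_path, mbr_path, preserve_partition_table=False):
    """Copy mbr_path over the first sectors of image_path, in place.

    The MBR may be longer than one sector (the sample mbr.asm is 1024 bytes);
    every sector of it is written. With preserve_partition_table=True the
    partition table (offset 0x1BE..0x1FD) already in the image is kept, as a
    real boot-loader installer would do. Returns the number of sectors written.
    """
    with open(mbr_path, "rb") as f:
        mbr = f.read()
    if len(mbr) < SECTOR_SIZE or mbr[SECTOR_SIZE - 2:SECTOR_SIZE] != BOOT_SIG:
        raise ValueError("MBR is shorter than a sector or lacks the 55AA signature")
    if len(mbr) % SECTOR_SIZE:
        mbr += b"\x00" * (SECTOR_SIZE - len(mbr) % SECTOR_SIZE)  # pad to whole sectors
    if len(mbr) > os.path.getsize(image_path):
        raise ValueError("MBR is larger than the disk image")
    with open(image_path, "r+b") as f:  # r+b rewrites in place without truncating
        if preserve_partition_table:
            old = f.read(SECTOR_SIZE)
            mbr = mbr[:0x1BE] + old[0x1BE:0x1FE] + mbr[0x1FE:]
            f.seek(0)
        f.write(mbr)
    return len(mbr) // SECTOR_SIZE


def demo(workdir=None):
    """Constructed end-to-end run: a blank 1 MiB disk (what bximage produces)
    and a 1024-byte stand-in MBR (not real boot code: a 'jmp $' loop, NOP
    padding, the 55AA signature, then a second sector of INT3s)."""
    workdir = workdir or tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")
    mbr_bin = os.path.join(workdir, "mbr.bin")
    unsigned = os.path.join(workdir, "unsigned.bin")
    with open(image, "wb") as f:
        f.write(b"\x00" * (1024 * 1024))
    sector1 = b"\xeb\xfe" + b"\x90" * (SECTOR_SIZE - 4) + BOOT_SIG
    sector2 = b"\xcc" * SECTOR_SIZE
    with open(mbr_bin, "wb") as f:
        f.write(sector1 + sector2)
    with open(unsigned, "wb") as f:
        f.write(b"\x00" * SECTOR_SIZE)  # no signature: must be rejected

    before = is_bootable(image)
    written = write_mbr(image, mbr_bin)
    after = is_bootable(image)
    rejected = False
    try:
        write_mbr(image, unsigned)
    except ValueError:
        rejected = True
    with open(image, "rb") as f:
        head = f.read(2 * SECTOR_SIZE)
    return {
        "bootable_before": before,
        "sectors_written": written,
        "bootable_after": after,
        "sector2_loaded": head[SECTOR_SIZE:] == sector2,
        "unsigned_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Opening the image with "r+b" matters: "wb" would truncate a multi-megabyte image to the size of the MBR, and Bochs would then refuse the disk because its geometry no longer matches the ata0 line in bochsrc.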
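For the map-file step above, an added example of the parser and the name applier; it is not the original post's code, whose regular expression and map-file format are not reproduced on the page. It assumes the map file is NASM's "[map all]" output for a flat binary, whose "-- Symbols" section lists lines of the form "real virtual name" with hexadecimal addresses, and that the names are applied with idc.set_name (IDA 7+ API). parse_map_text, parse_map_file, apply_names and the embedded SAMPLE_MAP are constructed for this example; apply_names takes an optional callable so it can be exercised outside IDA.

```python
"""
Map-file parser and IDA name applier. Added example, not the post's code.
Assumed map format: NASM '[map all mbr.map]' output for 'nasm -f bin'.
"""
import re

# One symbol line in the "-- Symbols" section: "<real> <virtual> <name>"
SYMBOL_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\S+)\s*$")

# Constructed sample, shaped like a NASM map for a two-sector MBR at 0x7C00
SAMPLE_MAP = """\
- NASM Map file ---------------------------------------------------------------

Source file:  mbr.asm
Output file:  mbr.bin

-- Program origin -------------------------------------------------------------

00007C00

-- Sections (summary) ---------------------------------------------------------

Vstart            Start             Stop              Length    Class     Name
             7C00              7C00              8000  00000400  progbits  .text

-- Symbols --------------------------------------------------------------------

---- Section .text ------------------------------------------------------------

Real              Virtual           Name
             7C00              7C00  start
             7C1A              7C1A  read_sector2
             7C40              7C40  disk_error
             7E00              7E00  stage2
"""


def parse_map_text(text):
    """Return a list of (virtual_addr, name) tuples from map-file text, or an
    empty list on failure (no symbol section, or nothing that parses)."""
    symbols = []
    in_symbols = False
    for line in text.splitlines():
        if line.startswith("-- Symbols"):
            in_symbols = True       # only lines after this header are symbols
            continue
        if not in_symbols:
            continue
        m = SYMBOL_LINE.match(line)  # header/section lines do not match
        if m:
            symbols.append((int(m.group(2), 16), m.group(3)))
    return symbols


def parse_map_file(path):
    """Same as parse_map_text but reads the file; [] if it cannot be read."""
    try:
        with open(path, "r") as f:
            return parse_map_text(f.read())
    except (IOError, OSError):
        return []


def apply_names(symbols, set_name=None):
    """Try to apply the symbol names in the database. Returns the number of
    names applied and prints it. set_name(ea, name) -> bool defaults to
    IDA's idc.set_name (assumption: IDA 7+ IDAPython); pass a callable to
    run outside IDA."""
    if set_name is None:
        import idc  # only importable inside IDA

        def set_name(ea, name):
            return bool(idc.set_name(ea, name, idc.SN_NOWARN))
    applied = 0
    for addr, name in symbols:
        if set_name(addr, name):
            applied += 1
    print("Applied %d of %d symbol names" % (applied, len(symbols)))
    return applied


if __name__ == "__main__":
    names = {}
    apply_names(parse_map_text(SAMPLE_MAP), lambda ea, n: names.setdefault(ea, n) == n)
    print(names)
```

The virtual column is the one to use: the sample MBR is assembled with its origin at 0x7C00, which is where the loader script above places it in the database, so the map addresses can be applied without any rebasing. Inside IDA, call apply_names(parse_map_file("mbr.map")) from the loader script and it will use idc.set_name directly.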