- The following is a translation of
- http://j00ru.vexillium.org/blog/23_10_14/Ucieczka%20z%20Matrixa.pdf
- using Google Translate.
- That presentation is linked from http://j00ru.vexillium.org/?p=2454
- Escape from the Matrix:
- (un)safe malware analysis
- Mateusz "j00ru" Jurczyk
- Mateusz Jurczyk
- ===============
- • ISE @ Project Zero, Google
- • Dragon Sector Team Vice-Captain
- • @j00ru
- • http://j00ru.vexillium.org/
- What will this be about?
- ========================
- • Malware.
- • The tools used to analyze it.
- • The security vulnerabilities in those tools.
- • Their active exploitation in order to run
- malicious code on a victim's machine.
- In short: the dangers that lie in wait for malware
- analysts, shown on real examples.
- What will this NOT be about?
- ============================
- Passively hindering analysis
- (obfuscation, anti-debugging tricks, steganography,
- etc.)
- A year ago, SECURE ...
- ======================
- "The thing about increasing (in)security. Food
- for thought."
- Gynvael Coldwind
- A year ago, SECURE ...
- ======================
- Gynvael showed that anti-virus applications,
- in addition to detecting threats, can seriously
- increase the attack surface of a computer
- system.
- A year ago, SECURE ...
- ======================
- • AV programs are, in the end, a great target for
- bug hunters and attackers:
- - Most often written in native languages (performance) ...
- - They parse complex data formats: executable
- files, archives, documents, ...
- - They run with administrator or kernel privileges ...
- - They take as input every file that appears on the
- machine.
- The thesis is confirmed
- =======================
- Over the last year even more evidence has appeared:
- • Joxean Koret, Breaking Anti-Virus Software, SyScan 2014 [1].
- - Dozens of critical bugs in most AV products.
- • Tavis Ormandy, Denial of Service in Microsoft Malware
- Protection Engine, June 2014 [2].
- The thesis is confirmed
- =======================
- Twitter post from Joxean Koret (@matalaz) on Oct 17: "There are some antivirus that I wonder if they happen to know how to code at all. I'm not talking about secure aware coding."
- Okay, ...
- =========
- ... anti-virus software may not be entirely safe.
- But what if we generalize the problem a bit and consider
- the entire set of software that comes into "contact" with
- malicious software?
- For example, the tools used for malware
- analysis?
- A brief digression
- ==================
- • In 2012, on a popular website with a .cn (China)
- suffix, I find an SWF file with functionality that
- interests me.
- • I cheerfully load the file into Sothink SWF Decompiler,
- one of the better decompilers for Flash files.
- • I wait a few seconds, and then ...
- A brief digression
- ==================
- (screenshot of crash of SWFDecompiler.exe)
- A brief digression
- ==================
- I attach a debugger, and there:
- (screenshot of windbg with access violation at 0x41414141)
- Coming back to the topic ...
- =============================
- Can we trust the tools that people at AV companies
- and other organizations, and we ourselves, use on a
- daily basis?
- - Who has never run Process Explorer,
- Process Monitor or Wireshark?
- Simple answer: unfortunately not. :(
- (slide 16, can't copy text to translate)
- Examples
- ========
- Hex-Rays IDA Pro
- ================
- • IDA Pro is currently the best executable-file
- disassembler available on the market.
- - Runs on Windows, GNU/Linux, OS X.
- - A vast user base: an essential tool for
- every reverse engineer.
- - Decompilers can be purchased for the
- IA-32, IA-64 and ARM 32 platforms.
- Familiar sight
- ==============
- (screenshot of IDA Pro)
- Hex-Rays invests in security
- ============================
- • ASLR, DEP, /GS and other mitigations enabled by
- default in the executable and its libraries.
- • Its own, safer implementations of standard
- C functions such as strncat and strncpy.
- • Bug bounty program: for each critical bug in the
- disassembler or decompiler the company pays 3000
- USD.
- Bug bounty program
- ==================
- (screenshot of hex-rays.com/bugbounty.shtml)
- On the other hand, ...
- ======================
- • Written entirely in C/C++.
- • Part of the source code is available in the IDA SDK.
- • A partial list of supported file formats:
- (long list of formats)
- On the other hand, ...
- ======================
- • Even more supported assembly formats: more than 60 processor families:
- (longer list of processors families)
- Many bugs reported and repaired since 2011
- ==========================================
- (screenshot of 13 bounties paid from hex-rays.com/bugbounty.shtml)
- Is it worth looking further?
- ============================
- • The question in mid-August 2014.
- • I decided to give it a chance.
- - It is 100% certain that not all supported formats
- have been thoroughly audited.
- - A high reward is a good motivator.
- • About three weeks of evenings spent auditing
- IDA's open and closed code.
- Results of the cursory audit
- ============================
- • 12 different bugs of the "memory corruption" class found in the parsers
- of these formats:
- - QNX, COFF, DBG, EPOC, DEX, PEF
- • 2 bugs classified by Hex-Rays as NOFIX due to an unrealistic
- attack scenario.
- • The remaining 10 vulnerabilities classified as 6 separate problems.
- • Fixed by the vendor in less than two weeks.
- - Date reported: September 6, 2014
- - Patch released: September 15, 2014
- (screenshot of changelog for IDA Pro with vulns from j00ru)
- Types of errors found
- =====================
- • COFF, DBG: Heap Buffer Overflow due to an Integer Underflow.
- • EPOC: 4-byte Heap Buffer Overflow due to an Off-By-One in bounds checking.
- • DEX: Heap Buffer Overflow due to Integer Overflow.
- • PEF: Multiple Heap Buffer Overflows due to Integer Handling Problems.
- • PEF: Heap Memory Corruption due to logical errors in memory management.
- • Many: Heap Buffer Overflows due to logical errors in memory management.
- EPOC: 4-byte Heap Overflow due to an Off-By-One
- ===============================================
- • EPOC is a simple executable file format used
- on the operating system of the same name.
- - Better known as Symbian.
- • It consists of a header followed by memory
- sections.
- - Section data can be stored in the file as "plain text"
- or compressed with the DEFLATE or BYTEPAIR algorithm.
- EPOC file format overview
- =========================
- (image of file format)
- ```
- +--------------------------+
- |E32 header                |
- +--------------------------+
- |        | Text section    |
- |Code    +-----------------+
- |section | Export table    |
- |        +-----------------+
- |        | Import table    |
- +--------------------------+
- |BSS section               |
- +--------------------------+
- |Data section              |
- +--------------------------+
- |Import section            |
- +--------------------------+
- |Relocation section        |
- +--------------------------+
- ```
- Not so fast ...
- ===============
- • No source code for the EPOC format in the IDA SDK.
- - All that remains is to reverse engineer the file epoc.ldw.
- • Very poor documentation of the format, in particular of
- the (de)compression algorithms.
- • The only meaningful sources of knowledge are the projects GnuPoc [3]
- (SymbianOS SDK) and symbian-dump (publicly available
- Symbian code) [4]
- Further analysis
- ================
- • After a brief analysis, it turned out that Hex-Rays
- uses the DEFLATE decompression code from the GnuPoc
- package.
- - And C code is something we can read! :)
- • For decompression code, it is written
- exceptionally well.
- Short exercise: find the error
- ==============================
- (image of some code related to Huffman:InteralizeL on slide 33)
- Off-By-One Error
- ================
- • The condition should read:
- ```
- if (p >= end) {
- ```
- • The bug allows a 4-byte (sizeof(TUint32))
- overwrite past a fixed-length buffer of 1316 bytes.
- • The nearby code contained more mistakes of
- this type.
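- The difference between the two comparisons, as an added example that is not the GnuPoc or IDA code: a writer fills a 1316-byte table of 32-bit words, once with the assumed flawed check `p > end` and once with the corrected `p >= end`. The function names, the guard word and the input count are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_BYTES 1316u                              /* buffer size quoted above */
#define TABLE_WORDS (TABLE_BYTES / sizeof(uint32_t))   /* 329 32-bit entries */
#define GUARD 0xC0FFEE00u                              /* marks the word after the table */

/* Stores up to n values through p, as a decoder filling a table would.
 * strict == 0 uses the flawed comparison, strict == 1 the corrected one.
 * Returns the number of words actually written. */
static size_t store_values(uint32_t *buf, const uint32_t *end, size_t n, int strict)
{
    uint32_t *p = buf;
    for (size_t i = 0; i < n; i++) {
        /* Flawed form: p == end is accepted although end is one past the table. */
        int full = strict ? (p >= end) : (p > end);
        if (full)
            break;
        *p++ = (uint32_t)i;
    }
    return (size_t)(p - buf);
}

/* Feeds n input-declared entries to the writer and returns how many bytes
 * landed beyond the 1316-byte table. The backing array carries one extra
 * guard word so the stray write stays inside memory this function owns. */
size_t bytes_past_table(size_t n, int strict)
{
    uint32_t storage[TABLE_WORDS + 1];
    memset(storage, 0, sizeof storage);
    storage[TABLE_WORDS] = GUARD;

    size_t written = store_values(storage, storage + TABLE_WORDS, n, strict);
    size_t overrun = written > TABLE_WORDS
                   ? (written - TABLE_WORDS) * sizeof(uint32_t) : 0;

    /* The guard word must be clobbered exactly when an overrun is reported. */
    if ((storage[TABLE_WORDS] != GUARD) != (overrun != 0))
        return (size_t)-1;
    return overrun;
}

int main(void)
{
    printf("p > end : %zu bytes past the table\n", bytes_past_table(1000, 0));
    printf("p >= end: %zu bytes past the table\n", bytes_past_table(1000, 1));
    return 0;
}
```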
- Off-By-One Error
- ================
- (slide 36, can't copy text)
- *** glibc detected *** ./idaq: free(): invalid pointer: 0x09dcecf8 ***
- ======= Backtrace: =========
- /lib/i386-linux-gnu/libc.so.6(+0x75b12)[0xf5f41b12]
- /opt/ida-6.6/loaders/epoc.llx(+0xce3c)[0xf55bde3c]
- /opt/ida-6.6/loaders/epoc.llx(+0xd406)[0xf55be406]
- /opt/ida-6.6/libida.so(+0x16c815)[0xf749b815]
- /opt/ida-6.6/libida.so(load_nonbinary_file+0xde)[0xf749bb8e]
- ./idaq[0x80b7ff5]
- ./idaq[0x8134d06]
- /opt/ida-6.6/libida.so(init_database+0x10d6)[0xf73d1c06]
- ./idaq[0x8094a1e]
- ./idaq[0x8284848]
- ./idaq[0x828497f]
- ./idaq[0x809605b]
- ./idaq[0x8096133]
- ./idaq[0x80963f7]
- /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xf5ee54d3]
- ./idaq[0x807ed11]
- PEF: Multiple Heap Buffer Overflows due to Integer Handling Problems
- ====================================================================
- - Preferred Executable Format
- - An executable file format used many years ago in Mac OS.
- - Currently seen only on PowerPC running BeOS.
- - Source code available in the IDA SDK.
- The process_loader_data function
- ================================
- • The function processes data addressed by offsets defined in the file header.
- (image of code for process_loader_data function)
- The pef_loader_t structure
- ==========================
- • All offsets are defined as 32-bit, fully controlled fields.
- (image of pef_loader_t struct)
- • IDA Pro 6.6 is available only in a 32-bit version, which favors
- integer overflow bugs when performing
- operations on pointers and offsets.
- Although the verification is ...
- ================================
- (image of code, and text I can't copy)
- As a result, the buffer overflows
- =================================
- (image of seg fault output)
- More bugs
- =========
- - process_loader_data contained 4 integer
- overflows leading to memory corruption.
- - For the observant: the listing shown earlier contains one more logical error.
- - Pointers to semantically distinct structures in the file are calculated from a single input buffer.
- - Structures can (and should) overlap in memory.
- - Modifying one can lead to an unexpected change in another.
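- How 32-bit offset arithmetic defeats a bounds check, as an added example that is not IDA's loader code: the header layout, the entry size and the function names are hypothetical, and the sample headers are constructed. The naive check computes the end of a table modulo 2^32; the checked form compares against the room that is left.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_SIZE 12u   /* assumed size of one table entry, in bytes */

/* Hypothetical, simplified header: two 32-bit fields read straight from the
 * untrusted file. This is not the layout of IDA's pef_loader_t. */
struct loader_hdr {
    uint32_t table_offset;   /* where the table starts inside the section */
    uint32_t entry_count;    /* how many entries it claims to hold */
};

/* Flawed: the multiplication and the addition are both done modulo 2^32,
 * so a huge offset or count can wrap to a small, plausible-looking end. */
bool table_fits_naive(const struct loader_hdr *h, uint32_t section_size)
{
    uint32_t end = h->table_offset + h->entry_count * ENTRY_SIZE;
    return end <= section_size;
}

/* Checked: compare against the room that is left instead of computing the
 * end, so no intermediate value can exceed 32 bits. */
bool table_fits_checked(const struct loader_hdr *h, uint32_t section_size)
{
    if (h->table_offset > section_size)
        return false;
    uint32_t room = section_size - h->table_offset;
    return h->entry_count <= room / ENTRY_SIZE;
}

/* Counts the headers that the naive check accepts but the checked one rejects. */
size_t count_wrapped(const struct loader_hdr *hdrs, size_t n, uint32_t section_size)
{
    size_t wrapped = 0;
    for (size_t i = 0; i < n; i++)
        if (table_fits_naive(&hdrs[i], section_size) &&
            !table_fits_checked(&hdrs[i], section_size))
            wrapped++;
    return wrapped;
}

/* Constructed sample headers for a 0x1000-byte section. */
const struct loader_hdr SAMPLES[] = {
    { 0x00000040u, 10u },          /* benign: ends at 0xB8 */
    { 0xFFFFFFF0u, 2u },           /* offset + size wraps to 0x8 */
    { 0x00000040u, 0x15555556u },  /* count * 12 wraps to 0x8 */
    { 0x00000FF0u, 2u },           /* honest overrun: ends at 0x1008 */
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("offset=0x%08x count=0x%08x naive=%d checked=%d\n",
               (unsigned)SAMPLES[i].table_offset, (unsigned)SAMPLES[i].entry_count,
               table_fits_naive(&SAMPLES[i], 0x1000u),
               table_fits_checked(&SAMPLES[i], 0x1000u));
    return 0;
}
```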
- BADMEMSIZE
- ==========
- • IDA internally uses its own memory containers for lists and
- buffers:
- - qvector
- - bytevec_t (inherits from qvector)
- • These classes provide some standard methods, such as:
- - ::growfill
- - ::append
- - ::reserve
- - ::resize
- Protection against integer overflows
- ====================================
- • These methods detect integer
- overflow situations.
- • But they handle them in a rather unusual way.
- - Rather than returning an error code or throwing an exception, they set
- the required buffer size to the constant BADMEMSIZE.
- - Assumption: malloc(BADMEMSIZE) will never
- succeed.
- Example
- =======
- (image of code for checking an append and setting a var to the value BADMEMSIZE)
- What is BADMEMSIZE?
- ===================
- ```
- #ifdef __X64__
- #define BADMEMSIZE 0xDEADBEEFDEADBEEF
- #else
- #define BADMEMSIZE 0xDEADBEEF
- #endif
- ```
- Hmm ...
- =======
- • IDA is only available in a 32-bit version, so we consider the constant 0xDEADBEEF.
- • 0xDEADBEEF = 3 735 928 559
- - Almost the entire 32-bit address space.
- - Well, "almost". Let's see whether an allocation of this size really never succeeds.
- Windows
- =======
- (image of process explorer showing memory usages for processes)
- Mac OS X
- ========
- CG image 0ad39000-0ad45000 [ 48K] rw-/rwx SM=PRV
- OpenGL GLSL 0aec8000-0aeca000 [ 8K] rw-/rwx SM=ZER
- MALLOC_LARGE (freed) 0aeca000-0af0b000 [ 260K] rw-/rwx SM=PRV
- MALLOC_LARGE (freed) 0af8c000-0afcd000 [ 260K] rw-/rwx SM=PRV
- CG image 0afed000-0b000000 [ 76K] rw-/rwx SM=PRV
- MALLOC_SMALL 0b000000-0b800000 [ 8192K] rw-/rwx SM=COW
- __DATA 0bfbc000-0bffe000 [ 264K] rw-/rwx SM=COW
- __DATA 0bffe000-0c023000 [ 148K] rw-/rwx SM=PRV
- __DATA 0c12f000-0c145000 [ 88K] rw-/rwx SM=ZER
- MALLOC_LARGE (freed) 0c246000-0c287000 [ 260K] rw-/rwx SM=PRV
- CG image 0c367000-0c3cb000 [ 400K] rw-/rwx SM=PRV
- VM_ALLOCATE 0c3cb000-0c3ce000 [ 12K] rw-/rwx SM=PRV
- Memory Tag 241 0c3cf000-0c3e5000 [ 88K] rw-/rwx SM=COW
- MALLOC_TINY 0c400000-0c500000 [ 1024K] rw-/rwx SM=PRV
- MALLOC_SMALL (freed) 0c800000-0d000000 [ 8192K] rw-/rwx SM=COW
- __DATA 488c5000-49599000 [ 12.8M] rw-/rwx SM=COW
- __DATA 49599000-495a8000 [ 60K] rw-/rwx SM=PRV
- __DATA 8ff08000-8ff0a000 [ 8K] rw-/rwx SM=PRV
- __DATA 8ff0a000-8ff32000 [ 160K] rw-/rwx SM=COW
- __DATA a032f000-a0330000 [ 4K] rw-/rwx SM=COW
- __DATA a0330000-a0331000 [ 4K] rw-/rwx SM=COW
- Linux
- =====
- (092e6000 and f5649000 is highlighted)
- ...
- 08048000-083de000 r-xp 00000000 fc:01 5250367
- 083de000-083e1000 r--p 00395000 fc:01 5250367
- 083e1000-083e6000 rw-p 00398000 fc:01 5250367
- 083e6000-083f8000 rw-p 00000000 00:00 0
- 08e80000-092e6000 rw-p 00000000 00:00 0 [heap]
- f5649000-f56c9000 rw-s 00000000 00:04 12582916
- f56c9000-f56d4000 r-xp 00000000 fc:01 6817133
- f56d4000-f56d5000 r--p 0000a000 fc:01 6817133
- f56d5000-f56d6000 rw-p 0000b000 fc:01 6817133
- f56eb000-f56ec000 rw-p 00000000 00:00 0
- ...
- Linux
- =====
- BINGO
- • In the address space of a 32-bit process on 64-bit
- Linux there is a "gap" of ~0xEC000000 bytes!
- • As a result, malloc(BADMEMSIZE) succeeds, returning
- an allocation of size 0xDEADBEEF for what should really have
- a size ≥ 0x100000000.
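- The gap can be measured directly from the maps excerpt, as an added example that is not part of the original slides: the parser below finds the largest hole between consecutive mappings and compares it with BADMEMSIZE. The address ranges are copied from the excerpt above; the function names are assumptions, and the fit test ignores allocator overhead and page rounding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BADMEMSIZE 0xDEADBEEFu   /* the 32-bit value quoted above */

/* Address ranges copied from the /proc/<pid>/maps excerpt above. */
const char *const MAPS_EXCERPT[] = {
    "08048000-083de000 r-xp",
    "083de000-083e1000 r--p",
    "083e1000-083e6000 rw-p",
    "083e6000-083f8000 rw-p",
    "08e80000-092e6000 rw-p [heap]",
    "f5649000-f56c9000 rw-s",
    "f56c9000-f56d4000 r-xp",
    "f56d4000-f56d5000 r--p",
    "f56d5000-f56d6000 rw-p",
    "f56eb000-f56ec000 rw-p",
};
#define MAPS_LINES (sizeof MAPS_EXCERPT / sizeof MAPS_EXCERPT[0])

struct gap {
    uint64_t start;   /* first unmapped address of the hole */
    uint64_t size;    /* length of the hole in bytes */
};

/* Returns the largest unmapped hole between consecutive mappings.
 * Lines must be sorted by address, which is how the kernel prints them. */
struct gap largest_gap(const char *const *lines, size_t n)
{
    struct gap best = { 0, 0 };
    uint64_t prev_end = 0;
    int seen = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned long long s, e;
        if (sscanf(lines[i], "%llx-%llx", &s, &e) != 2 || e <= s)
            continue;                       /* skip malformed lines */
        if (seen && s > prev_end && s - prev_end > best.size) {
            best.start = prev_end;
            best.size = s - prev_end;
        }
        if (!seen || e > prev_end)
            prev_end = e;
        seen = 1;
    }
    return best;
}

/* A request of this size can be placed in the hole if it is no larger. */
int request_fits(uint64_t request, struct gap g)
{
    return request <= g.size;
}

int main(void)
{
    struct gap g = largest_gap(MAPS_EXCERPT, MAPS_LINES);
    printf("largest gap: 0x%llx bytes at 0x%llx, BADMEMSIZE fits: %d\n",
           (unsigned long long)g.size, (unsigned long long)g.start,
           request_fits(BADMEMSIZE, g));
    return 0;
}
```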
- Consequences
- ============
- • The bug is present in multiple memory-management classes used by IDA's main engine and by the support for more than half of the input formats.
- • The report to Hex-Rays presented a crash provoked using the Mach-O format.
- BADMEMSIZE: crash in Mach-O
- ===========================
- Program received signal SIGSEGV, Segmentation fault.
- 0xf4d98168 in ?? () from /opt/ida-6.6/loaders/macho.llx
- (gdb) where
- #0 0xf4d98168 in ?? () from /opt/ida-6.6/loaders/macho.llx
- #1 0xf4db4aaf in ?? () from /opt/ida-6.6/loaders/macho.llx
- #2 0xf4db6fec in ?? () from /opt/ida-6.6/loaders/macho.llx
- #3 0xf7d7c815 in ?? () from /opt/ida-6.6/libida.so
- #4 0xf7d7cb8e in load_nonbinary_file () from /opt/ida-6.6/libida.so
- ...
- (gdb) x/10i $eip
- => 0xf4d98168: mov (%edi,%edx,4),%ecx
- 0xf4d9816b: mov %ecx,%eax
- 0xf4d9816d: mov %ecx,%ebx
- Hex-Rays IDA Pro: a summary
- ===========================
- In short: there are bugs, and they are easy to find.
- From the perspective of Researcher: not worth the bend and
- report. :)
- From a user's perspective: not exactly safe
- software for analyzing files from untrusted
- sources (probably 90% of use cases).
- What else do you use for analysis?
- ==================================
- Virtual machines!
- VM security
- ===========
- - Virtual machines are used to separate potentially malicious code from the proper environment.
- - The assumption: complete separation of the execution environments.
- But are you sure?
- Data flow
- =========
- - A large amount of information is exchanged between the guest and the host:
- - Virtual hardware implemented in software by the VM (screen, hard disk, network card, etc.)
- - Graphics card commands, 3D acceleration.
- - So-called additions: shared folders, drag-n-drop of files, shared storage, ...
- Attack vectors
- ==============
- • Each communication channel is a potential attack vector against applications isolated in this way.
- - Possibility of attacking the VM's auxiliary driver in order to execute ring-0 code (in the guest).
- - Possibility of attacking the VM monitor in order to execute ring-3 code (on the host).
- - In the case of exceptional bugs (e.g. in the CPU), the possibility of attacking the host kernel.
- • Example: vulnerabilities in kernels and hypervisors related to handling of the SYSRET instruction
- (Rafal Wojtczuk, 2012)
- Testability
- ===========
- • Many virtual machines are completely
- open-source, which allows auditing the
- (complex) source code.
- • In addition, the communication channels are easy
- fuzzing targets (e.g. VGA).
- Fuzzing VGA
- ===========
- DEMO
- Random examples
- ===============
- HOW IS IT IN PRACTICE?
- VM security: VirtualBox
- =======================
- User-mode -> Kernel-mode EOP
- - Tarjei Mandt, Oracle VirtualBox Integer Overflow
- Vulnerabilities, 2011 [5]
- - Mateusz Jurczyk, Oracle VirtualBox Integer Overflow
- Vulnerabilities, 2012 [6]
- - Matt Bergin, Oracle VirtualBox Guest Additions Arbitrary
- Write Privilege Escalation, 2014 [7]
- VM security: VirtualBox
- =======================
- Guest -> host EOP
- • Francisco Falcon, Breaking Out of VirtualBox
- through 3D Acceleration, Recon, 2014 [8]
- • Florian Ledoux, Advanced Exploitation of
- VirtualBox 3D Acceleration VM Escape
- Vulnerability, VUPEN blog, 2014 [9]
- VM security: VMware
- ===================
- - Derek Soeder
- – dozens of bugs: CVE-2008-4279, CVE-2012-1516, CVE-2012-1517, CVE-2013-1406, CVE-2013-3519 and others.
- - Kostya Kortchinsky, CLOUDBURST: A VMware Guest to Host Escape Story, 2009 [10]
- - Piotr Bania, VMware CloudBurst - VMware Guest to Host Escape Exploit, 2009 [11]
- - Piotr Bania, Old vmware cloudburst exploit, 2012 [12]
- Security in Xen
- ===============
- 74 bugs fixed since the beginning of 2013
- Security in QEMU
- ================
- - Nelson Elhage, Virtunoid: A KVM Guest Host privilege escalation exploit, 2011 [13]
- - Dozens of bugs, primarily in the implementation of
- emulated devices
- Security in QEMU
- ================
- (screenshot of CVE list)
- Errors on the side of the VM user
- =================================
- • Shared folders
- - Has anyone ever run programs stored in a shared
- folder of a VM executing untrusted code?
- • DLL hijacking, or simply infection of an EXE located in that
- directory.
- • No separation of network access to the host file system
- through network shares.
- • Other forgotten or obvious communication channels.
- AND SINCE WE ARE ALREADY ON THE SUBJECT OF
- VIRTUAL MACHINES ...
- Other routes of escape
- ======================
- • If we use remote kernel debugging
- to analyze malware, we create
- another communication channel that can become
- the target of an attack.
- • The immediate target in this case is
- WinDbg.
- The KDCOM protocol
- ==================
- • WinDbg talks to the guest kernel using the
- KDCOM protocol.
- - Kernel Debugging Communication
- - Simple packet header format:
- - More than 50 supported message types.
- The KDCOM protocol
- ==================
- • Fully described in several references:
- - Kernel and remote Debuggers [14]
- - KD extension DLLs & KDCOM protocol [15]
- • It has lived to see independent implementations.
- - SYSPROGS VirtualKD - an application that speeds up
- COM-port debugging sessions for VirtualBox and VMware
- - SecureWorks Wind Pill - a Perl implementation of the
- protocol.
- Fuzzing KDCOM
- =============
- • Testing automated by creating a proxy that
- modifies the communication between
- WinDbg and the kernel.
- Fuzzing KDCOM
- =============
- • Despite many attempts, I failed to provoke
- any error in WinDbg related
- directly to handling of the protocol.
- • Crashes did occur, however, when mutating the
- body of messages sent from the debugged
- virtual machine.
- What does WinDbg parse?
- =======================
- PE files, of course!
- Processing PE files
- ===================
- • WinDbg supports symbols.
- - Public ones, from the EXE's export table.
- - Private ones, located in the corresponding PDB file.
- • To obtain this information it needs to
- process executables from the guest.
- - WinDbg reads module memory from the guest and
- then passes it to the DbgHelp API, which is responsible
- for handling symbols.
- A few words about DbgHelp
- =========================
- • An auxiliary library provided by
- Microsoft.
- • Provides high-level functionality
- useful in debuggers.
- - Symbol support.
- - Creating process dumps.
- - Reading the call stack.
- A few words about DbgHelp
- =========================
- • Parses complex
- file formats such as PE or
- PDB.
- • As for the quality of the code: a
- practical lack of any
- input validation.
- "GREAT
- Sample DbgHelp vulnerabilities
- ==============================
- • Many out-of-bounds reads due to missing validation of PE structure fields, for example
- IMAGE_FILE_HEADER.NumberOfSections.
- • Arbitrary read while handling the Export Table.
- • Out-of-bounds read due to missing validation of ordinals in the Import
- Table.
- • Arbitrary read while handling the COFF Symbol Table.
- • Out-of-bounds write due to missing validation of ordinals in the
- Export Table.
- • Integer overflow during dynamic allocation of the internal array used for
- handling the Export Table.
- Executing code in the kernel of the virtual
- machine can lead to violation of
- WinDbg's memory integrity, and potentially to
- controlled code execution.
- The research was described in detail in 2010 on the blog
- [16]
- WinDbg and logical errors
- =========================
- • At exactly the same time, Alex Ionescu found that the
- KDCOM protocol allows any WinDbg command to be
- executed from the guest.
- • The .shell command allows running any
- program with controlled parameters.
- • The result is 100% reliable execution of
- controlled code on the host from the guest.
- WinDbg and logical errors
- =========================
- Solution: run windbg.exe with the flag -Secure.
- Secure Mode disables any debugger options that allow
- tampering with the system on which it is running.
- THIS IS NOT THE END!
- Wireshark
- =========
- (list of vuln counts)
- Other tools
- ===========
- All kinds of dissectors, lesser-known disassemblers etc.
- are often equally susceptible.
- Less attention is simply devoted to them, so they are mostly
- tested worse than the widely known applications.
- Example: the Sothink SWF Decompiler mentioned at the beginning.
- The moral?
- Are there currently active malware attacks on analysts or detection systems?
- ============================================================================
- probably* not
- * At least none that I know of.
- And could there be?
- ===================
- Definitely yes
- Conclusion?
- ===========
- Obviously the point is not to stop
- using these tools. :)
- It is worth, however, applying basic security
- practices, though it all depends on the
- situation and the threat model.
- Suggestions
- ===========
- • Use new operating systems
- - Every program is much more secure on Windows 8.1 than on Windows
- Vista.
- - Which is incidentally Microsoft's "fault", but that is a topic for a separate discussion.
- • Reduce the attack surface
- - Enable only the strictly necessary devices in the VM.
- - Use additions and other extra technologies (e.g. 3D acceleration)
- only if necessary.
- - In general: reduce to a minimum the number of lines of code that process
- untrusted data
- Suggestions
- ===========
- Is it likely that someone will create a
- stable exploit for our version of IDA Pro?
- Sure.
- Suggestions
- ===========
- And is it likely that someone will attack
- the host with an exploit for our version of IDA Pro,
- run in a sandbox operating in a stripped-down
- Microsoft virtual machine?
- Possible, but unlikely.
- The end
- =======
- j00ru.vx@gmail.com
- http://j00ru.vexillium.org
- @j00ru
- Materials
- =========
- [1] http://mincore.c9x.org/breaking_av_software.pdf
- [2] https://technet.microsoft.com/en-us/library/security/2974294.aspx
- [3] https://github.com/mstorsjo/gnupoc-package
- [4] http://sourceforge.net/projects/symbiandump/
- [5] http://mista.nu/blog/2011/07/19/oracle-virtualbox-integer-overflow-vulnerabilities/
- [6] http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
- [7] https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt
- [8] http://recon.cx/2014/slides/Breaking_Out_of_VirtualBox_through_3D_Acceleration-Francisco_Falcon.pdf
- [9] http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php
- [10] http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
- [11] http://blog.piotrbania.com/2009/09/vmware-cloudburst-vmware-guest-to-host.html
- [12] http://blog.piotrbania.com/2012/07/old-vmware-cloudburst-exploit.html
- [13] https://media.blackhat.com/bh-us-11/Elhage/BH_US_11_Elhage_Virtunoid_WP.pdf
- [14] http://www.developerfusion.com/article/84367/kernel-and-remote-debuggers/
- [15] http://articles.sysprogs.org/kdvmware/kdcom.shtml
- [16] http://j00ru.vexillium.org/?p=405