📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

OS Independent Ring-0/Kernel Mode Debugger

Topic created on: March 29, 2007 14:56 CDT by dennis.

I've just stumbled on this OS independent r0 debugger.

http://rr0d.droids-corp.org/

Comes with a "funny" explanation in ppt format ;-)

  apridgen   March 29, 2007 15:49.17 CDT
If for nothing else, you should visit to see the pictures describing some of the features :-). Looks interesting; I'll give it a try in a few days, since I typically work across Linux and Windows platforms.

  dennis     March 29, 2007 16:13.35 CDT
I personally like the rasta mode. It's so colorful ;-P

  nezumi     March 30, 2007 16:34.17 CDT
I've fixed some minor errors and compiled this debugger under W2K, but it doesn't work: it crashes the system in text mode (full-screen console) and freezes in the GUI under VMware (the driver was compiled for 1024x768, 16-bit color). Well, as its readme says: rr0d doesn't seem to detect the VMware driver...

If you want to test it on your hardware, just place the right version of cancel.sys and driver_loader.exe in the same directory, run driver_loader.exe as root, then run popup.exe and see what happens.

http://nezumi.org.ru/souriz/rr0d-w2k-bin.zip

  dennis     March 31, 2007 02:42.59 CDT
SoftICE is still the only r0 debugger working for me on a VM. Did anyone get Syser to work on a VM?

  serpilliere   March 31, 2007 09:18.51 CDT
Hi!

It's normal that rr0d doesn't work in text mode on Win2K: the text mode is called that because it directly manipulates the VGA video card (like on the Linux console), so it assumes you are *already* in console mode.

The fact is that I have only compiled it on Windows XP SP2 and Win98 (which I think doesn't compile anymore), not on Win2K. The problem is that there is one (maybe two) address needed by rr0d that is, humm, hardcoded, for example the address of the mirror mapping between linear and physical addresses (the 15 MB for hardware compliance).
On Linux this is 0xC0000000, on XP it's 0xC2690000, and maybe on 2K it's another one.

Another point: if rr0d freezes but the machine doesn't reboot, maybe you are on the right track: maybe rr0d is launched, but the graphics don't display (a bit like under VMware).

But I'm working a bit on maybe an independent video driver (a bit like SoftICE), which will be kernel dependent and so moves the problem elsewhere.

In a nutshell, there is a bunch of explanation (and non-explanation) revealing that rr0d is, humm, not user friendly like the commercials say.

Maybe all of this should be fixed one day. The easy way may be to split it into different versions per OS, but that breaks the rasta spirit of rr0d and so will anger the rasta god.

The fact that the SoftICE guys stopped it angered the rasta god as well. This may push some more development into the rr0d source. (By the way, I met a SoftICE guy one day and I asked: but what the hell?? He said: humm, SoftICE costs too much and, erf, as most users are crackers and don't pay their license, it's not really a money maker. Maybe developing ring-0 code on VMware kills the market as well.)

The problem is that some people need SoftICE not to develop but for other stuff.

I should have responded to that: OK, I will release rr0d with a license now, but with its rrOd.ZIP-XXXX-[INCLUDE-KEYGEN-WORKING]

rasta'em all.

serpilliere
