Icebox - Virtual Machine Introspection, Tracing & Debugging
Icebox is a Virtual Machine Introspection solution that enables you to stealthily trace and debug any process (kernel or user). It is based on project Winbagility.
Files which might be helpful:
- INSTALL.md: how to install icebox.
- BUILD.md: how to build icebox.
Demo
Project Organisation
- fdp: Fast Debugging Protocol sources
- icebox: Icebox sources
  - icebox: Icebox lib (core, os helpers, plugins...)
  - icebox_cmd: Program that tests several features
  - samples: Bunch of examples
- winbagility: stub to connect WinDBG to FDP
- virtualbox: VirtualBox sources patched for FDP.
Getting Started
Some samples have been written in the samples folder.
You can build them with these instructions after you have installed the requirements.
If you are using a Windows guest you might want to set the environment variable _NT_SYMBOL_PATH to a folder that contains your guest's pdb files. Please note that icebox setup will fail if it does not find your guest's kernel pdb.
vm_resume:
vm_resume simply pauses and then resumes your VM.
    cd icebox/bin/$ARCH/
    ./vm_resume
nt_writefile:
nt_writefile breaks when a process calls ntdll!NtWriteFile, and dumps what is written into a file on your host in the current directory.
    cd icebox/bin/$ARCH/
    ./nt_writefile
heapsan:
heapsan breaks on ntdll memory allocations from a process and adds padding before & after every pointer. It is still incomplete and does not perform any checks yet.
    cd icebox/bin/$ARCH/
    ./heapsan
wireshark:
wireshark breaks when the ndis driver reads or sends network packets and creates a wireshark trace (.pcapng). Each packet sent is associated with a callstack from kernel land to userland if necessary.
    cd icebox/bin/$ARCH/
    ./wireshark