Monday, October 28, 2013

SRDF - Write your Own Debugger

Inline image 2

1. Introduction:

Do you want to write your own debugger? ... Do you have a new technology and see the already known products like OllyDbg or IDA Pro don't have this technology? … Do you write plugins in OllyDbg and IDA Pro but you need to convert it into a separate application? … This article is for you.
In this article, I'm going to teach you how to write a full functional debugger using the Security Research and Development Framework (SRDF) … how to disassemble instructions, gather Process Information and work with PE Files … and how to set breakpoints and work with your debugger.

2. Why Debugging?

Debugging is usually used to detect application bugs and traces its execution … and also, it's used in reverse engineering and analyzing application when you don't have the source code of this application.
Reverse engineering is used mainly for detecting vulnerabilities, analyzing malware or cracking applications.
We will not discuss in this article how to use the debugger for these goals … but we will describe how to write your debugger using SRDF… and how you can implement your ideas based on it.

3. Security Research and Development Framework:

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.
This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

In User-Mode part, SRDF gives you many helpful tools … and they are:
  • Assembler and Disassembler
  • x86 Emulator
  • Debugger
  • PE Parser, ELF Parser, PDF and Android Parsers
  • Process Analyzer (Loaded DLLs, Memory Maps … etc)
  • MD5, SSDeep and Wildlist Scanner (YARA)
  • API Hooker, IAT Hooker and Process Injection
  • Backend Database, XML Serializer
  • Pcap File Anaylzer
  • Packet Analysis
  • Protcol Analysis like: TCP, UDP, ICMP, HTTP, DNS and so on
  • Network Flow Analysis and Network Separation
And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:
  • Object-oriented and easy to use development framework
  • Easy IRP dispatching mechanism
  • SSDT Hooker
  • Layered Devices Filtering
  • TDI Firewall
  • File and Registry Manager
  • Kernel Mode easy to use internet sockets
  • Filesystem Filter
  • Still the Kernel-Mode in progress and many features will be added in the near future. 
Check its website at:
Follow us in Twitter: @winSRDF

Read more: Codeproject
QR: Inline image 1