In this post you will learn how to install, configure and run the TProbe debugger. You can read more about TProbe here.
This chapter covers the installation of the DEB packages. Following this tutorial, you will be able to install TProbe on Ubuntu and Debian systems and their derivatives.
First, verify that your workstation meets the hardware and software requirements. The emulator component can be very demanding in terms of computational power when the guest is a newer and larger system. If you have a well-performing server, you can check this article to find out how to deploy the emulator on it separately. If you only have a personal computer with average computational power, we suggest using Windows XP as the guest operating system.
Ubuntu or Debian Linux
Processor with 4 or more threads (2.70 GHz)
10GB free disk space
Qemu virtual machine running Windows XP or 32-bit Windows 7
Also, install these TProbe dependencies:
Download necessary deb packages from the following site:
Alternatively, use the following commands to download necessary deb packages:
When downloaded, verify the integrity of packages with relevant checksums:
Install the packages using the following commands:
Before launching TProbe, open and verify the configuration file with your favourite editor:
Choose the appropriate profile (please keep in mind that only WinXPSP2x86 and Win7SP0x86 have been verified so far).
You can use the directly_to_gshell option to spawn the graphic shell (gshell) automatically upon TProbe startup.
After you're done adjusting the configuration, proceed to running your virtual machine. The recommended command is similar to the following:
The parameters used are described below:
- drive - the path to your guest system's hard drive image
- s - expose a gdbstub on tcp::1234 and wait for the debugger to connect. This setting matches the current TProbe configuration
- monitor stdio - the current shell will be used to interact with the Qemu monitor, giving you control over what happens with your guest machine
After spawning the guest machine, it's time to attach to it with the debugger.
WARNING!!! You need to wait until the guest operating system has set up its fundamental kernel data structures in order for the volatility component to interpret the memory contents properly. It is safe to attach to the machine once the login screen is presented.
The following actions take place during the attach process.
First, the GDB debugger is spawned. It attaches to the remote gdbstub socket by connecting to localhost:1234. When the connection is made, the Python interpreter spawns the modified volatility (the tprobe-volatility component) in order to interpret the memory contents properly. It has to find the DTB (Directory Table Base) structures of processes within the physical memory. In order to do that, it scans the whole physical memory in search of the DTB.
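As an added illustration of the first step of that attach sequence (example code, not part of TProbe or of this post), here is a minimal Python client that speaks the GDB Remote Serial Protocol to the Qemu gdbstub on localhost:1234, using the same $...#xx framing and modulo-256 checksum that GDB itself uses when it connects. The host, port and the 'm' read-memory command follow the standard protocol; the values in the docstrings and the hex reply bytes are constructed for illustration.

```python
import socket


def rsp_encode(payload: bytes) -> bytes:
    """Frame a GDB Remote Serial Protocol packet as $<payload>#<checksum>."""
    checksum = sum(payload) % 256          # modulo-256 sum of the payload bytes
    return b"$" + payload + b"#" + f"{checksum:02x}".encode()


def rsp_decode(frame: bytes) -> bytes:
    """Check the $...#xx framing and checksum of a stub reply; return the payload."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("malformed RSP frame")
    payload, checksum = frame[1:-3], int(frame[-2:], 16)
    if checksum != sum(payload) % 256:
        raise ValueError("RSP checksum mismatch")
    return payload


def memory_read_command(addr: int, length: int) -> bytes:
    """Build the 'm' (read memory) command: hex address, comma, hex byte count."""
    return f"m{addr:x},{length:x}".encode()


def parse_memory_reply(payload: bytes) -> bytes:
    """A read-memory reply is either hex-encoded bytes or an Exx error code."""
    if payload[:1] == b"E":
        raise IOError(f"gdbstub returned error {payload.decode()}")
    return bytes.fromhex(payload.decode())


class GdbStubClient:
    """Minimal client for the gdbstub that Qemu exposes when started with -s."""

    def __init__(self, host: str = "localhost", port: int = 1234, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout)

    def command(self, payload: bytes) -> bytes:
        self.sock.sendall(rsp_encode(payload))
        data = b""
        while True:                          # accumulate until one complete $...#xx frame arrives
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("gdbstub closed the connection")
            data += chunk
            start = data.find(b"$")          # skips the '+' acknowledgement the stub sends first
            end = data.find(b"#", start) if start != -1 else -1
            if end != -1 and len(data) >= end + 3:
                self.sock.sendall(b"+")      # acknowledge the reply, as GDB does
                return rsp_decode(data[start:end + 3])

    def read_memory(self, addr: int, length: int) -> bytes:
        return parse_memory_reply(self.command(memory_read_command(addr, length)))
```

With the guest started as described above, `GdbStubClient().read_memory(0x80000000, 4)` returns the raw bytes the stub reads at that virtual address; volatility's DTB scan is what later turns such raw memory into process structures.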
DTB scanning takes a little while, especially in newer versions of Windows, so please be patient.
When the DTB is successfully located, TProbe proceeds to display the user interface. Depending on your configuration, it will be the graphical shell (gshell) or the volshell-based command-line interpreter.
After you have successfully deployed your TProbe suite, take some time to explore its functionality. You might find this overview of TProbe features helpful.
If you feel you have a good, intuitive grasp of the functionality, you can proceed to the first analysis write-up on tracking injected code with TProbe.