Information:
Intro
========
When IDA Win32 Debugger first came out, I commented:
"hmm, the debugger is nice...I sure wish you'd implement remote debugging because I hate to debug viruses on my local machine..."
I kept the idea in mind for a while, then one Sunday I started to code.
I have no idea how existing remote debuggers work, so the current solution is an implementation of my own ideas and experience.
The only approach that came to mind was simple API transporting.
I started the project not knowing whether it would yield success or failure.
I had to learn a lot to make this possible: winsock, extensive Win32 debug API research, the IDA SDK, API hooking, the PE structure, ...
If you find RDBG useful, please drop me a note with your comments and thoughts.
//lallous [lallousx86_at_yahoo.com]
How it works
===============
RDBG.PLW (the debug client) is an IDA plugin. Because the plugin lives in the memory of IDA's debugger process (win32_user.plw),
it can easily patch that module's import table and replace its imported functions (especially the ones related to debugging).
Having located and replaced the imports, I had to make a remote version of every function I hooked.
Here's the API transport flow:
Client side: IDA Dbg->RDBG.PLW->[cache engine|network]->RAPI server->OS
Server side: OS->RAPI Server->Network->RDBG.PLW->IDA Dbg
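The import-table patching described above, as an added illustration that is not the plugin's own code: a walker over a 32-bit image's import directory that redirects one IAT slot, run against a constructed in-memory image so it builds without the Windows SDK. The structure layouts mirror WinNT.h; the image contents, DLL/function names and addresses are made up for the demonstration.

```cpp
#include <cstdint>
#include <cstring>
#include <strings.h>
// Minimal 32-bit PE import structures as in WinNT.h, redeclared so this builds without the Windows SDK.
struct ImportDescriptor {
    uint32_t OriginalFirstThunk;  // RVA of the import name table (INT)
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                // RVA of the imported DLL's name
    uint32_t FirstThunk;          // RVA of the import address table (IAT)
};
struct ImportByName { uint16_t Hint; char Name[1]; };

// Walk a mapped image's import directory and point the IAT slot for dll!func at new_fn.
// Returns the slot's previous value, or 0 if not found. RDBG does this inside its own host
// process against win32_user.plw; a real hook must first make the IAT page writable (VirtualProtect).
uint32_t hook_iat(uint8_t* base, uint32_t import_dir_rva,
                  const char* dll, const char* func, uint32_t new_fn) {
    auto* desc = reinterpret_cast<ImportDescriptor*>(base + import_dir_rva);
    for (; desc->Name != 0; ++desc) {
        if (strcasecmp(reinterpret_cast<char*>(base + desc->Name), dll) != 0) continue;
        auto* names = reinterpret_cast<uint32_t*>(base + desc->OriginalFirstThunk);
        auto* iat   = reinterpret_cast<uint32_t*>(base + desc->FirstThunk);
        for (; *names != 0; ++names, ++iat) {
            if (*names & 0x80000000u) continue;  // imported by ordinal: no name to match
            auto* ibn = reinterpret_cast<ImportByName*>(base + *names);
            if (strcmp(ibn->Name, func) == 0) { uint32_t old = *iat; *iat = new_fn; return old; }
        }
    }
    return 0;
}

// Constructed stand-in for a mapped module: one descriptor for KERNEL32.dll with two named
// imports. Every RVA and address below is made up for the demonstration.
alignas(4) static uint8_t image[512];
uint32_t demo_hook() {
    memset(image, 0, sizeof image);
    auto* d = reinterpret_cast<ImportDescriptor*>(image);  // descriptor table at RVA 0
    d[0].Name = 0x100; d[0].OriginalFirstThunk = 0x140; d[0].FirstThunk = 0x180;
    strcpy(reinterpret_cast<char*>(image + 0x100), "KERNEL32.dll");
    auto* names = reinterpret_cast<uint32_t*>(image + 0x140);
    auto* iat   = reinterpret_cast<uint32_t*>(image + 0x180);
    names[0] = 0x1c0; names[1] = 0x1e0;        // RVAs of the ImportByName entries
    strcpy(reinterpret_cast<char*>(image + 0x1c2), "WriteProcessMemory");
    strcpy(reinterpret_cast<char*>(image + 0x1e2), "ReadProcessMemory");
    iat[0] = 0x7c800100; iat[1] = 0x7c800200;  // "resolved" addresses before hooking
    return hook_iat(image, 0, "kernel32.dll", "ReadProcessMemory", 0x10001000);
}
uint32_t iat_slot(int i) { return reinterpret_cast<uint32_t*>(image + 0x180)[i]; }
```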
How to use it
===============
Client configuration:
-----------------------
1) Open a database
2) Choose menu: Debugger / Process Options
3) Set the application and input file to point to the location of the program on the server's machine
4) Connect to client
5) Enable RDBG
6) Hit F9 and enjoy!
File Map feature
-------------------
Because it is not always possible to have the same drives and locations on both client and server, I have created the file mapping
feature. It lets you specify which file on the client corresponds to each file on the server side.
Syntax:
Location of file at server=location of file at client (where IDA is)
Example:
----------
[filemap]
c:\quarantine\virus1.exe=c:\virusresearch\virus1.pe
File Map (server specific)
------------------------------
For every server you can have a different file map.
RDBG starts with [filemap]; if no mapping is found there, it looks in the current server's file map.
A server-specific file map is handy when you have several servers, each with a different OS,
because it lets you map system DLLs correctly.
Example:
----------
[192.168.0.66_map]
d:\windowsxp\system32\kernel32.dll=c:\research\os\xp\kernel32.dll
[192.168.0.33_map]
c:\winnt\system32\ntdll.dll=c:\research\os\w2k\ntdll.dll
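The lookup order described above ([filemap] first, then the server-specific section), as an added example that is not the plugin's own code: a small rdbg.ini parser and resolver, exercised against an INI modelled on the README's examples. Case-insensitive matching of paths and section names is my assumption about how Windows paths should be compared.

```cpp
#include <cctype>
#include <initializer_list>
#include <map>
#include <sstream>
#include <string>
// Parsed rdbg.ini: section -> (key -> value); in map sections the key is the server path, the value the IDA-side path.
using IniMap = std::map<std::string, std::map<std::string, std::string>>;

static std::string lower(std::string s) { for (char& c : s) c = std::tolower((unsigned char)c); return s; }
static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r"), e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Parse INI text; ';' lines are comments. Section names and keys are lower-cased (assumed case-insensitive).
IniMap parse_ini(const std::string& text) {
    IniMap ini; std::string section, line; std::istringstream in(text);
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == ';') continue;
        if (line.front() == '[' && line.back() == ']') { section = lower(line.substr(1, line.size() - 2)); continue; }
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        ini[section][lower(trim(line.substr(0, eq)))] = trim(line.substr(eq + 1));
    }
    return ini;
}

// Resolve the client file for a server path: [filemap] first, then [<server>_map]; "" when unmapped.
std::string resolve_client_path(const IniMap& ini, const std::string& server,
                                const std::string& server_path) {
    const std::string key = lower(server_path);
    for (const std::string& section : {std::string("filemap"), lower(server) + "_map"}) {
        auto s = ini.find(section);
        if (s == ini.end()) continue;
        auto f = s->second.find(key);
        if (f != s->second.end()) return f->second;
    }
    return "";
}

// Constructed rdbg.ini modelled on the README's example (paths are illustrative).
const char* kSampleIni =
    "[connection]\nserver=192.168.0.52\nport=1001\ncaching=1\n"
    "[filemap]\n; renamed to .pe on the IDA side\n"
    "h:\\program files\\pinball\\pinball.exe=C:\\idb\\pinball.pe\n"
    "[192.168.0.52_map]\n"
    "E:\\winnt\\system32\\ole32.dll=C:\\Temp\\vfolder\\192.168.0.52\\dlls\\OLE32.DLL\n";

std::string demo_lookup(const std::string& server, const std::string& server_path) {
    return resolve_client_path(parse_ini(kSampleIni), server, server_path);
}
```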
Debugging Active Processes
----------------------------
RDBG allows you to debug active processes!
If you want to debug an active process, say one running from C:\myprogram\program.exe, simply set the file's
current directory to "[mem]".
With the current directory set to "[mem]", RDBG is instructed to fetch the process from memory and not launch it again.
Notes:
* You do not need to map any system DLL or other module loaded by the debuggee.
Just map the executables; rdbg.ini can consist of only the connection section.
* You do not need the same OS on both machines (although it is preferable).
* The OSes can be installed on different drives, say the client has W2K at c:\winnt and the server has WinNT4 at d:\winnt4.
* On the client side you do not need the DLLs or other dependencies; again, only the .exe file.
RAPI Server Configuration
---------------------------
Simply run the server. You will see diagnostic messages in its window.
IDA\Plugins.cfg
-----------------
Simply declare the plugin inside IDADIR\plugins\plugins.cfg
;
; command name plugin hotkey argument
;
rdbg rdbg.plw 0 0
The RDBG interface
---------------------
Connect:
---------
Connects to the debug server.
Disconnect:
------------
Disconnects from the RAPI Server. It is suggested that you disconnect and reconnect every time you want to launch the process.
This gives the RAPI Server and the OS a chance to clean up after a long debug session.
Enable RDBG:
-----------------
Makes IDA's debugger a remote debugger.
It does not connect to the server. Do not use this feature if you're not connected:
I haven't added checks for whether you are connected before proceeding, nor are there checks to detect disconnection.
Disable RDBG
----------------
Restores the IDA debugger's original behaviour, that is, a local debugger.
It does not disconnect from the server.
Edit INI file
----------------
Allows you to edit rdbg.ini file using notepad.
The "T" button
----------------
Toggles "Always On Top"
The "M" button
---------------
In order to keep the RDBG GUI small, I have created this button, which shows a popup menu with more commands.
The "M/Kill IDA"
-----------------
Kills IDA. Sometimes IDA crashes (for many reasons, including ones induced by RDBG) while RDBG is still
responding; you can then use this command.
The "M/Start Hidden"
----------------------
For your convenience, RDBG can now be started hidden and only shown when needed from the Edit/Plugins/RDBG menu.
Toggle cache:
-------------
By default the remote debug client intelligently caches some requests instead of re-sending them over the network.
This speeds up remote debugging and makes it more convenient.
Use this command to clear all cached data and let the debugger client fetch data from the server again.
Please note that when caching is enabled, you might fail to view memory addresses allocated by the program at runtime.
In other cases you are only interested in the flow of the program you're tracing,
so you enable caching and gain remote debugging speed (by saving traffic).
IDA\plugins\rdbg.ini
-----------------------
Contains the following:
; connection section, configure mostly the server related things
[connection]
server=192.168.0.52
port=1001
caching=1
; client to server file mapping configuration
; when IDA Dbg looks for a file, it will not find it because it exists only on the server
; with the map below, you can map server locations to local locations
; RDBG will start by looking in this section and, if no entry is found, it will then look in the server specific map section
[filemap]
; on IDA's side, I do not name my files .exe but .pe so I don't accidentally execute them
; on the server side, I leave as is
h:\program files\pinball\pinball.exe=C:\idb\pinball.pe
z:\common programs\notepadx.exe=c:\idb\notepadx.pe
; server specific map section
[192.168.0.52_map]
; here put server/os specific configuration
E:\winnt\system32\ole32.dll=C:\Temp\vfolder\192.168.0.52\dlls\OLE32.DLL
Todo
========
* Bulletproof client/server connection handling
FAQ
======
Q: I see weird behaviour when debugging...who should I report it to?
A: IDA's win32 debugger has reached a very robust state and only in rare cases will it behave abnormally.
The problem might be with RDBG itself.
1) Try to reproduce the same behaviour with RDBG and without it.
2) If the problem occurs only with RDBG, you might want to report it to me.
Q: I keep getting 'System hardware breakpoint at XXXXXXXX ???'
A: This is a known issue; it will be resolved in a future release.
AFAIK, it does not affect the debug session.
Q: I cannot trace into other DLLs from inside my program.
A: Make sure you disable caching, or that you have a correct server-specific file map.
You can also try to have the same OS on both client and server.
Q: I enabled RDBG, but when I opened a new database it seems RDBG was disabled again.
A: Yes, every time you load a new database IDA loads the plugins again, so make sure you enable RDBG again.
History:
v0.55 - Sunday, April 20, 2003
---------------------------------
fixed: if 'command line' was empty, rdbg would crash.
added: now if RDBG has focus and you press any of the F4 to F10 keys, they will be passed to IDA.
This helps if you forget to switch focus back to IDA and you want to press F7, let's say.
added: M/Start hidden: option to allow RDBG to start hidden. You can show it again from the Edit/Plugins/RDBG menu.
added: M/Kill IDA: sometimes the IDA Debugger would crash when RDBG loses the connection with the server. This command allows
you to kill IDA.
v0.5 - Sunday, April 6, 2003
---------------------------------
added: Can now debug multiple targets at the same time.
added: RDBG now supports DLL debugging.
added: The Remote Debug Server is now RemoteApiServer, independent from the IDA RDBG plugin.
It can/will serve any remote API client.
Future updates of RDBG will not include the API server binary.
fixed: Lots of bugs in the API client.
added: RDBG can now debug remote active processes! (Server must be on a non-win9x machine.)
added: RDBG is now a GUI tool window.
v0.2 - Tuesday, March 18, 2003
---------------------------------
added: Alt+7 = edit configuration file.
added: client to server (c2s) file mapping support. Now you don't need to have the same file locations on client and server!
added: server specific c2s file mapping section (check release.txt or rcmd.ini for usage info).
added: option to turn caching on/off (check release.txt to understand more about rdbg's caching).
v0.1b - Tuesday, March 11, 2003
---------------------------------
This release has only been tested with exe files (no DLLs).
The server successfully ran under WinME, NT4, W2K and XP; the client was only tested on W2K.
This page was last modified on May 25 2003 05:39:53 AM