Published on March 19th, 2012 | by NJ Ouchn
Blackhat Amsterdam 2012 : ToolsTube with Andrey Labunets on Windbgshark
Windbgshark is an open source network debugging tool designed to assist in reverse engineering of unknown protocols, traffic manipulation and searching for vulnerabilities in protocols and applications under Windows. The novelty of Windbgshark, relative to other debugging tools, is that it is tightly integrated with both the Windbg debugger and the Wireshark packet analyzer, which makes handling the traffic and performing simple manual testing very rapid. At the same time, Windbgshark is a framework for building custom fuzzers and is useful for various debugging scenarios.
Other features include:
- Reliable and unified inspection engine for both x86 and x64 applications (no code patching)
- Windbg scripting and automation are possible
- The packet trace is captured, dissected and displayed in Wireshark on the fly
- Localhost traffic is also inspected
During the presentation I will demonstrate how to use basic Windbgshark features as well as how to implement a simple network fuzzer, uncover a memory corruption vulnerability and gather accurate reproduction steps and a crash dump with this tool (automatically, of course).
Andrey Labunets is currently a student at Tyumen State University, pursuing his degree in computer security. His research focuses on reverse engineering of programs and protocols with applications in vulnerability detection and exploit development. With DSecRG, Andrey was involved in vulnerability research of business applications and revealed several weaknesses and flaws in Oracle software. Andrey is now working in the area of traffic analysis mechanisms and is responsible for the development of the traffic inspection tool that is part of a corporate DLP solution. His experience and interests encompass a wide range of topics in information security and computer science, including formal verification methods and operating system internals; he also enjoys playing around with debuggers and analyzing crash dumps.