
LAB USAGE GUIDE

1. Environment Preparation

1.1 System Requirements

| Component    | Minimum Specification  |
| ------------ | ---------------------- |
| RAM          | 8 GB                   |
| Disk         | 100 GB                 |
| CPU          | 4 cores                |
| Host OS      | Windows 10/11 64-bit   |
| Target VM OS | Windows 10/11 64-bit   |

1.2 Required Software

1. Visual Studio 2022 (the Community Edition is free)
2. Windows Driver Kit (WDK)
3. Windows SDK (latest)
4. WinDbg (from the Windows SDK)
5. NASM (for assembling shellcode)
6. VMware or Hyper-V for the VM

1.3 Installing Visual Studio + WDK

```text
# Download from:
# - Visual Studio: https://visualstudio.microsoft.com/
# - WDK: https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk

# Checklist when installing Visual Studio:
# [x] Desktop development with C++
# [x] Linux and embedded development with C++ (optional)
# [x] Windows 10/11 SDK
```

2. Virtual Machine Setup

2.1 Create a New VM (Hyper-V)

```powershell
# Open PowerShell as Administrator

# 1. Create an internal switch
New-VMSwitch -Name "KernelLab" -SwitchType Internal

# 2. Configure the IP address (host-only network)
New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24 `
    -InterfaceAlias "vEthernet (KernelLab)"

# 3. Create the VM (via the GUI or PowerShell)
New-VM -Name "WindowsKernelLab" -MemoryStartupBytes 4GB `
    -Generation 2 -SwitchName "KernelLab"

# 4. Add a disk
New-VHD -Path "D:\VM\WindowsKernelLab.vhdx" -SizeBytes 100GB -Dynamic

Add-VMHardDiskDrive -VMName "WindowsKernelLab" `
    -Path "D:\VM\WindowsKernelLab.vhdx"

# 5. Configure the VM
Set-VM -Name "WindowsKernelLab" -ProcessorCount 4

# 6. Install Windows in the VM (ISO from Microsoft)
```
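The following is an added example, not a script from the lab repository: it wraps the Hyper-V steps above into an idempotent host-side function using the same names the guide uses (the KernelLab switch, 192.168.100.1/24, the WindowsKernelLab VM and D:\VM\WindowsKernelLab.vhdx). Beyond the commands above it also turns Secure Boot off for the Generation 2 VM (which section 13.1 lists as a cause of load failures) and provides a second function that records the "Clean State" checkpoint that the reset procedure in section 14.3 restores. The `-IsoPath` parameter is an assumption: it is whatever installation ISO you downloaded.

```powershell
# Added example (not part of the original lab repository).
# Run on the Hyper-V host from an elevated PowerShell session.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function New-KernelLabVm {
    param(
        [string]$VmName     = 'WindowsKernelLab',
        [string]$SwitchName = 'KernelLab',
        [string]$HostIp     = '192.168.100.1',
        [string]$VhdPath    = 'D:\VM\WindowsKernelLab.vhdx',
        [string]$IsoPath                      # assumption: the Windows ISO you downloaded
    )

    # 1. Internal switch: host-only, so the target VM never touches a real network.
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
    }

    # 2. Host-side IP on the switch's vEthernet adapter (skipped if already assigned).
    $alias = "vEthernet ($SwitchName)"
    if (-not (Get-NetIPAddress -InterfaceAlias $alias -IPAddress $HostIp -ErrorAction SilentlyContinue)) {
        New-NetIPAddress -IPAddress $HostIp -PrefixLength 24 -InterfaceAlias $alias | Out-Null
    }

    # 3./4. VM plus dynamic VHD, created only if they do not exist yet.
    if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
        if (-not (Test-Path -LiteralPath $VhdPath)) {
            New-VHD -Path $VhdPath -SizeBytes 100GB -Dynamic | Out-Null
        }
        New-VM -Name $VmName -MemoryStartupBytes 4GB -Generation 2 `
               -SwitchName $SwitchName -VHDPath $VhdPath | Out-Null
    }

    # 5. CPU count, and Secure Boot off so the lab's test drivers can load later.
    Set-VM -Name $VmName -ProcessorCount 4
    Set-VMFirmware -VMName $VmName -EnableSecureBoot Off

    # Attach the installation ISO and boot from it first, when one was supplied.
    if ($IsoPath) {
        $dvd = Add-VMDvdDrive -VMName $VmName -Path $IsoPath -Passthru
        Set-VMFirmware -VMName $VmName -FirstBootDevice $dvd
    }

    Get-VM -Name $VmName | Select-Object Name, State, ProcessorCount, MemoryStartup
}

function Save-KernelLabCleanState {
    # Call this once Windows is installed in the VM (step 6) and before any
    # driver is loaded; section 14.3 reverts to this checkpoint by name.
    param(
        [string]$VmName         = 'WindowsKernelLab',
        [string]$CheckpointName = 'Clean State'
    )
    if (-not (Get-VMCheckpoint -VMName $VmName -Name $CheckpointName -ErrorAction SilentlyContinue)) {
        Checkpoint-VM -Name $VmName -SnapshotName $CheckpointName
    }
    Get-VMCheckpoint -VMName $VmName -Name $CheckpointName | Select-Object Name, CreationTime
}

# Usage (host):
#   New-KernelLabVm -IsoPath 'D:\ISO\Win11.iso'     # then install Windows in the VM
#   Save-KernelLabCleanState                         # after installation completes
```

Taking the checkpoint only after installation matters: a checkpoint of an empty disk gives the reset procedure nothing useful to revert to.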

2.2 Kernel Debugging Configuration

In the VM (target):

```powershell
# Open PowerShell as Administrator
# ({current} is quoted so PowerShell does not parse it as a script block)

# Method 1: serial debugging
bcdedit /set '{current}' debug on
bcdedit /dbgsettings serial baudrate:115200 debugport:1

# Method 2: network debugging (easier)
bcdedit /set '{current}' debug on
bcdedit /dbgsettings net hostip:192.168.100.1 port:50000

# Reboot the VM
Restart-Computer
```

On the host (debugger):

```text
# Open WinDbg (as Administrator)

# Method 1: serial
# File -> Kernel Debug -> COM1, 115200

# Method 2: network
File -> Kernel Debug
Port: 50000
Key: (leave the default)
OK

# Wait for the connection (Status: Waiting for connection)
```

3. Building the Project

3.1 Using Visual Studio

```text
# Open "Developer Command Prompt for VS 2022"

cd C:\Lab\WindowsKernelExploitationLab

# Build all modules
build_all.bat

# Or build one module at a time:
cd Module1_BasicDriver
msbuild ExploitLabDriver.sln /p:Configuration=Debug /p:Platform=x64
```

3.2 Manual Build per Module

```text
# Module 1: Basic Driver
cd Module1_BasicDriver
msbuild ExploitLabDriver.sln /p:Configuration=Debug /p:Platform=x64

# Module 2: Buffer Overflow
cd ..\Module2_BufferOverflow
msbuild VulnOverflow.sln /p:Configuration=Debug /p:Platform=x64

# Module 3: Use-After-Free
cd ..\Module3_UseAfterFree
msbuild UafDriver.sln /p:Configuration=Debug /p:Platform=x64

# Module 4: Race Condition
cd ..\Module4_RaceCondition
msbuild RaceDriver.sln /p:Configuration=Debug /p:Platform=x64

# Module 5: Privilege Escalation (User Mode)
cd ..\Module5_PrivilegeEscalation
cl /EHsc /W4 /Od TokenManipulation.c /Fe:PrivEsc.exe

# Module 6: Shellcode
cd ..\Module6_Shellcode
nasm -f win64 Assembly\KernelShellcode.asm -o Assembly\KernelShellcode.obj
cl /EHsc /W4 /Od Cpp\ShellcodeWrapper.cpp /Fe:ShellcodeWrapper.exe
```

4. Copying Files to the VM

4.1 File Transfer

```powershell
# Method 1: shared folder (Hyper-V)
# Enable Enhanced Session Mode in the VM settings

# Method 2: SCP (using OpenSSH)
scp -r C:\Lab\ root@192.168.100.100:/root/Lab/

# Method 3: PowerShell Remoting
Copy-Item -Path "C:\Lab\*" -Destination "\\VMName\C$\Lab\" -Recurse
```

4.2 Folder Structure in the VM

```text
C:\
└── Lab\
    ├── Module1\
    │   ├── ExploitLabDriver.sys
    │   └── UserModeClient.exe
    ├── Module2\
    │   ├── VulnOverflow.sys
    │   └── OverflowExploit.exe
    ├── Module3\
    │   ├── UafDriver.sys
    │   └── UafExploit.exe
    ├── Module4\
    │   ├── RaceCondition.sys
    │   └── RaceExploit.exe
    ├── Module5\
    │   └── PrivEsc.exe
    └── Module6\
        ├── KernelShellcode.obj
        └── ShellcodeWrapper.exe
```

5. Loading Drivers and Testing

5.1 Load a Driver (in the VM)

```text
# Open Command Prompt as Administrator

# Load the Module 1 driver
sc create ExploitLabDriver binPath= "C:\Lab\Module1\ExploitLabDriver.sys" type= kernel
sc start ExploitLabDriver
sc query ExploitLabDriver

# Load the Module 2 driver
sc create VulnOverflow binPath= "C:\Lab\Module2\VulnOverflow.sys" type= kernel
sc start VulnOverflow

# Load the Module 3 driver
sc create UafDriver binPath= "C:\Lab\Module3\UafDriver.sys" type= kernel
sc start UafDriver

# Load the Module 4 driver
sc create RaceCondition binPath= "C:\Lab\Module4\RaceCondition.sys" type= kernel
sc start RaceCondition
```

5.2 Unload a Driver

```text
# Stop the driver
sc stop ExploitLabDriver

# Delete the service
sc delete ExploitLabDriver

# Delete the file (if needed)
del C:\Lab\Module1\ExploitLabDriver.sys
```

6. Module 1 Tutorial: Basic Driver

6.1 Load the Driver

```text
sc create ExploitLabDriver binPath= "C:\Lab\Module1\ExploitLabDriver.sys" type= kernel
sc start ExploitLabDriver
```

6.2 Test Communication

```text
cd C:\Lab\Module1
UserModeClient.exe
```

6.3 Expected Output

```text
==========================================
  ExploitLab - User Mode Client
  Module 1: Driver Communication
==========================================

[+] Device opened successfully
[>] Testing Write operation...
[+] Wrote 23 bytes: Test data from user mode application
[>] Testing Read operation...
[+] Read 23 bytes: Test data from user mode application
[>] Testing IOCTL_VULNERABLE_OPERATION...
[+] IOCTL completed
[>] Testing IOCTL_COPY_USER_DATA...
[+] IOCTL completed

[+] All tests completed successfully
```

6.4 Debugging with WinDbg (on the Host)

```text
# In WinDbg:

# Break into the kernel
Ctrl+Break

# List loaded modules
lm m ExploitLab

# Set a breakpoint on DriverEntry
bp ExploitLabDriver!DriverEntry

# Continue
g

# Run UserModeClient.exe again in the VM

# When the breakpoint hits, examine:
r                          ; registers
k                          ; call stack
db poi(rax)                ; examine buffer
```

7. Module 2 Tutorial: Buffer Overflow

7.1 Load the Driver

```text
sc create VulnOverflow binPath= "C:\Lab\Module2\VulnOverflow.sys" type= kernel
sc start VulnOverflow
```

7.2 Build the Exploit

```text
cd C:\Lab\Module2
cl /EHsc /W4 /Od Exploit\OverflowExploit.c /Fe:OverflowExploit.exe
```

7.3 Run the Exploit

```text
# Basic test
OverflowExploit.exe

# Leak a kernel address
OverflowExploit.exe --debug

# Arbitrary write attempt (fails safely)
OverflowExploit.exe 0xfffff78000000000 0x41414141
```

7.4 Debugging the Overflow

```text
# In WinDbg:

# Set a breakpoint on the vulnerable function
bp VulnOverflow!VulnerableMemCopy

# Run the exploit
g

# Examine registers
r
rax=0000000000000040    ; copy size
rbx=fffff78000000000    ; buffer address
rcx=4141414141414141    ; user data pattern

# View the memory corruption
db @rbx
```

8. Module 3 Tutorial: Use-After-Free

8.1 Load the Driver

```text
sc create UafDriver binPath= "C:\Lab\Module3\UafDriver.sys" type= kernel
sc start UafDriver
```

8.2 Build the Exploit

```text
cd C:\Lab\Module3
cl /EHsc /W4 /Od Exploit\UafExploit.c /Fe:UafExploit.exe
```

8.3 Run the Exploit

```text
# Stage 1: leak a kernel address
UafExploit.exe 1

# Stage 2: manipulate the freed object
UafExploit.exe 2

# Full exploit attempt
UafExploit.exe
```

8.4 Debugging the UAF

```text
# In WinDbg:

# Monitor object allocation
bp nt!ExAllocatePoolWithTag

# Set a breakpoint on the use
bp UafDriver!EvtIoUseObject

# Check the object state
!pool poi(rax)

# Look for the freed object
!analyze -v
```

9. Module 4 Tutorial: Race Condition

9.1 Load the Driver

```text
sc create RaceCondition binPath= "C:\Lab\Module4\RaceCondition.sys" type= kernel
sc start RaceCondition
```

9.2 Build the Exploit

```text
cd C:\Lab\Module4
cl /EHsc /W4 /Od Exploit\RaceExploit.c /Fe:RaceExploit.exe
```

9.3 Run the Exploit

```text
# Direct flag set (without the race)
RaceExploit.exe 1

# Timing analysis
RaceExploit.exe 2

# Multi-threaded attack
RaceExploit.exe 3

# Attempt the race condition
RaceExploit.exe
```

9.4 Debugging the Race Condition

```text
# In WinDbg:

# Set a breakpoint on the flag check
bp RaceDriver!EvtIoCheckAndWrite

# View the race window
g

# Examine the flag value
db RaceDriver!g_AdminFlag
```

10. Module 5 Tutorial: Privilege Escalation

10.1 Build the Tool

```text
cd C:\Lab\Module5
cl /EHsc /W4 /Od TokenManipulation.c /Fe:PrivEsc.exe
```

10.2 Run

```text
# Stage 1: analyze current privileges
PrivEsc.exe 1

# The output shows:
# - the current user
# - enabled privileges
# - interesting privileges

# Stage 2: analyze the System process
PrivEsc.exe 2

# Stage 3: token duplication
PrivEsc.exe 3

# Stage 4: impersonation attack
PrivEsc.exe 4
```

10.3 Expected Output

```text
[*] Running as: VM\LabUser

[*] Token Privileges:
    SeShutdownPrivilege: disabled
    SeDebugPrivilege: disabled
    SeSystemtimePrivilege: disabled
    ...

[+] Successfully impersonating System!
[*] Thread is now running with elevated token
```

11. Module 6 Tutorial: Shellcode

11.1 Build with NASM (Assembly)

```text
# Install NASM
winget install NASM

# Build the shellcode
cd C:\Lab\Module6\Assembly
nasm -f win64 KernelShellcode.asm -o KernelShellcode.obj
```

11.2 Build the C++ Framework

```text
cd C:\Lab\Module6\Cpp
cl /EHsc /W4 /Od ShellcodeWrapper.cpp /Fe:ShellcodeWrapper.exe
```

11.3 Run the Framework

```text
# Stage 1: shellcode analysis
ShellcodeWrapper.exe 1

# Stage 2: prepare the shellcode
ShellcodeWrapper.exe 2

# Stage 3: execute (simulation)
ShellcodeWrapper.exe 3

# Stage 4: encoding
ShellcodeWrapper.exe 4

# Stage 5: detection evasion
ShellcodeWrapper.exe 5
```

12. Essential WinDbg Commands

12.1 Basic Commands

```text
Ctrl+Break          ; Break into the kernel
g                   ; Continue execution
p                   ; Step over
t                   ; Step into
r                   ; Show registers
k                   ; Stack trace
lm                  ; List modules
!analyze -v         ; Analyze crash
```

12.2 Memory Commands

```text
db address          ; Display bytes
dd address          ; Display dwords
dq address          ; Display qwords
eb address value    ; Edit byte
ed address value    ; Edit dword
s -b start end pat  ; Search memory
```

12.3 Process/Thread Commands

```text
!process 0 0        ; List all processes
!process address    ; Process details
!thread address     ; Thread details
!pool address       ; Pool allocation info
```

12.4 Breakpoint Commands

```text
bp address          ; Set breakpoint
bc *                ; Clear all breakpoints
bl                  ; List breakpoints
bd number           ; Disable breakpoint
be number           ; Enable breakpoint
```

13. Troubleshooting

13.1 Driver Will Not Load

```text
# Error: STATUS_OBJECT_NAME_NOT_FOUND
# Solution:
sc query ExploitLabDriver
# Check the path given to sc create

# Error: STATUS_ACCESS_DENIED
# Solution:
# Run Command Prompt as Administrator
# Disable Secure Boot in the VM settings
```
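As an added example (not code from the lab repository), the two functions below wrap the `sc create` / `sc start` / `sc stop` / `sc delete` sequence from section 5 and perform the checks behind the two failures listed in 13.1 before registering anything: the driver file must exist at the exact binPath, and a lab driver that is unsigned or test-signed loads only while the kernel debugger is attached or test signing is enabled, and not with Secure Boot on. Service and file names are the guide's own; anything else is whatever the caller passes. `Get-Service` is deliberately not used, since it does not list kernel drivers; `Win32_SystemDriver` does.

```powershell
# Added example (not part of the original lab repository).
# Run inside the lab VM from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Install-LabDriver {
    param(
        [Parameter(Mandatory)] [string]$Name,      # e.g. ExploitLabDriver
        [Parameter(Mandatory)] [string]$SysPath    # e.g. C:\Lab\Module1\ExploitLabDriver.sys
    )

    # STATUS_OBJECT_NAME_NOT_FOUND almost always means a wrong binPath:
    # verify the file before registering the service.
    if (-not (Test-Path -LiteralPath $SysPath -PathType Leaf)) {
        throw "Driver file not found: $SysPath (check the path you pass to 'sc create')"
    }

    # Unsigned / test-signed code is rejected by kernel-mode code signing unless
    # a kernel debugger is attached or test signing is on; Secure Boot blocks both
    # workarounds. That is the STATUS_ACCESS_DENIED case in 13.1.
    $sig = Get-AuthenticodeSignature -FilePath $SysPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("Signature status of {0} is '{1}': the driver loads only with the kernel " +
                       "debugger attached or test signing enabled, and not with Secure Boot on.") -f $SysPath, $sig.Status
    }
    $debugOn = (bcdedit /enum '{current}') -match '^debug\s+Yes'
    if (-not $debugOn) {
        Write-Warning "Kernel debugging is off for this boot entry (see section 2.2 and 'bcdedit /dbgsettings')."
    }

    # Register the kernel service only once, then start it. The space after
    # 'binPath=' and 'type=' is required by sc.exe.
    $existing = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $existing) {
        sc.exe create $Name binPath= "$SysPath" type= kernel | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }
    }
    sc.exe start $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc start failed with exit code $LASTEXITCODE (see section 13.1)" }

    Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'" | Select-Object Name, State, PathName
}

function Remove-LabDriver {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [string]$SysPath,          # optional: also delete the binary
        [switch]$DeleteFile
    )
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"
    if ($drv) {
        if ($drv.State -eq 'Running') { sc.exe stop $Name | Out-Null }
        sc.exe delete $Name | Out-Null
    }
    if ($DeleteFile -and $SysPath -and (Test-Path -LiteralPath $SysPath)) {
        Remove-Item -LiteralPath $SysPath -Force
    }
    # sc delete is deferred while a handle to the service is still open,
    # so report whether the service is actually gone.
    return (-not (Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"))
}

# Usage (in the VM, elevated):
#   Install-LabDriver -Name ExploitLabDriver -SysPath 'C:\Lab\Module1\ExploitLabDriver.sys'
#   Remove-LabDriver  -Name ExploitLabDriver -SysPath 'C:\Lab\Module1\ExploitLabDriver.sys' -DeleteFile
```

`Remove-LabDriver` returns `$false` when the service still exists after `sc delete`; in that case close the handle holding it (a `sc query` loop or an open client) and rerun before assuming the cleanup in section 14.1 succeeded.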

13.2 Debug Connection Fails

```text
# In the VM, check the debug settings:
bcdedit /dbgsettings

# On the host:
# Check the COM port settings in WinDbg
# Check the baud rate (115200)
```

13.3 VM Crash (Blue Screen)

```text
# Force a crash dump:
echo .crash > \\.\pipe\debugpipe

# Or:
Right Ctrl + Scroll Lock + Scroll Lock

# In WinDbg:
!analyze -v
```

13.4 Build Errors

```text
# cl not found:
# Open "Developer Command Prompt for VS 2022"

# Missing SDK:
# Install the Windows SDK from the Visual Studio Installer
```

14. Resetting the Environment

14.1 Remove All Drivers

```text
sc stop ExploitLabDriver
sc stop VulnOverflow
sc stop UafDriver
sc stop RaceCondition

sc delete ExploitLabDriver
sc delete VulnOverflow
sc delete UafDriver
sc delete RaceCondition

del C:\Lab\*.sys
```

14.2 Disable Kernel Debugging

```powershell
# In the VM:
bcdedit /debug off
Restart-Computer
```

14.3 Restore the VM Snapshot

```powershell
# Hyper-V:
Restore-VMCheckpoint -Name "Clean State" -VMName "WindowsKernelLab"

# VMware:
# Click "Revert to Snapshot" in the VM menu
```

15. Safety Tips

⚠️ Important Warnings

  1. ALWAYS use an isolated VM
  2. NEVER use this on production systems
  3. TURN OFF kernel debugging when you are finished
  4. TAKE a snapshot before testing
  5. REMOVE the drivers when you are finished

15.1 Safety Checklist

[ ] VM on an isolated network
[ ] Secure Boot disabled
[ ] Kernel debugging enabled (for testing only)
[ ] Snapshot taken before starting
[ ] All drivers removed when finished
[ ] Kernel debugging disabled when finished
[ ] VM shut down properly
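The checklist above can be verified mechanically. The following is an added example, not part of the lab repository: `Test-LabGuestCleanup` runs inside the VM and covers the guest-side items (debugging off, lab driver services gone, no stray `.sys` files), while `Test-LabHostIsolation` runs on the Hyper-V host and covers the host-side items (internal switch only, Secure Boot off, the "Clean State" checkpoint from section 14.3 present, VM powered off). Driver, switch, VM and checkpoint names are the ones used throughout this guide; both functions return a list of check/passed pairs so a teardown script can fail on any unticked item.

```powershell
# Added example (not part of the original lab repository).
# Test-LabGuestCleanup: run inside the VM. Test-LabHostIsolation: run on the host.

function Test-LabGuestCleanup {
    param(
        [string[]]$DriverNames = @('ExploitLabDriver', 'VulnOverflow', 'UafDriver', 'RaceCondition'),
        [string]$LabRoot = 'C:\Lab'
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Passed) $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Passed }) }

    # Checklist item 6 / section 14.2: the boot entry must no longer say "debug Yes".
    $bootEntry = bcdedit /enum '{current}'
    & $add 'Kernel debugging disabled' (-not ($bootEntry -match '^debug\s+Yes'))

    # Checklist item 5 / section 14.1: every lab driver service must be deleted.
    # Win32_SystemDriver is used because Get-Service does not list kernel drivers.
    foreach ($name in $DriverNames) {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
        & $add "Driver service removed: $name" ($null -eq $drv)
    }

    # No leftover driver binaries anywhere under the lab folder.
    $leftover = Get-ChildItem -Path $LabRoot -Filter *.sys -Recurse -ErrorAction SilentlyContinue
    & $add 'No .sys files left under lab folder' (-not $leftover)

    return $results
}

function Test-LabHostIsolation {
    param(
        [string]$VmName         = 'WindowsKernelLab',
        [string]$SwitchName     = 'KernelLab',
        [string]$CheckpointName = 'Clean State'
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Passed) $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Passed }) }

    # Checklist item 1: the lab switch is Internal (host-only) and the VM has no
    # adapter on any other switch.
    $sw = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
    & $add 'Lab switch is Internal' ($sw -and $sw.SwitchType -eq 'Internal')
    $adapters = Get-VMNetworkAdapter -VMName $VmName -ErrorAction SilentlyContinue
    & $add 'VM attached only to lab switch' ($adapters -and -not ($adapters | Where-Object SwitchName -ne $SwitchName))

    # Checklist item 2: Secure Boot disabled on the Generation 2 VM.
    $fw = Get-VMFirmware -VMName $VmName -ErrorAction SilentlyContinue
    & $add 'Secure Boot disabled' ($fw -and $fw.SecureBoot -eq 'Off')

    # Checklist item 4 / section 14.3: a clean checkpoint exists to revert to.
    $cp = Get-VMCheckpoint -VMName $VmName -Name $CheckpointName -ErrorAction SilentlyContinue
    & $add "Checkpoint '$CheckpointName' exists" ($null -ne $cp)

    # Checklist item 7: the VM is Off, not Saved or Paused.
    $vm = Get-VM -Name $VmName -ErrorAction SilentlyContinue
    & $add 'VM is shut down' ($vm -and $vm.State -eq 'Off')

    return $results
}

# Usage:
#   Test-LabGuestCleanup  | Format-Table -AutoSize   # in the VM
#   Test-LabHostIsolation | Format-Table -AutoSize   # on the host
#   if (Test-LabHostIsolation | Where-Object { -not $_.Passed }) { Write-Error 'Checklist incomplete' }
```

The "kernel debugging enabled" item is intentionally the inverse of the cleanup check: it is expected to be true while a session is running and false once `bcdedit /debug off` from section 14.2 has taken effect after a reboot.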

16. Lab File Structure

```text
C:\Lab\WindowsKernelExploitationLab\
│
├── README.md                          ; Overview
├── LAB_GUIDE.md                       ; Full guide
├── BuildScripts\
│   └── build_all.bat                  ; Build script
│
├── Module1_BasicDriver/               ; Module 1
│   ├── Driver.c                       ; Driver source
│   ├── ExploitLabDriver.inf           ; Install file
│   ├── x64\Debug\ExploitLabDriver.sys ; Driver binary
│   └── UserApp\
│       ├── UserModeClient.c           ; User app source
│       └── x64\Debug\UserModeClient.exe
│
├── Module2_BufferOverflow/            ; Module 2
│   ├── VulnerableDriver.c             ; Vulnerable driver
│   ├── x64\Debug\VulnOverflow.sys
│   └── Exploit\
│       ├── OverflowExploit.c
│       └── x64\Debug\OverflowExploit.exe
│
├── Module3_UseAfterFree/              ; Module 3
│   ├── UafDriver.c                    ; UAF driver
│   ├── x64\Debug\UafDriver.sys
│   └── Exploit\
│       ├── UafExploit.c
│       └── x64\Debug\UafExploit.exe
│
├── Module4_RaceCondition/             ; Module 4
│   ├── RaceDriver.c                   ; Race driver
│   ├── x64\Debug\RaceCondition.sys
│   └── Exploit\
│       ├── RaceExploit.c
│       └── x64\Debug\RaceExploit.exe
│
├── Module5_PrivilegeEscalation/       ; Module 5
│   ├── TokenManipulation.c
│   └── x64\Debug\PrivEsc.exe
│
└── Module6_Shellcode/                 ; Module 6
    ├── Assembly\
    │   ├── KernelShellcode.asm        ; Shellcode source
    │   └── KernelShellcode.obj        ; Assembled
    └── Cpp\
        ├── ShellcodeWrapper.cpp
        └── x64\Debug\ShellcodeWrapper.exe
```

17. Additional References

Documentation

Tools

  • WinDbg (from the Windows SDK)
  • Process Hacker
  • API Monitor
  • Sysinternals Suite

Books

  • "Windows Internals" by Russinovich
  • "Rootkits: Subverting the Windows Kernel" by Hoglund

Note: This lab is for educational purposes ONLY. Use it only on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.