Icebox : Virtual Machine Introspection, Tracing & Debugging

Icebox is a Virtual Machine Introspection solution that enable you to stealthily trace and debug any process (kernel or user). It’s based on project Winbagility.

Files which might be helpful:

Project Organization

  • fdp: Fast Debugging Protocol sources
  • icebox: Icebox sources
    • icebox: Icebox lib (core, os helpers, plugins…)
    • icebox_cmd: Program that test several features
    • samples: Bunch of examples
  • winbagility: stub to connect WinDBG to FDP
  • virtualbox: VirtualBox sources patched for FDP.

Also Read – Lst2x64dbg : Extract Labels From IDA .lst or Ghidra .csv File & Export x64dbg Database

Getting Started

Some sample have been written in samples folder.

You can build them with these instructions after you installed the requirements.

If your using a Windows guest you might want to set the environement variable _NT_SYMBOL_PATH to a folder that contains your guest’s pdb. Please note that icebox setup will fail if it does not find your guest’s kernel’s pdb.

vm_resume:
vm_resume just pause then resume your VM.

cd icebox/bin/$ARCH/
./vm_resume
<vm_name>

nt_writefile:
nt_writefile breaks when a process calls ntdll!NtWriteFile, and dumps what’s written in a file on your host in the current directory.

cd icebox/bin/$ARCH/ .
/nt_writefile
<vm_name> <process_name>

heapsan:
heapsan breaks ntdll memory allocations from a process and add padding before & after every pointer. It is still incomplete and doesn’t do any checks yet.

cd icebox/bin/$ARCH/
./heapsan
<vm_name> <process_name>

wireshark:
wireshark breaks when ndis driver reads or sends network packets and creates a wireshark trace (.pcapng). Each packet sent is associated to a callstack from kernel land to userland if necessary.

cd icebox/bin/$ARCH/
./wireshark
<name> <path_to_capture_file>

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago