Icebox is a Virtual Machine Introspection solution that enable you to stealthily trace and debug any process (kernel or user). It’s based on project Winbagility.
Files which might be helpful:
Project Organization
Also Read – Lst2x64dbg : Extract Labels From IDA .lst or Ghidra .csv File & Export x64dbg Database
Getting Started
Some sample have been written in samples folder.
You can build them with these instructions after you installed the requirements.
If your using a Windows guest you might want to set the environement variable _NT_SYMBOL_PATH to a folder that contains your guest’s pdb. Please note that icebox setup will fail if it does not find your guest’s kernel’s pdb.
vm_resume:
vm_resume just pause then resume your VM.
cd icebox/bin/$ARCH/
./vm_resume <vm_name>
nt_writefile:
nt_writefile breaks when a process calls ntdll!NtWriteFile, and dumps
what’s written in a file on your host in the current directory.
cd icebox/bin/$ARCH/ .
/nt_writefile <vm_name> <process_name>
heapsan:
heapsan breaks ntdll memory allocations from a process and add padding
before & after every pointer. It is still incomplete and doesn’t do
any checks yet.
cd icebox/bin/$ARCH/
./heapsan <vm_name> <process_name>
wireshark:
wireshark breaks when ndis driver reads or sends network packets and
creates a wireshark trace (.pcapng). Each packet sent is associated to a
callstack from kernel land to userland if necessary.
cd icebox/bin/$ARCH/
./wireshark <name> <path_to_capture_file>
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…
MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…
"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…
CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…
The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…
The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…