A second tool, developed by SecureWorks Senior Security Researcher Joe Stewart, helps in automating tasks involved in debugging the Windows kernel. Stewart developed the tool, called Windpill, to give researchers the ability to debug the Windows kernel code, read and write virtual and physical memory addresses, and parse undocumented structures in an easier way, SecureWorks officials said.
For example, one job that could be made easier with this tool is pulling userland-injected code out of kernel-level malware, SecureWorks officials said. With this tool, a null modem cable, and some Perl and Windows kernel knowledge, users could script it in just a few hours, officials said, adding that automating the process with traditional kernel debugging tools under Windows would take much longer.
"The speed-up in automation/development time is due to the fact that Perl is a scripting language as opposed to a compiled language like C," Stewart said. "With the currently available Windows kernel debugging tools, you must compile a DLL to load into the debugger—with each change you have to recompile it. Plus, working in lower-level languages is always more time-consuming, as you have to deal with memory management issues or objects. Perl doesnt require any of that, so you can concentrate purely on the functional aspects of the code."
Both tools will be available Aug. 3 at no cost on the SecureWorks Web site.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.