Windbgshark - Windbg Extension for VM Traffic Manipulation & Analysis

Windbgshark is a Windbg debugger extension that lets you manipulate the network traffic of a virtual machine and integrate the Wireshark protocol analyzer with windbg commands.


The main idea is to rely on the Windows Filtering Platform (WFP) capability to inspect traffic at the application layer of the OSI model (although the method works just as well at any other layer exposed by the WFP API). This gives us a way to intercept and modify any data that goes through the Windows TCP/IP stack (even localhost traffic), regardless of the application type and of the transport/network protocol.

Modification and reinjection also work well: the operating system does all the dirty work of reconstructing the transport and network layer headers, just as if we were sending the data from a usermode Winsock application.

This tool needs a virtualized environment (it currently works fine with VMware Workstation) with windbg attached to the virtual machine as a kernel debugger. Installation is done in two steps: driver installation inside the guest and extension loading in windbg.

The driver intercepts network traffic, lets windbg modify it, and then reinjects the packets back into the network stack. The extension, in its turn, implements a simple interface for packet editing and also uses Wireshark to display the data flows.

The extension runs on the host machine, while the driver is located on the virtual machine. To interact with the driver, the windbg extension sets breakpoints with its own callbacks right inside the driver code.

Every time a packet comes in or goes out, a breakpoint is hit and windbgshark extracts the app-level payload of the current packet, constructs a new pcap record and sends it to Wireshark. Before the packet is reinjected, the user may modify it, and Wireshark will re-parse and show the modified record.


Screenshots (images not reproduced here):

  • Step-trace mode on (in windbg); Wireshark shows the traffic flow.

  • Trying to fuzz a web browser.

  • Localhost traffic is also processed.


The tool should be regarded as proof-of-concept code rather than a reliable software product. There are plenty of bugs; the main known problems are:
  • Wireshark does not reload the pcap file automatically; you still need to press Ctrl + R every time you want to see the changes.
  • Only IPv4/TCP is supported at the moment.
  • The extension lowers the virtual machine's bandwidth dramatically.
