What's RR0D ?

RR0D is a ring 0 debugger. It offers the possibility to debug any kind of code (kernel/user/rasta land). Its philosophy is to be OS independent. That's why RR0D can today be installed on Linux, *BSD, Wind0ws. This has some disadvantages: RR0D is only designed to run on x86 (is this really a disadvantage?). Here is a presentation of Rr0d.

How the hell does this work ?

It works fine. Thanks. Actually, the goal is to keep the code low level enough to *not* use any kernel host code. RR0D is a sort of stand-alone module that installs hooks at each important point to realize such a dream. The only part that is OS dependent is the kernel module interface.

This kernel debugger has its own keybord driver (only PS2 keyboard). Rr0d has its own video drivers: The first one is a VGA driver that manipulates directly the VGA compatible mode of graphic cards (in console mode). Rr0d has a FrameBuffer video driver as well: it is used under X server (or with the Win desktop).

Direct video memory access: Another video driver is based on direct writting into the physical video memory. Recent video card have their memory accessible directly by writting in certain physical memory. Rr0d can use this mecanism to display its interface with card unsing PCI or AGP bus. Thus, rr0d can be easilly used with Windows XP or Xorg/Xfree (without special feature as frame buffer or else).

Rr0d hooks interruptions (0, 1, 3,..) on idt. If the interruption is managed by Rr0d (int 3, ...) iret is done. Else, Rr0d gives back hand to the OS. Rr0d has a little disasm engine (buGGy one :) to display disassembly. Rr0d handles pagination in order to set/clear bp or editing memory.

Note: During Rr0d rasta trace debugging sessions, rr0d loops. So hot processors: take care :)

TOD0

Rr0d doesn't check the eflag overwrite during trace time. So an application can "untrace" to avoid it: Rr0d has to emulate eflag manipulation. Rr0d should emulate cli/sti manipulation too.

An inline assembler should be added in order to dynamik recompile Assembly instructions.

The *Ultimate Weapon* could be to implement a script language.

For now, only some screenshots are available. Shoot are from console mode, X and [rasta/0xf001/normal] mode.

FAQ

• Q: Hey man, your rr0d seems to be a soft-ice like?!
  A: yea man, rr0d seems to have he same beautiful graphic interface as soft-ice.
• Q: Hey man, is rr0d at least has a rasta mode?
  A: yea man, Of course it has.
• Q: Hey man, why rr0d and not KGDB?
  A: man, KGDB is *not* a rasta debugger
• Q: Hey man, how many functionalities rr0d has?
  A: man, it has plenty rasta functionalities
• Q: But man, why ring 0 debugger is more powerfull than ring-3?
  A: man, because ring-0 0wnz ring-[1-3]
• Q: Man, what about Apple users?! Will they never get this piece of tool?
  A: man, keep rasta: we are today in relation with Apple developpers: They decided to forget Power PC and to base their main architecture on X86: be patient.
• Q: Man, will it be possible to write plugins for rr0d?
  A: man, yes: the symbol exporter is a sort of plugin. But a more interesting plugin system will be implemented such as a memory dumper, a process dumper, a tetris, a Frozen bubble, a FireStarter Crazy Zorg Revenge ...

Where can i get rr0d?

In the rr0d folder of the CVS
A dayly cvs shoot is on: rr0d

if you have some interesting questions about rr0d, or if you are sexualy satisfied by using it, you can mail : serpilliere at droids-corp org

(_.-RR0D for dummys-._)

Rr0d supports in theory every OS that runs on x86:

The only thing we can rely on is the processor: X86. Rr0d is OS independant.

The main question is: How the hell can Rr0d control the processor? In usual case, the OS communicates directly with the processor using interruptions, ... When installing Rr0d, Rr0d inserts itself between the processor and the OS.

But this task is done with some precautions in order to be able to remove Rr0d dynamicly

EOF