Windows Kernel Exploit Part 1 - Debug Settings
Before we start exploiting the Windows kernel, we must set up our environment. This post walks through setting up a debugging environment for Windows kernel exploitation step by step. Typically there are three popular ways to set up the debugging environment:
- Local Kernel Debugging (LKD)
- Remote Kernel Debugging through TCP
- Remote Kernel Debugging through Named Pipe (COM port)
Remote Kernel Debugging through TCP
Here are some notes on setting up the debugging environment over TCP.
Example
Below is the configuration used in this example:
- Both the host and the guest are Windows 10 VMs.
- The network interface is a VirtualBox Host-Only Ethernet Adapter
- Debuggee: 192.168.56.101
- Debugger: 192.168.56.102
- (Network diagram: picture from www.nakivo.com)
Debuggee (192.168.56.101)
In order to install unsigned drivers, put Windows into test-signing mode and enable kernel debugging:
PS> bcdedit /set testsigning on
PS> bcdedit /debug on
Set up the debugger connection (host IP and port) and retrieve the key that the command prints; the debugger needs this key to connect:
PS> bcdedit /dbgsettings NET HOSTIP:192.168.56.102 PORT:50000
Select the network interface that debugging should go through. Copy VerifiedNICList.xml and kdnet.exe from the host directory C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ to the guest, then run kdnet.exe to list the supported NICs together with their bus parameters:
PS> kdnet.exe
PS> bcdedit /set "{dbgsettings}" busparams b.d.f # choose the Virtual Box Host-Only Adapter
Here b.d.f is the bus.device.function triple that kdnet.exe reports for the chosen adapter. Finally, display the debug settings to confirm them:
PS> bcdedit /dbgsettings
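The settings above are easy to get subtly wrong (a typo in the host IP, or a forgotten bcdedit /debug on) and you only find out after the reboot, when the debugger never connects. The PowerShell below is an added example that is not part of the original post: it parses the "name   value" lines that bcdedit prints into a hashtable and compares them with the values used in this post (host 192.168.56.102, port 50000). The sample output is constructed to look like bcdedit's, not captured from a real machine, and the function names are my own.

```powershell
# Added example (not from the original post): parse bcdedit output and verify
# the kdnet target configuration before rebooting the debuggee.
# Assumes the host IP 192.168.56.102 and port 50000 used in the post.

function ConvertFrom-BcdEditOutput {
    # Turns the "name<spaces>value" lines printed by bcdedit into a hashtable.
    # Header lines ("Windows Boot Loader", "-----") and the trailing status
    # message contain only single spaces, so the two-space requirement skips them.
    param([Parameter(Mandatory)][string[]]$Lines)

    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[A-Za-z0-9_]+)\s{2,}(?<value>\S.*)$') {
            $settings[$matches.name.ToLower()] = $matches.value.Trim()
        }
    }
    return $settings
}

function Get-KdNetKey {
    # Extracts the key from the output of "bcdedit /dbgsettings NET HOSTIP:... PORT:...",
    # which prints a single "Key=<key>" line.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Key=(?<key>[0-9a-z.]+)\s*$') { return $matches.key }
    }
    return $null
}

function Test-KdNetTarget {
    # Compares parsed "/dbgsettings" and "/enum {current}" output with what the
    # post configures and returns the list of mismatches (empty = ready to reboot).
    param(
        [Parameter(Mandatory)][hashtable]$DbgSettings,
        [Parameter(Mandatory)][hashtable]$BootEntry,
        [string]$HostIp = '192.168.56.102',
        [int]$Port = 50000
    )
    $problems = @()
    if ($DbgSettings['debugtype'] -ne 'NET')            { $problems += "debugtype is '$($DbgSettings['debugtype'])', expected NET" }
    if ($DbgSettings['hostip'] -ne $HostIp)             { $problems += "hostip is '$($DbgSettings['hostip'])', expected $HostIp" }
    if ([string]$DbgSettings['port'] -ne [string]$Port) { $problems += "port is '$($DbgSettings['port'])', expected $Port" }
    if (-not $DbgSettings['key'])                       { $problems += 'no key present; rerun bcdedit /dbgsettings NET ...' }
    if ($BootEntry['debug'] -ne 'Yes')                  { $problems += 'debug is not enabled (bcdedit /debug on)' }
    if ($BootEntry['testsigning'] -ne 'Yes')            { $problems += 'testsigning is not enabled (bcdedit /set testsigning on)' }
    return ,$problems
}

# Constructed sample output, formatted the way bcdedit prints it (not a real capture).
$sampleDbgSettings = @(
    'busparams               0.3.0',
    'key                     placeholder.key.from.bcdedit',
    'debugtype               NET',
    'hostip                  192.168.56.102',
    'port                    50000',
    'dhcp                    Yes',
    'The operation completed successfully.'
)
$sampleEnum = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'testsigning             Yes',
    'debug                   Yes'
)

$problems = Test-KdNetTarget -DbgSettings (ConvertFrom-BcdEditOutput $sampleDbgSettings) `
                             -BootEntry   (ConvertFrom-BcdEditOutput $sampleEnum)
if ($problems.Count -eq 0) { 'debuggee configuration matches' } else { $problems }

# Against the live debuggee, from an elevated prompt:
#   $key = Get-KdNetKey (bcdedit /dbgsettings NET HOSTIP:192.168.56.102 PORT:50000)
#   Test-KdNetTarget -DbgSettings (ConvertFrom-BcdEditOutput (bcdedit /dbgsettings)) `
#                    -BootEntry   (ConvertFrom-BcdEditOutput (bcdedit /enum '{current}'))
```

bcdedit needs an elevated prompt, so run the live checks from the same administrator PowerShell you used for the setup commands; the key returned by Get-KdNetKey is what WinDbg asks for when you attach over Net.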
Debugger (192.168.56.102)
- WinDbg Preview is available on the Microsoft Store: WinDbg Preview -> File -> Attach To Kernel -> Net
- Configure kernel symbols
Settings -> Debugging settings
srv*c:\symbols*https://msdl.microsoft.com/download/symbols
- References
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection-automatically
- https://medium.com/@ophirharpaz/kdnet-tutorial-for-noobs-68669778bbd4
Remote Kernel Debugging through Named Pipe (COM port)
Here is another example, this time setting up kernel debugging through a named pipe.
Example
Below is the configuration used in this example:
- Both the host and the guest are Windows 10 VMs.
- Debuggee: \\.\pipe\com2
- Debugger: Host machine
Debuggee
To debug a VMware virtual machine, once you have added the COM port to the VM, configure it in the VM settings as follows.
Note:
- The name of the named pipe is \\.\pipe\com2 (you can use whatever you want after \\.\pipe\). The COM port number is 2 (see in the picture where "Serial Port 2" is mentioned in the left pane). Of the two dropboxes, this end is the server and the other end is an application.
- According to the documentation, about "Yield CPU on Poll": this configuration option forces the affected virtual machine to yield processor time if the only task it is trying to do is poll the virtual serial port.
Don’t forget to configure the Windows VM with bcdedit:
bcdedit /debug on
bcdedit /dbgsettings serial debugport:2 baudrate:115200
Restart your VM once this is done. In this case I use serial port 2 (usually, the first COM port in VMware is used by the printer).
Debugger
- WinDbg (command line):
windbg -k com:pipe,port=\\.\pipe\com2,resets=0,reconnect
- WinDbg (Preview)
Note:
- The host (windbg.exe) must run with administrator privileges in order to talk to the serial port.
- Reference
- https://stackoverflow.com/questions/33820520/kernel-debug-with-a-vmware-machine
After setting up the debugging environment, here is a debugging cheat sheet that might be helpful for kernel debugging.
WinDbg Command Cheatsheet
- Display the token privileges of the current process
dx ((nt!_TOKEN*)(@$curprocess.KernelObject.Token.Object & ~0xf))->Privileges
- Common commands
  - g: Continue execution.
  - dq: Display memory in hex, one qword (8 bytes) per unit, at the specified address. This command is similar to the gdb command x/10gx. E.g., dq 0x403000.
  - u: Display assembly instructions at the specified address. This command is similar to the gdb command x/10i. E.g., u 0x401000 l10.
  - l: Indicates how many lines should be displayed.
  - bp: Set a breakpoint at the specified address. E.g., bp 0x401530.
  - bl: List breakpoints.
  - bd 1: Disable breakpoint 1.
  - lm: List all loaded modules (DLLs).
  - r: Show registers.
  - .reload /u driver.sys: Unload driver.sys (its symbol information).
  - kb: Display the call stack (frame trace).
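The dx one-liner above prints the Present, Enabled and EnabledByDefault fields of _SEP_TOKEN_PRIVILEGES as raw 64-bit masks, which are tedious to read by eye. The PowerShell below is an added example that is not part of the original post: it decodes those masks into privilege names, using the fact that each bit position is the privilege's LUID value (the SE_*_PRIVILEGE constants from winnt.h). The sample masks are constructed, not captured from a live token, and the function names are my own.

```powershell
# Added example (not from the original post): decode the Present / Enabled /
# EnabledByDefault masks that the "dx ... ->Privileges" command prints.
# Each bit position is the privilege's LUID value (SE_*_PRIVILEGE in winnt.h);
# the sample masks at the bottom are constructed, not captured from a live system.

# LUID value -> privilege name (winnt.h SE_*_PRIVILEGE constants, 2..36)
$PrivilegeNames = @{
     2 = 'SeCreateTokenPrivilege';           3 = 'SeAssignPrimaryTokenPrivilege'
     4 = 'SeLockMemoryPrivilege';            5 = 'SeIncreaseQuotaPrivilege'
     6 = 'SeMachineAccountPrivilege';        7 = 'SeTcbPrivilege'
     8 = 'SeSecurityPrivilege';              9 = 'SeTakeOwnershipPrivilege'
    10 = 'SeLoadDriverPrivilege';           11 = 'SeSystemProfilePrivilege'
    12 = 'SeSystemtimePrivilege';           13 = 'SeProfileSingleProcessPrivilege'
    14 = 'SeIncreaseBasePriorityPrivilege'; 15 = 'SeCreatePagefilePrivilege'
    16 = 'SeCreatePermanentPrivilege';      17 = 'SeBackupPrivilege'
    18 = 'SeRestorePrivilege';              19 = 'SeShutdownPrivilege'
    20 = 'SeDebugPrivilege';                21 = 'SeAuditPrivilege'
    22 = 'SeSystemEnvironmentPrivilege';    23 = 'SeChangeNotifyPrivilege'
    24 = 'SeRemoteShutdownPrivilege';       25 = 'SeUndockPrivilege'
    26 = 'SeSyncAgentPrivilege';            27 = 'SeEnableDelegationPrivilege'
    28 = 'SeManageVolumePrivilege';         29 = 'SeImpersonatePrivilege'
    30 = 'SeCreateGlobalPrivilege';         31 = 'SeTrustedCredManAccessPrivilege'
    32 = 'SeRelabelPrivilege';              33 = 'SeIncreaseWorkingSetPrivilege'
    34 = 'SeTimeZonePrivilege';             35 = 'SeCreateSymbolicLinkPrivilege'
    36 = 'SeDelegateSessionUserImpersonatePrivilege'
}

function ConvertTo-BitArray {
    # Bit n of the integer becomes element n of the BitArray (little-endian host),
    # which sidesteps 64-bit shift and mask quirks in Windows PowerShell.
    param([Parameter(Mandatory)][uint64]$Value)
    return New-Object System.Collections.BitArray (,[BitConverter]::GetBytes($Value))
}

function ConvertFrom-TokenPrivileges {
    # Expands the three 64-bit masks of _SEP_TOKEN_PRIVILEGES into one row per
    # privilege that is present in the token, with its Enabled state.
    param(
        [Parameter(Mandatory)][uint64]$Present,
        [uint64]$Enabled = 0,
        [uint64]$EnabledByDefault = 0
    )
    $present = ConvertTo-BitArray $Present
    $enabled = ConvertTo-BitArray $Enabled
    $default = ConvertTo-BitArray $EnabledByDefault

    $rows = @()
    for ($bit = 0; $bit -lt 64; $bit++) {
        if (-not $present[$bit]) { continue }
        $name = if ($PrivilegeNames.ContainsKey($bit)) { $PrivilegeNames[$bit] } else { "Unknown($bit)" }
        $rows += [pscustomobject]@{
            Bit              = $bit
            Privilege        = $name
            Enabled          = $enabled[$bit]
            EnabledByDefault = $default[$bit]
        }
    }
    return ,$rows
}

# Constructed sample: a token holding SeShutdown (19), SeDebug (20), SeChangeNotify (23)
# and SeImpersonate (29), with only the last two enabled.
ConvertFrom-TokenPrivileges -Present 0x20980000 -Enabled 0x20800000 -EnabledByDefault 0x20800000 |
    Format-Table -AutoSize
```

Paste the three hex values from the dx output straight into the parameters; a privilege that is Present but not Enabled is held by the token but inactive, which is the distinction you want when comparing a process before and after an elevation of privilege.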
Enable DbgPrint/KdPrint
- temporarily, during runtime from WinDbg (lost once the session is closed)
kd> ed nt!Kd_IHVDRIVER_Mask 0xffffffff
kd> ed nt!Kd_DEFAULT_MASK 0xFFFFFFFF
- permanently, from the registry hive (in an admin prompt on the debuggee)
reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xFFFFFFFF
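The 0xFFFFFFFF masks above are the blunt setting: they let every DbgPrint level through. Each bit of the filter mask enables one level (bit 0 = DPFLTR_ERROR_LEVEL, bit 1 = WARNING, bit 2 = TRACE, bit 3 = INFO, higher bits are driver-defined). The PowerShell below is an added example that is not part of the original post: it builds a mask from named levels and writes it to the Debug Print Filter key, reading it back as an unsigned value. It writes under CurrentControlSet rather than the ControlSet001 the reg add command uses; the two are normally the same control set, but CurrentControlSet is guaranteed to be the one the running system booted with. The function names are my own.

```powershell
# Added example (not from the original post): build a DbgPrint filter mask from
# named levels and persist it in the "Debug Print Filter" key described above.
# The registry value is read at boot, so reboot the debuggee afterwards; the
# "ed nt!Kd_*_Mask" commands are the way to change it immediately.

# DPFLTR_*_LEVEL values from wdm.h; bit n of the filter mask enables level n.
$DpfltrLevels = @{
    Error   = 0
    Warning = 1
    Trace   = 2
    Info    = 3
}

function New-DebugPrintMask {
    # Returns a UInt32 mask with one bit set per requested level. Levels may be
    # names from $DpfltrLevels or raw bit numbers 0..31 (driver-defined levels).
    param([Parameter(Mandatory)][object[]]$Levels)
    [long]$mask = 0   # accumulate in a signed 64-bit value to avoid UInt32 overflow quirks
    foreach ($level in $Levels) {
        $bit = if ($DpfltrLevels.ContainsKey([string]$level)) { $DpfltrLevels[[string]$level] } else { [int]$level }
        if ($bit -lt 0 -or $bit -gt 31) { throw "level $level out of range 0..31" }
        $mask = $mask -bor (1L -shl $bit)
    }
    return [uint32]$mask
}

$DebugPrintFilterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

function Set-DebugPrintFilter {
    # Persists the mask for one component (DEFAULT, IHVDRIVER, ...) as a REG_DWORD.
    param(
        [Parameter(Mandatory)][uint32]$Mask,
        [string]$Component = 'DEFAULT'
    )
    if (-not (Test-Path $DebugPrintFilterKey)) { New-Item -Path $DebugPrintFilterKey -Force | Out-Null }
    # REG_DWORD is written through Int32; reinterpret the bits so 0xFFFFFFFF becomes -1
    # instead of failing the Int32 range check.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($Mask), 0)
    New-ItemProperty -Path $DebugPrintFilterKey -Name $Component -PropertyType DWord -Value $dword -Force | Out-Null
}

function Get-DebugPrintFilter {
    # Reads the value back and converts the signed Int32 the registry returns to UInt32.
    param([string]$Component = 'DEFAULT')
    $item = Get-ItemProperty -Path $DebugPrintFilterKey -Name $Component -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$Component), 0)
}

# Everything (what the post's 0xFFFFFFFF does) versus only errors and warnings:
$all  = New-DebugPrintMask -Levels (0..31)            # FFFFFFFF
$some = New-DebugPrintMask -Levels 'Error', 'Warning' # 00000003
'all={0:X8} errors+warnings={1:X8}' -f $all, $some

# On the debuggee, from an elevated prompt, then reboot:
#   Set-DebugPrintFilter -Mask $all                        # DEFAULT component
#   Set-DebugPrintFilter -Mask $some -Component 'IHVDRIVER' # matches nt!Kd_IHVDRIVER_Mask
#   '{0:X8}' -f (Get-DebugPrintFilter)
```

A narrower mask is worth the extra minute once a driver gets chatty: with only Error and Warning enabled the kernel debugger output stays readable while the driver's trace-level prints are dropped before they reach WinDbg.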
- Reference
- https://www.easefilter.com/Forums_Files/WinDbg_Commands.htm
- https://github.com/repnz/windbg-cheat-sheet
- https://github.com/hugsy/defcon_27_windbg_workshop/blob/master/windbg_cheatsheet.md#registers–memory-access
Now, enjoy your kernel debugging!