Kernel, Rootkits

Windows Kernel Debugging

Windows kernel debugging using VMware Workstation 12, with Windows 7 as the target (guest) system and Windows 8.1 as the host machine.

> Set up a virtual machine with Windows 7. After the Windows installation, shut it down.

> Enable virtual printers in VMware Workstation: go to Edit->Preferences->Devices->Enable virtual printers.

> Download WDK 10 from here and install it on the host machine.

> Set up debug symbols on the host machine – instructions here.

> Set up the System Path variable: append C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64, assuming the WDK was installed to the same path.

> Create a named pipe. The VM must not be running. Open the VM settings and click Add… Create a serial port. Choose Output to named pipe for the port type. Choose a name for the pipe, for example \\.\pipe\mykdpipe. Choose This end is the server. The other end is a virtual machine. Check Connect at power on. Click Finish.

> Go to the VM settings, open the serial port settings and enable Yield CPU on poll.

> Enable debugging. Start the virtual machine, run a command prompt as administrator and execute:

bcdedit /debug ON
bcdedit /dbgsettings serial debugport:2 baudrate:115200

Restart the virtual machine so that kernel debugging takes effect, then shut it down.

> Launch the kernel debugging session. On the host, run a command prompt as administrator and execute:

kd -logo .\logs.txt -k com:pipe,port=\\.\pipe\mykdpipe,resets=0,reconnect

> Start the virtual machine. When the VM has completed system startup, issue a break command (CTRL+C) in the command prompt on the host machine to suspend execution of the VM (Win 7).
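The host-side steps above (debugger on the path, symbols configured, named pipe created by the VM, kd started against that pipe) can be checked and launched from one script. The following is an added example, not part of the original guide: a PowerShell launcher that verifies the prerequisites before running the same kd command line. The parameter names, the C:\Symbols cache folder and the Microsoft symbol server URL are assumptions of this example; adjust them to your setup.

```powershell
# Added example (not from the original guide): host-side kd launcher that checks the
# prerequisites from the steps above before attaching to the VMware named pipe.
# Assumptions (not in the original page): parameter names, the C:\Symbols cache
# folder and the public symbol server URL are hypothetical defaults.
param(
    [string]$PipeName    = 'mykdpipe',                                               # name chosen in the VM serial-port setting
    [string]$DebuggerDir = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64',  # path from the guide
    [string]$SymbolCache = 'C:\Symbols',                                             # hypothetical local symbol cache
    [string]$LogFile     = (Join-Path $PWD 'logs.txt')                               # same log file as the guide
)

# The guide runs kd from an elevated prompt; fail early if this session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell (Run as administrator).'
}

$kd = Join-Path $DebuggerDir 'kd.exe'
if (-not (Test-Path $kd)) {
    throw "kd.exe not found at '$kd'. Install the WDK debugging tools or pass -DebuggerDir."
}

# The guide appends the debugger directory to the system PATH; here it is added for this
# session only so the script works even if that step was skipped.
if (($env:Path -split ';') -notcontains $DebuggerDir) {
    $env:Path = "$env:Path;$DebuggerDir"
}

# kd reads _NT_SYMBOL_PATH when no -y option is given. Set a cache + Microsoft symbol
# server path only if the user has not configured symbols already.
if (-not $env:_NT_SYMBOL_PATH) {
    New-Item -ItemType Directory -Path $SymbolCache -Force | Out-Null
    $env:_NT_SYMBOL_PATH = "srv*$SymbolCache*https://msdl.microsoft.com/download/symbols"
}

# VMware creates \\.\pipe\<name> when the VM powers on. Listing \\.\pipe\ shows the
# pipes that currently exist; warn but do not fail, because kd's 'reconnect' option
# keeps waiting for the pipe to appear.
$pipePath = "\\.\pipe\$PipeName"
$existing = [System.IO.Directory]::GetFiles('\\.\pipe\')
if ($existing -notcontains $pipePath) {
    Write-Warning "Named pipe $pipePath is not present yet; power on the VM and kd will attach."
}

# Same command line as the guide: -logo overwrites the log file, resets=0 ignores
# the virtual serial port's reset signals, reconnect re-attaches after guest reboots.
& $kd -logo $LogFile -k "com:pipe,port=$pipePath,resets=0,reconnect"
```

Run it as `.\Start-Kd.ps1 -PipeName mykdpipe` (any filename will do) from an elevated PowerShell; once kd reports that it is waiting to reconnect, power on the VM and continue with the break command described above.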

> To exit kd.exe, execute the following commands:

bc *

Clears all breakpoints

g

Allows the VM to continue running

This guide also works if Windows 8.1 is installed in the virtual machine.