Antivirus, Debugging, Kernel

Debug user-mode processes using a kernel debugger

When a user-mode process deploys various userland anti-debugging tricks, you can use kernel debugging to attach to the process and debug it easier.

> Create a Windows 8.1 Vmware machine.
> Follow this guide to enable kernel debugging through pipes.
> Run Windbg as administrator on your host machine.
> Open File->Kernel Debug… (Ctrl+K)
> Select COM tab
> Check Pipe and Reconnect checkboxes.
> Leave Baud Rate(115200) and Resets(0) default values
> Set port to \\.\pipe\mykdpipe

> Start or Restart your vm and wait for Windbg to connect.
> Break. Open menu->Debug->Break or Ctrl+Pause
> Wait till you see the message bellow:

> Type

!process 0 0 yourprocess.exe

to get details about your process of interest.
for ex.

The !process extension displays information about the specified process, or about all processes, including the EPROCESS block. More about !process extension here.

> Debug your yourprocess.exe

.process /r /p EPROCESS_address

/r Reloads user-mode symbols after the process context has been set, if you use the /r and /p options.
/p Translates all transition page table entries (PTEs) for this process to physical addresses before access.
ffffe000abec78c0 EPROCESS address
For more on .process command please visit command’s page at Microsoft.

> Now you can debug your user-mode process.
for ex. you can list loaded libraries: