Kernel Debugging Options
The kernel can be debugged using various methods, such as network debugging, Hyper-V debugging, USB debugging, serial debugging, and virtual machine-based debugging with tools like VirtualKD.
A user-mode application is debugged on the same host it runs on. Kernel debugging is different: a separate debugger host must be connected to the target host being debugged. The one exception is local kernel debugging, which is very limited in what it can do.
Virtualisation
For the examples given, VMware Fusion Pro was used on macOS. There are many options for virtualising Windows hosts, but check that the virtualisation platform you use is supported by WinDbg and by the debugging option you choose.
For example, QEMU is known to have issues with the VirtualKD option.
Symbol Path
We will be using Windbg Preview as our kernel debugger.
Having the correct symbol path is important when debugging because symbols provide valuable information about the code and modules being debugged. Symbols contain names and addresses of functions, variables, and other program elements, which helps in understanding and interpreting the debugging information accurately.
With the correct symbol path, the debugger can resolve memory addresses to meaningful function names, source code lines, and variable names, making it easier to navigate and analyse the code during debugging. It enables the debugger to provide more accurate call stacks, variable values, and diagnostic information.
Without proper symbol information, debugging becomes challenging.
The correct symbol path can be set up in the OS Environment Variables:
![](https://open-advanced-windows-exploitati.gitbook.io/~gitbook/image?url=https%3A%2F%2F1133556953-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F6fSnuRpvF32xyL2X75m5%252Fuploads%252FayFNMxMiY6S6sMhCCgtq%252Fsymbol_path.png%3Falt%3Dmedia%26token%3Daf2b1568-5ec5-4c49-b529-7f18699b0092&width=768&dpr=4&quality=100&sign=659702e3&sv=2)
The symbol path should be set to:
```
srv*c:\symbols*https://msdl.microsoft.com/download/symbols
```
This form tells the debugger to look in the local cache directory c:\symbols first and to download any missing symbols from the Microsoft public symbol server.
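The following PowerShell script is an added example, not code from the original page: it persists the symbol path above on the debugger host in the `_NT_SYMBOL_PATH` environment variable that WinDbg reads, creates the cache directory, and reads the value back to confirm it was stored. The cache directory is the page's `c:\symbols`; the server is Microsoft's public symbol server; the function and parameter names are this example's own.

```powershell
# Added example (not from the original page). Run on the debugger host.
# Sets _NT_SYMBOL_PATH to srv*<cache>*<server>, the form WinDbg expects.

function Test-KernelSymbolPath {
    # Parse a srv*<cache>*<server> symbol path and return its two parts,
    # or $null if the string is not in that shape.
    param([Parameter(Mandatory)][string]$SymbolPath)
    $m = [regex]::Match($SymbolPath, '^srv\*([^*]+)\*(https?://\S+)$')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{ Cache = $m.Groups[1].Value; Server = $m.Groups[2].Value }
}

function Set-KernelSymbolPath {
    param(
        [string]$CacheDir = 'c:\symbols',                               # local cache (from the page)
        [string]$Server   = 'https://msdl.microsoft.com/download/symbols', # Microsoft public symbol server
        [ValidateSet('User', 'Machine')]
        [string]$Scope    = 'User'                                      # 'Machine' needs an elevated prompt
    )
    $symbolPath = "srv*$CacheDir*$Server"
    if (-not (Test-KernelSymbolPath $symbolPath)) {
        throw "Refusing to store a malformed symbol path: $symbolPath"
    }

    # The cache directory must exist before the debugger tries to write to it.
    if (-not (Test-Path -LiteralPath $CacheDir)) {
        New-Item -ItemType Directory -Path $CacheDir | Out-Null
    }

    # Persist at the chosen scope (registry-backed), not just in this process,
    # so a freshly started WinDbg Preview picks it up.
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symbolPath, $Scope)

    # Read it back from the same scope to confirm the write took effect.
    $stored = [Environment]::GetEnvironmentVariable('_NT_SYMBOL_PATH', $Scope)
    if ($stored -ne $symbolPath) {
        throw "Symbol path was not persisted at scope '$Scope'."
    }
    return (Test-KernelSymbolPath $stored)
}

# Usage: persists the path for the current user and prints the parsed parts.
Set-KernelSymbolPath -Scope 'User'
```

Use `-Scope 'Machine'` from an elevated prompt if every account on the debugger host should share the same cache; a WinDbg instance that is already open must be restarted (or given the path with `.sympath`) before it sees the new value.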
Local
Work in progress
Network
For this course I have chosen network debugging. This method, supported by Microsoft, is easier to set up and faster than serial debugging. However, it is only supported on Windows 8 and later.
If at any point we need to debug an older operating system, then serial debugging will be chosen.
Enter the following commands on the debugee/target host:
```
bcdedit /copy {current} /d "Network Debugging"
```
creates a new entry in the boot configuration data, based on the current configuration, with the description "Network Debugging". bcdedit prints the GUID it assigned to the new entry, which is used in the next command.
```
bcdedit /debug {c8596674-0997-11ee-a0f8-e8245697ece2} on
```
enables kernel debugging for the boot entry identified by that GUID.
```
bcdedit /dbgsettings net hostip:1.1.1.1 port:50000
```
sets the network debugging settings, with 1.1.1.1 as the IP address of the debugger host and 50000 as the port number.
Moving over to the debugger host, start WinDbg Preview and choose "Attach to kernel", which is found under the "File" tab:
![](https://open-advanced-windows-exploitati.gitbook.io/~gitbook/image?url=https%3A%2F%2F1133556953-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F6fSnuRpvF32xyL2X75m5%252Fuploads%252FSxnlfMeVJ0s0QX65Jaeh%252Fdebug_kernel.png%3Falt%3Dmedia%26token%3D9de82856-ab55-4d1f-96a4-cf883c6013dd&width=768&dpr=4&quality=100&sign=e81c1de9&sv=2)
Press OK and restart the debugee machine to connect. As the debugee reboots you may be asked to select the "Network Debugging" boot entry. The debugger connects to the target as it boots.
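The target-host side of the procedure above, as an added PowerShell example that is not part of the original page: it runs the three bcdedit commands from an elevated prompt, captures the GUID of the new boot entry from bcdedit's output instead of hard-coding it, and collects the `Key=` line that `bcdedit /dbgsettings net` prints, since WinDbg's "Attach to kernel" dialog needs that key alongside the port. The host IP (1.1.1.1) and port (50000) are the placeholder values the page uses; the function and parameter names are this example's own.

```powershell
# Added example (not from the original page). Run on the debugee/target host
# from an elevated PowerShell prompt. Replace 1.1.1.1 with the debugger host's
# real IP address.

function Enable-NetworkKernelDebugging {
    param(
        [string]$HostIp      = '1.1.1.1',            # debugger host (placeholder from the page)
        [int]$Port           = 50000,                # KDNET port (placeholder from the page)
        [string]$Description = 'Network Debugging'   # boot entry description (from the page)
    )

    # bcdedit silently does nothing useful without elevation, so fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit requires an elevated prompt.'
    }

    # Step 1: copy the current boot entry. '{current}' is quoted because
    # PowerShell would otherwise parse the braces as a script block.
    $copyOutput = bcdedit /copy '{current}' /d $Description
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

    # The new entry's GUID differs on every machine, so pull it from the
    # output rather than typing it by hand.
    $m = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}')
    if (-not $m.Success) { throw "No entry GUID found in bcdedit output: $copyOutput" }
    $guid = $m.Value

    # Step 2: turn on kernel debugging for the new entry only. The original
    # entry stays untouched, so the machine can still boot without a debugger.
    $null = bcdedit /debug $guid on
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /debug failed for entry $guid" }

    # Step 3: point KDNET at the debugger host. bcdedit prints a "Key=..." line;
    # that key is entered in WinDbg together with the port.
    $dbgOutput = bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port"
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /dbgsettings failed: $dbgOutput" }
    $keyLine = @($dbgOutput) | Where-Object { $_ -match '^Key=' } | Select-Object -First 1

    [pscustomobject]@{
        EntryGuid = $guid
        HostIp    = $HostIp
        Port      = $Port
        Key       = ($keyLine -replace '^Key=', '')
    }
}

# Usage: configure the target and show the values needed on the debugger side.
Enable-NetworkKernelDebugging -HostIp '1.1.1.1' -Port 50000
```

The returned object holds everything the debugger host needs for the "Attach to kernel" dialog (port and key); the GUID is kept so the entry can later be removed with `bcdedit /delete` once debugging is finished.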
Two commands that are important when resolving symbols are `.reload`, which reloads the symbols and is often required when first connecting the debugger, and `.symfix`, which fixes the symbol search path by automatically configuring it to include the Microsoft symbol server and setting that as the default symbol search path.
If the symbol path is set correctly we can query a kernel structure by symbol:
Other Debugging Options
Hyper-V
Work in progress
USB
Work in progress
Serial
Work in progress
VirtualKD
Work in progress