# Kernel Debugging Options

A user-mode application is debugged on the same host it runs on. Kernel debugging, by contrast, requires a separate debugging host connected to the target host being debugged. The exception is local kernel debugging, which is very limited in what it can do.

## Virtualisation

For the examples given, VMware Fusion Pro was used on macOS. There are many options for virtualising Windows hosts, but it is prudent to check that the virtualisation platform you use is supported by both WinDbg and the debugging option you choose.

For example, **QEMU** is known to have issues with the **VirtualKD** option.

## Symbol Path

We will be using WinDbg Preview as our kernel debugger.

Having the correct symbol path is important when debugging because symbols provide valuable information about the code and modules being debugged. Symbols contain names and addresses of functions, variables, and other program elements, which helps in understanding and interpreting the debugging information accurately.

With the correct symbol path, the debugger can resolve memory addresses to meaningful function names, source code lines, and variable names, making it easier to navigate and analyse the code during debugging. It enables the debugger to provide more accurate call stacks, variable values, and diagnostic information.

Without proper symbol information, debugging becomes challenging.

The symbol path can be set through the OS environment variables:

![Symbol Path](/files/CBp57lTXkChGHXilZsOg)

The symbol path should be set to:

`srv*c:\symbols*https://msdl.microsoft.com/downloads/symbols`

## Local

**Work in progress**

## Network

For this course I have chosen network debugging. This method, supported by Microsoft, is easier to set up and faster than serial debugging. However, it is only supported on Windows 8 and later.

If at any point we need to debug an older operating system, then serial debugging will be chosen.

Enter the following commands on the debuggee (target) host:

```
bcdedit /copy {current} /d "Network Debugging"
The entry was successfully copied to {c8596674-0997-11ee-a0f8-e8245697ece2}.

bcdedit /debug {c8596674-0997-11ee-a0f8-e8245697ece2} on
The operation completed successfully.

C:\Windows\system32>bcdedit /dbgsettings net hostip:1.1.1.1 port:50000
Key=1k1rskk979ury.1kpffxl2dgf4y.17soo71vabsba.3abtgwj9gwpce
```

* `bcdedit /copy {current} /d "Network Debugging"` creates a new boot configuration data entry, described as "Network Debugging", based on the current configuration.
* `bcdedit /debug {c8596674-0997-11ee-a0f8-e8245697ece2} on` enables kernel debugging for the boot entry identified by that GUID.
* `bcdedit /dbgsettings net hostip:1.1.1.1 port:50000` configures network debugging with the debugger host IP address 1.1.1.1 and port 50000. The `Key=` line it prints is needed on the debugger host to connect.
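The three steps above, wrapped in a PowerShell script as an added example (not part of the original page). It parses the new entry's GUID from the `bcdedit /copy` output instead of pasting it by hand, and the host IP, port and description defaults are assumptions that mirror the walkthrough; run it from an elevated prompt on the debuggee.

```powershell
# Added example: automate the bcdedit steps for KDNET on the debuggee.
# Defaults are assumptions taken from the walkthrough above; adjust to your lab.
param(
    [string]$HostIp      = '1.1.1.1',            # debugger host address
    [int]$Port           = 50000,                # KDNET port
    [string]$Description = 'Network Debugging'   # boot entry description
)

function Assert-Admin {
    # bcdedit refuses to modify the BCD store without elevation.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit needs an elevated PowerShell prompt.'
    }
}

function Copy-DebugBootEntry([string]$Desc) {
    # bcdedit prints "The entry was successfully copied to {GUID}."; capture the GUID.
    # '{current}' must be quoted, otherwise PowerShell parses the braces as a script block.
    $out = & bcdedit /copy '{current}' /d $Desc 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $out" }
    if ($out -match '\{[0-9a-fA-F-]{36}\}') { return $Matches[0] }
    throw "Could not parse the new entry GUID from: $out"
}

Assert-Admin
$guid = Copy-DebugBootEntry $Description

# Enable kernel debugging on the new entry only, leaving the default entry untouched.
& bcdedit /debug $guid on | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdedit /debug failed for entry $guid" }

# /dbgsettings prints the Key= line the debugger host needs; keep it on screen.
$settings = & bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port" 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "bcdedit /dbgsettings failed: $settings" }

Write-Host "New boot entry: $guid"
Write-Host $settings.Trim()

# Show the resulting entry so the change can be reviewed before rebooting.
& bcdedit /enum $guid
```

Note that `/dbgsettings` is global, so the host IP, port and key apply to every entry that has debugging enabled, not just the copied one.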

Moving over to the debugger host, start WinDbg Preview and choose "Attach to kernel", which is found under the "File" tab:

![Attach to Kernel](/files/ZjwXVIheK3Ij9FQyQCjx)

Press OK and restart the debuggee machine to connect. As the debuggee reboots you may be asked to select the "Network Debugging" entry. The debugger connects to the target as it boots.

Two commands that matter when resolving symbols are `.reload`, which reloads the symbols and is often required when first connecting the debugger, and `.symfix`, which fixes the symbol search path by configuring it to include the Microsoft symbol servers and setting that as the default.

If the symbol path is set correctly we can query a kernel structure by symbol:

```
0: kd> dt nt!_KDPC
   +0x000 TargetInfoAsUlong : Uint4B
   +0x000 Type             : UChar
   +0x001 Importance       : UChar
   +0x002 Number           : Uint2B
   +0x008 DpcListEntry     : _SINGLE_LIST_ENTRY
   +0x010 ProcessorHistory : Uint8B
   +0x018 DeferredRoutine  : Ptr64     void 
   +0x020 DeferredContext  : Ptr64 Void
   +0x028 SystemArgument1  : Ptr64 Void
   +0x030 SystemArgument2  : Ptr64 Void
   +0x038 DpcData          : Ptr64 Void
```

## Other Debugging Options

### Hyper-V

**Work in progress**

### USB

**Work in progress**

### Serial

**Work in progress**

### VirtualKD

**Work in progress**

