This is for someone who wants to jump into kernel debugging but, like me, thought it was very difficult to get set up and working properly. It turns out it's actually a lot easier than you think.

# The Stuff You Will Need
# IDA Pro 6.8+
I am going to be using IDA for some of this; if you need a copy, I suggest you call HackingTeam.
# Visual Studio 2015 + Windows 10 SDK + WDK (Windows Driver Kit)
You might want to compile some things, and it's very useful to have. The Windows 10 SDK is also what installs the Debugging Tools for Windows (WinDbg) that IDA gets pointed at below.
# WinDbg for Win7
There is a small problem with using the newer WinDbg to debug an older target: it boils down to not being able to display registers properly. So if you are going to be using a Win7 VM as the target, you will want to install this build as well.
http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_220.127.116.114.msi
Because I'm on a slow connection I chose to download my symbols all at once from here. I just install them to the C:\Symbols path.
https://developer.microsoft.com/en-us/windows/hardware/download-symbols
You most likely want retail symbols; to find out the difference, look here.
whats-the-difference-between-retail-symbols-and-checked-symbols

# Install and Configuration
# Symbol Path
Before we start you are going to want to set your symbol path. WinDbg looks for symbols based on this environment variable: with the value below it checks the local C:\Symbols cache first, then the Microsoft symbol server, and caches anything it downloads into C:\Symbols. Make sure the C:\Symbols directory exists.
_NT_SYMBOL_PATH = srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
# Change IDA config for WinDbg
Now you are going to want to change the ida.cfg file located in "C:\Program Files (x86)\IDA 6.8\cfg". Look for the line that says DBGTOOLS; it should be commented out. Uncomment it and change it accordingly (note: if you are doing x64 kernel debugging, still use the x86 path!). Use whichever of the two lines matches your install, the standalone Debugging Tools for Windows or the debuggers that come with the Windows 10 SDK:
DBGTOOLS = "C:\\Program Files\\Debugging Tools for Windows (x86)\\";
DBGTOOLS = "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\";

# Does it work?
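The symbol-path and ida.cfg steps above can be done in one go from an elevated PowerShell prompt on the host. This is an added example and not code from the original post; it assumes IDA 6.8 lives under "C:\Program Files (x86)\IDA 6.8" and the Windows 10 SDK debuggers under "C:\Program Files (x86)\Windows Kits\10\Debuggers" (adjust the two variables if not), and it uses the https form of the Microsoft symbol server URL.

```powershell
# Added example, not from the original post: one-time host-side setup that creates the
# symbol cache, sets _NT_SYMBOL_PATH persistently, and uncomments/sets DBGTOOLS in ida.cfg.
# Assumptions (adjust to your install): IDA 6.8 under "C:\Program Files (x86)\IDA 6.8" and
# the Windows 10 SDK debuggers under "C:\Program Files (x86)\Windows Kits\10\Debuggers".
# Run from an elevated PowerShell prompt, because ida.cfg lives under Program Files.

$SymbolDir  = 'C:\Symbols'
$SymbolPath = "srv*$SymbolDir*https://msdl.microsoft.com/download/symbols"
$IdaCfg     = 'C:\Program Files (x86)\IDA 6.8\cfg\ida.cfg'
# x64 kernel targets are still debugged through the x86 debugger DLLs from IDA.
$DbgTools   = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\'

# 1. Local cache directory plus _NT_SYMBOL_PATH for future sessions (User scope) and this one.
New-Item -ItemType Directory -Path $SymbolDir -Force | Out-Null
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $SymbolPath, 'User')
$env:_NT_SYMBOL_PATH = $SymbolPath

# 2. Sanity-check the debugger path before pointing IDA at it: dbgeng.dll is what gets loaded.
if (-not (Test-Path (Join-Path $DbgTools 'dbgeng.dll'))) {
    throw "dbgeng.dll not found under $DbgTools - install the Windows 10 SDK debuggers first"
}

# 3. Rewrite the DBGTOOLS line. ida.cfg is a C-like file, so backslashes are doubled and
#    the commented-out default starts with //. Keep a backup before touching it.
$cfgLine = 'DBGTOOLS = "' + $DbgTools.Replace('\', '\\') + '";'
Copy-Item -Path $IdaCfg -Destination "$IdaCfg.bak" -Force
$done = $false
$newCfg = @(foreach ($line in Get-Content -Path $IdaCfg) {
    if (-not $done -and $line -match '^\s*(//\s*)?DBGTOOLS\s*=') {
        $cfgLine          # replace the first DBGTOOLS line, commented out or not
        $done = $true
    } else {
        $line
    }
})
if (-not $done) { $newCfg += $cfgLine }   # no DBGTOOLS line at all: append one
Set-Content -Path $IdaCfg -Value $newCfg

# 4. Show the result so it can be eyeballed against the two lines in the post.
Write-Host "_NT_SYMBOL_PATH = $env:_NT_SYMBOL_PATH"
Select-String -Path $IdaCfg -Pattern '^\s*DBGTOOLS\s*=' | ForEach-Object { $_.Line }
```

The script fails early if dbgeng.dll is not where $DbgTools says, which is the same condition that produces IDA's "can't connect" error later, so it is worth catching here. The User-scope variable only reaches processes started after it is set; restart IDA and WinDbg once the script has run.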
OK, so let's do a quick dry run to make sure everything is working. We will use a Windows 10 x64 VM for the test since it's easy to set up.
# Modify bcdedit for network debugging (Win8+)
Inside the VM, as Administrator, execute the following and copy the key it prints somewhere, as you will need it later on. HOSTIP is the address of the machine running WinDbg (your host), not the VM, and the settings only take effect after the VM reboots.
bcdedit.exe /debug on
bcdedit.exe /dbgsettings NET HOSTIP:192.168.1.101 PORT:50000
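The same target-side step as a script that also captures the generated key and checks what bcdedit actually stored. This is an added example, not code from the original post; it assumes the host is reachable from the VM at 192.168.1.101 on UDP port 50000 (the values used above) and that you run it from an elevated PowerShell prompt inside the VM.

```powershell
# Added example, not from the original post: run this as Administrator inside the target VM.
# It enables the kernel debugger, configures KDNET towards the host, captures the generated
# key into a file, and shows the settings so they can be checked before rebooting.
# Assumptions: the WinDbg host is reachable from the VM at 192.168.1.101 and UDP port 50000
# is free there (the values used in the post); change them to match your network.

$HostIp  = '192.168.1.101'
$Port    = 50000
$KeyFile = Join-Path $env:USERPROFILE 'kdnet-key.txt'

# bcdedit needs an elevated prompt; fail early with a clear message instead of a cryptic one.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt' }

bcdedit.exe /debug on | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /debug on failed' }

# Without KEY:, bcdedit generates a random key and prints it as "Key=a.b.c.d"; capture that line.
$out = bcdedit.exe /dbgsettings NET "HOSTIP:$HostIp" "PORT:$Port"
if ($LASTEXITCODE -ne 0) { throw "bcdedit /dbgsettings failed:`n$($out -join "`n")" }
$m = $out | Select-String -Pattern 'Key=(\S+)' | Select-Object -First 1
if (-not $m) { throw "no key in bcdedit output:`n$($out -join "`n")" }
$key = $m.Matches[0].Groups[1].Value

# Whoever has this key and can reach the VM's network segment gets the kernel debugger,
# so keep it with the VM rather than in a shared location.
Set-Content -Path $KeyFile -Value $key
Write-Host "KDNET key saved to $KeyFile"
Write-Host "On the host: windbg -k net:port=$Port,key=$key"

# Verify what will be used at next boot: 'debug Yes' and the NET host/port/key should all show.
bcdedit.exe /enum '{current}' | Select-String -Pattern '^\s*debug\s'
bcdedit.exe /dbgsettings
# Reboot to activate the settings, e.g. Restart-Computer
```

The key is printed once by bcdedit and later shown in clear by bcdedit /dbgsettings to any administrator, which is why the script drops it into a file under the current profile rather than relying on the console scrollback. If the host never sees a connection after the reboot, the VM's virtual NIC not being one KDNET supports is the first thing to check.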
# Load WinDbg and connect to the kernel
Now load WinDbg and go to File->Kernel Debug (Ctrl+K), pick the Net tab and enter the port and your key. WinDbg then waits for the target, so reboot the VM if it does not connect. Once connected, you can pause the VM by issuing a break (Debug->Break, or Ctrl+Break).
# Load driver symbols
To force-load symbols for all the loaded drivers, use .reload /f. Be sure to note the difference between kernel and user mode: user-mode modules are only visible from inside a process context, so switch to that process first. The address each .process takes is the EPROCESS address, which !process 0 0 lists for every running process; /i makes the switch invasive, so run g afterwards and wait for the debugger to break back in the new context before reloading.

# Change to user mode
.process /i [addy_of_user_proc]
.reload /f /user

# Change to kernel mode
.process /i [addy_of_kernel_proc]
.reload /f

# Verify IDA can kernel debug
We now have to make sure IDA is set up properly. Make sure WinDbg is closed (only one debugger can own the connection) and your VM is restarted. Now open IDA x64 as admin and go to Debugger->Attach->WinDbg Debugger.
(Warning: If you didn't set the DBGTOOLS option you'll get a "can't connect" error.)
I have my settings like this.
If it worked you might get an error like this.
Once loaded you should have something like this…
And that's it, you should be all set up!

# What to do now?
There are a few things you can do now; one of them is to follow along with this tutorial. I should admit that I have not actually done this myself, as I only read through it.
Debug Universal Drivers Step by Step Lab (Echo Kernel-Mode) https://msdn.microsoft.com/en-us/library/windows/hardware/mt269367(v=vs.85).aspx
You could also follow along with @TheColonial as he exploits capcom.sys:
Hackingz Ze Komputerz Exploiting CAPCOM.SYS https://www.youtube.com/watch?v=pJZjWXxUEl4
Or just go off and play on your own; there is a lot to learn and it can get VERY complicated at times.
In the next post I will go over how to change your theme to look like the above picture. In another post I will go over some of the awesome plugins you can use, and how you can follow along in IDA while using WinDbg directly.
Anyway, Happy Holidays and good luck with your bug hunting!