All Questions tagged with windbg, kernel-mode (37 questions)
Windows kernel debugging using IDA & WinDbg
2 votes, 0 answers, 721 views
I am currently trying to set up WinDbg with IDA 7.7 to perform kernel debugging. My host machine is Windows 11 22H2 64-bit, the target is a Windows 10 22H2 64-bit VM (VMware). Connection method is ...
How to find all kernel functions called by a driver in Windows 11
3 votes, 0 answers, 254 views
I am working on a highly obfuscated driver that is virtualized. In an attempt to work on this driver I asked a question about some Python scripts which turned out not to be effective at all, so I ...
Find out which struct RaGetUnitStorageDeviceProperty uses by reverse engineering
0 votes, 1 answer, 129 views
I am trying to find out which struct storport!RaGetUnitStorageDeviceProperty uses by myself. I know I can use Google and find out the correct answer is _RAID_UNIT_EXTENSION. However, I want to do it ...
Recovering a process dump from a memory dump with WinDbg
1 vote, 1 answer, 514 views
I have a crash dump (memory.dmp), and I want to extract a process (calc.exe) from it.
I tried:
!process 0 0 calc.exe
PROCESS ffffb501f8c23580 <-- this is the address
SessionId: 0 Cid: 035c ...
Why does WinDbg skip syscall in kernel mode?
1 vote, 2 answers, 864 views
I have a VM running Windows with Notepad open. I listed the modules with lm:
start end module name
00007ffc`60fb0000 00007ffc`60fe2000 vertdll (deferred) ...
How much of the kernel does remote kernel debugging allow you to debug?
0 votes, 1 answer, 143 views
This is a theoretical question because I've never set up remote kernel debugging before -- but I will at some point, which should hopefully answer some of the experimental questions I have.
What ...
Is the WinDbg .thread command useless?
1 vote, 1 answer, 276 views
The ".thread" command is used to change the thread context in Windows kernel debugging (MSDN).
But I encountered the situation below:
Execute the following two commands consecutively.
The ...
Is there an easier way to break on a rootkit driver load, other than disassembling IopLoadDriver?
2 votes, 1 answer, 274 views
The only method I know to break on the DriverEntry of a rootkit driver when it's loaded is to disassemble nt!IopLoadDriver, find an indirect call in it and break on it. Setting a breakpoint on ...
WinDBG doesn't resolve function names when debugging kernel module
2 votes, 1 answer, 1k views
I am debugging a kernel driver. When I set a breakpoint with WinDBG in one of its functions, it doesn't complete the function names, while IDA shows the names (statically).
Here is a picture ...
Get return address from syscall
2 votes, 1 answer, 590 views
I'm debugging some 32-bit process using the WinDbg kernel debugger. This process calls some syscalls, so I set a few breakpoints at kernel functions like nt!NtQuerySystemInformation. So after the breakpoint hit,...
How to find each interrupt's line in the Interrupt Descriptor Table
-1 votes, 1 answer, 208 views
I'm trying to find the line number of the 0f05 syscall interrupt with no success.
I searched everywhere and couldn't find any way of doing that; it seems like this information is hard-coded in the ...
Remote debugging using IDA, connecting to windbg server (kernel mode)
0 votes, 1 answer, 1k views
I do kernel debugging by using a virtual COM port. One machine (host) is debugging the other machine. I have a remote machine that has IDA, and I wish to connect to the debugging session in the host ...
Setting a conditional kernel breakpoint in WinDbg grinds the debuggee OS to a halt
1 vote, 1 answer, 698 views
My setup:
Debugger: Win10 Pro, WinDbg Preview v.1.0.1904.18001
Debuggee: Win7 Pro (running in a VM using VMWare Workstation)
I'm trying to follow the SendMessage call from user space:
Into the ...
Analyzing Windows kernel driver
2 votes, 2 answers, 882 views
I'm trying to analyze some Windows kernel driver. What I want to achieve is a full execution trace, from driver entry to end point. The driver is heavily virtualized and contains multiple anti-debugging ...
windbg - Why does the GS register resolve to offset 0x0?
3 votes, 2 answers, 4k views
I'm trying to understand how to resolve segment addressing (specifically the GS register in x64).
My toy program:
int main()
{
    unsigned long long x;
    __debugbreak();
    x = __readgsqword(...