Monday, January 19, 2015

Windows 8 Kernel Debugging

This inaugural post will guide you through setting up a kernel debugging environment using VMWare and WinDbg. We will create an environment which will allow us to poke at the Windows 8 kernel to further study how its internals work.


We start by installing WinDbg on the host machine. We use Windows 7 as the host for this post, but the instructions should translate to a Windows 8 host with little change. There are several ways to get WinDbg: it comes packaged with Visual Studio, the Windows Software Development Kit (SDK), and the Windows Driver Kit (WDK). The Windows 8.1 SDK lets us install WinDbg stand-alone on both Windows 7 and 8, so that is what we'll use. We don't need the full WDK or Visual Studio for this demonstration.

Download and run the SDK installer. Accept the defaults until you reach the feature-selection step.
Deselect everything except "Debugging Tools for Windows", then continue through the rest of the installation. If all went well you will have a couple of WinDbg entries (the 32- and 64-bit debuggers) in your Start menu.
Next, install VMWare Workstation with all the default settings; nothing needs to change. We used Workstation 10, but 11 should work just fine. Workstation requires a license, but if you're into hacking it's worth it.

The next step is to build and configure the Windows 8 guest VM. This is the OS we will attach the host's WinDbg to over a named pipe. We assume you already have the Windows 8 ISO and a license key. For a refresher on installing Windows 8 as a VM guest, please refer to this article.

VMWare Configuration

Once the Win 8 guest is created, add a serial port to it so the host's WinDbg can talk to the guest. Make sure the Win 8 guest is powered down first. Right-click the Win 8 VM and select "Settings". On the "Hardware" tab, click "Add" and select "Serial Port".
On the next page, select "Output to named pipe".
On the last page, make sure the settings are as follows, and click "Finish". The pipe name must match what we give WinDbg later (\\.\pipe\com_1 in this post), the VM must be the server end of the pipe, and the other end must be set to an application (WinDbg), not another virtual machine.
Back on the "Hardware" tab, select the new serial port and enable "Yield CPU on poll". This makes the guest give up processor time when its only activity is polling the virtual serial port, instead of pinning a host core.

Guest Configuration

Now we have to tell the Windows 8 guest that kernel debugging should be enabled, and that it should communicate on the COM port that VMWare created for us. Open a command prompt as an administrator, and run the following commands.

   bcdedit /set {current} debug on
   bcdedit /set {current} debugtype serial
   bcdedit /set {current} debugport 1
   bcdedit /set {current} baudrate 115200

We're assuming the OS assigned the VMWare serial port to COM1, which is what debugport 1 means. If COM1 is already taken, check Device Manager under "Ports (COM &amp; LPT)" for the number of the VMWare port and use that in debugport. Be clear about what this setting does: with debug on, whoever is on the other end of that serial line can read and write all of kernel memory, so this belongs on a research VM, not on a machine you care about. Power down the VM.
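The guest-side steps above, as an added PowerShell script that is not part of the original post. It discovers which COM ports the guest actually has, applies the same four bcdedit settings, and verifies them with bcdedit /dbgsettings. It assumes the VMWare serial port is the lowest-numbered port in the guest (COM1 on a fresh VM); if several ports are listed, pick the one Device Manager shows for the VMWare device instead.

```powershell
# Added example (not from the original post): configure the Windows 8 guest for
# serial kernel debugging and verify the result. Run inside the guest as Administrator.
# Assumption: the VMWare serial port is the lowest-numbered COM port present.

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "bcdedit needs an elevated prompt; re-run this script as Administrator."
}

# Enumerate the COM ports the guest really has, so debugport points at one that exists.
$ports = [System.IO.Ports.SerialPort]::GetPortNames() | Sort-Object
if (-not $ports) { throw "No serial ports found; add one to the VM in Workstation first." }
Write-Host "Serial ports in guest: $($ports -join ', ')"

# Take the lowest-numbered port and strip the 'COM' prefix to get the bcdedit port number.
$debugPort = [int]($ports[0] -replace '^COM', '')
$baud      = 115200

# {current} must be quoted: unquoted braces are parsed by PowerShell as a script block.
bcdedit /set '{current}' debug on
bcdedit /set '{current}' debugtype serial
bcdedit /set '{current}' debugport $debugPort
bcdedit /set '{current}' baudrate $baud

# Show what the boot store actually recorded before powering the VM down.
$settings = bcdedit /dbgsettings
$settings
if (($settings -join "`n") -notmatch "debugport\s+$debugPort") {
    throw "debugport was not applied; inspect the bcdedit output above."
}
```

The /dbgsettings check matters because bcdedit accepts many values silently; reading the store back is the only way to know the guest will come up talking on the port and baud rate WinDbg expects.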

WinDbg Configuration

The first thing to do with a fresh WinDbg install is set up debug symbols. Symbols (PDB files) are generated when a binary is built and map addresses back to function names, variable names, and structure layouts. Microsoft publishes symbols for most of its binaries, the kernel included, on its public Symbol Server, and WinDbg can fetch them on demand if we tell it where to look and where to cache them.

Start by creating the folder "C:\Symbols" on the host machine. Open WinDbg on the host, go to "File" → "Symbol File Path", and set the path to the Microsoft symbol server with C:\Symbols as the local cache:

   SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

This tells WinDbg to download symbols from Microsoft and store them in C:\Symbols whenever it debugs a binary that has symbols available. Select "File" → "Save Workspace" so the setting persists across sessions. Expect the first symbol load after connecting to take a while as the kernel symbols come down; !sym noisy shows which files WinDbg is fetching if it looks stuck.

Now we tell WinDbg how to reach the Windows 8 VM. Open "File" → "Kernel Debugging" and select the "COM" tab. Set the baud rate to 115200 (it must match the bcdedit setting in the guest), set the port to \\.\pipe\com_1, and tick both "Pipe" and "Reconnect".
This tells WinDbg to debug the kernel at the other end of the "\\.\pipe\com_1" named pipe, which VMWare creates when the VM powers on. "Reconnect" makes WinDbg wait for the pipe to appear and re-open it after a read or write error, rather than giving up on the first failed attempt. Do not click OK yet.

Putting it Together

We should now have a powered-down VM and WinDbg ready to connect, with the "Kernel Debugging" window still open. This step takes a bit of timing. Power up the VM, then click "OK" in WinDbg after the VM POSTs and before the OS boots. The named pipe only exists once the VM is powered on, so clicking OK earlier fails outright unless "Reconnect" is ticked, in which case WinDbg simply waits for the pipe.
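The host-side steps (symbol path, COM settings, and the connection) as one added PowerShell script; this is not code from the original post. It drives WinDbg from the command line with the same values the dialogs above configure, and uses the reconnect option so WinDbg can be started before the VM is powered on instead of racing the boot. It assumes the Windows 8.1 SDK put the debuggers under Windows Kits\8.1 and that the VM's serial port is \\.\pipe\com_1, as in this post.

```powershell
# Added example (not from the original post): start WinDbg on the host against the
# VM's named pipe with the symbol path already set. Assumptions: SDK 8.1 default
# install location, pipe name \\.\pipe\com_1, baud rate 115200 as set in the guest.

$symbolCache = 'C:\Symbols'
$pipeName    = '\\.\pipe\com_1'
$baud        = 115200

# Symbol path: local cache first, then the public Microsoft symbol server.
if (-not (Test-Path $symbolCache)) {
    New-Item -ItemType Directory -Path $symbolCache | Out-Null
}
$env:_NT_SYMBOL_PATH = "SRV*$symbolCache*http://msdl.microsoft.com/download/symbols"

# The SDK installs both debugger bitnesses; either one can kernel-debug an x64 or x86 guest.
$windbg = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\8.1\Debuggers\x64\windbg.exe'
if (-not (Test-Path $windbg)) {
    throw "WinDbg not found at $windbg; check the SDK installation."
}

# -k com:... is the command-line form of the COM tab. resets=0 is the recommended
# setting for pipe transports; reconnect makes WinDbg wait for the pipe to appear
# and re-open it if the connection drops, so start order no longer matters.
$target = "com:pipe,port=$pipeName,baud=$baud,resets=0,reconnect"
Start-Process -FilePath $windbg -ArgumentList @('-k', $target)
Write-Host "WinDbg started against $pipeName; power on the VM now."
```

Setting _NT_SYMBOL_PATH in the environment rather than in the saved workspace means kd.exe and any other debugger launched from that shell pick up the same cache, which is handy once you start scripting breakpoints instead of clicking through dialogs.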

If WinDbg connected over the pipe, the command window should show something like this. Notice the "Debuggee is running..." status: that confirms WinDbg is attached to the Windows 8 kernel. Press Ctrl+Break (or "Debug" → "Break") to halt the guest and get a kd> prompt, run .reload to pull down the kernel symbols, and you're ready to set breakpoints, analyze memory, and hack away.