Debugging Windows kernel under VMWare using IDA's GDB debugger Copyright 2009 Hex-Rays SA



Similar documents
Debugging Windows Applications with IDA WinDbg Plugin Copyright 2011 Hex-Rays SA

Authorware Install Directions for IE in Windows Vista, Windows 7, and Windows 8

How to use the VMware Workstation / Player to create an ISaGRAF (Ver. 3.55) development environment?

Internet Explorer 7. Getting Started The Internet Explorer Window. Tabs NEW! Working with the Tab Row. Microsoft QUICK Source

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS

Setting Up a Windows Virtual Machine for SANS FOR526

Table of Contents. FleetSoft Installation Guide

Installing and Configuring vcloud Connector

Vodafone PC SMS (Software version 4.7.1) User Manual

3. Locate the different selections of Styles from the Home Tab, Styles Group

Nero MediaStreaming for MCE Manual

Colligo Contributor File Manager 4.6. User Guide

Important Notes for WinConnect Server VS Software Installation:

Practice Fusion API Client Installation Guide for Windows

Lab - Configure a Windows 7 Firewall

Windows XP Pro: Basics 1

TOSHIBA GA Printing from Windows

MultiSite Manager. Setup Guide

Active Directory Software Deployment

MultiSite Manager. Using HTTPS and SSL Certificates

Installation Guide for Crossroads Software s Traffic Collision Database

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

IBM FileNet eforms Designer

PigCHAMP Knowledge Software. Enterprise Edition Installation Guide

DocuPrint C3290 FS Features Setup Guide

Eclipse installation, configuration and operation

Configuring Network Load Balancing with Cerberus FTP Server

12 NETWORK MANAGEMENT

Fiery E100 Color Server. Welcome

WHAT S NEW IN WORD 2010 & HOW TO CUSTOMIZE IT

Microsoft Dynamics GP Release

Remote access set up for a home PC

How To Test Your Web Site On Wapt On A Pc Or Mac Or Mac (Or Mac) On A Mac Or Ipad Or Ipa (Or Ipa) On Pc Or Ipam (Or Pc Or Pc) On An Ip

Microsoft Migrating to PowerPoint 2010 from PowerPoint 2003

Using Entrust certificates with Microsoft Office and Windows

How to Configure Microsoft System Operation Manager to Monitor Active Directory, Group Policy and Exchange Changes Using NetWrix Active Directory

BIGPOND ONLINE STORAGE USER GUIDE Issue August 2005

I N R O A D S, I N C. T R A I N I N G A N D D E V E L O P M E N T

Windows Server Update Services 3.0 SP2 Step By Step Guide

NetIQ Advanced Authentication Framework. FIDO U2F Authentication Provider Installation Guide. Version 5.1.0

Introduction to Simulink

Sync Appointments from the Schedule Certifications Screen

Q N X S O F T W A R E D E V E L O P M E N T P L A T F O R M v Steps to Developing a QNX Program Quickstart Guide

Enabling Microsoft Windows Server 2003 R2 Hardware Management

? Index. Introduction. 1 of 38 About the QMS Network Print Monitor for Windows NT

IT Quick Reference Guides Using Windows 7

Creating trouble-free numbering in Microsoft Word

Section 1: Ribbon Customization

EVENT LOG MANAGEMENT...

Installation and User Guide Zend Browser Toolbar

How to test and debug an ASP.NET application

Back-up Server DOC-OEMSPP-S/2014-BUS-EN-10/12/13

PTC Integrity Eclipse and IBM Rational Development Platform Guide

Configuring Your Firewall for Client Access in Professional Edition

1 Download & Installation Usernames and... Passwords

MS WORD 2007 (PC) Macros and Track Changes Please note the latest Macintosh version of MS Word does not have Macros.

Forcepoint Sidewinder, Virtual Appliance Evaluation for Desktop. Installation Guide 8.x. Revision A

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0

ERIKA Enterprise pre-built Virtual Machine

Single Mailbox Recovery 7.0 Administrative Server Administration Guide

Migrating MSDE to Microsoft SQL 2008 R2 Express

RSA Security Analytics

Using the TASKING Software Platform for AURIX

CODESOFT Installation Scenarios

Witango Application Server 6. Installation Guide for Windows

HTML Code Generator V 1.0 For Simatic IT Modules CP IT, IT, IT

Access Tutorial 1 Creating a Database

Security Analytics Virtual Appliance

Installing Oracle 12c Enterprise on Windows 7 64-Bit

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

Nagios XI Monitoring Windows Using WMI

Stored Documents and the FileCabinet

PostScript User Guide 604P17454_EN

Using your Bluetooth laptop with the Logitech wireless hub

Scan to PC Desktop: Image Retriever 5.2 for Xerox WorkCentre C2424

Synchronizer Installation

How to Create User-Defined Fields and Tables

KPN SMS mail. Send SMS as fast as !

SKP16C62P Tutorial 1 Software Development Process using HEW. Renesas Technology America Inc.

Rx Medical. SMD Utility. Task Scheduler Configuration

How to use

10 STEPS TO YOUR FIRST QNX PROGRAM. QUICKSTART GUIDE Second Edition

Skype for Business Online Meetings

There are several ways of creating a PDF file using PDFCreator.

RSA Security Analytics

Fax and SMS Quickguide

uh6 efolder BDR Guide for Veeam Page 1 of 36

EntroWatch - Software Installation Troubleshooting Guide

Drafting/Writing. Technology and Drafting

Deployment Guide: Transparent Mode

Monitor Wall 4.0. Installation and Operating Manual

XenClient Enterprise Synchronizer Installation Guide

Quick Connect. Overview. Client Instructions. LabTech

Configure SPLM 2012 on Windows 7 Laptop

1. Click the File tab 2. Click "Options" 3. Click "Save" 4. In the line labeled "Default file location", browse to the desired folder 5.

Presentations and PowerPoint

138 Configuration Wizards

Hyper-V Server 2008 Getting Started Guide

SystemTools Software Inc. Hyena Installation Guide

Transcription:

Debugging Windows kernel under VMWare using IDA's GDB debugger Copyright 2009 Hex-Rays SA Current versions of VMWare Workstation include a GDB stub for remote debugging of the virtual machines running inside it. In version 5.4, IDA includes a debugger module which supports the remote GDB protocol. This document describes how to use it with VMWare. As an example, we'll debug a Windows kernel. Preparing VM for debugging Let's assume that you already have a VM with Windows (32-bit) installed. Before starting the debugging, you can copy the kernel for symbol retrieval later. Copy ntoskrnl.exe or ntkrnlpa.exe (depending on the VM configuration) from Windows/sytem32. Now edit the VM's.vmx file to enable GDB debugger stub: Add these lines to the file: debugstub.listen.guest32 = "TRUE" debugstub.hidebreakpoints= "TRUE" Save the file. In VMWare, click "Power on this virtual machine" or click the green Play button on the

toolbar. Wait until the VM boots. Debugging in IDA Start IDA. If you get the welcome dialog, choose "Go".

Choose Debugger Attach Remote GDB debugger. Enter "localhost" for hostname and 8832 for the port number.

Choose <attach to the process started on target> and click OK. The execution should stop somewhere in the kernel (address above 0x80000000). You can step through the code, but it's not very convenient without any names. Let's try to add some symbols. Identifying kernel base To load the kernel symbols from PDB file, we first need to know at which address it is loaded. There are many ways to find it, but we will use the KernBase pointer in the

DBGKD_GET_VERSION64 structure, which, in turn, is referenced from the KPCR structure pointed to by the fs register. To retrieve the base of the segment pointed to by fs, we can use the VMWare's debug monitor "r" command. Make sure you switch the commandline interpreter to "GDB": Then type "r fs" in the commandline (hint: use "." to switch to commandline and Esc to switch back to disassembly): The address mentioned after "base" will be the address of KPCR. Navigate to the address in IDA (Jump Jump to addres... or just "g"). You will see the start of the KPCR structure.

We could just follow some well-known offsets, but for convenience we will make use of the structure definitions bundled with IDA. Choose View Open subviews Type libraries or press Shift-F11. You might get this warning, which is normal in this situation: Press OK to close it. If you cannot see the Loaded Type Libraries window, right-click the Types tab on the main IDA window and make sure "Desktop window" item is checked: In the Loaded Type Libraries window choose "Load type library..." from the context menu or press Ins.

In the list, choose file named "ntddk" (hint: you can start typing the name to quickly navigate to it) and click OK. This will make available various structures from the Windows Device Driver Kit. Now open the structures window (View Open subviews Structures or Shift-F9). There, press Ins or choose "Add struct type..." from the Edit menu. Click "Add standard structure". The list of predefined structures we loaded will appear.

In the list, choose structure named KPCR (again, you can start typing its name). Click OK. Now let's go back to the disassembly and apply the structure. Make sure you're at the address (fs base) we found earlier, and choose Edit Structs Struct var... or just press Alt-Q. Choose the KPCR structure and click OK. You might get this warning, which can be ignored: The dissassembly will display structure fields nicely represented and commented.

Find the field commented KdVersionBlock and double-click or press Enter to follow it. Name the location KdVersionBlock so that it can be easily found later. Now we need to apply a structure DBGKD_GET_VERSION64, but it is not available in the type libraries shipped with IDA. Its definition is available in the file wdbgexts.h shipped with Debugging Tools for Windows or can be found on the Internet. We could create the structure manually from its definition, but it's much easier to use IDA's built-in C parser. Go to View Open subviews Local types or press Shift-F1. Press Ins or choose "Insert..." from the context menu.

Paste the definition of the DBGKD_GET_VERSION64 structrure from wdbgexts.h file or Internet. Click OK. The structure will appear in the Local Types list, but it will not be available yet in the Structures list or in Struct var... command. Right-click it and choose "Synchronize to idb". Click Yes in the confirmation notice and OK in the info messagebox. Now we can apply the structure. Go to the KdVersionBlock location we noted before and apply the new structure (using Edit Structs Struct var... or Alt-Q). The structure will initially appear collapsed, press Numpad + to uncollapse it (or choose Unhide from the View menu).

Now everything is nicely represented, and we can follow the KernBase pointer (the Fs at the beginning of the address are caused by sign extension and can be ignored here; double-click or Enter key still work). After following the pointer, you can see the familiar MZ signature. Loading symbols To load the symbols, we will make use of the new feature IDA 5.4. Go to File Load File PDB file... Enter path to the kernel.exe you copied from the VM and the kernel base address we found.

Press OK and IDA's PDB loader plugin will retrieve the PDB file for the.exe from Microsoft's symbol store and apply its symbols to the disassembly. This should make your work much easier. Happy debugging! Copyright 2009 Hex-Rays SA

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information