Configuring Kernel Debugging on Windows 7 with VMWare virtual machine




Author: Alexandre Borges
Revision: ver. A
Date: APR/2014

When doing malware analysis or crash dump analysis, it is necessary to boot Windows 7 in debug mode to analyze malware components such as processes running in user mode or even drivers running in kernel mode. It is therefore fundamental to have an environment ready for this task, and there are some possible configurations: either two physical machines running Windows 7, which requires a serial cable connecting the two machines, or a host running Windows 7 and a VMware virtual machine also running Windows 7. As it is sometimes a bit difficult to get a serial cable (RS232), I will show the second scenario here.

The environment deployed for this test is composed of:

- Host (physical machine) running Windows 7 64 bits
- VMware Workstation 10
- A virtual machine running Windows 7 64 bits

The physical machine (host) running Windows 7 will hold the debug console, and the virtual machine running Windows 7 will be the system being debugged. To configure Windows 7 for this, we have to execute the following steps:

Step 1: Go to http://www.slysoft.com/en/download.html to download the Virtual CloneDrive product (freeware), which is able to mount .iso files easily. After the download we have to install it (Figure 1).

Figure 1

http://alexandreborges.org Page 1

Step 2: Download either the Windows Driver Kit for Windows 7 (WDK 7.1.0) from http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx (Figure 2) or the Windows SDK for Windows 7 from http://www.microsoft.com/en-us/download/details.aspx?id=8442 (Figure 3). Both packages include the Debugging Tools for Windows, which will be necessary later; additionally, it is also possible to download only the Debugging Tools from the latter link (Figure 4). I recommend downloading the Windows SDK (Figure 5) or the standalone Debugging Tools if you have no plan to write or develop Windows device drivers.

Figure 2
Figure 3

Figure 4
Figure 5

Step 3: As Virtual CloneDrive is already installed and the Windows SDK has been downloaded, it is time to mount the DVD ISO by right-clicking it and choosing Mount (Virtual CloneDrive E:), as in Figure 5 and Figure 6.

Figure 6

Step 4: The Windows SDK ISO was mounted as drive E:\, so we can double-click it to start the installation. Do not forget that the Windows Debugging Tools MUST be installed (Figure 7).

Figure 7

Step 5: The next step is to configure the VMware virtual machine to accept a serial connection. Usually, every virtual machine is created without a serial port, so it is time to add one. On the virtual machine with Windows 7 installed (and powered off), click Edit Virtual Machine Settings and add a serial port (Figures 8 and 9).

Figure 8
Figure 9

Step 6: When prompted to configure the Serial Port Type, choose "Output to named pipe" (Figure 10).

Figure 10

Step 7: Most problems when preparing the virtual machine for kernel debugging happen here. We have to choose the right options (Figure 11):

1) Named pipe: \\.\pipe\com_1
2) This end is the server
3) The other end is an application

Figure 11

Step 8: Returning to the virtual machine settings, we must check "Yield CPU on poll" (Figure 12).

Figure 12

Step 8: Boot the virtual machine with Windows 7. In the command prompt, execute the following steps to create a new boot entry and to configure the debugging operation to use serial port 2 and a baud rate of 115200:

C:\>bcdedit.exe

--------------------
identifier              {bootmgr}
device                  partition=\device\harddiskvolume1
description
locale                  pt-br
inherit                 {globalsettings}
default                 {current}
resumeobject            {e8f18ae8-9511-11e3-ad5e-cc358344fd1f}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

-------------------
identifier              {current}
device
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  pt-br
inherit                 {bootloadersettings}
recoverysequence        {e8f18aea-9511-11e3-ad5e-cc358344fd1f}
recoveryenabled         Yes
osdevice
systemroot              \Windows
resumeobject            {e8f18ae8-9511-11e3-ad5e-cc358344fd1f}
nx                      OptIn

C:\>bcdedit.exe /copy {current} /d "Windows 7 with Debug"
The entry was successfully copied to {e8f18aec-9511-11e3-ad5e-cc358344fd1f}.

C:\>bcdedit.exe /debug {e8f18aec-9511-11e3-ad5e-cc358344fd1f} on
The operation completed successfully.

C:\>bcdedit /dbgsettings serial debugport:2 baudrate:115200
The operation completed successfully.

C:\>bcdedit /dbgsettings
debugtype               Serial
debugport               2
baudrate                115200
The operation completed successfully.

C:\>bcdedit.exe

--------------------
identifier              {bootmgr}
device                  partition=\device\harddiskvolume1
description
locale                  pt-br
inherit                 {globalsettings}
default                 {default}
resumeobject            {e8f18ae8-9511-11e3-ad5e-cc358344fd1f}
displayorder            {default}
                        {current}
toolsdisplayorder       {memdiag}
timeout                 30

-------------------
identifier              {default}
device
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  pt-br
inherit                 {bootloadersettings}
recoverysequence        {e8f18aea-9511-11e3-ad5e-cc358344fd1f}
recoveryenabled         Yes
osdevice
systemroot              \Windows
resumeobject            {e8f18ae8-9511-11e3-ad5e-cc358344fd1f}
nx                      OptIn

-------------------
identifier              {current}
device
path                    \Windows\system32\winload.exe
description             Windows 7 with Debug
locale                  pt-br
inherit                 {bootloadersettings}
recoverysequence        {e8f18aea-9511-11e3-ad5e-cc358344fd1f}
recoveryenabled         Yes
osdevice
systemroot              \Windows
resumeobject            {e8f18ae8-9511-11e3-ad5e-cc358344fd1f}
nx                      OptIn
debug                   Yes

Step 9: On the physical machine running Windows 7 (not the virtual one), launch the Windows debugger (note the command path):

C:\Program Files\Debugging Tools for Windows (x64)> windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect

Figure 13
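The bcdedit listings in Step 8 are the record of which entry will start with the kernel debugger attached. Only the debuggee VM should have such an entry; the host that runs WinDbg should not. The script below is an added example, not code from the article: it parses the text that bcdedit.exe prints (the enumeration and the /dbgsettings output) and reports every entry with debug on and whether the serial transport matches port 2 at 115200 baud. The embedded listing is constructed in bcdedit's two-column layout from the store shown in Step 8 (section titles and partition=C: are typical bcdedit output, not values from the article), and the function names are my own.

```python
"""Audit a BCD store listing for boot entries with the kernel debugger enabled.
Added example, not part of the original article. It parses the text that
bcdedit.exe prints (the enumeration shown in Step 8 and the output of
bcdedit /dbgsettings) and reports which entries boot with debug on and
whether the serial transport matches the VM's serial port 2 at 115200 baud.
"""
import re
import sys

# Constructed sample in bcdedit's two-column layout, modelled on the store after
# Step 8 and trimmed to the keys used here. Section titles and partition=C: are
# typical bcdedit output, not values taken from the article.
SAMPLE_BCDEDIT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
default                 {default}
displayorder            {default}
                        {current}

Windows Boot Loader
-------------------
identifier              {default}
path                    \Windows\system32\winload.exe
description             Windows 7
osdevice                partition=C:

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Windows 7 with Debug
osdevice                partition=C:
debug                   Yes
"""

# Constructed sample of `bcdedit /dbgsettings` after Step 8.
SAMPLE_DBGSETTINGS = """
debugtype               Serial
debugport               2
baudrate                115200
The operation completed successfully.
"""

ENTRY_SEP = re.compile(r"^-{5,}$")        # dashed line under each entry title
KV_LINE = re.compile(r"^(\S+)\s*(.*)$")   # "key<spaces>value"; value may be empty
CONT_LINE = re.compile(r"^\s+(\S.*)$")    # indented extra value of a multi-value key

def parse_bcdedit(text):
    """One dict per entry; multi-value keys such as displayorder become lists."""
    entries, current, last_key = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if ENTRY_SEP.match(line.strip()):
            current = {"_title": lines[i - 1].strip() if i else ""}
            entries.append(current)
            last_key = None
            continue
        if current is None:
            continue                      # title line or text outside any entry
        if not line.strip():
            current = None                # a blank line closes the entry
            continue
        m = CONT_LINE.match(line)
        if m and last_key is not None:
            prev = current[last_key]
            current[last_key] = (prev if isinstance(prev, list) else [prev]) + [m.group(1)]
            continue
        m = KV_LINE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
    return entries

def debug_enabled_entries(entries):
    """(identifier, description) of every entry that boots with debug on."""
    return [(e.get("identifier", ""), e.get("description", ""))
            for e in entries if e.get("debug", "").lower() == "yes"]

def parse_dbgsettings(text):
    """Pick debugtype/debugport/baudrate out of `bcdedit /dbgsettings` output."""
    wanted = {"debugtype", "debugport", "baudrate"}
    out = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            out[m.group(1).lower()] = m.group(2).strip()
    return out

def serial_settings_ok(settings, port="2", baud="115200"):
    """True when the global debug transport matches the VM's serial port."""
    return (settings.get("debugtype", "").lower() == "serial"
            and settings.get("debugport") == port
            and settings.get("baudrate") == baud)

if __name__ == "__main__":
    # Real use (elevated prompt on the debuggee): bcdedit > bcd.txt, then pass bcd.txt.
    bcd = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_BCDEDIT
    print("debug entries:", debug_enabled_entries(parse_bcdedit(bcd)))
    print("serial ok:", serial_settings_ok(parse_dbgsettings(SAMPLE_DBGSETTINGS)))
```

The continuation-line handling matters because bcdedit prints multi-value keys such as displayorder on several indented lines, which is exactly what the flattened listing in the article hides; without it the second value of displayorder would be dropped or misread as a key.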

Step 10: Boot the virtual machine with Windows 7 installed and choose "Windows 7 with Debug" (Figure 13). After a few seconds, go to Windows Debugger > Debug > Break to stop the Windows 7 boot process. If everything has worked, we should see the following output in the Windows Debugger (Figure 14):

Figure 14

Figure 15

To continue the Windows 7 boot in the virtual machine:

kd> g

The Windows 7 boot will complete, and we can return to the debugger by sending a new break command to the virtual machine using Windows Debugger > Debug > Break. Now we are able to list all processes from the debuggee (virtual Windows 7) environment:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8018e0b990
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000001790  HandleCount: 456.
    Image: System

PROCESS fffffa8019caba00
    SessionId: none  Cid: 010c    Peb: 7fffffd9000  ParentCid: 0004
    DirBase: 76d6b000  ObjectTable: fffff8a00049ff90  HandleCount: 29.
    Image: smss.exe

PROCESS fffffa801a885b30
    SessionId: 0  Cid: 0168    Peb: 7fffffdd000  ParentCid: 0160
    DirBase: 6f2b7000  ObjectTable: fffff8a002efa8d0  HandleCount: 397.
    Image: csrss.exe

PROCESS fffffa801a8a9b30
    SessionId: 0  Cid: 019c    Peb: 7fffffda000  ParentCid: 0160
    DirBase: 6e93d000  ObjectTable: fffff8a002fb0d50  HandleCount: 75.
    Image: wininit.exe

PROCESS fffffa801a8b0980
    SessionId: 1  Cid: 01a8    Peb: 7fffffda000  ParentCid: 0194
    DirBase: 6eece000  ObjectTable: fffff8a002fc8620  HandleCount: 78.
    Image: csrss.exe

(truncated output)

This article has explained how to set up a debugger in a virtual environment. The next articles will build on this one to go further.

Have a nice day.

Alexandre Borges
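The !process 0 0 listing in Step 10 is the raw material for the malware analysis the article is preparing for, and the first thing an analyst usually wants from it is the parent/child structure: which process started which, and which parents are no longer present. The script below is an added example, not code from the article: it parses a pasted kd listing into records, rebuilds the tree from Cid/ParentCid, and marks processes whose parent is absent from the dump. The embedded sample is constructed from the five records shown above, and the function names are my own. On that sample it shows something the flat listing does not make obvious: csrss.exe and wininit.exe report ParentCid 0160, which is not in the dump, because the smss.exe instance that spawned them has already exited.

```python
"""Build a parent/child tree from a WinDbg `!process 0 0` listing.
Added example, not part of the original article. Paste the kd output into a
file and pass its name on the command line; with no argument it parses the
constructed sample below, which reproduces the records shown in Step 10.
"""
import re
import sys

# Constructed sample: the five records the article shows, in kd's own layout.
SAMPLE_DUMP = """
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8018e0b990
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000001790  HandleCount: 456.
    Image: System
PROCESS fffffa8019caba00
    SessionId: none  Cid: 010c    Peb: 7fffffd9000  ParentCid: 0004
    DirBase: 76d6b000  ObjectTable: fffff8a00049ff90  HandleCount: 29.
    Image: smss.exe
PROCESS fffffa801a885b30
    SessionId: 0  Cid: 0168    Peb: 7fffffdd000  ParentCid: 0160
    DirBase: 6f2b7000  ObjectTable: fffff8a002efa8d0  HandleCount: 397.
    Image: csrss.exe
PROCESS fffffa801a8a9b30
    SessionId: 0  Cid: 019c    Peb: 7fffffda000  ParentCid: 0160
    DirBase: 6e93d000  ObjectTable: fffff8a002fb0d50  HandleCount: 75.
    Image: wininit.exe
PROCESS fffffa801a8b0980
    SessionId: 1  Cid: 01a8    Peb: 7fffffda000  ParentCid: 0194
    DirBase: 6eece000  ObjectTable: fffff8a002fc8620  HandleCount: 78.
    Image: csrss.exe
(truncated output)
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)")
FIELD_RES = {
    "session": re.compile(r"SessionId:\s*(\S+)"),
    "cid": re.compile(r"\bCid:\s*([0-9a-fA-F]+)"),        # \b keeps ParentCid out
    "parent_cid": re.compile(r"ParentCid:\s*([0-9a-fA-F]+)"),
    "handles": re.compile(r"HandleCount:\s*(\d+)"),
    "image": re.compile(r"Image:\s*(\S.*?)\s*$"),
}

def parse_process_dump(text):
    """One dict per PROCESS record; Cid/ParentCid are converted from hex."""
    procs, current = [], None
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            current = {"address": m.group(1).lower()}
            procs.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first record
        for name, rx in FIELD_RES.items():
            f = rx.search(line)
            if f:
                current[name] = f.group(1)
    for p in procs:
        p["cid"] = int(p.get("cid", "0"), 16)
        p["parent_cid"] = int(p.get("parent_cid", "0"), 16)
        p["handles"] = int(p.get("handles", "0"))
        p.setdefault("image", "?")
        p.setdefault("session", "?")
    return procs

def children_of(procs, cid):
    return sorted(p["cid"] for p in procs if p["parent_cid"] == cid)

def orphans(procs):
    """Processes whose parent is not in the dump (it already exited, as the
    per-session smss.exe does after starting csrss.exe and wininit.exe)."""
    known = {p["cid"] for p in procs}
    return sorted((p for p in procs if p["parent_cid"] and p["parent_cid"] not in known),
                  key=lambda p: p["cid"])

def render_tree(procs):
    """Indented text tree; roots are processes whose parent is absent."""
    known = {p["cid"] for p in procs}
    lines = []
    def walk(p, depth):
        note = "" if p["parent_cid"] in known or not p["parent_cid"] else \
               "  [parent %#x not in dump]" % p["parent_cid"]
        lines.append("%s%s  pid=%d ppid=%d session=%s handles=%d%s" % (
            "    " * depth, p["image"], p["cid"], p["parent_cid"],
            p["session"], p["handles"], note))
        for c in sorted((c for c in procs if c["parent_cid"] == p["cid"]), key=lambda c: c["cid"]):
            walk(c, depth + 1)
    for root in sorted((p for p in procs if p["parent_cid"] not in known), key=lambda p: p["cid"]):
        walk(root, 0)
    return lines

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("\n".join(render_tree(parse_process_dump(text))))
```

Cid values are printed by kd in hexadecimal, so the parser converts them before comparing; a process whose ParentCid is absent is shown as a root with a note rather than dropped, since a missing parent is itself a fact worth seeing when reviewing a process list from a debuggee.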