View Full Version : How to go about debugging drivers with IDA Pro?

December 8th, 2012, 07:12
I've spent half a day trying to test out driver debugging on vmmouse.sys and I'm failing at using the tools. IDA Pro, windbg, VMware, VirtualKD.

I'm trying to get an analyzed module into kernel debugging world.
I've tried analyzing the module (the sys file) and then running the kernel mode debugger on it which doesn't seem to work. Best result has been a IDA crash on it's automatic rebasing.
I've tried doing a blank kernel debug session and tried to getting a loaded module analyzed. This one seems to do a raw unknown data to instruction translation without context which is a fail.

I'm really thankful for any help.

December 13th, 2012, 23:04

I'm just curious if you ever got this working. Actually more to the point, whether you found there was any real benefit with having IDA in that mix.

I use the exact same 4 tools for driver debugging, except that IDA is used separately in its normal disassembler persona. I've never found myself wishing I could use IDA as a GUI for the debugging session, nor does it crash when rebasing to a new driver base instance.

January 8th, 2013, 09:28
Yeah, I got it working. Sorry, for not posting an update.

I feel more comfortable with IDA than with anything else. IDA in the mix did no harm.

The crashes and stuff like that were caused by my own dumb errors. At some point I managed to mix up slightly different versions of the PE, that I wanted to get stubbornly analyzed and rebased when attaching the debbuger. The crash was caused by having the wrong DLL directory set for the idb file. So I got all that working, more or less. But that analyzing stuff was all nonsense in this instance, as I figured, it ended up being much simpler to work without all that.