
Thread: Kernel debugging with IDA

  1. #1 Imported blog (Hex-Rays), Join Date: Nov 2007

    Kernel debugging with IDA

    When IDA introduced debugging facilities years ago, the task of analyzing hostile code became more enriched: no more looking at static code and figuring out what it does; instead, just run the malware in a virtual machine and debug it remotely, or even debug just a small code snippet from the database (Bochs-based debugger plugin).

    With the IDA 5.4 release, in addition to the Bochs and GDB plugins, we also introduced a debugger plugin based on Microsoft's Debugger Engine (the same engine used by Windbg, cdb and kd). With this addition to IDA you can now debug live kernel targets as well.

    For user mode debugging the Windbg debugger plugin beats the win32 debugger plugin by providing you access to a wide range of extensions that ship with the debugging tools from Microsoft.
    For kernel debugging, you can use the Bochs/Disk Image loader or the GDB plugin to debug the whole operating system from the BIOS code onwards.
    However, when the Windbg plugin is used, you get the raw power of the debugging engine (extensions / built-in commands, symbols, ...).

    We prepared a video showing how to debug kernel mode and user mode at the same time with full symbolic information (provided from the PDB files).
    The video also demonstrates how to set breakpoints on user mode APIs and see them get triggered when any application in the system uses those APIs.

    Before viewing the video, for those willing to experiment with the Windbg debugger plugin to debug kernel mode and user mode at the same time, here is how to prepare a database:

    1. If you have never used the Windbg debugger plugin before, please visit the Windbg plugin tutorial page
    2. Set up a process server inside the VM and attach to it from IDA to debug any user mode application
    3. Once attached, go to the desired segments (kernel32, user32, advapi32, gdi32, etc...) and convert them to loader segments
    4. If the symbol retrieval mechanism was properly configured then most system DLLs will have symbol information, otherwise only exported names will be available
    5. Now we have a database with all the user mode components we wish to inspect from the live kernel debugging session
    6. Using the same database, change the connection string so that it connects to the same VM, for the purpose of live kernel debugging this time
    7. Once attached to the kernel, IDA will present the loaded drivers and kernel mode modules in the debugger / modules list
    8. It is possible to convert the kernel mode components of interest to loader segments

    That's it! The database is now suited for kernel debugging, yet contains names and addresses of user mode components.
    The video will put everything into perspective!

  2. #2
    not working video ... always get stuck in the middle
