I skipped lecture 6. Its topic is kernel debugging with VMPlayer, but in my case I mainly use Hyper-V, so I could not build that lab.

Lecture 7 is in fact almost the same as the Network Kernel Debugging post below. I have only added the lecture notes.

2019/03/10 - [Windbg] - Windbg. Network Kernel Debugging


Why do we need this setup when we have virtual machines?

  • Virtual machine kernel debugging is certainly convenient, easy, and a game changer.
  • But it has many limitations.
  • Most VMs are paravirtualized, which means that if you go for some very low-level investigation, things won't work out as you expect.
  • I personally won't recommend doing any lowest-level debugging experiments with VMs.
  • Very hardware-specific commands, for instance ba (break on access), rarely work right with any VM.


Via Network

  • Fairly new at the time of this presentation.
  • Make sure your debugger is the latest; I recommend at least the Windows 8 or 8.1 SDK/WDK.
  • Make sure your target is Windows 8 or later.
  • MS says the host should be Win XP or later.
  • This can open a great number of production kernel debugging opportunities, which used to be a nightmare with the older ports (USB, serial, 1394, etc.).
  • I will be using this setting a lot in coming presentations.


Steps


1. Make sure you have all the latest debugger and OS as per previous slide.

2. Make sure your target OS's NIC is in the MSDN list "Supported Ethernet NICs for Network Kernel Debugging in Windows 8.1".

3. Get the IP of the host using the ipconfig command.

4. Select a port number between 49152 and 65535.

5. Connect host and target via a router or switch.

  • In my setup I have connected "GreenDog" (host) and "violetcat" (target), which is Win 8.1, via two network cables connected to a TP-Link router.
  • Although the router is wireless, I have used the wired ports. This won't work over wireless so far.
  • Violet Cat's NIC is a Qualcomm Atheros AR8132 PCI-E Fast Ethernet Controller (NDIS 6.30).
  • The NIC sits at PCI bus 3, device 0, function 0.
  • I would recommend removing additional NICs if you have more than one NIC on the target, to avoid complications.

6. Disable all kinds of firewalls on both endpoints.

7. Get onto the target and type the following commands in an elevated prompt (note that there is no trailing dot after the host IP):

bcdedit /debug on

bcdedit /dbgsettings net hostip:w.x.y.z port:n


8. You will get a key, which you need to save and transfer to the host.

9. Reboot target

10. On the host computer, open WinDbg. On the File menu, choose Kernel Debug. In the Kernel Debugging dialog box, open the Net tab. Enter your port number and the key (which we got at step 8).

Click OK
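As an added example (not part of the lecture or the original post), the following PowerShell script carries out steps 4 to 8 on the target in one go: it checks for elevation, validates the host IP and the port range, lists the active physical NICs with their PCI bus/device/function (as in the lecture's "PCI bus 3, device 0, function 0") so you can confirm there is exactly one supported NIC, reports the firewall profile state, runs the two bcdedit commands, and saves the generated key for transfer to the host. The `Key=` line format of bcdedit's output and the key file path are assumptions.

```powershell
# Added example, not from the lecture or the original post. Run on the TARGET
# (Windows 8 or later) from an elevated PowerShell prompt.
# Assumptions: bcdedit prints the generated key on a line "Key=...."; $KeyFile is an arbitrary path.
param(
    [Parameter(Mandatory)][string]$HostIp,                 # host IP from ipconfig (step 3)
    [Parameter(Mandatory)][int]$Port,                      # step 4: 49152..65535
    [string]$KeyFile = "$env:USERPROFILE\kdnet-key.txt"    # assumed location for the key (step 8)
)

# Step 7 requires an elevated prompt; check before touching the boot configuration.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell prompt."
}

# Step 4: the lecture restricts the port to the dynamic range 49152-65535.
if ($Port -lt 49152 -or $Port -gt 65535) { throw "Port must be between 49152 and 65535." }
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($HostIp, [ref]$parsed)) { throw "Invalid host IP: $HostIp" }

# Step 5: show active physical NICs with their PCI location; more than one NIC on the
# target is a common source of complications, so warn about it.
$nics = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
foreach ($nic in $nics) {
    $hw = Get-NetAdapterHardwareInfo -Name $nic.Name -ErrorAction SilentlyContinue
    "{0}: {1} (PCI bus {2}, device {3}, function {4})" -f $nic.Name, $nic.InterfaceDescription, $hw.Bus, $hw.Device, $hw.Function
}
if ($nics.Count -ne 1) { Write-Warning "Expected exactly one active NIC on the target; found $($nics.Count)." }

# Step 6: report firewall profile state so you can see what still blocks the debugger traffic.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# Step 7: the two bcdedit commands from the lecture (no trailing dot after the IP).
& bcdedit /debug on | Out-Null
$output = & bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port"
$output

# Step 8: extract the generated key from bcdedit's output and save it for the host.
$keyLine = $output | Where-Object { $_ -match '^Key=' } | Select-Object -First 1
if (-not $keyLine) { throw "bcdedit did not print a Key= line; check the output above." }
$key = ($keyLine -replace '^Key=', '').Trim()
Set-Content -Path $KeyFile -Value $key
"Key saved to $KeyFile. Copy it to the Net tab of WinDbg on the host, then reboot the target (step 9)."
```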


Summary

  • KD of a physical machine is recommended over VMs.
  • Very convenient with the new network cable method.
  • We have discussed two additional pieces of information which are not in MSDN.
