Simple steps for using WinDbg and Virtual PC to debug third-party drivers

1. Configure Virtual PC

After installing the guest OS in Virtual PC, open COM1 on the guest's settings page and configure it as shown in the figure: select "Named pipe" and enter \\.\pipe\com_1.

2. Configure the guest OS (this is the method for Win2k, XP and 2003)

Add the following entry to boot.ini:

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /noexecute=optout /fastdetect /debug /debugport=com1 /baudrate=115200

Note that the partition parameter does not need to be changed.

3. Configure WinDbg

    D:\Microsoft\windbg\windbg.exe -y "D:\localsymbols;SRV*D:\localsymbols*http://msdl.microsoft.com/download/symbols" -k com:pipe,port=\\.\pipe\com_1 -Q

In a shortcut to windbg.exe, set the Target field to the command line above (adjust the paths to your own).

4. Start the OS and establish the KD connection

Boot the guest, choose the debug entry from the boot menu, then launch WinDbg from the shortcut configured above. Once WinDbg is connected to the guest it prints the connection information:

    Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
    Kernel Debugger connection established.
    Symbol search path is: D:\localsymbols;SRV*D:\localsymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2003 Kernel Version 3790 UP Free x86 compatible
    Built by: 3790.srv03_sp1_rtm.050324-1447
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48

Now press Ctrl+Break to interrupt the OS. If the symbols are not available locally, WinDbg downloads them from Microsoft's symbol server into D:\localsymbols, so this may take a while. After the break the kd> prompt appears.

5. Break on DriverEntry

If the driver you want to debug is of the boot or system start type, you can interrupt the OS as soon as WinDbg has established the KD connection with the guest and then set the breakpoint.
For example, if your driver is named drvdbgee.sys, you can break on it in either of these ways:

    bu drvdbgee+<entrypoint>      (the entry point RVA can be read with a PE tool such as PEiD)
    bu $iment(drvdbgee)

WinDbg may also try to download symbols at this point, so the prompt may show "*BUSY*" for a while.

6. Load the driver

Use a tool such as KmdManager.exe (Register -> Run) to load the driver manually. The breakpoint set in step 5 is then hit.

7. Do what you want to do ...

Appendix

1. When a bu breakpoint is set, WinDbg walks every kernel module and downloads symbols for each one to match the name given to bu, which is slow. So normally do not put SRV*D:\localsymbols*http://msdl.microsoft.com/download/symbols in the symbol path; use plain D:\localsymbols and switch to the SRV* path only when you actually need to download symbols.

2. Common commands, types and data

    nt!KeServiceDescriptorTableShadow
    nt!KeServiceDescriptorTable      (dds poi(nt!KeServiceDescriptorTable) shows the SSDT)
    win32k!W32pServiceTable          (= nt!KeServiceDescriptorTableShadow + 0x10; dds win32k!W32pServiceTable shows win32k's service table)
    _IMAGE_NT_HEADERS   -- PE header
    _UNICODE_STRING     -- Unicode string
    _DRIVER_OBJECT      -- driver object

3. Manually checking whether an SSDT entry is hooked

    dds poi(nt!KeServiceDescriptorTable) + 0x4*0x80

where 0x4 is the size of an SSDT entry and 0x80 is the service number. If the entry is not hooked, the symbol column resolves into nt (nt!NtOpenProcess); if it is hooked, it resolves into the third-party driver instead, e.g.

    80827afc f8830300 drvdbgee+0x1300

4. Manually checking whether a win32k (shadow SSDT) entry is hooked

    dds win32k!W32pServiceTable + 0x4*(0x114c-0x1000)

where 0x114c is the service number. The user-mode stub that issues this call usually lives in user32.dll or gdi32.dll.

5. Other common commands

    d*      display memory (d, da, db, dc, dd)
    e*      edit memory
    bp      software breakpoint
    u addr  disassemble starting at addr
    ba      hardware breakpoint on access, write or execute
    ?       evaluate an expression, e.g. ? 0x4*(0x114c-0x1000)
    .reload     reload the module list; use it when some modules are not visible
    .reload /f  force-load modules and symbols (slow when there are many modules)
    .reload /s  load modules without loading symbols

Shortcuts: F5 -> Go, F7 -> Run to cursor, F10 -> Step over, F11 -> Step into, Shift+F11 -> Step out.

6. This configuration also works with VMware.

(Figures: "Set pipe", "Configure WinDbg", "OS interruption")
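Step 5 takes the driver's entry point from a GUI PE tool. The following script is an added example, not code from the original article: it reads AddressOfEntryPoint out of the PE headers directly and prints the corresponding bu command. The module name drvdbgee, the RVA 0x1300 and the in-memory header returned by build_sample_image() are constructed for the demonstration; the header is not a loadable driver.

```python
"""Derive the 'bu <module>+<entrypoint>' breakpoint of step 5 from the PE header.

Added example, not code from the original article. Instead of reading the
entry point off a GUI tool such as PEiD, this parses the PE headers directly:
MZ header -> e_lfanew -> 'PE' signature -> 20-byte COFF header -> optional
header, whose AddressOfEntryPoint is the DWORD at offset 16 for both PE32 and
PE32+. The image built by build_sample_image() is a constructed header only
(not a loadable driver); drvdbgee is the hypothetical driver name used in the
article.
"""
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
COFF_HEADER_SIZE = 20
ENTRY_POINT_OFFSET = 16           # AddressOfEntryPoint within the optional header


def entry_point_rva(image: bytes) -> int:
    """Return AddressOfEntryPoint (an RVA), validating each header on the way."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt_hdr = e_lfanew + 4 + COFF_HEADER_SIZE
    if opt_hdr + ENTRY_POINT_OFFSET + 4 > len(image):
        raise ValueError("e_lfanew points past end of image")
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<I", image, opt_hdr + ENTRY_POINT_OFFSET)[0]


def bu_command(module: str, image: bytes) -> str:
    """WinDbg deferred breakpoint on the driver's entry point, as in step 5."""
    return "bu %s+0x%x" % (module, entry_point_rva(image))


def build_sample_image(entry_rva: int) -> bytes:
    """Constructed minimal PE32 header carrying the given entry point RVA."""
    e_lfanew = 0x80
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0")
    dos += struct.pack("<I", e_lfanew)            # e_lfanew lives at offset 0x3C
    dos = dos.ljust(e_lfanew, b"\0")
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, 0xE0-byte optional header,
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    # Start of IMAGE_OPTIONAL_HEADER32: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, ...
    opt = struct.pack("<HBBIIIIII", 0x10B, 7, 10, 0x200, 0x100, 0, entry_rva, 0x1000, 0x2000)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt.ljust(0xE0, b"\0")


if __name__ == "__main__":
    if len(sys.argv) == 2:                       # python thisfile.py drvdbgee.sys
        with open(sys.argv[1], "rb") as f:
            print(bu_command("drvdbgee", f.read()))
    else:
        print(bu_command("drvdbgee", build_sample_image(0x1300)))   # constructed RVA
```

Run it with the path of the real .sys file to get the command to paste at the kd> prompt; without an argument it runs against the constructed header. Because bu is a deferred breakpoint, the module name plus RVA is all WinDbg needs before the driver is loaded in step 6.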
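Appendix items 3 and 4 check a single table slot by hand. The script below is an added example, not code from the original article: it builds the same dds command for any service number (subtracting 0x1000 for win32k's shadow table) and scans the three-column text that dds prints, flagging every slot whose symbol does not resolve into the module that owns the table, or does not resolve at all. The dds lines in SAMPLE_SSDT and SAMPLE_SHADOW are constructed sample output (only the drvdbgee+0x1300 line is taken from the article); drvdbgee is the article's hypothetical driver name.

```python
"""Flag hooked SSDT / shadow-SSDT slots from WinDbg 'dds' output.

Added example, not code from the original article. Appendix items 3 and 4
inspect one slot with 'dds <table> + 4*<index>', where the index of a win32k
service is its service number minus 0x1000. dds_command() builds that command
and find_hooks() scans dds output (slot address, value, symbol) for slots that
do not belong to the table's owner: nt for KeServiceDescriptorTable, win32k
for W32pServiceTable. The sample lines below are constructed, not a capture.
"""
import re

SSDT_ENTRY_SIZE = 4          # one 32-bit pointer per slot on an x86 target
SHADOW_TABLE_BASE = 0x1000   # win32k service numbers start at 0x1000

# "address value [symbol]" -- the symbol column is absent when nothing resolves
DDS_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?\s*$")


def dds_command(service_number: int) -> str:
    """Return the dds command that displays one slot (appendix items 3 and 4)."""
    if service_number >= SHADOW_TABLE_BASE:
        index = service_number - SHADOW_TABLE_BASE
        return "dds win32k!W32pServiceTable + 0x%x*0x%x" % (SSDT_ENTRY_SIZE, index)
    return "dds poi(nt!KeServiceDescriptorTable) + 0x%x*0x%x" % (SSDT_ENTRY_SIZE, service_number)


def symbol_module(symbol: str) -> str:
    """'nt!NtOpenProcess' -> 'nt', 'drvdbgee+0x1300' -> 'drvdbgee'."""
    return symbol.split("!", 1)[0].split("+", 1)[0].lower()


def find_hooks(dds_output: str, owner: str):
    """Return [(slot, value, symbol)] for slots whose symbol is not in `owner`.

    A slot with no symbol at all is reported too: a pointer into memory WinDbg
    cannot name is as suspicious as one that names a third-party driver.
    """
    suspicious = []
    for line in dds_output.splitlines():
        m = DDS_LINE.match(line)
        if not m:
            continue                      # prompt echo, blank line, etc.
        slot, value = int(m.group(1), 16), int(m.group(2), 16)
        symbol = m.group(3) or "<unresolved>"
        if symbol_module(symbol) != owner.lower():
            suspicious.append((slot, value, symbol))
    return suspicious


# Constructed sample: the middle line is the hooked slot shown in the article,
# the neighbouring lines are made-up entries with made-up addresses.
SAMPLE_SSDT = """\
80827af8 8093a3f4 nt!NtOpenMutant
80827afc f8830300 drvdbgee+0x1300
80827b00 808d0bb0 nt!NtOpenProcessToken
"""

# Constructed sample of the shadow table: one slot resolves to nothing.
SAMPLE_SHADOW = """\
bf99f530 bf8a1c20 win32k!NtUserGetMessage
bf99f534 f8841000
bf99f538 bf8b77a0 win32k!NtUserPeekMessage
"""

if __name__ == "__main__":
    print(dds_command(0x80))      # the command from appendix item 3
    print(dds_command(0x114c))    # the command from appendix item 4
    for owner, text in (("nt", SAMPLE_SSDT), ("win32k", SAMPLE_SHADOW)):
        for slot, value, symbol in find_hooks(text, owner):
            print("%08x -> %08x %s  (not in %s)" % (slot, value, symbol, owner))
```

To check a whole table rather than one slot, run dds with a length, e.g. `dds poi(nt!KeServiceDescriptorTable) L0x11c`, save the output to a file and feed it to find_hooks(); the service count for the table lives in the KSERVICE_TABLE_DESCRIPTOR right after the base pointer, so use that count rather than a guess.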