Windows Kernel 1: Windows Kernel Debugging Technology

Source: Internet
Author: User

Mastering Windows kernel debugging is the foundation for learning and studying the Windows kernel. There are broadly two ways to debug the Windows kernel:

(1) WinDbg connects to the Windows kernel as the system starts. Once the connection succeeds, you can debug the kernel startup process and, after Windows has started, any kernel component or application. Alternatively, WinDbg's local kernel debugging feature can be used to debug kernel components or applications after the system has fully booted. This approach requires configuring the Windows system to start in debug mode.

(2) Running Windows under Bochs lets you inspect arbitrary state at any point during execution, but its biggest drawback is that Windows Symbols are not currently supported this way, so the assembly code is far less readable than with the first method.

This article describes method (1): debugging the Windows kernel with the WinDbg tool.

1. Introduction to WinDbg and how to obtain it

WinDbg is a debugger developed and published by Microsoft for debugging the Windows kernel and applications; it supports both kernel-level (ring 0) and application-level (ring 3) debugging. Several debuggers exist for Windows today: besides WinDbg there are OllyDbg, Immunity Debugger and others, but OllyDbg and Immunity Debugger do not support kernel-level debugging.

WinDbg is included in the Windows Driver Kit (WDK) and can also be downloaded separately.

(1) To obtain it via the WDK: for Windows XP and earlier, just download the WDK; the whole package is about 300 MB to 500 MB. From Windows Vista/Windows 7 onward, Microsoft integrated the WDK with the Visual Studio environment, so the download is roughly 6.0 GB to 7.0 GB. Because Windows XP is no longer supported, the author's experimental environment is Windows 7, and later articles will also cover Windows driver development, I recommend downloading the integrated WDK and Visual Studio package despite its size.

(2) If you only want to learn Windows kernel debugging for now, you can download WinDbg separately; the package is about 150 MB.

These resources are available on MSDN: http://msdn.microsoft.com/zh-cn/windows/hardware/hh852365.aspx

2. Introduction to Windows Symbols and how to obtain them

Windows Symbols are the symbol tables Microsoft publishes for the Windows system. With them loaded, WinDbg shows variable names, structure layouts, function names and so on directly while you debug the Windows kernel and applications.

Windows Symbols can be obtained directly from MSDN; the download page is the same as the page linked above for the WinDbg tool.

However, I do not recommend downloading and installing Windows Symbols in full, because while debugging, WinDbg can fetch the symbol information for each relevant module on demand (provided network access is available).

3. Windows kernel debugging method

Debugging a Windows system through a virtual machine is a common approach. First build the virtual machine environment and install Windows in it, then configure the guest Windows system to start in debug mode. Next, configure the communication channel between WinDbg and the guest Windows system. With WinDbg waiting for the debug connection, restart the guest; once the debug link is established, WinDbg can be used to debug and control the Windows kernel. The detailed steps are as follows:

(1) Configure the guest Windows system to start in debug mode.

In the guest Windows system, run cmd.exe as administrator and execute the following commands:

Enable Windows kernel debugging support:
bcdedit /debug on

Enable boot-process (boot application) debugging support:
bcdedit /bootdebug on

More information about the bcdedit command is available on MSDN: http://msdn.microsoft.com/zh-cn/library/dn653986(v=vs.85).aspx

The method above is valid only on Windows Vista/7 and later versions of Windows. Unless stated otherwise, the author's experimental environment is VirtualBox running Windows 7.

For configuring a Windows XP system, please Google it yourself.

(2) Configure the debug communication channel between WinDbg and the guest Windows system.

Shut down the guest Windows system. In the virtual machine's serial port settings, enable a serial port such as COM1, set its port mode to "Host Pipe", select "Create Pipe", and in "Port/File Path" enter the name of the named pipe to create, for example "\\.\pipe\comdbg" (note the format; "comdbg" is a user-chosen name).

Open WinDbg and, in the "COM" tab of the "Kernel Debug" dialog (Ctrl+K), likewise set "Port" to "\\.\pipe\comdbg".

After clicking OK, WinDbg enters the state of attempting to establish a communication channel with the target.

Now start the guest Windows system; after a short while the communication channel is established.

At this point, pressing Ctrl+Break in WinDbg breaks into the guest Windows startup/run (the first time, the symbol table is usually downloaded, so wait patiently).

You can now enter debugging commands, for example the "g" command to let the guest Windows continue running.
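As an added example (not code from the original article), the following PowerShell script bundles what sections 2 and 3 describe: it sets _NT_SYMBOL_PATH to Microsoft's public symbol server so WinDbg fetches symbols per module on demand, points the guest's kernel debugger at COM1 (the port the hypervisor redirects into the named pipe), turns /debug and /bootdebug on, and provides an audit function that parses bcdedit /enum output so an administrator can confirm the lab guest is set up, and conversely detect a debug-enabled boot entry on a machine that should never have one. It assumes an elevated PowerShell prompt on Windows Vista/7 or later with English-language bcdedit output; the function names, the cache folder C:\Symbols and the sample bcdedit output are choices and constructions of this example, not from the article.

```powershell
# Added example, not from the original article. Assumes an elevated
# PowerShell prompt on Windows Vista/7 or later with English bcdedit output.

function Set-PublicSymbolPath {
    # Section 2 of the article: let WinDbg fetch symbols per module on demand
    # from Microsoft's public symbol server, cached locally in $CacheDir
    # (the folder name is this example's choice).
    param([string]$CacheDir = 'C:\Symbols')
    $path = "srv*$CacheDir*https://msdl.microsoft.com/download/symbols"
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $path, 'User')
    return $path
}

function Get-BcdDebugState {
    # Parse "bcdedit /enum {current}" output. bcdedit prints one "name  value"
    # line per element; the debug/bootdebug lines are absent when never set,
    # so both default to 'No'. Braces are quoted so PowerShell does not
    # treat {current} as a script block.
    param([string[]]$Lines = (& bcdedit /enum '{current}'))
    $state = [ordered]@{ debug = 'No'; bootdebug = 'No' }
    foreach ($line in $Lines) {
        if ($line -match '^(debug|bootdebug)\s+(\S+)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Enable-SerialKernelDebug {
    # Step (1) of the article plus the serial transport matching step (2):
    # COM1 at 115200 baud, which the hypervisor redirects to \\.\pipe\comdbg.
    param([int]$DebugPort = 1, [int]$BaudRate = 115200)
    & bcdedit /dbgsettings serial "debugport:$DebugPort" "baudrate:$BaudRate" | Out-Null
    & bcdedit /debug on     | Out-Null
    & bcdedit /bootdebug on | Out-Null
    return Get-BcdDebugState
}

function Disable-KernelDebug {
    # Revert when the lab work is done; a debug-enabled boot entry belongs
    # only on a dedicated debugging target.
    & bcdedit /debug off     | Out-Null
    & bcdedit /bootdebug off | Out-Null
    return Get-BcdDebugState
}

function Test-KernelDebugEnabled {
    # Audit helper: $true when the current boot entry has kernel or boot
    # debugging switched on.
    param([string[]]$Lines = (& bcdedit /enum '{current}'))
    $state = Get-BcdDebugState -Lines $Lines
    return ($state.debug -eq 'Yes') -or ($state.bootdebug -eq 'Yes')
}

# Constructed sample of "bcdedit /enum {current}" output (English Windows 7)
# so the parser can be exercised offline without administrator rights.
$sampleEnum = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
bootdebug               Yes
debug                   Yes
'@ -split "`r?`n"

$state = Get-BcdDebugState -Lines $sampleEnum
"debug=$($state.debug) bootdebug=$($state.bootdebug) enabled=$(Test-KernelDebugEnabled -Lines $sampleEnum)"
```

Run Set-PublicSymbolPath on the host where WinDbg runs and Enable-SerialKernelDebug inside the guest, then reboot the guest. On the host, the same pipe the article configures in the Ctrl+K dialog can be given on the command line as windbg -k com:pipe,port=\\.\pipe\comdbg,resets=0,reconnect. Test-KernelDebugEnabled with no arguments reads the live boot entry, which makes it a convenient one-line check in an inventory or hardening script.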

Since WinDbg's kernel debugging commands are closely tied to Windows kernel internals, WinDbg usage and the related commands are described in detail later, in the analysis of Windows kernel principles.

