OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Forums >> Debuggers >> Debugging the Windows Kernel

Topic created on: December 9, 2007 20:33 CST by wbcuc.

Hi all,
Why can we debug our Windows drivers through debugging tools?
Has the kernel-mode debugging principle been published by Microsoft? I have learned something from the website http://www.vsj.co.uk/articles/display.asp?id=265.
But this is not enough for my development work. Everyone can share something with us. Any comments?

Thanks in advance.

aLS   December 10, 2007 08:12.45 CST
Well, this is a recurrent topic lately. And you are right, that link and Joe Stewart's paper are all the documentation available about the kd serial protocol.

btw, I've been working on a related project these last months and I expect it to be released shortly.

anonymouse   December 10, 2007 11:05.48 CST
there are many articles and references available on using windbg

windows drivers (what kind of drivers are you dealing with?)

there are boot-loading drivers, there are drivers that are loaded much, much later in the cycle
there are drivers which can be demand loaded
there are drivers that don't talk to hardware much
pnp, upnp, wdm, kmdf, umdf, blah, blah

it all depends on what you are trying to debug

do you have the source for your drivers?
are you bug hunting?
are the symbols available for your drivers?

there are many questions that you need to answer yourself
like: do you have, or can you use, two machines linked together?

or are you constrained to use only one machine and would like to debug and develop on the same machine?

if you are in the first scenario then it is the best scenario

set up one machine as debuggee and one as debugger
with this setup you can debug the drivers that are loaded even during the boot process, viz. boot-loading drivers

if in the second, then you can use vmware or microsoft's virtual pc, or several other virtual environments including a few open source virtual machines

there are many connection facilities available and they include
serial connections using a com port
1394 connection
usb connection etc.

if you are just scratching the surface

you can check out setting up a windbg connection with vmware
here

http://silverstr.ufies.org/lotr0/windbg-vmware.html

or here

http://www.catch22.net/tuts/vmware.asp

if you are new to windbg and would like to get your hands dirty
you can try looking at toby opferman's series on windbg, cdb, ntsd

here
http://www.codeproject.com/script/Articles/MemberArticles.aspx?amid=961412

if you prefer microsoft's vpc there is a pretty good white paper by the vpc team that describes vpc along with how to set it up for kernel debugging
you can download the paper here
http://download.microsoft.com/download/E/1/3/E139FC49-B757-4E0D-BA6C-3DD04355166B/VPC_developmentanddebuggingwhitepaper.doc

if you don't like virtualization then you can try emulators
like qemu, bochs, etc.

also you should search and read osr online's mailing list archives, especially the windbg mailing lists

last but not least you should try to look for skywing's articles on
http://uninformed.org
especially skywing's blog
http://nynaeve.net
for very informative articles and blog entries
regarding usage tips and tricks on windbg

and that article you quote is very old; windbg was pretty rusty then and softice ruled the kernel debugging world

windbg has improved a lot during the intervening period

wbcuc   December 10, 2007 21:19.23 CST
> aLS: Well, this is a recurrent topic lately. And you are right, that link and Joe Stewart's paper are all the documentation available about the kd serial protocol.
>
> btw, I've been working on a related project these last months and I expect it to be released shortly.

Well, I am working on software that can debug EFI BIOS based on Intel CPUs. As you say, Joe Stewart's paper is the only document available, so how did you complete your project? Do you know the data structure or the principle?

Thanks a lot.
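As an added illustration of the "data structure" the thread keeps circling around (this is example code written for this page, not code from any poster or project named here): the framing of one kd serial packet. The header layout and constants are assumed from the values published in ReactOS' windbgkd.h, since the thread itself only names the protocol; the parser validates the leader, byte count, checksum and trailing byte the way a debugger-side receiver must before trusting a frame.

```python
import struct

# KD serial framing constants as published in ReactOS' windbgkd.h (assumed here;
# the thread itself only names the protocol, it does not list them).
PACKET_LEADER = 0x30303030          # "0000": data packet, terminated by 0xAA
CONTROL_PACKET_LEADER = 0x69696969  # "iiii": control packet (ack/resend/reset)
BREAKIN_BYTE = 0x62                 # lone 'b': host asks the target to break in
PACKET_TRAILING_BYTE = 0xAA
PACKET_TYPES = {2: "KD_STATE_MANIPULATE", 3: "KD_DEBUG_IO", 4: "KD_ACKNOWLEDGE",
                5: "KD_RESEND", 6: "KD_RESET", 7: "KD_STATE_CHANGE64"}
HEADER = struct.Struct("<IHHII")    # leader, type, byte count, packet id, checksum

def kd_checksum(payload: bytes) -> int:
    # KD's checksum is just the 32-bit sum of the payload bytes.
    return sum(payload) & 0xFFFFFFFF

def build_kd_packet(ptype: int, pid: int, payload: bytes = b"", control: bool = False) -> bytes:
    leader = CONTROL_PACKET_LEADER if control else PACKET_LEADER
    pkt = HEADER.pack(leader, ptype, len(payload), pid, kd_checksum(payload)) + payload
    return pkt if control else pkt + bytes([PACKET_TRAILING_BYTE])

def parse_kd_packet(buf: bytes) -> dict:
    """Parse one frame from the start of buf; ValueError on any framing fault."""
    if not buf:
        raise ValueError("empty buffer")
    if buf[0] == BREAKIN_BYTE:
        return {"kind": "breakin", "consumed": 1}
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    leader, ptype, count, pid, csum = HEADER.unpack_from(buf)
    if leader == PACKET_LEADER:
        kind = "data"
    elif leader == CONTROL_PACKET_LEADER:
        kind = "control"
    else:
        raise ValueError("bad leader 0x%08x" % leader)
    end = HEADER.size + count
    payload = buf[HEADER.size:end]
    if len(payload) != count:
        raise ValueError("truncated payload")
    if kd_checksum(payload) != csum:
        raise ValueError("checksum mismatch")   # the real stack asks for a resend here
    consumed = end
    if kind == "data":                           # only data packets carry the trailer
        if len(buf) <= end or buf[end] != PACKET_TRAILING_BYTE:
            raise ValueError("missing trailing byte")
        consumed = end + 1
    return {"kind": kind, "type": PACKET_TYPES.get(ptype, ptype), "id": pid,
            "payload": payload, "consumed": consumed}
```

The payload itself (DBGKD_MANIPULATE_STATE64 and friends) is a separate layer on top of this framing; the sample payload bytes in any test are constructed, not captured traffic.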
