Reputation: 13
I am doing local kernel debugging on a driver (.sys file). I am new to local kernel debugging and know some debugging, but the situation that I am dealing with is confusing.
I have a driver which is invoked by Python and it starts. The driver is on-demand based. So now I start WinDbg local kernel debugging. I ran the "lm" command to see the loaded modules as below:
lkd> lm
start end module name
fffff801`2ca0d000 fffff801`2d47c000 nt (pdb symbols)
c:\symbols\ntkrnlmp.pdb\C710248A0CA3CAB08015A2B18AB495B41\ntkrnlmp.pdb
Unloaded modules:
fffff801`3f430000 fffff801`3f43e000 chipsec_hlpr.sys
fffff806`fdae0000 fffff806`fdba5000 RtsPer.sys
fffff806`fdbb0000 fffff806`fdbe6000 usbaudio.sys
fffff806`fdb70000 fffff806`fdba6000 usbaudio.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdb70000 fffff806`fdb80000 hiber_storport.sys
fffff801`4b8d0000 fffff801`4c41f000 hiber_iaStorA.sys
fffff801`4c420000 fffff801`4c43e000 hiber_dumpfve.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000 RtsPer.sys
But the problem is that it comes under the unloaded modules section. I don't know what to do. I can't see the entry point. I tried IDA and saw the EP address. Then I put the breakpoint like below.
lkd> bp chipsec_hlpr|DriverEntry
which gives an error like:
^ Operation not supported by current debuggee error in 'bp chipsec_hlpr|DriverEntry'
Also I tried with the VA address that IDA loaded, which comes to 000000014000335B, and tried to put a breakpoint there, but no result.
I know I have messed up somewhere. If anyone has a solution, please put your thoughts.
Thanks.
Upvotes: 0
Views: 1091
Reputation: 9007
Local kernel debugging is not live debugging.
You cannot set breakpoints, see registers, or step through in local debugging.
It is a kind of dump debugging, a snapshot.
You may either need to use a VM or another physical machine as target
and connect WinDbg to the target for live kernel debugging.
When you have a live session you can stop when your module loads using a variety of means, like:
sxe ibp; .reboot
When WinDbg breaks on the first initial breakpoint after rebooting,
you can load the symbols
and set a breakpoint like bp mydriver!DriverEntry
and explore further from there.
Upvotes: 1
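The full live-KD sequence the answer outlines, written out as an added WinDbg command script (this is not the answerer's own session; the symbol path and the module name "mydriver" are placeholders, and it must be typed at a kd> prompt connected to a VM or second machine, not at the lkd> prompt of a local session). Two details the thread does not spell out: the module/symbol separator in a breakpoint is "!" (not "|"), and a breakpoint on a module that has not been loaded yet must be set with "bu" (unresolved) or via the "sxe ld:" module-load event, because "bp" needs an address it can resolve immediately.

```windbg
$$ Live kernel debugging of an on-demand driver (added example).
$$ Assumptions: PDB lives under C:\path\to\mydriver\symbols, module is mydriver.sys,
$$ target is x64 (so DriverEntry's DRIVER_OBJECT arrives in rcx, RegistryPath in rdx).

$$ 1. Symbol path: the driver's own PDB plus the Microsoft public symbol server.
.sympath C:\path\to\mydriver\symbols;srv*C:\symbols*https://msdl.microsoft.com/download/symbols
.reload

$$ 2. Ask for the initial breakpoint on the next boot and reboot the target,
$$    so the debugger regains control before any on-demand driver can load.
sxe ibp
.reboot

$$ 3. Once the target stops at the initial breakpoint (kd> prompt again):
$$    break on the module-load event for the driver, and also plant an
$$    unresolved breakpoint on its entry point. "bu" (not "bp") is required
$$    here because mydriver is not in memory yet; "bp" would fail to resolve.
sxe ld:mydriver
bu mydriver!DriverEntry
g

$$ 4. When the ld event fires, verify the module is present and force-load
$$    its symbols, then continue to the DriverEntry breakpoint.
lm m mydriver
.reload /f mydriver.sys
g

$$ 5. At DriverEntry: show the registers, the DRIVER_OBJECT (rcx) and the
$$    registry path UNICODE_STRING (rdx), then single-step from the entry point.
r
!drvobj @rcx
dS @rdx
p
```

Step 3 is the part that answers the question's "Operation not supported by current debuggee" and "no result" symptoms: the breakpoint has to be planted in a live session, and it has to be either unresolved ("bu") or tied to the module-load event, since the driver is only loaded on demand.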