Windows Kernel Debugging Introduction

Рет қаралды 8,494

Күн бұрын

In this video I will demonstrate how you can debug the Windows Kernel.
Dependencies:
- VirtualBox: winget install virtualbox
- windbg: winget install Microsoft.WinDbg
Links:
- Official Guide: learn.microsof...
- Unofficial Native API Docs: ntdoc.m417z.com/

Пікірлер: 34

@nirlichtman 7 ай бұрын

- I used Win7 in this video since I just had the disk around, but you can also grab the Win10 iso from the official Microsoft website and the same method from this video will work (I think it also works with Win11 but I haven't tried yet) - Notice that after enabling debugging on the Windows boot settings, the machine will wait for a debugger connection each time it boots, you can bring it back to working normally by disabling debugging in bcdedit - I recommend making a snapshot before starting - so you can just easily restore it to the beginning state

@marouaniAymen 7 ай бұрын

Thanks for the great video, but how to obtain a windows to run on a virtual machine ?

@nirlichtman 7 ай бұрын

@@marouaniAymen I just installed from a physical installation disk of Windows 7 I have, you can also debug a physical computer

@marouaniAymen 7 ай бұрын

@@nirlichtman Thanks for your answer

@pouf-dk3nq 7 ай бұрын

windows has a really good debugger

@nirlichtman 7 ай бұрын

Agreed, windbg is very powerful and I like the GUI as well

@anonymouscommentator 7 ай бұрын

im curious as to why win 7 32bit was used. is it harder/not possible on modern versions?

@n-uv7vg 7 ай бұрын

Same

@jezura777 7 ай бұрын

I think he mentioned that only because the number that he passed to the function shows as pair of 2 bytes or as 32 bits in the debugger.

@nirlichtman 7 ай бұрын

Reason I chose Win7 32bit is because that is the newest Windows installation disk I have in my room and also it has low system requirements, but this process should work the same in modern versions as well (modern versions even support additional types of kernel debugging - more info in the official docs)

@dono42 7 ай бұрын

Arguments are passed differently between 32 and 64-bit processes. It is arguably easier to learn 32-bit first before moving on to 64-bit.

@uschurch 7 ай бұрын

Wonderful. Hopefully many youtubers learn from you to make concise videos!

@creakffm Ай бұрын

did u know how can i read out my kernel Ntst - baseadress

@Tech69YT 7 ай бұрын

mine stuck at debugge not connected. i am trying to attach to win2016 server. i get connection established but it stuck at system up time and says debuggee not connected. i tried to break but did not work.

@moshixmainframechannel 7 ай бұрын

Another great video !!

@markarthur1083 Ай бұрын

dds esp-0 esp+(4*2) shows the stack much clearer

@satr14-tech 7 ай бұрын

13 hours ago... wow

@haroldcruz8550 7 ай бұрын

Appreciate the video but it would have been better if it was for Windows 11

@uschurch 7 ай бұрын

It's probably very similar.

@FilthyPitDog 7 ай бұрын

great content ✌

@ramorix 7 ай бұрын

Great video as always ! Keep going !

@proto9011 3 ай бұрын

On Hyper-V the GUI interface doesn't have an option to configure COM ports. However, you can use the 'Set-VMComPort' PowerShell command from an elevated prompt to do so. Example) Set-VMComPort -Number 1 -Path \\.\pipe\MyDebugPort

@sauvignonblanc5086 7 ай бұрын

Is it possible to debug playstation kernel?

@nirlichtman 7 ай бұрын

Which playstation model?

@sauvignonblanc5086 7 ай бұрын

@@nirlichtman PS4

@0xSh1m1 26 күн бұрын

Great video! Where do you recommend learning how to use WinDbg?

@nirlichtman 25 күн бұрын

.hh command, learn.microsoft.com has good materials, "Windows Debugging and Troubleshooting" lecture (you can find on YT), "Kernel_Debugging_Tutorial.doc" which is a great kernel debugging guide that comes with Windows SDK.