Set Up WinDbg Kernel Mode Debugging with VMWare

Last modified: 2024-05-08

Malware Reverse Engineering

0. Prerequisites

  • Windows host machine
  • VMWare Windows guest machine
  • WinDbg installed on both host and guest.

1. Set Symbol Path

Open WinDbg on the Windows host, then run the following commands to set the symbol path and load symbols.

# Set the symbol path to the Microsoft public symbol server
.sympath srv*

# Reset the symbol path to the default symbol store and force-reload all symbols
.symfix
.reload /f

2. Setup VMWare Serial Port

Assume that a Windows guest machine has already been created in VMWare.

  1. Open VMWare, select the Windows guest machine, and click Edit virtual machine settings.
  2. In the settings window, click Add..., choose Serial Port, then click Finish. The newly added item (for example, Serial Port 2) should appear in the left pane.
  3. Select the Serial Port in the left pane and select Use named pipe in the Connection section. Then fill in and choose the values as below:
    • \\.\pipe\com_1
    • This end is the server.
    • The other end is a virtual machine.
  4. Check Yield CPU on poll in the I/O mode section.
  5. Click OK.

3. Setup VMWare Debug Settings

  1. Now start Windows guest machine on VMWare.

  2. Open Command Prompt or PowerShell as Administrator and run the following commands. Note that the debugport number must match the Serial Port number we added earlier (here, Serial Port 2).

    # Enable the kernel debugger
    bcdedit /debug on
    # Use the serial transport on the port added above (Serial Port 2) at 115200 baud.
    # /noumex: do not break into the kernel debugger on user-mode exceptions.
    bcdedit /dbgsettings serial debugport:2 baudrate:115200 /noumex
    

    To check the settings, run the following commands:

    bcdedit /dbgsettings
    bcdedit
    
  3. After that, we can shut down the Windows guest machine.


4. Establish Kernel Debugger

  1. Open WinDbg.
  2. Go to File → Attach to Kernel.
  3. Click the COM tab and configure it as below:
    • Check Pipe
    • Check Reconnect
    • Fill in Port with the value \\.\pipe\com_1. This must be the same value as in the VMWare Serial Port settings.
  4. Click OK.
  5. The debugger now waits for the VMWare guest machine to connect.
  6. Start the Windows guest machine again in VMWare. In WinDbg, the kernel debugger connection should be established.

5. Start Kernel Debugging

  1. In WinDbg, click the Break icon on the menu to break in. Then run the following commands to set the symbol path and load symbols:

    .sympath srv*
    .reload
    
  2. After that, list the loaded modules with the lm command.

  3. Run the g command to resume the Windows guest machine. If the guest requires logon, log on manually.

  4. After logging on to the Windows guest, click the Break icon again for further investigation.

  5. Now we can debug with commands such as the following:

    # 1. Display the layout of the _FILE_OBJECT structure.
    dt nt!_FILE_OBJECT
    
    # 2. Search the nt module for symbols matching a pattern.
    x nt!*CreateProcess*
    
    # 3. Set an unresolved (deferred) breakpoint on 'MmCreateProcessAddressSpace'.
    bu nt!MmCreateProcessAddressSpace
    
    # 4. List breakpoints
    bl
    
    # 5. Run
    g
    
    # 6. When the breakpoint hits, reload symbols and show the stack trace.
    .reload
    k
    

    To investigate processes or threads, run the following commands:

    # List all running processes
    !process 0 0
    
    # Print the detailed information of the target process
    !process <address> 2
    # e.g.
    !process ffffe782ce45f080 2
    
    # Print information of the target thread
    !thread <address>
    # e.g.
    !thread ffffe782cbd8a080
    
    # List all device nodes
    !devnode 0 1
    
    # Print the device nodes and their hardware resources
    !devnode 0 9
    
    # Print the device node whose service name is disk
    !devnode 0 1 disk
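When a session produces more than a handful of processes, the `!process 0 0` listing is easier to triage after it has been saved to a log file and parsed. The following Python script is an added example and not part of the original tutorial: it parses the text layout that `!process 0 0` prints (PROCESS header line followed by SessionId/Cid/ParentCid, DirBase/ObjectTable/HandleCount and Image lines) into records, flags processes whose parent is no longer in the list, and builds the `!process <address> 2` follow-up command for any record. The sample output embedded below is constructed; its addresses, CIDs and image names are made up and do not come from the page.

```python
"""Parse the text output of WinDbg's `!process 0 0` into structured records.

Added example, not from the original tutorial. The sample below is constructed
to mirror the layout WinDbg prints; every address, Cid and image name is invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a saved `!process 0 0` listing (values are made up).
SAMPLE_OUTPUT = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffe782c8a6a040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad000  ObjectTable: ffffc30a1b800040  HandleCount: 2412.
    Image: System

PROCESS ffffe782ce45f080
    SessionId: 1  Cid: 0a1c    Peb: 00b1a000  ParentCid: 0348
    DirBase: 1a2b3000  ObjectTable: ffffc30a1b2c3d40  HandleCount: 123.
    Image: notepad.exe

PROCESS ffffe782cd112080
    SessionId: 1  Cid: 0348    Peb: 00f2c000  ParentCid: 02f0
    DirBase: 0c4d5000  ObjectTable: ffffc30a1a9f1b00  HandleCount: 840.
    Image: explorer.exe

PROCESS ffffe782cdeadbe0
    SessionId: 1  Cid: 1f40    Peb: 00a10000  ParentCid: 9999
    DirBase: 0d6e7000  ObjectTable: ffffc30a1c0e2a80  HandleCount: 57.
    Image: svchost.exe
"""


@dataclass
class ProcessRecord:
    address: int        # EPROCESS address from the PROCESS header line
    pid: int            # Cid (printed in hex by WinDbg)
    parent_pid: int     # ParentCid (hex)
    session: str        # SessionId, "none" for session-less processes
    image: str          # Image name
    handle_count: int   # HandleCount (printed in decimal, with a trailing '.')


_HEADER = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)\s*$")
_FIELD = re.compile(r"(\w+):\s*(\S+)")


def _finish(fields: Dict[str, str]) -> ProcessRecord:
    """Convert the raw key/value strings of one PROCESS block into a record."""
    return ProcessRecord(
        address=int(fields["address"], 16),
        pid=int(fields["Cid"], 16),
        parent_pid=int(fields["ParentCid"], 16),
        session=fields.get("SessionId", "?"),
        image=fields.get("Image", "?"),
        handle_count=int(fields["HandleCount"].rstrip(".")),
    )


def parse_process_dump(text: str) -> List[ProcessRecord]:
    """Split the listing into PROCESS blocks and parse each one's fields."""
    records: List[ProcessRecord] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        header = _HEADER.match(line.strip())
        if header:
            if current:
                records.append(_finish(current))
            current = {"address": header.group(1)}
            continue
        if not current:
            continue  # banner text before the first PROCESS block
        for key, value in _FIELD.findall(line):
            current[key] = value
    if current:
        records.append(_finish(current))
    return records


def parent_missing(records: List[ProcessRecord]) -> List[ProcessRecord]:
    """Processes whose ParentCid is not in the listing (parent 0 is excluded).

    A missing parent is normal when the parent has simply exited (explorer.exe
    is the usual case), so this is a triage aid, not an indicator on its own.
    """
    pids = {r.pid for r in records}
    return [r for r in records if r.parent_pid != 0 and r.parent_pid not in pids]


def follow_up_command(record: ProcessRecord) -> str:
    """Build the `!process <address> 2` command from the tutorial for one record."""
    return f"!process {record.address:016x} 2"


if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE_OUTPUT)
    for p in procs:
        print(f"{p.pid:5x} {p.parent_pid:5x} {p.session:>4} {p.image:<14} {follow_up_command(p)}")
    print("parent not in listing:", [p.image for p in parent_missing(procs)])
```

Save the WinDbg output with `.logopen` before running `!process 0 0` (or copy it from the command window), then feed the file's text to `parse_process_dump`. The `parent_missing` check deliberately excludes ParentCid 0 so that the System process is not reported.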