you can run any exe in the target via ntsd -d and debug it from the kernel-mode debugger running on the host
assuming you run a virtual machine mytarget inside myhost
install windbg in myhost
set the symbol path for myhost, viz srv*x:\xxxx*http:\xxxxxxxxxxxx
create a kernel connection from the host (choose whichever suits you best; shown below is a serial connection)
x:\xxxx\windbg.exe -k com:pipe,port=\\.\pipe\debugPipe,resets=0,reconnect
install windbg in mytarget
open a shared folder z:\ pointing to the symbolcache folder in myhost, and set the symbol path in mytarget to point to the shared folder
run ntsd -d calc.exe
kd will break at $exentry of calc.exe with an Input> request
while the input prompt is displayed you are using kd as your usermode debugger, so if you set bp calc!WinMain and g, kd will break on calc.exe WinMain
to switch back to the kd session use .breakin
messy stuff, but works well after you get used to it (i.e. memorize the docs)
run pattern:
kd> g   <-------------- kd session running in myhost
CommandLine: calc.exe
Symbol search path is: srv*z:\ *http://msdl.microsoft.com/download/symbols
ntdll!DbgBreakPoint:
7c90120e cc              int     3
.sympath
NOTE: The symbol path for this ntsd is relative to where ntsd.exe is running, not where kd.exe is running.
Symbol search path is: srv*z:\ *http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*z:\ *http://msdl.microsoft.com/download/symbols
.reload /f calc.exe
lm m calc
start    end        module name
01000000 0101f000   calc       (pdb symbols)          z:\calc.pdb\3B7D84101\calc.pdb
0:000> version   <-------------------- usermode session in kd via ntsd -d
version
Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible
Live user mode: <Local>
command line: 'ntsd -d calc.exe'  Debugger Process 0x3F8
? $exentry;? calc!WinmainCrtstartup
Evaluate expression: 16852085 = 01012475
Evaluate expression: 16852085 = 01012475
as for your initial request, I'm not sure which token you are interested in finding
if getting EPROCESS->Token of your exe is the only requirement, you do not need a full kd session at all
you can get the token of every running process in myhost with a local kernel debugging session (using kd -kl or using livekd from sysinternals)
here is a simple script that retrieves the sid of every running process using the above method
:\>cat sid.txt
!for_each_process "r $t0 = (@@c++(((nt!_eprocess *) @#Process )->Token.Object)) & @@(~7); r $t1 = @@c++(((nt!_token *) @$t0 )->UserAndGroups->Sid); !sid @$t1 1; ?? (char *)((nt!_eprocess *) @#Process )->ImageFileName "
:\>kd -kl -c "$$>a< sid.txt;q"
result:
WARNING: Local kernel debugging requires booting with kernel debugging support (/debug or bcdedit -debug on) to work optimally.
lkd> kd: Reading initial command '$$>a< sid.txt;q'
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
char * 0x8ac729a4 "System"
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
char * 0x8a35729c "smss.exe"
SID is: S-1-5-20 (Well Known Group: NT AUTHORITY\NETWORK SERVICE)
char * 0x8a3619ac "svchost.exe"
SID is: S-1-5-19 (Well Known Group: NT AUTHORITY\LOCAL SERVICE)
char * 0x8a36ef14 "svchost.exe"
SID is: S-1-5-21-602162358-1801674531-1417001333-1003 (User: XXXXXX\Admin)
char * 0x8a261b64 "explorer.exe"
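As an added example (not from the original answer), the two pointer tricks the script above relies on, reproduced in Python so they can be checked offline: stripping the EX_FAST_REF reference-count bits from Token.Object (the `& @@(~7)`), and decoding a raw nt!_SID into the string that !sid prints. The sample bytes and the fast-ref value are constructed, not read from a real machine.

```python
import struct

def strip_fast_ref(ex_fast_ref: int, pointer_size: int = 4) -> int:
    """Return the object pointer held in an EX_FAST_REF value.

    EPROCESS->Token is an EX_FAST_REF: the low bits of the pointer cache a
    reference count (3 bits on x86, where objects are 8-byte aligned; 4 bits
    on x64, 16-byte aligned), so they must be masked off before the value is
    used as a nt!_TOKEN pointer. The kd script uses ~7 because the sample
    session is 32-bit Windows XP.
    """
    mask = 0x7 if pointer_size == 4 else 0xF
    return ex_fast_ref & ~mask

def decode_sid(raw: bytes) -> str:
    """Decode a binary _SID into its S-R-A-... string form.

    Layout: Revision (1 byte), SubAuthorityCount (1 byte), IdentifierAuthority
    (6 bytes, big-endian), then SubAuthorityCount little-endian DWORDs. This
    is what `!sid <addr>` does with the bytes at UserAndGroups->Sid.
    """
    if len(raw) < 8:
        raise ValueError("SID header truncated")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID header")
    if len(raw) < 8 + 4 * count:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

# Constructed sample: the LocalSystem SID S-1-5-18 (revision 1, one
# sub-authority, authority 5, sub-authority 18).
SYSTEM_SID_BYTES = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])
# Constructed Token.Object value with two cached references in the low bits.
SAMPLE_FAST_REF = 0xE1A3B2C8 | 0x2

if __name__ == "__main__":
    print(hex(strip_fast_ref(SAMPLE_FAST_REF)))   # 0xe1a3b2c8
    print(decode_sid(SYSTEM_SID_BYTES))           # S-1-5-18
```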