Search code examples
driverwindbgdevice-driverwdk

Driver load/unload fails if WinDbg attached with breakpoint

I just started with driver development. For some experiments with loading, unloading and debugging I have written the following simple driver:

#include <ntddk.h> 

void DriverUnload(PDRIVER_OBJECT pDriverObject) 
{ 
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("Driver unloading\n"); 
} 

NTSTATUS DriverEntry( 
    PDRIVER_OBJECT DriverObject, 
    PUNICODE_STRING RegistryPath) 
{ 
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload; 
    DbgPrint("Hello, World\n"); 

    return STATUS_SUCCESS; 
}

I compiled the driver for my target system, Windows 7 64bit, with debug symbols, copied it to target system and loaded and run it with OSR Driver Loader.

Everything works fine and I can unload and load the driver:enter image description here

I can connect with WinDbg using a serial connection and can successfully break and run the target system. However, the problem occurs when I try to set a breakpoint.

I initially tried setting the breakpoint like this:

kd> bp MyDriver1!DriverEntry

but the problem was, if I reloaded the driver and checked the breakpoints:

kd> bl
0 e fffff880`03572010 0001 (0001) < Unloaded_MyDriver1.sys >+0x1010

For me as beginner, it didn't look good (unloaded?) and no breaks occurred when loading.

So, I found out that its possible to set a breakpoint when a module is loaded:

kd> bu MyDriver1

0 e fffff880`03578000 0001 (0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)

When I continue system execution after the above command and load the driver (net start MyDriver1) the system crashes:

Break instruction exception - code 80000003 (first chance)

  • *
  • You are seeing this message because you pressed either *
  • CTRL+C (if you run console kernel debugger) or, *
  • CTRL+BREAK (if you run GUI kernel debugger), *
  • on your debugger machine's keyboard. *
  • *
  • THIS IS NOT A BUG OR A SYSTEM CRASH *
  • *
  • If you did not intend to break into the debugger, press the "g" key, then *
  • press the "Enter" key now. This message might immediately reappear. If it *
  • does, press "g" and "Enter" again. *
  • *

nt!RtlpBreakWithStatusInstruction: fffff800028ca490 cc int 3 kd > bu MyDriver1 kd> bl 0 e fffff88003572010 0001

(0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)

kd > bc 0 kd> bl 1 e fffff880`03578000 0001 (0001)

MyDriver1!DriverEntry (MyDriver1+0x0)

kd> g Access violation - code c0000005 (!!! second chance !!!)

nt!IopUnloadDriver+0x327: fffff800`02cb8b29 0fb74844 movzx

ecx,word ptr [rax+44h]

Finally, if I continue the execution now, I get a BSOD ...

Whats wrong here? Is my code wrong or am I setting the breakpoints not correctly?

Solution

  • The command you are looking for is sxe ld:MyDriver1

    This will break when the driver is mapped into memory but before calling MyDriver1!DriverEntry and will allow you to put breakpoints at DriverEntry.

    The command bu MyDriver1 puts a breakpoint in the first byte of the PE header of the driver image.

    Also, clean up breakpoints after you unload the driver otherwise you cause the debugger to modify memory that could be allocated for something else.