Tags: reverse-engineering, windbg, ida

Windbg Local kernel debugging on a .sys file


I am doing local kernel debugging on a driver (.sys file). I am new to local kernel debugging and know some debugging, but the situation that I am dealing with is confusing.

I have a driver which is invoked by Python and it starts. The driver is on-demand based. So now I start WinDbg local kernel debugging. I ran the "lm" command to see the loaded modules as below:

lkd> lm
start             end                 module name
fffff801`2ca0d000 fffff801`2d47c000   nt         (pdb symbols)   
          c:\symbols\ntkrnlmp.pdb\C710248A0CA3CAB08015A2B18AB495B41\ntkrnlmp.pdb

Unloaded modules:
fffff801`3f430000 fffff801`3f43e000   chipsec_hlpr.sys
fffff806`fdae0000 fffff806`fdba5000   RtsPer.sys
fffff806`fdbb0000 fffff806`fdbe6000   usbaudio.sys
fffff806`fdb70000 fffff806`fdba6000   usbaudio.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdb70000 fffff806`fdb80000   hiber_storport.sys
fffff801`4b8d0000 fffff801`4c41f000   hiber_iaStorA.sys
fffff801`4c420000 fffff801`4c43e000   hiber_dumpfve.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys
fffff806`fdaa0000 fffff806`fdb65000   RtsPer.sys

But the problem is that it comes under the unloaded modules section. I don't know what to do. I can't see the entry point. I tried IDA, and saw the EP address. Then I put the breakpoint like below:

lkd> bp chipsec_hlpr|DriverEntry

which gives an error like:

^ Operation not supported by current debuggee error in 'bp chipsec_hlpr|DriverEntry'

Also I tried with the VA address that loaded in IDA, which comes to 000000014000335B, hence tried to put a breakpoint, but no result.

I know I am messed up somewhere. If anyone has a solution, please put your thoughts.

Thanks.


Solution

  • Local kernel debugging is not live debugging.
    You cannot set breakpoints, see registers or step through in local debugging;
    it is a kind of dump debugging, a snapshot.

    You may either need to use a VM or another physical machine as target
    and connect WinDbg to the target for live kernel debugging.

    When you have a live session you can stop when your module loads using a variety of means, like

    sxe ibp; .reboot

    When WinDbg breaks on the first initial breakpoint after rebooting
    you can load the symbols
    and set a breakpoint like bp mydriver!DriverEntry and explore further from there.
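As an added example (not from the answer above), the command sequence typed at the kd> prompt of a host WinDbg attached to a live target (VM or second machine), carrying the answer's steps through to a stop at the driver's entry point. The module name chipsec_hlpr, the symbol directory C:\symbols and the IDA address come from the question; the sxe ld and $iment variants go beyond what the answer states and are my additions.

```windbg
$$ Phase 1: host WinDbg attached to the live target (prompt is kd>, not lkd>).
$$ Ask for a stop at the initial breakpoint, then reboot the target.
sxe ibp
.reboot

$$ Phase 2: WinDbg has reconnected and reports the initial breakpoint.
$$ Symbol directory taken from the question; the driver's own .pdb would also go here.
.sympath+ C:\symbols
.reload

$$ Also stop when the driver image is mapped (fires before DriverEntry runs).
$$ 'sxe ld' is an addition beyond the answer's text; the module name is from the lm output.
sxe ld:chipsec_hlpr

$$ Deferred breakpoint: unresolved now, resolved when the module loads.
$$ Note the module!symbol syntax uses '!', not '|'.
bu chipsec_hlpr!DriverEntry
bl
g

$$ Without a PDB for the driver, DriverEntry has no symbol. Two alternatives once
$$ the module is mapped (assumptions, not from the page):
$$   bp $iment(chipsec_hlpr)     $$ image entry point from the PE header
$$   bp chipsec_hlpr + 0x335b    $$ RVA if IDA's base was 0x140000000 (VA 14000335B)
$$ The raw IDA VA itself will not match the kernel load address (fffff8...).

$$ Phase 3: the Python side loads the driver; the target stops at DriverEntry.
lm m chipsec_hlpr
k
r
u chipsec_hlpr!DriverEntry L10
```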