Kernel Debugging

Advanced

Kernel debugging is essential for analyzing rootkits, drivers, and kernel-mode exploits. WinDbg is the primary tool for Windows kernel debugging. It is a two-machine setup: the host runs WinDbg, the target (ideally a VM) boots with debugging enabled, and the two are linked over a serial or network transport. When the target breaks into the debugger it is completely frozen, so a second machine is not optional.

WinDbg Setup

windbg-kernel.txt
text
# --- On the TARGET (the VM being debugged): elevated PowerShell or cmd ---
# Enable kernel debugging; debugport:1 is COM1
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200

# Or use network debugging (Windows 8+, needs a KDNET-capable NIC).
# hostip is the IP of the machine running WinDbg; port must be 49152-65535.
# bcdedit prints a Key=... line: copy it, the host cannot connect without it.
bcdedit /dbgsettings net hostip:192.168.1.100 port:50000

# Verify what is persisted in the BCD, then reboot the target
bcdedit /dbgsettings

# --- On the HOST: connect WinDbg ---
# GUI: File → Kernel Debug → COM / NET (paste the key for NET)
# CLI, serial via the VM's named pipe:
#   windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect
# CLI, network:
#   windbg -k net:port=50000,key=<key printed by bcdedit>

$$ --- WinDbg commands (typed in the debugger; $$ starts a comment, ; separates commands) ---
$$ Process and thread state
!process 0 0              $$ List all processes (summary)
!process 0 7 <image.exe>  $$ Full detail, including threads, for one image name
!thread                   $$ Current thread info
!pte <address>            $$ Page table entry for a virtual address
!pool <address>           $$ Pool allocation info (which tag owns this address)

$$ Driver analysis
lm                        $$ List loaded modules
lm m nt                   $$ ntoskrnl info
!drvobj \Driver\MyDriver 7   $$ Driver object with its device objects and IRP dispatch table
$$ A dispatch routine that resolves outside the driver's own image is a hook worth inspecting

$$ Breakpoints
bp nt!NtCreateFile        $$ Break on the NtCreateFile system service
bu mydriver!DriverEntry   $$ Deferred bp: resolves when mydriver loads (bp fails if the module is not loaded yet)

$$ Memory commands
db <addr>                 $$ Display bytes
dd <addr>                 $$ Display dwords
dq <addr>                 $$ Display qwords
u <addr>                  $$ Unassemble

$$ Symbols (set the path first; /f forces an immediate reload)
.sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols
.reload /f
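The target-side setup above, wrapped in a script with the checks a practitioner wants before flipping a kernel into debug mode. This is an added example, not code from the original page: it assumes an elevated PowerShell session on the target VM, that `bcdedit /dbgsettings net` prints the generated key on a line beginning with `Key=` (assumed from typical output), and that the VM-detection heuristic on `Win32_ComputerSystem` is good enough for a lab machine. The parameter names `HostIp` and `Port` are mine.

```powershell
# Added example (not part of the original page): configure a target VM for
# KDNET kernel debugging and print the matching host-side WinDbg command.
# Assumptions: elevated PowerShell on the TARGET; bcdedit emits the key on a
# "Key=..." line (format assumed, not guaranteed across builds).
param(
    [Parameter(Mandatory)][ipaddress]$HostIp,   # IP of the machine running WinDbg
    [int]$Port = 50000                           # KDNET requires 49152-65535
)

$ErrorActionPreference = 'Stop'

# bcdedit needs admin and fails with an unhelpful error otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

if ($Port -lt 49152 -or $Port -gt 65535) {
    throw "KDNET port must be in 49152-65535 (got $Port)."
}

# Refuse to enable on anything that does not look like a VM: a debug-enabled
# kernel is controllable by whoever can reach the transport. Heuristic only.
$cs = Get-CimInstance Win32_ComputerSystem
if ("$($cs.Manufacturer) $($cs.Model)" -notmatch 'Virtual|VMware|QEMU|KVM|VirtualBox|Xen') {
    throw "Refusing: '$($cs.Manufacturer) $($cs.Model)' does not look like a VM. Use a snapshotted VM."
}

# Enable kernel debugging and select the network transport.
bcdedit /debug on | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /debug on failed.' }

# bcdedit prints the auto-generated key; capture it from stdout.
$out = bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port"
if ($LASTEXITCODE -ne 0) { throw "bcdedit /dbgsettings net failed:`n$($out -join "`n")" }

$key = $null
foreach ($line in $out) {
    if ($line -match '^\s*Key\s*[=:]\s*(\S+)') { $key = $Matches[1]; break }
}
if (-not $key) { throw "Could not find the key in bcdedit output:`n$($out -join "`n")" }

# Show what is now persisted in the BCD, then the host-side connect string.
bcdedit /dbgsettings
Write-Host ''
Write-Host "On the host ($HostIp), connect with:"
Write-Host "  windbg -k net:port=$Port,key=$key"
Write-Host 'Take a VM snapshot now, then reboot this target; WinDbg attaches during boot.'
```

Run it as `.\Enable-KdNet.ps1 -HostIp 192.168.1.100` (or with `-Port` to override 50000). The key is the only secret protecting the debug channel, so treat the printed line like a credential and do not leave `/debug on` set once the session is over (`bcdedit /debug off`).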

Kernel Crash

Kernel debugging can cause system instability, and every break-in freezes the target completely. Always use virtual machines and save snapshots before debugging sessions so a wedged or corrupted target can be rolled back. Enabling kernel debugging also changes what you are observing: with a debugger enabled at boot, PatchGuard does not run, and anyone who can reach the serial or network transport (and has the key, for KDNET) has full control of the kernel. Never leave `/debug on` set on a machine you care about.