Kernel debugging with IDA Pro / Windbg plugin and VirtualKd

The other day we received a support email asking whether the IDA Pro / Windbg debugger plugin works with VirtualKd, a tool that speeds up Windows kernel debugging of VMWare and VirtualBox guests by up to 45x. After installing and experimenting with VirtualKd, our answer was “yes, certainly”. This blog entry illustrates how to configure VirtualKd for use with the IDA Pro / Windbg plugin and VMWare.

Installing VirtualKd

First download the VirtualKd package, unzip it, copy the contents of its ‘target’ folder into the VMWare guest OS and run ‘vminstall.exe’ there. After this step, reboot the guest and run ‘vmmon.exe’ (or ‘vmmon64.exe’) on the host. If everything went well, you should see something like this:

Please take note of the ‘Pipe name’ value as shown in the screenshot. We will use this value when configuring the Windbg plugin.

Configuring IDA Pro / Windbg plugin

First, run IDA Pro without an input database and select Debugger / Attach / Windbg plugin:

Next, we get this screen:

Here we enter the connection string, which tells the debugging engine that the “COM port” is in fact a named pipe on the host. The pipe name is the value we read from the ‘vmmon’ tool in the previous step.

Before pressing OK, we need to make sure that the Windbg plugin is properly configured. Let us verify that by pressing on the ‘Debug options’ button:

This dialog configures the debugger in general and is common to all debugger modules. Since none of those settings need changing here, select ‘Set specific options’ instead:

Make sure that these two options are properly configured:

  1. Kernel debugging is selected.
  2. The Debugging Tools path is entered correctly. Note that even when debugging an x64 kernel you still need to point at the x86 version of the Debugging Tools: the plugin loads dbgeng.dll into IDA’s own process, so the bitness of the tools has to match IDA’s (a 32-bit process), not the target’s.

Once everything is configured, press OK in each dialog until the attach dialog shows up:

Pressing OK one last time will start the debugging session:
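Before attaching from IDA it pays to confirm on the host that the VirtualKd pipe reported by vmmon really exists, that the Debugging Tools folder you point the plugin at contains an x86 dbgeng.dll, and to have the connection string ready in the form the debugging engine expects. The PowerShell script below is an added example and is not code from the original post, from Hex-Rays or from the VirtualKd project. The pipe name and the Debugging Tools path are placeholders (replace them with the value shown in your vmmon window and your own install location), and the ‘kd_’ prefix used to spot VirtualKd pipes is an assumption about how vmmon names them.

```powershell
# Added example: host-side sanity checks before attaching IDA's Windbg plugin
# through VirtualKd. Not part of the original post, Hex-Rays or VirtualKd.
param(
    # Assumed pipe name; copy the real one from the vmmon window.
    [string]$PipeName = '\\.\pipe\kd_Windows7x64',
    # Assumed install location of the x86 Debugging Tools; adjust to yours.
    [string]$DbgToolsPath = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86'
)

function Get-VirtualKdPipes {
    # Enumerate the host's named pipes and keep those that look like VirtualKd's.
    # The 'kd_' prefix is an assumption about vmmon's naming; adjust if yours differ.
    [System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -like '*\pipe\kd_*' }
}

function Get-PEMachine {
    param([Parameter(Mandatory)][string]$Path)
    # Read IMAGE_FILE_HEADER.Machine: 0x014c = x86, 0x8664 = x64.
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $peOff   = [BitConverter]::ToInt32($bytes, 0x3C)          # IMAGE_DOS_HEADER.e_lfanew
    $machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)   # skip the 'PE\0\0' signature
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown (0x{0:x})' -f $machine }
    }
}

function New-KdConnectionString {
    param([Parameter(Mandatory)][string]$Pipe)
    # Named-pipe form of the WinDbg/kd "com:" transport used for virtual machines:
    #   pipe      - the "port" is a named pipe, not a physical COM port
    #   resets=0  - allow unlimited reset packets while synchronizing (needed for VM pipes)
    #   reconnect - reopen the pipe automatically if the guest closes it (e.g. on reboot)
    "com:pipe,port=$Pipe,resets=0,reconnect"
}

# 1. Is vmmon exposing the pipe? (vmmon must be running and the guest booted.)
$found = @(Get-VirtualKdPipes)
if ($found -notcontains $PipeName) {
    Write-Warning "Pipe '$PipeName' not found. VirtualKd-looking pipes present: $($found -join ', ')"
} else {
    "Pipe present: $PipeName"
}

# 2. Does the Debugging Tools folder hold the x86 dbgeng.dll the plugin needs?
$dbgeng = Join-Path $DbgToolsPath 'dbgeng.dll'
if (-not (Test-Path $dbgeng)) {
    Write-Warning "dbgeng.dll not found under '$DbgToolsPath'"
} else {
    $arch = Get-PEMachine -Path $dbgeng
    if ($arch -ne 'x86') { Write-Warning "dbgeng.dll is $arch; the plugin needs the x86 build" }
    else                 { "dbgeng.dll is x86: OK" }
}

# 3. The connection string to paste into the plugin's attach dialog.
$conn = New-KdConnectionString -Pipe $PipeName
"Connection string: $conn"

# 4. Optional: prove the transport outside IDA first, so a failure can be blamed on
#    the pipe rather than on the plugin. Run this command by hand in a second console.
$kd = Join-Path $DbgToolsPath 'kd.exe'
if (Test-Path $kd) { "Manual transport check: & '$kd' -k $conn" }
```

Run it on the host after vmmon is up and the guest has booted. If step 1 lists no pipe at all, the guest is not yet talking to vmmon and no amount of plugin configuration will help; if step 2 reports an x64 dbgeng.dll, the attach will fail even though every other setting is right.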

After debugging for a while, we were really amazed at the speed improvement achieved with the help of VirtualKd (nice work, VirtualKd team). Kernel debugging speed with the Windbg plugin is now almost comparable to that of the local Win32 debugger plugin.

For a more elaborate tutorial on configuring and using the Windbg plugin please check our support page.

Published by

Elias Bachaalany

Hi, I am Elias, a former Hex-Rays employee and an IDA Pro enthusiast. I love reverse engineering and more especially writing tools and articles about it. I also co-authored a couple of books on the topic, which you can see on Amazon.com (http://amzn.to/1P1G0ID).