Kernel debugging with IDA

When IDA introduced debugging facilities years ago, analyzing hostile code became a much richer task: instead of staring at static code and working out what it does, you can run the malware in a virtual machine and debug it remotely, or even debug just a small code snippet straight from the database (with the Bochs based debugger plugin).


With the IDA 5.4 release, in addition to the Bochs and GDB plugins, we also introduced a debugger plugin based on Microsoft's Debugger Engine (dbgeng.dll, the same engine used by WinDbg, cdb and kd). With this addition you can now debug live kernel targets as well.
For user mode debugging, the WinDbg debugger plugin beats the win32 debugger plugin by giving you access to the wide range of extensions that ship with the Debugging Tools for Windows.
For kernel debugging, you can use the Bochs plugin in disk image loader mode or the GDB plugin to debug the whole operating system, from the BIOS code onwards.
When the WinDbg plugin is used, however, you get the raw power of the debugging engine: extensions, built-in commands, symbol retrieval, and so on.
We prepared a video showing how to debug kernel mode and user mode at the same time, with full symbolic information (provided by the PDB files).
The video also demonstrates how to set breakpoints on user mode APIs and watch them get triggered when any application in the system calls those APIs: the system DLLs are mapped at the same base address in every process, so a single breakpoint address written from the kernel debugger is reached from whichever process executes that code.
Before viewing the video, for those willing to experiment with the WinDbg debugger plugin to debug kernel mode and user mode at the same time, here is how to prepare a database:
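The following WinDbg command sequence is an added example and is not part of the original post or its video; it shows the kernel-side half of what the video demonstrates, typed into the WinDbg command line of the IDA plugin once the kernel session is attached. It assumes a 32-bit Windows guest with notepad.exe running, symbols configured, and a process server already used to build the database; the EPROCESS address is a placeholder to be replaced with the value printed by !process.

```text
$$ Added example, not from the original post. <eprocess-address> is a placeholder.
kd> !process 0 0 notepad.exe           $$ find the EPROCESS of a process that has kernel32 mapped
PROCESS <eprocess-address>  ...        $$ (output abbreviated)
kd> .process /i <eprocess-address>     $$ switch to that process context invasively; the switch
kd> g                                  $$ takes effect at the next break, so continue once
kd> .reload /user                      $$ load the user mode PDB symbols for this process's modules
kd> bp kernel32!CreateFileW            $$ user mode API breakpoint set from the kernel debugger
kd> g
Breakpoint 0 hit                       $$ fires from whichever process calls CreateFileW next ...
kd> !process -1 0                      $$ ... and this shows which process that was
kd> bc 0
kd> bp /p <eprocess-address> kernel32!CreateFileW   $$ the same breakpoint limited to one process
```

Because the database already carries kernel32 as a loader segment (steps 2 to 5 of the preparation below), the same breakpoint can be placed from IDA's disassembly view on kernel32!CreateFileW instead of being typed; the /p form is the one to use when only one process of interest should stop.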

  1. If you have never used the WinDbg debugger plugin before, please visit the Windbg plugin tutorial page first
  2. Set up a process server (dbgsrv.exe from the Debugging Tools for Windows) inside the VM and attach to it from IDA to debug any user mode application
  3. Once attached, go to the desired segments (kernel32, user32, advapi32, gdi32, etc.) and convert them to loader segments (clear the "Debugger segment" flag in the segment properties), so that IDA keeps their contents and names in the database after the session ends
  4. If the symbol retrieval mechanism was properly configured (the _NT_SYMBOL_PATH environment variable, e.g. srv*C:\symbols*https://msdl.microsoft.com/download/symbols), most system DLLs will have full symbol information; otherwise only exported names will be available
  5. We now have a database with all the user mode components we wish to inspect from the live kernel debugging session
  6. Using the same database, change the connection string so that it connects to the same VM, this time for live kernel debugging (for example over the serial port that the VM exposes to the host as a named pipe)
  7. Once attached to the kernel, IDA will present the loaded drivers and kernel mode modules in the debugger's modules list
  8. Convert the kernel mode components of interest to loader segments in the same way
  9. That's it! The database is now suited for kernel debugging, yet it contains the names and addresses of the user mode components
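As an added example (not from the original post), the guest-side and host-side setup that steps 2 and 6 rely on, written out as the commands typed into the Windows guest plus the two connection strings entered in IDA's process options. It assumes a VMware guest, the Debugging Tools for Windows installed in the guest under C:\Debuggers, TCP port 5000 for the process server and a host named pipe called \\.\pipe\com_1; all of these are assumptions to adjust to your own setup.

```powershell
# Added example, not from the original post or the IDA/Hex-Rays tutorials.
# Assumptions: VMware guest, Debugging Tools for Windows in C:\Debuggers,
# process server on TCP port 5000, host-side pipe \\.\pipe\com_1.

# --- Host side: VMware .vmx entries that expose the guest's COM1 as a named pipe ---
# serial0.present     = "TRUE"
# serial0.fileType    = "pipe"
# serial0.fileName    = "\\.\pipe\com_1"
# serial0.pipe.endPoint = "server"
# serial0.tryNoRxLoss = "TRUE"

# --- Guest side, run from an elevated prompt ---
# 1. Enable the kernel debugger on COM1 (Vista and later). On XP, add
#    /debug /debugport=com1 /baudrate=115200 to the boot entry in boot.ini instead.
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
# Reboot the guest once for the debug settings to take effect.

# 2. Start the dbgeng process server (step 2 of the preparation); the IDA WinDbg
#    plugin attaches to it for user mode debugging. Pick a port the host can reach.
& 'C:\Debuggers\dbgsrv.exe' -t tcp:port=5000

# --- Connection strings for IDA (same dbgeng syntax as WinDbg itself) ---
# User mode through the process server (step 2):   tcp:server=<guest-ip>,port=5000
# Kernel mode through the serial pipe (step 6):    com:pipe,port=\\.\pipe\com_1,baud=115200,resets=0
```

The guest must be rebooted between bcdedit and the kernel attach, and the process server has to be running before the user mode attach; the symbol path from step 4 must be set in the environment of the IDA process on the host, not in the guest, because symbol retrieval is done by the debugger engine on the host side.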

The video will put everything into perspective!

This entry was posted in IDA Pro.

4 Responses to Kernel debugging with IDA

  1. Kad says:

    Is it the same for Linux or Mac OS kernels?

  2. Elias Bachaalany says:

    Hello Kad,
    It is possible to kernel-debug Mac OS or Linux with the GDB debugger plugin; please check here:
    http://www.hex-rays.com/idapro/debugger/gdb_vmware_linux.pdf
    http://www.hex-rays.com/idapro/idasupport.htm

  3. Nayeem says:

    Hi,
    I am writing a kernel in C++.
    I am looking for a debugger that can help us debug a kernel program running in Bochs.
    Can we do debugging similar to how we do it in VC++?
    From
    Nayeem Khan

  4. Elias Bachaalany says:

    Hi Nayeem,
    You can use the IDA Bochs Debugger Plugin (added in IDA 5.4) in "Disk Image Loader" mode. This way you will be able to debug any code running in Bochs.
    On the other hand, we do not support source code level debugging, so you won't be able to debug as in VC++; the closest thing you can get currently is something like VC++ debugging, but in the disassembly view.
    Please also check other Bochs related blog entries:
    http://hexblog.com/2008/10/bochs_emulator_and_ida.html