When IDA introduced debugging facilities years ago, the task of analyzing hostile code became more enriched: no more looking at static code and figuring out what it does, instead just run the malware in a virtual machine and debug it remotely, even debug just a small code snippet from the database (Bochs based debugger plugin).
With IDA 5.4 release, in addition to the Bochs and GDB plugins, we also introduced a debugger plugin based on Microsoft’s Debugger Engine (the same engine used by Windbg, cdb and kd). With this addition to IDA you can now debug live kernel targets as well.
For user mode debugging the Windbg debugger plugin beats the win32 debugger plugin, by providing you access to a wide range of extensions that ship with the debugging tools from Microsoft.
For kernel debugging, you can use Bochs/Disk Image loader or GDB plugin to debug the whole operating system from Bios code and on.
However when Windbg plugin is used, you get the raw power of the debugging engine (extensions / built-in commands, symbols, …).
We prepared a video showing how to debug kernel mode and user mode at the same time with full symbolic information (provided from the PDB files).
The video also demonstrates how to set breakpoints on user mode APIs and see them get triggered when any application in the system uses those APIs.
Before viewing the video, for those willing to experiment with the Windbg debugger plugin to debug kernel mode and user mode at the same time, here is how to prepare a database:
- If you never used the Windbg debugger plugin before please visit the Windbg plugin tutorial page
- Setup a process server inside the VM and attach to it from IDA to debug just any user mode application
- Once attached, go to desired segments (kernel32, user32, advapi32, gdi32, etc…) and convert them to loader segments
- If symbol retrieval mechanism was properly configured then most system DLLs will have symbol information, otherwise only exported names will available
- Now we have a database with all user mode components we wish to inspect from the live kernel debugging session
- Using the same database, change the connection string so that it connects to the same VM for the purpose of live kernel debugging this time
- Once attached to the kernel, IDA will present loaded drivers and kernel mode modules in the debugger / modules list
- It is possible to convert to loader segments the kernel mode components of interest
- That’s it! The database is now suited for kernel debugging, yet contains names and addresses of user mode components
The video will put everything into perspective!