We have already published short tutorial on Windows kernel debugging
with IDA and VMWare on our site, but the debugging experience can
still be improved.
VMWare’s GDB stub is very basic, it doesn’t know anything about processes or
threads (for Windows guests), so for anything high-level we’ll need
to do some extra work. We will show how to get the loaded module list
and load symbols for all them using IDAPython.
Preparing VM for debugging
Let’s assume that you already have a VM with
Windows (32-bit) installed. Before starting the debugging, copy files
for which you want to see symbols to the host. If you’re not sure,
copy nt*.exe and hal.dll from System32, and the whole
Edit the VM’s .vmx file to enable GDB debugger
Add these lines to the file:
debugStub.listen.guest32 = "TRUE"
Save the file.
In VMWare, click "Power on this virtual machine" or click the
green Play button on the toolbar.
Wait until the VM boots.
Debugging in IDA
If you get the welcome dialog, choose "Go".
Choose Debugger | Attach | Remote GDB debugger.
Enter "localhost" for hostname and 8832 for the port number.
Choose <attach to the process started on target> and click OK.
The execution should stop somewhere in the kernel (address above
0x80000000). You can step through the code, but it’s not very
convenient without any names. Let’s try to gather some more
Getting the module list
The list of kernel modules is
stored in the list pointed to by the
symbol in the kernel. To find its address, we will use the so-called
"KPCR trick". KPCR stands for Kernel Processor Control
Region. It is used by the kernel to store various information about
each processor. It is placed at the base of the segment pointed to by
register (similar to TEB in user mode). One of the fields in it is
which points to a structure used by the kernel debugger. It, in
turn, has various pointers to kernel structures, including
Definition of the KPCR
structure can be found in many places, including IDA’s ntddk.til.
Right now we just need to know that
field is situated at offset 0x34 from the start of KPCR. It points to
pointer at offset 0x18.
Let’s write a small Python function
to find the value of that pointer.
To retrieve the base of the segment pointed to by
fs, we can use the VMWare’s debug monitor "r" command. GDB
debugger plugin registers an IDC function
to send commands to the monitor, and we can use IDAPython’s
function to call it:
fs_str = Eval(‘SendGDBMonitor("r fs")’)
Returned string has the following
fs 0x30 base 0x82744a00 limit 0x00002008 type 0x3 s 1 dpl 0 p 1 db 1
We need the address specified after
kpcr = int(fs_str[13:23], 16) #extract and convert as base 16 (hexadecimal) number
Then get the value of
kdversionblock = Dword(kpcr+0x34)
PsLoadedModuleList = Dword(kdversionblock+0x18)
Walking the module list
is declared as
LIST_ENTRY is a
structure which represents a member of a double-linked list:
typedef struct _LIST_ENTRY
} LIST_ENTRY, *PLIST_ENTRY;
So, we just need to follow the
Flink pointer until we come
back to where we started. A single entry of the list has the
Now we can write a small function to walk this list and create a segment
for each module:
#get the first module
cur_mod = Dword(PsLoadedModuleList)
while cur_mod != PsLoadedModuleList and cur_mod != BADADDR:
BaseAddress = Dword(cur_mod+0x18)
SizeOfImage = Dword(cur_mod+0x20)
FullDllName = get_unistr(cur_mod+0x24)
BaseDllName = get_unistr(cur_mod+0x2C)
#create a segment for the module
SegCreate(BaseAddress, BaseAddress+SizeOfImage, 0, 1, saRelByte, scPriv)
#set its name
#get next entry
cur_mod = Dword(cur_mod)
Having the module list is nice, but not very useful without symbols. We can
load the symbols manually for each module using File | Load File |
PDB file… command, but it would be better to automate it.
For that we can use the PDB plugin. From looking at its sources
(available in the SDK), we can see that it supports three "call
//call_code==0: user invoked ‘load pdb’ command, load pdb for the input file
//call_code==1: ida decided to call the plugin itself
//call_code==2: load pdb for an additional exe/dll
// load_addr: netnode("$ pdb").altval(0)
// dll_name: netnode("$ pdb").supstr(0)
Call code 2 looks just like what we need. However, current IDAPython
includes a rather basic implementation of netnode class and it is not
possible to set supvals from Python. However, if we look at handling
of the other call codes, we can see that the plugin retrieves module
"$ PE header" netnode and module
get_input_file_path() function. IDAPython’s
netnode.altset() function does work, and we can use
set_root_filename() to set the input file path. Also, if we pass a
call code 3, we will avoid the "Do you want to load the
#new netnode instance
penode = idaapi.netnode()
#create netnode the in database if necessary
#set the imagebase (-2 == 0xFFFFFFFE)
#set the module filename
#run the plugin
However, we need to replace the kernel-mode path by the local path beforehand:
#path to the local copy of System32 directory
local_sys32 = r"D:\VmWareShared\w7\System32"
#translate into local filename
filename = local_sys32 + FullDllName[20:]
Now we can gather all pieces into a single script. Download it here
After running it, you should have a nice memory map:
…and name list:
Looks much better now. Happy debugging!