4

I got a malicious kernel mode driver from VirusTotal. Now, I am trying to debug it using Windbg.

Below are the details of the setup:

Host OS: Win 7 Ultimate 64-bit, Windbg version 6.11.x, VMware Workstation
Guest OS: Win XP SP3

I placed the kernel mode driver in Guest OS in the path: C:\drivers\test

Added .sys extension to the kernel mode driver.

In Windbg on Host OS, I attached to the guest OS through Named Pipe. Set the breakpoint to break at DriverEntry of the driver as shown below:

bu malicious_driver!DriverEntry 

Then press g.

In Guest OS, used OSR Driver Loader from osronline.com to load the driver.

Browsed for the Driver, Registered the Service and started the Service.

I break in Windbg; however, I receive the following error message:

kd> bu malicious_driver!DriverEntry
kd> g
*** ERROR: Module load completed but symbols could not be loaded for malicious_driver.sys
Breakpoint 0's offset expression evaluation failed. Check for invalid symbols or bad syntax.
WaitForEvent failed
nt!DebugService2+0x11:
8052e4c5 5d              pop     ebp
kd> !drvobj malicious_driver
Driver object (b25eb000) is for:
b25eb000: is not a driver object

Please note that I am able to successfully break at the DriverEntry of known legitimate Microsoft Windows OS drivers like ndis.sys and http.sys.

However, how do I break at the entry point of malicious drivers as in this case? I don't have the symbols for them either.

Thanks.

1 Answer

7

Try "break on module load" (e.g. sxe ld malicious_driver.sys). When it's hit, you can check the driver's load address and set breakpoint by address.
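The answer above stops at "set breakpoint by address" without saying where that address comes from. Without symbols, `malicious_driver!DriverEntry` cannot be resolved, but the PE header of the .sys file still records AddressOfEntryPoint, an RVA relative to wherever the kernel actually mapped the image. Drivers are relocated, so the ImageBase in the header is not useful; the load base that kd prints when `sxe ld` fires (or `lm m malicious_driver` afterwards) is. Entry address = load base + AddressOfEntryPoint. The following script is an added example, not code from the question or answer: it parses that RVA from the file on the host side and prints the kd command sequence. The module name `malicious_driver`, the load base 0xB25E0000 and the embedded sample PE are constructed for illustration; `build_sample_driver` only fabricates the headers, it is not a real driver. WinDbg's own `!dh malicious_driver` would show the same "address of entry point" value once the module is loaded.

```python
import struct

# IMAGE_OPTIONAL_HEADER magic values (PE32 for the XP SP3 guest in the question, PE32+ for 64-bit)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def parse_pe_entry(data: bytes) -> dict:
    """Read AddressOfEntryPoint and ImageBase from raw PE bytes (no symbols needed)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20                                   # skip signature + IMAGE_FILE_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (same offset in PE32/PE32+)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {"magic": magic, "entry_rva": entry_rva, "image_base": image_base}


def driver_entry_address(data: bytes, load_base: int) -> int:
    """Absolute address of the PE entry point given the base kd reported for the loaded module.
    The header's ImageBase is ignored on purpose: kernel drivers are relocated at load time."""
    return load_base + parse_pe_entry(data)["entry_rva"]


def windbg_commands(module: str, data: bytes, load_base: int) -> list:
    """The kd sequence: break on module load, confirm the base, then break on the entry point by address."""
    addr = driver_entry_address(data, load_base)
    return [
        f"sxe ld:{module}",      # stop when the kernel loads the module (answer's suggestion)
        "g",                     # start the service in the guest; kd breaks with the load base
        f"lm m {module}",        # confirm start address of the module
        f"bp 0x{addr:x}",        # entry point = load base + AddressOfEntryPoint
        "g",                     # runs until the loader calls the driver's entry point
    ]


def build_sample_driver(pe32plus: bool = False, entry_rva: int = 0x1234,
                        image_base: int = 0x10000) -> bytes:
    """Constructed minimal PE headers for testing; not a real driver and not loadable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    machine, opt_size = (0x8664, 0xF0) if pe32plus else (0x014C, 0xE0)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    if pe32plus:
        opt = struct.pack("<HBBIIIIIQ", IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0,
                          0x200, 0x200, 0, entry_rva, 0x1000, image_base)
    else:
        opt = struct.pack("<HBBIIIIIII", IMAGE_NT_OPTIONAL_HDR32_MAGIC, 14, 0,
                          0x200, 0x200, 0, entry_rva, 0x1000, 0x2000, image_base)
    opt += b"\0" * (opt_size - len(opt))
    return dos + b"PE\0\0" + file_hdr + opt


if __name__ == "__main__":
    # Assumed load base; in practice read it from the sxe ld break or from "lm m malicious_driver".
    sample = build_sample_driver()
    for cmd in windbg_commands("malicious_driver", sample, 0xB25E0000):
        print(cmd)
```

Two caveats when using this against a real sample: the PE entry point is not always DriverEntry itself. MSVC-built drivers with /GS export an entry stub (GsDriverEntry) that initialises the security cookie and then calls the real DriverEntry, so once the `bp` hits, trace into the first call to reach the routine the malware author wrote. And `bp` on an address only works after the module is mapped; before `sxe ld` fires the address is unmapped and WinDbg will refuse or defer it, which is why the load-event break comes first.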
