I am Kernel debugging in Windbg and it's slow , very slow stepping through.
My current setup is using VMWARE and Windbg through a com port on the Virtual Machine.
Is there a faster way to debug the Windows Kernel?
What are some of my options?
4
- 2Check out "Slow kernel dbg with VirtualBox and WinDBG" and "Advice about first steps on reversing windows kernel", you may find your answer there.Megabeets– Megabeets2017-10-20 21:54:44 +00:00Commented Oct 20, 2017 at 21:54
- Thanks for linking this. I looked for an answer but I guess I didn't use the magic keywords )LUser– LUser2017-10-21 08:26:51 +00:00Commented Oct 21, 2017 at 8:26
- 1I didn't used Vmware but, I'm using Hyper-V and serial ports for debugging Windows 7 32-bit. It is fast for me.Kerim Can Kalıpcıoğlu– Kerim Can Kalıpcıoğlu2017-10-22 08:37:17 +00:00Commented Oct 22, 2017 at 8:37
- @de6f I'd like to test this because I want to test drivers.LUser– LUser2017-10-22 16:03:12 +00:00Commented Oct 22, 2017 at 16:03
Add a comment |
3 Answers
You want VirtualKd. It is excellent and robust.
- I will test this out today. Thank you for the answer!LUser– LUser2017-10-21 08:27:04 +00:00Commented Oct 21, 2017 at 8:27
- Tested it . This is indeed a lot more faster.LUser– LUser2017-10-22 11:16:16 +00:00Commented Oct 22, 2017 at 11:16
- For some reason it took forever to get it to connect, it seems fine now though. Ironically this tool requires driver signing to be disabled which is exactly what I am testing. So I am not sure if this is the best tool for what I need but , you did answer the question.LUser– LUser2017-10-22 11:18:42 +00:00Commented Oct 22, 2017 at 11:18
GynvaelColdwind had invited honorary_bot who had 4 streams about Kernel Debugging.
The videos can be found here: Stream 1, Stream 2, Stream 3, Stream 4.
Around 34 min in the stream 1 he mentions the slowness of COM connection and around 38 he mentions usage of VirtualKd and why it works much faster. There's also a short installation/setup process.
Also there are some downsides of this one - as you need to install something on the machine (someone might don't want to do it). So what it's presented as the best solution (for him) is using physical Firewire but the setup requires separate machines.
I recommend to have a watch of those 4 streams if you are new into the topic.
- These are both superb answers that it's hard to pick just one.LUser– LUser2017-10-22 11:17:02 +00:00Commented Oct 22, 2017 at 11:17
- @ApertureSecurity No worries :)Paweł Łukasik– Paweł Łukasik2017-10-22 15:43:52 +00:00Commented Oct 22, 2017 at 15:43
If you are debugging a newer version of Windows (Windows 8 or higher I believe). You should checkout network based debugging. Works like a charm. No third party dependencies.
Just open up a cmd prompt as admin and type: bcdedit /debug on bcdedit /dbgsettings net hostip:w.x.y.z port:n
Checkout the MSDN docs for more info
