Debug setup
April 2, 2009
The current setup: Kernel debugging requires two computers connected through a COM (serial) port, a 1394 (FireWire) cable, a USB 2.0 cable, or a network. I will be using a 1394 cable. If you do not have one already, you can pick up a 1394 card very cheaply ($5) on amazon.com; it comes with the driver, the card, and the firewire cable itself. (God I love amazon.com). Both the host and the target computers I am using are running Windows 7 beta, build 7000.
Ok, so with Windows 7, as with Vista, all debug settings must be modified with bcdedit. Don’t forget to run the cmd shell as administrator! I will be editing the {current} boot entry rather than adding a separate debug entry.
First command: bcdedit /debug {current} on
Second command: bcdedit /dbgsettings 1394 CHANNEL:44
Now restart the target computer (the computer to be debugged), and on the host computer run Windbg.exe (as administrator!!!). If you do not have Windbg.exe, just search for "Debugging Tools for Windows"; it is a free download from Microsoft.
We must now set the symbol file path if we are to glean any relevant information from the target computer. Symbol files (.pdb) map the addresses in the kernel binaries back to function names, variables, and structure layouts, so without them the debugger cannot resolve names like nt!_EPROCESS or show you typed data. If both computers have an internet connection, the easiest thing to do is to use Microsoft’s public symbol server, which just means editing the symbol file path. In Windbg, go to File->Symbol File Path and add a new path of the form:
SRV*your local folder for symbols*http://msdl.microsoft.com/download/symbols
I created a folder under C:\symbols. So my symbol file path reads: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
This is all you need to debug the kernel files, and it is all we will need for now; when we develop our driver we will add its symbol file to the path as well. Click reload symbols, and all the kernel symbol files should now be ready to query.
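The configuration steps above, collected into one script (an added example, not part of the original post). Running it elevated on the target applies the two bcdedit commands and reads the settings back to confirm they took; running it on the host creates the symbol folder and exports the same symbol path as _NT_SYMBOL_PATH, which Windbg honours in place of the GUI setting. The channel (44) and C:\symbols match the post; the text matching assumes English-language bcdedit output.

```powershell
# Added example: apply and verify the debug setup described in the post.
# Run from an elevated PowerShell prompt. Assumes bcdedit.exe is on PATH.
$Channel    = 44                                  # same channel as in the post
$SymbolDir  = 'C:\symbols'                        # local symbol cache from the post
$SymbolPath = "SRV*$SymbolDir*http://msdl.microsoft.com/download/symbols"

function Set-KernelDebug1394 {
    param([int]$Channel)
    # The two bcdedit commands from the post, applied to the {current} boot entry.
    & bcdedit /debug '{current}' on               | Out-Null
    & bcdedit /dbgsettings 1394 "CHANNEL:$Channel" | Out-Null
}

function Test-KernelDebug1394 {
    param([int]$Channel)
    # bcdedit prints one "name   value" pair per line; check the three fields we set.
    # (Field names and the word "Yes" are localized on non-English systems.)
    $entry = & bcdedit /enum '{current}'
    $dbg   = & bcdedit /dbgsettings
    $debugOn  = [bool]($entry | Select-String '^debug\s+Yes')
    $type1394 = [bool]($dbg   | Select-String '^debugtype\s+1394')
    $chanOk   = [bool]($dbg   | Select-String "^channel\s+$Channel\s*$")
    return ($debugOn -and $type1394 -and $chanOk)
}

function Set-HostSymbolPath {
    param([string]$Dir, [string]$Path)
    # Create the local cache folder and export the path for every Windbg session.
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $Path, 'User')
}

# Usage: pass -Target on the machine to be debugged, -Host on the Windbg machine.
param([switch]$Target, [switch]$Host)
if ($Target) {
    Set-KernelDebug1394 -Channel $Channel
    if (Test-KernelDebug1394 -Channel $Channel) {
        Write-Host "Kernel debugging enabled on 1394 channel $Channel; reboot the target."
    } else {
        Write-Warning 'bcdedit settings did not read back as expected; check the output of bcdedit /enum {current}.'
    }
    # When the debugging session is finished, turn it back off:  bcdedit /debug {current} off
}
if ($Host) {
    Set-HostSymbolPath -Dir $SymbolDir -Path $SymbolPath
    Write-Host "_NT_SYMBOL_PATH set to $SymbolPath (takes effect in new Windbg sessions)."
}
```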
Ok, now connect to the target by going to File->Kernel Debug. Select the 1394 tab, enter 44 as the channel, and click OK. Look for the break icon at the top of the Windbg GUI; this icon is what we will use whenever we wish to halt the target computer and peek into the kernel. We should now be successfully connected to the target machine!
Let’s give it one command to ensure everything is working properly:
dt nt!_EPROCESS. If the symbol files have been configured properly, the output will show the EPROCESS struct with all of its member variables and their offsets.