
Windows XP-SP3 Kernel Debugging on VMware fusion


Something that once was done with heavy and expensive serial cables can now be achieved in a matter of seconds through virtual machines. I am of course speaking about kernel debugging, what else? Recently I have been following the exceptionally great Intermediate x86 training led by Xeno Kovah where, in order to keep up with the labs, I had to put together a WinXP-to-WinXP kernel debugging setup. So after a few moments of bewilderment I reached a fully working environment with the following steps. Everything below this point has been tested on VMware Fusion Pro 11.

We are going to have two VMs: a debugger, from which WinDbg is run, and a debuggee machine, our target system. The debuggee will act as a server, while the debugger will be the client connecting to it via a named pipe.

1) Power down both Windows XP VMs and edit each VMX file inside the VM folder accordingly.

debugger

serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "/tmp/dev_com"
serial1.pipe.endPoint = "client"

debuggee

serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "/tmp/dev_com"
serial1.pipe.endPoint = "server"


2) Power up the debuggee machine and edit c:\boot.ini with Notepad, adding an additional boot option:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /debug /debugport=com1 /baudrate=115200

Power down the debuggee machine.

3) Boot the debugger machine and install the Windows XP symbol package “WindowsXP-KB936929-SP3-x86-symbols-full-ENU.exe”. As XP is no longer supported by Microsoft, you will likely not find these symbols on the official site >:) Launch WinDbg x86 (the 32-bit version) and as ‘symbol file path’ set the same location where the XP symbols have been installed.

SRC*c:\windows\symbols*

Now select Kernel Debug, open the ‘COM’ tab and set the baud rate to 115200 (make sure to select the right COM port number, as listed in the system's device list). The ‘Pipe’ and ‘Reconnect’ options should be left unchecked. The debugger VM should now be in a waiting state, hoping for the debuggee to come alive.

4) Boot the debuggee machine and select the second boot option (debugging mode). Back on the debugger machine, you should now see WinDbg showing live debugging data from our target system.
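The serial1 settings from step 1 are easy to get subtly wrong (both VMs set to the same endpoint, or two different pipe paths), and the only symptom is WinDbg waiting forever. The following script is an added example, not part of the original post: it rewrites the serial1 block of a VMX file and cross-checks the debugger/debuggee pair. It assumes a VMX file is plain key = "value" lines, and the sample VMX text is constructed.

```python
import re

# Serial-port keys from the post; debugger and debuggee differ only in endPoint.
SERIAL_KEYS = {
    "serial1.present": "TRUE",
    "serial1.fileType": "pipe",
    "serial1.yieldOnMsrRead": "TRUE",
    "serial1.startConnected": "TRUE",
}
# Assumption: a VMX file is plain  key = "value"  lines (comments/blanks ignored).
LINE_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines of a VMX file into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def patch_vmx(text, endpoint, pipe="/tmp/dev_com"):
    """Return VMX text with serial1.* set for kernel debugging over a named pipe.
    Existing serial1.* lines are dropped so the port is never half-configured."""
    if endpoint not in ("client", "server"):
        raise ValueError("endpoint must be 'client' (debugger) or 'server' (debuggee)")
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("serial1.")]
    wanted = dict(SERIAL_KEYS, **{"serial1.fileName": pipe, "serial1.pipe.endPoint": endpoint})
    kept += [f'{k} = "{v}"' for k, v in wanted.items()]
    return "\n".join(kept) + "\n"

def check_pair(debugger_text, debuggee_text):
    """Cross-check the two VMX files: port enabled on both, same pipe path,
    debugger = client and debuggee = server. Returns a list of problems."""
    a, b = parse_vmx(debugger_text), parse_vmx(debuggee_text)
    problems = []
    for name, cfg in (("debugger", a), ("debuggee", b)):
        for k, v in SERIAL_KEYS.items():
            if cfg.get(k) != v:
                problems.append(f'{name}: {k} should be "{v}", got {cfg.get(k)!r}')
    if a.get("serial1.fileName") != b.get("serial1.fileName"):
        problems.append("serial1.fileName differs: both VMs must open the same pipe")
    if (a.get("serial1.pipe.endPoint"), b.get("serial1.pipe.endPoint")) != ("client", "server"):
        problems.append("endpoints must be client (debugger) and server (debuggee)")
    return problems

# Constructed sample VMX with a stale serial1 line that patch_vmx must replace.
SAMPLE_VMX = '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "WinXP"\nserial1.present = "FALSE"\n'
```

Run it on the host against both VMX files while the VMs are powered down; an empty list from check_pair means the pair matches the configuration in step 1.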

windows kernel, debugging, vmware fusion, security, infosec


© 2018 Matteo Malvica. Illustrations by Sergio Kalisiak.