How to debug a Virtual Machine with WinDBG Tutorial - KeInitializeDpc

Video link: https://www.youtube.com/watch?v=ch8AuPsZ3aM
Category: Tutorial
Duration: 5:24

Learn how to attach the WinDBG kernel debugger to your virtual machine. This WinDBG tutorial will teach you how to debug a virtual machine running in VirtualBox or VMware by setting up a serial debugger connection. This VM debugging tutorial is part of an exercise from the Practical Reverse Engineering book (page 25, exercise 5). After attaching the debugger, we show a short example of how to use WinDBG to reverse engineer the KeInitializeDpc() function.

Time stamps:

0:00 Configuring virtual machine
1:44 Configuring WinDBG
2:12 Virtual machine debugging
2:35 KeInitializeDpc function

WinDBG is a multipurpose Windows debugger by Microsoft. It is used to find errors in code or for reverse engineering purposes, and it can also analyze crash dumps. WinDBG is both a kernel-mode and a user-mode debugger, which means it can debug kernel code, such as drivers, as well as ordinary user-mode programs.

Support us on Patreon: http://bit.ly/38mnveC
Discussion & Download : https://bit.ly/2XJEswp

A virtual machine is an emulation of a computer. It allows an operating system (the guest) to run inside the currently running machine (the host) as if it were a full, completely separate computer. It can be used to try out new operating systems or to run untrusted programs that may contain malware without worrying about damaging the actual system.

In this video, you will learn how to debug a virtual machine using WinDBG, which allows you to debug kernel code. First, the virtual machine needs to be set up to communicate through a serial port. While VMware is used for the virtual machine in the video, the setup should be similar in other programs such as VirtualBox. Then, WinDBG should be configured to use the same serial port as the virtual machine. Once the setup is done, start the virtual machine and return to WinDBG. WinDBG should now receive a connection and start showing output. At this point, break execution and start debugging. KeInitializeDpc is taken as an example: the tutorial goes through the _KDPC object and the KeInitializeDpc function, disassembling it and walking through the function's assembly.
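As an added example that is not part of the video or its description, here are the host-side and guest-side commands behind the serial setup described above. It assumes the guest's COM1 is mapped to the host named pipe \\.\pipe\com_1 at 115200 baud, and that windbg.exe is on the host PATH.

```powershell
# Added example (not from the video): serial kernel debugging of a VM guest.
# Assumptions: guest COM1 <-> host named pipe \\.\pipe\com_1, 115200 baud,
# WinDbg installed on the host and windbg.exe on PATH.

# --- 1. Host: VM serial port settings (done in the VM settings dialog) ---
#   VMware:     Add Hardware -> Serial Port -> "Output to named pipe"
#                 Named pipe:  \\.\pipe\com_1
#                 This end is the server, the other end is an application
#                 I/O mode:    Yield CPU on poll
#   VirtualBox: Serial Ports -> Port 1 (COM1) -> Port Mode "Host Pipe",
#                 Path/Address \\.\pipe\com_1 (leave "Connect to existing" off)

# --- 2. Guest: tell the Windows boot loader to expose a kernel debugger ---
# Run in an elevated PowerShell prompt inside the VM, then reboot the guest.
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /dbgsettings   # verify: debugtype Serial, debugport 1, baudrate 115200

# --- 3. Host: attach WinDbg to the pipe before (or while) the guest boots ---
$pipe = '\\.\pipe\com_1'
& windbg.exe -k "com:port=$pipe,baud=115200,pipe,reconnect"

# --- 4. Inside WinDbg once "Connected to Windows ..." appears ---
#   Ctrl+Break            stop the guest and drop into the kernel debugger
#   .reload /f            load ntoskrnl symbols (a symbol path must be set)
#   dt nt!_KDPC           dump the DPC object layout KeInitializeDpc fills in
#   uf nt!KeInitializeDpc disassemble the whole function
#   bp nt!KeInitializeDpc break when a driver initializes a DPC; g resumes
```

The guest will hang at boot waiting for the debugger if WinDbg is not listening on the pipe, so step 3 is usually started first.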

By the end of the video, you will be able to debug a virtual machine and reverse engineer the KeInitializeDpc function, which will allow you to debug kernel-mode drivers. This will help you debug the kernel drivers you write, and debug and reverse engineer drivers from other software such as anti-cheat systems.
