
Support for Windows Kernel Driver and Debugging / Emulator Support #3972

Open
PatchByte opened this issue Feb 7, 2022 · 6 comments

@PatchByte

I love to use Ghidra. I just have a tiny problem: it's quite hard to work with kernel drivers in Ghidra!

@d-millar
Collaborator

d-millar commented Feb 7, 2022

@PatchByte Agreed, that is an area where we have not focused much attention - our original goals were definitely user-mode functionality. That said, kernel-mode debugging is an area we're interested in.

Could you give us more specifics? Are you having trouble getting connected? Are you experiencing issues after the connection? Send details, and we're happy to try to come up with answers and/or improvements.

@PatchByte
Author

Hey, yeah, I love Ghidra, but I also love to reverse kernels. But some kernels are nasty and they are packed!
I have some problems with that.
Maybe it's possible to make a kernel emulator, like the emulator in the debugger but with more features for kernel debugging.
Of course I know that I am asking for a big thing, but I love Ghidra.

@d-millar
Collaborator

d-millar commented Feb 7, 2022

The big issue on kernel emulation is how to handle syscalls - we have thought about this some, but no easy answers on that front.

@PatchByte
Author

Oh yeah, I can relate to it. It's hard to "emulate them". That's a big question, but I think one of the many ways would be to "emulate ntoskrnl", or more specifically emulate the syscalls with its own kind of "emulated system" but just with the functions for the kernels.
Good question though.

@angleton

angleton commented Oct 6, 2022

I just caught this thread but completely agree with adding support for kernel mode if at all possible. There was a frankly amazing earlier utility called SoftICE and unfortunately nothing has been able to replace it. But just its installation process abstracted a lot of the complications I later learned were really needed just to set everything up. It ran all the time, giving you absolute real-time control directly from kernel mode. Only later did I learn just how complicated setting everything up like that really was.

@ryanmkurtz ryanmkurtz added the Type: Enhancement New feature or request label Oct 6, 2022
@d-millar
Collaborator

d-millar commented Oct 6, 2022

@angleton Wow, SOFTICE - that was the bomb, easily one of the coolest debuggers ever. The kernel work is in progress. You can do some Windows-specific tasks at the kernel-level with the current dbgeng/dbgmodel variants, but a lot of sharp edges there. Can't promise our kernel versions will be on-par with Softice (they won't), but let us know if you have specific need/requests!
