How to create a setup for windows kernel debugging using WinDbg and VMware Workstation.
- Installed debugging tools for windows, you can found it here
- Clean Windows 10 machine (in VMware workstation)
Microsoft publishes symbols to every windows version, using symbols we can see functions names and global vars and more. The public symbols are extremely important to the debugging session.
Create local directory (c:\symbols) for symbols caching.
Add to your host machine system environment variables the symbol server path:
Open cmd as Administrator in your host machine and run: set _NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols
- Check that you have a ping between the host and the guest (if you don't have a ping try to configure the network adapter from the workstation to bridged)
- Open cmd as Administrator in your guest machine
- Run: bcdedit /debug on
- Run: bcdedit /dbgsettings net hostip:{hostIP} port:{port}
- Save the output key in your host machine
- Restart the computer
- Open windbg, File->Kernel Debug->NET, enter the port that you choose and the output key
- Break into the debugger using CTRL+Break
- Run in windbg: .reload /f (in order to load the kernel symbols)
- Ensure that all the symbols are loaded using: lm
Now you got a kernel debugging session, don't forget to take a snapshot.
DONE!!!