KiSystemStartup is the entry function of the kernel module nt. If you want to debug this function, simply using WinDbg and VMware won’t work (or I don’t know how to do it). Below, I will introduce how to use IDA’s GDB debugging feature in conjunction with WinDbg to debug KiSystemStartup. (Only for X64 environment)
Open the .vmx configuration file in the installation directory of the VMware virtual machine (on my computer it is Windows 10 x64.vmx) and add the following two lines of configuration:
debugStub.listen.guest64 = "TRUE"
debugStub.hideBreakpoints = "TRUE"
1. Configure the WinDbg debugging environment:
In the WinDbg shortcut, set the target to: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -b -k com:pipe,port=\\.\pipe\com_1,resets=0
2. Start the Windows operating system in VMware. After the system has started, open cmd with administrator privileges and run "bcdedit /bootdebug on" to enable debugging for winload.exe. Copy the ntoskrnl.exe file from the virtual machine to the physical host machine for later use.
3. Restart the Windows in the virtual machine, then start WinDbg and wait for it to be interrupted.
4. At this point, WinDbg has stopped inside the winload.exe process.
5. After loading the module symbols in WinDbg, look up the address of the function OslArchTransferToKernel (here addr=0x0000000000aa5ce0).
For example, run the command: u OslArchTransferToKernel
6. Start the GDB debugger in IDA: open IDA, click Go to enter the main interface, then select Debugger->Attach->Remote GDB debugger.
For a 64-bit guest, make sure to select port 8864.
7. Select Debug options->Set specific options and set Processor to Intel x64, as shown below:
8. After the configuration is complete, the following dialog appears:
Click OK, and IDA attaches to the Windows kernel.
9. Configure IDA’s memory mapping. In IDA’s main interface, Debugger->manual memory regions.
Enter the interface as shown below:
In the blank area, right-click, select Insert, and configure the memory mapping region 0-0xfffffffffffffffe.
10. At this point, the RIP shown by the GDB debugger is also inside the winload.exe address space.
11. In IDA, press G, enter the address of OslArchTransferToKernel obtained from WinDbg, and set a breakpoint at the end of this function.
12. Press F9 and the GDB debugger in IDA runs to the breakpoint. Stepping with F7 past the retfq instruction lands in the address space of the KiSystemStartup function.
Next, I will introduce how to let IDA load system symbols for easier debugging. The IDA debugger must know the base address of the module to load symbol information, so we need to find the base address of the kernel nt module currently being debugged. The method is as follows:
(1) Open a second IDA locally and load the kernel nt module copied from the virtual machine, then calculate the offset of nt!KiSystemStartup from the module base address, e.g., OFFSET = 0x98D010.
(2) The address of nt!KiSystemStartup in the IDA GDB debugger minus OFFSET is then the current base address of the kernel nt module in the debugger, e.g., FFFFF80768800000.
(3) Load symbols: In the IDA main interface, select File->Load file->PDB file and enter that base address.
At this point, we can see that the symbol information has been loaded correctly, and we can happily debug the core functions of the OS.
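Added example, not part of the original article: an IDAPython-style helper that performs the subtraction from step (2) and sanity-checks the result by confirming an MZ/PE header sits at the computed base, which catches a wrong OFFSET before a PDB is loaded at the wrong address. It also goes beyond the text by scanning backward page by page from the live KiSystemStartup address, so the base can be recovered without a local copy. The memory reader over a constructed header is an assumption for offline use; in a live IDA GDB session it would wrap idc.read_dbg_memory.

```python
import struct

PAGE = 0x1000


def base_from_offset(sym_addr, offset):
    """Step (2): live address of nt!KiSystemStartup minus its offset in the local copy."""
    return sym_addr - offset


def looks_like_pe(read, base):
    """True if memory at base starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    hdr = read(base, 0x40)
    if hdr is None or len(hdr) < 0x40 or hdr[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if e_lfanew >= PAGE:  # the NT header of a real image lives in the first page
        return False
    return read(base + e_lfanew, 4) == b"PE\0\0"


def find_base_by_scan(read, addr, max_pages=0x4000):
    """Walk back from addr on page boundaries until a PE header is found (or give up)."""
    page = addr & ~(PAGE - 1)
    for _ in range(max_pages):
        if looks_like_pe(read, page):
            return page
        page -= PAGE
    return None


def make_reader(image, image_base):
    """Reader over a constructed in-memory image (assumed stand-in for offline use).
    In a live IDA GDB session, replace with: lambda ea, n: idc.read_dbg_memory(ea, n)."""
    def read(addr, n):
        off = addr - image_base
        if off < 0 or off + n > len(image):
            return None  # unmapped, as the debugger would report
        return image[off:off + n]
    return read


def constructed_image():
    """Constructed minimal image: 'MZ' at 0, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    img = bytearray(3 * PAGE)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)
```

If looks_like_pe returns False for the base you computed, the OFFSET from the local copy does not match the running kernel build; compare the two ntoskrnl.exe files before loading the PDB.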
Kanxue ID: Big Flying Pig
https://bbs.kanxue.com/user-home-773270.htm
*This article is an excellent article from the Kanxue Forum, authored by Big Flying Pig. Please indicate that it is from the Kanxue community when reprinting.

