PMA 410c: Kernel Debugging with LiveKD (15 pts)

What You Need

Purpose

To debug the Windows kernel. To get full functionality, you need to use two machines and a network connection, but the Sysinternals LiveKD utility makes it possible to get a lot of kernel debugging functionality with a single PC, which is very convenient!

Installing Debugging Tools for Windows

Use Internet Explorer, and go to:

https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

In the "Getting started" section, click "DOWNLOAD THE INSTALLER", as shown below:

Run the installer.

At the "Specify Location" screen, accept the default options and click Next, as shown below:

At the "Windows Kits Privacy" screen, accept the default options and click Next.

At the "License Agreement" screen, click Accept.

At the "Select the features you want to install" screen, check the "Debugging Tools for Windows" box and clear all the other boxes, as shown below.

Click Install.

In the User Account Control box, click Yes.

When you see the "Welcome to the Windows Software Development Kit" message, click Close.

Setting Up Local Kernel-Mode Debugging

Right-click the Start button.

Click "Command Prompt (Admin)".

In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute these commands:

bcdedit /debug on
bcdedit /dbgsettings local

Adjusting the PATH

Open Control Panel.

Click "System and Security".

Click System.

On the left side, click "Advanced system settings".

In the System Properties box, on the Advanced tab, at the bottom, click the "Environment Variables..." button.

In the Environment Variables box, in the "System variables" section, scroll down and double-click Path.

In the "Edit environment variable" box, click the New button.

Add this item, as shown below:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64

Click OK.

Click OK.

Click OK.

Restart your Windows machine.
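The two steps above (enabling local kernel debugging with bcdedit, and putting the debugger directory on the system PATH) are the ones most often left half-done, so here is an added PowerShell check that is not part of the original lab. It assumes the default SDK install directory used above and must be run from an elevated PowerShell prompt; the function and variable names are my own.

```powershell
# Added example (not part of the lab): confirm local kernel debugging is
# configured and the debugger directory is on the machine PATH.
# $DebuggerDir assumes the default install location from this lab.
$DebuggerDir = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-KernelDebugState {
    # bcdedit prints 'key<spaces>value' per line. 'debug' comes from the
    # current boot entry; 'debugtype' from the global debugger settings.
    $enum = (bcdedit /enum '{current}') -join "`n"
    $dbg  = (bcdedit /dbgsettings) -join "`n"
    $debug = [regex]::Match($enum, '(?m)^debug\s+(\S+)').Groups[1].Value
    $type  = [regex]::Match($dbg,  '(?m)^debugtype\s+(\S+)').Groups[1].Value
    [pscustomobject]@{
        DebugEnabled = ($debug -eq 'Yes')   # absent or 'No' both count as off
        DebugType    = $type                # expect 'Local' after /dbgsettings local
    }
}

function Add-DebuggerToPath {
    param([Parameter(Mandatory)][string]$Dir)
    # Edit the machine-level Path, which is what the Control Panel dialog
    # above edits, and skip the change if the entry is already there.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = $machinePath -split ';' | Where-Object { $_ }
    if ($entries -contains $Dir) { return 'PATH: already present' }
    $newPath = $machinePath.TrimEnd(';') + ';' + $Dir
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
    'PATH: added (new processes see it; this lab reboots anyway)'
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

$state = Get-KernelDebugState
if (-not $state.DebugEnabled -or $state.DebugType -ne 'Local') {
    Write-Warning ("Local kernel debugging is not configured " +
        "(debug enabled: $($state.DebugEnabled), debugtype: '$($state.DebugType)').")
    Write-Host 'Run:  bcdedit /debug on   and   bcdedit /dbgsettings local   then reboot.'
} else {
    'bcdedit: debug on, debugtype Local'
}

Add-DebuggerToPath -Dir $DebuggerDir
if (Test-Path (Join-Path $DebuggerDir 'windbg.exe')) {
    'windbg.exe found in debugger directory'
} else {
    Write-Warning "windbg.exe not found in $DebuggerDir; check the SDK feature selection."
}
```

The bcdedit setting is persistent: it stays in effect across reboots until you run `bcdedit /debug off`, so keep it confined to the analysis VM and snapshot the VM after setup rather than enabling it on a host you care about.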

Getting LiveKD

If you are using a FLARE-VM, LiveKD is already installed.

Otherwise, follow these steps to get it:

In Internet Explorer, go to

https://technet.microsoft.com/en-us/sysinternals/bb897415.aspx

Click the "Download LiveKD" link. Click Save.

Click "Open Folder".

Right-click LiveKD.zip, click "Extract All...", then click Extract.

A LiveKD window opens, showing two files, as shown below.

In the top left of the window, click File, "Open command prompt", "Open command prompt as administrator", as shown below.

In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute this command:

copy LiveKD64.exe c:\Windows\System32

Close the Administrator Command Prompt window.
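Copying an executable into System32 is the kind of step worth verifying first. Sysinternals tools are Authenticode-signed by Microsoft, so the signature can be checked before the copy. This is an added PowerShell example, not part of the lab; `$Extracted` assumes the zip was extracted under your Downloads folder, and the function name is my own.

```powershell
# Added example (not part of the lab): verify LiveKD64.exe carries a valid
# Microsoft signature before placing it in System32, then record its hash.
# $Extracted is an assumption; point it at wherever LiveKD.zip was extracted.
$Extracted = Join-Path $env:USERPROFILE 'Downloads\LiveKD'
$Source    = Join-Path $Extracted 'LiveKD64.exe'
$Dest      = 'C:\Windows\System32\LiveKD64.exe'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status 'Valid' means the chain builds to a trusted root and the file
    # hash matches the signed hash; the subject check rejects a file that is
    # validly signed by someone other than Microsoft.
    (($sig.Status -eq 'Valid') -and
     ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'))
}

if (-not (Test-Path $Source)) { throw "Not found: $Source" }
if (-not (Test-MicrosoftSigned -Path $Source)) {
    throw "Refusing to install $Source : Authenticode check failed"
}

Copy-Item -Path $Source -Destination $Dest
# Keep the hash of what you installed with your lab notes.
Get-FileHash -Algorithm SHA256 -Path $Dest | Format-List Algorithm, Hash, Path
```

If the check fails, re-download from the Sysinternals page rather than overriding it; a bad signature on a tool you are about to run as administrator is exactly the case the check exists for.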

Using LiveKD

Right-click the Start button.

Click "Command Prompt (Admin)".

In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute this command:

LiveKD64.exe -w

A "SYSINTERNALS SOFTWARE LICENSE TERMS" box pops up. Click the Agree button.

When LiveKD starts, it asks you whether to set the _NT_SYMBOL_PATH automatically, as shown below.

Type y and press Enter.

If LiveKD asks "Enter the folder to which symbols download", press Enter to accept the default option, as shown below.

Windbg launches, as shown below. If it shows a lot of windows, move the Command window to the top left and close the other windows for now.

To adjust the font size, click View, Font....

Maximize the Command window.

This is a strange combination of a GUI and command-line, like the other debuggers we've used. Commands are typed into the box at the bottom and the results appear in the large top pane.

Listing Modules with lm

At the bottom of the Command window, in the command bar, execute this command:

lm

A long list of all loaded modules scrolls by.

Scroll back to find the module named ntdll, or nt for short, as shown below. It's easy to spot because it's one of the few modules that shows a Symbols path.

This is Ntoskrnl, the main kernel module.

Viewing Memory

Here are some commands that display memory. In WinDbg, execute this command:

db nt

This displays the bytes on the left, and the ASCII on the right. Now you can see the message "This program cannot be run in DOS mode", which appears at the start of many EXE files.

Examining Symbols

The x command examines symbols, which include function names.

Searching for Functions

In WinDbg, execute this command:

x nt!*

This finds all the functions in Ntoskrnl.

There are a lot of them. It may take a minute or so for them all to scroll by.

In WinDbg, execute this command:

x nt!*CreateFile*

This finds all the symbols in Ntoskrnl that contain the word "CreateFile".

There are only a few of those, including nt!NtCreateFile, as shown below:

Unassembling a Function

In WinDbg, execute this command:

u nt!NtCreateFile

This shows the first few bytes of the function, disassembled, as shown below:

To see more of this function, execute this command:

u nt!NtCreateFile L 20

This shows the entire function, as shown below:

Viewing Type Information for a Structure

In WinDbg, execute this command:

dt nt!_DRIVER_OBJECT

This shows the first few lines of a driver object structure, which stores information about a kernel driver, as shown below. Notice the DriverStart pointer: it contains the location of the driver in memory.

Online Help

At the bottom of the Command window, in the command bar, execute this command:

.hh

This help window is essential to learn how to use WinDbg commands, as shown below.
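The commands in the sections above (lm, db, x, u, dt) were typed one at a time. For repeatable work it helps to put them in a WinDbg script file, run it with the `$$><` command, and capture the output with `.logopen`, so the session is recorded and can be parsed afterwards. The PowerShell below is an added example, not part of the lab; the paths under C:\Temp and the function names are my own choices. It writes the script and parses the `dt nt!_DRIVER_OBJECT` lines out of the resulting log.

```powershell
# Added example (not part of the lab): generate a WinDbg script from this
# section's commands, then parse the structure layout out of the log it
# produces. $ScriptPath and $LogPath are assumptions; change them freely.
$ScriptPath = 'C:\Temp\livekd-lab.wds'
$LogPath    = 'C:\Temp\livekd-lab.log'

function New-LabDebugScript {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Log)
    # One WinDbg command per line. .logopen/.logclose bracket the run so
    # everything the commands print is captured. 'x nt!*' and a bare 'lm'
    # are left out on purpose because of their volume.
    $commands = @(
        ".logopen $Log",
        'lm m nt',                 # just the nt module line
        'db nt',                   # first bytes of the kernel image (DOS header)
        'x nt!*CreateFile*',       # symbols containing CreateFile
        'u nt!NtCreateFile L 20',  # longer disassembly of NtCreateFile
        'dt nt!_DRIVER_OBJECT',    # layout of the driver object structure
        '.logclose'
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value $commands -Encoding ASCII
    # Backticks keep PowerShell from expanding $$ (the PID variable).
    "In the WinDbg command bar, run:  `$`$><$Path"
}

function Get-StructOffsets {
    param([Parameter(Mandatory)][string]$Log)
    # dt prints lines such as '   +0x018 DriverStart      : Ptr64 Void'.
    # Pull out offset, field name and type for each field.
    Get-Content -Path $Log | ForEach-Object {
        if ($_ -match '^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Offset = [Convert]::ToInt32($Matches[1], 16)
                Field  = $Matches[2]
                Type   = $Matches[3]
            }
        }
    }
}

New-LabDebugScript -Path $ScriptPath -Log $LogPath

# Run this part after the script has executed inside WinDbg.
if (Test-Path $LogPath) {
    Get-StructOffsets -Log $LogPath |
        Where-Object { $_.Field -in @('DriverStart', 'DriverSize', 'DriverInit') } |
        Format-Table Offset, Field, Type -AutoSize
}
```

The log file is the artifact to keep with your lab notes: it records exactly which module base, symbol path and disassembly you looked at, which matters when you come back to a finding later. The parser is not specific to _DRIVER_OBJECT; it reads any `dt` output in the same format.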

Flag PMA 410c.1: Function Name (5 pts)

Find the Windows kernel function that has a name fitting this pattern: two characters, RegistryKey, then six more letters, like this:

--RegistryKey------

That's the flag.

Flag PMA 410c.2: nt!NtShutdownSystem (10 pts)

Disassemble the nt!NtShutdownSystem module.

Find the text covered by the green box in the image below. That's the flag.
References

Common WinDbg Commands (Thematically Grouped)
!process


Ported to Google Cloud 10-29-19 by Sam Bowne