PMA 434: Debugging a Driver (30 pts extra)

What you need

Purpose

To use WinDbg Preview for full live kernel debugging, with the ability to use breakpoints.

Prepare Two Windows 10 Machines

You need two Windows 10 machines, on the same network, which you prepared in the previous project.

Pick one machine to be the host. The other one is the target.

I used an Azure FLARE-VM as the host and an Azure Windows 10 VM as the target.

Installing Software on the Host

You need Visual Studio 2019 and WinDbg Preview on the host (both are used below), plus the Windows Driver Kit (WDK), which is a multi-step install.

Installing Windows 10 SDK (10.0.19041.0)

The WDK needs a matching Windows 10 SDK. Click Start and type VISUAL. Launch "Visual Studio Installer".

Click Modify.

In Visual Studio Installer, on the Individual components tab, search for Windows 10. Check the box for "Windows 10 SDK (10.0.19041.0)", as shown below.

At the lower right, click the Modify button.

Finding the MSVC Version

In the "Visual Studio Installer" window, click Modify.

On the Workloads tab, in the right pane, under "Installation details", expand "Desktop development with C++".

Hover the mouse over MSVC, as shown below. Find the version number at the end of the first line.

On my system it was v14.27.

Installing Spectre-Mitigated Libs

Click the "Individual components" tab. Search for the version number you found in the previous step.

Check both the "x64/x86 build tools" and the corresponding "Spectre-mitigated libs", as shown below.

At the lower right, click the Modify button.

Installing Windows Driver Kit

In Edge, go to

https://go.microsoft.com/fwlink/?linkid=2128854

Click Run.

Install the WDK with the default options.

Turning Off the Firewall on the Target

On the target machine, click Start and type FIREWALL.

Click "Windows Defender Firewall".

In the left pane, click "Turn Windows Defender Firewall on or off".

Select both "Turn off Windows Defender Firewall" options (private and public networks), as shown below.

Then click OK.

This exposes every listening service on the target to the network, so do it only on an isolated lab network, and turn the firewall back on when you finish the project.

Testing Networking Between the Machines

On the host computer, click the Start button and type CMD. Click "Command Prompt".

In the Command Prompt, execute this command:

ipconfig
Make a note of the host computer's IP address.

On my system, it was 10.0.0.4, as shown below.

On the target computer, click the Start button and type CMD. Right-click "Command Prompt" and click "Run as Administrator".

If a User Account Control box pops up, click Yes.

In the Administrator Command Prompt, execute this command:

ipconfig
Make a note of the target computer's IP address.

On my system, it was 10.0.0.5.

On the host computer, in the Command Prompt, execute this command, replacing the IP address with the IP address of your target computer.

ping 10.0.0.5
You should see replies, as shown below.

Downloading Driver Samples

Right-click the link below and save the Windows-driver-samples-master.zip file in your Downloads folder.

https://github.com/Microsoft/Windows-driver-samples/archive/master.zip

These samples are from Microsoft. You can read about the echo sample here:

https://github.com/Microsoft/Windows-driver-samples/blob/97cf5197cf5b882b2c689d8dc2b555f2edf8f418/general/echo/kmdf/ReadMe.md

Extracting the Samples

In Windows Explorer, open your Downloads folder.

If you are using the FLARE-VM, right-click Windows-driver-samples-master.zip, point to 7-Zip, and click 'Extract to "Windows-driver-samples-master\"'.

If you are using a default Windows 10 machine, right-click Windows-driver-samples-master.zip and click "Extract All", Extract.

Open the Driver Project in Visual Studio 2019

Launch Visual Studio 2019.

In the first page, at the lower right, click "Open a project or solution", as shown below.

In the "Open Project/Solution" box, navigate to your Downloads folder.

Double-click the "Windows-driver-samples-master" folder.

Double-click general, echo, and kmdf.

Double-click the kmdfecho.sln file.

The project opens, as shown below.

Setting the Configuration and Platform

At the top right, in the Solution Explorer, right-click "Solution 'kmdfecho' (3 of 3 projects)" and click "Configuration Manager...". Make sure the configuration and platform are set to Debug and x64 in all four places, as shown below.

Then click Close.

Setting the Runtime Library

In Solution Explorer, expand Driver and Autosync, as shown below.

In Solution Explorer, right-click echo and click Properties.

In the "echo Property Pages" box, on the left, expand C/C++ and click "Code Generation".

On the right side, set the "Runtime Library" to "Multi-threaded Debug (/MTd)", as shown below.

Configuring Code Signing

In the "echo Property Pages" box, on the left, click "Driver Signing".

On the right side, set the "Sign Mode" to "Test Sign", as shown below.

Then click OK.

Building the Solution

From the menu bar, click Build, "Build Solution".

At the bottom, messages scroll by, ending with "3 succeeded", as shown below.

Locate the Built Driver Files

In Windows Explorer, open your Downloads folder.

Open these subfolders:

Windows-driver-samples-master\general\echo\kmdf\driver\AutoSync\x64\Debug
That folder should contain several files, including echo.cer, echo.sys and echo.inf, as shown below.

Locate the Test App

Open another Windows Explorer window.

Open your Downloads folder.

Open these subfolders:

Windows-driver-samples-master\general\echo\kmdf\exe\x64\Debug
That folder should contain several files, including echoapp.exe, as shown below.

Copying Six Files to the Target Computer

Connect to your target Windows computer via RDP.

On your host computer, right-click the echo.sys file and click Copy.

On your target computer's desktop, right-click and click Paste.

Repeat the process for the other five files listed below, two of which (kmdfsamples.cat and devcon.exe) are in different folders than the ones you opened above. Note that your username may be different from the "SuperAdmin" name I used.

C:\Users\SuperAdmin\Downloads\Windows-driver-samples-master\general\echo\kmdf\driver\AutoSync\x64\Debug\echo.cer
C:\Users\SuperAdmin\Downloads\Windows-driver-samples-master\general\echo\kmdf\driver\AutoSync\x64\Debug\echo.sys
C:\Users\SuperAdmin\Downloads\Windows-driver-samples-master\general\echo\kmdf\driver\AutoSync\x64\Debug\echo.inf

C:\Users\SuperAdmin\Downloads\Windows-driver-samples-master\general\echo\kmdf\driver\AutoSync\x64\Debug\echo\kmdfsamples.cat

C:\Program Files (x86)\Windows Kits\10\Tools\x64\devcon.exe

C:\Users\SuperAdmin\Downloads\Windows-driver-samples-master\general\echo\kmdf\exe\x64\Debug\echoapp.exe

When you are done, all six files are on the desktop of your target computer, as shown below.

Installing the Certificate

On your target computer's desktop, right-click the echo.cer file and click "Install Certificate", as shown below.

Note that a default Windows 10 machine will not show the file extension, but you can identify the file from its icon.

In the Certificate Import Wizard, click Next, Next, Finish.

Configuring BCDEdit for Network Debugging on the Target

This process enables "network" kernel-mode debugging, for full debugging functionality including breakpoints.

On the target computer, in the Administrator Command Prompt, press Ctrl+C to stop ncat if it is still running from the previous project.

Then execute these commands, replacing 10.0.0.4 with the IP address of your host computer. The key authenticates and encrypts the debugger connection: anyone on the network who knows it can attach to the target's kernel, so use a stronger key than this one outside an isolated lab.

bcdedit /debug on
bcdedit /set TESTSIGNING ON
bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit /dbgsettings net hostip:10.0.0.4 port:50000 key:flap.jack.dog.frog
bcdedit /dbgsettings
Verify that all the settings are correct, as shown below.
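The checks a practitioner would run on the settings above, as an added example in Python (not part of the original page or of Microsoft's tooling). It assumes a KDNET key is four dot-separated segments using only 0-9 and a-z, and that kdnet.exe emits segments that are base-36 encodings of 64-bit values (so at most 13 characters each); SAMPLE_DBGSETTINGS is constructed to mirror what bcdedit /dbgsettings prints for this project's values.

```python
"""KDNET key strength and bcdedit /dbgsettings checks.

Added example; not from the original page or from Microsoft's tooling.
Assumptions: key = four dot-separated segments of 0-9a-z; kdnet.exe-style
segments are base-36 encodings of 64-bit values; SAMPLE_DBGSETTINGS is a
constructed copy of the bcdedit output for the settings used in this project.
"""
import ipaddress
import math
import re
import secrets

KEY_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
# Short English words are the first thing a guesser tries; list is illustrative.
WEAK_WORDS = {"flap", "jack", "dog", "frog", "test", "debug", "windows", "key"}

SAMPLE_DBGSETTINGS = """\
key                     flap.jack.dog.frog
debugtype               NET
hostip                  10.0.0.4
port                    50000
dhcp                    Yes
The operation completed successfully.
"""


def parse_key(key):
    """Return the four key segments, or raise ValueError if the format is off."""
    segments = key.split(".")
    if len(segments) != 4:
        raise ValueError("KDNET key needs exactly four dot-separated segments")
    for seg in segments:
        if not seg or any(c not in KEY_ALPHABET for c in seg):
            raise ValueError("segment %r must be non-empty and use only 0-9a-z" % seg)
    return segments


def max_entropy_bits(key):
    """Upper bound on key entropy: every character uniformly random base-36."""
    return sum(len(s) for s in parse_key(key)) * math.log2(len(KEY_ALPHABET))


def is_weak_key(key):
    """Weak if short enough to brute-force or built from dictionary words."""
    segments = parse_key(key)
    if max_entropy_bits(key) < 128:  # 128-bit floor is this example's choice
        return True
    return any(s in WEAK_WORDS for s in segments)


def to_base36(n):
    digits = []
    while True:
        n, rem = divmod(n, 36)
        digits.append(KEY_ALPHABET[rem])
        if n == 0:
            return "".join(reversed(digits))


def generate_key():
    """Four random 64-bit values in base-36, the shape kdnet.exe produces (assumed)."""
    return ".".join(to_base36(secrets.randbits(64)) for _ in range(4))


def parse_dbgsettings(text):
    """Turn 'name   value' lines from bcdedit /dbgsettings into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+(\S+)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_settings(settings, expected_hostip, expected_port):
    """Return a list of problems; empty means the target is set up as intended."""
    problems = []
    if settings.get("debugtype", "").upper() != "NET":
        problems.append("debugtype is not NET")
    hostip = settings.get("hostip", "")
    try:
        if ipaddress.ip_address(hostip) != ipaddress.ip_address(expected_hostip):
            problems.append("hostip %s does not match host %s" % (hostip, expected_hostip))
    except ValueError:
        problems.append("hostip %r is not a valid IP address" % hostip)
    if settings.get("port") != str(expected_port):
        problems.append("port %s differs from expected %s" % (settings.get("port"), expected_port))
    try:
        if is_weak_key(settings.get("key", "")):
            problems.append("key is weak: regenerate it with generate_key()")
    except ValueError as exc:
        problems.append("key is malformed: %s" % exc)
    return problems


if __name__ == "__main__":
    current = parse_dbgsettings(SAMPLE_DBGSETTINGS)
    for p in check_settings(current, "10.0.0.4", 50000):
        print("PROBLEM:", p)
    print("suggested replacement key:", generate_key())
```

Run it on the real output by piping `bcdedit /dbgsettings` into a file on the target and passing that text to parse_dbgsettings; the page's key is flagged as weak, and the key generate_key() prints can be dropped straight into the bcdedit /dbgsettings net command and into WinDbg's Net tab.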

Restarting the Target Computer

Restart the target computer. Reconnect to it via RDP.

Installing the Driver on the Target Computer

On the target computer, in the Administrator Command Prompt, press Ctrl+C to stop ncat if it is still running from the previous project.

Then execute these commands, replacing "SuperAdmin" with your username.

cd \Users\SuperAdmin\Desktop
devcon install echo.inf root\ECHO
A Windows Security box pops up, as shown below.

Click "Install this driver software anyway".

Troubleshooting

If devcon fails, the driver-install log records each attempt, including the signature and catalog checks, in this file:
C:\Windows\inf\setupapi.dev.log
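To pull the failing install out of that log without scrolling, here is an added Python example (not part of the original page or of the Windows SDK). It assumes the log's section markers: each install starts with a '>>>  [Title]' line and ends with '<<<  [Exit status: ...]', and error lines are prefixed '!!!'. SAMPLE_LOG is constructed; the timestamps and the CERT_E_UNTRUSTEDROOT failure in it are made up to illustrate what you see when echo.cer was not installed on the target.

```python
"""Report failed sections and their '!!!' lines from setupapi.dev.log.

Added example; not from the original page or the Windows SDK. Assumed format:
'>>>  [Title]' opens a section, '<<<  [Exit status: X(0xCODE)]' closes it,
'!!!' prefixes error lines. SAMPLE_LOG is constructed for illustration.
"""
import re

# A few HRESULTs a driver install commonly fails with; deliberately partial.
KNOWN_CODES = {
    0x800B0109: "CERT_E_UNTRUSTEDROOT: signing cert not trusted (install echo.cer on the target)",
    0x800B0100: "TRUST_E_NOSIGNATURE: file or catalog is unsigned",
    0x80070005: "E_ACCESSDENIED: run the command prompt as Administrator",
}

SAMPLE_LOG = """\
>>>  [Device Install (DiInstallDriver) - C:\\Users\\SuperAdmin\\Desktop\\echo.inf]
>>>  Section start 2020/10/22 10:15:03.123
      cmd: devcon install echo.inf root\\ECHO
     inf: Opened INF: 'C:\\Users\\SuperAdmin\\Desktop\\echo.inf' ([strings])
!!!  sto: Failed to verify file 'echo.sys' against catalog. Catalog = kmdfsamples.cat, Error = 0x800B0109
!!!  inf: Failed to import driver package into Driver Store. Error = 0x800B0109
<<<  Section end 2020/10/22 10:15:03.987
<<<  [Exit status: FAILURE(0x800b0109)]
>>>  [Device Install (DiInstallDriver) - C:\\Users\\SuperAdmin\\Desktop\\echo.inf]
>>>  Section start 2020/10/22 10:21:40.001
      cmd: devcon install echo.inf root\\ECHO
     sto: Driver package imported to Driver Store.
<<<  Section end 2020/10/22 10:21:41.500
<<<  [Exit status: SUCCESS]
"""

TITLE_RE = re.compile(r"^>>>\s+\[(.+)\]\s*$")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status:\s*(\w+)(?:\((0x[0-9A-Fa-f]+)\))?\]")
ERROR_RE = re.compile(r"^!!!\s+(.*)$")
CODE_RE = re.compile(r"0x([0-9A-Fa-f]{8})")


def parse_sections(text):
    """Return one dict per section: title, status, code (int or None), errors."""
    sections = []
    current = None
    for line in text.splitlines():
        m = TITLE_RE.match(line)
        if m:
            current = {"title": m.group(1), "status": None, "code": None, "errors": []}
            sections.append(current)
            continue
        if current is None:
            continue  # text before the first section header
        m = ERROR_RE.match(line)
        if m:
            current["errors"].append(m.group(1).strip())
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group(1)
            if m.group(2):
                current["code"] = int(m.group(2), 16)
    return sections


def failed_sections(text):
    """Sections whose exit status is anything other than SUCCESS (or is missing)."""
    return [s for s in parse_sections(text) if s["status"] != "SUCCESS"]


def explain(section):
    """Human-readable diagnosis for one failed section."""
    lines = ["%s -> %s" % (section["title"], section["status"])]
    for err in section["errors"]:
        lines.append("  " + err)
    codes = {section["code"]} if section["code"] is not None else set()
    for err in section["errors"]:
        codes.update(int(c, 16) for c in CODE_RE.findall(err))
    for code in sorted(c for c in codes if c in KNOWN_CODES):
        lines.append("  0x%08X = %s" % (code, KNOWN_CODES[code]))
    return "\n".join(lines)


if __name__ == "__main__":
    for section in failed_sections(SAMPLE_LOG):
        print(explain(section))
```

On the target, read the real file with `open(r"C:\Windows\inf\setupapi.dev.log", encoding="utf-8", errors="replace").read()` and pass it to failed_sections; the last failed section is usually the devcon run you just did.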

Examine the Driver in Device Manager

On the target computer, click Start. Type DEVICE. Open "Device Manager".

Expand "Sample Device" to see the "Sample WDF ECHO Driver", as shown below.

Test the Driver

On the target computer, in the Administrator Command Prompt window, execute these commands, replacing "SuperAdmin" with your username.
cd \Users\SuperAdmin\Desktop
echoapp
The output should end with "verified successfully", as shown below.

Launching WinDbg Preview as Administrator on the Host Computer

On your host computer, click the Start button and type WINDBG. Right-click "WinDbg Preview" and click "Run as administrator". Click Yes.

Starting Kernel Debugging

In WinDbg, click File, "Attach to kernel".

In the right pane, on the Net tab, enter the port number (50000) and key (flap.jack.dog.frog) you set with bcdedit on the target, and the target computer's IP address.

Your screen should look like the image below.

At the lower right, click the OK button.

Controlling from the Host

On the host computer, WinDbg now shows information about the target machine, and the message "*BUSY* Debuggee is running...", as shown below.

At the top left of WinDbg, click Break.

Loading All Symbols

In the lower center of WinDbg, execute these commands:
!sym noisy
.reload /f
lm
Loading takes a few minutes, but you end up with symbols for most or all of the loaded modules, as shown below.

Examining the Echo Driver

In the lower center of WinDbg, execute this command:
lm m echo* v
You see information about ECHO.sys, including its symbol file, as shown below.

To see symbols in the echo driver that begin with Echo, execute this command:

x ECHO!Echo*
You see symbols, as shown below.

Displaying Plug and Play device tree information

To see all the device nodes in the Plug and Play device tree, execute this command:
!devnode 0 1
When I did it, the ECHO.sys driver was at the end of the list, as shown below. If you don't see it, press Ctrl+F and search for ECHO.

Click the blue address after PDO (Physical Device Object), as shown in the image below.

The result shows information about the device object, as shown below.
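The same search over saved !devnode output, as an added Python example (not part of the original page or of WinDbg). It assumes the layout WinDbg prints: a 'DevNode <addr> for PDO <addr>' header, indented by depth in the tree, followed by 'InstancePath is', 'ServiceName is' and 'State =' lines. SAMPLE_DEVNODE is constructed; only the ECHO PDO address is taken from this page.

```python
"""Locate a driver's device node in '!devnode 0 1' output and build the
matching !devstack command.

Added example; not from the original page or WinDbg. Assumed layout: a
'DevNode <addr> for PDO <addr>' header per node, indented two spaces per
level, then InstancePath/ServiceName/State lines. SAMPLE_DEVNODE is
constructed (the ECHO PDO address is the one shown on this page).
"""
import re

SAMPLE_DEVNODE = """\
Dumping IopRootDeviceNode (= 0xffffc40f26590ac0)
DevNode 0xffffc40f26590ac0 for PDO 0xffffc40f26592de0
  InstancePath is "HTREE\\ROOT\\0"
  State = DeviceNodeStarted (0x308)
  Previous State = DeviceNodeEnumerateCompletion (0x30d)
  DevNode 0xffffc40f26594a30 for PDO 0xffffc40f26595060
    InstancePath is "ROOT\\volmgr\\0000"
    ServiceName is "volmgr"
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeEnumerateCompletion (0x30d)
  DevNode 0xffffc40f266c7b30 for PDO 0xffffc40f266c7a10
    InstancePath is "ROOT\\SAMPLE\\0000"
    ServiceName is "ECHO"
    State = DeviceNodeStarted (0x308)
    Previous State = DeviceNodeEnumerateCompletion (0x30d)
"""

HEADER_RE = re.compile(r"^(\s*)DevNode (0x[0-9a-fA-F]+) for PDO (0x[0-9a-fA-F]+)")
FIELD_RE = re.compile(r'^\s*(InstancePath|ServiceName) is "([^"]*)"')
# 'Previous State = ...' does not match because the line must start with 'State'.
STATE_RE = re.compile(r"^\s*State = (\w+)")


def parse_devnodes(text):
    """One dict per DevNode header, with the fields that follow it."""
    nodes = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "depth": len(m.group(1)) // 2,
                "devnode": m.group(2),
                "pdo": m.group(3),
                "instance_path": None,
                "service": None,
                "state": None,
            }
            nodes.append(current)
            continue
        if current is None:
            continue  # e.g. the 'Dumping IopRootDeviceNode' banner
        m = FIELD_RE.match(line)
        if m:
            key = "instance_path" if m.group(1) == "InstancePath" else "service"
            current[key] = m.group(2)
            continue
        m = STATE_RE.match(line)
        if m:
            current["state"] = m.group(1)
    return nodes


def find_node(nodes, service):
    """Case-insensitive match on ServiceName, which is the driver's service name."""
    for node in nodes:
        if node["service"] and node["service"].lower() == service.lower():
            return node
    return None


def devstack_command(node):
    """The PDO sits at the bottom of the device stack, which is what !devstack walks."""
    return "!devstack %s" % node["pdo"]


if __name__ == "__main__":
    echo = find_node(parse_devnodes(SAMPLE_DEVNODE), "ECHO")
    print(echo["instance_path"], echo["state"])
    print(devstack_command(echo))
```

To use it on real output, run `.logopen C:\devnode.txt`, then `!devnode 0 1`, then `.logclose` in WinDbg and feed the file's contents to parse_devnodes; the printed command is the one used in the next step.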

PMA 434.1 DeviceInst (20 pts)

Execute this command to see the device stack (the driver objects layered on the PDO) for the ECHO device.

Replace the address below with the PDO address you clicked in the previous step.

!devstack ffffc40f266c7a10

The flag is covered by a green box in the image below.

Breakpoints and Source Code

On the host computer, in WinDbg, execute this command to see the Event symbols in the ECHO driver:
x ECHO!EchoEvt*
You see several labels, including ECHO!EchoEvtDeviceAdd, as shown below.

To put a breakpoint on that function, execute this command:

bm ECHO!EchoEvtDeviceAdd
In WinDbg Preview, in the Ribbon, on the Home tab, click the Go button.

Disabling and Enabling the ECHO Device

On the target computer, in Device Manager, right-click "Sample WDF ECHO driver" and click Disable, as shown below.

Click Yes.

Right-click "Sample WDF ECHO driver" and click "Enable device".

Source Code Debugging

On the host computer, the breakpoint hits, showing the driver source code and where it stopped, as shown below.

PMA 434.2 Status (10 pts)

In the Ribbon, click the "Step Over" button until you reach the "return status" statement, as shown below.

The flag is the value of the status local variable, covered by a green rectangle in the image below.

Disabling Debugging

On the target computer, click the Start button and type CMD. Right-click "Command Prompt" and click "Run as administrator". Click Yes.

Execute this command:

bcdedit /debug off
Restart the target computer.

This only disables the debugger connection. The target is still in test-signing mode with integrity checks relaxed, which lets any test-signed driver load, so when you no longer need the ECHO driver reverse those settings too (bcdedit /set TESTSIGNING OFF and bcdedit /deletevalue loadoptions) and turn the firewall back on.


Posted 10-22-20