Proj 12: Kernel Debugging with Livekd and Windows Server 2008 (20 pts.)

What You Need

A Windows Server 2008 machine, real or virtual.

Purpose

To debug the Windows kernel. To get full functionality, you need to use two machines and a network connection, but the Sysinternals Livekd utility makes it possible to get a lot of kernel debugging functionality with a single PC, which is very convenient!

Installing Debugging Tools for Windows

Open a Web browser and go to :

https://www.microsoft.com/en-us/download/details.aspx?id=3138

Install the Software Development Kit, with the Installation Options shown below:

Editing the Path

Open a Command Prompt and execute this command:
windbg
If Windbg opens, everything is working and you can close it.

If it fails to open, which is very common, that means the SDK did not adjust the Path. To fix it, click Start. Right-click Computer and click Properties.

Click "Advanced System Settings".

In System Properties, on the Advanced tab, click the "Environment Variables" button.

In the Environment Variables box, in the "System variables" section, scroll down and click Path. Click the Edit... button.

At the end of the Path, append a semicolon followed by the path to Windbg, which will be similar to this:

C:\Program Files\Debugging Tools for Windows (x86)\
Your window should look like the image below.

Click OK three times.

Setting Up Local Kernel-Mode Debugging

Open an Administrator Command Prompt window.

In the Administrator Command Prompt window, execute this command:

bcdedit /debug on

Click Start, Power, Restart.

Getting LiveKD

In a Web browser, go to

https://technet.microsoft.com/en-us/sysinternals/bb897415.aspx

Click the "Download LiveKd" link.

Click "Open Folder".

Right-click LiveKD.zip and click "Extract All...", .

A LiveKd window opens, showing two files, as shown below.

Click Start. Click "File Explorer".

In the left pane, double-click "This PC".

In the left pane, expand "Local Disk (C:)".

In the left pane, expand Windows.

In the left pane, scroll down to find System32 and click it.

Resize both File Exporer windows so you can see them both at once, as shown below.

Drag livekd.exe onto the System32 folder in the left pane of the other File Explorer window and drop it there.

A "Destination Folder Access Denied" box should pop up, as shown below. Check to make sure the destination folder is Sytem32. Then click Continue.

Using LiveKd

Open an Administrator Command Prompt window.

In the Administrator Command Prompt window, execute this command:

livekd -w
A "SYSINTERNALS SOFTWARE LICENSE TERMS" box pops up. Click the Agree button.

If you see "Error finding windbg.exe", as shown below, fix that with the Troublehooting advice in the box below.

Using Livekd

When Livekd starts, it asks you whether to set the _NT_SYMBOL_PATH automatically, as shown below.

Type y and press Enter.

Livekd asks "Enter the folder to which symbols download". Press Enter to accept the default option.

Windbg launches, as shown below.

If you wish to change the font, click View, Font.

Make the "Command" window larger, as shown below.

This is a strange combination of a GUI and command-line, like the other debuggers we've used. Commands are typed into the box at the bottom and the results appear in the large top pane.

At the bottom of the Command window, in the command bar, execute this command:

!process
You should see the "kd> !process" command, and its output, showing a PROCESS number, as shown below.

Saving the Screen Image

Make sure you can see the "kd> !process" command and a PROCESS number.

On your keyboard, press the PrntScrn key.

Open Paint and paste in the image.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 12 from YOUR NAME".

Turning in Your Project

Email the images to: cnit.126sam@gmail.com with a subject line of Proj 12 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Sources

Setting Up Local Kernel Debugging of a Single Computer Manually

Getting Started with WinDbg (Kernel-Mode)

Windows 7 x64 Local and Live Kernel Debugging


Posted: 4-12-16 5:16 PM by Sam Bowne