Windbg (kernel debug mode) break when an application starts

Hi everyone! Sometimes we need to debug an application from kernel debug mode. Hardware breakpoints do not work well in certain cases, but software breakpoints are unreliable as well: a bp does not always fire even though the application executes past it, unless we first set the process context to that process.

This raises a question: how do we make the debugger break as soon as the application starts executing, so that we can set the process context to it?

There is a quick way: the sxeld command. However, we need to set a global flag (gflags) for it to work. Below is an example of how I did it.

Requirements:

  • Windbg in kernel debug mode
  • An application to be tested
    • throwexcept.exe, a dummy program I built. You can use any application you want to research.

Next, in the kernel debugger, run the following commands so that it breaks once we start throwexcept.exe, for example by double-clicking it. Note that it will often break first while the current process is vmtoolsd.exe; we can simply ignore that break and continue execution. Once we have confirmed that the throwexcept.exe process has been created, we set the process context to it so that software breakpoints, such as bp <address>, will break reliably.

0: kd> !gflag +ksl
New NtGlobalFlag contents: 0x00040000
    ksl - Enable loading of kernel debugger symbols
0: kd> sxeld throwexcept.exe
0: kd> g
nt!DebugService2+0x5:
fffff803`37405295 cc              int     3
1: kd> !process -1 0
PROCESS ffffaf8f52b18080
    SessionId: 1  Cid: 21d8    Peb: 1c79f19000  ParentCid: 12a8
    DirBase: 130a32000  ObjectTable: ffffd58cf03b9500  HandleCount: 1772.
    Image: vmtoolsd.exe

1: kd> g
nt!DebugService2+0x5:
fffff803`37405295 cc              int     3
1: kd> !process -1 0
PROCESS ffffaf8f514760c0
    SessionId: 1  Cid: 0000    Peb: 00000000  ParentCid: 12a8
    DirBase: 099bb000  ObjectTable: ffffd58cf1cb5dc0  HandleCount:   0.
    Image: throwexcept.exe

1: kd> .process ffffaf8f514760c0
Implicit process is now ffffaf8f`514760c0
WARNING: .cache forcedecodeuser is not enabled

1: kd> 
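
To cut out the manual check at each break, here is an added example (not code from the post): a WinDbg JavaScript script, run with .scriptrun after the sxeld break, that parses the output of !process -1 0, reports whether the break landed in the target image, and if so runs .process on that EPROCESS. TARGET_IMAGE, SAMPLE_OUTPUT and the function names are assumptions chosen for this example.

```javascript
"use strict";
// WinDbg JsProvider script (added example). Usage in kd after the sxeld break:
//   .scriptrun C:\path\ldcheck.js      (path is a placeholder)
// Pure parsing logic is kept separate from the host calls so it can be tested offline.

const TARGET_IMAGE = "throwexcept.exe"; // assumed target image; edit as needed

// Constructed sample: the "!process -1 0" output from the session above.
const SAMPLE_OUTPUT = [
    "PROCESS ffffaf8f514760c0",
    "    SessionId: 1  Cid: 0000    Peb: 00000000  ParentCid: 12a8",
    "    DirBase: 099bb000  ObjectTable: ffffd58cf1cb5dc0  HandleCount:   0.",
    "    Image: throwexcept.exe",
];

// Parse "!process -1 0" output into { address, image }.
// Accepts the backtick-split form (ffffaf8f`514760c0) as well as the plain one.
function parseProcessSummary(lines) {
    let address = null, image = null;
    for (const raw of lines) {
        const line = String(raw).trim();
        let m = /^PROCESS\s+([0-9a-fA-F`]+)/.exec(line);
        if (m) { address = m[1].replace(/`/g, ""); continue; }
        m = /^Image:\s+(\S+)/.exec(line);
        if (m) image = m[1];
    }
    return { address, image };
}

// True when the current process is the image we are waiting for (case-insensitive).
function isTargetProcess(summary, target) {
    return summary.image !== null && summary.image.toLowerCase() === target.toLowerCase();
}

// Entry point called by .scriptrun inside the debugger.
function invokeScript() {
    const ctl = host.namespace.Debugger.Utility.Control;
    const log = (s) => host.diagnostics.debugLog(s + "\n");
    const summary = parseProcessSummary(ctl.ExecuteCommand("!process -1 0"));
    if (!isTargetProcess(summary, TARGET_IMAGE)) {
        log(`Break is in ${summary.image}, not ${TARGET_IMAGE}; run g to continue.`);
        return;
    }
    // Same step as the session above: make this EPROCESS the implicit process
    // so that bp <address> is resolved against the target's address space.
    for (const line of ctl.ExecuteCommand(`.process ${summary.address}`)) log(line);
    log(`Implicit process set to ${summary.address} (${TARGET_IMAGE}); set your bp now.`);
}
```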

Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
