Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Configuring Kernel Debugging Environment with kdnet and WinDBG Preview
Compiling a Simple Kernel Driver, DbgPrint, DbgView
Loading Windows Kernel Driver for Debugging
Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Windows Kernel Drivers 101
x64 Calling Convention: Stack Frame
System Service Descriptor Table - SSDT
Interrupt Descriptor Table - IDT
Token Abuse for Privilege Escalation in Kernel
Manipulating ActiveProcessLinks to Hide Processes in Userland
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Configuring Kernel Debugging Environment with kdnet and WinDBG Preview

This is a quick note showing how to start debugging Windows kernel using kdnet.exe and WinDBG Preview (the new WinDBG you can get from the Windows Store).

Terms

  • Debugger - local host on which WinDBG will run. In my case a host with IP 192.168.2.79

  • Debuggee - remote host which will be debugged by the host running the debugger. In my case - a host with IP 192.168.2.68

On the Debuggee

Copy over kdnet.exe and VerifiedNICList.xml to the debugee host. Get these files from a host that has Windows Development Kit installed, in C:\Program Files (x86)\Windows Kits\10\Debuggers\x64:

Then in an elevated prompt:

kdnet 192.168.2.79 50001

The bewlow shows how kdnet prints out the command that needs to be run on the debugger host:

windbg -k net:port=50001,key=1dk3k2bprui6m.26vzkoub4jmjl.3v6rvfqjys3ek.6kyxal1u1w6s

Copy and paste to a notepad and reboot the debugee.

On the Debugger

In WinDBG Preview, navigate to: start debugging > attach to kernel and enter the port and the key you got from running the kdnet on the debugge host:

Click OK and you should now be ready to start debugging the host 192.168.2.68:

References

reversing, forensics & misc - Previous
Windows Kernel / Internals
Next
Compiling a Simple Kernel Driver, DbgPrint, DbgView
Last updated 8 months ago
Contents
Terms
On the Debuggee
On the Debugger
References