Loading Windows Kernel Driver for Debugging

Loading a Driver with OSR Driver Loader
On the system where you want to load your driver (debugee), from an elevated command prompt, disable the driver integrity checks so that we can load our unsigned drivers onto Windows 10:
1
bcdedit /set nointegritychecks on; bcdedit /set testsigning on
Copied!
Once you have rebooted the system, open up the OSR Loader and load the driver as shown below:
Note that my driver name was kmdfHelloDriver. We can now confirm the driver loaded successfully by debugging the kernel:
1
0: kd> db kmdfHelloDriver
Copied!
Additionally, we can check it this way by showing some basic details about the loaded module:
1
0: kd> ln kmdfHelloDriver
Copied!
If we check it via the service configuration manager, we also see that our driver is now loaded and running:
1
sc.exe query kmdfHelloDriver
Copied!
Loading a Driver via Command Prompt + WinDBG
The benefit of loading a kernel driver this way is that it does not rely on OSR Driver Loader or any other 3rd party tools and also is much more efficient.
Important
In order for this technique to work, the WinDBG debugger needs to be attached to the debugee.
Preparing Powershell Profile
On the debuggee, launch an elevated powershell console and do the following:
1
notepad $PROFILE.AllUsersAllHosts
Copied!
in the powershell profile, add the following powershell function:
1
function Install-Driver($name)
2
{
3
	$cleanName = $name -replace ".sys|.\\", ""
4
​
5
	sc.exe stop $cleanName
6
	sc.exe delete $cleanName
7
​
8
	cp $name c:\windows\system32\drivers\ -verbose -force
9
	sc.exe create $cleanName type= kernel start= demand error= normal binPath= c:\windows\System32\Drivers\$cleanName.sys DisplayName= $cleanName
10
​
11
	sc.exe start $cleanName
12
}
Copied!
The above function Install-Driver takes one parameter $name, which signifies a driver name that we want to install. 
The function Install-Driver will:
Attempt to stop the service (unload the driver) if it's already running (no error checking)
Attempt to delete the service (no error checking)
Copy the driver from the current directory to c:\windows\system32\drivers
Create a service for the driver
Start the service (load the driver)
Below screenshot shows the two steps explained above:
Once the powershell profile is saved, close the powershell console and open it again for the function Install-Driver to become usable.
Loading the Driver
Navigate to the folder that contains the .sys file of the driver you want to install, which in my case is wdm-helloworld.sys in Z:\wdm-helloworld\x64\Debug:
Now, we can install the driver by simply invoking:
1
Install-Driver wdm-helloworld.sys
Copied!
Stepping through Source Code
If we have source code for the driver we want to debug, we can load its source code and step through it in WinDBG.  Load the source code via the Source > Open Source File and re-load the driver again using Install-Driver function:
Stepping through driver's C code

Compiling a Simple Kernel Driver, DbgPrint, DbgView

Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver

Last modified 1yr ago

Copy link

Contents

Loading a Driver with OSR Driver Loader

Loading a Driver via Command Prompt + WinDBG

Preparing Powershell Profile

Loading the Driver

Stepping through Source Code