Loading Windows Kernel Driver for Debugging
On the system where you want to load your driver (debugee), from an elevated command prompt, disable the driver integrity checks so that we can load our unsigned drivers onto Windows 10:
bcdedit /set nointegritychecks on; bcdedit /set testsigning on
Note that my driver name was
kmdfHelloDriver. We can now confirm the driver loaded successfully by debugging the kernel:0: kd> db kmdfHelloDriver
Additionally, we can check it this way by showing some basic details about the loaded module:
0: kd> ln kmdfHelloDriver
If we check it via the service configuration manager, we also see that our driver is now loaded and running:
sc.exe query kmdfHelloDriver
The benefit of loading a kernel driver this way is that it does not rely on OSR Driver Loader or any other 3rd party tools and also is much more efficient.
Important
In order for this technique to work, the WinDBG debugger needs to be attached to the debugee.
On the debuggee, launch an elevated powershell console and do the following:
notepad $PROFILE.AllUsersAllHosts
in the powershell profile, add the following powershell function:
function Install-Driver($name)
{
$cleanName = $name -replace ".sys|.\\", ""
sc.exe stop $cleanName
sc.exe delete $cleanName
cp $name c:\windows\system32\drivers\ -verbose -force
sc.exe create $cleanName type= kernel start= demand error= normal binPath= c:\windows\System32\Drivers\$cleanName.sys DisplayName= $cleanName
sc.exe start $cleanName
}
The above function
Install-Driver takes one parameter $name, which signifies a driver name that we want to install. The function
Install-Driver will:- Attempt to stop the service (unload the driver) if it's already running (no error checking)
- Attempt to delete the service (no error checking)
- Copy the driver from the current directory to c:\windows\system32\drivers
- Create a service for the driver
- Start the service (load the driver)
Below screenshot shows the two steps explained above:
Once the powershell profile is saved, close the powershell console and open it again for the function
Install-Driver to become usable.Navigate to the folder that contains the .sys file of the driver you want to install, which in my case is
wdm-helloworld.sys in Z:\wdm-helloworld\x64\Debug:
Now, we can install the driver by simply invoking:
Install-Driver wdm-helloworld.sys
If we have source code for the driver we want to debug, we can load its source code and step through it in WinDBG. Load the source code via the
Source > Open Source File and re-load the driver again using Install-Driver function:
Stepping through driver's C code