October 30, 2017 | | Kasif Dekel & Shaked Reiner
WinDbg is a multi-purpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode (Wikipedia).
WinDbg is typically used by Windows driver developers for debugging kernel-mode code. It is also capable of debugging the memory dumps created after a bug check is issued (blue screen of death). While WinDbg is not a popular debugger among security researchers or malware analysts as OllyDbg or IDA Pro are, it is still used since it has some significant advantages (e.g. kernel debugging). In CyberArk Labs, we use it to explore new attack vectors in kernel mode such as BoundHook.
Often during our work in the labs, we find ourselves debugging a virtual machine’s kernel using WinDbg, trying to get the debugee to a very specific edge case in order to reach our end goal, whether it is to test the behavior of some security mechanism or to develop a new hooking technique. We found the work of setting up the machine’s environment from scratch every time to be pretty cumbersome, so we decided to write a plugin for the debugger to do it for us.
KDSnap is a DLL extension for WinDbg that integrates your debugger with your virtualization platform of choice. We are currently supporting VMware Workstation and Oracle’s VirtualBox.
KDSnap allows you to connect to your debugged VM and save or restore its state, using a command from within the debugger itself. This is highly effective when trying to debug the cause of BSOD for example, when you need get to the point just before the crash multiple times. With this extension, you can get to that state with just a simple command in your debugger, without having to leave your WinDbg workspace and interact with the VM interface.
KDSnap is available on our GitHub. You are more than welcome to contribute and add support for your favorite virtualization platform.