Reliable Windows Kernel Debugging on a Mac

Read Time: 5 Minutes

 During the process of conducting malware analysis, or software vulnerability analysis, it is sometimes a necessity to perform windows kernel debugging. What has not been working reliably on Mac Os X was Vmware Fusion with a Windows guest setup with debugging enabled over serial. What did work reliably is enabling a windows guest with VT-x and then within that guest hosting a secondary windows guest configured for kernel debugging. 

 An example of this includes configuring the processor correctly on the Fusion guest to enable support of virtualization started by opening hardware settings for debugging client with ⌘E bring you to the screen in Figure 1:
Figure 1: Select Processors and Memory

Within your Processor and Memory settings you want to do the following:

1.  Provision enough resources for the host to function and to be able to allocate a secondary windows guest with appropriate amount of resources for the task.

2.  Enable the ability to run a hypervisor by clicking the checkbox "Enable hypervisor applications in this virtual machine" as seen in Figure 2.

Figure 2: Enabling Hypervisor Support for the Guest

Finally all other steps are applicable on the host and guest as captured here for a windows debugging setup.  Please leave comments if you have questions or an unexpected experience.

References
  1. Endgame. "An Introduction to Windows Kernel Debugging".  https://www.endgame.com/blog/technical-blog/introduction-windows-kernel-debugging
  2. Benoit Sevens. "Windows kernel debugging under Vmware Fusion". https://b3n7s.github.io/2017/11/01/windows-kernel-debugging-under-vmware-fusion.html
  3. Michael Vankuipers, Nemanja Mulasmajic, and Everdox. "Setting up kernel debugging using Windows Windbg and Vmware".  https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html 

Comments

Post a Comment

Popular posts from this blog

Digital Forensics Applied to Kubernetes - Enhancing Intruder Dilemma Part III

Image
   Read Time: 5 Minutes Continuing sharing my research that started last year I am releasing my slide deck for " Digital Forensics Applied to K8S " and the presentations of this can be found here . I plan to continue to release content that addresses forensic analysis of containerization related technology and eventually relating that back to full CI/CD forensic analysis.  The release list as of now looks like this: Docker Forensics* Malicious Container Analysis* K8S Forensics* SAAS Containerization Forensics CI/CD Forensics Stay tuned for more content and leave your suggestions below!
Read more

Digital Forensics Applied to Containers - Enhancing Intruder Dilemma Part 1

Image
  Read Time: 5 Minutes In 2020, I worked on several efforts that ranged from Malware targeting Mac OS X to Cloud Forensics.  For the remainder of 2021 I will be releasing the results of my research and I am leading with the release of my efforts on containerization forensics which is imbodied in my talk "Digital Forensics Applied to Containers: Enhancing Intruder Dilemma".  See a video of the original presentation at dc706 , most recent presentation at issacolga , the latest presentation slides , and a docker forensic cheatsheet .   Stay tuned for more content and leave your suggestions below!
Read more

Reverse Engineering Methodology Applied to Containers - Enhancing Intruder Dilemma Part II

Image
  Read Time: 5 Minutes Continuing sharing my research that started last year I am releasing my slide deck for " REM(Containers) - The real Xanthe ".  I just presented on this and plan to continue to release content that addresses forensic analysis of containerization related technology and eventually relating that back to full CI/CD analysis.  The release list as of now looks like this: Docker Forensics* Malicious Container Analysis* K8S Forensics SAAS Containerization Forensics CI/CD Forensics Stay tuned for more content and leave your suggestions below!
Read more