Recently, I’ve been working on a task at work which required debugging a malicious Windows driver. To be able to do so, I had to set up a kernel-debugging environment — attach a debugger on my host to a target machine’s kernel. This took a lot of time, many Google searches and probably some headache for my team leader, but I finally made this beautiful screen appear:

kd.exe attached to the target machine’s kernel

I am not writing this blog post to provide readers with an answer to how to setup KDNET. This has already been (very well) done by Microsoft. I wish to clarify why every step is taken and what it means. These are things I learned along the way and wish to share in a “one stop shop”-kind-of post.

This is what I had when I started:

a Windows 10 host with Debugging Tools for Windows installed;

a virtual machine running Windows 10;

ping working from host to guest and vice versa (see some troubleshooting tips in the last section).

Now let’s attach to a kernel 🤘

On The Target (Debuggee)

What we’re about to do on the target machine is the following:

Create a new boot entry designated for kernel debugging; Edit this entry to have proper settings for our needs; Configure network settings to allow host-guest communication.

To do all these, we will use the bcdedit (Boot Configuration Data Edit) utility.

Note: Make sure you execute all of the following commands as Administrator.

To create a new boot entry, we will simply /copy the entry we’re currently running, which is referred to by the {current} identifier. To keep things neat, we add a description for this entry using the /d option.

> bcdedit /copy {current} /d "KDNet port 50035"

The entry was successfully copied to {dd896c2e-fccb-11e8-9cb7-d481d7c30c24}

Now let’s make this entry our /default using the GUID we just received:

> bcdedit /default {dd896c2e-fccb-11e8-9cb7-d481d7c30c24}

The operation completed successfully.

From now on, we can refer to our newly-created entry as {default} .

It’s time to make this operating system’s boot “debuggable”:

> bcdedit /set {default} debug yes

The operation completed successfully.

Important: Windows 10’s Secure Boot does not allow modifying this setting through bcdedit and must therefore be disabled. On a Hyper-V virtual machine, this is configured in the Security tab of the machine’s settings.

Finally, we need to configure the network /dbgsettings . We set the debug transport (the means via which we connect the host and the target) to net (for network); we decide upon a port number and tell the target what the host-IP address is. We ask for a newkey to be generated, which will be used later on the host.

Note: Choose a port number according to Microsoft’s recommendation.

> bcdedit /dbgsettings net hostip:192.168.1.120 port:50035 newkey

Key=g3mx1h96o5j9.tbdbyy05hfu7.10tkqaj5agj7e.xttvshlq4zsr

To verify these settings, we can type /dbgsettings with no arguments:

> bcdedit /dbgsettings

key g3mx1h96o5j9.tbdbyy05hfu7.10tkqaj5agj7e.xttvshlq4zsr

debugtype NET

hostip 192.168.1.120

port 50035

If you reboot your operating system at this point, you should see this screen:

Our new boot entry is highlighted.

Well, to be honest, you will see this screen only if you run:

> bcdedit /set {default} bootmenupolicy legacy

Otherwise, you will see a beautiful, Windows blueish screen with the same boot entries for options.

We’re done with the target — on to the host!

On the Host (Debugger)

Setting up the host is simpler; you just run the kernel debugging engine in one of its forms —kd for command-line based debugging, WinDbg for GUI, whatever you like.

> kd.exe -k net:port=50035,key=g3mx1h96o5j9.tbdbyy05hfu7.10tkqaj5agj7e.xttvshlq4zsr

Once you run this command or try to attach to a kernel from WinDbg (through File-Kernel Debug) restart the target machine and make sure the chosen boot entry is the one you created earlier.

It should take a couple of seconds until a connection to the debuggee is made. WinDbg will break automatically and will look something like this:

windbg.exe attached to the target machine’s kernel. Looks similar.

Hooray!

What, that didn’t work? Move on to the next section.

Tips and Tricks

IP addresses and Networking