…using virtual machines and Windbg
Reverse engineering Windows using Windbg's kernel debugging mechanism is the easiest way to find out how Windows kernel components work and how they interact with malware and exploitation techniques. Despite that, many programmers, pen-testers and security researchers shy away from it because it is something only crazy hackers in dark basements do. Right?
I think not. Poking around inside the Windows kernel can get complicated (and those parts should be left to the crazy hackers in dark basements), but a lot of experience can be gained with relatively little effort. In this tutorial I will show how.
My focus will be general kernel research and kernel security. If you want to do things like malware analysis or driver development you can still use my tutorial for the basics, but you will have to find out elsewhere how to apply all that.
I would say anyone with basic programming knowledge who has some time to spare can try it out. It's not complicated; it just takes endurance to slog through all of it. If you have no experience in C or C++ and have never heard of assembly language it will be rough. I will try to explain the basics, but you will need to branch out to other articles until you have mastered all of the low-level programming concepts. On the upside, you will learn a lot about computers that isn't even specific to Windows.
Start Windbg, then combine the output of these two commands:

```
.formats 73746c1b`400eeab0 + 0x1234567890
.formats 4073745a`3fd7ebd5 + 0x1234567890
```
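If you have never used Windbg's expression evaluator, the following Python model (added here, not part of the tutorial) shows what `.formats` does with expressions like the ones above: bare numbers are hexadecimal, the backtick separates the high and low 32-bit halves of a 64-bit value, `0n` forces decimal, and the Chars line prints the bytes from most to least significant. The demo value in `main` is constructed, and only the Hex, Decimal, Binary and Chars lines are emulated.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

def parse_windbg_number(token: str) -> int:
    """Parse one WinDbg numeric literal. The default radix of the MASM
    evaluator is hexadecimal, a backtick separates the high and low 32-bit
    halves of a 64-bit value, 0x forces hex and 0n forces decimal."""
    token = token.strip().replace("`", "")
    low = token.lower()
    if low.startswith("0n"):
        return int(token[2:], 10)
    if low.startswith("0x"):
        token = token[2:]
    return int(token, 16)

def evaluate(expr: str) -> int:
    """Evaluate a flat sum or difference of literals such as
    "73746c1b`400eeab0 + 0x1234567890", wrapping at 64 bits like WinDbg."""
    total, sign = 0, 1
    for tok in expr.replace("+", " + ").replace("-", " - ").split():
        if tok == "+":
            sign = 1
        elif tok == "-":
            sign = -1
        else:
            total += sign * parse_windbg_number(tok)
    return total & MASK64

def formats(value: int) -> dict:
    """Approximate the Hex, Decimal, Binary and Chars lines of .formats.
    Chars lists the bytes from most to least significant (0x41424344 -> 'ABCD'),
    i.e. the reverse of their little-endian order in memory."""
    raw = struct.pack("<Q", value & MASK64)   # little-endian memory image
    high_to_low = bytes(reversed(raw))
    return {
        "Hex": f"{value >> 32:08x}`{value & 0xFFFFFFFF:08x}",
        "Decimal": value,
        "Binary": " ".join(f"{b:08b}" for b in high_to_low),
        "Chars": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in high_to_low),
    }

if __name__ == "__main__":
    # Constructed demo value, not the tutorial's expressions.
    result = formats(evaluate("41424344`45464748 + 0n1"))
    for name, field in result.items():
        print(f"  {name:<8} {field}")
```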
Write me an email if you have trouble with anything. At the very least I will point you at something to read. I would also appreciate an email if you found this tutorial useful, and feel free to write criticism. I am neither a professional Windows kernel researcher nor a native English speaker, so I expect a lot of things can be improved.
Everything I will do or explain will be based on the x64 architecture, so it is best to use that. The host operating system doesn't really matter as long as you can run virtual machines. Feel free to use a Mac, I won't judge. But if you don't have the computing power to work inside a virtual machine comfortably, I would recommend Windows as the host OS. I will go into host-to-virtual-machine and VM-to-VM debugging in Part 1.
I originally wrote this tutorial in DokuWiki and later translated it to Markdown while creating this stylish Middleman static site. Any formatting errors and dead links are remnants of that transformation I haven't found yet. I am also not a hundred percent happy about the general look