Windows 7 and Debugging!

 

  1. Windows 7
  2. Virtualization support – XP Mode
  3. Installing and configuring XP Mode
  4. Installing a virtual machine
  5. Setting up debug environment

 

Windows 7

Windows 7 is one of the most amazing products I have ever used. As a debugger and reverse engineer in this new phase of my career, I tried to understand this OS from its very core. The core is mostly the same as that of Windows Vista, but it has been heavily optimised for performance, with many powerful additions that will surely bring smiles and satisfaction to end users.

Vista was an interim release of this new operating system code base, but it was severely cut down in features because attention was diverted to Windows XP and Server 2003, as the time demanded. However, Windows 7 is far ahead of what we imagined when looking at Vista!

Windows 7 Features and Releases

 

Virtualization Support – XP Mode

One of the greatest issues that held Microsoft back from moving their customers from XP to Vista was application compatibility. Application migration from XP to Vista has been slow, and hence there was resistance to upgrading the OS. However, Win7 addresses this very well, and I am sure consumers will accept this new OS pretty easily. Virtual PC beta is available as a free download for Win7. With Virtual PC beta and XP Mode beta you can run XP-compatible applications on Windows 7 that would otherwise fail.

Shims were a well-known approach to application compatibility, but this approach of virtualizing is amazing. A Windows XP SP3 virtual machine runs in Virtual PC beta, and any application installed in it is then accessible from the host, Windows 7.

We need AMD-V or Intel VT hardware virtualization support to run Virtual PC. I think 64-bit hardware comes with this by default. We must ensure from the BIOS that it is enabled. If not, check for a BIOS update. On my quad-core HP Workstation XW8400, a BIOS update did the trick.

Before we move ahead, a small addition: XP Mode is available only for the Professional and Ultimate editions. Virtual application support is available for Windows XP, Windows Vista and Windows 7 running in Virtual PC beta, and not for any other Windows operating system. Our interest, however, is in Virtual PC beta itself, which is available for the Home edition and can run any 32-bit Windows operating system.

I haven’t tried this with Linux or any other operating system in Virtual PC, but what we are going to see next is of more interest to Windows kernel developers and debuggers.

 

Installing and configuring XP Mode

On your Windows 7 installation machine, check the BIOS and verify that virtualization support is enabled. You may need to refer to your hardware vendor’s manual to find where to enable it. This link may help. Note that the default virtual machine runs on 512 MB RAM and Windows 7 itself needs 1 GB for smooth performance, so make sure you are doing this on a machine with a good configuration.

Boot your machine into Windows 7 and go to the Virtual PC Beta download site. Here you can download Virtual PC Beta (4.88 MB) and the Windows XP Mode Beta virtual machine (445 MB). Download and install both of them.

Boot your Windows XP virtual machine by selecting it from the Program Files link. It will ask you for login details. Don’t forget to save your password so that the virtual machine logs you in automatically on every boot.

Once your virtual XP is running, look for “Install integration components” in the Tools menu at the top.

This will enable mouse, keyboard and clipboard sharing between the host and the virtual machine. You also get access to the host machine’s drives.

Run Windows Update to install any security fixes released. And if you are letting this virtual machine access the internet, don’t forget to set up a fort against internet worms and viruses! Then install any required applications.

 

Virtual PC Beta running virtual Windows XP, with applications that can be accessed from the host machine and host machine drives accessible as mapped network drives.

 
Installing a virtual machine

This was all about Windows XP and using it for installing and running applications. I shall write one more blog post about application compatibility some time later, but for now let’s concentrate on using this for debugging and learning. My personal favourite is a Windows 2003 server, which I like to debug and learn from.

From Program Files > Virtual PC, select the Virtual Machines explorer.


A new virtual machine can be created from here. Use 512 MB RAM with a 10 GB fixed disk; that should be sufficient. Once you have created the base image you can configure it and install the operating system in your virtual machine environment.


 

Configure the following:

  • Installation medium
  • COM port redirection
  • Network configuration


Now boot your virtual machine, install the OS and apply security updates. Install the integration components and get ready for the real fun.

 
 
Setting up Debug Environment

As our virtual machine has already been configured to redirect COM port data to a named pipe, we now need to configure the guest machine to use this port for debugging, and the host machine debugger to connect to the guest’s debug port through this pipe. First we will configure the guest machine.

We will use msconfig to make the kernel boot in debug mode. Start > Run > msconfig brings up the configuration window. In the BOOT.INI tab > Advanced Options we enable the /DEBUG switch with /DEBUGPORT=COM1 and /BAUDRATE=115200, which otherwise we can add directly to the default entry in C:\Boot.ini.


Now that our kernel is ready to boot in debug mode, we can configure the Windows debugger on the host machine. You can download this debugger from the WDK and Developer Tools site for free. Install your debugger to C:\DEBUGGERS. You may also need to download and install public symbols from the same DevTools site. Install the symbols to C:\SYMBOLS if you have no space constraints. These paths are easy to type when you access them from the command line.

Start the debugger, File > Kernel Debug, and configure as follows to connect to the debug machine’s COM port through the pipe.


Once your debugger is waiting for a connection, you can press Ctrl+Break to break into the debug kernel and configure your environment for debugging.
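As an added example (not from the original post), here is the same guest-side change done from the command line with bootcfg.exe, which ships with Windows XP and Server 2003: it clones the default boot entry and enables the kernel debugger on the clone only, so the original entry still boots normally when no host debugger is attached. It assumes the default entry is id 1 in boot.ini and that the guest’s COM1 is the port that Virtual PC redirects to the pipe.

```batch
@echo off
rem Added example, not part of the original post. Run inside the Windows Server 2003
rem guest from an administrator command prompt. Assumes the default OS entry is id 1
rem (check with "bootcfg /query") and that the VM's COM1 is the port redirected to the pipe.

rem 1. Show the current [operating systems] entries and their ids.
bootcfg /query

rem 2. Copy entry 1 to a new entry with its own description; it gets the next id (2 here).
bootcfg /copy /id 1 /d "Windows Server 2003 (kernel debug on COM1)"

rem 3. Enable the kernel debugger on the copy only. This appends
rem    /debug /debugport=com1 /baudrate=115200 to that entry, the same switches the
rem    msconfig dialog sets; the default entry stays untouched as a fallback.
bootcfg /debug ON /port COM1 /baud 115200 /id 2

rem 4. Leave enough time to pick the debug entry at the boot menu.
bootcfg /timeout 10

rem 5. Confirm the result; the debug entry should now show the three switches.
bootcfg /query
```

On the Windows 7 host, the command-line equivalent of the File > Kernel Debug dialog is `C:\DEBUGGERS\windbg.exe -k com:pipe,port=\\.\pipe\w2k3dbg,resets=0,reconnect -y C:\SYMBOLS`, where `w2k3dbg` is an assumed name standing for whatever pipe name you gave the VM’s COM1. Reboot the guest, choose the debug entry at the boot menu, and the debugger attaches over the pipe.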


You have set up symbols; now set up a few breakpoints and let it go. Your virtual machine will unfreeze and you can continue to work in it, and whenever you hit a breakpoint or exceptions are thrown, you get control back in the debugger. There you can analyze the call stack and do whatever you want with the guest operating system.

kd> k
ChildEBP RetAddr 
8089457c 80887449 nt!RtlpBreakWithStatusInstruction
8089457c 80a57552 nt!KeUpdateSystemTime+0x129
80894600 80887da2 hal!HalProcessorIdle+0x2
80894604 00000000 nt!KiIdleLoop+0xa

kd> .process -p -r 81c07620
Implicit process is now 81c07620
.cache forcedecodeuser done
Loading User Symbols
………………………………….

kd> !thread 81836db0 
THREAD 81836db0  Cid 0538.05d0  Teb: 7ffae000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable
    81839d38  Semaphore Limit 0x7fffffff
    81836e28  NotificationTimer
Not impersonating
DeviceMap                 e1000198
Owning Process            81c07620       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      167596         Ticks: 1042 (0:00:00:10.435)
Context Switch Count      379            
UserTime                  00:00:00.040
KernelTime                00:00:00.040
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f51bc000 Current f51bbc24 Base f51bc000 Limit f51b9000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr  Args to Child             
f51bbc3c 8082ffd7 81836db0 81836e58 00000100 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
f51bbc54 808287d4 0000c185 00000000 8089f660 nt!KiSwapThread+0x83 (FPO: [0,2,0])
f51bbc98 8091a5f1 81839d38 00000010 ffffff01 nt!KeWaitForSingleObject+0x2e0 (FPO: [5,12,4])
f51bbd48 80883938 00000110 00c9ff74 000a6708 nt!NtReplyWaitReceivePortEx+0x521 (FPO: [SEH])
f51bbd48 7c82860c 00000110 00c9ff74 000a6708 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f51bbd64)
00c9fe18 7c827859 77c885ac 00000110 00c9ff74 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00c9fe1c 77c885ac 00000110 00c9ff74 000a6708 ntdll!NtReplyWaitReceivePortEx+0xc (FPO: [5,0,0])
00c9ff84 77c88792 00c9ffac 77c8872d 000ba1d8 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198 (FPO: [0,14,0])
00c9ff8c 77c8872d 000ba1d8 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [1,0,0])
00c9ffac 77c7b110 0009adc0 00c9ffec 77e6482f RPCRT4!BaseCachedThreadRoutine+0x9d (FPO: [1,2,4])
00c9ffb8 77e6482f 000ba310 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b (FPO: [1,0,0])
00c9ffec 00000000 77c7b0f5 000ba310 00000000 kernel32!BaseThreadStart+0x34 (FPO: [SEH])
