
I'm trying to set up the environment of Windows VM for debugging a kernel driver.

I created a sample kernel driver in Visual Studio 2017 (File->New Project->Kernel Mode Driver; a basic project just for testing, with the autogenerated trace macro, required procedures, etc.) and want to test it on the target machine.

Here are my steps (target machine):

  1. Install Windows 10 to a virtual machine (VirtualBox);
  2. Turn on Test mode and set BCDEdit as local;
  3. Install WDK;
  4. Download OSR Loader;
  5. Copy the files after building to the VM (C:\DriverTest\TestKernelDriver2\; .cer, .inf, .pdb, .sys);
  6. Create a traces folder: C:\DriverTest\TestKernelDriver2\traces\
  7. Install the certificate - TestKernelDriver2.sys; (Sign mode: Test Sign)
  8. Run OSR Driver Loader, choose the driver, press Register Service (Success).
  9. Run tracelog with these params (the GUID was generated by the templates, not via Tools->Create GUID) - success:

    tracelog -start TestKernelDriver2 -guid #0f4fbb98-1569-495b-88d1-f654b1e2d68e -f C:\DriverTest\TestKernelDriver2\traces\trace.etl -flag 2 -level 0xFFFF

  10. Check C:\DriverTest\TestKernelDriver2\traces\trace.etl; (exists; 64 KB in size)

  11. OSR Driver Loader: press Start Service (fail). Error message: The specified procedure could not be found.
  12. Stop tracelog - success:

    tracelog -stop TestKernelDriver2

  13. Open Event Viewer. Windows logs->System. The last error:

    The TestKernelDriver2 service failed to start due to the following error: The specified procedure could not be found.

    Details: EventData param1 TestKernelDriver2 param2 %%127 54006500730074004B00650072006E0065006C0044007200690076006500720032000000

  14. Open C:\DriverTest\TestKernelDriver2\traces\trace.etl via Event Viewer and don't see any logs.

How can I find out which procedure is missing?

I tried to investigate it via Dependency Walker and found that some .sys files are missing (WppRecorder.sys, WdfLdr.sys, msrpc.sys, EXT-MS-WIN-###.DLL). These files are located in C:\Windows\System32\drivers. I copied the files to C:\Windows\System32 and Dependency Walker calmed down. As for EXT-MS-WIN-*.DLL, I read in this topic that these files can be missing.

Thanks to @magicandre1981. I installed my driver via PnPUtil. Now I see it in the output of the pnputil /enum-drivers command.

But when I run the following commands in WinDbg, I don't see my driver in the list:

    !load wdfkd.dll
    !wdfkd.wdfldr

I'm trying to follow the steps of Session 1 from this Microsoft tutorial.

slinkin
  • use [this new tool](https://stackoverflow.com/a/54256372/1466046); it supports the API sets – magicandre1981 Feb 20 '19 at 18:06
  • Thank you so much - this is a really useful tool. I see which **.sys** files are missing, but I can't figure out the next thing. I see these missing files in **C:\Windows\System32\drivers**, but Windows tries to search for them in **C:\Windows\System32**. Do you know why this is happening? Copying files from **..\drivers** to the **System32** folder is an awful idea. This need not be so. – slinkin Feb 21 '19 at 13:36
  • This is expected. Install the driver each time with devcon.exe, which places the .sys in system32/drivers. – magicandre1981 Feb 21 '19 at 18:36
  • Why can't I use **OSR Loader**? As I understand, I need to force **OSR Loader** search **.sys** files in **C:\Windows\System32\drivers**. – slinkin Feb 22 '19 at 15:48
  • I haven't used this tool before. https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers--kernel-mode-#install – magicandre1981 Feb 22 '19 at 15:53
  • Thanks for your help. I handled the installation via PnPUtil. https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-examples – slinkin Feb 22 '19 at 18:02
  • ok and now everything works and you can debug the driver? – magicandre1981 Feb 23 '19 at 15:04
  • To be honest, no. I can't see any trace in WinDbg. But your comments helped me to resolve the problem with installing. If you know what the reason for the empty log traces is, I will be glad to know. I restart the PC with driver signature checking disabled, run WinDbg for local kernel debugging, wait for it to connect and after that install the driver. The debugging console doesn't change. Traces in the driver go via the *TraceEvents(...)* macro. – slinkin Feb 24 '19 at 15:46
  • So, it seems the driver wasn't installed. I ran in WinDbg: **!wdfkd.wdfldr** and didn't see my driver on the list. However, via **pnputil /enum-drivers** I see it. – slinkin Feb 24 '19 at 16:30
  • I've updated the question. – slinkin Feb 24 '19 at 16:42
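The Service Control Manager entry quoted in step 13 already names the failure: `%%127` is the Win32 error code ERROR_PROC_NOT_FOUND (an import the driver needs could not be resolved, which matches the Dependency Walker finding), and the hex blob is the service name encoded as UTF-16LE. The following PowerShell is an added example, not part of the question or its comments; it decodes the two fields from the event text copied above and, as a separate helper, pulls the same event ID 7000 records from the live System log. The function names and the `TestKernelDriver2` service name are assumptions.

```powershell
# Added example: decode the "service failed to start" event (ID 7000) fields.
# Sample values are constructed from the event text quoted in the question.
$sampleParam2 = '%%127'
$sampleBlob   = '54006500730074004B00650072006E0065006C0044007200690076006500720032000000'

function Convert-Win32ErrorToken {
    # '%%127' -> 127 -> "The specified procedure could not be found."
    param([Parameter(Mandatory)][string]$Token)
    $code = [int]($Token -replace '^%%', '')
    $msg  = [System.ComponentModel.Win32Exception]::new($code).Message
    [pscustomobject]@{ Code = $code; Message = $msg }
}

function Convert-HexUtf16Param {
    # The EventData binary blob is the service name as NUL-terminated UTF-16LE.
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function Get-ServiceStartFailure {
    # Query the live System log for SCM start failures of one service (name assumed).
    param([string]$ServiceName = 'TestKernelDriver2')
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $ServiceName } |
        Select-Object TimeCreated,
                      @{ n = 'Service'; e = { $_.Properties[0].Value } },
                      @{ n = 'Error';   e = { $_.Properties[1].Value } }
}

$err = Convert-Win32ErrorToken $sampleParam2
"Error {0}: {1}" -f $err.Code, $err.Message        # 127 = ERROR_PROC_NOT_FOUND
"Service: {0}" -f (Convert-HexUtf16Param $sampleBlob)   # TestKernelDriver2
Get-ServiceStartFailure
```

Error 127 at service start means the loader rejected the image before DriverEntry ran, so no WPP events can have been written; the empty trace.etl in step 14 is a consequence of the load failure, not a separate tracing problem.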

1 Answer

I found the solution via tracefmt generator and TraceView application.

Step 0: Generate tmf file by command:

    tracefmt C:\TestDriver\TestKernelDriver2\TestKernelDriver2.etl -i C:\TestDriver\TestKernelDriver2\TestKernelDriver2.sys -r C:\TestDriver\TestKernelDriver2\TestKernelDriver2 -p C:\TestDriver\TestKernelDriver2\tmfs -o C:\TestDriver\TestKernelDriver2\TestKernelDriver2.txt -v

Step 1: Create a session in TraceView: File -> Create New Session. Fill in Manually Entered Control GUID (0f4fbb98-1569-495b-88d1-f654b1e2d68e).

Step 2: Choose Source of WPP Format Information (the Set TMF Search Path option) and fill in the path: C:\DriverTest\TestKernelDriver2\tmfs

Step 3: Next, fill in Log Session Name and make sure Real-Time Display is checked. Finish.

TraceView settings

slinkin
  • Ooopppss. For generating tmf files the following command should be used: **tracepdb.exe -f TestKernelDriver2\TestKernelDriver2.pdb -p TestKernelDriver2\tmfs** – slinkin Mar 08 '19 at 09:22
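The same session can be driven from the command line instead of TraceView, which makes it easy to repeat and to check that the driver is really loaded before expecting any WPP output. The script below is an added example, not the answer's own procedure; it uses only the WDK tools named on this page (tracepdb, as the comment above corrects, then tracelog and tracefmt), with the paths, service name, control GUID, flags and level taken from the question. It assumes the WDK tools directory is on PATH and runs from an elevated prompt; `Assert-Success` and the variable names are this example's own.

```powershell
# Added example: capture and decode a WPP trace for the driver from the command line.
# Paths, service name and GUID follow the question; adjust for your own driver.
$Root    = 'C:\DriverTest\TestKernelDriver2'
$Service = 'TestKernelDriver2'
$Guid    = '0f4fbb98-1569-495b-88d1-f654b1e2d68e'    # control GUID from the question
$Pdb     = Join-Path $Root "$Service.pdb"
$Tmfs    = Join-Path $Root 'tmfs'
$Etl     = Join-Path $Root 'traces\trace.etl'
$Txt     = Join-Path $Root "$Service.txt"

function Assert-Success([string]$What) {
    # Native tools report failure through their exit code, not PowerShell errors.
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

# 1. Extract the WPP format (TMF) files from the private PDB (tracepdb, per the comment above).
New-Item -ItemType Directory -Force -Path $Tmfs, (Split-Path $Etl) | Out-Null
tracepdb.exe -f $Pdb -p $Tmfs
Assert-Success 'tracepdb'

# 2. Start the session before loading the driver so DriverEntry's events are captured
#    (same flags and level as step 9 of the question).
tracelog.exe -start $Service -guid "#$Guid" -f $Etl -flag 2 -level 0xFFFF
Assert-Success 'tracelog -start'

try {
    # 3. Start the service; a load failure here is the same error Event Viewer records.
    sc.exe start $Service | Out-Null
    Assert-Success 'sc start'

    # A pnputil listing only proves the package is staged; confirm the driver is running.
    $state = (sc.exe query $Service | Select-String 'STATE').ToString()
    if ($state -notmatch 'RUNNING') { throw "Service is not running: $state" }
}
finally {
    # 4. Stop the session and decode the binary trace with the TMFs.
    tracelog.exe -stop $Service | Out-Null
    tracefmt.exe $Etl -p $Tmfs -o $Txt -v | Out-Null
    "Decoded trace written to $Txt"
    Get-Content $Txt | Select-Object -First 20
}
```

If the decoded text file contains no events although the service reports RUNNING, the usual causes are a control GUID that does not match the one compiled into the driver, or a session started only after the code path of interest had already run.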