WinDBG如何打入目标机器的内核？ [英] How does WinDBG break in to the kernel of target machine?

问题描述

我正在使用WinDBG调试内核模式驱动程序。我无法理解WinDBG如何冻结目标机器的内核？特别是我们如何能够放一个 当ISR在DIRQL上运行时断点并逐步执行中断服务例程
的代码？

I am debugging a kernel mode driver using WinDBG. I was not able to understand how does the WinDBG freeze the kernel of the target machine ? Especially how are we able to put a  breakpoint and step through the code of a Interrupt Service Routine , when the ISR is running at DIRQL ?

WinDBG是否在更高的IRQL下运行？如果是这样，WinDBG的IRQL工作是什么？

Does WinDBG work at a higher IRQL ? If so what IRQL does WinDBG work on ?

 

 

推荐答案

正如Pavel建议的那样，Windows支持内核模式调试。这种支持必须在内核中，因为内核能够读取和写入属于调试器中任何进程的内存。调试器要求内核调试某个进程并且内核
允许/拒绝请求。内核可以从debuggie的内存空间查询和设置值，并根据调试器的请求进行注册。 

As Pavel suggested , Windows support kernel mode debugging. This support has to be in kernel as  Kernel is able to read and write memory that belongs to any proces in debugger . Debugger asks kernel that it is going ot debug certain process and kernel either allows / denies the request. Kernel can query and set values from debuggie's memory space and registers as request from debugger . 

当调试器在一个位置放置断点时，它实际上替换了0xcc位置的指令（INT 3 ）。当调试对象到达那一点时，内核信号信号调试器会断点。它再次替换原始指令和
等待调试器。  对于逐步调试，会发生相同的过程。

When debugger put breakpoint at a location , it actually replaces instruction at a location with 0xcc ( INT 3) . When debuggee reaches at that point , Kernel signal signal debugger that breakpoint is hit . It replaces again with original instruction and wait for debugger .  For step by step debugging , same procedure happens.

 

这篇关于WinDBG如何打入目标机器的内核？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！