
Support for Windows Kernel Driver and Debugging / Emulator Support

Open PatchByte opened this issue 3 years ago • 6 comments

I love to use Ghidra. I just have a tiny problem: it's quite hard to work with kernel drivers in Ghidra!

PatchByte, Feb 07 '22 14:02

@PatchByte Agreed, that is an area where we have not focused much attention - our original goals were definitely user-mode functionality. That said, kernel-mode debugging is an area we're interested in.

Could you give us more specifics? Are you having trouble getting connected? Are you experiencing issues after the connection? Send details, and we're happy to try to come up with answers and/or improvements.

d-millar, Feb 07 '22 19:02

Hey, yeah, I love Ghidra, but I also love to reverse kernels. But some kernels are nasty and they are packed! I have some problems with that. Maybe it's possible to make a kernel emulator, like the emulator in the debugger but with more features for kernel debugging. Of course I know that I am asking for a big thing, but I love Ghidra.

PatchByte, Feb 07 '22 21:02

The big issue on kernel emulation is how to handle syscalls - we have thought about this some, but no easy answers on that front.

d-millar, Feb 07 '22 22:02

Oh yeah, I can relate to it. It's hard to "emulate them". That's a big question, but I think one of the many ways would be to "emulate ntoskrnl", or, more specifically, emulate the syscalls with an own kind of "emulated system" but just with the functions for the kernels. Good question though.

PatchByte, Feb 08 '22 22:02

I just caught this thread but completely agree with adding support for kernel mode if at all possible. There was a frankly amazing earlier utility called SoftICE and unfortunately nothing has been able to replace it. But just its installation process abstracted a lot of the complications I later learned were really needed just to set everything up. It ran all the time, giving you absolute real-time control directly from kernel mode. Only later did I learn just how complicated setting everything up like that really was.

angleton, Oct 06 '22 02:10

@angleton Wow, SoftICE - that was the bomb, easily one of the coolest debuggers ever. The kernel work is in progress. You can do some Windows-specific tasks at the kernel level with the current dbgeng/dbgmodel variants, but there are a lot of sharp edges there. Can't promise our kernel versions will be on par with SoftICE (they won't), but let us know if you have specific needs/requests!

d-millar, Oct 06 '22 15:10