
Windows Kernel debugger doesn't properly pause execution

Open 0xFDFDFDFD opened this issue 1 year ago • 5 comments

The Windows Kernel debugger doesn't properly pause execution. When we pause the execution and execute the r command twice without unpausing, the content of the registers changes: (screenshot: Screenshot_20240717_122731)

The expected behavior should be like this in WinDbg: (screenshot: Screenshot_20240717_122930). After breaking, none of the values change.

0xFDFDFDFD, Jul 17 '24 11:07

Thanks for letting me know about this bug, I will fix it ASAP.

xusheng6, Jul 18 '24 06:07

Per my testing, the target is properly stopped -- I tried to interact with the VM and the guest system hangs. Also, it seems only the first time you run "r" you get a different value; the subsequent values are all the same. I will look into it further, but this may not be a bug.

xusheng6, Jul 18 '24 09:07

Yes, it is only the first time I get a different value. Also, the RIP changes from nt!DbgBreakPointWithStatus to nt!HalProcessorIdle, where it stays. This behavior only happens in the Binary Ninja debugger, not when I debug the kernel with WinDbg. And it's not only the r command; commands like dd @r8 or any other command are also changing the state.

0xFDFDFDFD, Jul 18 '24 10:07

Right, there is definitely something unusual going on, and I need to figure that out.

xusheng6, Jul 18 '24 10:07

This may be related to https://github.com/Vector35/debugger/issues/591.

xusheng6, Sep 23 '24 16:09