Support for Windows Kernel Driver and Debugging / Emulator Support

[PatchByte]

I love to use ghidra. I just have a tiny problem, it's quite hard to work with kernel drivers in ghidra!

[d-millar]

@PatchByte Agreed, that is an area where we have not focused much attention - our original goals were definitely user-mode functionality. That said, kernel-mode debugging is an area we're interested in.

Could you give us more specifics? Are you having trouble getting connected? Are you experiencing issues after the connection? Send details, and we're happy to try to come up with answers and/or improvements.

[PatchByte]

Hey yeah i love ghidra, but i also love to reverse kernels. but some kernels are nasty and they are packed!
i have some problems with that.
Maybe its possible to make a kernel emulator. like the emulator in the debugger but with more features for kernel debugging.
of course i know that i am asking for a big thing. but i love ghidra.

[d-millar]

The big issue on kernel emulation is how to handle syscalls - we have thought about this some, but no easy answers on that front.

[PatchByte]

oh yeah i can relate to it. it's hard to "emulate them". thats a big question but i think on of the many ways would be to "emulate ntoskrnl" or more specified emulate the syscalls with an own kind of "emulated system" but just with the functions for the kernels.
good question tho

[angleton]

I just caught this thread but completely agree with adding support for kernel mode if at all possible. There was a frankly amazing earlier utility called SoftICE and unfortunately nothing has replaced been able to replace it. But, just its installation process abstracted a lot of the complications I later learned were really needed just to set everything up. It ran all the time, giving you absolute real-time control directly from kernel mode. Only later did I learn just how complicated just setting everything up like that really was.

[d-millar]

@angleton Wow, SOFTICE - that was the bomb, easily one of the coolest debuggers ever. The kernel work is in progress. You can do some Windows-specific tasks at the kernel-level with the current dbgeng/dbgmodel variants, but a lot of sharp edges there. Can't promise our kernel versions will be on-par with Softice (they won't), but let us know if you have specific need/requests!

[d-millar]

OK, so we have, at least nominal, support for kernel-mode debugging using dbgeng/dbgmodel. (Would recommend dbgmodel of the two, as dbgeng still shows processors in place of processes and has very little insight into kernel structure.) We also have some support through the ghidra-volatility extension for debugging virtualized kernels via existing gdbstubs, e.g. qemu, vmware, etc. All that said, this is likely yo be an ongoing effort, so am converting this issue to a discussion.