Debugging the windows kernel what. Hardcore debugging with Linice: learning to work in the console kernel debugger

The term "kernel debugging" means examining the internal data structure of the kernel and/or step-by-step tracing the functions in the kernel. This debugging is a very useful way to examine the internal workings of Windows because it allows you to see internal system information that is not available using any other means and gives a clear picture of the progress of code in the kernel.

Before looking at the various ways to debug the kernel, let's examine the set of files that you will need to perform any kind of kernel debugging.

Symbols for kernel debugging

Symbol files contain the names of functions and variables, as well as the design and format of data structures. They are generated by the linker program and are used by debuggers to reference these names and to display them during a debugging session. This information is usually not stored in binary code because it is not needed when the code is executed. This means that without it, the binary code is smaller and runs faster. But this also means that when debugging, you need to ensure that the debugger has access to the symbol files associated with the binary images referenced during the debugging session.

To use any kernel-mode debugging tool to examine the internals of the Windows kernel data structure (list of processes, list of thread blocks, list of loaded drivers, memory usage information, etc.), you need the correct symbol files and, at a minimum, a symbol file for the kernel binary image - Ntoskrnl.exe. Symbol table files must match the version of the binary image from which they were extracted. For example, if you have installed a Windows Service Pack or some kind of patch that updates the kernel, you need to get the symbol files updated accordingly.

It's easy to download and install symbols for different versions of Windows, but updating symbols for patches isn't always possible. The easiest way to obtain the required version of symbols for debugging is to contact the Microsoft symbol server specially designed for this purpose, using the special syntax for the symbol path specified in the debugger. For example, the following symbol path causes the debugging tools to download the symbols from an online symbol server and store a local copy in c:\symbols:srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Detailed instructions for using the symbol server can be found in the debugging tools help file or online at http://msdn.microsoft.com/en-us/windows/hardware/gg462988.aspx.

chPF OELPFPTSCHE KHLBBOYS RP TBVPFE U PFMBDLPK SDTB U BCHBTYKOSHNY DBNRBNY RBNSFY. lBL RTBCHYMP, CHBN OHTSOP VKDEF ЪBDBFSH PDOP YЪ KHUFTPKUFCH RPDLBYULY, RETEYUYUMEOOSCHI CH ZHBKME /etc/fstab . uvtpu pvtbpch RBNSFY O KHUFTPKUFCHB, OE SCHMSAEYEUS KHUFTPKUFCHBNY RPDLBYULY, OBRTYNET, MEOFSHCH, CH DBOOSCHK NPNEOF OE RPDDETSYCHBAFUS.

Note: yURPMSHHKFE LPNBODH dumpon (8) DMS KHLBBOYS SDTH NEUFB, ZDE OHTsOP UPITBOSFSH BCHBTYKOSHCHE DBNRSCH. rPUME OBUFTPKLY RP LPNBODE swapon (8) TBDEMB RPDLBYULY DPMTSOB VSHFSH CHSHCHBOB RTPZTBNNNB dumpon . pVSHYUOP LFP CHSHRPMOSEPHUS ЪBDBOYEN RETENOOOPK dumpdev CH ZHBKME rc.conf (5). еUMY ЪБДБOB ьФБ RATENEOOBS, FP RPUME UVPS RTY RETCHPK NOPZPRPMSHЪPCHBFEMSHULPK RETEЪBZTHЪLE VHDEF BCHFPNBFYUEULY ЪBRHEEOOB RTPZTBNNNB savecore (8). pOB UPITBOIF BCHBTYKOSHCHK DBNR SDTB CH LBFBMPZ, ЪBDBOOSCHK CH RETENEOOOPK dumpdir ZHBKMB rc.conf . rP KHNPMYUBOYA LBFBMPZPN DMS BCHBTYKOSCHI DBNRPCH SCHMSEFUS /var/crash .

mYVP CHSC NPTSEFE ЪBDBFSH KHUFTPKUFCHP DMS UVTPUB PVTBB RBNSFY SCHOP YUETE RBTBNEFT dump CH UFTPLE config LPOZHYZHTBGYPOOPZP ZHBKMB CHBYEZP SDTB. fBLPK URPUPV YURPMSHЪPCHBFSH OE TELPNEODHEFUS Y PO DPMTSEO YURPMSHЪPCHBFSHUS, FPMSHLP EUMY CHSCH IPFYFE RPMKHYUBFSH BCHBTYKOSHCH PVTBYSH RBNSFY SDTB, LPFPTPPE BCHBTYKOP ЪBCHETYBEF UCHPA TBVPFH RTY ЪBZTHЪLE.

Note: dBMEE FETNYO gdb PYOBYUBEF PFMBDYUYL gdb , ЪBRHEEOOSCHK CH ``TETSINE PFMBDLY SDTB". RETEIPD CH LFPF TETSYN DPUFYZBEFUS ЪBRHULPN gdb U RBTBNEFTPN -k . h TETSYNE PFMBDLY SDTB gdb YЪNEOSEF UCHPЈ RTYZMBYEOYE ABOUT (kgdb) .

Tip: Eumi Chechi yurpmshhef FreeBSD Cetui 3 ymi tbooaa, Cheshchiki DPMTSOSH Cheshrpmeifsh Huyuye PFMBDPZP SDTB LPNBODPK STRIP, Hufbobchmychbfsh PFMSHYP PFMBDPUOP:

# cp kernel kernel.debug # strip -g kernel

bFPF YBZ OE FBL KhTS Y OEPVIPDYN, OP TELPNEODKHEN. (PhP FreeBSD 4th VPMEE RPJDOYI TEMYBI LFPF YBZ CHSHRPMOSEFUS BCHFPNBFYUEULY CH LPOGE RTPGEUUB RPUFTPEOOYS SDTB make .) lPZDB SDTP HUEYEOP, BCHFPNBFYUEULY YMY RTY RPNPEY LPNBOD CHCHYE, CHCH NPTSEFE KHUFBOPCHYFSH EZP PVSHYUOSCHN PVTBBPN, OVTTBCH make install .

ъBNEFSHFE, YuFP CH UFBTSHCHETUISI FreeBSD (DP 3.1, OE CHLMAYUBS LFPF TEMY), YURPMSHKHEFUS SDTB CH ZHTNBFE a.out, RPFPNH YI FBVMYGSH UYNCHPMPCH DPMTSOSCH TBURPMBZBFSHUS RPUFPSOOP CH RBNSFY. u VPMSHYPK FBVMYGEK UYNCHPMPCH CH OE HUEYOOOPN PFMBDPUOPN SDTE LFP YЪMYYOSS FTBFB. rPUMEDOYE TEMYYSH FreeBSD YURPMSHJHAF SDTB CH ZHTNBFE ELF, ZHE LFP OE SCHMSEFUS RTPVMENPK.

eUMY CHSH FEUFYTHEFE OPCHPE SDTP, ULBTSEN, OBVYTBS YNS OPCHPZP SDTB CH RTYZMBYYEOYY UBZTHYUYLB, OP CHBN OHTSOP ЪBZTHTSBFSH Y TBVPFBFSH U DTHZYN SDTPN, YUFPVSH UOPChB CHETOHFSHUS L OPTNBMSHOPNH ZHOLGYPOYTPCHBOYA, ЪBZTHTSBKFE EZP FPMSHLP CH PDOPRPMSHЪPCHBFEMSHULPN TETSYNE RTY RPNPEY ZHMBZB -s , KHLBSCCHBENPZP RTY ЪBZTHЪLE , B ЪBFEN CHSHRPMOYFE FBLYE YBZY:

# fsck -p # mount -a -t ufs # so your filesystem for /var/crash is writable # savecore -N /kernel.panicked /var/crash # exit # ...to multi-user

bFB RPUMEDPCHBFEMSHOPUFSH KHLBSCCHBEF RTPZTBNNE savecore (8) ABOUT YURPMSHЪPCHBOYE DTHZPZP SDTB DMS YЪCHMEYUEOYS UYNCHPMYUEULYI YNEO. YOBYUE POB VHDEF YURPMSHЪPCHBFSH SDTP, TBVPFBAEEE CH DBOOSHCHK NPNEOF Y, ULPTEE CHUEZP, OYUEZP OE UDEMBEF, RPFPNH YuFP BCBTYKOSHCHK PVTB RBNSFY YYNCHPMSCH SDTB VHDHF PFMYUBFSHUS.

b FERETSH, RPUME UVTPUB BCHBTYKOPZP DBNRB, RETEKDYFE CH LBFBMPZ /sys/compile/WHATEVER Y ЪBRKHUFYFE LPNBODH gdb -k . yЪ RTPZTBNNSH gdb UDEMBKFE CHPF SFP:

Symbol-file kernel.debug exec-file /var/crash/kernel.0 core-file /var/crash/vmcore.0 Y CHBMS - CHCH NPTSEFE PFMBTSYCHBFSH BCHBTYKOSHK DBNR, YURPMSHЪHS YUIPDOSCH FELUFSCH SDTB FPYuOP FBLCE, LBL CHSHCH LFP DEM BEFE AT MAVPC DTHZPK RTPZTBNNPK.

chPF TsKHTOBM LPNBOD UEBOUB TBVPFSH gdb, YMMAUFTYTHAEIK bfh RTPGEDHTH. dMYOOSCH UFTPLY VSHMY TBPTCHBOSH DMS KHMHYUYEOYS YUYFBVEMSHOPUFY Y DMS KHDPVUFCHB UFTPLY VSHCHMY RTPOKHNETPCHBOSHCH. CHUE PUFBMSHOPE SCHMSEFUS FTBUUYTPCHLPK PYYVLY, TEBMSHOP CHPOYLOKHCHYEK PE CHTENS TBVPFSCH OBD DTBKCHETPN LPOUPMY pcvt.

1:Script started on Fri Dec 30 23:15:22 1994 2: # cd /sys/compile/URIAH 3: # gdb -k kernel /var/crash/vmcore.1 4:Reading symbol data from /usr/src/ sys/compile/URIAH/kernel ...done. 5:IdlePTD 1f3000 6:panic: because you said to! 7:current pcb at 1e3f70 8:Reading in symbols for ../../i386/i386/machdep.c...done. 9: (kgdb) where 10:#0 boot (arghowto=256) (../../i386/i386/machdep.c line 767) 11:#1 0xf0115159 in panic () 12:#2 0xf01955bd in diediedie ( ) (../../i386/i386/machdep.c line 698) 13:#3 0xf010185e in db_fncall () 14:#4 0xf0101586 in db_command (-266509132, -266509516, -267381073) 15:#5 0x f0101711 in db_command_loop () 16:#6 0xf01040a0 in db_trap () 17:#7 0xf0192976 in kdb_trap (12, 0, -272630436, -266743723) 18:#8 0xf019d2eb in trap_fatal (...) 19:#9 0xf0 19ce60 in trap_pfault ( ...) 20:#10 0xf019cb2f in trap (...) 21:#11 0xf01932a1 in exception:calltrap () 22:#12 0xf0191503 in cnopen (...) 23:#13 0xf0132c34 in spec_open () 24: #14 0xf012d014 in vn_open () 25:#15 0xf012a183 in open () 26:#16 0xf019d4eb in syscall (...) 27: (kgdb) up 10 28:Reading in symbols for ../../i386/i386 /trap.c...done. 29:#10 0xf019cb2f in trap (frame=(tf_es = -260440048, tf_ds = 16, tf_\ 30:edi = 3072, tf_esi = -266445372, tf_ebp = -272630356, tf_isp = -27\ 31:2630396, t f_ebx = - 266427884, tf_edx = 12, tf_ecx = -266427884, tf\ 32:_eax = 64772224, tf_trapno = 12, tf_err = -272695296, tf_eip = -26\ 33:6672343, tf_cs = -26646936 8, tf_eflags = 66066, tf_esp = 3072, tf_\ 34:ss = -266427884)) (../../i386/i386/trap.c line 283) 35:283 (void) trap_pfault(&frame, FALSE); 36: (kgdb) frame frame->tf_ebp frame->tf_eip 37:Reading in symbols for ../../i386/isa/pcvt/pcvt_drv.c...done. 38:#0 0xf01ae729 in pcopen (dev=3072, flag=3, mode=8192, p=(struct p\ 39:roc *) 0xf07c0c00) (../../i386/isa/pcvt/pcvt_drv.c line 403) 40:403 return ((*linesw.l_open)(dev, tp)); 41: (kgdb) list 42:398 43:399 tp->t_state |= TS_CARR_ON; 44:400 tp->t_cflag |= CLOCAL; /* cannot be a modem (:-) */ 45:401 46:402 #if PCVT_NETBSD || (PCVT_FREEBSD >= 200) 47:403 return ((*linesw.l_open)(dev, tp)); 48:404 #else 49:405 return ((*linesw.l_open)(dev, tp, flag)); 50:406 #endif /* PCVT_NETBSD || (PCVT_FREEBSD >= 200) */ 51:407 ) 52: (kgdb) print tp 53:Reading in symbols for ../../i386/i386/cons.c...done. 54:$1 = (struct tty *) 0x1bae 55: (kgdb) print tp->t_line 56:$2 = 1767990816 57: (kgdb) up 58:#1 0xf0191503 in cnopen (dev=0x00000000, flag=3, mode=8192 , p=(st\ 59:ruct proc *) 0xf07c0c00) (../../i386/i386/cons.c line 126) 60: return ((*cdevsw.d_open)(dev, flag, mode, p) ); 61: (kgdb) up 62:#2 0xf0132c34 in spec_open () 63: (kgdb) up 64:#3 0xf012d014 in vn_open () 65: (kgdb) up 66:#4 0xf012a183 in open () 67: (kgdb) up 68:#5 0xf019d4eb in syscall (frame=(tf_es = 39, tf_ds = 39, tf_edi =\ 69: 2158592, tf_esi = 0, tf_ebp = -272638436, tf_isp = -272629788, tf\ 70:_ebx = 7086 , tf_edx = 1, tf_ecx = 0, tf_eax = 5, tf_trapno = 582, \71:tf_err = 582, tf_eip = 75749, tf_cs = 31, tf_eflags = 582, tf_esp \72:= -272638456, tf_ss = 39)) (. ./../i386/i386/trap.c line 673) 73:673 error = (*callp->sy_call)(p, args, rval); 74: (kgdb) up 75:Initial frame selected; you cannot go up. 76: (kgdb) quit 77: # exit 78:exit 79: 80:Script done on Fri Dec 30 23:18:04 1994

lPNNEOFBTYY L CHSHCHYYERTYCHEDEOOPNH TSHTOBMKH:

UFTPLB 6:

ьФП DBNR, CHSFSHCHK RTY RPNPEY DDB (UNPFTY OITSE), RPPFPNH LPNNEOFBTYK L BCHBTYKOPNH PUFBOPCHH YNEEF YNEOOP CHYD ``because you said to!'' Y FTBUUYTPCHLB UFELB ZMHVPLB; PDOBLP YOBYUBMSHOPK RTYYUYOPK RETEIPDB CH DDB VSHMB BCHBTYKOBS PUFBOPCHLB RTY CHPOYLOPCHEOYA PYYVLY UFTBOIGSC RBNSFY.

UFTPLB 20:

lFP NEUFPOBIPTSDEOOYE ZHKHOLGYY trap() CH FTBUUYTPCHLE UFELB.

UFTPLB 36:

rTYOKHDIFEMSHOPE YURPMSHЪPCHBOIE OPChPK ZTBOYGSCH UFELB; FERTSH LFP OE OHTSOP. rTEDRPMBZBEFUS, YuFP ZTBOYGSCH UFELB KHLBSCCHBAF ABOUT RTBCHYMSHOP TBURPMPTSEOYE, DBCE CH UMHUBE BCHBTYKOPZP PUFBOPCHB. zMSDS ABOUT UFTPLH YUIPDOPZP LPDB 403, NPTsOP ULBBFSH, YuFP CHEUSHNB CHETPSFOP, YuFP MYVP CHYOPCHBF DPUFHR RP KHLBBFEMA ``tp"", MYVP VSHM CHSHCHIPD ЪB ZТBOYGSC NBUUYCHB.

UFTPLB 52:

rPIPTSE, YuFP CHYOPCHBF KHLBBFEMSH, OP ON SCHMSEFUS DPRKHUFYNSCHN BDTEUPN.

UFTPLB 56:

pDOBLP, PYUECHYDOP, YuFP PO KHLBSHCHCHBEF ABOUT NHUPT, FBL YuFP NSCH OBYMY OBYKH PYYVLH! (DMS FEI, LFP OE ЪOBLPN U LFPC YUBUFSHHA LPDB: tp->t_line UMHTSYF DMS ITBOEOYS TETSYNB LBOBMMB LPOUPMSHOPZP KHUFTPKUFCHB, Y LFP DPMTSOP VShchFSH DPUFBFPYuOP NBMEOSHLPE GEMPE YUYUMP. )

How to start the kernel debugger?

Master's answer:

There is one very important component in the software development process - debugging. In relation to application programs, it is carried out by means that operate in user mode and are often built into the IDE. In order to be able to debug, for example, drivers, you need to run the kernel debugger.

You need to start the cmd command processor. Open the Start menu on the taskbar. In the window that appears, click on the “Run…” item. The “Run Program” window will appear. In the text box, enter cmd, then click OK.

Now back up your boot.ini file. First, find out the installation path of your current copy of Windows using the command: echo %SystemRoot%

Next, go to the disk with the installed operating system by entering the device letters, followed by a colon. Using the cd command, go to the root directory. Now, using the attrib command, remove the "hidden", "read-only" and "system" attributes from the boot.ini file. Use the copy command to create a backup copy, and then set the attributes in place.

To display the current list of boot options, use the bootcfg /query command. Look through the list and determine the element on the basis of which new settings will be created with the ability to debug in kernel mode. The boot entry ID should be remembered.

Use the bootcfg/copy command to create a boot entry. To specify the identifier of the record that you will copy, use the /id parameter. Using the /d option, specify the name of the entry that will be displayed. Now you need to go back to the list of boot options using the bootcfg /query command, and look at the ID of the added entry.

Now you need to include options to launch the kernel debugger in the previously created boot entry. If you will be debugging on the target machine, you just need to add the /debug option.

If you want to perform remote debugging by connecting the target computer via a com port to the host machine, then use the /port and /baud options to specify the port number and baud rate.

If you will be performing remote debugging via a FireWire cable (IEEE 1394 interface), then use the /dbg1394 option to enable the corresponding mode and the /ch option to specify the channel number.

To ensure that the changes have been made, check your boot files using the bootcfg command with the /query parameter. After executing the exit command, close the shell window.

If necessary, change the operating system boot settings. Open the Control Panel through the Start menu, and in it open the System item. In the “System Properties” window that opens, select the “Advanced” tab. In this tab, select the section called “Boot and Recovery” and click on the “Options” button. In the “Boot and Recovery” window that appears, you need to activate the “Display list of operating systems” option. Close both dialog boxes with the OK button.

Restart your computer. Select boot with debugger. Log in and start working on the target machine or start debugging remotely. Use tools such as WinDbg and KD.

To debug the kernel, you must connect to your computer using a null modem cable or modem connection. The computer performing debugging will be called “Host”, and the problem computer will be called “Target”.

Both computers must be running the same version of Windows, and the symbol files for the Target computer must be installed on the Host computer. The symbol files are provided on the Windows installation CD in the Support\Debug directory.

To enable debugging, you must make changes to the BOOT.INI file on the Target computer.

1. Change the attributes of the BOOT.INI file:

attrib c:\boot.ini –r –s

2. Edit this file and add the /debug parameter to the Windows startup line (to tell the system to load the kernel debugger into RAM when Windows boots). Additional parameters are /Debugport, which tells the system which COM port to use (default is COM2) and /Baudrate - to specify the baud rate (default is 19200 baud, but 9600 is better). For example:

multi(0)disk(0)rdisk(0)partition(0)\WINDOWS="Windows NT" /debug /debugport=com2 /baudrate=9600

3. Save the file.

4. Set the previous attributes of the BOOT.INI file:

attrib c:\boot.ini +r +s

In this example, the Target computer allowed a connection on COM2 at 9600 bps.

The Host computer must be configured with the settings required for debugging. In addition, the symbol files must be installed. To install them, go to the \support\debug directory on the installation CD and enter the following command:

expndsym : <целевой диск и каталог>

For example:

expndsym f: d:\symbols

Installation may take some time. Remember that if service packs have been installed on the Target computer, the symbol files for those packages must also be installed on the Host computer. Symbol files for update packages can be downloaded from the Microsoft website.

The next step is to set up the environment variables needed for debugging, such as variables indicating the location of symbol files, etc. The following is a description of these variables.

Description of system variables

The definition of these variables can be placed in a batch file in order to avoid entering the corresponding commands at each boot:

echo off
set_nt_debug_port=com2
set_nt_debug_baud_rate=9600
set _nt_symbol_path=d:\symbols\i386
set _nt_log_file_open=d:\debug\logs\debug.log

Now you need to copy the kernel debugging software, which is located in the support\debug\ directory<процессор>on the installation CD (support\debug\I386). The easiest way is to copy the entire directory, since it is small in size (about 2.5 MB). For the I386 platform, a debugger is used, which is supplied as the I386KD.EXE file. The debugger is launched using the I386KD command. To enter a command, press the key combination and wait for the kd> command prompt to appear.

• Authors:

  Barinov S.S., Shevchenko O.G.

• Year:
• Source:

  Informatics and computer technologies / Materials of the VI international scientific and technical conference of students, graduate students and young scientists - November 23-25, 2010, Donetsk, DonNTU. - 2010. - 448 p.

annotation

A comparative analysis of debugging user mode and kernel mode in relation to the Microsoft Windows operating system is provided, the differences and problems of organizing debugging of the latter are highlighted. Based on the results obtained, the basic requirements for building kernel mode debuggers in the event of emergency and interactive debugging are formulated. An analysis of existing solutions for compliance with the requirements was carried out. In particular, special attention is paid to the Microsoft Windows Debugger.

Main part

Debugging is the process of identifying and eliminating the causes of errors in software. In some projects, debugging takes up to 50% of the total development time. Debugging can be greatly simplified by using specialized tools that are constantly being improved. The main such tool is a debugger, which allows you to control the execution of software, monitor its progress and interfere with it. Kernel debugging tools are primarily used by driver developers.

Application software development tools offer the programmer a wide range of possibilities. Any integrated development environment includes the ability to debug without the need to use third-party utilities. If we are talking about system software and driver development in particular, then due to its specifics, the development process is extremely difficult and little automated. All development phases, including debugging, are separate. To carry out each of them, special conditions are required: writing program code is performed on a full-fledged computer system, debugging is performed on a debugging system, testing is performed depending on the circumstances, etc. The kernel mode debugger itself is more difficult to learn and, accordingly, less friendly.

In general, we can talk about the lack of kernel debugging tools. Although such means are available, there is often no talk about alternatives. For example, the Microsoft Windows Debugger has a very high entry threshold. Many programmers talk about the first negative experience when meeting it, and most of its capabilities remain unclaimed.

Based on the structure of the virtual address space, if an application makes an error that causes the application to write data to an arbitrary memory location, the application will only damage its own memory and will not affect the operation of other applications and the operating system. While the kernel mode program code is able to damage important data structures of the operating system, which will inevitably lead to a general failure. An ineffectively written driver can also cause serious degradation of the entire operating system.

Modern debuggers provide the following basic functions:
• debugging at the source code level;
• execution management;
• viewing and changing memory;
• viewing and changing the contents of processor registers;
• viewing the call stack.

To make it easier to work with disassembled code, the so-called. debugging symbols. While the linker is running, in addition to the image of the executable file, a data file can also be created containing information that is not required when executing the program, but is extremely useful when debugging it: names of functions, global variables, descriptions of structures. Debugging symbols are available for all Windows operating system executables.

Execution control refers to the ability to interrupt and resume execution of program code upon reaching a specified command in the program code. If the program code is executed in step-by-step mode, an interrupt occurs for each programming language token or when exiting a subroutine. In free execution, execution interruptions occur in predetermined sections of code - places where breakpoints are set.

When interrupting kernel mode code, the following dilemma arises. The debugger uses a user interface to interact with the programmer. Those. at least the visible part of the debugger runs in user mode and naturally uses an application programming interface (Windows API), which in turn relies on kernel mode modules, to build it. Thus, pausing kernel mode code can result in a deadlock: the system will stop responding to user requests.

To access kernel memory, parts of the debugger must also run in kernel mode. This leads to two problems at once, which are an obvious consequence of organizing memory in the processor's protected mode.

The first problem concerns the translation of virtual memory addresses. Drivers constantly interact with user-mode applications by accessing their memory. The Windows operating system translates virtual addresses into physical ones based on the concept of thread context. Thread context is a structure that reflects the state of a thread and includes, in particular, a set of registers and some other information. When control is transferred to another thread, a context switch occurs, which saves information about one thread and restores information about another. When a thread's context is switched to another process's thread, the page directory used to translate virtual addresses into physical ones also switches.

The peculiarity is that when dispatching system calls, the Windows operating system does not switch the context. This allows kernel-mode code to use user-mode virtual addresses.

The situation is different when dispatching interrupts or executing system threads. An interrupt can occur at any time, so there is no way to predict which thread context will be used. System threads do not belong to any process and cannot translate user-mode virtual addresses. It follows that user mode memory cannot be accessed in these situations.

The second problem is accessing relocatable memory. Most of the information in memory is relocatable and can be moved from physical memory to the hard disk into a page file at any time. If a page is accessed that is not in physical memory, the processor would normally generate a Page Fault interrupt, which would be handled by the memory manager, resulting in the page being read from the page file and loaded into physical memory.

This behavior breaks down if the debugger code is forced to use high interrupt request levels (IRQL). If the IRQL matches or exceeds the IRQL of the memory manager, the latter will not be able to load the missing page, because the operating system will block the Page Fault interrupt. This will cause the operating system to crash.

Debugging is usually divided into interactive and emergency. In interactive local debugging, the debugger runs on the same system as the debugger. In interactive remote debugging, the debugger and the debug object run on different systems. When debugging kernel code, the system must be controlled starting from the first stages of its boot, when the network is not yet functioning, therefore, simple serial interfaces such as COM, FireWire, USB are used to communicate between systems. Recently, thanks to the development trends of software virtualization at different levels of abstraction, virtual machines are increasingly being used. The guest OS acts as the debug OS, the hosted OS includes a debugger user interface.

Therefore, emergency debugging does not require the debugging tool to be installed on the test computer. The Windows operating system distribution includes mechanisms for implementing emergency debugging. Before rebooting, the operating system can save information about its state, which the developer can analyze and find out the reason. Such information saved to a file is called a memory dump.

Basic kernel mode debugging tools are provided by the Windows operating system manufacturer itself as part of the freely distributed Debugging Tools for Windows package. The tools include graphical and console debuggers WinDbg and KD, respectively (hereinafter referred to as Windows Debugger). The work of these debuggers is based on mechanisms provided by the operating system developers and embedded in its kernel.

The main mode for Windows Debugger is command interpreter mode. Thanks to its modular structure, Windows Debugger supports third-party modules called extensions in addition to developer-supplied commands. In fact, most built-in commands are also packaged as extensions.

Windows Debugger is focused on remote interactive and emergency debugging, which, when used, reveals all its capabilities. At the same time, full local interactive debugging is not supported: the debugger only allows you to view some kernel structures.

There is an extension module for Windows Debugger called LiveKD, created by Mark Russinovich, which in a sense implements local interactive debugging. LiveKD creates a memory dump of the working system on the fly and uses it for debugging.

The Debugging Tools for Windows package is regularly updated and supports all modern Windows operating systems.

The SoftICE kernel debugger, produced by Compuware in the DriverStudio software package, has traditionally been an alternative to the Debugging Tools for Windows package. A distinctive feature of SoftICE was the implementation of local interactive debugging on supported hardware. The debugger could almost completely control the operation of the operating system.

As of April 3, 2006, sales of the DriverStudio family of products were discontinued due to "a variety of technical and business issues, as well as general market conditions." The latest version of the operating system to be supported is Windows XP Service Pack 2. Typically, service packs do not change the application interface of the operating system, but system call numbers and other undocumented information may change. The SoftICE debugger relied on hard-coded addresses of internal data structures. As a result, compatibility was broken with the release of Service Pack 3. Obviously, later versions of the Windows operating system are also not supported.

Syser Kernel Debugger was created by a small Chinese company Sysersoft as a replacement for the SoftICE debugger. The first final version was released in 2007. Like SoftICE, Syser Kernel Debugger is capable of interactive debugging on a running system. Only 32-bit editions of modern versions of Windows are supported.

Currently, Windows Debugger is the main tool among kernel module developers. It is also used by the Windows operating system kernel team.