
Debugging the Windows Kernel (Part 2)

Hosted by Ricardo L.

Details

Note: this is a follow up to the last meetup. A recap will be given for any attendee that did not have the chance to join the previous session.

In this presentation we will cover different techniques to address a fundamental issue in the information security field: investigating the security of modern versions of the Windows (NT) kernel.

Specifically, we will detail two methods of debugging the Windows kernel without resorting to WinDbg, as this is not always a possible choice. In addition, we will talk a little about the new mitigations introduced in the Windows 11 kernel, specifically regarding Virtualization Based Security, and what negative consequences they could have for us, the security researchers.

In the open-source security scene, this is generally not regarded as a real issue, since most of the time the kernel-mode debugger embedded within the Windows kernel is deemed "good enough", as it covers most of what can be debugged in the kernel. This is definitely no longer the case on Windows 11 x64, but it also leaves out important unresearched areas of the Windows 10 x64 kernel, as will be demonstrated in the talk.

The presentation includes a small lab where most of the techniques can be tried out locally by attendees. It should be of interest to those who are debugging these areas of the kernel, or doing similar low-level hardware debugging for which proper debugging tools do not exist yet (such as Secure Boot research).

sym.hack
SBA Empreenda
Rua Fialho de Almeida · Lisbon
FREE