What to debug?

Hyper-v worker process

• User mode debugging (easy).
• Symbols available.
• Attack surface: mostly Gen-1 VMs, device emulation, x86 emulation (for MMIO accesses).

Debugging options:

1. Attach to running process with WinDbg.
2. JIT debugger (not recommended):
   • Will be launched as the same user as the (crashing) worker process.
   • Each worker process (one per VM) is launched in an isolated user.
3. Crash dumps for postmortem.

Root partition / VSPs

• Windows kernel debugging (not so hard) : https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--dbgsettings
• Symbols available.
• Attack surface: vmswitch, storage VSP, etc.

Debugging options:

1. Serial port (slow, not recommended).
2. USB.
3. KDNET:
   • What I usually do.
   • Needs a supported NIC but not usually a problem.
4. Run under nested virtualization:
   • Powerful.
   • But too slow for my taste.
   • I rarely use it.

VMM (hvix64/hvax64)

• Similar to windows kernel debugging: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--hypervisorsettings
• Symbols NOT available:
  • Tip: RE it and make your own symbols https://github.com/Mixaill/FakePDB
• Attack surface: handling of guest privileged instructions, hypercalls, x86 emulation (minimal emulator for LAPIC accesses).

Debugging options:

1. Serial port.
2. KDNET (recommended).
3. Nested virtualization.
4. DCI (https://up-shop.org/default/up-xtreme-i11-boards-0000-series.html).

Getting NIC(s) information

Get-NetAdapterHardwareInfo | Format-Table Name,Description,Bus,Device,Function
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -NotLike '169.254.*' -and $_.InterfaceAlias -like "Ethernet*" } | Format-Table InterfaceAlias, IPAddress -AutoSize

Debugging Hyper-V (hvix64) with KDNET

bcdedit /hypervisorsettings NET HOSTIP:192.168.1.13 PORT:50000 BUSPARAMS:2.0.0
bcdedit /set hypervisordebug on
bcdedit /set hypervisorlaunchtype auto

Debugging the Root partition (Windows Kernel) with KDNET

bcdedit /debug on
bcdedit /dbgsettings net hostip:192.168.1.13 PORT:50001
bcdedit /set "{dbgsettings}" busparams 1.0.0