Windows Kernel Exploitation – Setting up the Environment

I am focused on malware analysis, but on the other hand I am also focused on Windows Kernel Exploitation. Actually, I have just started to learn it. That's why it takes time to deal with the problems initially encountered. I will explain these experiences in this article.

The first try on VMware Fusion

I usually use VMware Fusion for malware analysis, so I also preferred it in this lab. Frankly speaking, it was not hard to set up the necessary ISO files. After I installed the necessary virtual drivers, I had to configure the Serial Port settings for the next step. But this really took most of my time. In the documents I follow, I have to point the virtual drives to the /private/tmp/ path located in Mac OS X. I tried several times to do this on the VM, but I could not succeed. I also need to add that they did not specify how to do it in the source I followed.

The second try on VirtualBox

My second experience was in VirtualBox. I set up two different Windows VMs like the previous time, and the second step was to set the Serial Port. It was easier to set up Serial Ports in VirtualBox than in VMware. I was using Windows 10 Pro x64 as the debugger. When I tried to use WinDbg on this VM, there was an unexpected error. Although I did a lot of research, I couldn't find any solution. That's why I removed my VM and reinstalled it again.

Then, I decided to use Windows 7 Pro x86 for both VMs. After installing the software and other tools, I went to the Serial Port configuration section. There was an important point about the path. I set the path to /tmp/pipe for the debugger. I also did the same thing for the debuggee. The only difference was that the debuggee machine was marked as "Connect to existing pipe/socket".

There was no problem with the Debugger machine and it was working well. But when I tried to run the Debuggee machine, I got the NS_ERROR_FAILURE error. I really wanted to find a solution for this issue. I checked Stack Overflow and even the VirtualBox forum, but I can say once again that I failed.

The third try in VirtualBox with a single difference

I tried two different things while I was waiting for a response from them. Firstly, I set up a new Ubuntu VM as the main host. Then I installed VirtualBox in Ubuntu. After these steps, I created two different VMs. But when I tried to run a VM, I got a VT-x hardware acceleration error. I can say once again that I failed.

I continued to try, even though I had encountered so many errors. I tried my chance with Kali Linux. I prepared everything, but I have to say that waiting for updates was very boring. I also received many errors during the update. The result was again the same. Failed!!! Failed!

LAST TRY WITH VMWARE FUSION

I almost gave up. I tried an indirect way and it works!! Let me tell you something about this experience.

  • I created a VM from the Windows 7 Pro x86 ISO file. It was my main host.
  • Then, I installed VirtualBox in the main host. After that, I created two Windows 7 Pro x86 VMs (Debugger and Debuggee) in VirtualBox.
  • Lastly, I installed the Windows 10 SDK in the Debugger VM.

STEPS

1- Install the Windows 10 SDK in the Debugger VM. Depending on the machine you used during the installation, you may also be asked to install some additional software updates.

2- We also need to set up debugging symbols in the Debugger VM. Fortunately, Microsoft provides public debugging symbols; point WinDbg at them through a system environment variable (the C:\Symbols part is a local cache directory):

Variable Name: _NT_SYMBOL_PATH

Variable Value: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols

After WinDbg is installed, we need to enable kernel debugging in the BCD store of the VM that will be debugged (the Debuggee VM, whose boot menu is used in step 6):

  • Run cmd as administrator, and execute the following commands. The first command prints the GUID of the new boot entry; use that value in place of {MY_GUID}:
    bcdedit /copy {current} /d "Debug"
    bcdedit /debug {MY_GUID} on
    bcdedit /dbgsettings

3- After everything, we need to establish a connection between the two sides. Enable Serial Ports on both VMs so that they can communicate over a Virtual Serial Port.

4- Turn on the Debugger VM first (always), and select the first boot option, the one without [debugger enabled].

5- After the Debugger VM is booted up, open WinDbg and go to File –> Kernel Debug –> COM.

6- Boot up the Debuggee VM, and select the second boot option, the one with [debugger enabled].

7- After the Debuggee VM is booted up, hit the Break button, and you should get an interactive kd> prompt, ready to take commands.
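The symbol-path and bcdedit steps above can be scripted so that the GUID printed by bcdedit /copy is captured instead of copied by hand. The following script is an added example, not part of the original post; it is run from an elevated PowerShell on either VM, and it assumes the debuggee's virtual serial port is COM1 (debugport:1) at 115200 baud, which you should change to match the port you configured in the hypervisor.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# -Role Debugger : sets _NT_SYMBOL_PATH for WinDbg (step 2).
# -Role Debuggee : creates the "Debug" boot entry and turns kernel debugging
#                  on for that entry only, over the serial port (bcdedit steps).
param(
    [Parameter(Mandatory)][ValidateSet('Debugger', 'Debuggee')][string]$Role,
    [int]$DebugPort = 1,       # assumption: virtual serial port is COM1
    [int]$BaudRate  = 115200   # assumption: matches the hypervisor setting
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell.'
}

if ($Role -eq 'Debugger') {
    # Public Microsoft symbol server with a local cache in C:\Symbols.
    $symPath = 'SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols'
    New-Item -ItemType Directory -Path 'C:\Symbols' -Force | Out-Null
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'Machine')
    Write-Host "_NT_SYMBOL_PATH set to $symPath (start WinDbg afresh to pick it up)."
}
else {
    # Braces are quoted so PowerShell does not parse {current} as a script block.
    $copyOutput = (& bcdedit /copy '{current}' /d 'Debug' 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

    # bcdedit prints: The entry was successfully copied to {GUID}.
    if ($copyOutput -notmatch '(\{[0-9a-fA-F-]{36}\})') {
        throw "Could not find the new entry GUID in: $copyOutput"
    }
    $guid = $Matches[1]

    # Enable debugging only on the copy, so the original entry still boots normally.
    & bcdedit /debug $guid on
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /debug $guid on failed" }

    # Route the kernel debugger over the serial port the hypervisor exposes.
    & bcdedit /dbgsettings serial "debugport:$DebugPort" "baudrate:$BaudRate"
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /dbgsettings failed' }

    Write-Host "Boot entry $guid now has kernel debugging enabled (COM$DebugPort @ $BaudRate)."
    Write-Host 'At the boot menu choose the "Debug" entry (the one marked [debugger enabled]).'
    & bcdedit /dbgsettings   # show the resulting settings, as in the manual steps
}
```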


Thank you for your patience 🙂 🙂 🙂