Debugging Kernel Streaming: can't get !ks.dumplog


  • Hi all. I'm trying to get the Kernel Streaming extension ks.dll working in WinDbg, specifically the !ks.dumplog feature.

    WDK: 8.1

    Target: Windows 8 Kernel Version 9600 MP (1 procs) Checked x64

    Host: Win7, windbg: 6.3.9600.16384 AMD64

    1: kd> !ks.dumplog
    ---> INITIALIZING KS DEBUGGER EXTENSION
    ---> This will only happen once...  please wait...
    ---> Checking KS symbols...  please wait...
    ---> KS symbols seem ok...
    ---> Initializing all LibExt modules...
    ---> This may take a few moments as symbols / modules are validated
    ---> Please wait...
    ---> LibExt modules initialized and validated
    Matched: fffff800`01c24198 ks!KsLog = <no type information>
    Matched: fffff800`01c1ee58 ks!KsLog (<no parameter info>)
    Cannot access the log; ensure you are running debug ks.sys!

    Executing this command shows mass quantities of ks.sys symbol output, which certainly looks debug-ish:

    1: kd> x ks!*
    fffff800`01c11170 ks!SignalCompletion (void)
    fffff800`01c1fdfb ks!EventDpc$filt$1 (void)
    fffff800`01c1fe2b ks!EventDpc$filt$0 (void)
    fffff800`01c203a0 ks!_imp_IoAllocateIrp = <no type information>
    fffff800`01c455d0 ks!KspCreatePin (<no parameter info>)
    fffff800`01c2ee08 ks!DefClockClose (<no parameter info>)
    fffff800`01c51980 ks! ?? ::NNGAKEGL::`string' (<no parameter info>)
    fffff800`01c20498 ks!_imp_Mm64BitPhysicalAddress = <no type information>
    fffff800`01c201f0 ks!_imp_ExAcquireFastMutexUnsafe = <no type information>
    fffff800`01c45e08 ks!CKsPin::Init (<no parameter info>)
    fffff800`01c3fb38 ks!CKsFilter::DispatchClose (<no parameter info>)
    fffff800`01c12150 ks!WppClassicProviderCallback (<no parameter info>)
    fffff800`01c51ad0 ks! ?? ::NNGAKEGL::`string' (<no parameter info>)
    fffff800`01c4a668 ks!KsPinGetConnectedPinInterface (<no parameter info>)

    ...

    Any ideas on what might be wrong / missing?

    Thanks very much.

    Monday, June 9, 2014 10:22 PM

All replies

  • This command requires the debug version of KS.SYS. Unless you're running on the debug build, or you've copied the debug version of KS.SYS onto your system (disabling SFP first), then you don't have the debug build of KS.SYS.

     -Brian

    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, June 10, 2014 12:06 AM
  • Hi Brian. Thanks for the reply. As stated in the post, I am running on a checked (aka debug) build of Win 8.1 x64. I am running WinDbg x64 as well. I initially tried using .kdfiles to load the checked (debug) ks.sys binary onto an otherwise free build of Win 8.1 x64 (which seemed to work ok) and got the same result as with the completely checked build. Are you saying that neither of these techniques is sufficient to get a debug version of ks.sys on my target? Thanks

    Tuesday, June 10, 2014 12:43 AM
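A host-side check for the situation discussed above, added here as an example and not code from the thread or from Microsoft: before pointing .kdfiles at a ks.sys, confirm the binary really is a checked build, then write the map file. The check assumes checked-build system binaries set VS_FF_DEBUG in their version resource (surfaced by .NET as FileVersionInfo.IsDebug); the file paths are hypothetical placeholders.

```powershell
# Added example (not from the thread). Verify that a ks.sys on the host is a
# checked build and emit a .kdfiles map that substitutes it on the target.
# Assumption: checked builds carry VS_FF_DEBUG in the version resource, which
# FileVersionInfo exposes as IsDebug. Paths below are hypothetical.

function Get-KsBuildInfo {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    [pscustomobject]@{
        Path        = (Resolve-Path -LiteralPath $Path).Path
        FileVersion = $vi.FileVersion
        IsDebug     = $vi.IsDebug          # VS_FF_DEBUG set => checked build
        IsPrivate   = $vi.IsPrivateBuild
        Description = $vi.FileDescription
    }
}

function New-KsKdFilesMap {
    # Writes a .kdfiles map replacing the target's ks.sys with the host copy.
    # The driver loads at boot, so the mapping takes effect after .reboot.
    param(
        [Parameter(Mandatory)][string]$CheckedKs,
        [string]$MapPath = (Join-Path $env:TEMP 'ks.kdfiles')
    )
    $info = Get-KsBuildInfo -Path $CheckedKs
    if (-not $info.IsDebug) {
        throw "$($info.Path) is not a checked build (VS_FF_DEBUG clear), version $($info.FileVersion)"
    }
    # .kdfiles map format: a 'map' line, the target-side path, the host-side path.
    @(
        'map'
        '\SystemRoot\system32\drivers\ks.sys'
        $info.Path
    ) | Set-Content -LiteralPath $MapPath -Encoding ASCII
    Write-Host "Wrote $MapPath. In WinDbg: .kdfiles $MapPath ; .reboot"
    return $MapPath
}

# Usage on the host (hypothetical path to the checked binary from the WDK):
#   Get-KsBuildInfo -Path 'C:\checked\ks.sys'
#   New-KsKdFilesMap -CheckedKs 'C:\checked\ks.sys'
```

After the target comes back up, `lm vm ks` in WinDbg shows the image path and timestamp of the ks.sys that actually loaded, which is the quickest way to confirm the substitution happened before blaming the extension.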
  • Sorry, I missed that. I have reproduced your problem. Unfortunately, the extension DLLs are sometimes broken, as is the case with this version. You can try a previous version and that may work. I'll send a note to the KS team. One of them may chime in with a workaround, or you'll have to wait until the next release.

     -Brian


    Tuesday, June 10, 2014 12:54 AM
  • Well, I tried build 9200 of the tools and got the same result. Do you think this is an issue with the target / symbols, or more with the tools themselves?

    I.e., should I try a Windows 7 client?


    Tuesday, June 10, 2014 2:08 PM
  • The product team has been notified. This thread will be updated when more information is available.

    It may work on Win7, and it won't hurt to try it. Let me know if it works.

     -Brian


    Tuesday, June 10, 2014 9:47 PM