I am familiar with using WinDbg or IDA for remote kernel debugging, but right now I have extracted a kernel driver from an executable, and have done static analysis on its IDB and renamed a lot of variables. What is the easiest way of using my IDB file to debug the driver on the remote debuggee when it gets loaded by the executable?
I know how to attach to a remote kernel using IDA, but how can I use my current IDB file and put breakpoints on some of its functions so they get hit when the driver is loaded? (I don't have the corresponding PDB file for the driver, so I can't use symbols for the breakpoints.)
The above answer is not a good solution.
For future reference, the correct answer is this:
In the newest versions of IDA Pro (I tried with 8.3) you can easily just set a breakpoint on the DriverEntry function in your IDB, then set up KDNet debugging on the target machine using:
bcdedit /debug on
bcdedit /dbgsettings net hostip:hostIP port:50000 key:1.2.3.4
reboot
then in your IDA Pro, use WinDbg as the debugger and net:port=50000,key=1.2.3.4 as the connection string, then do the following:
Debugger -> Debugger Options -> Set Specific Options -> Debugging mode: Kernel mode debugging with reconnect and initial break.
After that, do the following:
Debugger -> Attach to process -> select kernel
You will hit an initial breakpoint; press F9, then load your driver (it needs to be the exact driver that you have the IDB for). If you have set everything correctly, after you load the driver IDA Pro will ask you whether this is the same driver or not; select yes, and you will then hit your breakpoint in DriverEntry.
Side note: I also suggest that after you hit the initial breakpoint when you attach, you type .reload /f in the WinDbg console
to download and load all the symbols for kernel modules for a better debugging experience.
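The target-side part of the procedure above (bcdedit, then reboot) as a PowerShell script. This is an added example and is not code from the answer's author; it wraps the same two bcdedit commands with the checks a practitioner would want before rebooting a VM: an elevation check, a sanity check that the key has the KDNet a.b.c.d form and that the host IP parses, and a read-back of the stored settings. The parameter names, the default port 50000 and the placeholder key 1.2.3.4 are taken from the answer; the function names are my own.

```powershell
# Added example: configure the TARGET machine for KDNet kernel debugging
# with the settings used in the answer, then print the connection string
# to paste into IDA Pro (WinDbg backend). Run this on the debuggee, elevated.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$HostIp,   # IP of the machine running IDA
    [int]$Port = 50000,                       # port from the answer
    [string]$Key = '1.2.3.4',                 # placeholder key from the answer
    [switch]$Reboot                           # reboot when done (answer step 3)
)

function Assert-Elevated {
    # bcdedit silently fails or errors out without an elevated token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit needs an elevated prompt; rerun PowerShell as Administrator.'
    }
}

function Test-KdnetKey([string]$k) {
    # KDNet keys are four dot-separated groups of base-36 characters (0-9, a-z).
    return $k -match '^[0-9A-Za-z]{1,36}(\.[0-9A-Za-z]{1,36}){3}$'
}

function Invoke-Bcdedit([string[]]$Arguments) {
    # Run bcdedit and stop at the first failure so we never reboot half-configured.
    & bcdedit @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

Assert-Elevated
if (-not ($HostIp -as [ipaddress])) { throw "HostIp '$HostIp' is not a valid IP address." }
if (-not (Test-KdnetKey $Key))      { throw "Key '$Key' is not in the KDNet a.b.c.d form." }

# The two commands from the answer, in order.
Invoke-Bcdedit @('/debug', 'on')
Invoke-Bcdedit @('/dbgsettings', 'net', "hostip:$HostIp", "port:$Port", "key:$Key")

# Read back what the boot store now holds before committing to a reboot.
Write-Host '--- stored debugger settings ---'
& bcdedit /dbgsettings

# This is the string the answer says to enter in IDA Pro for the WinDbg backend.
Write-Host "IDA connection string: net:port=$Port,key=$Key"

if ($Reboot) {
    Restart-Computer -Force
} else {
    Write-Host 'Reboot the target to activate KDNet (rerun with -Reboot to do it now).'
}
```

Usage on the target, elevated: `.\Enable-Kdnet.ps1 -HostIp 192.168.56.1 -Port 50000 -Key 1.2.3.4 -Reboot` (script name and IP are mine). Two caveats the answer does not spell out: the key is the only thing authenticating the debugger connection, so a trivial key such as 1.2.3.4 on anything but an isolated lab network lets anyone who can reach the port take over the kernel; running `bcdedit /dbgsettings net hostip:<ip> port:<port>` without `key:` makes bcdedit generate and print a random key instead. And if the IDB-driven breakpoint ever fails to bind, the standard WinDbg command `sxe ld:<driver>.sys` in IDA's WinDbg console (not mentioned in the answer) breaks as soon as the module is mapped, which is early enough to set a breakpoint on DriverEntry by hand.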