How can I modify windbg is using ring0 on single pc?
 

I unkonw used windbg's ring0 mode on single pc and is not used VM's Pipe ,I was seeking a patch or more way modfiy the windbg to run ring0,but I can't find,please post your suggesting !
if you have russ's patch for windbg please tell me ! :confused:

welcome to the club of single pc windbagging :)
as far as i know i havent been yet able to achieve it
russ patch ??
you mean the utility by mark russinovich ???

if yes then it is called livekd and it is available for download for free
from thier site sysinternals.com

but even with livekd you can only find static structures of kernel in a single machine you cannot trace through kernel live :(
but it sure is a nice application and if you happen to have the book
windows internals something by solomon and russinovich then you can
actually find some good kernel info by using livekd
because it also fetches the symbols from microsoft symbol server for almost all the system drivers too :)

hope this is what you are looking for

if you are ruuning XP, latest windbg allows local kernel debugging.

Select Local tab in Kernel Debugging Dialog.

Hope it helps

Visu

well it is still stactic all you can do with local kernel debugging is watch
read and write to user and kernel memory that is all
no dynamic commands like t,p,g , no break points bp etc are avl
in xp too :( that means it is of practically not much usefull

well if that is what you would like to then livekd does that for you in w2k too
and even older versions of windbg is sufficient :)

Thats right. However, I am just wondering, why livekd can offer debugging with one PC and Microsoft can't. Since livekd internally uses Microsoft kd or windbg, I am sure there has to be some (hidden??) interface for live debugging or probing. Anyone knows how livekd works?

Visu

read some microsoft.public.kernel or microsoft.public.windbg

livekd instalss a driver and fools the os to think it as a crashdump file
and fakes some context structures and redirects the ioctl to read the kernel memory

and the ms guys picked it upon that idea and implemented it in xp :)
as Local Kernel Debugging so it is a reversers contribution in some twisted
context

but in xp they dont fake context structures and such because they had the complete source code for thier os as well as russinovichs app

LiveKd
------
LiveKd allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. While the latest versions of Windbg and Kd have a similar capability on Windows XP and Server 2003, LiveKd works on NT 4 through Server 2003 and enables more functionality, such as viewing thread stacks with the !thread command, than debugger's own live kernel debugging facility.

Download:http://www.wasm.ru/baixado.php?mode=tool&id=115

thanks All of
 

:eek:
Debug is important in our way ,but mast have a super tools,like soft-ice ,trw,ollydbg,kd,windbg and more plugin's addin those. sure. :)

In fact. livekd is not realtime kernel debugger. It just make memorydump many times and do on the memorydumps. WinDbg do so too.
It is only softice which can do kernel debugger on one machine.

WinDbg and livekd is a ring3 application. You can never expert it can do ring0 debug on one machine. Because if ring0 paused, no ring3 application can running unless you are in VM.