[_Lynn]

How can I properly debug the windows boot sequence, don't get me wrong I'm not talking about real mode or bootloader debugging, just would like an idea as to where windows actually begins it's execution.

thanks ;)

[rkhunter]

Look /BREAK loader's parameter - this is the earliest point (during HAL init).

[_Lynn]

Is it possible though to break execution at KiSystemStartup?

[rkhunter]

Have you looked at the stack at the time of activation of the breakpoint?

First breakpoint (on /BREAK responce)
KiSystemStartup->KiInitializeKernel->ExpInitializeExecutive->HalInitSystem->HalpGetParameters->DbgBreakPoint

2-nd
KiSystemStartup->KiInitializeKernel->ExpInitializeExecutive->RtlpBreakWithStatusInstruction

[_Lynn]

I not understand what you mean /BREAK :(

I am try to analyze a rootkit that I believe is patching call to KiInitializePatchguard (INIT) to use it's hooks. I just have wanted to begin my analysis at KiSystemStartup but Im not sure how that goes..

for example my bcd entry looks like

Code: Select all

bcdedit /dbgsettings serial debugport:1 /start AUTOENABLE
bcdedit /debug ON

when I restart windows it not give me chance to attach debugger. Can only attach afterwards.. long after KiSystemStartup been called. Could you please explain proper protocol for this?

Thanks! :lol:

[_Lynn]

Nevermind I find its

Code: Select all

/debugboot