Windows Network-Based Remote Kernel Debugging Setup
Here is a quick, basic guide to setting up a debugger and a debuggee (target) for remote kernel debugging of Windows over the network (KDNET). The debuggee's network adapter must be one that KDNET supports, and both machines need to be able to reach each other over UDP on the chosen port.
Configuration
On Debugger - Get IP
ipconfig /all
On Debuggee - Setup remote kernel debugging
In an admin cmd:
bcdedit /dbgsettings NET HOSTIP:<DEBUGGER_IP> PORT:50000
# e.g. bcdedit /dbgsettings NET HOSTIP:172.16.39.2 PORT:50000
# This prints a freshly generated key. Confirm the settings and copy the 'key' value; WinDbg will ask for it
bcdedit /dbgsettings
# Enable kernel debugging for the current boot entry (takes effect on the next reboot) - should say 'The operation completed successfully'
bcdedit /debug on
Note that the key is the only thing gating the connection: anyone on the network who has it and can reach the debuggee can take kernel-level control of the machine, so treat it as a credential and only do this on an isolated lab network.
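The same debuggee configuration as a script, run from an elevated PowerShell session. This is an added example, not part of the original post; it wraps the bcdedit calls above, checks that it is running elevated and that HOSTIP is a literal address (KDNET cannot resolve names at boot), and parses the key out of the bcdedit output so it can be handed straight to the debugger. The parameter names and the 172.16.39.2 placeholder are assumptions.

```powershell
# Added example (not from the original post): configure the debuggee for KDNET
# from an elevated PowerShell session and print the key that WinDbg will need.
# $HostIp / $Port are supplied by the operator; 172.16.39.2 is only a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$HostIp,   # debugger's IP, from 'ipconfig /all' on the debugger
    [int]$Port = 50000                               # UDP port; Microsoft recommends 49152-65535
)

# bcdedit writes the boot configuration store, so this must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Reject anything that is not a literal IPv4/IPv6 address; KDNET cannot resolve host names at boot.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($HostIp, [ref]$parsed)) {
    throw "HOSTIP must be an IP address, got '$HostIp'."
}
if ($Port -lt 49152 -or $Port -gt 65535) {
    Write-Warning "Port $Port is outside the 49152-65535 range Microsoft recommends for KDNET."
}

# Step 1: point the debuggee at the debugger. bcdedit generates a fresh key each time this runs.
& bcdedit /dbgsettings NET "HOSTIP:$HostIp" "PORT:$Port" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /dbgsettings failed.' }

# Step 2: turn kernel debugging on for the current boot entry. Takes effect at the next reboot.
& bcdedit /debug on | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /debug on failed.' }

# Step 3: read the settings back and pull the key out of the 'key <value>' line.
$settings = & bcdedit /dbgsettings
$keyLine  = $settings | Select-String -Pattern '^key\s+(\S+)'
if (-not $keyLine) { throw "Could not find the key in bcdedit output:`n$($settings -join "`n")" }
$key = $keyLine.Matches[0].Groups[1].Value

$settings
Write-Host ''
Write-Host 'Enter this in WinDbg (File -> Attach to kernel -> Net):'
Write-Host "  Port: $Port"
Write-Host "  Key:  $key"
Write-Host 'Anyone on the network who learns this key can take kernel-level control of this machine;'
Write-Host 'treat it as a credential and only use it on an isolated lab network.'
```

Run it as `.\Set-KdNet.ps1 -HostIp 172.16.39.2 -Port 50000` (the file name is arbitrary) and then reboot the debuggee, as in the steps below.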
On Debugger - Install WinDbg Preview
On Debugger - Open up WinDbg
# Configure WinDbg to listen for a remote kernel debugging connection
File -> Attach to kernel -> Net (tab)
Port: 50000
Key: <insert key from debuggee>
Target: <leave blank>
Click OK
The result should show something like:
Using NET for debugging
Waiting to reconnect...
Attempt to Connect…
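The debugger side can be done from PowerShell as well. This is an added example, not part of the original post: it adds the inbound UDP firewall rule that the GUI would otherwise prompt for and starts WinDbg Preview listening with the same port and key, using WinDbg's `-k net:port=...,key=...` command-line form in place of the Net tab. It assumes WinDbg Preview is installed from the Store (so `WinDbgX.exe` resolves on PATH), that it runs elevated (needed for the firewall rule), and that the key is the one bcdedit printed on the debuggee; the rule name is an assumption.

```powershell
# Added example (not from the original post): prepare the debugger host and start
# WinDbg Preview listening for the KDNET connection without the Attach-to-kernel dialog.
# Assumes an elevated session and that 'WinDbgX.exe' is the Store install of WinDbg Preview.
param(
    [Parameter(Mandatory = $true)][string]$Key,   # the 'key' value from 'bcdedit /dbgsettings' on the debuggee
    [int]$Port = 50000,
    [string]$LabSubnet = '172.16.39.0/24'         # assumption: restrict the rule to the lab network
)

# KDNET runs over UDP and the debuggee initiates the connection, so the debugger
# needs an inbound allow rule. Scope it to the lab subnet rather than any host.
$ruleName = "KDNET kernel debugging UDP $Port"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $Port -RemoteAddress $LabSubnet -Action Allow -Profile Any | Out-Null
}

# Equivalent of File -> Attach to kernel -> Net with Port, Key and an empty Target.
& WinDbgX.exe -k "net:port=$Port,key=$Key"
```

Once WinDbg shows 'Waiting to reconnect...', reboot the debuggee as described in the next step.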
On Debuggee - Reboot the VM
On Debugger - Wait for WinDbg to show something like
You can get the target MAC address by running .kdtargetmac command.
Connected to Windows 10 19041 x64 target at (Thu Jan 28 07:46:07.981 2021 (UTC - 8:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (1 procs) Free x64
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`69c00000 PsLoadedModuleList = 0xfffff805`6a82a2f0
System Uptime: 0 days 0:00:00.846
KDTARGET: Refreshing KD connection
On Debugger - WinDbg may (or may not) break into the debuggee during boot. If it does, click the 'Go' button in the top left (sometimes takes 2-3 clicks) to let the debuggee continue booting.
Attached Kernel Debugger FTW!
Test 1
On Debugger - In WinDbg you should be able to click 'Break' in the top left (sometimes takes 2-3 clicks) to pause the debuggee VM
On Debuggee - An easy way to test that this is working is to open cmd.exe and watch the flashing cursor
On Debugger - Click 'Break' in WinDbg; the flashing cursor should freeze and the VM will become unresponsive to direct user input
On Debugger - Click 'Go' in WinDbg; the cursor should start flashing again and the VM will become responsive
Test 2
On Debugger - In WinDbg click ‘Break’
On Debugger - ‘Debuggee is running…’ should be replaced with a command prompt something like ‘0: kd>’
On Debugger - Run .reload to load the Microsoft symbols (fetched over the srv* symbol path shown in the connection banner)
On Debugger - Run lm and you should see a list of the modules loaded on the debuggee