# Intro
I just wanted to make some quick notes here to refresh my memory on `KDNET` and to add a word or two about nested virtualization of `Win11` on `Win11` such as it may be.
Some old hats probably used [VirtualKD](https://sysprogs.com/legacy/virtualkd/) before because it offered much faster debugging than `COM` for example (x45 times haha) but (1) *it's not supported anymore and* (2) *it was probably never a 💯 solid idea to use `VirtualKD` for sensitive debugging sessions anyway*.
What about `Hyper-V`? I have been a pretty heavy `VMware` user for a long time, although I do run a private `Hyper-V` server with [WAC](https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview) integration. However, I split my time now with `Hyper-V` as it really is a pretty accomplished platform. Additionally, I run all my personal hardware on `Enterprise` editions and with `Win11` this came with Virtualization Based Security (VBS) and Hypervisor-protected Code Integrity (HVCI) on by default. At that time there was no support for `VMware` in that scenario (that's different now).
# Win11 & Hyper-V
As we know, `Trusted Platform Module (TPM) v2.0` is a requirement for `Windows 11`. Basically it offers some (more) secure cryptographic operations/guarantees and it can do things like attestation. You can read more about it on your own time [here](https://learn.microsoft.com/en-gb/windows/security/information-protection/tpm/trusted-platform-module-overview). The first thing you need to do for your VM is make sure that `vTPM` support is turned on.
![[Pasted image 20221019003104.png]]
Note here that `Secure Boot` is turned off. The reason is that it will interfere with `KDNET`. You can turn it off before the install or later, before you use `KDNET`.
Then come some simple, yet annoying parts that are actually not well documented online:
- You need **at least 4096 MB** of RAM. Of course it won't tell you that it's not enough, it will just fail to initialize.
- You need **at least 2 vCPUs**. This is also not documented properly, but at least people talk about it online.
https://twitter.com/FuzzySec/status/1523761034104033280
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">So, just a pro tip to save you some time. I was setting up some Win11 machines in Hyper-V and getting "This PC can't run Windows 11". People will tell you about enabling TPM and at least 2 VPC's but, listen, you also need 4gb RAM</p>— b33f | 🇺🇦 (@FuzzySec) <a href="https://twitter.com/FuzzySec/status/1523761034104033280?ref_src=twsrc%5Etfw">May 9, 2022</a></blockquote>
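The VM settings listed above can also be checked and applied from an elevated PowerShell prompt on the Hyper-V host. This is an added example, not part of the original notes; the VM name `Win11-Debug` is a placeholder, and the Generation 2 check is an added assumption (vTPM and Secure Boot are Generation 2 features).

```powershell
# Added example: apply the Win11 guest requirements from these notes on the Hyper-V host.
# 'Win11-Debug' is a placeholder VM name.
$VMName = 'Win11-Debug'

$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off')  { throw "Shut down '$VMName' before changing its hardware." }
if ($vm.Generation -ne 2) { throw "'$VMName' is Generation $($vm.Generation); vTPM and UEFI need Generation 2." }

# At least 2 vCPUs and 4096 MB RAM, otherwise Windows 11 setup refuses to install.
if ((Get-VMProcessor -VMName $VMName).Count -lt 2) {
    Set-VMProcessor -VMName $VMName -Count 2
}
if ((Get-VMMemory -VMName $VMName).Startup -lt 4GB) {
    Set-VMMemory -VMName $VMName -StartupBytes 4GB
}

# vTPM: the VM needs a key protector before the TPM can be enabled.
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName
}

# Secure Boot off, because it interferes with KDNET.
Set-VMFirmware -VMName $VMName -EnableSecureBoot Off

# Report the resulting configuration so it can be checked at a glance.
[pscustomobject]@{
    VM         = $VMName
    vCPU       = (Get-VMProcessor -VMName $VMName).Count
    StartupMB  = (Get-VMMemory -VMName $VMName).Startup / 1MB
    TpmEnabled = (Get-VMSecurity -VMName $VMName).TpmEnabled
    SecureBoot = (Get-VMFirmware -VMName $VMName).SecureBoot
}
```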
# KDNET
`KDNET` is like a bridge that will connect our VM to `WinDbg` so we can initiate a `KD` session. The install documentation is [here](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection-automatically). `KDNET` offers some pretty good speeds when doing `KD`. If you haven't used it yet, you can forget about `COM`. It's ok, you can still drink ☕ while you think instead of while you wait! Is it as fast as `VirtualKD`? Probably not, I would say, but it is totally serviceable and it obviously has much better security guarantees.
The install instructions are pretty self-explanatory. You have to go to the `debugging tools` folder in the [SDK](https://developer.microsoft.com/en-gb/windows/downloads/windows-sdk/). Install the `debugging tools` from the `SDK` if you don't have them. The directory will be something like this:
```
C:\Program Files (x86)\Windows Kits\10\Debuggers\...
```
From here, copy `kdnet.exe` and `VerifiedNICList.xml` and place them on the target machine in a new folder with the following path:
```
C:\KDNET
```
Remember to turn off `Secure Boot` if it is still on.
On the target machine you can test that `KDNET` will work like so:
```
C:\KDNET> kdnet.exe
Network debugging is supported on the following NICs:
busparams=1.0.0, Broadcom NetXtreme Gigabit Ethernet, Plugged in.
This Microsoft hypervisor supports using KDNET in guest VMs.
```
Finally, run `KDNET` like so and copy the key it displays, because you will need that key to connect to the target from `WinDbg` on your host machine.
```
C:\KDNET> kdnet.exe <HostComputerIPAddress> <YourDebugPort>
Enabling network debugging on Intel(R) 82577LM Gigabit Network Connection.
Key=2steg4fzbj2sz.23418vzkd4ko3.1g34ou07z4pev.1sp3yo9yz874p
```
A lazy tip here is that you can make a `batch` shortcut on the desktop of your target machine, something like this:
```
cd /D C:\KDNET
kdnet.exe xx.xx.xx.xx 50000
```
### WinDbg Preview
There is just one caveat here related to `WinDbg Preview`. You can of course use `KDNET` with either the old or the new `WinDbg`, but if you only have the new version then you won't necessarily have the `debugging tools` installed. You will have to get those from the `SDK` no matter what.
# Establish your session
Cool, all we need to do now is set up `WinDbg` using the `Key` we got from `KDNET` on the target machine.
### WinDbg Preview
![[Pasted image 20221019010301.png]]
Reboot the target machine and wait.
![[Pasted image 20221019011502.png]]
### WinDbg
![[Pasted image 20221019010906.png]]
Reboot the target machine and wait.
![[Pasted image 20221019011346.png]]
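
The same connection can be started from PowerShell on the host instead of the GUI dialogs. This is an added example, not part of the original notes: the target IP address and firewall rule name are placeholders, `windbg.exe` is assumed to be on `PATH`, and the host is assumed to use Windows Defender Firewall. The key is read interactively so it does not end up in a script file, and the firewall rule is scoped to the target VM only.

```powershell
# Added example (run elevated on the debugger host).
$TargetIp = '192.0.2.10'   # placeholder: IP address of the target VM
$Port     = 50000          # must match the port passed to kdnet.exe on the target
$RuleName = 'KDNET inbound (debug target only)'   # placeholder rule name

# Paste the Key= value printed by kdnet.exe on the target.
$Key = (Read-Host 'KDNET key').Trim()

# A KDNET key is four dot-separated groups of 0-9 / a-z; reject anything else
# before it is placed on a command line.
if ($Key -notmatch '^[0-9a-z]+(\.[0-9a-z]+){3}$') {
    throw 'That does not look like a KDNET key (expected four dot-separated groups).'
}

# KDNET traffic is UDP from the target to the host. Allow it only from the target
# rather than opening the port to the whole network.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $Port -RemoteAddress $TargetIp -Action Allow | Out-Null
}

# Start the kernel debugger, then reboot the target machine and wait for it to connect.
Start-Process -FilePath 'windbg.exe' -ArgumentList '-k', "net:port=$Port,key=$Key"
```

On the target, `bcdedit /dbgsettings` shows the key, port and host IP that `kdnet.exe` wrote, which is a quick way to confirm both sides agree before rebooting.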