Unusual strings in Kernel debugging

Bagher · Dec 28, 2020

Hi

Yesterday I decided debug my windows. I connected my laptop(debugee) to a PC(debugger) with a Lan cable and used from Kdnet.exe to debug over network card. My Windows is fresh. But when I started my laptop and ran the windbg on debugger system(PC), I saw an unusual strings in windbg:

"the target has requested that the debugger execute a command"

I installed a new fresh windows 10 and try again. But I see this message again.

Next time I delete my EFI boot partition and install a fresh Windows10 and I see it again.

Is this behavior normal or no?

I have a Lenovo y510 with a Windows10 UEFI .

Also I attached a screenshot from my PC monitor

x BlueRobot · Dec 28, 2020

Looks normal to me, seems like the target machine has encountered an error, according to the documentation, the ACPI will attempt to break in with a debugger if it encounters a fatal error.

zbook · Dec 28, 2020

How frequent are the BSOD after the clean install?
Were the BSOD before or after driver installation or both?
Had you ran the Lenovo hardware diagnostics? > post results into the thread

See posting instructions: Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 + Vista | Sysnative Forums

Bagher · Dec 29, 2020

x BlueRobot said:
Looks normal to me, seems like the target machine has encountered an error, according to the documentation, the ACPI will attempt to break in with a debugger if it encounters a fatal error.

Thank you.
But I thought maybe it is for a rootkit. A rootkit that uses from anti-debugging technique. Because I used to see this message when I was debugging an Anti-Cheat driver of a game.

Bagher · Dec 29, 2020

zbook said:
How frequent are the BSOD after the clean install?
Were the BSOD before or after driver installation or both?
Had you ran the Lenovo hardware diagnostics? > post results into the thread

See posting instructions: Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 + Vista | Sysnative Forums

Thank you,

I will do. But my problem isn't BSOD. My problem is in kernel debugging.

x BlueRobot · Dec 29, 2020

Bagher said:
But I thought maybe it is for a rootkit. A rootkit that uses from anti-debugging technique. Because I used to see this message when I was debugging an Anti-Cheat driver of a game.

Most software will employ anti-debugging techniques for obvious reasons. Have you checked what the error message is for? The !almi extension is typically used for debugging the ACPI.

x BlueRobot · Dec 29, 2020

@zbook Please ensure that you read the OP's initial post properly, it's clear that they're setting up a live debugging session with a remote computer.

Bagher · Dec 29, 2020

x BlueRobot said:
Most software will employ anti-debugging techniques for obvious reasons. Have you checked what the error message is for? The !almi extension is typically used for debugging the ACPI.

The problem is that I don't know how to find out which driver generates this error. This error is shown when debugging process starts.
I installed a fresh Windows because I thought this error is for a malicious driver or a rootkit or a bootkit. But nothing changed.
Also I installed "Lenovo hardware diagnostic", but it says all hardwares are OK.
Perhaps you are right. Maybe this is for ACPI.

x BlueRobot · Dec 29, 2020

In WinDbg, you can click the DML link (the blue text) and it will run the command for you. Could you please post the output?

Bagher · Dec 29, 2020

I did it but nothing happened. Seems the blue link is nothing.

x BlueRobot said:
In WinDbg, you can click the DML link (the blue text) and it will run the command for you. Could you please post the output?

x BlueRobot · Dec 29, 2020

Try this:

Code:

!amli err 0xee

Bagher · Dec 30, 2020

I ran thid command. I think the "err" command is an undocumented command or doesn't exists for amli. I attached the result.
I also read about amli command in the Intel documents and didn't see the err command

x BlueRobot said:
Try this:

Code:

!amli err 0xee

x BlueRobot · Dec 31, 2020

It's undocumented but it does exist otherwise WinDbg wouldn't recommend it, have you tried enter the command in the blue text manually? I'm wondering if the DML is broken for that particular command hence why it doesn't work when you click it.

Search

Search

Unusual strings in Kernel debugging

Bagher

Member

Attachments

x BlueRobot

Moderator, BSOD Academy Instructor

zbook

Member

Bagher

Member

Bagher

Member

x BlueRobot

Moderator, BSOD Academy Instructor

x BlueRobot

Moderator, BSOD Academy Instructor

Bagher

Member

x BlueRobot

Moderator, BSOD Academy Instructor

Bagher

Member

Attachments

x BlueRobot

Moderator, BSOD Academy Instructor

Bagher

Member

Attachments

x BlueRobot

Moderator, BSOD Academy Instructor