Windows Kernel debugger doesn't properly pause execution

Question

Windows Kernel debugger doesn't properly pause execution

Opened this issue 2 months ago · 4 comments

The Windows Kernel debugger doesn't properly pause execution.
Because when we pause the execution and we execute the r command twice without unpausing, the content of the registers changes:

The expected behavior should be like this in windbg:

After breaking none of the values are changing.

Answer 1 · 2024-07-18T06:05:27.000Z

Thx for letting me know about this bug, I will fix it ASAP

Answer 2 · 2024-07-18T09:28:10.000Z

Per my testing, the target is properly stopped -- I tried to interact with the VM and the guest system hangs. Also, it seems only the first time when you run "r", you get a different value, the subsequent values are all the same. I will look into it further but this may not be a bug

Answer 3 · 2024-07-18T10:04:21.000Z

Yes it is only the first time i get a different value. Also the RIP changes from nt!DbgBreakPointWithStatus to nt!HalProcessorIdle where it stays. This behavior only happens in the binary ninja debugger not when i debug the kernel with windbg. And its not only the r command also commands like dd @r8 or any other command are changing the state.

Answer 4 · 2024-07-18T10:09:21.000Z

Right, there is definitely something unusual going on, and I need to figure that out