[LIVEKD]

Live kernel debugger for rootkit detection, kernel analysis, and advanced system-level security investigation

Difficulty: Expert
Category: Advanced

Expert Tool Warning

LiveKd hands a debugger read access to live kernel memory and system structures. It does not set breakpoints or write kernel memory, but it reads a running kernel whose structures change underneath it, and writing a full memory dump of a large or busy system takes time and can stall the machine while it runs. Use it only if you understand Windows kernel internals, and prefer a controlled environment or a dump taken with -o for anything you need to reproduce or present as evidence.

Key Features

Kernel Memory Access
Direct access to live kernel memory and structures
Rootkit Detection
Uncover kernel-level malware and rootkits
System Structure Analysis
Examine kernel objects, driver lists, and system tables
WinDbg Integration
Leverages Windows Debugger for kernel analysis

Understanding Kernel Debugging

Kernel debugging exposes the Windows kernel's internal data structures and memory to the debugger. Normally that requires a second machine (or a VM) attached over a debug transport, with the target booted in debug mode. LiveKd instead lets kd or WinDbg open the running local kernel as if it were a crash dump: every command that works on a dump file works here, breakpoints and memory writes do not, and because the system keeps running, a list can change while the debugger is walking it. When you need a stable view, capture a dump with -o and analyze it offline.

What You Can Analyze:

  • Process and thread structures
  • Device driver information
  • System service tables (SSDT)
  • Interrupt descriptor tables (IDT)
  • Memory management structures
  • Registry hive information

Security Applications:

  • Rootkit detection and analysis
  • SSDT hook detection
  • Hidden process discovery
  • Driver integrity validation
  • Kernel object manipulation detection
  • Advanced persistent threat analysis

Basic Usage

Starting LiveKd

# Start LiveKd; it launches kd from the Debugging Tools for Windows installation it locates
livekd

# Run WinDbg instead of kd
livekd -w

# Point LiveKd at a specific debugger (full path required; adjust to your Debugging Tools install)
livekd -k "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe"

# Write a kernel memory dump for offline analysis (the debugger is not needed for this step)
livekd -o kernel.dmp

Prerequisites

  • Windows Debugging Tools: kd.exe or WinDbg from Debugging Tools for Windows (shipped with the Windows SDK and WDK) must be installed; the -o dump option works without it
  • Administrative Privileges: Must run from an elevated session for kernel memory access
  • Symbols: Point _NT_SYMBOL_PATH at a local cache backed by the Microsoft public symbol server, otherwise structure walks and !-extensions misreport
  • System Requirements: Runs on current Windows client and server releases; check the Sysinternals page for the supported list

Rootkit Detection Techniques

Common Detection Methods

1. SSDT Hook Detection

Check the System Service Descriptor Table for entries that no longer resolve into the nt image, then check the dispatch routines themselves for inline patches (a jmp at the prologue). On x64 the table entries are 32-bit offsets from nt!KiServiceTable rather than pointers, so resolve them before comparing against symbols; !chkimg -d nt compares the in-memory kernel with the on-disk image and reports every patched byte. On current 64-bit Windows, kernel patch protection makes SSDT hooking rare, so treat this mainly as a check for 32-bit and legacy systems.

kd> dd nt!KeServiceDescriptorTable
kd> u nt!NtOpenProcess

2. IDT Analysis

Examine the Interrupt Descriptor Table for handlers that do not resolve to nt, hal, or a known loaded driver. !idt lists the populated vectors with their handlers; -a includes every vector.

kd> !idt
kd> !idt -a

3. Driver List Verification

Compare the modules the kernel has loaded with what user-mode enumeration reports (driverquery, Get-CimInstance Win32_SystemDriver) and with the signed files on disk. A module with no matching service entry, or with no file on disk, is a strong indicator. !drvobj needs a driver name or object address; flag 2 prints the dispatch table, where an entry pointing outside the driver's own image indicates IRP hooking.

kd> lm t n
kd> !drvobj <driver name or address> 2

Process Hiding Detection

List processes from the kernel side and compare the PIDs with a user-mode view (tasklist, Get-Process). A process the kernel knows about but user mode cannot see is hidden from user mode. Note that !process 0 0 walks the same active process list a DKOM rootkit unlinks itself from, so a process hidden that way is missing here too; in that case scan for process objects by pool tag (!poolfind Proc) instead of trusting the list.

# List active processes from the kernel's active process list
kd> !process 0 0

# Show one process in detail, including its PEB and Token addresses
kd> !process <EPROCESS address> 1

# Examine its token (address from the line above), resolving SIDs to names
kd> !token <token address> -n
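The kernel-versus-user-mode comparison described above, written out as an added example in PowerShell (this is not part of LiveKd or the Sysinternals documentation). It parses the text of a captured !process 0 0 listing, takes the user-mode PID list from Get-Process, and reports every PID the kernel lists that user mode cannot see. The sample listing is constructed for illustration: the addresses, PIDs and the misspelled image name are made up, and a real capture would normally be pasted in from a kd log.

```powershell
# Added example: cross-view process check (kernel "!process 0 0" listing vs. Get-Process).
# The listing below is constructed; addresses, PIDs and image names are not from a real system.
$SampleKernelListing = @'
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffd18a0c08a040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ae000  ObjectTable: ffffb3004e01b9c0  HandleCount: 3120.
    Image: System

PROCESS ffffd18a0f26c080
    SessionId: 0  Cid: 0280    Peb: 2b8f9a7000  ParentCid: 0004
    DirBase: 10a3c5000  ObjectTable: ffffb3004fa0f6c0  HandleCount:  58.
    Image: smss.exe

PROCESS ffffd18a1234d080
    SessionId: 1  Cid: 1f40    Peb: 0000000000  ParentCid: 0280
    DirBase: 2c1b7e000  ObjectTable: ffffb30051e07300  HandleCount:  12.
    Image: svch0st.exe
'@

function ConvertFrom-KdProcessListing {
    # Turn the debugger's text listing into objects: EPROCESS address, PID (Cid is hex), image name.
    param([Parameter(Mandatory)][string]$Listing)
    $current = $null
    foreach ($line in ($Listing -split "`r?`n")) {
        if ($line -match '^PROCESS\s+([0-9a-fA-F`]+)') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ EProcess = $Matches[1]; ProcessId = $null; Image = $null }
        }
        elseif ($current -and $line -match '\bCid:\s*([0-9a-fA-F]+)') {
            $current.ProcessId = [Convert]::ToInt32($Matches[1], 16)
        }
        elseif ($current -and $line -match '\bImage:\s*(.+?)\s*$') {
            $current.Image = $Matches[1]
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Compare-ProcessViews {
    # Kernel view (parsed listing) vs. user-mode view (Get-Process, or a PID list you supply so the
    # function can be run offline against a saved capture). Emits only the discrepancies.
    param(
        [Parameter(Mandatory)][string]$KernelListing,
        [int[]]$UserModePids = (Get-Process).Id
    )
    foreach ($p in ConvertFrom-KdProcessListing -Listing $KernelListing) {
        if ($p.ProcessId -eq 0) { continue }   # the Idle process never appears in user mode
        if ($UserModePids -notcontains $p.ProcessId) {
            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Image     = $p.Image
                EProcess  = $p.EProcess
                Finding   = 'listed by the kernel, not visible to Get-Process'
            }
        }
    }
}

# Offline run against the constructed listing: pretend user mode sees only PIDs 4 and 640 (0x280),
# so the 0x1f40 entry (svch0st.exe, PID 8000) is reported.
Compare-ProcessViews -KernelListing $SampleKernelListing -UserModePids @(4, 640) | Format-Table -AutoSize

# Live use: feed the real listing (for example from a kd -logo log file) and omit -UserModePids.
```

The two views are never captured at the same instant, so processes that started or exited between the kernel listing and the Get-Process call show up as noise; run the comparison twice and keep only what appears both times. The check also inherits the limitation noted above: a process unlinked from the active process list is absent from the kernel listing too and needs a pool scan rather than a list walk.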

Essential WinDbg Commands

Command                   Description                         Use Case
!process 0 0              List all processes                  Hidden process detection
!drvobj <driver> 2        Display a driver object and its     Malicious driver / IRP hook detection
                          dispatch table
!idt [-a]                 Dump interrupt descriptor table     IDT hook detection
!chkimg -d <module>       Compare in-memory image with the    Kernel patching detection
                          on-disk file
!object <path or addr>    Examine kernel objects              Object manipulation analysis
!gflag                    Global flags information            System configuration analysis
!analyze -v               Automated analysis                  Crash dump analysis

Security Use Cases

🕵️ Advanced Threat Hunting

Hunt for sophisticated threats operating at kernel level.

Target: APT groups using kernel-level persistence

🔍 Forensic Investigation

Deep forensic analysis of compromised systems.

Evidence: Kernel-level artifacts and modifications

🛡️ Rootkit Analysis

Detect and analyze kernel-mode rootkits and bootkits.

Method: SSDT/IDT hook detection and validation

🧪 Malware Research

Research kernel-mode malware techniques and countermeasures.

Focus: Evasion techniques and detection bypass methods

Advanced Detection Techniques

Memory Analysis Patterns

  • Kernel Pool Analysis: Examine pool allocations for suspicious patterns
  • Object Reference Tracking: Follow object references to detect manipulation
  • Code Integrity Verification: Compare loaded code with disk images
  • System Call Table Comparison: Diff the SSDT against a known-good baseline or the on-disk kernel image to catch modified entries

Automated Analysis Scripts

# Create a debugger script: one command per line, ending with q so kd exits when it is done
echo !process 0 0 > rootkit_check.txt
echo lm t n >> rootkit_check.txt
echo !idt -a >> rootkit_check.txt
echo q >> rootkit_check.txt

# Run it through LiveKd: -k needs the full debugger path; the remaining options are passed to kd
livekd -k "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe" -logo rootkit_check.log -c "$<rootkit_check.txt"
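An end-to-end version of the procedure covered by the Prerequisites and Automated Analysis Scripts sections, as an added PowerShell example that is not part of LiveKd or the Sysinternals documentation. It checks for an elevated session, sets the symbol path, takes a memory snapshot with livekd -o, then runs a scripted, read-only triage against the dump with kd so that the live system is touched only once. The debugger path under Windows Kits, the C:\Triage working directory and the use of -ml (the Windows live-dump API, Windows 8.1 and later) are assumptions to adjust for your environment.

```powershell
# Added example: snapshot with LiveKd, scripted triage with kd against the dump.
# Assumed paths: $KdPath matches a Windows Kits install; $Work needs room for a full memory dump.
$KdPath = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\Debuggers\x64\kd.exe'
$Work   = 'C:\Triage'
$Dump   = Join-Path $Work 'kernel.dmp'
$Script = Join-Path $Work 'rootkit_check.txt'
$Log    = Join-Path $Work 'rootkit_check.log'

# Kernel memory access needs an elevated token; fail early rather than half-way through.
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) { throw 'Run from an elevated PowerShell session.' }
if (-not (Test-Path $KdPath)) { throw "kd.exe not found at $KdPath; install Debugging Tools for Windows." }
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Symbols: local cache in front of the Microsoft public symbol server.
$env:_NT_SYMBOL_PATH = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'

# Debugger script: one command per line, q last so kd exits instead of waiting at the prompt.
@'
.reload
lm t n
!process 0 0
!idt -a
!chkimg -d nt
q
'@ | Set-Content -Path $Script -Encoding ASCII

# 1. Snapshot. -o writes the dump without needing the debugger; -ml asks Windows for a live dump
#    (assumed: Windows 8.1 or later, drop it on older systems); -accepteula keeps the step unattended.
#    livekd.exe is assumed to be on PATH.
& livekd.exe -accepteula -ml -o $Dump
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Dump)) { throw "LiveKd did not produce $Dump" }

# 2. Analysis against the dump: -z opens it, -c runs the script, -logo records all output.
& $KdPath -z $Dump -logo $Log -c ('$<' + $Script)

# 3. Quick triage of the log: the !chkimg summary line reads "N errors : nt"; anything but 0 needs
#    a manual look (known benign patches, such as from a security product, included).
Get-Content $Log | Select-String -Pattern ' errors : ' | ForEach-Object { $_.Line }
```

Working from the dump rather than the live kernel also means the log, the dump and the script can be preserved together as evidence, and the same script can be re-run later with newer symbols.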

Limitations & Considerations

⚠️ System Impact

LiveKd reads kernel memory while the system keeps running, so long walks can stall the machine and may return a view in which linked structures changed mid-read. Writing a full memory dump with -o takes time and disk space proportional to RAM.

⚠️ Skill Requirements

Requires deep understanding of Windows kernel architecture and debugging concepts.

⚠️ Detection Limitations

LiveKd only sees what the running kernel sees. A rootkit that unlinks its objects (DKOM), one that runs below the kernel (a hypervisor or bootkit), or one that intercepts memory reads can present a clean view to the debugger. Treat a clean LiveKd session as one data point, not as a clearance.

⚠️ Environment Dependency

Analysis results may vary based on system configuration, patches, and security software.

Best Practices & Tips

Use in controlled environment: Only use on test systems or during controlled incident response
Configure symbol paths: Ensure proper Microsoft symbol configuration for accurate analysis
Document baseline behavior: Understand normal kernel structures before hunting for anomalies
Combine with other tools: Cross-check against user-mode enumeration and memory-forensics tooling; RootkitRevealer, often cited alongside LiveKd, is retired and only supports legacy 32-bit Windows versions
Create memory snapshots: Use -o option to create kernel dumps for offline analysis

Get LiveKd

Download LiveKd as part of the Sysinternals Suite

Download LiveKd.exe