How to debug a Windows kernel driver properly?

I'm trying to set up the environment of Windows VM for debugging a kernel driver.

I created a sample kernel driver in Visual Studio 2017 (File->New Project->Kernel Mode Driver; a basic project just for testing, with the autogenerated trace macro, required procedures, etc.) and want to test it on the target machine.

These are my steps (target machine):

  1. Install Windows 10 in a virtual machine (VirtualBox);
  2. Turn on Test mode and set BCDEdit as local;
  3. Install WDK;
  4. Download OSR Loader;
  5. Copy the files after building to the VM (C:\DriverTest\TestKernelDriver2\; .cer, .inf, .pdb, .sys);
  6. Create the traces folder: C:\DriverTest\TestKernelDriver2\traces\
  7. Install the certificate for TestKernelDriver2.sys (Sign mode: Test Sign);
  8. Run OSR Driver Loader, choose the driver, press Register Service (success).
  9. Run tracelog with these params (the GUID was generated by the template, not via Tools->Create GUID) - success:

    tracelog -start TestKernelDriver2 -guid #0f4fbb98-1569-495b-88d1-f654b1e2d68e -f C:\DriverTest\TestKernelDriver2\traces\trace.etl -flag 2 -level 0xFFFF

  10. Check C:\DriverTest\TestKernelDriver2\traces\trace.etl; (exist - 64KB size)

  11. OSR Driver Loader: press Start Service (fail). Error message: The specified procedure could not be found.
  12. Stop tracelog - success:

    tracelog -stop TestKernelDriver2

  13. Open Event Viewer. Windows logs->System. The last error:

    The TestKernelDriver2 service failed to start due to the following error: The specified procedure could not be found.

    Details: EventData param1 TestKernelDriver2 param2 %%127 54006500730074004B00650072006E0065006C0044007200690076006500720032000000

  14. Open C:\DriverTest\TestKernelDriver2\traces\trace.etl via Event Viewer and don't see any logs.

How can I find out which procedure was missing?

I tried to investigate it via Dependency Walker and found that some .sys files are missing (WppRecorder.sys, WdfLdr.sys, msrpc.sys, EXT-MS-WIN-###.DLL). These files are located in C:\Windows\System32\drivers. I copied the files to C:\Windows\System32 and Dependency Walker calmed down. As for EXT-MS-WIN-*.DLL, I read in this topic that these files can be missing.

Thanks to @magicandre1981. I installed my driver via PnPUtil, and now I see it in the output of the pnputil /enum-drivers command.


But when I run the following commands in WinDbg, I don't see my driver in the list:

    !load wdfkd.dll
    !wdfkd.wdfldr


I'm trying to follow the steps of Session 1 from this Microsoft tutorial.

slinkin Avatar asked May 31 '26 08:05

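Added example, not from the question or answer: a PowerShell script that walks the import table of the built .sys and reports which imported modules cannot be found in System32\drivers or System32, the first thing to check when a service start fails with error 127 (ERROR_PROC_NOT_FOUND, the %%127 in the event data). The driver path is an assumption; the script checks only that each imported module is present on disk, not that the module exports every procedure the driver imports.

```powershell
# Added example (not from the question or answer): walk the import table of a
# .sys image and check that every imported module exists where the kernel
# loader looks for it. The driver path is an assumption.
function Get-DriverImports {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                       # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "$Path is not a PE image" }
    $nSec    = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt     = $pe + 24                                           # optional header
    $pe32p   = [BitConverter]::ToUInt16($b, $opt) -eq 0x20B        # PE32+ (x64)
    $ddBase  = $opt + $(if ($pe32p) { 112 } else { 96 })           # DataDirectory[0]
    $impRva  = [BitConverter]::ToUInt32($b, $ddBase + 8)           # DataDirectory[1]: imports
    if ($impRva -eq 0) { return @() }
    # Section headers (40 bytes each) translate RVAs to file offsets.
    $secs = for ($i = 0; $i -lt $nSec; $i++) {
        $s = $opt + $optSize + $i * 40
        [pscustomobject]@{
            Va   = [BitConverter]::ToUInt32($b, $s + 12)
            Size = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    $rva2off = {
        param($rva)
        foreach ($s in $secs) { if ($rva -ge $s.Va -and $rva -lt $s.Va + $s.Size) { return $rva - $s.Va + $s.Raw } }
        throw ("RVA 0x{0:X} is outside every section" -f $rva)
    }
    # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; the module-name RVA is at +12; an all-zero entry ends the list.
    $d = & $rva2off $impRva
    while ([BitConverter]::ToUInt32($b, $d + 12) -ne 0) {
        $n = & $rva2off ([BitConverter]::ToUInt32($b, $d + 12))
        $e = $n; while ($b[$e] -ne 0) { $e++ }
        [System.Text.Encoding]::ASCII.GetString($b, $n, $e - $n)
        $d += 20
    }
}
function Test-DriverDependencies {
    param([Parameter(Mandatory)][string]$Path)
    $roots = "$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32"
    foreach ($m in Get-DriverImports -Path $Path) {
        $hit = $roots | Where-Object { Test-Path -LiteralPath (Join-Path $_ $m) } | Select-Object -First 1
        # EXT-MS-WIN-* / API set names are resolved by the loader, not by a file on disk.
        [pscustomobject]@{ Module = $m; Found = [bool]$hit; Location = $hit }
    }
}
Test-DriverDependencies -Path 'C:\DriverTest\TestKernelDriver2\TestKernelDriver2.sys' | Format-Table -AutoSize
```

A module reported as present can still lack the imported export (for example a KMDF driver whose WdfLdr.sys is on disk but whose framework version is not registered), so compare the output with the event log error rather than treating it as the final answer.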


1 Answer

I found the solution via tracefmt generator and TraceView application.

Step 0: Generate the TMF file with the command:

    tracefmt C:\TestDriver\TestKernelDriver2\TestKernelDriver2.etl -i C:\TestDriver\TestKernelDriver2\TestKernelDriver2.sys -r C:\TestDriver\TestKernelDriver2\TestKernelDriver2 -p C:\TestDriver\TestKernelDriver2\tmfs -o C:\TestDriver\TestKernelDriver2\TestKernelDriver2.txt -v

Step 1: Create Session in TraceView: File -> Create New Session. Fill Manually Entered Control GUID. (0f4fbb98-1569-495b-88d1-f654b1e2d68e)

Step 2: Choose the Source of WPP Format Information (Set TMF Search Path option) and fill in the path: C:\DriverTest\TestKernelDriver2\tmfs

Step 3: Next, fill in the Log Session Name and make sure Real-Time Display is checked. Finish.

TraceView settings

slinkin Avatar answered Jun 02 '26 21:06



