How to find IP address in WinDbg Windows Kernel Debugging

Solution 1:

Based on https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-ndiskd-netadapter

$$ find IP address of host
!ndiskd.netadapter -ip

Example output:

14: kd> !ndiskd.netadapter -ip
Driver             NetAdapter         Name
ffffce85591b7450   ffffce8558ff51a0   Microsoft Kernel Debug Network Adapter

IP ADDRESSES

unicast            ffffce855af44040 - 10.6.185.61
multicast          ffffce855968c040 - 224.0.0.1
multicast          ffffce855b45e040 - 224.0.0.251
multicast          ffffce855b449040 - 224.0.0.252
multicast          ffffce855968c130 - 239.255.255.250
broadcast          ffffce8559688040 - 255.255.255.255
broadcast          ffffce855af42040 - 10.6.185.255
unicast            ffffce8559694040 - fe80::e929:f1ef:83da:31b
multicast          ffffce855969a040 - ff01::1
multicast          ffffce855969a130 - ff02::1
multicast          ffffce855969a220 - ff02::1:ffda:31b
multicast          ffffce855b423040 - ff02::fb
multicast          ffffce855b450040 - ff02::1:3
multicast          ffffce8558c1f040 - ff02::c

Please note, you need the private symbols of tcpip.sys for this to work, otherwise:

11: kd> !ndiskd.netadapter -ip
...
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ndis.sys -
...
*** Type referenced: ndis!_LIST_ENTRY ***


Another method: if you are using DHCP for your host, the IP address given to the KDNET virtual adapter will be the same, as the DHCP server uses the MAC address to allocate IP addresses and the KDNIC adapter has the same MAC as the real NIC. This is printed when the machine first boots and negotiates the connection to WinDbg.

Connected to target 172.xxx.yyy.zzz on port 50009 on local IP 172.xxx.yyy.zzz
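
When the `!ndiskd.netadapter -ip` listing is saved to a debugger log, the target's own addresses can be pulled out by row type. This is an added example, not part of the original answer: the function names and the trimmed sample listing are constructed, and it assumes rows keep the `kind pointer - address` layout shown above.

```python
import ipaddress
import re

# Constructed sample, trimmed from the listing format shown in the answer.
SAMPLE = """\
14: kd> !ndiskd.netadapter -ip
Driver             NetAdapter         Name
ffffce85591b7450   ffffce8558ff51a0   Microsoft Kernel Debug Network Adapter

IP ADDRESSES

unicast            ffffce855af44040 - 10.6.185.61
multicast          ffffce855b45e040 - 224.0.0.251
broadcast          ffffce855af42040 - 10.6.185.255
unicast            ffffce8559694040 - fe80::e929:f1ef:83da:31b
multicast          ffffce855969a130 - ff02::1
"""

# Row layout: <kind> <kernel pointer> - <address>
# The backtick is allowed because WinDbg can print 64-bit pointers as hi`lo.
ROW = re.compile(r"^\s*(unicast|multicast|broadcast)\s+([0-9a-fA-F`]+)\s+-\s+(\S+)\s*$")

def parse_ip_rows(text):
    """Return (kind, pointer, ip_address object) for every address row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, adapter header, blank or symbol-error lines
        try:
            addr = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue  # last column is not a literal IPv4/IPv6 address
        rows.append((m.group(1), m.group(2), addr))
    return rows

def host_addresses(text):
    """Unicast addresses only, routable ones listed before link-local."""
    uni = [a for kind, _, a in parse_ip_rows(text) if kind == "unicast"]
    return sorted(uni, key=lambda a: (a.is_link_local, a.version))

if __name__ == "__main__":
    for addr in host_addresses(SAMPLE):
        scope = "link-local" if addr.is_link_local else "routable"
        print(f"IPv{addr.version} {scope}: {addr}")
```

If symbols are missing and the command prints only the error text, `parse_ip_rows` returns an empty list rather than raising.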