发表新帖
发表新帖

Debugging Windows Kernel from Linux

后端 未结
关注
4 588
梦毁少年i
梦毁少年i 2021-02-04 07:07

I used to debug the Windows Kernel using VirtualKD, WinDBG and a single Virtual Machine.

Recently I got a Linux machine, and now I wond

相关标签:
4条回答
  • 礼貌的吻别
    2021-02-04 07:34

    Solved! Basically, I ended up using two (VirtualBox) VMs emulating a Serial connection (null-modem cable) over a Unix domain socket (on the host). For more info, read below:

    Hardware setup*:

    • Debuggee:
      • Ensure the machine is turned off and edit Serial Ports settings.
      • Enable Port 1, and assign values as follows: Port Number: COM1, Port Mode: Host Pipe, Create Pipe: Unchecked (client), Port/File Path: /tmp/win_link.
    • Debugger:
      • Same as above (using the same path), only this time Create Pipe should be Checked (server).

    Debugger setup:

    • Run WinDBG and press Ctrl+K to invoke Kernel Debugging.
    • in COM, enter: Baudrate: 115200, Port: COM1, Resets: 0 and verify that Pipe and Reconnect are unchecked (important).
    • You'll be presented with the following output: Opened \\\\.\com1 Waiting to reconnect...

    Debuggee setup:

    • Run bootcfg /debug on /port com1 /baud 115200 /id 1. To verify, run bootcfg.**
    • Reboot.
    • Quite early during the booting stage, WinDBG on the other machine should detect the debuggee is running.

    *Assuming VirtualBox is used. VMWare/KVM users will probably be able to achieve the same results following similar steps. Also, for more info refer to the VirtualBox docs.

    **Assuming guests are Windows XP. Later versions include bcdedit, which may be used as described here.

    0 讨论(0)
  • 广开言路
    2021-02-04 07:36

    Another option nowadays is to enable local kernel debugging. This comes with some limitations, however it will enable you to access kernel data while just using one VM.

    This approach only works on Windows 8.0 and Windows Server 2012 and later.

    Follow these steps:

    1. Open a Command Prompt window as Administrator.
    2. Enter bcdedit /debug on
    3. If the computer is not already configured as the target of a debug transport, enter bcdedit /dbgsettings local
    4. Reboot the computer.

    Once the system is rebooted, you can execute WinDBG as Administrator, press ctrl+k or go to File -> Attach to kernel -> Local and press OK.

    At that point, you will be able to execute kernel-only commands and access kernel structures:

    Tested under Windows 10 and with the new WinDBG version (preview).

    Reference: Setting Up Local Kernel Debugging of a Single Computer Manually

    0 讨论(0)
  • 盖世英雄少女心
    2021-02-04 07:38

    For QEMU\KVM follow those instructions: http://www.linux-kvm.org/page/WindowsGuestDrivers/GuestDebugging

    0 讨论(0)
  • 长情又很酷
    2021-02-04 07:39

    Very helpful but applies to Windows XP machines. You can refer to the following link if you need to configure 2 Windows7-based virtual machines on a Linux host: http://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Debugger/Kernel

    0 讨论(0)
 看不清?
提交回复
热议问题