Debugging Windows Kernel from Linux
4

17

I used to debug the Windows Kernel using VirtualKD, WinDBG and a single Virtual Machine.

Recently I got a Linux machine, and now I wonder: what's the easiest way to debug the Windows Kernel when your host is unable to run VirtualKD/WinDBG*?

I assume the solution will require two Virtual Machines, but I'd rather have two instances hosted on my actual machine than an instance residing inside another virtual instance...

Is there any way to make that work?

Thanks in advance!

*Wine is the last resort for stability reasons...

Gluten answered 2/10, 2012 at 19:20 Comment(0)
23

Solved! Basically, I ended up using two (VirtualBox) VMs emulating a Serial connection (null-modem cable) over a Unix domain socket (on the host). For more info, read below:

Hardware setup*:

  • Debuggee:
    • Ensure the machine is turned off and edit Serial Ports settings.
    • Enable Port 1, and assign values as follows: Port Number: COM1, Port Mode: Host Pipe, Create Pipe: Unchecked (client), Port/File Path: /tmp/win_link.
  • Debugger:
    • Same as above (using the same path), only this time Create Pipe should be Checked (server).

Debugger setup:

  • Run WinDBG and press Ctrl+K to invoke Kernel Debugging.
  • In COM, enter: Baudrate: 115200, Port: COM1, Resets: 0 and verify that Pipe and Reconnect are unchecked (important).
  • You'll be presented with the following output: Opened \\.\com1 Waiting to reconnect...

Debuggee setup:

  • Run bootcfg /debug on /port com1 /baud 115200 /id 1. To verify, run bootcfg.**
  • Reboot.
  • Quite early during the booting stage, WinDBG on the other machine should detect the debuggee is running.

*Assuming VirtualBox is used. VMWare/KVM users will probably be able to achieve the same results following similar steps. Also, for more info refer to the VirtualBox docs.

**Assuming guests are Windows XP. Later versions include bcdedit, which may be used as described here.

Gluten answered 7/10, 2012 at 22:47 Comment(1)
Your configuration seems perfect but regardless of what configuration I'm using, I can't see the serial ports on both my windows vms. Have you ever had such an issue? (Lowrie)
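The same null-modem setup from the answer above, done from the Linux host shell with VBoxManage instead of the VirtualBox GUI. This is an added example, not part of the original answer; the VM names "Debuggee" and "Debugger" are hypothetical, and the pipe path defaults to the /tmp/win_link used in the answer.

```shell
#!/bin/sh
# Added example: wire COM1 of two VirtualBox VMs to one host pipe.
# Assumptions (not from the original answer): VMs named "Debuggee" and
# "Debugger"; pipe path /tmp/win_link unless PIPE_PATH is set.
PIPE_PATH="${PIPE_PATH:-/tmp/win_link}"

# The debugger VM creates the socket (server); the debuggee connects to it
# (client). Both sides must point at the same path.
pipe_mode_for_role() {
    case "$1" in
        debugger) echo "server" ;;
        debuggee) echo "client" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Build the VBoxManage command for COM1 (I/O base 0x3F8, IRQ 4) of the named
# VM. It is printed rather than executed so it can be reviewed first.
serial_cmd() {
    role="$1"; vm="$2"
    mode="$(pipe_mode_for_role "$role")" || return 1
    printf 'VBoxManage modifyvm "%s" --uart1 0x3F8 4 --uartmode1 %s "%s"\n' \
        "$vm" "$mode" "$PIPE_PATH"
}

# VirtualBox only accepts serial-port changes while the VM is powered off,
# matching the "ensure the machine is turned off" step in the answer.
vm_is_powered_off() {
    VBoxManage showvminfo "$1" --machinereadable 2>/dev/null \
        | grep -q '^VMState="poweroff"$'
}

# Apply the configuration for one VM, refusing to touch a running one.
apply_serial_config() {
    role="$1"; vm="$2"
    if ! vm_is_powered_off "$vm"; then
        echo "$vm is not powered off (or not found); skipping" >&2
        return 1
    fi
    eval "$(serial_cmd "$role" "$vm")"
}

# Usage on the host:
#   apply_serial_config debugger Debugger
#   apply_serial_config debuggee Debuggee
```

Run the debugger side first so the socket exists before the debuggee VM tries to connect to it.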
2

For QEMU/KVM follow these instructions: http://www.linux-kvm.org/page/WindowsGuestDrivers/GuestDebugging

Lat answered 3/9, 2013 at 21:34 Comment(0)
1

Very helpful, but it applies to Windows XP machines. You can refer to the following link if you need to configure 2 Windows 7-based virtual machines on a Linux host: http://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Debugger/Kernel

Erlindaerline answered 8/4, 2015 at 17:6 Comment(0)
-1

Another option nowadays is to enable local kernel debugging. This comes with some limitations; however, it will enable you to access kernel data while using just one VM.

This approach only works on Windows 8.0 and Windows Server 2012 and later.

Follow these steps:

  1. Open a Command Prompt window as Administrator.
  2. Enter bcdedit /debug on.
  3. If the computer is not already configured as the target of a debug transport, enter bcdedit /dbgsettings local.
  4. Reboot the computer.

Once the system is rebooted, you can execute WinDBG as Administrator, press Ctrl+K or go to File -> Attach to kernel -> Local and press OK.

At that point, you will be able to execute kernel-only commands and access kernel structures.

Tested under Windows 10 and with the new WinDBG version (preview).

Reference: Setting Up Local Kernel Debugging of a Single Computer Manually

Consueloconsuetude answered 13/11, 2017 at 8:5 Comment(1)
This is not a full debugging setup. (Infuriate)