Link: http://www.mouseos.com/win7/windbg.html
Google turns up many tutorials on how to use WinDbg to debug the Windows kernel, and almost all of them cover the same ground.
Based on the tutorials I found, I summarize my own experiment process here.
★My vmware version is: 6.0.4 build-93057
★Windbg version: 6.11.0001.402 amd64
★Bochs version: 2.4.2
★Target Windows 7 version: Windows 7 Ultimate x64 Chinese Version
-------------------------------------------------------------------------------------------------------
You can use VMware + WinDbg to debug the Windows kernel, but I also like to use Bochs, which is convenient and flexible.
The guest OS in VMware is the debug target, and WinDbg running in the host OS is the debugger.
The guest OS and host OS are connected through a serial port that VMware exposes as a named pipe.
I. I installed the latest Windows 7 x64 Chinese Ultimate edition in VMware
The same Windows 7 x64 Chinese Ultimate edition is also installed in Bochs.
1. VMWare settings
On the virtual machine in question, choose "Virtual Machine Settings" ---> "Hardware" ---> "Add" ---> "Serial Port" ----> "Next" ----> for the serial port select "Output to named pipe" ----> "Next" ----> "Finish".
Finally, back on the "Virtual Machine Settings" page, select "Yield CPU on poll" under "I/O mode" to complete the VMware settings.
2. Use of windbg
Create a shortcut on the desktop whose command line is:
"C:\Program Files\Debugging Tools for Windows 64-bit\windbg.exe" -b -k com:port=\\.\pipe\com_1,baud=115200,pipe
This way, once Windows 7 boots in VMware, WinDbg and the guest OS "win7" are connected.
II. Settings in the guest OS (Windows 7)
1. Place a breakpoint in bootmgr
Since Vista, Windows no longer uses the ntldr module to manage booting; the bootmgr module manages the boot process instead.
So in my Windows 7 I first have to decide which part to debug.
Windows 7 has four debuggable parts: the bootmgr module, the winload module, the winresume module, and the Windows kernel module nt.
Boot debugging can be enabled for any of these four modules.
For example, run the following commands to break inside bootmgr:
(1) Run "Command Prompt" as an administrator.
(2) In the "Command Prompt" window, enter the following commands:
bcdedit /set {bootmgr} bootdebug on
bcdedit /set {bootmgr} debugtype serial
bcdedit /set {bootmgr} debugport 1
bcdedit /set {bootmgr} baudrate 115200
After these commands complete, a debugging channel is configured in the bootmgr module of Windows 7.
When Windows 7 reaches bootmgr it stops loading: VMware shows a black screen while bootmgr waits for a response on the serial port.
After WinDbg is started, WinDbg establishes a connection with bootmgr in Windows 7.
The following is the output my WinDbg showed when connected to bootmgr:
Microsoft (R) Windows Debugger Version 6.11.0001.402 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 7600 x86 compatible target at (Thu Nov 26 21:05:14.787 2009 (GMT+8)), ptr64 FALSE
Kernel Debugger connection established.  (Initial Breakpoint requested)
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Module load completed but symbols could not be loaded for bootmgr
Windows Boot Debugger Kernel Version 7600 UP Free x86 compatible
Machine Name:
Primary image base = 0x00400000 Loaded module list = 0x00491b80
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
bootmgr+0x436bc:
004436bc cc              int     3
In this output you can see:
★Opened \\.\pipe\com_1
WinDbg has opened the serial port (the named pipe).
★Symbol search path is: *** Invalid ***
No symbols are available in this mode yet.
★Primary image base = 0x00400000 Loaded module list = 0x00491b80
bootmgr is loaded at base address 0x00400000.
★bootmgr+0x436bc:
Execution is currently stopped inside the bootmgr module.
2. Breakpoint in the winload module
Again use the "Command Prompt".
Run bcdedit's enumeration (bcdedit with no arguments, or bcdedit /enum); it displays the identifier (GUID) of each boot entry currently available.
On my system it displays the following:
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  zh-CN
inherit                 {globalsettings}
debugtype               Serial
debugport               1
baudrate                115200
bootdebug               Yes
default                 {current}
resumeobject            {53a5f400-d7b9-11de-93c1-e9eb61f9eb4f}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  zh-CN
inherit                 {bootloadersettings}
recoverysequence        {53a5f402-d7b9-11de-93c1-e9eb61f9eb4f}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {53a5f400-d7b9-11de-93c1-e9eb61f9eb4f}
The identifier of the winload entry (the "Windows Boot Loader" entry whose path is winload.exe) is {current}.
Therefore, run the following commands:
bcdedit /set {current} bootdebug on
bcdedit /set {current} debugtype serial
bcdedit /set {current} debugport 1
bcdedit /set {current} baudrate 115200
This enables boot debugging in the winload module.
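As an added example (my own script, not code from the original page or from bcdedit), the following Python parses constructed sample output in the bcdedit enumeration format shown above, finds which entry loads winload.exe, reports which entries already have bootdebug switched on, and builds the same four bcdedit /set commands used for {bootmgr} and {current} in the two steps above. It only builds the command strings; it never runs bcdedit itself.

```python
import re

# Constructed sample of bcdedit enumeration output (mirrors the entries on this page).
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
debugtype               Serial
debugport               1
baudrate                115200
bootdebug               Yes

Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.exe
"""

def parse_bcdedit(text):
    """Split bcdedit output into one dict per boot entry (lower-cased keys)."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            current = None
            continue
        if set(line.strip()) == {"-"}:            # underline below a section title
            continue
        m = re.match(r"^(\S+)\s{2,}(.*)$", line)  # "key      value" rows
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
        else:                                     # a section title starts a new entry
            current = {"_title": line.strip()}
            entries.append(current)
    return entries

def find_identifier(entries, path_suffix):
    """Identifier of the entry whose 'path' ends with path_suffix, else None."""
    for e in entries:
        if e.get("path", "").lower().endswith(path_suffix.lower()):
            return e.get("identifier")
    return None

def bootdebug_enabled(entries):
    """Identifiers of entries that already have boot debugging switched on."""
    return [e["identifier"] for e in entries if e.get("bootdebug", "").lower() == "yes"]

def boot_debug_commands(identifier, port=1, baud=115200):
    """The four bcdedit /set commands from this page, for one boot entry."""
    settings = ["bootdebug on", "debugtype serial", f"debugport {port}", f"baudrate {baud}"]
    return [f"bcdedit /set {identifier} {s}" for s in settings]
```

Feed it the real output of bcdedit (copied from an elevated Command Prompt on the guest) instead of the sample to see which entry is {current} on your own system before changing anything.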
3. Breakpoint in the kernel module (nt)
Open "Control Panel" ----> "Administrative Tools" ---> "System Configuration" ---> open the "Boot" tab ---> click "Advanced options"
----> in the advanced boot options, tick "Debug" ----> click "OK".
This enables kernel debugging for the nt module.
III. Loading symbols in WinDbg
In WinDbg, "File" ---> "Symbol File Path" ---> set it to: SRV*D:\symbols*http://msdl.microsoft.com/download/symbols
Back in the WinDbg command window, run the .reload command to load the symbols automatically.
IV. Using Bochs together with WinDbg
Bochs debugs on its own and has no connection to WinDbg. However, Bochs can set breakpoints anywhere in the entire startup process, which WinDbg cannot do.
WinDbg's advantage is that it can show symbols, while Bochs has no symbols. Using Bochs and WinDbg together lets you observe every stage of the Windows 7 startup.
Article: http://advdbg.org/blogs/advdbg_system/articles/784.aspx