Virtualkd + windbg + VMware fast debugging + windbg download symbol + Windows 7 Local kernel debugging

Source: Internet
Author: User


======================================Windbg download symbol==========================================
After patching, windbg often reports "Your debugger is not using the correct symbols".

Use the following windbg commands to download updated symbol files. The leading "." in the commands must not be dropped. Once the command completes, a network traffic monitor shows the symbols being downloaded.

1: .sympath SRV*G:\winddk\7600.16385.1\debuggers\symbols*http://msdl.microsoft.com/download/symbols

2: !sym noisy

3: .reload
After the download is complete:

lkd> .reload
Connected to Windows 7 7600 x86 compatible target at (Fri Apr 29 21:42:54.477 2011 (UTC + )), ptr64 FALSE
Loading Kernel Symbols
...............................................................
...............................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffda00c). Type ".hh dbgerr001" for details
Loading unloaded module list
...
lkd> !sym noisy
noisy mode - symbol prompts on
lkd> !sym noisy
noisy mode - symbol prompts on
lkd> .sympath SRV*G:\winddk\7600.16385.1\debuggers\symbols*http://msdl.microsoft.com/download/symbols 
DBGHELP: Symbol Search Path: SRV*G:\winddk\7600.16385.1\debuggers\symbols*http://msdl.microsoft.com/download/symbols 
DBGHELP: Symbol Search Path: SRV*G:\winddk\7600.16385.1\debuggers\symbols*http://msdl.microsoft.com/download/symbols 
Symbol search path is: SRV*G:\winddk\7600.16385.1\debuggers\symbols*http://msdl.microsoft.com/download/symbols 
Expanded Symbol search path is: srv*g:\winddk\7600.16385.1\debuggers\symbols*http://msdl.microsoft.com/download/symbols 
WARNING: Whitespace at end of path element
The following uses the dt _EPROCESS command; the local machine build is 7600.1669.5.

lkd> dt _EPROCESS
ntdll!_EPROCESS

   +0x000 Pcb              : _KPROCESS
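The session log above ends with "WARNING: Whitespace at end of path element", which dbghelp prints when a .sympath element carries a trailing blank. As an added example (not code from the original post), the following Python parses a WinDbg-style symbol path into its elements (plain directory, cache*dir, SRV*cache*server) and reports that and similar problems before the path is handed to the debugger; the names SymPathElement, parse_sympath and sympath_warnings are my own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class SymPathElement:
    raw: str
    kind: str                        # "dir", "cache" (cache*dir) or "srv" (SRV*cache*server)
    cache: Optional[str] = None
    server: Optional[str] = None
    directory: Optional[str] = None
    warnings: List[str] = field(default_factory=list)

def parse_sympath(sympath: str) -> List[SymPathElement]:
    """Split a WinDbg symbol path on ';' and decode each element."""
    elements: List[SymPathElement] = []
    for raw in sympath.split(";"):
        if not raw.strip():
            continue
        el = SymPathElement(raw=raw, kind="dir")
        # dbghelp accepts but warns about a trailing blank; this is the
        # "WARNING: Whitespace at end of path element" seen in the log.
        if raw != raw.rstrip():
            el.warnings.append("whitespace at end of path element")
        parts = raw.strip().split("*")
        head = parts[0].upper()
        if head == "SRV":
            el.kind = "srv"
            if len(parts) == 2:          # SRV*server: no local downstream cache
                el.server = parts[1]
            elif len(parts) >= 3:        # SRV*cache*server: the form used on the page
                el.cache, el.server = parts[1], parts[2]
            if not el.server:
                el.warnings.append("SRV element has no server")
            elif not el.server.lower().startswith(("http://", "https://", "\\\\")):
                el.warnings.append("server is neither a URL nor a UNC share")
        elif head == "CACHE":
            el.kind = "cache"
            el.cache = parts[1] if len(parts) > 1 else None
        else:
            el.directory = parts[0]
        elements.append(el)
    return elements

def sympath_warnings(sympath: str) -> List[str]:
    """Flat list of 'element: warning' strings, usable as a pre-flight check."""
    return [f"{e.raw.strip()}: {w}" for e in parse_sympath(sympath) for w in e.warnings]

if __name__ == "__main__":
    # Constructed input: the path from the post, with the trailing blank that triggered the warning.
    print(sympath_warnings("SRV*G:\\winddk\\7600.16385.1\\debuggers\\symbols*http://msdl.microsoft.com/download/symbols "))
```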

====================================== Fast dual-host debugging virtualkd + windbg + Vmware ========================================
In two-machine debugging, whether windbg + VMware or windbg + 1394, the debugging speed is relatively low. Sometimes after a single p command the windbg status stays "busy" for a long time.
VirtualKD solves this problem perfectly.
VirtualKD is mainly used to speed up Windows kernel debugging on VMware or VirtualBox. The traditional two-machine debugging method uses a virtual COM serial port, and its speed is very low.
Debugging through the virtual COM serial port generally involves the following steps:
1. Windows in the guest uses the virtual COM serial port to exchange data with the host;
2. windbg/KD uses a named pipe provided by the VM to communicate with the target machine.
The weakest link here is the virtual COM serial port: its transmission rate is only 115200 baud, i.e. 115200 bits per second, roughly 10 kb/s. VirtualKD replaces the virtual COM serial port function and greatly improves the data exchange rate; the officially quoted figure is up to 6 Mb/s. When the !irpfind command was tested, the VMware platform reached kb/s, which is still about 15 times faster than the virtual COM serial port. The actual effect can only be appreciated during a debugging session :-) The basic principle of VirtualKD is to use the KD DLL extension mechanism and patch a process in the virtual machine; the two communicate through a pipe.
Usage:
1. There are two configuration methods: simple and complex. The simple method is automated; the complex method is manual. The manual method comes in a dynamic-patch and a static-patch variant. For details, refer to the official website: Http://virtualkd.sysprogs.org/
2. Only the automatic installation is described here. The target machine runs under VMware; for VirtualBox the procedure differs slightly.
Download the VirtualKD package and unpack it; the package contains a target directory under virtualkd2.2. Copy the target directory into the virtual machine and run target/vminstall.exe there to install. vminstall.exe automatically checks the kernel version of the virtual machine. Because my target machine runs the WRK kernel, it shows "wrk debug [virtualkd]" (Figure 1). You can change the displayed string if you wish, then click Install.

When the target machine is an XP system, it looks as follows:

(Figure 2)

After you click Install, restart the virtual machine when prompted.
Start vmmon.exe on the host (the vmmon program must remain running the whole time); it automatically detects the operating system running in the virtual machine. Set the windbg path and the start mode (automatic/manual), and everything is ready. When the virtual machine starts, windbg is attached automatically or manually as configured.

In fact, the configuration process is very simple. Everything is installed automatically; the one pitfall is forgetting to set the debugger path, and then wasting time finding out why nothing attaches.
The final conclusion: once the traditional virtual COM serial port is replaced by VirtualKD, debugging is very fast.
It is always good to take up new things; the learning process is always a little tortuous, but the target itself turns out to be so simple!

======================================Windows 7 Local kernel debugging======================

Use vistalkd as shown in the figure.

