Debugging Windows Kernel from Linux

Joker Thief · Oct 2, 2012 · Viewed 8.9k times

I used to debug the Windows Kernel using VirtualKD, WinDBG and a single Virtual Machine.

Recently I got a Linux machine, and now I wonder: what's the easiest way to debug the Windows Kernel when your host is unable to run VirtualKD/WinDBG*?

I assume the solution will require two Virtual Machines, but I'd rather have two instances hosted on my actual machine than have an instance residing inside another virtual instance...

Is there any way to make that work?

Thanks in advance!

*Wine is the last resort for stability reasons...

Answer

Joker Thief · Oct 8, 2012

Solved! Basically, I ended up using two (VirtualBox) VMs emulating a Serial connection (null-modem cable) over a Unix domain socket (on the host). For more info, read below:

Hardware setup*:

  • Debuggee:
    • Ensure the machine is turned off and edit Serial Ports settings.
    • Enable Port 1, and assign values as follows: Port Number: COM1, Port Mode: Host Pipe, Create Pipe: Unchecked (client), Port/File Path: /tmp/win_link.
  • Debugger:
    • Same as above (using the same path), only this time Create Pipe should be Checked (server).

Debugger setup:

  • Run WinDBG and press Ctrl+K to invoke Kernel Debugging.
  • In COM, enter: Baudrate: 115200, Port: COM1, Resets: 0 and verify that Pipe and Reconnect are unchecked (important).
  • You'll be presented with the following output: Opened \\.\com1 Waiting to reconnect...

Debuggee setup:

  • Run bootcfg /debug on /port com1 /baud 115200 /id 1. To verify, run bootcfg.**
  • Reboot.
  • Quite early during the booting stage, WinDBG on the other machine should detect the debuggee is running.

*Assuming VirtualBox is used. VMWare/KVM users will probably be able to achieve the same results following similar steps. Also, for more info refer to the VirtualBox docs.

**Assuming guests are Windows XP. Later versions include bcdedit, which may be used as described here.
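The VirtualBox side of the setup above can also be scripted from the Linux host with VBoxManage instead of the GUI. The script below is an added example, not part of the original answer: it wires COM1 (I/O base 0x3F8, IRQ 4) of both VMs to the host pipe, the debugger as the socket server and the debuggee as the client, and checks the result by parsing VBoxManage showvminfo. The VM names, the socket path and the exact uart1/uartmode1 key format in the machinereadable output are assumptions.

```shell
#!/bin/sh
# Added example: script the VirtualBox null-modem pairing from the Linux host.
# Both VMs must be powered off before modifyvm is run (same rule as in the GUI).
PIPE=/tmp/win_link   # Unix domain socket on the host (assumed path, as in the answer)

# Build the VBoxManage command that binds a VM's COM1 to the host pipe.
# role=server creates the socket (debugger), role=client connects to it (debuggee).
serial_cmd() {  # serial_cmd <vmname> <server|client>
  printf 'VBoxManage modifyvm %s --uart1 0x3F8 4 --uartmode1 %s %s\n' "$1" "$2" "$PIPE"
}

# Return 0 iff the given showvminfo --machinereadable text shows COM1 bound to
# the expected role and path. Key format assumed:
#   uart1="0x03f8,4"
#   uartmode1="server,/tmp/win_link"
check_uart() {  # check_uart <server|client> <showvminfo-text>
  printf '%s\n' "$2" | grep -q '^uart1="0x03f8,4"$' &&
  printf '%s\n' "$2" | grep -q "^uartmode1=\"$1,$PIPE\"\$"
}

# Apply the pairing: debugger = server side, debuggee = client side.
configure_pair() {  # configure_pair <debuggee-vm> <debugger-vm>
  sh -c "$(serial_cmd "$2" server)" && sh -c "$(serial_cmd "$1" client)"
}

# Query a live VM and validate its serial settings.
verify_vm() {  # verify_vm <vmname> <server|client>
  check_uart "$2" "$(VBoxManage showvminfo "$1" --machinereadable)"
}

# Constructed sample of showvminfo output, used for an offline self-check.
SAMPLE_INFO='name="WinXP-Debugger"
uart1="0x03f8,4"
uartmode1="server,/tmp/win_link"
uart2="off"'

# Usage: ./serial_pair.sh <debuggee-vm> <debugger-vm>  (needs VBoxManage on PATH)
if [ "$#" -eq 2 ]; then
  configure_pair "$1" "$2" && verify_vm "$2" server && verify_vm "$1" client &&
  echo "COM1 of $1 (client) and $2 (server) now share $PIPE"
fi
```

After this, the WinDBG and bootcfg steps inside the guests are unchanged; the server-side VM has to be started first so the socket exists when the client connects.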