Skip to content

Latest commit

 

History

History
261 lines (182 loc) · 5.43 KB

README.md

File metadata and controls

261 lines (182 loc) · 5.43 KB

symseghelper

Helper scripts for windows debugging with symbols for Bochs and IDA Pro (PDB files). Very handy for user mode <--> kernel mode

bochstvshow

names

Fast and easy way (only names)

In Guest: Install windows debugging tools (windbg)

In Guest: install debug symbols

In Guest: execute windbg with command line -logo:

"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" -logo c:\windbg_syms_output.txt

Go to File -> Kernel Debug -> Local

Go to File -> Symbol File Path -> Browse

Select your symbol path (for me its C:\winsymbols), Select Reload -> OK

List all processes in windbg with:

!process 0 0 

...

PROCESS 8982ec20  SessionId: 0  Cid: 056c    Peb: 7ffd7000  ParentCid: 0548
    DirBase: 10a83000  ObjectTable: e18f4320  HandleCount: 237.
    Image: explorer.exe

...

Attach to explorer.exe with .process /p /r 8976e2d0 (it has a a lot of user mode dlls)

.process /p /r 8982ec20

type:

.reload -a

type:

.reload /f

Execute in windbg:

x /2 *!*

Wait and be patient

Close windbg

Clean c:\windbg_syms_output.txt file, removing all lines before

lkd> x /2 *!*

windbg_syms_output.txt should looks like:

7ffe0300 SharedUserData!SystemCallStub
00af1d80 kext!diskspace
00af2af0 kext!DebugExtensionInitialize
00af2bb0 kext!DebugExtensionNotify
00af2ce0 kext!DebugExtensionUninitialize
...
f7ba0a90 Ntfs!LfsAllocateSpanningBuffer
f7b78831 Ntfs!NtfsQueryBasicInfo
f7b85653 Ntfs!NtfsCacheSharedSecurityByDescriptor

Move windbg_syms_output.txt to Host

In Host: Execute

windbg_syms_parser.py windbg_syms_output.txt bochs_syms_and_ida_names.txt

Bochs

in Host: Open Bochs Debugger, start a debug session, Press Ctrl + C (break). Use ldsym global bochs_syms_and_ida_names.txt

Example:

ldsym global "C:\\Users\\leno\\Desktop\\symseghelper\\bochs_syms_and_ida_names.txt"

Done!

betweenrings

IDA PRO:

Edit "C:\Program Files\IDA Pro 7.7\cfg\dbg_bochs.cfg"

BOCHSDBG = "C:\\Users\\leno\\Desktop\\Bochs-pruebas\\bochs\\bochs.exe";
BOCHSRC = "C:\\Users\\leno\\Desktop\\Bochs-pruebas\\bochs\\.bochsrc";

Go to IDA .....

Debugger -> Run -> Local Bochs Debugger

Application:

C:\Users\leno\Desktop\Bochs-pruebas\bochs\.bochsrc

Cick Debug Options -> Set specific options -> Select Disk image

in Host: Open IDA PRO, start a debug session and go to File -> Script File

Select ida_load_names.py, this script ask you for bochs_syms_and_ida_names.txt

Done!

names

Segments

WARNING: Only follow these steps if you need segments

Copy dumpmodules.wds to Guest C:\

Create in Guest C:\outfiles directory

In Guest: Install windows debugging tools (windbg)

In Guest: install debug symbols

In Guest: execute windbg

"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe"

Go to File -> Kernel Debug -> Local

Go to File -> Symbol File Path -> Browse

Select your symbol path (for me its C:\winsymbols), Select Reload -> OK

List all processes in windbg with:

!process 0 0 

...

PROCESS 8982ec20  SessionId: 0  Cid: 056c    Peb: 7ffd7000  ParentCid: 0548
    DirBase: 10a83000  ObjectTable: e18f4320  HandleCount: 237.
    Image: explorer.exe

...

Attach to explorer.exe with .process /p /r 8976e2d0 (it has a a lot of user mode dlls)

.process /p /r 8982ec20

type:

.reload -a

type:

.reload /f

Execute in windbg

$$>a<C:\dumpmodules.wds C:\outfiles

move C:\outfiles dir from Guest to Host

type in windbg

.cls

type in windbg

lm vo

Create a new file called windbg_lm_output.txt and paste lm vo output

windbg_lm_output.txt shoud looks like:

806d0000 806f0300   hal        (pdb symbols)          c:\winsymbols\dll\halaacpi.pdb
    Loaded symbol image file: halaacpi.dll
    Image path: halaacpi.dll
    Image name: halaacpi.dll
    Timestamp:        Sun Apr 13 11:31:27 2008 (4802517F)
    CheckSum:         00024F17
    ImageSize:        00020300
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
bf800000 bf9c2980   win32k     (pdb symbols)          c:\winsymbols\sys\win32k.pdb
    Loaded symbol image file: \SystemRoot\System32\win32k.sys
    Image path: \SystemRoot\System32\win32k.sys
...

move windbg_lm_output.txt to Guest

In Host

with seg_helper.py, windbg_lm_output.txt and outfiles/ in same path, execute:

seg_helper.py windbg_lm_output.txt outfiles ida_segments.txt bochs_segments.txt

bochs_segments.txt

you can use this file in Bochs debugger with ldsym global, example:

ldsym global "C:\\Users\\leno\\Desktop\\symseghelper\\bochs_segments.txt"

It can be useful have segments + symbols together:

type bochs_segments.txt > bochs_syms_with_segments.txt
type bochs_syms_and_ida_names.txt >> bochs_syms_with_segments.txt

Load segments + symbols in Bochs:

ldsym global "C:\\Users\\leno\\Desktop\\symseghelper\\bochs_syms_with_segments.txt"

Now, when a instruction its out of a known segment its easy to view:

bochsend

ida_segments.txt

in Host: Open IDA PRO, start a debug session and go to File -> Script File

Select ida_load_segs.py, this script ask you for ida_segments.txt

done!

segments

Related