Wak*_*nka (score 4) · tags: windows, debugging, kernel, windbg
I am trying to do Windows kernel debugging, so I set up two machines for this:
HOST and TARGET both run Windows 7 32-bit, and both have Windows Driver Kit 8.0 installed. I did the following:
On TARGET, I enabled kernel debugging with these commands:
bcdedit /copy {current} /d "Windows 7 wih debug"
bcdedit /debug {02b760e4-eafc-11e4-8847-ac1155aec81a} on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /timeout 10
Then I started the HOST and performed the following steps:
After that, the windbg command window on HOST looked like this:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\COM1
Waiting to reconnect...
Then I rebooted TARGET and selected "Windows 7 with debug" from the boot menu.
After that, the windbg command window on HOST looked like this:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\COM1
Waiting to reconnect...
Connected to Windows 7 7601 x86 compatible target at (Tue May 5 08:23:33.992 2015 (UTC - 7:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82611000 PsLoadedModuleList = 0x8275b850
System Uptime: not available
However, instead of the prompt where I would normally type commands, I got: Debuggee not connected. The TARGET system boots as usual and I am able to use it.
A few things I noticed:
What am I doing wrong?
PS: Both machines are virtual guests on XEN. PPS: The connection works 100%, tested on a kernel with debugging not enabled, using PuTTY.
EDIT:
Title changed.
Based on the article "My kernel debugger won't connect", it can be determined that COM1 is missing:
By checking Device Manager I can confirm that there is a problem with the configuration of the OS running in the VM. The bcdedit settings are configured to use COM1, which should make COM1 unavailable in the OS; however, COM1 is present in Device Manager. For some reason the debugger did not claim COM1 at boot as configured.
I also checked the settings described in the article mentioned above, and they seem fine too:
C:\>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {02b760e0-eafc-11e4-8847-ac1155aec81a}
displayorder            {default}
                        {current}
toolsdisplayorder       {memdiag}
timeout                 10
displaybootmenu         Yes

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {02b760e2-eafc-11e4-8847-ac1155aec81a}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {02b760e0-eafc-11e4-8847-ac1155aec81a}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7 wih debug
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {02b760e2-eafc-11e4-8847-ac1155aec81a}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {02b760e0-eafc-11e4-8847-ac1155aec81a}
nx                      OptIn
debug                   Yes
EDIT 2
Based on this answer, I tried issuing the kd -kl command. I think it should only be issued on the target, but to be sure I tried it on both machines. You can see errors about symbols, but I think debugging should work without them too.
HOST:
c:\Program Files\Windows Kits\8.0\Debuggers\x86>kd -kl
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
The system does not support local kernel debugging.
Local kernel debugging requires Windows XP, Administrative privileges.
Only a single local kernel debugging session can run at a time.
Local kernel debugging is disabled by default since Windows Vista, you must run
"bcdedit -debug on" and reboot to enable it.
Debuggee initialization failed, HRESULT 0x80004001
"Not implemented"
TARGET:
c:\Program Files\Windows Kits\8.0\Debuggers\x86>kd -kl
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Connected to Windows 7 7601 x86 compatible target at (Tue May 5 12:13:02.806 2015 (UTC - 7:00)), ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82653000 PsLoadedModuleList = 0x8279d850
Debug session time: Tue May 5 12:13:02.822 2015 (UTC - 7:00)
System Uptime: 0 days 2:48:38.649
lkd>
There were also some suggestions about setting up printer sharing; are they worth trying?
It looks like you have attached the debugger to the target. (1) Ignore the WinDbg status messages. The best way to see whether you are connected to the target is to try some commands. (2) When I debug virtual machines, the serial port I am using also goes missing, but it looks like you already figured that out (nicely done).
In order to issue commands you need to break into the kernel. Click Debug -> Break, then try the following commands:
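An added check, not part of the question or the answer above, that parses a bcdedit dump like the one in the question and reports which boot-loader entries have the kernel debugger enabled and whether the boot manager's default entry is one of them; the sample text is constructed and the function names are mine. The same check serves a hardening audit, where a production entry left with "debug Yes" is the thing to find.

```python
# Constructed sample shaped like `bcdedit` output on the TARGET (not the page's dump): {default} lacks debug, {current} has "debug Yes".
SAMPLE_BCDEDIT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
default                 {default}
displayorder            {default}
                        {current}
displaybootmenu         Yes

Windows Boot Loader
-------------------
identifier              {default}
description             Windows 7

Windows Boot Loader
-------------------
identifier              {current}
description             Windows 7 wih debug
debug                   Yes
"""

def _is_rule(s):
    return bool(s.strip()) and set(s.strip()) == {"-"}   # the dashed underline below a section title

def parse_bcdedit(text):
    """Split bcdedit output into sections: one dict per entry, keyed by option name."""
    entries, current, prev_key = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and _is_rule(lines[i + 1]):   # title line, e.g. "Windows Boot Loader"
            current = {"_type": line.strip()}
            entries.append(current)
            continue
        if current is None or not line.strip() or _is_rule(line):
            continue
        if line[:1].isspace() and prev_key:                 # indented continuation (displayorder)
            current[prev_key] += " " + line.strip()
            continue
        key, _, value = line.strip().partition(" ")
        current[key], prev_key = value.strip(), key
    return entries

def kernel_debug_report(text):
    """Loader entries with 'debug Yes', and whether the boot manager's default entry is one of them."""
    entries = parse_bcdedit(text)
    debug_on = [(e.get("identifier"), e.get("description")) for e in entries
                if e["_type"] == "Windows Boot Loader" and e.get("debug", "").lower() == "yes"]
    default_id = next((e.get("default") for e in entries if e["_type"] == "Windows Boot Manager"), None)
    return debug_on, any(ident == default_id for ident, _ in debug_on)
```

Plain bcdedit output, like the dump in the question, does not list the {dbgsettings} object; bcdedit /dbgsettings with no arguments prints the debugger type, port and baud rate.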
.reload
!ustr srv!SrvComputerName
This should give you the computer name of the target system.
If you want to learn more about kernel debugging, check out TheSourceLens on YouTube. As for literature, I would not recommend any books, since most of the information I have found is online. However, I suggest you look at OSR Online. Happy debugging.