preface

When we do not have two physical machines, and want to do dual-machine kernel debugging? Install the virtual machine, of course! This paper summarizes the use of VMware15.5 + Win10 + VirtualkD + WinDBG to build a dual-machine kernel debugging environment.

Installation environment

  1. VMware version: 15.5 Pro. You can download the latest version from VMware’s official website.

  2. My physical host system: Win10 1909. Other versions of Windows are also available. VMware15.5 supports Windows 7 at least.

  3. Vm system image: WIN10 1809 X64. Other versions of the system also work. We can find the official Windows images for each version at MSDN I Tell You. In addition to system images, it also includes official images for many other tools, such as VS, Office, etc.

  4. Windbg version: 10.0.18362.1, other versions can also. Windbg is included with the Windows SDK. You can download it from the SDK download address on Microsoft’s official website. If you only need WinDBg, you are advised to download the. Exe installation package. During installation, you can select only Debugging Tools for Windows.

Install VMware & Install Win10

After downloading VMware to the local PC, double-click to install it, and click Next. Note the following two points:

  1. Try to download the latest versionVMwareEarly versionsVMwarewin10 1909There may be compatibility issues on.
  2. After the installation is complete, it is best to restart the system!

Once VMware is installed, you are ready to install the system image. To start the New VM wizard, go to File (F) -> New VM (N). Generally, we choose the downloaded system image to install through the installation program CD image file (ISO)(M), and then go all the way to the next step (N).

With the installation complete, you are ready to start. But there may be some problems, so I made a brief summary.

Possible problems

  • promptIntel VT-xBe disabled.

Enable Intel VT-X in the BIOS as prompted.

Restart the BIOS, start Intel Virutal Technology, and press F10 to save the Settings and exit.

  • promptVMware WorkstationDevice/Credential GuardNot compatible.

You are strongly advised to check whether Hyper-V is enabled. If yes, shut down Hyper-V first.

If you shut down Hyper-V, you still see the above prompt. Please refer to Microsoft’s official documentation for Disabling Device/Credential Guard.

Click the tool download link to download the corresponding script file to your local PC. If our system is not English, follow the instructions to change the script

*$OSArch = $(gwMI win32_operatingSystem).OSArchitecture = $OSArch = $(gwMI win32_operatingsystem).OSArchitecture).tolower()

Then run dg_readiness_tool_v3.6. ps1 -disable-autoreboot as an administrator.

-Disable Indicates that the switch is disabled.

-AutoReboot Automatically restarts the system. This parameter is specified based on your requirements.

After the restart, you will be prompted to actually disable this feature. Press the Windows or F3 key to disable and Esc to skip.

After successfully installing the system, we can start dual-machine kernel debugging.

Connect through a virtual serial port

If you want to connect through a virtual serial port, before setting up the system, it is important to note that the VMware printer will use the default serial port 1. If the printer is not removed, the new serial port will be serial port 2.

Of course, we can remove the printer and create a new serial port, so that the new serial port is the default serial port 1.

I kept the printer and used COM2 as an example to record a screen video. Here is a brief description of the whole process:

  • Create a new serial port, because the printer occupies serial port 1, so we create a new serial port 2.

  • To set the pipe parameter, I set \\.\pipe\bcn_com, the other parameters are the default.

  • Run the following command to start the VM system and set debugging parameters:

    12Copy the code
    copy 
    bcdedit /debug onbcdedit /dbgsettings serial debugport:1 baudrate:115200Copy the code

  • Run WinDBG with administrator authority, connect through the interface.

  • After the VM system is restarted, the vm cannot be connected. Because the new serial port is serial port 2, and we set serial port 1 in the virtual machine system.

  • Restart the VM system and set debugging parameters. Run the following command:

    12Copy the code
    copy 
    bcdedit /debug onbcdedit /dbgsettings serial debugport:2 baudrate:115200Copy the code

  • Restart the virtual machine system and this time the connection is successful.

  • Finally, it demonstrates winDBG directly connecting via the command line. The command line is as follows:

    1Copy the code
    copy 
    windbg.exe -k com:pipe,port=\\.\pipe\bcn_com,reconnectCopy the code

Through VirtualKD

For those of you who often do dual-kernel debugging, you are no stranger to VirtualKD. Can greatly improve the speed of dual-machine kernel debugging, can be described as a magic tool.

A few years ago, setting up a two-machine kernel debugging environment with VirtualKD was simple. I can’t believe it’s not working this time. By Google search keyword VMware15 VirtualKD, VirtualKD Github Issues and look at the snow forum “ask for Help” post to see that there are already some friends have encountered this problem. VirtualKD3.0 is incompatible with VMware15.5. That’s bad news, but there’s good news — someone has already solved this problem. The github repository is Virtualkd-Redux.

While looking for a solution, someone encountered another problem. Bcdedit /debug ON failed to execute bcdedit /debug on in the VIRTUAL machine, indicating that the value is protected.

You can disable secure boot in the advanced Settings of the virtual machine.

Virutalkd-redux can be used in the same way as VirutalKD.

  1. Run on the debug hostvmmon64.exe, click on theDebugger Path...Select the debugger path.
  2. thetarget64Copy to virtual machine (if yes32Bit system, please copytarget32).
  3. Run the command on the VMtarget64In the directoryvminstall.exeThe installationVirtualKD-Redux.
  4. Restart the VM system and select the newly created oneEntryAnd according to theF8Select Disable the forced signature.
  5. If everything goes well, the debugger will automatically pop up and connect to the system being debugged (becauseStart debugger automaticallyIt is checked by default.
  6. If the debugger doesn’t pop up automatically, or if we accidentally turn off the debugger, we can clickRun DebuggerButton to start the debugger manually.

The whole process, it’s very simple. The specific process of screen recording is as follows:

Windbg symbol path Settings

When we execute a command (e.g.,! Thread), with the help of symbol files. We can set the symbolic path using the _NT_SYMBOL_PATH environment variable. Symfix path/to/symbol_cache automatically sets Microsoft symbol server to upstream symbol server in WinDBg if not already set. Symfix path/to/symbol_cache When winDBg needs symbols, it looks for them in path/to/symbol_cache. If it doesn’t find them, it looks for them in Microsoft symbol server. If it finds them in Microsoft symbol server, it caches them in path/to/symbol_cache. Then load symbols from path/to/symbol_cache.

Tips:

  • .symfixThe command will deletewindbgExisting symbolic path Settings in.
  • Currently, it seems that you need scientific Internet access to successfully connect to Microsoft symbol server.

conclusion

  • Before using VMware, disable Hyper-V, disable Security Boot, and enable Intel VT-X.

  • Note that VMware printers use serial port 1 by default. If you want to create a new serial port without deleting the printer, the new serial port is serial port 2.

  • VirtualKD3.0 does not support VMware15.5 yet, we can use virtualkd-redux.

  • Execute.symfix path/to/symbol_cache using Microsoft symbol server.

The resources

VirtualKD official install tutorial

“VMware Workstation and Device/Credential Guard are not compatible” error in VMware Workstation on Windows 10 host (2146361).

Setting up kernel debugging (VirtualKD)

VMware+Windgb+Win7 kernel driver debugging