I am trying to do Windows kernel debugging, so I set up two machines for it:
HOST and TARGET both run Windows 7 32-bit, and both have Windows Driver Kit 8.0 installed. I did the following steps:
On TARGET, I enabled kernel debugging with the following commands:
bcdedit /copy {current} /d "Windows 7 wih debug"
bcdedit /debug {02b760e4-eafc-11e4-8847-ac1155aec81a} on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /timeout 10
Then I moved over to HOST and executed the following steps:
After this, the windbg command window on HOST looked like this:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\COM1
Waiting to reconnect...
Then I rebooted TARGET and selected "Windows 7 with debug" from the boot menu.
After this, the windbg command window on HOST looked like this:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\COM1
Waiting to reconnect...
Connected to Windows 7 7601 x86 compatible target at (Tue May 5 08:23:33.992 2015 (UTC - 7:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82611000 PsLoadedModuleList = 0x8275b850
System Uptime: not available
But where the prompt for typing commands usually is, it says: Debuggee not connected.
The TARGET system boots as usual and I can use it.
Some things I noticed:
What am I doing wrong?
PS: both machines are virtual guests on XEN.
PPS: the connection works 100%, tested on the kernel without debugging enabled and using putty.
EDIT
Title changed.
According to the article My Kernel Debugger Won't Connect, COM1 can be ignored:
By checking Device Manager I was able to confirm that there was a problem with the configuration of the OS running in the VM. The bcdedit settings were configured to use COM1, which should make COM1 unavailable in the OS; however, COM1 was present in Device Manager. For some reason the debugger was not grabbing COM1 at boot as it had been configured to.
I also checked the settings described in the above article, but they seem fine too:
C:\>bcdedit
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {02b760e0-eafc-11e4-8847-ac1155aec81a}
displayorder {default}
{current}
toolsdisplayorder {memdiag}
timeout 10
displaybootmenu Yes
Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {02b760e2-eafc-11e4-8847-ac1155aec81a}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {02b760e0-eafc-11e4-8847-ac1155aec81a}
nx OptIn
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7 wih debug
locale en-US
inherit {bootloadersettings}
recoverysequence {02b760e2-eafc-11e4-8847-ac1155aec81a}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {02b760e0-eafc-11e4-8847-ac1155aec81a}
nx OptIn
debug Yes
EDIT2
Based on this SO answer I tried kd -kl. I guess it should be issued only on the target, but to be sure I tried it on both machines. You can see errors about symbols, but I think debugging should work without them.
HOST:
c:\Program Files\Windows Kits\8.0\Debuggers\x86>kd -kl
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
The system does not support local kernel debugging.
Local kernel debugging requires Windows XP, Administrative privileges.
Only a single local kernel debugging session can run at a time.
Local kernel debugging is disabled by default since Windows Vista, you must run
"bcdedit -debug on" and reboot to enable it.
Debuggee initialization failed, HRESULT 0x80004001
"Not implemented"
TARGET:
c:\Program Files\Windows Kits\8.0\Debuggers\x86>kd -kl
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Connected to Windows 7 7601 x86 compatible target at (Tue May 5 12:13:02.806 2015 (UTC - 7:00)), ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82653000 PsLoadedModuleList = 0x8279d850
Debug session time: Tue May 5 12:13:02.822 2015 (UTC - 7:00)
System Uptime: 0 days 2:48:38.649
lkd>
There are also some suggestions about setting up printer sharing etc. Is it worth trying?
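As an added example (not part of the original question or of the answers below), the following PowerShell script reproduces the TARGET-side bcdedit procedure from the question with the checks a practitioner would want: it reads the new entry's GUID out of the output of `bcdedit /copy` instead of retyping it, re-reads the boot store afterwards to confirm `debug Yes` and the serial settings, and implements the Device Manager check from the quoted article (after booting the debug entry, COM1 should be absent from the OS because the kernel debugger owns it). Assumptions, mine rather than the question's: serial debugging on COM1 (debugport:1) at 115200 baud, an elevated PowerShell prompt on TARGET, and illustrative function names that are not bcdedit or WinDbg terminology.

```powershell
# Added example, not code from the original post: create and verify a kernel-debug
# boot entry on TARGET. Run from an elevated PowerShell prompt on the TARGET machine.
# Assumptions (mine, matching the question): COM1 = debugport:1 at 115200 baud.
# Written for PowerShell 2.0, which is what Windows 7 ships with.

$ErrorActionPreference = 'Stop'

function New-KernelDebugEntry {
    param(
        [string]$Description = 'Windows 7 with debug',
        [int]$DebugPort = 1,
        [int]$BaudRate = 115200
    )
    # bcdedit /copy prints "The entry was successfully copied to {GUID}."
    # Parse the GUID from that output instead of copying it by hand.
    $copyOutput = & bcdedit /copy '{current}' /d $Description
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }
    $guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "no GUID found in bcdedit output: $copyOutput" }

    # /dbgsettings is global (shared by every entry); /debug on is per entry, so the
    # original {current} entry keeps booting normally and only the copy waits for HOST.
    & bcdedit /dbgsettings serial "debugport:$DebugPort" "baudrate:$BaudRate" | Out-Null
    & bcdedit /debug $guid on | Out-Null
    & bcdedit /set '{bootmgr}' displaybootmenu yes | Out-Null
    & bcdedit /timeout 10 | Out-Null
    return $guid
}

function Test-KernelDebugEntry {
    param([Parameter(Mandatory=$true)][string]$Guid)
    # Re-read what the boot store actually contains rather than trusting exit codes.
    # Field names are the ones printed by "bcdedit /enum" and "bcdedit /dbgsettings".
    $entry    = & bcdedit /enum $Guid
    $settings = & bcdedit /dbgsettings
    New-Object PSObject -Property @{
        DebugEnabled = [bool]($entry    -match '^\s*debug\s+Yes')
        SerialType   = [bool]($settings -match '^\s*debugtype\s+Serial')
        DebugPort1   = [bool]($settings -match '^\s*debugport\s+1\s*$')
        Baud115200   = [bool]($settings -match '^\s*baudrate\s+115200')
    }
}

function Test-DebugPortReserved {
    param([string]$Port = 'COM1')
    # Run this AFTER rebooting into the debug entry. When the kernel debugger has
    # claimed the serial port at boot, Windows does not expose it as an ordinary COM
    # device, so the port should be absent here (the Device Manager check from the
    # quoted article). If it is still listed, the debugger did not take it and
    # WinDbg on HOST will keep showing "Waiting to reconnect...".
    $ports = Get-WmiObject Win32_SerialPort | ForEach-Object { $_.DeviceID }
    return -not ($ports -contains $Port)
}

$guid = New-KernelDebugEntry
Test-KernelDebugEntry -Guid $guid | Format-List
Write-Host "Created $guid. Reboot, choose the debug entry, then run Test-DebugPortReserved."
```

On the HOST side, WinDbg is normally started with `windbg -k com:port=COM1,baud=115200` (standard WinDbg syntax; the question's own HOST steps are not shown). The putty test in the PPS proves the cable works when the OS owns the port; Test-DebugPortReserved checks the complementary condition, that the OS no longer owns it once the debug entry has booted.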
Answer 0 (score: 5)
It looks like you have attached the debugger to the target. (1) Ignore the WinDbg status message. The best way to see whether you are connected to the target is to try some commands. (2) When I debug virtual machines, the serial port I am using also goes missing, but it looks like you figured that out (well done).
To issue commands you need to break into the kernel. Click Debug->Break and try the following commands:
.reload
!ustr srv!SrvComputerName
That should give you the target system's computer name.
If you want to learn more about kernel debugging, I would check out TheSourceLens on YouTube. As for literature, I cannot recommend any books, since most of the information I found was online. However, I suggest you check out OSR Online. Happy debugging.
Answer 1 (score: 0)
You could try Bellavista.exe to create a new debug entry and look for differences.