windbg first connect then stuck on "Debuggee not connected." message during kernel debugging
I am trying to do Windows kernel debugging, so I set up two machines for it:
- HOST - DEBUGGER - the computer running the windbg debugger
- TARGET - DEBUGGEE - the computer being debugged
Both HOST and TARGET run Windows 7 32-bit, and both have Windows Driver Kit 8.0 installed. I did the following steps:
On TARGET I enabled kernel debugging with the following commands:
bcdedit /copy {current} /d "Windows 7 wih debug"
bcdedit /debug {02b760e4-eafc-11e4-8847-ac1155aec81a} on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /timeout 10
Then I started HOST and did the following steps:
- start windbg
- File->Kernel Debug->COM
- Baud rate: 115200, Port: COM1, Pipe: unchecked, Reconnect: unchecked, Resets: 0
- OK
After this, the windbg command window on the host looks like this:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \.\COM1
Waiting to reconnect...
Then I rebooted TARGET and selected "Windows 7 with debug" from the boot menu.
After this, the windbg command window on the host looks like this:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \.\COM1
Waiting to reconnect...
Connected to Windows 7 7601 x86 compatible target at (Tue May 5 08:23:33.992 2015 (UTC - 7:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82611000 PsLoadedModuleList = 0x8275b850
System Uptime: not available
But instead of the usual prompt for entering commands I get: Debuggee not connected.
The TARGET system boots as usual and I am able to use it.
A few things I noticed:
- The COM1 port is missing on the target computer in Device Manager after the above steps.
- After closing windbg on the HOST machine and trying to reboot TARGET, it got stuck on the "Shutting Down" message, so I had to force a power-off.
- After booting TARGET into the "old" kernel without debugging, the enabled serial port is available in Device Manager.
- After booting TARGET into the "new" kernel with debugging enabled (and with no HOST listening), the serial port is not available in Device Manager.
What am I doing wrong?
PS: Both machines are virtual guests on XEN.
PPS: The connection works 100%, tested on the kernel without debugging enabled and using putty.
EDIT:
Title changed.
According to the article My Kernel Debugger Won't Connect, the missing COM1 is fine:
By checking Device Manager I was able to confirm that there was a problem with the configuration of the OS running in the VM. The bcdedit settings were configured to use COM1, and this should make COM1 unavailable in the OS, however, COM1 was present in device manager. For some reason the debugger was not capturing COM1 on boot as it was configured to.
I also checked the settings described in the article above, but they don't seem to have any problem either:
C:\>bcdedit
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {02b760e0-eafc-11e4-8847-ac1155aec81a}
displayorder {default}
{current}
toolsdisplayorder {memdiag}
timeout 10
displaybootmenu Yes
Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {02b760e2-eafc-11e4-8847-ac1155aec81a}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {02b760e0-eafc-11e4-8847-ac1155aec81a}
nx OptIn
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7 wih debug
locale en-US
inherit {bootloadersettings}
recoverysequence {02b760e2-eafc-11e4-8847-ac1155aec81a}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {02b760e0-eafc-11e4-8847-ac1155aec81a}
nx OptIn
debug Yes
EDIT2
Based on this SO answer I have tried issuing the kd -kl command. I guess it should be issued only on the target, but to be sure I tried it on both machines. You can see the errors about symbols, but I think debugging should be possible without them.
HOST:
c:\Program Files\Windows Kits.0\Debuggers\x86>kd -kl
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
The system does not support local kernel debugging.
Local kernel debugging requires Windows XP, Administrative privileges.
Only a single local kernel debugging session can run at a time.
Local kernel debugging is disabled by default since Windows Vista, you must run
"bcdedit -debug on" and reboot to enable it.
Debuggee initialization failed, HRESULT 0x80004001
"Not implemented"
TARGET:
c:\Program Files\Windows Kits.0\Debuggers\x86>kd -kl
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Connected to Windows 7 7601 x86 compatible target at (Tue May 5 12:13:02.806 20
15 (UTC - 7:00)), ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkr
pamp.exe -
Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0x82653000 PsLoadedModuleList = 0x8279d850
Debug session time: Tue May 5 12:13:02.822 2015 (UTC - 7:00)
System Uptime: 0 days 2:48:38.649
lkd>
There are also some suggestions about setting up printer sharing etc.; is that worth a try?
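The question hard-codes the GUID that `bcdedit /copy` printed into the following `bcdedit /debug` call, which is easy to get wrong by hand. The script below is an added example (not the poster's own commands) of the same target-side setup as a repeatable script: it captures the GUID of the copied entry from the `bcdedit /copy` output, enables debugging on that entry only, sets the serial transport, and then verifies that the new entry really shows `debug Yes`. It assumes an elevated PowerShell prompt on the TARGET; the description text, COM port number and baud rate are taken from the question and can be changed.

```powershell
# Added example (not from the original question): create a kernel-debug boot
# entry without hand-copying the GUID, then verify what bcdedit recorded.
# Run from an elevated PowerShell prompt on the TARGET machine.
$Description = "Windows 7 with debug"   # assumption: matches the question's entry name
$DebugPort   = 1                         # COM1 on the target, as in the question
$BaudRate    = 115200

# bcdedit /copy prints: "The entry was successfully copied to {GUID}."
$copyOutput = & bcdedit /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

# Pull the GUID of the new entry out of that message instead of retyping it.
$guid = [regex]::Match(($copyOutput -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "Could not find the new entry GUID in: $copyOutput" }
Write-Host "New boot entry: $guid"

# Enable kernel debugging on the copied entry only; /dbgsettings is global.
& bcdedit /debug $guid on
& bcdedit /dbgsettings serial "debugport:$DebugPort" "baudrate:$BaudRate"
& bcdedit /set '{bootmgr}' displaybootmenu yes
& bcdedit /timeout 10

# Verify: the new entry must list "debug Yes" and the transport must be serial.
$entry = & bcdedit /enum $guid
if (-not ($entry -match '^\s*debug\s+Yes')) { throw "debug flag not set on $guid" }
& bcdedit /dbgsettings
```

The verification step at the end is the part worth keeping even if the rest is done by hand: `bcdedit /enum {guid}` shows whether `debug Yes` landed on the entry you intend to boot, and `bcdedit /dbgsettings` shows the transport the kernel will claim at boot, which is why COM1 disappears from Device Manager on the debug entry.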
You could try Bellavista.exe to create a new debug entry and look for the differences.
It looks like you have the debugger attached to the target. (1) Ignore the WinDbg status message. The best way to see whether you are connected to the target is to try some commands. (2) When I debug virtual machines, the serial port I am using also disappears, but it looks like you figured that out (good job).
In order to issue commands you need to break into the kernel. Click "Debug->Break" and try the following commands:
.reload
!ustr srv!SrvComputerName
That should give you the target system's computer name.
If you want to learn more about kernel debugging, I would check out TheSourceLens on YouTube. As for literature, I can't recommend any books, because most information I find is online. However, I would recommend checking out OSR Online. Happy debugging.