Windows 10 Kernel debugging on QEMU


My quick notes and configurations to debug the Windows 10 Kernel on QEMU...

If you are not familiar with the Windows kernel debugging process, the following links may be of interest. They should contain all the information required to understand these notes.

Getting Started with Windows Debugging

KVM Guest Debugging

qemu-kvm(1) - Linux man page

Tested on...

  • QEMU emulator version 2.0.0
  • Microsoft Windows 10 1511 - November update 2015 (ISO)
  • Microsoft Windows 10 10586 x64 target
  • Windows Debugger Version 10.0.10586.567 AMD64

QEMU configuration...

We will use two Windows 10 VMs to run the debugger ('host') and the kernel under debugging ('guest').

The 'host' will work as the server while the 'guest' will be the client.

The 'host' requires the Windows Debugger Version 10.0.10586.567 installed. There are several ways to install it. I used the "Debugging Tools for Windows 10 (WinDbg)" package to deploy it.

The following QEMU parameters are required to support the 'host' use case:

qemu-system-x86_64 -enable-kvm ... -cpu core2duo,+nx -serial tcp::4545,server,nowait

The 'guest' use case requires the following switches to work:

qemu-system-x86_64 -enable-kvm ... -cpu core2duo,+nx -serial tcp:127.0.0.1:4545

You will have to enable the debugging support in the 'guest'. You will need to run the following commands under a privileged (Administrator) console (cmd.exe)...

After enabling debugging support in the 'guest' you will have to reboot the box. You should see a new boot choice with debugging support...

With my current hardware and these software versions, the CPU switches 'core2duo' and '+nx' are required to get a stable debugging session. Both VMs use TCP/IP to emulate the required serial port.

Remember to configure the serial port in 'WinDbg' before running the kernel debugger (File -> Kernel Debug...)

Breaking in the debugger (Debug -> Break)...

With the default configuration you don't need to do anything to have symbol support. Symbols are retrieved on demand...

Windows 10 Kernel debugging on QEMU...

The configuration looks quite stable and the performance is pretty good too.
