Windows XP Kernel Debugging on VMware Fusion
Something that once required bulky, expensive serial cables can now be achieved in a matter of seconds with virtual machines. I am of course speaking about kernel debugging, what else? Recently I have been following the exceptionally good Intermediate x86 training led by Xeno Kovah where, in order to keep up with the labs, I had to set up WinXP-to-WinXP kernel debugging. After a few moments of bewilderment I reached a fully working environment with the following steps. Everything below has been tested on VMware Fusion Pro 11.
We are going to have two VMs: the debugger, where WinDbg runs, and the debuggee, our target system. Each guest gets a virtual serial port, and VMware backs both ports with the same named pipe on the host: the debuggee's end of the pipe is the server and the debugger's end is the client that connects to it. WinDbg then talks to the target's kernel debugger over that serial link exactly as it would over a physical null-modem cable, just without the cable.
1) Power down both Windows XP VMs and edit the VMX file inside each VM's .vmwarevm bundle as follows (the two files differ only in the endPoint role).
debugger (the VM running WinDbg):
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "/tmp/dev_com"
serial1.pipe.endPoint = "client"
debuggee (the target VM):
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "/tmp/dev_com"
serial1.pipe.endPoint = "server"
2) Boot the debuggee machine and add a second entry to its C:\boot.ini (a hidden, read-only system file, so clear those attributes before editing it). Copy the existing line under [operating systems] and append the kernel-debug switches, so that the new entry reads:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /debug /debugport=com1 /baudrate=115200
Keep the original entry as well, so the machine can still be booted normally; giving the debug entry a different description makes the two easier to tell apart in the boot menu. The COM port named in /debugport must be the one the guest assigned to the pipe-backed serial port (check Device Manager > Ports if unsure), and the baud rate must match what WinDbg will be told later. Power down the debuggee machine.
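Both edits can be checked, or generated, from the Fusion host before anything is powered on. The following POSIX shell script is an added example, not part of the original post: vmx_check confirms that two VMX files form a matching client/server pair on one named pipe (the step 1 settings), and bootini_debug_entry derives the step 2 entry from an existing boot.ini line, appending " (debug)" to its description so the two menu entries are distinguishable (the post keeps the original description). The VMX snippets and boot.ini embedded below are constructed samples; the function names, the temporary directory and the com1/115200 defaults are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): host-side helpers for the
# step 1 VMX edits and the step 2 boot.ini entry. Sample files are
# constructed inline so the script runs stand-alone on the Fusion host.

# vmx_get FILE KEY: print KEY's value from a VMX file, quotes stripped.
# (The dots in KEY are treated by sed as "any character", which is
# harmless for the serial1.* keys checked here.)
vmx_get() {
    sed -n "s/^$2 *= *\"\(.*\)\"/\1/p" "$1" | tail -n 1
}

# vmx_check DEBUGGER.vmx DEBUGGEE.vmx: return 0 if both VMs back serial1
# with the same named pipe, the debugger as client and the debuggee as
# server (the pairing step 1 relies on); print the first mismatch and
# return 1 otherwise.
vmx_check() {
    dbg=$1; tgt=$2
    for f in "$dbg" "$tgt"; do
        [ "$(vmx_get "$f" serial1.present)" = "TRUE" ] ||
            { echo "$f: serial1.present is not TRUE"; return 1; }
        [ "$(vmx_get "$f" serial1.fileType)" = "pipe" ] ||
            { echo "$f: serial1.fileType is not pipe"; return 1; }
    done
    [ -n "$(vmx_get "$dbg" serial1.fileName)" ] &&
    [ "$(vmx_get "$dbg" serial1.fileName)" = "$(vmx_get "$tgt" serial1.fileName)" ] ||
        { echo "serial1.fileName is missing or differs between the VMs"; return 1; }
    [ "$(vmx_get "$dbg" serial1.pipe.endPoint)" = "client" ] ||
        { echo "$dbg: the debugger must be the pipe client"; return 1; }
    [ "$(vmx_get "$tgt" serial1.pipe.endPoint)" = "server" ] ||
        { echo "$tgt: the debuggee must be the pipe server"; return 1; }
    return 0
}

# bootini_debug_entry BOOT.INI [COM] [BAUD]: print a second [operating
# systems] entry derived from the first ARC-path entry, with " (debug)"
# appended to its description and the kernel-debug switches added.
# CRLF line endings (boot.ini copied out of the guest) are tolerated.
bootini_debug_entry() {
    com=${2:-com1}; baud=${3:-115200}
    entry=$(tr -d '\r' < "$1" | sed -n '/^\[operating systems\]/,$p' |
            grep -E '^(multi|scsi|signature)\(' | head -n 1)
    [ -n "$entry" ] || { echo "$1: no ARC-path entry under [operating systems]" >&2; return 1; }
    arc=${entry%%=*}                 # multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    rest=${entry#*=}; rest=${rest#\"}
    desc=${rest%%\"*}                # text between the quotes
    switches=${rest#*\"}             # existing switches, possibly empty
    printf '%s="%s (debug)"%s /debug /debugport=%s /baudrate=%s\n' \
        "$arc" "$desc" "$switches" "$com" "$baud"
}

# Constructed sample inputs (assumed paths; not the post's real files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/debugger.vmx" <<'EOF'
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.fileName = "/tmp/dev_com"
serial1.pipe.endPoint = "client"
EOF
cat > "$tmp/debuggee.vmx" <<'EOF'
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.fileName = "/tmp/dev_com"
serial1.pipe.endPoint = "server"
EOF
cat > "$tmp/boot.ini" <<'EOF'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
EOF

vmx_check "$tmp/debugger.vmx" "$tmp/debuggee.vmx" && echo "VMX pair consistent"
bootini_debug_entry "$tmp/boot.ini"
```

Run it on the host, then point the two functions at the real .vmx files and at a boot.ini copied out of the debuggee. Once the server-side VM (the debuggee) is running, the pipe should appear on the host as a socket (ls -l /tmp/dev_com); if it does not, the debuggee's VMX is the first place to look.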
3) Boot the debugger machine and install the Windows XP SP3 symbol package "WindowsXP-KB936929-SP3-x86-symbols-full-ENU.exe" (by default it unpacks into C:\WINDOWS\Symbols). As XP is no longer supported by Microsoft you will not likely find these symbols on the official site >:) Launch WinDbg x86 (the 32-bit version, since the target is 32-bit XP) and set the symbol file path to the directory the symbols were installed in. Because the whole symbol set is local, a plain directory is enough; the srv* form is only needed when a symbol server should also be queried:
c:\windows\symbols
The same can be done from the WinDbg command window with .sympath c:\windows\symbols followed by .reload.
4) Boot the debuggee machine and choose the second entry (the one carrying the debug switches) in the boot menu. Back on the debugger machine, attach WinDbg to the serial port: File > Kernel Debug..., COM tab, baud 115200, port set to the COM port the guest assigned to its pipe-backed serial device, or equivalently windbg -k com:port=com1,baud=115200 from a command prompt. You should now see WinDbg showing live debugging data from our target system. If WinDbg instead sits at "Waiting to reconnect...", check that the debuggee really booted the debug entry, that the pipe (/tmp/dev_com) exists on the host while the debuggee is running, and that the COM port and baud rate in boot.ini and in WinDbg match.