Is it possible to use this project to debug userland processes running inside the Linux kernel guest from the QEMU GDB stub, and without Xen? #24
Comments
Hi,
You are looking for a guest-aware GDB stub.
It should be. I looked at Linux internals, got interested in the scheduler, but couldn't find the resources to have the whole picture. At the moment the implementation is silly; you can follow how I'm attaching to an existing process for Linux here: I try to find the process descriptor, find the CR3, wait for the CR3 to be loaded, and then pause the VM. That's far from ideal. If you are ready to look at Linux internals, feel free to implement it.
I'm parsing Rekall profiles, which are JSON files containing structs, constants, symbols, etc. Look how I'm using these profiles to read the Windows process and thread descriptor fields:
Xen is the only hypervisor fully supported by Libvmi at the moment. I created a project to help bring vmi on KVM, and an appropriate libvmi driver: I will update the README to state what hypervisor is supported, as it brings confusion.
I know people working on a KD stub inspecting Windows OS, but not Linux. Apart from the solution you listed in your SO post, that's it. You might want to look at a presentation I did on the topic: Thanks!
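To make the two ideas in the reply above concrete (reading a Rekall profile to get struct field offsets, then using those offsets to locate a process descriptor), here is an added example in Python. It is not code from this project or from Rekall: the profile is a constructed, minimal subset of the Rekall JSON layout (`$STRUCTS` mapping a struct name to `[size, {field: [offset, [type, args]]}]`, `$CONSTANTS` mapping a symbol to its address), the `task_struct` offsets are made up, and guest memory is a flat byte buffer with no paging, standing in for what a VMI tool would read through the hypervisor. The walk is bounded so that a corrupted or unexpected task list in the guest cannot loop forever.

```python
import json
import struct

# Constructed Rekall-style profile (assumption: offsets and sizes are invented
# for this example; a real profile is generated from the kernel's debug info).
PROFILE_JSON = json.dumps({
    "$METADATA": {"ProfileClass": "Linux", "Type": "Profile"},
    "$CONSTANTS": {"init_task": 0x1000},
    "$STRUCTS": {
        "task_struct": [64, {
            "pid":   [0,  ["int", {}]],
            "tasks": [8,  ["list_head", {}]],
            "comm":  [24, ["String", {"length": 16}]],
        }],
        "list_head": [16, {
            "next": [0, ["Pointer", {"target": "list_head"}]],
            "prev": [8, ["Pointer", {"target": "list_head"}]],
        }],
    },
})

# Constructed task list: (address, pid, comm), first entry is init_task.
SAMPLE_TASKS = [(0x1000, 0, "swapper"), (0x1040, 1, "systemd"), (0x1080, 1234, "target")]


class RekallProfile:
    """Minimal reader for the subset of the Rekall profile format used here."""

    def __init__(self, text):
        data = json.loads(text)
        self.structs = data["$STRUCTS"]
        self.constants = data["$CONSTANTS"]

    def offset(self, struct_name, field):
        return self.structs[struct_name][1][field][0]

    def size(self, struct_name):
        return self.structs[struct_name][0]

    def symbol(self, name):
        return self.constants[name]


class GuestMemory:
    """Flat byte buffer standing in for guest memory (constructed, identity-mapped)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, addr, n):
        return bytes(self.buf[addr:addr + n])

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.buf, addr)[0]

    def read_u64(self, addr):
        return struct.unpack_from("<Q", self.buf, addr)[0]

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data


def build_sample_memory(profile, entries):
    """Lay out a circular doubly linked task list the way the kernel does:
    task_struct.tasks.next points at the *tasks* member of the next task."""
    mem = GuestMemory(0x2000)
    off_pid, off_tasks = profile.offset("task_struct", "pid"), profile.offset("task_struct", "tasks")
    off_comm = profile.offset("task_struct", "comm")
    off_next, off_prev = profile.offset("list_head", "next"), profile.offset("list_head", "prev")
    n = len(entries)
    for i, (addr, pid, comm) in enumerate(entries):
        mem.write(addr + off_pid, struct.pack("<I", pid))
        mem.write(addr + off_tasks + off_next, struct.pack("<Q", entries[(i + 1) % n][0] + off_tasks))
        mem.write(addr + off_tasks + off_prev, struct.pack("<Q", entries[(i - 1) % n][0] + off_tasks))
        mem.write(addr + off_comm, comm.encode().ljust(16, b"\0"))
    return mem


def walk_tasks(profile, mem, limit=4096):
    """Yield (task_addr, pid, comm) for each task reachable from init_task.tasks.
    Stops when the list wraps back to init_task, hits a NULL pointer, or exceeds
    `limit` entries, so a damaged list cannot spin the inspector forever."""
    off_tasks = profile.offset("task_struct", "tasks")
    off_next = profile.offset("list_head", "next")
    off_pid = profile.offset("task_struct", "pid")
    off_comm = profile.offset("task_struct", "comm")
    head = profile.symbol("init_task") + off_tasks
    cur = head
    for _ in range(limit):
        task = cur - off_tasks  # container_of(cur, struct task_struct, tasks)
        pid = mem.read_u32(task + off_pid)
        comm = mem.read(task + off_comm, 16).split(b"\0", 1)[0].decode(errors="replace")
        yield task, pid, comm
        cur = mem.read_u64(cur + off_next)
        if cur == head or cur == 0:
            break


def find_task(profile, mem, name):
    """Return (task_addr, pid) of the first task whose comm equals `name`, else None."""
    for task, pid, comm in walk_tasks(profile, mem):
        if comm == name:
            return task, pid
    return None


if __name__ == "__main__":
    prof = RekallProfile(PROFILE_JSON)
    guest = build_sample_memory(prof, SAMPLE_TASKS)
    for task, pid, comm in walk_tasks(prof, guest):
        print(f"task_struct @ {task:#x}  pid={pid:<6} comm={comm}")
    print("target:", find_task(prof, guest, "target"))
```

The same container_of arithmetic is what a real VMI inspector does on live guest memory; the only pieces swapped out here are the memory reads (a flat buffer instead of hypervisor-mediated reads that go through the guest's page tables) and the profile contents.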
I just updated the README, adding a section about the state of VMI support in hypervisors today.
Awesome, thanks for this info! Extending this library does seem like the best way to achieve the solution I've seen so far! I can't work on it now, but I'll update the answer to mention this, and ping the people who were working on an in-GDB solution. Feel free to close this ticket, or keep it open: likely this should be split into two: no-Xen support and Linux support.
O M G! Any reason why it should not work on QEMU BTW? If it might work I'll try it out.
It depends what you mean by QEMU:
OK, I was mostly thinking about binary translation :-( I have to understand better how this project works at some point and why it works for one and not the other. Fantastic news anyways!
@cirosantilli Hey, yes, we are parsing the Linux kernel structures and injecting actual breakpoints, but there are a couple of things I need to make sure are stable first and test; then I will be updating and submitting it to the repository soon enough, as I've been inactive lately.
Hi Mathieu,
I've been looking for such capability for a while, and this project seems really close.
I summarized my findings so far: https://stackoverflow.com/questions/9561546/thread-aware-gdb-for-the-linux-kernel/51515470#51515470
My main question is: is that possible with this project? The main thing which might not work is that I'm not using Xen, just the QEMU GDB stub directly.
But you seem to be parsing Linux kernel process data structures, which is the hard part.
Or do you know any other project which has achieved this?