Project 12: Kernel Debugging with WinDbg (Mac version) (20 pts.)

What You Need

Purpose

Introduction to WinDbg and kernel debugging

The Two Machines

You need two Windows machines to do this project: One is the TARGET machine, which is a virtual machine running Win XP SP3.

The other is the WINDBG machine, which is a Windows machine running WinDbg. If you are using a Mac, the WINDBG machine is also a virtual machine.

Adding a Boot Menu Item to the TARGET machine

Start the TARGET Windows XP SP3 virtual machine.

Click Start, Run.

In the Run box, execute this command:

notepad c:\boot.ini
In Notepad, copy the existing boot line, paste it at the end of the file, and add these switches to the end of the line, as shown below:
/debug /debugport=COM2 /baudrate=115200

Save the file.
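The same boot.ini edit in scripted form, added here as an example and not part of the original project: a POSIX shell function that copies the first entry under [operating systems] to the end of a copy of boot.ini, extends its description so the boot menu tells the two entries apart, appends the three switches, and refuses to add a second debug entry. Run it against a copy of the file on the host rather than inside the XP VM; the "with debugger enabled" wording matches the boot-menu entry this project expects.

```shell
# Added example, not from the original project page: scripts the Notepad edit
# above against a copy of boot.ini (which uses CRLF line endings on XP).
#   sh add_debug_entry.sh boot.ini

# debug_boot_entry BOOTINI: prints the debug entry, if one exists, without the CR
debug_boot_entry() {
  grep '/debugport=' "$1" | tr -d '\r'
}

# add_debug_boot_entry BOOTINI: duplicate the first [operating systems] entry,
# mark it "with debugger enabled", and append the kernel-debug switches.
add_debug_boot_entry() {
  ini=$1
  [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 2; }
  if [ -n "$(debug_boot_entry "$ini")" ]; then
    echo "$ini already has a debug entry; leaving it alone" >&2; return 1
  fi
  # first non-blank line after the [operating systems] header
  entry=$(awk '/^\[operating systems\]/ {f=1; next} f && NF {print; exit}' "$ini" | tr -d '\r')
  [ -n "$entry" ] || { echo "no entry under [operating systems] in $ini" >&2; return 2; }
  # extend the quoted description so the boot menu shows which entry is which
  debug=$(printf '%s' "$entry" | sed 's/="\([^"]*\)"/="\1 with debugger enabled"/')
  # keep the file's CRLF convention; start on a new line if the last one is unterminated
  [ -z "$(tail -c 1 "$ini")" ] || printf '\r\n' >> "$ini"
  printf '%s /debug /debugport=COM2 /baudrate=115200\r\n' "$debug" >> "$ini"
}

if [ $# -eq 1 ]; then add_debug_boot_entry "$1"; fi
```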

Click Start,

Virtual Serial Adapters on the Mac

Since you are using a Mac with Fusion, you will need two Windows virtual machines: one is the TARGET, to be examined, and the other is the WINDBG machine, running WinDbg.

You could use a second copy of your WinXPSP3 virtual machine as the WINDBG machine. I used a Win 7 VM as the WINDBG machine.

Editing the TARGET VM's VMX File

Unfortunately, the GUI for VMware Fusion doesn't include the options we need, so you need to edit the VMX file manually.

Power off the TARGET virtual machine. You cannot make this change while the virtual machine is running or suspended.

In a Terminal window, use the cd command to get to the directory containing your TARGET virtual machine's VMX file.

In my case, this was the required command:

cd ~/Documents/VMs/WinXPSP3-working
Execute this command to see the files, as shown below:
ls

Find the file ending in ".vmx"; in the example above, it was "Windows XP Professional.vmx".

Edit that file with nano, as shown below:

nano "Windows XP Professional.vmx"
Scroll to the bottom of the file and add this code, as shown below:
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.fileName = "/private/tmp/serial"
serial1.tryNoRxLoss = "FALSE"
serial1.pipe.endPoint = "server"

Press Ctrl+X, Y, Enter to save the file.

Editing the WINDBG VM's VMX File

Power off the WINDBG virtual machine.

In a Terminal window, use the cd command to get to the directory containing your WINDBG virtual machine's VMX file.

In my case, this was the required command:

cd ~/Documents/VMs/Win7-Target/Windows\ 7.vmwarevm
Execute this command to see the files:
ls
Find the file ending in ".vmx".

Edit that file with nano, as shown below:

nano "Windows 7.vmx"
Scroll to the bottom of the file and add this code, as shown below:
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.fileName = "/private/tmp/serial"
serial1.tryNoRxLoss = "FALSE"
serial1.pipe.endPoint = "client"

Press Ctrl+X, Y, Enter to save the file.
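Both VMX edits above (TARGET as server, WINDBG as client), scripted as an added example that is not part of the original project page: one POSIX shell function appends the five serial1 lines with the endpoint you pass and refuses to touch a VMX that already defines serial1, and a second function checks that the two VMs form a valid pair (same pipe path, one server and one client). The ".vmx.lck" lock-directory test is an assumption about how Fusion marks a running or suspended VM.

```shell
# Added helper, not part of the original page. Run on the host Mac with the
# VMs powered off:   sh vmx_serial.sh "Windows XP Professional.vmx" server
# Assumption: Fusion keeps a "<name>.vmx.lck" lock beside a VM that is running
# or suspended, so its presence means the edit would not be safe.

serial_pipe_endpoint() {   # prints server, client, or nothing
  sed -n 's/^serial1\.pipe\.endPoint = "\(.*\)"$/\1/p' "$1"
}

serial_pipe_name() {       # prints the pipe path the VM is configured to use
  sed -n 's/^serial1\.fileName = "\(.*\)"$/\1/p' "$1"
}

# add_serial_pipe VMXFILE ENDPOINT   (server for TARGET, client for WINDBG)
add_serial_pipe() {
  vmx=$1; endpoint=$2
  case "$endpoint" in
    server|client) ;;
    *) echo "endpoint must be server or client, got '$endpoint'" >&2; return 2 ;;
  esac
  [ -f "$vmx" ] || { echo "no such VMX file: $vmx" >&2; return 2; }
  if [ -e "${vmx}.lck" ]; then
    echo "$vmx looks powered on or suspended (lock present); power it off first" >&2
    return 3
  fi
  if grep -q '^serial1\.' "$vmx"; then
    echo "$vmx already defines serial1; not adding a second device" >&2
    return 1
  fi
  # start on a fresh line even if the file lacks a final newline
  [ -z "$(tail -c 1 "$vmx")" ] || printf '\n' >> "$vmx"
  printf '%s\n' \
    'serial1.present = "TRUE"' \
    'serial1.fileType = "pipe"' \
    'serial1.fileName = "/private/tmp/serial"' \
    'serial1.tryNoRxLoss = "FALSE"' \
    "serial1.pipe.endPoint = \"$endpoint\"" >> "$vmx"
}

# check_serial_pair TARGET.vmx WINDBG.vmx: both sides must share one pipe path
# and take opposite roles, or WinDbg never leaves "Waiting to reconnect...".
check_serial_pair() {
  a=$(serial_pipe_endpoint "$1"); b=$(serial_pipe_endpoint "$2")
  fa=$(serial_pipe_name "$1");    fb=$(serial_pipe_name "$2")
  if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
    echo "need one server and one client, got '$a' and '$b'" >&2; return 1
  fi
  if [ -z "$fa" ] || [ "$fa" != "$fb" ]; then
    echo "pipe paths differ: '$fa' vs '$fb'" >&2; return 1
  fi
}

if [ $# -eq 2 ]; then add_serial_pipe "$1" "$2"; fi
```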

Configuring a Shared Folder on Both Machines

The virtual serial adapters pass serial traffic through /private/tmp/serial on the host Mac, the pipe named in both VMX files.

According to a Web page I read, you need to share this folder with the VM for it to work.

I'm not sure this is necessary, but it works.

Open VMware Fusion. Open the Virtual Machine Library.

In the left pane, select the TARGET VM.

From the menu bar, click "Virtual Machine ", Settings.

In the "System Settings" section, click Sharing.

In the "Shared Folders" box, on the left side, click the + sign.

Accept the default folder of "/private/tmp" and click the Add button.

Your window should now look like the example below.

Repeat this process to add the same shared folder to the WINDBG virtual machine.

Downloading Microsoft Symbols

Kernel debugging is much easier with symbols.

WinDbg can download them automatically as needed, but downloading them separately is the best procedure if you plan to work without always being connected to a reliable, high-speed Internet connection.

Start the WINDBG machine. In a Web browser, go to

http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

Download the symbol file for "Windows XP with Service Pack 3 x86 retail symbols, all languages", as shown below.

You end up with an EXE file. Run it in the WINDBG machine. Accept all the default options.

First it will extract into a temporary directory with a long name, then it will automatically extract into C:\Windows\Symbols. Accept that selection.

Installing WinDbg on the WINDBG Machine

On the WINDBG machine, open a browser and go to

http://msdn.microsoft.com/en-US/windows/desktop/bg162891

Click the blue Download button.

Save the sdksetup.exe file on your desktop.

Double-click the sdksetup.exe file.

Accept the agreement and click the "Accept & Install" button.

Wait while .NET installs, as shown below.

In the "Specify Location" box, accept the default options, as shown below.

Click Next.

In the "Join the Customer Experience Improvement Program (CEIP)" box, accept the default selection of No and click Next.

In the "License Agreement" box, click Accept.

In the "Select the features you want to install" box, clear all the check boxes except "Debugging Tools for Windows", as shown below.

Click Install.

When the process is complete, you see a message saying "Welcome to the Windows Software Development Kit for Windows 8.1!".

Click Close.

Configuring Symbols in WinDbg

Click Start. Type in WINDBG.

Launch WinDbg. If you are using Windows 7, run it as Administrator.

In WinDbg, click File, "Symbol File Path". Enter this line, as shown below:

SRC*c:\windows\symbols*

Click the OK button.

Starting Kernel Debugging

In WinDbg, click File, "Kernel Debug".

In the "Kernel Debugging" box, click the COM tab.

Change the Port to com2, as shown below. Then click OK.

You see a window saying "Waiting to reconnect...", as shown below.

Starting the TARGET machine

Start the TARGET virtual machine.

If you see a message saying "The serial port output file ... already exists", click Replace.

You should see two boot-menu options. Choose the second one, "Microsoft Windows XP Professional with debugger enabled", as shown below.

Your WINDBG machine should now show the message "Connected to Windows XP", as shown below.

Saving a Screen Image

Make sure you can see the message "Connected to Windows XP", as shown above.

On your keyboard, press the PrntScrn key.

Click Start, type in PAINT, and open Paint.

Press Ctrl+V to paste in the image of your desktop.

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT.

Save the image with a filename of "Proj 12 from YOUR NAME".

Turning in Your Project

Email the image to: cnit.126sam@gmail.com with a subject line of Proj 12 From Your Name, replacing Your Name with your own first and last name. Send a Cc to yourself.

Source

http://www.dcl.hpi.uni-potsdam.de/research/WRK/2011/01/running-wrk-on-mac-os-with-vmware-fusion/

Last Modified: 10-21-13 9:47 am