{"id":15144623,"url":"https://github.com/dmaivel/ntoseye","last_synced_at":"2026-04-05T06:01:23.451Z","repository":{"id":256877405,"uuid":"856699121","full_name":"dmaivel/ntoseye","owner":"dmaivel","description":"Windows kernel debugger for Linux hosts running Windows under KVM/QEMU","archived":false,"fork":false,"pushed_at":"2026-04-05T04:22:31.000Z","size":355,"stargazers_count":137,"open_issues_count":1,"forks_count":17,"subscribers_count":8,"default_branch":"master","last_synced_at":"2026-04-05T05:22:49.866Z","etag":null,"topics":["disassembler","gdb","introspection","kernel-debugger","kvm","linux","memory","ntos","ntoskrnl","pdb","physical-memory","qemu","qemu-kvm","rust","windbg","windows"],"latest_commit_sha":null,"homepage":"https://crates.io/crates/ntoseye","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dmaivel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["dmaivel"]}},"created_at":"2024-09-13T03:20:05.000Z","updated_at":"2026-04-05T04:22:28.000Z","dependencies_parsed_at":"2024-12-27T02:06:26.467Z","dependency_job_id":"76168f3e-4161-4c14-9dd6-1e78af4ae524","html_url":"https://github.com/dmaivel/ntoseye","commit_stats":{"total_commits":2,"total_committers":1,"mean_commits":2.0,"dds":0.0,"last_synced_commit":"2b0eb8198590b4805236e4f887f132de49f8840d"},"previous_names":["dmaivel/ntoseye"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/dmaivel/ntoseye","r
epository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmaivel%2Fntoseye","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmaivel%2Fntoseye/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmaivel%2Fntoseye/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmaivel%2Fntoseye/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dmaivel","download_url":"https://codeload.github.com/dmaivel/ntoseye/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmaivel%2Fntoseye/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31426193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T02:22:46.605Z","status":"ssl_error","status_checked_at":"2026-04-05T02:22:33.263Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["disassembler","gdb","introspection","kernel-debugger","kvm","linux","memory","ntos","ntoskrnl","pdb","physical-memory","qemu","qemu-kvm","rust","windbg","windows"],"created_at":"2024-09-26T10:42:41.266Z","updated_at":"2026-04-05T06:01:23.118Z","avatar_url":"https://github.com/dmaivel.png","language":"Rust","funding_links":["https://github.com/sponsors/dmaivel"],"categories":[],"sub_categories":[],"readme":"\u003cimg align=\"right\" width=\"28%\" 
src=\"media/ntoseye.png\"\u003e\n\n# ntoseye ![license](https://img.shields.io/badge/license-MIT-blue) [![crates.io](https://img.shields.io/crates/v/ntoseye.svg)](https://crates.io/crates/ntoseye)\n\nWindows kernel debugger for Linux hosts running Windows under KVM/QEMU. Essentially, WinDbg for Linux.\n\n## Features\n\n- Command line interface\n- WinDbg style commands\n- Kernel debugging\n- PDB fetching \u0026 parsing for offsets\n- Breakpointing\n\n### Supported Windows\n\n`ntoseye` currently only supports Windows 10 and 11 guests.\n\n### Disclaimer\n\n`ntoseye` needs to download symbols to initialize required offsets; it will only download symbols from Microsoft's official symbol server. All files that are read or written are located in `$XDG_CONFIG_HOME/ntoseye`.\n\n### Preview\n\n![ntos](media/preview.png)\n\n# Getting started\n\n## Install via cargo\n\n```bash\ncargo install ntoseye\n```\n\n## Building\n\n```bash\ngit clone https://github.com/dmaivel/ntoseye.git\ncd ntoseye\ncargo build --release\n```\n\n# Usage\n\nIt is recommended that you run the following command before running `ntoseye` or a VM:\n```bash\necho 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope\n```\n\nNote that you may need to run `ntoseye` with `sudo` as well (last resort, try the command above first).\n\nTo view command line arguments, run `ntoseye --help`. The debugger is self-documented, so pressing tab will display completions and descriptions for commands, symbols, and types.\n\nFor examples, refer [here](#usage-examples).\n\n## VM configuration\n\n`bcdedit /debug on` is not required within the guest.\n\nMany features depend on `gdbstub` being enabled, so it's recommended that it is enabled.\n\nIt is recommended to disable memory paging and memory compression within the guest operating system to avoid memory-related issues. This only needs to be done once per Windows installation. 
Run the following commands in PowerShell (Run as Administrator):\n```\nGet-CimInstance Win32_ComputerSystem | Set-CimInstance -Property @{ AutomaticManagedPagefile = $false }\nGet-CimInstance Win32_PageFileSetting | Remove-CimInstance\nDisable-MMAgent -MemoryCompression\nRestart-Computer\n```\n\n#### QEMU\n\nAppend `-s -S` to the QEMU command.\n\n#### virt-manager\n\nAdd the following to the XML configuration:\n```xml\n\u003cdomain xmlns:qemu=\"http://libvirt.org/schemas/domain/qemu/1.0\" type=\"kvm\"\u003e\n  ...\n  \u003cqemu:commandline\u003e\n    \u003cqemu:arg value=\"-s\"/\u003e\n    \u003cqemu:arg value=\"-S\"/\u003e\n  \u003c/qemu:commandline\u003e\n\u003c/domain\u003e\n```\n\n## Credits\n\nFunctionality regarding initialization of guest information was written with the help of the following sources:\n\n- [vmread](https://github.com/h33p/vmread)\n- [pcileech](https://github.com/ufrisk/pcileech)\n- [MemProcFS](https://github.com/ufrisk/MemProcFS)\n\n## Usage examples\n\n### Privilege escalation\n\n1. Run `ps \u003cfilter\u003e` to get the `EPROCESS` address of the process you wish to escalate\n2. Run `eq (_EPROCESS)(AddressOfEPROCESS)-\u003eToken *(_EPROCESS)*PsInitialSystemProcess-\u003eToken` where `AddressOfEPROCESS` is the address from step 1","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmaivel%2Fntoseye","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdmaivel%2Fntoseye","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmaivel%2Fntoseye/lists"}