{"id":16714044,"url":"https://github.com/therealdreg/bochs_linux_kernel_debugging","last_synced_at":"2025-03-21T20:33:39.126Z","repository":{"id":97023139,"uuid":"527701777","full_name":"therealdreg/bochs_linux_kernel_debugging","owner":"therealdreg","description":"Tools for Linux kernel debugging on Bochs (including symbols, native Bochs debugger and IDA PRO)","archived":false,"fork":false,"pushed_at":"2023-08-11T06:27:45.000Z","size":2428,"stargazers_count":31,"open_issues_count":0,"forks_count":10,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-18T05:06:44.608Z","etag":null,"topics":["bochs","debugging-tool","ida-pro","idapython","kernel-debugging","linux","linux-kernel","linux-kernel-hacking","x86-64"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2022-08-22T19:18:25.000Z","updated_at":"2024-08-19T21:25:52.000Z","dependencies_parsed_at":"2024-03-08T21:15:48.289Z","dependency_job_id":null,"html_url":"https://github.com/therealdreg/bochs_linux_kernel_debugging","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fbochs_linux_kernel_debugging","tags_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/therealdreg%2Fbochs_linux_kernel_debugging/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fbochs_linux_kernel_debugging/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fbochs_linux_kernel_debugging/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/bochs_linux_kernel_debugging/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244866382,"owners_count":20523507,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bochs","debugging-tool","ida-pro","idapython","kernel-debugging","linux","linux-kernel","linux-kernel-hacking","x86-64"],"created_at":"2024-10-12T20:48:59.155Z","updated_at":"2025-03-21T20:33:39.099Z","avatar_url":"https://github.com/therealdreg.png","language":"Python","readme":"# bochs_linux_kernel_debugging\nTools for Linux kernel debugging on Bochs (including symbols, native Bochs debugger and IDA PRO)\n\n![linux_idt_disas_syscall](img/linux_idt_disas_syscall.png)\n\n![bochs_ida_pro_linux_kernel_debug](img/bochs_ida_pro_linux_kernel_debug.png)\n\n# Generate symbol file for linux kernel debugging\n\nFollow the steps below:\n\n## 0- Generate an nm style debug info file\n\nJust use the **nm** command on the debug kernel image; example for Debian:\n\n1- Install the dbg image\n```\nroot@debian# apt-get install linux-image-$(uname -r)-dbg\n```\n\n2- Check that nm works on the dbg image:\n```\ndreg@debian# nm /usr/lib/debug/boot/vmlinux-$(uname -r) | tail\nffffffff8207d7c0 d zswap_same_filled_pages_enabled\nffffffff8262b54c b zswap_stored_pages\nffffffff8262b420 b zswap_trees\nffffffff81225df0 t zswap_update_total_size\nffffffff81226a50 t zswap_writeback_entry\nffffffff8262b538 b zswap_written_back_pages\nffffffff81c41fb8 r zswap_zpool_ops\nffffffff8207d7e0 d zswap_zpool_param_ops\n```\n\n3- Generate a valid output file for linsymtobch.py:\n```\ndreg@debian# nm /usr/lib/debug/boot/vmlinux-$(uname -r) \u003e nm_output.txt\n```\n\nYou can also use or combine other kinds of tools; see this repo for more hints:\n\nhttps://github.com/therealdreg/linux_kernel_debug_disassemble_ida_vmware\n\n* **dump_kallsyms.sh**: dump symbols from /proc/kallsyms\n* **vmlinuxsystemap.sh**: copy the current kernel vmlinuz \u0026 system.map to the current directory\n* **lkmsym/dumpsyms.sh**: load pattern-finder-ring0-LKM and dump kernel symbols\n\n## 1- nm style output file to Bochs syms\n\nUse linsymtobch.py to convert an nm style output file to a Bochs syms file:\n```\npython linsymtobch.py symbol_file.txt output_bochs_syms.txt [letter 1] [letter 2] [letter 3] .... [--verbose]\n```\n\nExample:\n```\n./linsymtobch.py nm_output.txt output_bochs_syms.txt\n```\n\nOutput:\n```\nhttps://github.com/therealdreg/bochs_linux_kernel_debugging\n-\nMIT LICENSE Copyright \u003c2020\u003e\nDavid Reguera Garcia aka Dreg - Dreg@fr33project.org\nhttp://www.fr33project.org/ - https://github.com/therealdreg\n\nusage: python linsymbtobch.py symbol_file.txt output_bochs_syms.txt [letter 1] [letter 2] [letter 3] .... [--verbose]\n\nwhere letters can be empty for all symbols or a combination:\n\nIf lowercase, the symbol is local; if uppercase, the symbol is global (external).\n------------------------------------\n\"A\" The symbol's value is absolute, and will not be changed by further linking.\n\n\"B\" \"b\" The symbol is in the uninitialized data section (known as BSS ).\n\n\"C\" The symbol is common. 
Common symbols are uninitialized data. When linking, multiple common symbols may appear with the same name. If the symbol is defined anywhere, the common symbols are treated as undefined references.\n\n\"D\" \"d\" The symbol is in the initialized data section.\n\n\"G\" \"g\" The symbol is in an initialized data section for small objects. Some object file formats permit more efficient access to small data objects, such as a global int variable as opposed to a large global array.\n\n\"i\" For PE format files this indicates that the symbol is in a section specific to the implementation of DLLs. For ELF format files this indicates that the symbol is an indirect function. This is a GNU extension to the standard set of ELF symbol types. It indicates a symbol which if referenced by a relocation does not evaluate to its address, but instead must be invoked at runtime. The runtime execution will then return the value to be used in the relocation.\n\n\"N\" The symbol is a debugging symbol.\n\n\"p\" The symbols is in a stack unwind section.\n\n\"R\" \"r\" The symbol is in a read only data section.\n\n\"S\" \"s\" The symbol is in an uninitialized data section for small objects.\n\n\"T\" \"t\" The symbol is in the text (code) section.\n\n\"U\" The symbol is undefined.\n\n\"u\" The symbol is a unique global symbol. This is a GNU extension to the standard set of ELF symbol bindings. For such a symbol the dynamic linker will make sure that in the entire process there is just one symbol with this name and type in use.\n\n\"V\" \"v\" The symbol is a weak object. When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used with no error. When a weak undefined symbol is linked and the symbol is not defined, the value of the weak symbol becomes zero with no error. On some systems, uppercase indicates that a default value has been specified.\n\n\"W\" \"w\" The symbol is a weak symbol that has not been specifically tagged as a weak object symbol. 
When a weak defined symbol is linked with a normal defined symbol, the normal defined symbol is used with no error. When a weak undefined symbol is linked and the symbol is not defined, the value of the symbol is determined in a system-specific manner without error. On some systems, uppercase indicates that a default value has been specified.\n\n\"-\" The symbol is a stabs symbol in an a.out object file. In this case, the next values printed are the stabs other field, the stabs desc field, and the stab type. Stabs symbols are used to hold debugging information.\n\n\"?\" The symbol type is unknown, or object file format specific.\n------------------------------------\n\n0xffffffff81412a30 T_aa_af_perm\n0xffffffff813ff4f0 T_aa_alloc_profile\n0xffffffff8140c420 T_aa_alloc_proxy\n0xffffffff82c71f0d T_aa_alloc_root_ns\n0xffffffff81409e20 T_aa_alloc_secid\n0xffffffff813f7bc0 T_aa_apply_modes_to_perms\n0xffffffff813f6030 T_aa_audit\n0xffffffff8140a210 T_aa_audit_file\n0xffffffff813f6010 T_aa_audit_msg\n\n...\n\ndone!\n\n        total symbols written: 115131\n        total letters written: A B D R T V W a b d r t\n          total letters found: A B D R T V W a b d r t\n```\n\nExample filtering some symbols:\n```\n./linsymtobch.py nm_output.txt output_bochs_syms.txt T V d \n```\n\n## 2- Load syms file on Bochs debugger\n\nLoad generated file on Bochs debugger with \"ldsym global\", example:\n```\nldsym global \"C:\\Users\\leno\\Desktop\\bochs_linux_kernel_debugging\\output_bochs_syms.txt\"\n```\n\nDone! 
check that the symbols work by executing some commands in the Bochs debugger:\n* info idt\n* u /10\n* ...\n\n![linux_idt_disas_syscall](img/linux_idt_disas_syscall.png)\n\n## How to use Bochs symbol file on IDA PRO Local Bochs Debugger\n\nEdit \"C:\\Program Files\\IDA Pro 7.7\\cfg\\dbg_bochs.cfg\"\n\n```\nBOCHSDBG = \"C:\\\\Users\\\\leno\\\\Desktop\\\\Bochs-pruebas\\\\bochs\\\\bochs.exe\";\nBOCHSRC = \"C:\\\\Users\\\\leno\\\\Desktop\\\\Bochs-pruebas\\\\bochs\\\\.bochsrc\";\n```\n\nThen, in IDA:\n\nDebugger -\u003e Run -\u003e Local Bochs Debugger\n\nApplication:\n\n```\nC:\\Users\\leno\\Desktop\\Bochs-pruebas\\bochs\\.bochsrc\n```\n\nClick Debug Options -\u003e Set specific options -\u003e Select Disk image\n\nDownload ida_load_names.py from this repo:\n\nhttps://github.com/therealdreg/symseghelper\n\nOpen IDA PRO, start a Bochs debug session and go to File -\u003e Script File\n\nSelect ida_load_names.py; the script asks you for the generated Bochs symbol file.\n\nDone!\n\nAfter that you can also load symbols in the native Bochs debugger (which runs inside IDA PRO): select Bochs in the IDA command line and execute \"ldsym global\".\n\nIDA PRO with Bochs symbols (ida_load_names.py) + Bochs native debugger with symbols (ldsym global), the best of both worlds:\n\n![bochs_ida_pro_linux_kernel_debug_and_native](img/bochs_ida_pro_linux_kernel_debug_and_native.png)\n\n\n**WARNING: your own Bochs Instrumentation can cause problems on IDA PRO Local Bochs**\n\n# Related\n\nHelper scripts for Windows debugging with symbols for Bochs and IDA Pro (PDB files). Very handy for user mode \u003c--\u003e kernel mode:\n- https://github.com/therealdreg/symseghelper\n\nHelper script for Linux kernel debugging with IDA Pro on VMware + GDB stub (including some symbols helpers):\n- https://github.com/therealdreg/linux_kernel_debug_disassemble_ida_vmware\n\nDump PDB Symbols including support for Bochs Debugging Format (with wine support):\n- https://github.com/therealdreg/pdbdump_bochs\n\nHelper script for Windows kernel debugging with IDA Pro on native Bochs debugger:\n- https://github.com/therealdreg/ida_bochs_windows\n","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fbochs_linux_kernel_debugging","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fbochs_linux_kernel_debugging","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fbochs_linux_kernel_debugging/lists"}