# linux kernel debug and disassemble with ida and vmware

Repository: https://github.com/therealdreg/linux_kernel_debug_disassemble_ida_vmware (Python, MIT license, homepage https://rootkit.es/)

Helper script for Linux kernel disassembly or debugging with IDA Pro on VMware + GDB stub (including some symbol helpers)

![symsida](img/symsida.png)

Examples, tools & POCs:
* **Disassemble** a stripped kernel, resolving symbols from: system.map **or** nm output **or** /proc/kallsyms output
* **Debug** a stripped kernel, resolving symbols from /proc/kallsyms output
* **Debug** a stripped kernel, resolving symbols from the project's own pattern-finder-ring0-LKM, example: lkmsym/lkmsym.c

**linux_kernel_symloader.py**: For Python 3 + IDAPython 7.4. It creates symbols in IDA from system.map **or** nm output **or** /proc/kallsyms output **or** the output of the pattern-finder-ring0-LKM example. It also creates **MANUAL MEMORY REGIONS** for you (so you can JUMP TO E/RIP without problems).

**WARNING**: the ugliest code in the world; I have developed this just for my own needs, you can improve the project via PR.

# YouTube video with an example of usage:

https://www.youtube.com/watch?v=l9wKi9_3KrI

# Tools

* **dump_kallsyms.sh**: shows & dumps symbols from /proc/kallsyms to the dump_kallsyms file (in the current dir)
* **vmlinuxsystemap.sh**: copies the current kernel's vmlinuz & system.map from /boot to the current directory. It also extracts the ELF (vmlinux) from the vmlinuz file into the current directory.
* **lkmsym/dumpsyms.sh**: loads the pattern-finder-ring0-LKM and dumps kernel symbols to the symbols file (in the current dir)
* **lkmsym/compiletry.sh**: compiles the pattern-finder-ring0-LKM and executes lkmsym/dumpsyms.sh

# Deps

```
root@debian# apt-get install build-essential
```

# Debian kernel with debug info

```
root@debian# apt-get install linux-image-$(uname -r)-dbg

dreg@debian# file /usr/lib/debug/boot/vmlinux-$(uname -r)
```
/usr/lib/debug/boot/vmlinux-4.19.0-10-amd64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=b28d236fad2fb7d0eb9bbe6eac766fb04406da3f, **with debug_info, not stripped**

```
dreg@debian# nm /usr/lib/debug/boot/vmlinux-$(uname -r) | tail
ffffffff8207d7c0 d zswap_same_filled_pages_enabled
ffffffff8262b54c b zswap_stored_pages
ffffffff8262b420 b zswap_trees
ffffffff81225df0 t zswap_update_total_size
ffffffff81226a50 t zswap_writeback_entry
ffffffff8262b538 b zswap_written_back_pages
ffffffff81c41fb8 r zswap_zpool_ops
ffffffff8207d7e0 d zswap_zpool_param_ops
```

# Debian linux headers & kernel sources

```
root@debian# apt-get install linux-headers-$(uname -r)

root@debian# apt-get install linux-source

dreg@debian# ls /usr/src/
linux-config-4.19              linux-headers-4.19.0-10-common  linux-patch-4.19-rt.patch.xz  
linux-headers-4.19.0-10-amd64  linux-kbuild-4.19               linux-source-4.19.tar.xz

dreg@debian# cd /usr/src/ && tar -xf linux-source-4.19.tar.xz && ls linux-source-4.19/
arch   certs    CREDITS  Documentation  firmware  include  ipc     Kconfig  lib       MAINTAINERS  mm   README   scripts   sound  usr
block  COPYING  crypto   drivers        fs        init     Kbuild  kernel   LICENSES  Makefile     net  samples  security  tools  virt
```

# New entries in .vmx

**WARNING: use debugOnStartGuest only if you want to start debugging immediately at BIOS load**

## for x64 .vmx

```
debugStub.hideBreakpoints = "TRUE"
debugStub.listen.guest64 = "TRUE"
monitor.debugOnStartGuest64 = "TRUE"
debugStub.port.guest64 = "8864"
```

## for x32 .vmx

```
debugStub.hideBreakpoints = "TRUE"
debugStub.listen.guest32 = "TRUE"
monitor.debugOnStartGuest32 = "TRUE"
debugStub.port.guest32 = "8832"
```

# Example of use

1. Open IDA PRO, start a debug session (go to Debugger -> Attach -> Remote GDB debugger)
2. File -> Script File -> linux_kernel_symloader.py

This script asks you for the symbol file.

# Other info

How to disable KASLR at boot: add **nokaslr** to GRUB_CMDLINE_LINUX_DEFAULT:
```
dreg@debian# cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nokaslr"
GRUB_CMDLINE_LINUX=""
```

Execute update-grub:
```
root@debian# update-grub
```

# Tested

* Hosts:
    - Windows 10 10.0.19041 Build 19041
    - Windows 10 10.0.19044 Build 19044
* Guests:
    - Debian 10 4.19.0-10-amd64
    - Debian 11 5.10.0-16-amd64
* VMware Workstation:
    - 16 Pro 10.0.19041 Build 19041
    - 16 Pro 16.0.0 build-16894299
    - 16 Pro 16.2.3 build-19376536
    - 16 Pro 16.2.4 build-20089737
* IDA Pro x64 Windows:
    - 7.5.200519
    - 7.5.200728
    - 7.7.220218

# Some possible problems

How to solve a crash after resuming execution from the GDB stub and/or a crash after a breakpoint:

```
The crash is in ulm.c

Without more details, part of it means that I'm guessing here, but there's a very high probability that it stands for "User Level Monitor" as it does elsewhere whenever VMware mentions "ulm".

As such that means your VM is running on a host with Hyper-V mode enabled.

That codepath is pretty new and is most likely why you are getting this issue.
The most likely workaround would be to disable Hyper-V mode at the host level.
This might not be an option for you though.

If it is, then the steps to disable the Hyper-V role are to run the following command at the host in the Windows command line with Administrator privileges:

bcdedit /set hypervisorlaunchtype off
Reboot the system to activate it.

If you want to go back to Hyper-V mode again, then you can enable it like this:

bcdedit /set hypervisorlaunchtype auto

hope this helps,
```

- https://communities.vmware.com/t5/VMware-Workstation-Pro/Crash-after-resuming-execution-from-gdb-stub/td-p/2824667

# Related

Helper script for Windows kernel debugging with IDA Pro on VMware + GDB stub (including PDB symbols):
- https://github.com/therealdreg/ida_vmware_windows_gdb

Helper script for Windows kernel debugging with IDA Pro on the native Bochs debugger:
- https://github.com/therealdreg/ida_bochs_windows

Tools for Linux kernel debugging on Bochs (including symbols, native Bochs debugger and IDA PRO):
- https://github.com/therealdreg/bochs_linux_kernel_debugging

# References

https://www.hex-rays.com/wp-content/uploads/2019/12/debugging_gdb_linux_vmware.pdf

https://blog.packagecloud.io/eng/2016/03/08/how-to-extract-and-disassmble-a-linux-kernel-image-vmlinuz/

https://www.triplefault.io/2017/07/setup-vmm-debugging-using-vmwares-gdb_9.html

https://stackoverflow.com/questions/37978245/how-to-dump-list-all-kernel-symbols-with-addresses-from-linux-kernel-module

https://github.com/marin-m/vmlinux-to-elf