https://github.com/dmaivel/ntoseye

Windows kernel debugger for Linux hosts running Windows under KVM/QEMU
https://github.com/dmaivel/ntoseye

disassembler gdb introspection kernel-debugger kvm linux memory ntos ntoskrnl pdb physical-memory qemu qemu-kvm rust windbg windows

Last synced: about 1 month ago
JSON representation

Windows kernel debugger for Linux hosts running Windows under KVM/QEMU

• Host: GitHub
• URL: https://github.com/dmaivel/ntoseye
• Owner: dmaivel
• License: mit
• Created: 2024-09-13T03:20:05.000Z (over 1 year ago)
• Default Branch: master
• Last Pushed: 2026-02-01T04:44:11.000Z (about 1 month ago)
• Last Synced: 2026-02-01T15:53:42.631Z (about 1 month ago)
• Topics: disassembler, gdb, introspection, kernel-debugger, kvm, linux, memory, ntos, ntoskrnl, pdb, physical-memory, qemu, qemu-kvm, rust, windbg, windows
• Language: Rust
• Homepage: https://crates.io/crates/ntoseye
• Size: 311 KB
• Stars: 117
• Watchers: 9
• Forks: 16
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          


# ntoseye ![license](https://img.shields.io/badge/license-MIT-blue)

Windows kernel debugger for Linux hosts running Windows under KVM/QEMU. Essentially, WinDbg for Linux.

## Features

- Command line interface

- WinDbg style commands

- Kernel debugging

- PDB fetching & parsing for offsets

- Breakpointing

### Supported Windows

`ntoseye` currently only supports Windows 10 and 11 guests.

### Disclaimer

`ntoseye` needs to download symbols to initialize required offsets, it will only download symbols from Microsoft's official symbol server. All files which will be read/written to will be located in `$XDG_CONFIG_HOME/ntoseye`.

### Preview

![ntos](media/preview.png)

# Getting started

## Install via cargo

```bash

cargo install ntoseye

```

## Building

```bash

git clone https://github.com/dmaivel/ntoseye.git

cd ntoseye

cargo build --release

```

# Usage

It is recommended that you run the following command before running `ntoseye` or a VM:

```bash

echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

```

Note that you may need to run `ntoseye` with `sudo` aswell (last resort, try command above first).

To view command line arguments, run `ntoseye --help`. The debugger is self documented, so pressing tab will display completions and descriptions for commands, symbols, and types.

## VM configuration

`bcdedit /debug on` is not required within the guest.

Many features depend on `gdbstub` being enabled, so its recommended that it is enabled.

#### QEMU

Append `-s -S` to qemu command.

#### virt-manager

Add the following to the XML configuration:

```xml

  ...

  

    

    

  

```

## Credits

Functionality regarding initialization of guest information was written with the help of the following sources:

- [vmread](https://github.com/h33p/vmread)

- [pcileech](https://github.com/ufrisk/pcileech)

- [MemProcFS](https://github.com/ufrisk/MemProcFS)