# Remote WinDbg

The WinDBG support in r2 lets you attach to a VM running Windows through a named socket file (more I/O backends will be supported in the future) and debug the Windows box using the KD interface over a serial port.

Bear in mind that WinDBG support is still work-in-progress, and this is just an initial implementation which will get better in time.

It is also possible to use the remote GDB interface to connect and debug Windows kernels without depending on Windows capabilities.

Enable WinDBG support on Windows Vista and higher like this:

```
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
```

Starting from Windows 8 there is no way to enforce debugging for every boot, but it is possible to always show the advanced boot options, which lets you enable kernel debugging:

```
bcdedit /set {globalsettings} advancedoptions true
```

Or like this for Windows XP: open `boot.ini` and add `/debug /debugport=COM1 /baudrate=115200`:

```
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Debugging with Cable" /fastdetect /debug /debugport=COM1 /baudrate=57600
```

For VMware, configure the virtual machine like this:

```
    Virtual Machine Settings -> Add -> Serial Port
    Device Status:
    [v] Connect at power on
    Connection:
    [v] Use socket (named pipe)
    [_/tmp/windbg.pipe________]
    From: Server To: Virtual Machine
```

Configure the VirtualBox Machine like this:

```
    Preferences -> Serial Ports -> Port 1

    [v] Enable Serial Port
    Port Number: [_COM1_______[v]]
    Port Mode:   [_Host_Pipe__[v]]
                 [v] Create Pipe
    Port/File Path: [_/tmp/windbg.pipe____]
```

Or just spawn the VM with qemu like this:

```
$ qemu-system-x86_64 -chardev socket,id=serial0,\
     path=/tmp/windbg.pipe,nowait,server \
     -serial chardev:serial0 -hda Windows7-VM.vdi
```

Radare2 uses the 'windbg' io plugin to connect to the socket file created by VirtualBox or QEMU. We also need to select the 'windbg' debugger plugin and specify the architecture, x86-32 here (both 32-bit and 64-bit debugging are supported).

```
$ r2 -a x86 -b 32 -D windbg windbg:///tmp/windbg.pipe
```
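A host-side preflight for the socket setup above, as an added example that is not part of the radare2 documentation: anyone who can connect to the socket is talking KD to the guest kernel, so it rejects a pipe that is missing, is not a UNIX socket, or is writable by other local users (as the shared `/tmp` location is), and then prints the r2 command line from this page. The function names are hypothetical, and the permission checks assume Linux semantics, where connecting to a UNIX socket requires write permission on the socket file.

```shell
#!/bin/sh
# Added example, not from the radare2 docs. Function names are hypothetical.

# Succeeds when the group-write or other-write bit is set on the given path.
writable_by_others() {
    mode=$(ls -ld -- "$1" | cut -c1-10)   # e.g. drwxrwxrwt for /tmp
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the host end of the VM serial port before attaching to it.
check_kd_pipe() {
    pipe=$1
    if [ ! -S "$pipe" ]; then
        echo "$pipe: not a UNIX socket (is the VM running?)" >&2
        return 1
    fi
    if writable_by_others "$(dirname -- "$pipe")"; then
        echo "$pipe: parent directory is writable by other users" >&2
        return 2
    fi
    if writable_by_others "$pipe"; then
        echo "$pipe: socket is writable by other users" >&2
        return 3
    fi
}

# Print the r2 invocation used on this page for a socket path and bitness.
r2_kd_cmdline() {
    bits=${2:-32}
    case $bits in
        32|64) ;;
        *) echo "bits must be 32 or 64" >&2; return 64 ;;
    esac
    printf 'r2 -a x86 -b %s -D windbg windbg://%s\n' "$bits" "$1"
}

# Usage: sh kd-preflight.sh /path/to/windbg.pipe [32|64]
if [ "$#" -gt 0 ]; then
    check_kd_pipe "$1" && r2_kd_cmdline "$1" "${2:-32}"
fi
```

Pointing the VM's serial port at a socket inside a directory created with mode 0700 passes these checks; the `/tmp/windbg.pipe` path fails the parent-directory check on a typical system.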

On Windows you should run the following line:

```
$ radare2 -D windbg windbg://\\.\pipe\com_1
```

At this point, we will get stuck here:

```
[0x828997b8]> pd 20
    ;-- eip:
    0x828997b8    cc           int3
    0x828997b9    c20400       ret 4
    0x828997bc    cc           int3
    0x828997bd    90           nop
    0x828997be    c3           ret
    0x828997bf    90           nop
```

In order to skip that trap we will need to change eip and run 'dc' twice:

```
dr eip=eip+1
dc
dr eip=eip+1
dc
```

Now the Windows VM will be interactive again. We will need to kill r2 and attach again to regain control of the kernel.

In addition, the `dp` command can be used to list all processes, and `dpa` or `dp=` to attach to a process. This will display the base address of the process in the physical memory layout.
