The WinDBG support in r2 lets you attach to a virtual machine running Windows through a named pipe / UNIX socket file exposed by the hypervisor (more IO transports are planned) and debug the guest kernel with the KD protocol over a virtual serial port.
Bear in mind that WinDBG support is still work in progress; this is an initial implementation that will improve over time.
It is also possible to use the remote GDB interface to connect to and debug a Windows kernel without relying on Windows' own kernel-debugging facilities.
Enable kernel debugging over the serial port on Windows Vista and later from an elevated command prompt (the settings take effect on the next boot):
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
Starting from Windows 8 there is no way to enforce debugging for every boot, but it is possible to always show the advanced boot options menu, from which kernel debugging can be enabled:
bcdedit /set {globalsettings} advancedoptions true
For Windows XP, open boot.ini and append /debug /debugport=COM1 /baudrate=115200 to the boot entry of the installation you want to debug.
Configure the VMware Machine like this:
Virtual Machine Settings -> Add -> Serial Port
Device Status:
[v] Connect at power on
Connection:
[v] Use socket (named pipe)
[_/tmp/windbg.pipe________]
From: Server To: Virtual Machine
Configure the VirtualBox Machine through its serial-port settings, listed at the end of this section, or spawn the VM directly with qemu, pointing a socket chardev at the same pipe path and attaching it to the guest's first serial port.
Radare2 uses the 'windbg' IO plugin to connect to the socket file created by VirtualBox, VMware or qemu, and the 'windbg' debugger plugin on top of it; the architecture and bitness must be given explicitly (both 32-bit and 64-bit kernels are supported).
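The qemu launch and the r2 attach described above, put together as a small launcher. This is an added example, not a script from the radare2 book or code base: the image name WindowsVM.img, the pipe path /tmp/windbg.pipe and the 32-bit default are assumptions to adjust, and the chardev options use the current `server=on,wait=off` spelling of qemu's older `server,nowait`. The guest is assumed to already have debugging enabled with bcdedit (or boot.ini) as shown earlier.

```shell
#!/bin/sh
# Added example, not part of the radare2 documentation or code base.
# Boots a Windows image under qemu with COM1 exposed as a listening UNIX
# socket, waits for the socket to appear, then attaches r2's windbg
# debugger to it. Image name, pipe path and guest bitness are placeholders.
set -eu

PIPE="${WINDBG_PIPE:-/tmp/windbg.pipe}"   # must match the path r2 connects to
IMAGE="${WINDBG_IMAGE:-WindowsVM.img}"    # assumed disk image name
BITS="${WINDBG_BITS:-32}"                 # 32 or 64: must match the guest kernel

# Accept only the two bit widths the windbg plugin debugs.
check_bits() {
    case "$1" in
        32|64) return 0 ;;
        *)     return 1 ;;
    esac
}

# qemu command line: the chardev listens on $PIPE ('server=on') without
# blocking boot until a client connects ('wait=off'), and is wired to the
# guest's first serial port, which Windows sees as COM1 (debugport:1).
qemu_cmd() {
    printf '%s' "qemu-system-x86_64 -hda $IMAGE" \
        " -chardev socket,id=serial0,path=$PIPE,server=on,wait=off" \
        " -serial chardev:serial0"
}

# r2 command line: the 'windbg' IO plugin opens the socket (windbg://path),
# the 'windbg' debugger plugin (-D) speaks KD over it, and -a/-b set the
# architecture and bitness explicitly.
r2_cmd() {
    printf '%s' "r2 -a x86 -b $BITS -D windbg windbg://$PIPE"
}

# Poll until qemu has created the socket (up to about 30 s).
wait_for_socket() {
    tries=0
    while [ ! -S "$PIPE" ]; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            echo "no socket at $PIPE after 30s" >&2
            return 1
        fi
        sleep 1
    done
}

main() {
    check_bits "$BITS" || { echo "WINDBG_BITS must be 32 or 64" >&2; exit 2; }
    rm -f "$PIPE"            # remove a stale socket from a previous run
    eval "$(qemu_cmd)" &     # boot the guest in the background
    wait_for_socket
    eval "$(r2_cmd)"         # interactive r2 session on the KD link
}

# Only launch when invoked with 'run'; sourcing the file just defines helpers.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh windbg-qemu.sh run`. With VMware or VirtualBox providing the pipe, skip `qemu_cmd` and run only the `r2_cmd` line against the pipe path configured in the VM's serial-port settings; the guest must reach the point where the kernel debugger opens the port before r2 can connect.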
On Windows hosts the pipe is a Windows named pipe (a \\.\pipe\<name> path) rather than a UNIX socket, and the same r2 invocation is pointed at that path.
At this point the session is stuck at the initial debugger break in the kernel. To get past that trap, move eip past the breaking instruction (with the 'dr' command) and then run 'dc' twice.
Now the Windows VM is interactive again. To regain control of the kernel, kill r2 and attach once more.
In addition, the dp command lists all processes, and dpa or dp= attaches to one of them; attaching displays the base address of the process in the physical memory layout.
Configure the VirtualBox Machine like this:
Preferences -> Serial Ports -> Port 1
[v] Enable Serial Port
Port Number: [_COM1_______[v]]
Port Mode: [_Host_Pipe__[v]]
[v] Create Pipe
Port/File Path: [_/tmp/windbg.pipe____]