Is there anyway to debug a process running on a Virtual Machine (guest) with Radare2 from the host? I'm currently using VirtualBox. It provides a built in debugger. I'm not sure if it's possible for radare2 to integrate with it.
Asked
Active
Viewed 899 times
4
-
I'm not sure what your goal is, do you want to debug the process running inside the VM on your host system? – pudi Nov 05 '18 at 19:31
-
@pudi yes, clarified. – Evan Carroll Nov 05 '18 at 19:38
3 Answers
4
i'm the developer of r2vmi, and found your topic by googling my own project.
I have been working on an improved version by reimplementing a GDB stub:
https://github.com/Wenzel/pyvmidbg
The README contains a demo if you want a quick look.
I'm able to debug a Windows XP VMs, both kernel and userland, given you have the right symbols, with radare2.
I presented the project at Insomni'Hack conference last week, if you want to take a look at the slides: https://drive.google.com/file/d/1ZMUszfwWDOljdDfPOJgkEfSabNy0UAJR/view
Hope this helps !
Wenzel
- 41
- 4
1
Radare is able to connect to gdb remote sessions. So if you use something like qemu for your virtualization you would be able to connect to this. The problem will be to find the desired process inside the whole memory. At first you need to understand how your guest operating system handles processes inside it's kernel and then you need to find the kernel inside this memory region.
There are two interesting projects about this topic: zdbg and r2vmi
defragger
- 536
- 4
- 7
0
Also make sure that to accurately reverse any sort of WindowsVM you make sure you point gdb to the proper .pdb so it can read the symbols for better debugging.
