Helper script for Windows kernel debugging with IDA Pro on VMware + GDB stub
https://github.com/therealdreg/ida_vmware_windows_gdb
GNU General Public License v3.0
By Oleksiuk Dmytro (aka Cr4sh)
Twitter @d_olex
http://blog.cr4.sh
cr4sh0@gmail.com
https://github.com/Cr4sh
Mod by David Reguera Garcia aka Dreg
Twitter @therealdreg
https://www.fr33project.org
dreg@fr33project.org
https://github.com/therealdreg
2022/07/31 by Dreg
- project renamed to ida_vmware_windows_gdb.py
- ported to python3
- ported to idapython 7.4: https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
- fixed bug in get_unistr with len
- idc.eval_idc('SendGDBMonitor
- added ida_kernwin.open_segments_window(0) and ida_kernwin.open_names_window(0)
- code style fixed using black
- added changelog
- added some prints
- black list, white list mode
- set all segments with +rwx
- lincense GNU General Public License v3.0
- comestic changes (new header...)
- added hal.dll to PDB_MODULES list
- ported to new pdb: netnode using $ pdb + altset 0 + supset 0
- import new ida modules for inteli
- tested:
- hosts: windows 10.0.19044 Build 19044
- ida pro 7.7, idapython 7.4
- targets: windows xp sp3 x86
- vmware workstation 16
Features:
- Enumerating loaded kernel modules and segments creation for them.
- Loading debug symbols for kernel modules.
Based on original vmware_modules.py from Hex Blog article: http://www.hexblog.com/?p=94
Changes:
- Changed nt!PsLoadedModuleList finding algo, 'cause using FS segment base
for this -- is bad idea (FS not always points to the _KPCR). - Added complete support of Windows x64.
- Fixed bugs in .PDB loading for mdules with the 'non-canonical' image path.
for inteli: set ENV VAR PYTHONPATH=C:\Program Files\IDA Pro 7.7\python\3
Contributors
therealdreg