first version

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: [therealdreg]
+patreon: dreg
+custom: ["https://www.paypal.me/therealdreg"]

.gitignore

@@ -0,0 +1,52 @@
+# Prerequisites
+*.d
+
+# Object files
+*.o
+*.ko
+*.obj
+*.elf
+
+# Linker output
+*.ilk
+*.map
+*.exp
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Libraries
+*.lib
+*.a
+*.la
+*.lo
+
+# Shared objects (inc. Windows DLLs)
+*.dll
+*.so
+*.so.*
+*.dylib
+
+# Executables
+*.exe
+*.out
+*.app
+*.i*86
+*.x86_64
+*.hex
+
+# Debug files
+*.dSYM/
+*.su
+*.idb
+*.pdb
+
+# Kernel Module Compile Results
+*.mod*
+*.cmd
+.tmp_versions/
+modules.order
+Module.symvers
+Mkfile.old
+dkms.conf

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 David Reguera Garcia aka Dreg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,192 @@
+# linux kernel debug and disassemble with ida and vmware
+
+Helper script for Linux kernel debugging with IDA Pro on VMware + GDB stub (including some symbols helpers)
+
+![symsida](img/symsida.png)
+
+Examples, tools & POCs:
+* **Disassemble** stripped-kernel + resolving symbols from: system.map **or** nm output **or** /proc/kallsyms output
+* **Debug** stripped-kernel + resolving symbols from /proc/kallsyms output
+* **Debug** stripped-kernel + resolving symbols from own pattern-finder-ring0-LKM, example: lkmsym/lkmsym.c
+
+**linux_kernel_symloader.py**: For python3 + idapython 7.4. It make symbols in IDA from system.map **or** nm output **or** /proc/kallsyms output **or** pattern-finder-ring0-LKM example. It also creates **MANUAL MEMORY REGIONS** for you (then you can JUMP TO E/RIP without problems).
+
+**WARNING**: the ugliest code in the world, I have developed this just for my own needs, you can improve the project via PR.
+
+# Youtube video with example of usage:
+
+https://www.youtube.com/watch?v=l9wKi9_3KrI
+
+# Tools
+
+* **dump_kallsyms.sh**: show & dump symbols from /proc/kallsyms to dump_kallsyms file (in current dir)
+* **vmlinuxsystemap.sh**: copy current kernel vmlinuz & system.map to current directory from /boot. It also extracts to current directory the ELF (vmlinux) from vmlinuz file.
+* **lkmsym/dumpsyms.sh**: load pattern-finder-ring0-LKM and dump kernel symbols to symbols file (in current dir)
+* **lkmsym/compiletry.sh**: compile pattern-finder-ring0-LKM and executes lkmsym/dumpsyms.sh
+
+# Deps
+
+```
+root@debian# apt-get install build-essential
+```
+
+# Debian kernel with debug info
+
+```
+root@debian# apt-get install linux-image-$(uname -r)-dbg
+
+dreg@debian# file /usr/lib/debug/boot/vmlinux-$(uname -r)
+```
+/usr/lib/debug/boot/vmlinux-4.19.0-10-amd64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=b28d236fad2fb7d0eb9bbe6eac766fb04406da3f, **with debug_info, not stripped**
+
+```
+dreg@debian# nm /usr/lib/debug/boot/vmlinux-$(uname -r) | tail
+ffffffff8207d7c0 d zswap_same_filled_pages_enabled
+ffffffff8262b54c b zswap_stored_pages
+ffffffff8262b420 b zswap_trees
+ffffffff81225df0 t zswap_update_total_size
+ffffffff81226a50 t zswap_writeback_entry
+ffffffff8262b538 b zswap_written_back_pages
+ffffffff81c41fb8 r zswap_zpool_ops
+ffffffff8207d7e0 d zswap_zpool_param_ops
+```
+
+# Debian linux headers & kernel sources
+
+```
+root@debian# apt-get install linux-headers-$(uname -r)
+
+root@debian# apt-get install linux-source
+
+dreg@debian# ls /usr/src/
+linux-config-4.19              linux-headers-4.19.0-10-common  linux-patch-4.19-rt.patch.xz  
+linux-headers-4.19.0-10-amd64  linux-kbuild-4.19               linux-source-4.19.tar.xz
+
+dreg@debian# cd /usr/src/ && tar -xf linux-source-4.19.tar.xz && ls linux-source-4.19/
+arch   certs    CREDITS  Documentation  firmware  include  ipc     Kconfig  lib       MAINTAINERS  mm   README   scripts   sound  usr
+block  COPYING  crypto   drivers        fs        init     Kbuild  kernel   LICENSES  Makefile     net  samples  security  tools  virt
+```
+
+# New entries in .vmx 
+
+**WARNING: use only debugOnStartGuest if you want start debugging immediately on BIOS load**
+
+## for x64 .vmx
+
+debugStub.hideBreakpoints= "TRUE"
+
+debugStub.listen.guest64 = "TRUE"
+
+monitor.debugOnStartGuest64 = "TRUE"
+
+debugStub.port.guest64 = "8864"
+
+
+## for x32 .vmx
+
+debugStub.hideBreakpoints= "TRUE"
+
+debugStub.listen.guest32 = "TRUE"
+
+monitor.debugOnStartGuest32 = "TRUE"
+
+debugStub.port.guest32 = "8832"
+
+# Example of use
+
+1. Open IDA PRO, start a debug session (go to Debugger -> Attach -> Remote GDB debugger)
+2. File -> Script File -> linux_kernel_symloader.py
+
+This script ask you for symbol file
+
+# Other info
+
+How to Disable KASLR from boot? add **nokaslr** to GRUB_CMDLINE_LINUX_DEFAULT:
+```
+dreg@debian# cat /etc/default/grub
+# If you change this file, run 'update-grub' afterwards to update
+# /boot/grub/grub.cfg.
+# For full documentation of the options in this file, see:
+#   info -f grub -n 'Simple configuration'
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nokaslr"
+GRUB_CMDLINE_LINUX=""
+```
+
+Execute update-grub
+```
+root@debian# update-grub
+```
+
+# Tested
+
+* Hosts: 
+    - Windows 10 10.0.19041 Build 19041
+    - Windows 10 10.0.19041 Build 19041
+    - Windows 10 10.0.19044 Build 19044
+* Guests: 
+    - Debian 10 4.19.0-10-amd64
+    - Debian 11 5.10.0-16-amd64
+* VMware Workstation:
+    - 16 Pro 10.0.19041 Build 19041
+    - 16 Pro 16.0.0 build-16894299
+    - 16 Pro 16.2.3 build-19376536
+    - 16 Pro 16.2.4 build-20089737
+* IDA Pro x64 Windows:
+    - 7.5.200519
+    - 7.5.200728 
+    - 7.7.220218
+
+# Some possible problems
+
+How to solve Crash after resuming execution from gdb stub and/or crash after breakpoint:
+
+```
+The crash is in ulm.c
+
+Without more details, part of it means that I'm guessing here, but there's a very high probability that it stands for "User Level Monitor" as it does elsewhere whenever VMware mentions "ulm".
+
+As such that means your VM is running on a host with Hyper-V mode enabled.
+
+That codepath is pretty new and is most likely why you are getting this issue.
+The most likely workaround would be to disable Hyper-V mode at the host level.
+This might not be an option for you though.
+
+If it is then the steps to disable the Hyper-V role is to run the following command at the host in windows command-line with Administrator privileges:
+
+bcdedit /set hypervisorlaunchtype off
+Reboot the system to activate it.
+
+If you want to go back to Hyper-V mode again, then you can enable it like this:
+
+bcdedit /set hypervisorlaunchtype auto
+ 
+
+hope this helps,
+```
+
+- https://communities.vmware.com/t5/VMware-Workstation-Pro/Crash-after-resuming-execution-from-gdb-stub/td-p/2824667
+
+# Related
+
+Helper script for Windows kernel debugging with IDA Pro on VMware + GDB stub (including PDB symbols):
+- https://github.com/therealdreg/ida_vmware_windows_gdb
+
+Helper script for Windows kernel debugging with IDA Pro on native Bochs debugger:
+- https://github.com/therealdreg/ida_bochs_windows
+
+# References
+
+https://www.hex-rays.com/wp-content/uploads/2019/12/debugging_gdb_linux_vmware.pdf
+
+https://blog.packagecloud.io/eng/2016/03/08/how-to-extract-and-disassmble-a-linux-kernel-image-vmlinuz/
+
+https://www.triplefault.io/2017/07/setup-vmm-debugging-using-vmwares-gdb_9.html
+
+https://stackoverflow.com/questions/37978245/how-to-dump-list-all-kernel-symbols-with-addresses-from-linux-kernel-module
+
+https://github.com/marin-m/vmlinux-to-elf
+

VERSION.txt

@@ -0,0 +1 @@
+v1

dump_kallsyms.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -x 
+cat /proc/kallsyms > dump_kallsyms
+head dump_kallsyms
+tail dump_kallsyms

extract-vmlinux.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# SPDX-License-Identifier: GPL-2.0-only
+# ----------------------------------------------------------------------
+# extract-vmlinux - Extract uncompressed vmlinux from a kernel image
+#
+# Inspired from extract-ikconfig
+# (c) 2009,2010 Dick Streefland <[email protected]>
+#
+# (c) 2011      Corentin Chary <[email protected]>
+#
+# ----------------------------------------------------------------------
+
+check_vmlinux()
+{
+	# Use readelf to check if it's a valid ELF
+	# TODO: find a better to way to check that it's really vmlinux
+	#       and not just an elf
+	readelf -h $1 > /dev/null 2>&1 || return 1
+
+	cat $1
+	exit 0
+}
+
+try_decompress()
+{
+	# The obscure use of the "tr" filter is to work around older versions of
+	# "grep" that report the byte offset of the line instead of the pattern.
+
+	# Try to find the header ($1) and decompress from here
+	for	pos in `tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"`
+	do
+		pos=${pos%%:*}
+		tail -c+$pos "$img" | $3 > $tmp 2> /dev/null
+		check_vmlinux $tmp
+	done
+}
+
+# Check invocation:
+me=${0##*/}
+img=$1
+if	[ $# -ne 1 -o ! -s "$img" ]
+then
+	echo "Usage: $me <kernel-image>" >&2
+	exit 2
+fi
+
+# Prepare temp files:
+tmp=$(mktemp /tmp/vmlinux-XXX)
+trap "rm -f $tmp" 0
+
+# That didn't work, so retry after decompression.
+try_decompress '\037\213\010' xy    gunzip
+try_decompress '\3757zXZ\000' abcde unxz
+try_decompress 'BZh'          xy    bunzip2
+try_decompress '\135\0\0\0'   xxx   unlzma
+try_decompress '\211\114\132' xy    'lzop -d'
+try_decompress '\002!L\030'   xxx   'lz4 -d'
+try_decompress '(\265/\375'   xxx   unzstd
+
+# Finally check for uncompressed images or objects:
+check_vmlinux $img
+
+# Bail out:
+echo "$me: Cannot find vmlinux." >&2