LibVMI-based GDB server, implemented in Python
This GDB stub allows you to debug a remote process running in a VM with your favorite GDB frontend.
By leveraging virtual machine introspection, the stub remains stealth and requires no modification of the guest.
Why debug from the hypervisor?
Operating system debug APIs are problematic:
- they were never designed to deal with malware, and lack the stealth and robustness required when analyzing malicious code
- they have an observer effect, since they implicitly modify the environment of the process being debugged
- this observer effect might be intentional, to protect OS features (Protected Media Path is disabled)
- modern OSes have a high degree of kernel security mechanisms that narrow the debugger's view of the system (Windows 10 Virtual Secure Mode)
- debugging low-level processes and kernel functions that interact directly with the transport protocol used by the debug agent can turn into an infinite recursion hell (e.g. debugging TCP connections while a kernel debug stub communicates via TCP)
- in special cases the "Operating System" lacks debugging capabilities (
Existing solutions like the GDB stubs included in VirtualBox can only pause the VM and debug the kernel, but lack the guest knowledge to track and follow the rest of the processes.
- intercept process at
- read/write memory
- get/set registers
- continue execution
- breakin (
- insert/remove software breakpoint
Python >= 3.4
```shell
virtualenv -p python3 venv
source venv/bin/activate
pip install .
```
Note: If you don't want to install
provides a Vagrant environment based on
KVM, with ready to use
vmidbg <port> <vm> [<process>]
Windows XP nested VM in Xen
pyvmidbg and target a process named
- connects to the stub with
- set breakpoints on
- avoid breakpoints from the rest of the system, only hit if
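The mechanics behind the feature list above (read/write memory, get/set registers, insert/remove software breakpoint) and the demo's "only hit for the target process" behaviour, as an added Python example. This is not pyvmidbg's own code: `FakeGuest`, `Stub`, `INT3` and the assumption that a process is identified by its CR3 (page-table base) are constructed for illustration and stand in for the LibVMI calls a real stub would make. The packet framing (`$payload#xx`, checksum = sum of payload bytes mod 256) follows the GDB RSP specification cited in the references.

```python
# Added illustration, not pyvmidbg's code: a minimal GDB RSP packet layer plus a
# command handler over a constructed in-memory "guest".
import struct

INT3 = b"\xcc"  # x86 software breakpoint opcode


def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload) % 256


def rsp_encode(payload: bytes) -> bytes:
    """Frame a payload as $<payload>#<checksum as two hex digits>."""
    return b"$" + payload + b"#%02x" % rsp_checksum(payload)


def rsp_decode(packet: bytes) -> bytes:
    """Strip the framing and verify the checksum; raise on malformed input."""
    if len(packet) < 4 or packet[:1] != b"$" or packet[-3:-2] != b"#":
        raise ValueError("malformed RSP packet")
    payload = packet[1:-3]
    if rsp_checksum(payload) != int(packet[-2:], 16):
        raise ValueError("bad RSP checksum")
    return payload


class FakeGuest:
    """Constructed stand-in for a VM seen through LibVMI: flat memory, 16 GPRs, a CR3."""

    def __init__(self, size=0x100):
        self.mem = bytearray(range(size))  # constructed: byte i holds the value i
        self.regs = [0] * 16               # rax..r15, in x86-64 'g' packet order
        self.cr3 = 0


class Stub:
    """Handles a subset of RSP commands for one target process, identified by its CR3."""

    def __init__(self, guest, target_cr3):
        self.guest = guest
        self.target_cr3 = target_cr3  # assumption: process identity == page-table base
        self.breakpoints = {}         # addr -> original byte we overwrote with INT3

    def read_mem(self, addr, length):
        data = bytearray(self.guest.mem[addr:addr + length])
        # Report the original bytes, not our int3, so the debugger sees clean code.
        for bp_addr, orig in self.breakpoints.items():
            if addr <= bp_addr < addr + length:
                data[bp_addr - addr] = orig
        return bytes(data)

    def on_breakpoint(self, rip):
        """Called when the VM traps an int3 at rip.

        Returns 'stop' (report a stop to GDB) or 'ignore' (the trap is not ours,
        or another process ran into our breakpoint; a real stub would restore the
        byte, step past it, re-arm and resume without telling GDB)."""
        if rip not in self.breakpoints or self.guest.cr3 != self.target_cr3:
            return "ignore"
        return "stop"

    def handle(self, packet):
        cmd = rsp_decode(packet)
        kind, args = cmd[:1], cmd[1:]
        if kind == b"m":                                   # m<addr>,<len>
            addr, length = (int(x, 16) for x in args.split(b","))
            return rsp_encode(self.read_mem(addr, length).hex().encode())
        if kind == b"M":                                   # M<addr>,<len>:<hex>
            loc, hexdata = args.split(b":")
            addr, length = (int(x, 16) for x in loc.split(b","))
            self.guest.mem[addr:addr + length] = bytes.fromhex(hexdata.decode())
            return rsp_encode(b"OK")
        if kind == b"g":                                   # all registers, little-endian
            raw = b"".join(struct.pack("<Q", r) for r in self.guest.regs)
            return rsp_encode(raw.hex().encode())
        if kind in (b"Z", b"z") and args[:1] == b"0":      # Z0/z0,<addr>,<kind>
            addr = int(args.split(b",")[1], 16)
            if kind == b"Z" and addr not in self.breakpoints:
                self.breakpoints[addr] = self.guest.mem[addr]
                self.guest.mem[addr:addr + 1] = INT3
            elif kind == b"z" and addr in self.breakpoints:
                self.guest.mem[addr] = self.breakpoints.pop(addr)
            return rsp_encode(b"OK")
        return rsp_encode(b"")                             # unsupported: empty reply
```

The CR3 check in `on_breakpoint` is the part that matters for a system-wide stub: an int3 written into shared code is hit by every process that executes it, so the stub has to decide per trap whether the current address space belongs to the debugged process before reporting anything to the frontend.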
- vmidbg: original idea and C implementation
- plutonium-dbg: GDB server protocol parsing
- ollydbg2-python: GDB server protocol parsing
- GDB RSP protocol specifications
Small note: If editing the Readme, please conform to the standard-readme specification.