Kernel Debugging of Win10 Guest

[AsusUser]

I have win 10 as both host and guest OS. I want to run windbg to do kernel mode debugging on the win 10 guest. I am able to configure and establish a debugging session using com port which is rather straightforward but slow.

I know win 10 now supports kernel mode debugging over the network. I tried changing the configuration but failed to establish a debugging session. Just wonder is the kernel mode debugging over a network supported on a VM guest? Or, was it actually limited to 2 real physically network connected machines only?

[mpack]

A VM is just a PC, so anything that is generally true of PCs is true of VMs as well.

In particular, yes, guest applications can communicate over a network. The nature of the guest application doesn't really make much difference. What might make a difference is the virtual network mode: NAT doesn't allow for unsolicited transactions coming from the host. If you wanted to allow that you would use bridged (which also allows internet) or host-only networking (which doesn't). I'm assuming by the by that "ability to use a network" means the ability to use TCP/IP, as opposed to basic Ethernet.

[andyp73]

According to Microsoft's list of supported NICs the default Intel PRO/1000MT is on the list.

Which networking mode have you configured for the adapter in the guest? It might be that NAT won't support it and you need to set the guest to use a bridged adapter.

-Andy.

[AsusUser]

This is exactly what I expect. But I was unable to establish a connection.

Just wondering if I was doing it correctly:
1. vbox 5.1.14 runnning guest win10
- Network is NAT,
- Port Forwarding tcp host port 50000 to guest port 50000
- Port Forwarding udp host port 50000 to guest port 50000

2. win10 host
- firewall opened for both ports.
- windbg listening on port 50000

- with the above settings, does that mean opening the guest's 128.0.0.1:50000 (or the network adapter's ip which was 10.0.2.15:50000) automatically routes the network packets to my host's port 50000? (What i understand is that it is the guest that initiates a connection to the host's windbg since we don't specify any target ip address in the windbg session, so it should be passively waiting for an incoming connection from the guest debuggee win10)

How do i setup a bridge adapter? What should be for the Promiscuous Mode option ? And, the Port Forwarding button is grayed out!

[mpack]

Just wondering if I was doing it correctly:
1. vbox 5.1.14 runnning guest win10
- Network is NAT,

Did you read my post above? I already told you that NAT may not be usable.

[AsusUser]

Some further testing, I found these results:

1. VM set to use NAT and no session established to windbg

2. VM set to use host-only networking while windbg was running in the host. debug connection was successfully established

3 VM set to use bridged adapter, the guest was assigned its own IP address by the DHCP server of my network, but windbg was running in the host, debug connection was successfully established

4. VM set to use bridged adapter just like above, the guest was assigned its own IP address by the DHCP server of my network, and was able to access the internet, windbg was running in another physical machine with another ip address, guest win10 debug session pointed to the IP address of that separate machine (i.e. in my guest win10, w.x.y.z below is set to the IP address of that physical machine), no windbg session was established.

To confirm bad firewall setting was not the problem, I did confirm that a TCP connection can be made from my guest to the same port of that physical machine. Only a windbg session could not be established.

bcdedit /debug on
bcdedit /dbgsettings net hostip:w.x.y.z port:n

Does that mean in bridged or host-only networking, the Windbg must be running in the host machine? That seems counter-intuitive unless i made some mistake in my testing

[mpack]

Does that mean in bridged or host-only networking, the Windbg must be running in the host machine? That seems counter-intuitive unless i made some mistake in my testing

Those are two separate questions. In host-only networking only the host can access the VM, hence the name of that networking mode.

In bridged mode the VM is a peer on whatever network the bridged NIC is connected to, which usually means your own local network - as apparantly in your case. As a peer the VM the indistinguishable from other PCs on the network. If a second PC can't see the VM on that network the there must be some kind of configuration issue, but I've never used WinDBG so I won't attempt to guess what the config problem might be.

[AsusUser]

case 4 in my test above should be working now, probably due to some configuration error.

case 1 in my test above using NAT also working now, just forward the proper port to guest e.g. if windbg on the host is listening to 50002, just forward the guest port to this host port

[mpack]

case 1 in my test above using NAT also working now, just forward the proper port to guest

Well, at least that answers one question I had: if WinDBG works with NAT port forwarding then the base protocol must be TCP/IP, not Ethernet. Without that info I wouldn't propose port forwarding, not when two guaranteed solutions existed.

[michaln]

What you need to read is the section on paravirtualized debugging in the VirtualBox manual: https://www.virtualbox.org/manual/ch09.html#gimdebug

Network debugging may not work the way you think because Windows (guest) configures networked and paravirtualized debugging the same way.