gdb.io.open: Cannot connect to host

[Alibm73-zz]

Hi @Wenzel
I tried to connect to the gdbserver but it doesn't work.
even my firewalls are off and still it's not connecting.

aliadmin@alixen:~$ sudo xl list
Name                                        ID   Mem VCPUs	State	Time(s)
Domain-0                                     0  4095     4     r-----    3250.4
windows10                                  220  3000     1     -b----     296.4

I don't know if it makes any difference but I'm connecting to my quest vm with vncviewer:

aliadmin@alixen:~/iso$ gvncviewer 192.168.1.9::5900
Connected to server
Remote desktop size changed to 1024x768
Connection initialized

note: instead of gvncviewer 192.168.1.9::5900 I can use gvncviewer localhost too
At last this is my vm config, I changed the number of vcpu and max cpus to 1 as it was in the limitation section:

arch = 'x86_64'
name = "windows10"
maxmem = 3000
memory = 3000
vcpus = 1
maxcpus = 1
builder = "hvm"
boot = "cd"
hap = 1
acpi = 1
on_poweroff = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
vnc=1
vnclisten="0.0.0.0"
usb = 1
usbdevice = "tablet"
shadow_memory = 16
audio=1
soundhw='hda'
vif = [ 'type=ioemu,model=e1000,bridge=xenbr0,mac=00:06:5B:BA:7C:02' ]
disk = [ 'phy:/dev/vg/windows10,hda,w', 'file:/home/aliadmin/iso/Windows10.iso,hdc:cdrom,r' ]

And this is the Error:

[Wenzel]

hi @Alibm73 ,

the vmidbg server is listening by default on localhost: 127.0.0.1.
The whole point of debugging from the hypervisor is that you don't need in guest vm tools for debugging.

so you don't need the guest IP address, or for the guest to have a network card at all.

You want to connnect radare2 to 127.0.0.1:5000, that's where the server will be listening, on you Xen host, to talk with Xen APIs, to query the VM's hardware state.

so r2 -d gdb://127.0.0.1:5000 -b 64.

Also, remember to run vmidbg as root, because talking to Xen's VMI interface requires high privileges.

[Alibm73-zz]

@Wenzel
I tried to connect to the gdbserver as instructed, but it still doesn't connect
i get this error:

(venv) root@alixen:/home/aliadmin/iso/new/Wenzel/pyvmidbg# vmidbg 5000 windows10 mspaint -d
INFO:server:listening on 127.0.0.1:5000
DEBUG:server:ready for next client
INFO:server:new client ('127.0.0.1', 43406)
ERROR:root:Exception while initializing debug context
Traceback (most recent call last):
  File "/home/aliadmin/iso/new/Wenzel/pyvmidbg/venv/lib/python3.6/site-packages/vmidbg/libvmistub.py", line 74, in __enter__
    self.ctx = WindowsDebugContext(self.vmi, self.process)
  File "/home/aliadmin/iso/new/Wenzel/pyvmidbg/venv/lib/python3.6/site-packages/vmidbg/windowsdebugcontext.py", line 131, in __init__
    ps_head_rva = profile['$CONSTANTS']['PsActiveProcessHead']
KeyError: '$CONSTANTS'
INFO:GDBStub:connected
ERROR:root:Exception while detaching from debug context
Traceback (most recent call last):
  File "/home/aliadmin/iso/new/Wenzel/pyvmidbg/venv/lib/python3.6/site-packages/vmidbg/libvmistub.py", line 87, in __exit__
    self.ctx.detach()
AttributeError: 'LibVMIStub' object has no attribute 'ctx'
DEBUG:server:ready for next client

[Wenzel]

How come you have no $CONSTANTS in your rekall profile ?

Maybe because you are using a Volatility JSON profile, and i'm assuming a data structure that is only present in Rekall JSON profiles ? 🤔

Can you paste the profile in a Gist please ?
How did you generated it ?

[Alibm73-zz]

@Wenzel I didn't know it doesn't work with volatility, My first profile was made with volatility and then converted to JSON profile.
After your response, I installed the latest version of rekall (1.7.2rc1), made a profile and vola, it worked

P.S: I know I'm very new to this, but if you don't mind I love to help you with implementing the int3 into memory and other stuff, because it would be a really great experience for me.
Thank you for your help again

[Wenzel]

I'm glad to see that pyvmidbg works for you, congrats !

I know I'm very new to this, but if you don't mind I love to help you with implementing the int3 into memory and other stuff

The software breakpoints are already implemented in pyvmidbg at this point.
I'm not sure I understand what int3 implementation you are talking about ? 🤔

[Alibm73-zz]

@Wenzel yea, that was a mistake from my part. what i really meant was i would like to help you (specially learn from you) on future developments, IF that is ok with you. I really don't know how can I really help you 😄 but i would definitely try 💪
thanks
oh by the way on this step:

[0x7ffc81d31144]> oba 0xfffff8005221a000 /home/aliadmin/iso/windows10v1703.rekall.json
[0x7ffc81d31144]> fs
0   18 . regs
1    0 * symbols
[0x7ffc81d31144]> fs

there are no symbols, I should create pdb for ntoskrnl.exe, right?? currently My rekall profile is for ntkr nlmp.pdb
should I even use a json format or not?!

[Wenzel]

yea, that was a mistake from my part. what i really meant was i would like to help you (specially learn from you) on future developments, IF that is ok with you. I really don't know how can I really help you 😄 but i would definitely try 💪

would be glad to have some help building the future of pyvmidbg !
welcome aboard.

[0x7ffc81d31144]> oba 0xfffff8005221a000 /home/aliadmin/iso/windows10v1703.rekall.json

oba loads a binary, not rekall symbols.
if you watch my presentation, I'm loading the ntoskrnl at a certain address, and radare2 will parse the PE to look for exported symbols.
But it's not loading PDBs.
That's something we might need also.