gdb.io.open: Cannot connect to host about pyvmidbg HOT 7 OPEN

@Wenzel I didn't know it doesn't work with volatility, My first profile was made with volatility and then converted to JSON profile.
After your response, I installed the latest version of rekall (1.7.2rc1), made a profile and vola, it worked

P.S: I know I'm very new to this, but if you don't mind I love to help you with implementing the int3 into memory and other stuff, because it would be a really great experience for me.
Thank you for your help again

from pyvmidbg.

hi @Alibm73 ,

the vmidbg server is listening by default on localhost: 127.0.0.1.
The whole point of debugging from the hypervisor is that you don't need in guest vm tools for debugging.

so you don't need the guest IP address, or for the guest to have a network card at all.

You want to connnect radare2 to 127.0.0.1:5000, that's where the server will be listening, on you Xen host, to talk with Xen APIs, to query the VM's hardware state.

so r2 -d gdb://127.0.0.1:5000 -b 64.

Also, remember to run vmidbg as root, because talking to Xen's VMI interface requires high privileges.

from pyvmidbg.

@Wenzel
I tried to connect to the gdbserver as instructed, but it still doesn't connect
i get this error:

(venv) root@alixen:/home/aliadmin/iso/new/Wenzel/pyvmidbg# vmidbg 5000 windows10 mspaint -d
INFO:server:listening on 127.0.0.1:5000
DEBUG:server:ready for next client
INFO:server:new client ('127.0.0.1', 43406)
ERROR:root:Exception while initializing debug context
Traceback (most recent call last):
  File "/home/aliadmin/iso/new/Wenzel/pyvmidbg/venv/lib/python3.6/site-packages/vmidbg/libvmistub.py", line 74, in __enter__
    self.ctx = WindowsDebugContext(self.vmi, self.process)
  File "/home/aliadmin/iso/new/Wenzel/pyvmidbg/venv/lib/python3.6/site-packages/vmidbg/windowsdebugcontext.py", line 131, in __init__
    ps_head_rva = profile['$CONSTANTS']['PsActiveProcessHead']
KeyError: '$CONSTANTS'
INFO:GDBStub:connected
ERROR:root:Exception while detaching from debug context
Traceback (most recent call last):
  File "/home/aliadmin/iso/new/Wenzel/pyvmidbg/venv/lib/python3.6/site-packages/vmidbg/libvmistub.py", line 87, in __exit__
    self.ctx.detach()
AttributeError: 'LibVMIStub' object has no attribute 'ctx'
DEBUG:server:ready for next client

from pyvmidbg.

How come you have no $CONSTANTS in your rekall profile ?

Maybe because you are using a Volatility JSON profile, and i'm assuming a data structure that is only present in Rekall JSON profiles ? 🤔

Can you paste the profile in a Gist please ?
How did you generated it ?

from pyvmidbg.

I'm glad to see that pyvmidbg works for you, congrats !

I know I'm very new to this, but if you don't mind I love to help you with implementing the int3 into memory and other stuff

The software breakpoints are already implemented in pyvmidbg at this point.
I'm not sure I understand what int3 implementation you are talking about ? 🤔

from pyvmidbg.

@Wenzel yea, that was a mistake from my part. what i really meant was i would like to help you (specially learn from you) on future developments, IF that is ok with you. I really don't know how can I really help you 😄 but i would definitely try 💪
thanks
oh by the way on this step:

[0x7ffc81d31144]> oba 0xfffff8005221a000 /home/aliadmin/iso/windows10v1703.rekall.json
[0x7ffc81d31144]> fs
0   18 . regs
1    0 * symbols
[0x7ffc81d31144]> fs

there are no symbols, I should create pdb for ntoskrnl.exe, right?? currently My rekall profile is for ntkr nlmp.pdb
should I even use a json format or not?!

from pyvmidbg.

yea, that was a mistake from my part. what i really meant was i would like to help you (specially learn from you) on future developments, IF that is ok with you. I really don't know how can I really help you 😄 but i would definitely try 💪

would be glad to have some help building the future of pyvmidbg !
welcome aboard.

[0x7ffc81d31144]> oba 0xfffff8005221a000 /home/aliadmin/iso/windows10v1703.rekall.json

oba loads a binary, not rekall symbols.
if you watch my presentation, I'm loading the ntoskrnl at a certain address, and radare2 will parse the PE to look for exported symbols.
But it's not loading PDBs.
That's something we might need also.

from pyvmidbg.