Ida Bochs Windows

Helper script for Windows kernel debugging with IDA Pro on native Bochs debugger (including PDB symbols)

Repository: https://github.com/therealdreg/ida_bochs_windows (GNU General Public License v3.0)

By Oleksiuk Dmytro (aka Cr4sh), Twitter @d_olex, http://blog.cr4.sh, https://github.com/Cr4sh

Mod by David Reguera Garcia (aka Dreg), Twitter @therealdreg, https://www.fr33project.org, https://github.com/therealdreg

2022/07/31 by Dreg

  • project renamed to ida_bochs_windows.py
  • ported to Python 3
  • ported to IDAPython 7.4
  • use send_dbg_command('sreg') to get the IDT address
  • added ida_kernwin.open_segments_window(0) and ida_kernwin.open_names_window(0)
  • fixed a length bug in get_unistr
  • code style fixed using black
  • added changelog
  • added some prints
  • set all segments to +rwx
  • license: GNU General Public License v3.0
  • cosmetic changes (new header...)
  • ported to the new PDB plugin interface: netnode "$ pdb" with altset 0 + supset 0
  • blacklist and whitelist modes
  • import the new IDA modules so IDE autocompletion (IntelliSense) works
  • tested on:
    • host: Windows 10 (build 19044)
    • IDA Pro 7.7, IDAPython 7.4
    • target: Windows XP SP3 x86
    • Bochs 2.7 debugger

Features:

  • Enumerates the loaded kernel modules and creates an IDA segment for each of them.
  • Loads PDB debug symbols for those kernel modules.
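As an added example (not code from this page or from ida_bochs_windows.py itself), here is the module enumeration the first feature describes, written as plain Python over a read(addr, size) callback so it runs outside IDA against constructed guest memory. The _KLDR_DATA_TABLE_ENTRY offsets, the sample module entries, and the systemroot_relative() path mapping are assumptions of this example, not taken from the script:

```python
import struct

# Offsets inside _KLDR_DATA_TABLE_ENTRY / _UNICODE_STRING for both architectures.
# Assumption of this example: these are the layouts published for XP through
# Windows 10; confirm them against the target's ntoskrnl PDB before relying on them.
LAYOUTS = {
    "x86": dict(ptr="<I", ptr_size=4, links="<II", dll_base=0x18, size_of_image=0x20,
                full_name=0x24, base_name=0x2C, ustr_buf=4),
    "x64": dict(ptr="<Q", ptr_size=8, links="<QQ", dll_base=0x30, size_of_image=0x40,
                full_name=0x48, base_name=0x58, ustr_buf=8),
}


def read_ptr(read, addr, lay):
    return struct.unpack(lay["ptr"], read(addr, lay["ptr_size"]))[0]


def read_unicode_string(read, addr, lay):
    """_UNICODE_STRING.Length counts bytes of UTF-16 text, not characters:
    read exactly Length bytes from Buffer, never Length * 2."""
    length = struct.unpack("<H", read(addr, 2))[0]
    buffer = read_ptr(read, addr + lay["ustr_buf"], lay)
    if buffer == 0 or length == 0:
        return ""
    return read(buffer, length).decode("utf-16-le", errors="replace")


def walk_loaded_modules(read, list_head, arch, max_entries=4096):
    """Walk the circular LIST_ENTRY at nt!PsLoadedModuleList (each node is the
    InLoadOrderLinks field of a _KLDR_DATA_TABLE_ENTRY) and describe each module."""
    lay = LAYOUTS[arch]
    modules, seen = [], set()
    entry = read_ptr(read, list_head, lay)            # head.Flink
    while entry != list_head:
        if entry in seen or len(modules) >= max_entries:
            raise RuntimeError("module list is cyclic or corrupt at 0x%x" % entry)
        seen.add(entry)
        modules.append({
            "base": read_ptr(read, entry + lay["dll_base"], lay),
            "size": struct.unpack("<I", read(entry + lay["size_of_image"], 4))[0],
            "full_name": read_unicode_string(read, entry + lay["full_name"], lay),
            "base_name": read_unicode_string(read, entry + lay["base_name"], lay),
        })
        entry = read_ptr(read, entry, lay)             # InLoadOrderLinks.Flink
    return modules


def systemroot_relative(full_name):
    """Reduce FullDllName, in any of the prefix forms the loader records
    (\\WINDOWS\\..., \\SystemRoot\\..., \\??\\C:\\WINDOWS\\..., or a bare file name),
    to a path relative to the guest's SystemRoot. This mapping is an assumption
    of the example, not the script's own logic."""
    parts = [c for c in full_name.replace("/", "\\").split("\\") if c]
    if len(parts) > 1 and parts[0] == "??" and parts[1].endswith(":"):
        parts = parts[2:]                               # drop NT prefix and drive letter
    if parts and parts[0].lower() in ("systemroot", "windows", "winnt"):
        parts = parts[1:]                               # drop the root directory itself
    if len(parts) == 1:
        return "system32\\drivers\\" + parts[0]         # bare name: assume default driver dir
    return "\\".join(parts)


class ConstructedMemory:
    """Flat buffer standing in for guest memory (constructed data, not a real dump)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError("read outside constructed memory: 0x%x" % addr)
        return bytes(self.buf[off:off + n])

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data


SAMPLE_MODULES = [   # (FullDllName, BaseDllName, DllBase, SizeOfImage); constructed values
    ("\\WINDOWS\\system32\\ntoskrnl.exe", "ntoskrnl.exe", 0x804D7000, 0x1F8000),
    ("\\WINDOWS\\system32\\hal.dll", "hal.dll", 0x806D0000, 0x20300),
    ("\\SystemRoot\\system32\\DRIVERS\\tcpip.sys", "tcpip.sys", 0xF7A00000, 0x58000),
]


def build_sample(arch):
    """Lay SAMPLE_MODULES out as an in-load-order list; return (read, list head)."""
    lay = LAYOUTS[arch]
    region = 0x80500000 if arch == "x86" else 0xFFFFF80003000000
    mem, head = ConstructedMemory(region, 0x2000), region
    entries = [region + 0x100 * (i + 1) for i in range(len(SAMPLE_MODULES))]
    for i, (full, base_name, dll_base, size) in enumerate(SAMPLE_MODULES):
        e = entries[i]
        flink = entries[i + 1] if i + 1 < len(entries) else head
        mem.write(e, struct.pack(lay["links"], flink, entries[i - 1] if i else head))
        mem.write(e + lay["dll_base"], struct.pack(lay["ptr"], dll_base))
        mem.write(e + lay["size_of_image"], struct.pack("<I", size))
        for off, text, slot in ((lay["full_name"], full, 0), (lay["base_name"], base_name, 0x80)):
            buf, data = region + 0x1000 + 0x100 * i + slot, text.encode("utf-16-le")
            mem.write(buf, data)
            mem.write(e + off, struct.pack("<HH", len(data), len(data) + 2))   # Length, MaximumLength
            mem.write(e + off + lay["ustr_buf"], struct.pack(lay["ptr"], buf))  # Buffer
    mem.write(head, struct.pack(lay["links"], entries[0], entries[-1]))
    return mem.read, head


if __name__ == "__main__":
    read, head = build_sample("x86")
    for m in walk_loaded_modules(read, head, "x86"):
        print("%08x-%08x %-13s %s" % (m["base"], m["base"] + m["size"],
                                       m["base_name"], systemroot_relative(m["full_name"])))
```

Inside IDA the read callback would be idc.read_dbg_memory and the list head the resolved nt!PsLoadedModuleList address; walk_loaded_modules() then yields the base, size and name of every module, which is all that is needed to create one segment per module. Note that read_unicode_string() treats Length as a byte count, the usual source of off-by-2x mistakes when reading these strings, and that the cycle guard keeps a corrupted or hooked list from looping forever.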

Based on the original vmware_modules.py from the Hex Blog article: http://www.hexblog.com/?p=94

Changes:

  • Changed the nt!PsLoadedModuleList lookup: deriving it from the FS segment base is unreliable, because FS does not always point to the _KPCR.
  • Added complete support for Windows x64.
  • Fixed bugs in .PDB loading for modules with a 'non-canonical' image path.
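The changelog entry about send_dbg_command('sreg') and the first change above point at an alternative to the FS-based lookup: take the IDTR from the Bochs sreg output, read the handler address out of the vector 0 (#DE) interrupt gate, which lives inside ntoskrnl, and scan backwards from it page by page for the image's MZ/PE header. This is an added example, not the script's own code; the sreg line format, the gate-encoding helper, the decoy page and the constructed guest memory are assumptions of the example, and how the script goes from the kernel image base to nt!PsLoadedModuleList is not shown on this page:

```python
import re
import struct

# Constructed sample of the IDTR line Bochs prints for 'sreg'. The exact format is
# an assumption of this example; adjust IDTR_RE if your Bochs build prints it differently.
SAMPLE_SREG_X86 = "idtr:base=0x8003f400, limit=0x7ff"
IDTR_RE = re.compile(r"idtr:base=0x([0-9a-fA-F]+)")


def parse_idt_base(sreg_output):
    m = IDTR_RE.search(sreg_output)
    if not m:
        raise ValueError("no idtr line in sreg output")
    return int(m.group(1), 16)


def encode_gate(handler, is64, selector=0x08, gate_type=0x8E):
    """Build an interrupt gate descriptor (present, DPL0, 32/64-bit interrupt gate)."""
    if is64:   # offset 15:0, selector, IST, type, offset 31:16, offset 63:32, reserved
        return struct.pack("<HHBBHII", handler & 0xFFFF, selector, 0, gate_type,
                           (handler >> 16) & 0xFFFF, handler >> 32, 0)
    return struct.pack("<HHHH", handler & 0xFFFF, selector, gate_type << 8, handler >> 16)


def idt_handler(read, idt_base, vector, is64):
    """Return the handler address packed into the gate descriptor for `vector`."""
    if is64:
        lo, _sel, _ist, _typ, mid, hi, _res = struct.unpack(
            "<HHBBHII", read(idt_base + vector * 16, 16))
        return (hi << 32) | (mid << 16) | lo
    lo, _sel, _flags, hi = struct.unpack("<HHHH", read(idt_base + vector * 8, 8))
    return (hi << 16) | lo


def find_image_base(read, addr, max_pages=0x1000):
    """Walk back page by page from addr until a page starts with an MZ header whose
    e_lfanew points at a PE signature. A page that merely begins with 'MZ' (data, a
    stray DOS stub) fails the PE check; unmapped pages in the range are skipped."""
    page = addr & ~0xFFF
    for _ in range(max_pages):
        try:
            hdr = read(page, 0x40)
            if hdr[:2] == b"MZ":
                e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
                if 0 < e_lfanew < 0x1000 and read(page + e_lfanew, 4) == b"PE\0\0":
                    return page
        except ValueError:
            pass                                       # unmapped page, keep scanning
        page -= 0x1000
    raise RuntimeError("no PE header within %d pages below 0x%x" % (max_pages, addr))


class SparseMemory:
    """Page-granular constructed guest memory; reads from unmapped pages raise."""
    def __init__(self):
        self.pages = {}

    def map(self, addr, data):
        page, off = addr & ~0xFFF, addr & 0xFFF
        self.pages.setdefault(page, bytearray(0x1000))[off:off + len(data)] = data

    def read(self, addr, n):
        page, off = addr & ~0xFFF, addr & 0xFFF
        if page not in self.pages or off + n > 0x1000:
            raise ValueError("unmapped read at 0x%x" % addr)
        return bytes(self.pages[page][off:off + n])


def build_sample_x86():
    """Constructed x86 guest: IDT at 0x8003F400 whose vector 0 gate points into a PE
    image based at 0x804D7000; most pages in between are unmapped and one is a decoy
    that begins with 'MZ' but has no PE signature behind its e_lfanew."""
    mem, idt, kernel, handler = SparseMemory(), 0x8003F400, 0x804D7000, 0x80540A5C
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xE8)            # e_lfanew
    mem.map(kernel, dos)
    mem.map(kernel + 0xE8, b"PE\0\0")
    decoy = bytearray(0x44)
    decoy[:2] = b"MZ"
    struct.pack_into("<I", decoy, 0x3C, 0x40)          # e_lfanew -> four zero bytes, not "PE\0\0"
    mem.map(0x80520000, decoy)
    mem.map(handler, b"\xfa\xf4")                      # any bytes, so the handler's page is mapped
    mem.map(idt, encode_gate(handler, False))          # vector 0 (#DE) gate
    return mem.read, idt


if __name__ == "__main__":
    read, idt = build_sample_x86()
    assert parse_idt_base(SAMPLE_SREG_X86) == idt
    handler = idt_handler(read, idt, 0, False)
    print("vector 0 handler 0x%08x -> image base 0x%08x" % (handler, find_image_base(read, handler)))
```

In IDA the text returned by ida_dbg.send_dbg_command('sreg') feeds parse_idt_base(), and idc.read_dbg_memory is the read callback; read failures there surface as exceptions or empty results rather than the ValueError this example's memory raises, so adapt the except clause to what your reader returns. The approach needs only the IDTR, which is architecture state the hypervisor always reports, whereas a lookup through FS works only when the guest happens to be in kernel mode with FS loaded with the _KPCR selector.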

For IDE autocompletion (IntelliSense), set the environment variable PYTHONPATH=C:\Program Files\IDA Pro 7.7\python\3