GP-5209: kernel-mode

Ghidra/Debug/Debugger-agent-gdb/src/main/py/src/ghidragdb/arch.py

@@ -164,7 +164,7 @@ def compute_ghidra_compiler(lang):
 
     # Check if the selected lang has specific compiler recommendations
     if not lang in compiler_map:
-        print(f"{lang} not found in compiler map")
+        print(f"{lang} not found in compiler map - using default compiler")
         return 'default'
     comp_map = compiler_map[lang]
     if comp_map == data64_compiler_map:
@@ -174,7 +174,7 @@ def compute_ghidra_compiler(lang):
         return comp_map[osabi]
     if None in comp_map:
         return comp_map[None]
-    print(f"{osabi} not found in compiler map")
+    print(f"{osabi} not found in compiler map - using default compiler")
     return 'default'
 
 

Ghidra/Debug/Debugger-agent-lldb/data/debugger-launchers/kernel-lldb.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+## ###
+# IP: GHIDRA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+#@title kernel lldb
+#@desc <html><body width="300px">
+#@desc   <h3>Launch with local <tt>lldb</tt> and connect to a remote kernel</h3>
+#@desc   <p>
+#@desc     This will start <tt>lldb</tt> on the local system and then use it to connect to the remote system.
+#@desc     For setup instructions, press <b>F1</b>.
+#@desc   </p>
+#@desc </body></html>
+#@menu-group remote
+#@icon icon.debugger
+#@help TraceRmiLauncherServicePlugin#lldb_kernel
+#@env OPT_HOST:str="localhost" "Host" "The hostname of the target"
+#@env OPT_ARCH:str="" "Architecture" "Target architecture override"
+#@env OPT_LLDB_PATH:file="lldb" "lldb command" "The path to lldb on the local system. Omit the full path to resolve using the system PATH."
+
+if [ -d ${GHIDRA_HOME}/ghidra/.git ]
+then
+  export PYTHONPATH=$GHIDRA_HOME/ghidra/Ghidra/Debug/Debugger-agent-lldb/build/pypkg/src:$PYTHONPATH
+  export PYTHONPATH=$GHIDRA_HOME/ghidra/Ghidra/Debug/Debugger-rmi-trace/build/pypkg/src:$PYTHONPATH
+elif [ -d ${GHIDRA_HOME}/.git ]
+then 
+  export PYTHONPATH=$GHIDRA_HOME/Ghidra/Debug/Debugger-agent-lldb/build/pypkg/src:$PYTHONPATH
+  export PYTHONPATH=$GHIDRA_HOME/Ghidra/Debug/Debugger-rmi-trace/build/pypkg/src:$PYTHONPATH
+else
+  export PYTHONPATH=$GHIDRA_HOME/Ghidra/Debug/Debugger-agent-lldb/pypkg/src:$PYTHONPATH
+  export PYTHONPATH=$GHIDRA_HOME/Ghidra/Debug/Debugger-rmi-trace/pypkg/src:$PYTHONPATH
+fi
+
+if [ -z "$OPT_ARCH" ]
+then
+  archcmd=
+else
+  archcmd=-o "settings set target.default-arch $OPT_ARCH" 
+fi
+
+"$OPT_LLDB_PATH" \
+  -o "version" \
+  -o "script import ghidralldb" \
+  $archcmd \
+  -o "kdp-remote $OPT_HOST" \
+  -o "ghidra trace connect \"$GHIDRA_TRACE_RMI_ADDR\"" \
+  -o "ghidra trace start" \
+  -o "ghidra trace sync-enable" \
+  -o "ghidra trace sync-synth-stopped"

Ghidra/Debug/Debugger-agent-lldb/src/main/py/src/ghidralldb/arch.py

@@ -115,6 +115,13 @@ data64_compiler_map = {
     None: 'pointer64',
 }
 
+x86_compiler_map = {
+    'windows': 'windows',
+    'Cygwin': 'windows',
+    'default': 'gcc',
+    'unknown': 'gcc',
+}
+
 default_compiler_map = {
     'freebsd': 'gcc',
     'linux': 'gcc',
@@ -128,14 +135,14 @@ default_compiler_map = {
     # This may seem wrong, but Ghidra cspecs really describe the ABI
     'Cygwin': 'Visual Studio',
     'default': 'default',
-    'unknown': 'gcc',
+    'unknown': 'default',
 }
 
 compiler_map = {
     'DATA:BE:64:': data64_compiler_map,
     'DATA:LE:64:': data64_compiler_map,
-    'x86:LE:32:': default_compiler_map,
+    'x86:LE:32:': x86_compiler_map,
-    'x86:LE:64:': default_compiler_map,
+    'x86:LE:64:': x86_compiler_map,
     'ARM:LE:32:': default_compiler_map,
     'ARM:LE:64:': default_compiler_map,
 }
@@ -225,7 +232,7 @@ def compute_ghidra_compiler(lang):
         key=lambda l: compiler_map[l]
     )
     if len(matched_lang) == 0:
-        print(f"{lang} not found in compiler map")
+        print(f"{lang} not found in compiler map - using default compiler")
         return 'default'
     
     comp_map = compiler_map[matched_lang[0]]
@@ -234,9 +241,12 @@ def compute_ghidra_compiler(lang):
     osabi = get_osabi()
     if osabi in comp_map:
         return comp_map[osabi]
+    if lang.startswith("x86:"):
+        print(f"{osabi} not found in compiler map - using gcc")
+        return 'gcc'
     if None in comp_map:
         return comp_map[None]
-    print(f"{osabi} not found in compiler map")
+    print(f"{osabi} not found in compiler map - using default compiler")
     return 'default'
 
 

Ghidra/Debug/Debugger-rmi-trace/src/main/help/help/topics/TraceRmiLauncherServicePlugin/TraceRmiLauncherServicePlugin.html

@@ -635,13 +635,59 @@ gdb-remote [host]:[port]
 
       <LI><B>Port</B>: The TCP port of the target stub.</LI>
 
-      <LI><B>Architecture</B> (optional): If the stub does not describe its architecture to GDB,
+      <LI><B>Architecture</B> (optional): If the stub does not describe its architecture to LLDB,
       you must set it before connecting. This is passed as is to "<TT>setting set
       target.default-arch ...</TT>" immediately before the "<TT>gdb-remote ...</TT>" command.</LI>
 
       <LI><B><TT>lldb</TT> command</B>: This works the same as in LLDB.</LI>
     </UL>
 
+	    <H3><A name="lldb_kernel"></A>Kernel LLDB</H3>
+
+	    <P>This launcher connects to macos kernels booted in debug-mode using
+	    <TT>lldb</TT>. Essentially, it just starts <TT>lldb</TT> and then enters</P>
+
+	    <UL style="list-style-type: none">
+	      <LI>
+<PRE>
+kdp-remote [host]
+</PRE>
+	      </LI>
+	    </UL>
+
+	    <P>It is best to test this command outside of Ghidra to be sure everything is
+	    compatible before using this launcher. This launcher does not require an image, nor does it
+	    create your target. Thus, it can be used without a current program.</P>
+
+	    <H4>Setup</H4>
+
+	    <P>On your local system, follow the steps given in <A href="#lldb_setup">LLDB Setup</A>.
+		Before connecting to the target kernel, you must force an NMI on the target to ready the connection.
+		On actual hardware, this is typically achieved by some button sequence, e.g. <B>L/R-Options + Power</B>
+		or <B>Command+Option+Control+Shift+Esc</B>. In a VM, you may have to pause the VM and modify its state.
+		For example, by cd'ing to the VM's container and issuing the command:
+		</P>
+		
+		    <UL style="list-style-type: none">
+		      <LI>
+<PRE>
+perl -i -pe 's/(?<=pendingNMI\x00{4})\x00/\x01/' macOS_15-1234567.vmss
+</PRE>
+		      </LI>
+		    </UL>
+
+	    <H4>Options</H4>
+
+	    <UL>
+	      <LI><B>Host</B>: The host IP of the target kernel.</LI>
+
+	      <LI><B>Architecture</B> (optional): If the kernel does not describe its architecture to LLDB,
+	      you must set it before connecting. This is passed as is to "<TT>setting set
+	      target.default-arch ...</TT>" immediately before the "<TT>kdp-remote ...</TT>" command.</LI>
+
+	      <LI><B><TT>lldb</TT> command</B>: This works the same as in LLDB.</LI>
+	    </UL>
+
     <H2>Stock Windows Debugger (WinDbg) Launchers</H2>
 
     <P>The following launchers based on Microsoft's <TT>dbgeng.dll</TT> are included out of the