Ntoseye: Windows kernel debugger for Linux hosts running Windows under KVM/QEMU
Ntoseye
Windows kernel debugger for Linux hosts running Windows under KVM/QEMU.
Features
- Command line interface
- WinDbg style commands
- Kernel debugging
- PDB fetching
- Breakpointing
- Scripting API (Lua)
Supported Windows
ntoseye currently only supports Windows 10 and 11 guests.
ntoseye will ask you if you wish to download symbols (defaults to exports if user declines). It will only download symbols from Microsoft’s official symbol server. All files which will be read/written to will be located in $XDG_CONFIG_HOME/ntoseye.
Keybinds
| Key(s) | Description |
|---|---|
| tab | Tab completion. Either lists all available commands or attempts to complete the currently typed out command. |
| ctrl+C | Attempt a breakpoint. Will terminate the debugger if in the middle of a download or hang. |
Commands
| Command | Description |
|---|---|
!pte [VirtualAddress/Symbol] |
Display the page table entries of a given virtual address. |
!process 0 0 |
Display a list of the current active processes. |
.process [/p /r] OR [AddressOfEPROCESS] |
Set the current process context. |
break |
Breakpoint. |
db [VirtualAddress/Symbol] [EndAddress/L<Count>] |
Display bytes at address. |
g |
Continue from breakpoint. |
lm |
List current modules. |
n [10 OR 16] |
Set radix. 16 by default. |
q |
Quit. |
r OR r [Register names] |
Display registers. |
reload_lua |
Reload lua scripts. |
u [VirtualAddress/Symbol] [EndAddress/L<Count>] |
Display disassembly at address. |
uf [VirtualAddress/Symbol] [EndAddress/L<Count>] |
Alias for u command. |
x [Module!Function] |
Display symbols matching the string. Accepts wildcard. |
~ OR ~ [ProcessorNumber] |
Display current processor number or set current processor. |
:[CallbackName] <Args> |
Call to Lua callback. |
