1. Install WinDbg inside the guest. You will need to generate symbol files from the guest since this is the Windows version you will be hooking vprobes to.
2. Create a local or remote symbol server per Debugging Applications for Microsoft .NET and Microsoft Windows Part I, Chapter 2 and run the following command from the WinDbg folder:
google:Applications_net_windows
This will take some time to complete and you should end up with a couple gigs of modules and their PDBs.
3. Run WinDbg in local kernel debugging mode on the guest and issue the following command, replacing <modulename> with an actual module name:
4. Save the output from WinDbg: Edit > Write Window Text to File
5. Place the saved file in the guest datastore directory.
6. Stop the guest.
7. Edit the VMX file to include
8. Start the guest.
9. Issue the vprobeListProbes command to view your imported events.
The attached probes.txt file contains all my events with the NT module imported. nt.txt is the file I am importing with vprobe.guestSyms. I am not sure if this will be a problem but the event names look like:
instead of
Any insight on this?
UPDATE FROM VMWARE:
I will check this out and post my results...
http://windbg.info
2. Create a local or remote symbol server per Debugging Applications for Microsoft .NET and Microsoft Windows Part I, Chapter 2 and run the following command from the WinDbg folder:
google:Applications_net_windows
cscript ossyms2.0.js \\symbols\path
This will take some time to complete and you should end up with a couple gigs of modules and their PDBs.
3. Run WinDbg in local kernel debugging mode on the guest and issue the following command, replacing <modulename> with an actual module name:
x <modulename>!*
4. Save the output from WinDbg: Edit > Write Window Text to File
5. Place the saved file in the guest datastore directory.
6. Stop the guest.
7. Edit the VMX file to include
vprobe.enable = "TRUE"
vprobe.guestSyms = "symbolFile.TXT"
8. Start the guest.
9. Issue the vprobeListProbes command to view your imported events.
The attached probes.txt file contains all my events with the NT module imported. nt.txt is the file I am importing with vprobe.guestSyms. I am not sure if this will be a problem but the event names look like:
GUEST:t!MiShutdownSystem*
instead of
GUEST:nt!MiShutdownSystem*
Any insight on this?
UPDATE FROM VMWARE:
This looks like an issue with our internal parsing logic for windbg-style symbol text files. Try adding a "0`" (w/o the double quotes) to each of the lines and you should see the full, intact probe names.
I will check this out and post my results...
http://windbg.info
Attachments:
- nt.TXT (576.2 K)
- probes.txt (301.6 K)
- OSsyms2.0.js (16.9 K)
