A simple way to get started is to launch IDA and disassemble the bochsrc file associated with your disk image. IDA will recognize bochsrc files, parse the contents, determine the associated disk image and create a new database containing the first sector of the disk image (usually the boot sector).
The database does not have to correspond to the disk image: it can in fact start as an empty database, and the user can then convert the needed segments to loader segments for later analysis. The following script can be used for that purpose:

    // desired__segment__start: start address of the segment to convert
    auto attrs;
    attrs = get_segm_attr(desired__segment__start, SEGATTR_FLAGS);
    attrs = (attrs & ~SFL_DEBUG) | SFL_LOADER;   // clear the debugger-segment flag, set the loader flag
    set_segm_attr(desired__segment__start, SEGATTR_FLAGS, attrs);

If the disk image switches to protected mode with memory paging enabled, IDA will use the page table mapping to display segments. For 16-bit applications, IDA automatically creates a default DOS memory map (Interrupt Vector Table, BIOS Data Area, User Memory and BIOS ROM). The Bochs Debugger plugin will also try to guess the bitness of debugger segments; the user can still edit the bitness manually.
Moreover, the Bochs internal debugger provides the ability to add hardware-like breakpoints, known as watchpoints, but the addresses must be physical addresses. To make the disk image operation mode more convenient to use, the plugin will convert virtual addresses to physical addresses (if page table information is present) before adding the hardware breakpoint. This mechanism will not always work; please check the FAQ for more information. For a hardware breakpoint on execute, the plugin will use the selected address as-is and create a physical breakpoint.
The following parameters can be specified for the disk image operation mode:
- The bochsrc file which contains the configuration for the Bochs virtual machine in question. The bochsrc file should be entered in: Debugger -> Process Options -> Application (other fields are ignored)
- Use virtual breakpoints when protected mode is enabled: This parameter is set in the Debugger Specific options. It allows the plugin to use the "vb" command to create virtual breakpoints (using cs:eip) instead of the "lb" command, which creates linear breakpoints (using only "eip"). It is useful when debugging code where the "cs" segment selector base is not zero.

This is a small example of how to debug a given disk image:
1. Prepare the needed Bochs virtual machine files (bochsrc, disk image, floppy image if needed, etc.)
2. Load the bochsrc file into IDA. IDA will automatically create a database.
(Step 2 is optional. It is possible to use a database of your choice, but remember to point its "Debugger->Process Options->Input file" to the bochsrc file)
3. Make sure the "Disk image" operation mode is selected (If Step 2 was used, then Disk image operation mode will be selected automatically)
4. Enable "Debugger Options->Suspend on debugging start", and start debugging!
In the disk image operation mode, the Bochs debugger plugin does not handle or report exceptions. If they must be caught and handled, please put breakpoints in the IDT or IVT entries.
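
As an added illustration (not part of the IDA documentation), the following Python sketch computes the handler addresses on which such breakpoints would be placed, given raw IVT or IDT bytes read from guest memory. The function names and sample tables are constructed for this example, and the IDT case assumes 32-bit (non-long-mode) interrupt and trap gates.

```python
import struct

def ivt_handlers(ivt, vectors):
    """Real mode: IVT entry n is 4 bytes at physical 4*n (offset, then segment)."""
    out = {}
    for n in vectors:
        off, seg = struct.unpack_from("<HH", ivt, 4 * n)
        out[n] = (seg << 4) + off          # physical address of the handler
    return out

def idt_handlers(idt, vectors):
    """Protected mode: 8-byte gates; returns {vector: (selector, offset)}."""
    out = {}
    for n in vectors:
        off_lo, sel, _rsvd, type_attr, off_hi = struct.unpack_from("<HHBBH", idt, 8 * n)
        if not type_attr & 0x80:           # present bit clear: no handler installed
            continue
        if (type_attr & 0x1F) not in (0x0E, 0x0F):
            continue                       # only 32-bit interrupt/trap gates carry a full offset
        # The offset is relative to the selector's segment base. If that base
        # is not zero, a cs:eip ("vb") breakpoint is the one that matches.
        out[n] = (sel, (off_hi << 16) | off_lo)
    return out

# Constructed sample tables (not taken from a real disk image).
SAMPLE_IVT = bytearray(256 * 4)
struct.pack_into("<HH", SAMPLE_IVT, 4 * 0, 0xFF53, 0xF000)   # vector 0: divide error
struct.pack_into("<HH", SAMPLE_IVT, 4 * 6, 0x0100, 0x0070)   # vector 6: invalid opcode

SAMPLE_IDT = bytearray(32 * 8)
struct.pack_into("<HHBBH", SAMPLE_IDT, 8 * 13, 0x1234, 0x08, 0, 0x8E, 0x0010)  # #GP, present
struct.pack_into("<HHBBH", SAMPLE_IDT, 8 * 14, 0x5678, 0x08, 0, 0x0E, 0x0010)  # #PF, not present
struct.pack_into("<HHBBH", SAMPLE_IDT, 8 * 8, 0, 0x28, 0, 0x85, 0)             # #DF via task gate

if __name__ == "__main__":
    for vec, addr in ivt_handlers(SAMPLE_IVT, [0, 6]).items():
        print("IVT vector %d -> physical %#x" % (vec, addr))
    for vec, (sel, off) in idt_handlers(SAMPLE_IDT, [8, 13, 14]).items():
        print("IDT vector %d -> %#x:%#x" % (vec, sel, off))
```

Vectors skipped by `idt_handlers` (not present, or task gates) have no direct handler offset to break on and need to be examined separately.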
See also: Bochs debugger Bochs plugin operation mode FAQ