Bochs debugger

The Bochs debugger plugin uses the Bochs internal command line debugger. For more about the internal debugger: http://bochs.sourceforge.net/doc/docbook/user/internal-debugger.html

To use the Bochs debugger plugin, the following steps must be carried out:

• Download and install Bochs v2.6.x from: http://bochs.sourceforge.net/getcurrent.html For Mac OS or Linux, please refer to the following guide: https://www.hex-rays.com//products/ida/support/tutorials/debugging_bochs_linux.pdf

  Copy

  - Open or create an IDB file in IDA and select the Bochs debugger
  
  - Configure the debugger specific options in
        Debugger Options, Set specific options.
    One of three possible modes of operation can be selected: image, idb, or pe.

Because the debugger plugin uses the Bochs command line debugger, it has the following limitations:

  - Breakpoints: the Bochs debugger has the limit of 10 physical, 10
    virtual, and 10 linear breakpoints. Since IDA uses some breakpoints
    for its own purposes, only 20 breakpoints can be set by the user

  - Watchpoints: the Bochs debugger has the limit of 16 read and 16 write
    watchpoints

  - FPU registers, MMX, XMM, control, task and segment registers cannot be modified

There are ways to overcome some of the limitations mentioned above by downloading Bochs source code and modifying it. For example, the number of allowed breakpoints can be increased.

The Bochs debugger configuration dialog box has the following entries:

  BOCHSRC
    This is the path to the Bochs configuration file template. It contains
    special variables prefixed with "$". These variables should not be
    modified or changed by the user, as they are automatically filled by the
    plugin. Other entries can be modified as needed.

Operation mode The user can choose between Disk Image, IDB and PE operation modes.

  Delete image files upon session end
    If enabled, IDA will automatically delete the Bochs disk images used for
    the debugging session (this option only applies to IDB and PE operation modes).
    If the plugin (in IDB operation mode) finds a previously created image, it verifies that it
    corresponds to the database and uses it as is. Unchecking this option
    for the IDB operation mode will speed up launching the debugger.

  64-bit emulation
    This options enables 64bit emulation. It is only present in the 64-bit version of IDA.
    By default, the Bochs plugin will try to detect whether to choose 32 or 64-bit emulation.

Default configuration parameters are taken from ida\cfg\dbg_bochs.cfg.

The Bochs debugger module adds a new menu item: Debugger, Bochs Command. It can be used to send arbitrary commands to Bochs. The command output is displayed in the message window (there is also an IDC counterpart of this function, please refer to "startup.idc" file). This command is very useful but may interfere with IDA, especially if the user modifies breakpoints or resume execution outside IDA.

See also:

• Disk Image operation mode

• Bochs IDB operation mode

• Bochs PE operation mode

• Bochs plugin operation mode FAQ