There are several issues in IDA related to GDB remote debugging. The following concerns debugging windows programs.
IDA does not show correct destination of logical addresses involving fs or gs overrides, for example:
mov eax, fs:18h ;clicking on this goes to an address 0x18 instead of fs_base + 0x18
mov eax, gs:30h ;same here, goes to 0x30 instead of gs_base + 0x30
At the same time, GDB stub provides fs_base and gs_base registers. Here is a tcpdump of the interaction with GDB stub:
>> from IDA to remote stub
qXfer:features:read:64bit-segments.xml:0,1023
<< from remote stub to IDA
l<?xml version="1.0"?>
<!-- Copyright (C) 2016-2018 Free Software Foundation, Inc.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. -->
<!DOCTYPE feature SYSTEM "gdb-target.dtd">
<feature name="org.gnu.gdb.i386.segments">
<reg name="fs_base" bitsize="64" type="int"/>
<reg name="gs_base" bitsize="64" type="int"/>
</feature>
IDA is supposed to show thread names in Threads debugging window. Instead it shows only FFFFFFFFFFFFFFFF regardless of thread names
an example conversation shows that names are set:
<< from IDA
qXfer:threads:read::0,1023
>> to IDA
l<threads>
<thread id="1" core="0" name="main thread" />
<thread id="2" core="0" name="thread #1" />
<thread id="3" core="0" name="thread #2" />
</threads>
But all the names are FFFFFFFFFFFFFFFF in Threads window.
Choose process to attach to window does not show process name
IDA can make a request qXfer:exec-file:read to read the name of the program. When attaching to the remote process a window Choose process to attach to appears. It has two fields: Id and Name. Name is always <attach to the process started on target> regardless of the process name, that can be obtained through qXfer:exec-file:read request.
Duplicated program name in Modules window
As I noticed, IDA makes qXfer:exec-file:read to get the name of the running program. Let’s assume that the process name is c:\test.exe. This name is shown in Modules window without base address (ok, it’s not known by default). But if GDB stub provides program’s name in the loaded libraries like this:
<< from IDA
qXfer:libraries:read::0,1023
>> to IDA
l<library-list>
<library name="c:\windows\system32\win32u.dll"><segment address="0x100001000"/></library>
<library name="c:\test.exe"><segment address="0x140001000"/></library>
<library name="c:\windows\system32\ntdll.dll"><segment address="0x180001000"/></library>
</library-list>
then Modules window will contain duplicated entry for the program name:
Path Base Size
c:\windows\system32\win32u.dll 0000000100000000 0000000000022000
c:\test.exe 0000000140000000 0000000000009000
c:\windows\system32\ntdll.dll 0000000180000000 00000000001F8000
c:\test.exe
Some symbols disappear when using Load debug symbols in Modules window
Attach to a program. Load ntdll.dll symbols. Go to LdrLoadDll and find this line in its prolog:
mov rax, cs:__security_cookie
Then load symbols for another module. Look at LdrLoadDll’s prolog again and notice a missed name:
mov rax, cs:off_180184510
WOW64 debugging problems
When debugging WOW64 processes we have a mix of 64/32-bit modules. IDA does not respect module bitness. It loads all the modules as 64-bit. Moreover, if I manually set segment bitness (Alt-S) for such a module to 32-bit, IDA can revert it back to 64-bit during program execution (I think it depends on other module loading).