Skip to content

Remote Debugging

Support Status

Right now, we support Windows remote debugging from Windows, and Linux/macOS remote debugging from all platforms. Remote debugging of Windows executable from Linux/macOS is a planned feature.

We also support gdbserver/lldb-server remote debugging from all platforms. Currently, the gdbserver support is limited to remote android debugging, and support for other targets, e.g., qiling, VMWare, QEMU, etc., will be added later.

Target 🔽 Host ▶️ macOS Linux Windows
macOS / Yes Yes
Linux Yes / Yes
Windows Planned Planned /
GDB Server Yes Yes Yes
LLDB Server Yes Yes Yes

Debug Server v.s. Remote Process

There are two types of remote debugging, i.e, via a debug server, or a remote process.

A remote process is straight-forward -- it is a process that runs on the remote host. The debugger connects to it and then debugs it. If you have used gdbserver or debugserver previously, you probably already know about it.

A debug server is a server that runs on the remote host. The debugger connects to it and can instruct the debug server to launch a proces as needed. Then the debugger can connect to the running process and debug it. One advantage of using a debug server is that the user does not need to access the remote host to launch the target repeately -- it can be done within the debugger. Moreover, a debug server often offers more functionalities than launching a remote process. For example, the lldb-server supports reading and writing the remote file system, as well as executing shell commands on the remote host.

We recommend using debug server whenever possible and only use the remote process as a backup.

For now, DbgEng adapter supports debug server, and LLDB adapter supports both debug server and remote process.

Preparing Remote Host

Windows

  • Download and extract debugger-win32.zip
  • Find the plugins/dbgeng folder in it
  • If you wish to debug a x64 program, copy the amd64 folder to the remote host.
  • If you wish to debug a x86 program, copy the x86 folder to the remote host.
  • There should be a dbgsrv.exe folder you just copied.

macOS

  • Download and extract debugger-darwin.zip.
  • Find the lldb folder at debugger-darwin/plugins/lldb and copy it to the remote host.
  • Note, the entire lldb folder must be copied. Only copying the lldb-server or debugserver executable does not work.

Linux

There are two ways to prepare a Linux remote host, i.e., using lldb-server (recommended) or using gdbserver.

  • Download and extract debugger-linux.zip.
  • Find the lldb folder at debugger-linux/plugins/lldb and copy it to the remote host.
  • Note, the entire lldb folder must be copied. Only copying the lldb-server executable does not work.
  • One can also use the lldb-server or gdbserver that comes with the host system's Linux distribution. However, that might cause compatability issues.

gdbserver

Install the gdb using the system package manager, e.g., sudo apt install gdbserver.

iOS

Setting up an iOS device or emulator for debugging is challenging. A step-by-step guide is out of scope here. We assume the user is familiar with the setup, or already having a proper setup that works with lldb.

We will provide a detailed guide on this later.

The high level steps are:

  • Extract the debugserver executable from the developer disk image that comes with the XCode.
  • Sign it with a proper entitlements plist to enable it to debug all processes.
  • Upload the signed debugserver to the remote system.

Android

Setting up an Android device or emulator for debugging requires a few steps. A step-by-step guide is out of scope here. We assume the user is familiar with the setup, or already having a proper setup that works with gdb.

We will provide a detailed guide on this later.

The high level steps are:

  • Install the Android NDK
  • Find the gdbserver or gdbserver64 executable in NDK
  • Upload it to the remote host

Launching the Debug Server or Remote Process

Windows

To start a remote debugging session, first launch the dbgsrv.exe on the remote machine.

  • First determine whether the target is x64 or x86. If the target is x64, then use the dbgsrv.exe in the x64 DbgEng installation folder. If the target is x86, then use the dbgsrv.exe in the x86 DbgEng installation folder. If the version of dbgsrv.exe does not match the target, the debugger will behave unexpectedly.
  • Launch the dbgsrv by running dbgsrv.exe -t tcp:port=<PORT>,server=<IP_ADDRESS>, where IP_ADDRESS:PORT is the IP and port the Binary Ninja will connect to. For example, dbgsrv.exe -t tcp:port=12345,server=192.168.72.25. Note, the server= part cannot be omitted.
  • If this is done for the first time, the Window firewall will pop up a confirmation dialog. Allow the operation.
  • If the operation succeeds, the dbgsrv.exe will keep running in the background. If any error occurs, it will show a message box.

macOS

Debug Server

  • cd debugger-darwin/plugins/lldb
  • ./lldb-server p --server --listen 0.0.0.0:31337

Specifying 0.0.0.0 instructs lldb-server to listen on all interfaces. You can also specify a particular IP address of an interface.

Remote Process

  • cd debugger-darwin/plugins/lldb
  • To launch a new process, run ./debugserver 0.0.0.0:31337 /path/to/helloworld foo bar, where /path/to/helloworld is the path of the executable, and foo bar are two arguments.
  • To attach to a running process by PID, run ./debugserver 0.0.0.0:31337 --attach=1234, where 1234 is the PID of the target process.

Linux

Debug Server (LLDB)

  • cd debugger-linux/plugins/lldb
  • ./lldb-server p --server --listen 0.0.0.0:31337

Specifying 0.0.0.0 instructs lldb-server to listen on all interfaces. You can also specify a particular IP address of an interface.

Remote Process (LLDB)

  • cd debugger-linux/plugins/lldb
  • To launch a new process, run ./lldb-server g 0.0.0.0:31337 -- /path/to/helloworld foo bar, where /path/to/helloworld is the path of the executable, and foo bar are two arguments.
  • To attach to a running process by PID, run ./lldb-server g 0.0.0.0:31337 --attach 1234, where 1234 is the PID of the target process.

Debug Server (GDB)

gdbserver can work as a debug server as well.

  • gdbserver --multi 0.0.0.0:31337

Remote Process (GDB)

One can also use gdbserver to launch or attach to a remote process. Since the version of gdbserver varies, there might be compatability issues, though.

  • To launch a new process, run gdbserver 0.0.0.0:31337 -- /path/to/helloworld foo bar, where /path/to/helloworld is the path of the executable, and foo bar are two arguments.
  • To attach to a running process by PID, run gdbserver 0.0.0.0:31337 --attach 1234, where 1234 is the PID of the target process.

iOS

  • ssh into the remote host
  • To launch a new process, run ./debugserver 0.0.0.0:31337 /path/to/helloworld foo bar, where /path/to/helloworld is the path of the executable, and foo bar are two arguments.
  • To attach to a running process by PID, run ./debugserver 0.0.0.0:31337 --attach=1234, where 1234 is the PID of the target process.
  • Targets launched/attached by debugserver are considered remote process. Follow the Connecting to a Remote Process section to connect to it.

Android

  • ssh into the remote host
  • To launch a new process, run gdbserver 0.0.0.0:31337 -- /path/to/helloworld foo bar, where /path/to/helloworld is the path of the executable, and foo bar are two arguments.
  • To attach to a running process by PID, run gdbserver 0.0.0.0:31337 --attach 1234, where 1234 is the PID of the target process.
  • Targets launched/attached by gdbserver are considered remote process. Follow the Connecting to a Remote Process section to connect to it.

Connecting to a Debug Server (DBGENG Adapter)

Now, connect to a debug server in Binary Ninja using DbgEng adapter.

  • Open the binary you wish to debug
  • Click "Debugger" -> "Connect to Debug Server" in the main window menu bar
  • In the dialog, type in the IP and port to connect to:

  • Click Accept. A message box will show up if the connection is successful.
  • Now one can launch the target in the same way as local debugging. However, since the path of the executable on the remote machine is very likely to be different from the path on the local machine. We need to specify its path.
  • Click "Debugger" -> "Launch/Connect Settings" in the main window menu bar

  • Specify the executable path on the remote machine
  • Launch the target

One can also attach to a process running on the remote machine via its PID. In that case, there is no need to specify the executable path.

When connected to the debug server, the debugger can launch the executable multiple times using the same connection. There is no need to relaunch and reconnect to the debug server after the target exits.

To disconnect from the debug server, click "Debugger" -> "Disconnect from Debug Server". After that, if we launch the target, it will execute on the local machine. Be careful!

Connecting to a Debug Server (LLDB Adapter)

Connecting to a debug server using LLDB adapter is slightly different from using DbgEng adapter.

  • Open the binary you wish to debug
  • Click "Debugger" -> "Connect to Debug Server" in the main window menu bar
  • In the dialog, type in the IP and port to connect to:

  • There is a Platform dropdown menu. We need to select an appropriate platform so that LLDB can work properly:

If the remote host is a macOS system, select remote-macosx. If the remote host is a Linux system, select remote-linux. If the remote host is a gdbserver with --multi command line option, select remote-gdb-server. Note, despite that there exists an remote-windows entry, LLDB's debug server does not work on Windows at the moment.

  • Click Accept. A message box will show up if the connection is successful.
  • Open the Debug Adapter Settings dialog, and set the Working Directory to the remote directory that you wish to launch the process in. Do not leave the path unchanged since it will then be a local path, and there will be an error during launch.
  • Do NOT change the Executable Path to a remote path. Set it to the local path where the executable is in. During launch, LLDB will copy the executable to the remote host, put it in the working directory we supplied above, and launch it. Setting a remote path here will cause errors. LLDB is smart enough to check the hash of the file so that it will only copy the file once.
  • Launch the target

One can also attach to a process running on the remote machine via its PID. In that case, there is no need to change the current working directory.

When connected to the debug server, the debugger can launch the executable multiple times using the same connection. There is no need to relaunch and reconnect to the debug server after the target exits.

To disconnect from the debug server, click "Debugger" -> "Disconnect from Debug Server". After that, if we launch the target, it will execute on the local machine. Be careful!

Connecting to a Remote Process

  • Open the binary you wish to debug
  • Click "Debugger" -> "Connect to Debug Server" in the main window menu bar
  • In the dialog, type in the IP and port to connect to:

  • For the Plugin dropdown menu, select gdb-remote or debugserver/lldb accordingly.
  • Click Accept.