Connect to an lldb/gdb server

[NeoZ16]

I'm trying to use the debugger to connect to an lldb or gdb server.
Does not really matter which one at the moment.
Server is running in a Android VM and connecting with a lldb or gdb session does work.

I tried using the local agent via GADP/TCP option with the Agent interface adress and Agent TCP port set to the values that I used for testing if connecting works at all.
But this does not work. Even if I do not start the remote server it crashes with this message: Could not connect: java.lang.RuntimeException: Agent terminated with error: (DebuggerConnectDialog).
I feel like I'm misunderstanding something here. Is connecting to a debugging server even possible?

[d-millar]

@NeoZ16 It is possible, but not in the way that you're attempting. The option names confuse a lot of people, and we're open to suggestions as to how to make it clearer if you have any....

So, just by way of background, the purpose of the GADP agents is two-fold: (1) to prevent crashes in the native debugger clients from taking down the Ghidra Java VM, and (2) to enable scenarios where the host platform on which you're running Ghidra proper does not support the native libraries required by the debugger. For example, you could run Ghidra locally on a macos host and connect to a Ghidra agent that wraps the dbgeng API on a remote Windows machine.

Your scenario is not actually that. Why - because the lldb or gdb server you're starting up in the Android VM does not speak GADP, which is our custom protocol. Gdbserver, the lldb debugserver, and lldb-server all speak variants of Remote Serial Protocol (RSP), a protocol developed originally for gdb only but adopted by various platforms. We have atttempted direct comms using RSP in the past, but that road is fraught with peril to say the least. RSP is basically a suggestion, not a standard, and the variations in its implementation make direct RSP comms unmanageable.

That said, you have several options that should work, although I will caveat this with the comment that many of the lldb options, in particular, have bugs in the current release. You may be better off building from source if that is an option.

So,options:
(1) for gdb, use the Targets window to start a gdb session. (IN-VM is the slightly less complicated and possibly more performant option if you're not worried about crashing your VM.) This should launch an Interpreter window. From there, use the normal CLI for a remote connection, e.g. "target remote host:port". Make sure when you connect that the Targets dialog is pointing to a version of gdb that supports Android, e.g. gdb-multiarch or the equivalent.
(2) for lldb, use the Targets windows to start lldb, open the Connector node in Objects, select "Connect to server", and then launch using the "Launch (X)" button. If "Auto" is selected in that dialog, lldb will attempt to use the host and port specified to connect immediately. Alternatively, leave it unselected, wait for the Intepreter window to open, and issue the command "gdb-remote host:port". NB: the state upon connect may be a little weird. You may need to try setting the "Async" button on or off, you may need to send an interrupt after connecting, and you may need to "Force all memory" from the Regions window to get the Dynamic View to work.
(3) if you have a variant of gdb that you know connects correctly to your target, you can use "gdb vis ssh" to launch an instance of that gdb without the need for a intervening Ghidra agent, and then connect via "target remote".

We have done some preliminary work on a JDWP client for Dalvik, but it's definitely in need of some care and feeding, so caveat emptor there.

Let us know if you run into trouble with any of the above. We're interested in this as a use case and eager to iron out bugs.

[NeoZ16]

@d-millar
First of all thanks for the quick answer! Now it works perfectly fine! If I run into any crashes or bugs I'll let you know.
I'll probably try lldb first and if that is to buggy switch to gdb.

As for the names, yes I think that I was confused me.
The IN-VM option made it sound to me as if it somehow just used a gdb instance IN-VM to debug it on the local machine. But I'm really not sure how this could be changed for more clarity.
Maybe the GADP/TCP options could be a bit more detailed, that they connect against another server that runs GADP.

I just reread the documentation and if I would've read it a little bit more carefully I think I could've avoided that mistake.
It might be a good idea to explain the different options and what they do in the documentation?

Also maybe having some example that shows the how using the IN-VM option and the interpreter could help. Maybe I overlooked it, but I couldn't really find any examples or tutorials for this.

[d-millar]

Agreed - the docs could definitely stand more detailed examples. Appreciate the feedback!

[NeoZ16]

@d-millar
Hey I was just playing around a bit and apparently if I try to start an IN-VM lldb session, I get the following exception:

Could not initialize class jdk.proxy2.$Proxy52
java.lang.NoClassDefFoundError: Could not initialize class jdk.proxy2.$Proxy52
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1053)
	at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1039)
	at ghidra.util.datastruct.ListenerMap.<init>(ListenerMap.java:212)
	at ghidra.util.datastruct.ListenerSet$1.<init>(ListenerSet.java:59)
	at ghidra.util.datastruct.ListenerSet.<init>(ListenerSet.java:59)
	at ghidra.util.datastruct.ListenerSet.<init>(ListenerSet.java:49)
	at agent.lldb.manager.impl.LldbManagerImpl.<init>(LldbManagerImpl.java:96)
	at agent.lldb.manager.LldbManager.newInstance(LldbManager.java:58)
	at agent.lldb.model.impl.LldbModelImpl.<init>(LldbModelImpl.java:70)
	at agent.lldb.LldbInJvmDebuggerModelFactory.build(LldbInJvmDebuggerModelFactory.java:41)
	at ghidra.app.plugin.core.debug.service.model.DebuggerConnectDialog.connect(DebuggerConnectDialog.java:242)
	at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)
	at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)
	at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
	at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
	at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
	at java.desktop/java.awt.Component.processMouseEvent(Component.java:6626)
	at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)
	at java.desktop/java.awt.Component.processEvent(Component.java:6391)
	at java.desktop/java.awt.Container.processEvent(Container.java:2266)
	at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
	at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
	at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
	at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
	at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:746)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:744)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:743)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:117)
	at java.desktop/java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:191)
	at java.desktop/java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:236)
	at java.desktop/java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:234)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
	at java.desktop/java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:234)
	at java.desktop/java.awt.Dialog.show(Dialog.java:1080)
	at java.desktop/java.awt.Component.show(Component.java:1728)
	at java.desktop/java.awt.Component.setVisible(Component.java:1675)
	at java.desktop/java.awt.Window.setVisible(Window.java:1036)
	at java.desktop/java.awt.Dialog.setVisible(Dialog.java:1016)
	at docking.DockingDialog.setVisible(DockingDialog.java:353)
	at docking.DockingWindowManager.lambda$doShowDialog$6(DockingWindowManager.java:1769)
	at ghidra.util.Swing.doRun(Swing.java:292)
	at ghidra.util.Swing.runNow(Swing.java:208)
	at ghidra.util.Swing.runNow(Swing.java:163)
	at docking.DockingWindowManager.doShowDialog(DockingWindowManager.java:1773)
	at docking.DockingWindowManager.showDialog(DockingWindowManager.java:1722)
	at docking.AbstractDockingTool.showDialog(AbstractDockingTool.java:158)
	at ghidra.app.plugin.core.debug.service.model.DebuggerModelServicePlugin.doShowConnectDialog(DebuggerModelServicePlugin.java:694)
	at ghidra.app.plugin.core.debug.service.model.DebuggerModelServiceProxyPlugin.showConnectDialog(DebuggerModelServiceProxyPlugin.java:273)
	at ghidra.app.services.DebuggerModelService.showConnectDialog(DebuggerModelService.java:357)
	at ghidra.app.plugin.core.debug.gui.target.DebuggerTargetsProvider$ConnectAction.actionPerformed(DebuggerTargetsProvider.java:110)
	at docking.menu.ToolBarItemManager.lambda$actionPerformed$0(ToolBarItemManager.java:129)
	at java.desktop/java.awt.event.InvocationEvent.dispatch$$$capture(InvocationEvent.java:318)
	at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:771)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:741)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

---------------------------------------------------
Build Date: 2022-Nov-15 1249 EST
Ghidra Version: 10.2.2
Java Home: /usr/lib/jvm/java-17-openjdk-amd64
JVM Version: Private Build 17.0.5
OS: Linux 5.19.0-29-generic amd64

Any idea what the reason for this could be?

[d-millar]

@NeoZ16 Hmmm, that's almost but not quite the error in #4884. Did you get any errors during the swig build process (see Ghidra/Debug/Debugger-swig-lldb/InstructionsForBuildingLLDBInterface.txt)?

[NeoZ16]

@d-millar Im not building myself. I downloaded 10.2.2 from the GitHub Release.

[d-millar]

@NeoZ16 For lldb to work, you HAVE to build the code yourself unless your version is an exact match for the liblldb.dylib and lldb installed on your box.

[d-millar]

more specifically, you have to run "gradle generateSwig" and "gradle build" in Ghidra/Debug/Debugger-swig-lldb after setting the relevant environment variables.

[NeoZ16]

@d-millar
Now I'm trying to build it by myself. My LLVM_HOME points to /usr/lib/llvm-15 which was installed via apt. I cloned the project from GitHub and started with gradle -I gradle/support/fetchDependencies.gradle init .
When I run gradle generateSwig I get following error:

> Configure project :
OS: Linux
Arch: amd64 (gradle: x86-64)
Using platform: linux_x86_64

> Task :Debugger-swig-lldb:generateSwig FAILED
Debugger-swig-lldb: using LLVM_HOME=/usr/lib/llvm-15
/ghidra/ghidra/Ghidra/Debug/Debugger-swig-lldb/src/llvm-project/lldb/bindings/java/java.swig:13: Error: Unable to find 'macros.swig'
/ghidra/ghidra/Ghidra/Debug/Debugger-swig-lldb/src/llvm-project/lldb/bindings/java/java.swig:14: Error: Unable to find 'headers.swig'
/ghidra/ghidra/Ghidra/Debug/Debugger-swig-lldb/src/llvm-project/lldb/bindings/java/java.swig:21: Error: Unable to find 'interfaces.swig'

FAILURE: Build failed with an exception.

* Where:
Script '/ghidra/ghidra/Ghidra/Debug/Debugger-swig-lldb/buildNatives.gradle' line: 41

[d-millar]

@NeoZ16 Apologies - I definitely need to learn to be more explicit in my answers....

First off, you do NOT need to rebuild Ghidra from source to get the lldb interface working, but you DO need to build the JNI wrapper, i.e. you need to build the portion of Ghidra that lives in Ghidra/Debug/Debugger-swig-lldb. That said, if you wish to build Ghidra from source, I would do that first, i.e. don't set LLVM_HOME, run "gradle -I gradle/support/fetchDependencies init", run "gradle build", and make sure everything else is working first.

Before building the lldb piece, I would also recommend reading the InstructionsForBuildingLLDBInterface.txt file a couple of times (it's a little confusing) and maybe looking through some of the relevant posts in Issues and Discussions, e.g. #4937.

To your specific case, LLVM_HOME needs to be set to the source repository for lldb. You do NOT have to build llvm/lldb, but I would highly recommend cloning the relevant repos, checking out "release/14.x", and setting LLVM_HOME to the root of that project. LLVM_BUILD can point either to a local build of lldb or any install via apt or brew, but should be where "lib/liblldb.so" or "lib/liblldb.dylib" lives. JAVA_HOME, of course, should point to where Java lives, on Linux typically something like "/usr/lib/jvm/java-17-openjdk-amd64", i.e. it contains "bin/java".

Once you have the env variables set, you need to run "gradle generateSwig", copy or move the resulting files per the instructions (depending on whether you're in a distro or source), and the "gradle build".

Let us know if you get stuck!

[NeoZ16]

@d-millar
I actually did not know that there were instructions for that, but it was quite easy the follow them!

So the library is compiled now and I actually got the IN-VM lldb session.
I tried to Connect to server as described by you in an earlier answer.

(2) for lldb, use the Targets windows to start lldb, open the Connector node in Objects, select "Connect to server", and then launch using the "Launch (X)" button. 

But this option does not even show for me. Is this a version problem? (I'm still using build 10.2.2 downloaded from the releases page.)

[d-millar]

@NeoZ16 Hmmm, yes, I had thought the option made it into 10.2.2, but apparently not. 10.2.3 is imminent (for some definition of imminent), or, if you're feeling brave, you can build from Ghidra from the current source (which has the option added). The big issue is that, unlike with gdb, you have to do a little finagling to get the Interpreter started for a remote connection, and without that you have no way of starting the connection. If you want to go the build route, the instructions on the GitHub page are pretty straightforward - certainly clearer than the SWIG instructions which you've already survived! :)

[d-millar]

sigh - I think I was wrong about the changes making it into 10.2.3. You may have to try the source.

[NeoZ16]

Ok thanks, then I'll probably try and do that!

[d-millar]

Just to confirm, 10.2.3 won't resolve the problem (10.3 should, but...). You will probably have to build from source to get the benefit of recent changes. This is pretty straightforward, but yell if you get stuck.

[d-millar]

Hmmmm, not sure I've ever seen that, so no quick answer, but a few points to keep in mind:

(1) Both lldb and gdb statically link to the python libraries when they're compiled, so you have to use the version of python they were built with. For the current CLion, I believe that's 3.10.7, but you can check it by starting up lldb and issuing the commands: "script", "import sys", and "sys.version".

(2) The CLion version of lldb does not appear to support either "pip" or loading python classes from PYTHONPATH. I believe the only other alternative is to put the relevant modules in your path. It probably also makes sense to do this with python itself. I have not used "settings set plugin.python executable" and really have no sense of how lldb finds libraries if you go that route.

(3) Am assuming your target is 32-bit from the various refs above - if not, using the 32-bit debuggers will be a problem.

(4) What version of protobuf did you install? Per our instructions, it has to be 3.20.3.

[bukowa]

Thanks for detailed explanation, thing learned.
I tried with 3.20.3 everything is for 32bit yes.
It's the same error.

And yes lldb shipped with python and all the other libs they were just in different path.
I copied everything into one new dir alongside the python packages.

[d-millar]

Hmmm, well, not sure if you've tried this yet, but maybe, as a sanity check, try debugging a relatively mundane 64-bit process, like, say, notepad.exe.

[bukowa]

I just compiled 32bit of my executable and yes indeed I am connected to the debugger.
I will try reinstalling and starting clean.

[d-millar]

The error suggests you're timing out on the connection back to Ghidra, i.e. "ghidra trace connect" is failing. At a guess, this is because "target create" is failing. If you launch TaskManager or the equivalent, are you seeing your target in the process list? Also, if you aren't already, use "support/ghidraDebug.bat" in place of "ghidraRun.bat" and see if there anything suggestive of an error in the terminal.

[bukowa]

I created a fresh install copied all libraries and it's all working now by default. I think the root problem (beside my lack of knowledge in the topic) was that Ghidra did not propagate the error message box from lldb.exe about missing python <- I never tried executing it as standalone before - assuming Ghidra is smart enough to tell me there was error with the lldb.exe.

With all the libraries copied lldb.exe runs just fine. But there's another problem which is:

• the application hangs with error in the same place that x32dbg does, but strange that lldb from CLion doesn't have such problem, maybe it's some kind of anti debugging mechanism

* thread #1, name = 'MainThrd', stop reason = Exception 0xc0000005 encountered at address 0x570b0d99: Access violation reading location 0x00000010
    frame #0: 0x77681b03 ntdll.dll`LdrInitShimEngineDynamic + 1763

[d-millar]

Maybe. Without the actual executable, would be hard for me to tell. You're getting an access violation, presumably dereferencing a null pointer. LdrInitShimEngineDynamic is frequently used to trap on library accesses, e.g. CreateRemoteProcess or LoadLibrary, so could very well be and anti-debugger thing. If you can locate the call in the target, you could try nop'ing it out, but....

[bukowa]

Ok thank you for the follow ups

[bukowa]

Well I don't know what's going on but yet again I have the same problem :) Even with the "normal" applications. Something is odd here

[d-millar]

What does "normal" mean here? notepad.exe? self-compiled example code? 64-bit / 32-bit? LLVM lldb or CLion lldb?

[bukowa]

I keep receiving this error even with notepad.exe. I wonder if this is hardware related error.
32bit self compiled example
llvm lldb
here with notepad.exe

* thread #1, stop reason = Exception 0x80000003 encountered at address 0x77901b02
    frame #0: 0x77901b03 ntdll.dll`LdrInitShimEngineDynamic + 1763
ntdll.dll`LdrInitShimEngineDynamic:

Edit: This is a breakpoint exception right? 0x80000003

[d-millar]

Hmmmm, that’s a 32-bit address in notepad.exe. Do you have a 32-bit version of notepad.exe or are you debugging notepad with the 32-bit version of LLVM’s lldb. Also, 0x80000003 is a breakpoint. If you resume, what happens?

[bukowa]

Yes its 64bit notepad.
I guess it's normal because it happens only when I set --stop-at-entry the program breaks as the exception indicates.
I can continue - but I think here the misunderstanding comes in - it requires additional ENTER in the lldb.exe terminal window inside ghidra for the application to be responsive again. I wonder, if other / better debugger is recommended to work in Windows.

[d-millar]

Not sure I understand what you mean by an additional ENTER in the terminal, I’m afraid. The normal behavior for “—stop-at-entry” would be the process breaks at the initial breakpoint. You hit the resume button or “continue” in the terminal, and notepad is now running. To resume activity in the debugger, you’ll need to hit break.

And, yes, any other debugger is a better choice in Windows. The obvious choice would be to use windbg or from Ghidra dbgeng.

[bukowa]

And, yes, any other debugger is a better choice in Windows. The obvious choice would be to use windbg or from Ghidra dbgeng.

I suppose... let me try... 🔢

[d-millar]

Re breakpoints, it appears that you have 5 sessions running simultaneously. This is not a good idea. From the Connections window, I would “Close all” and start again. With 5 sessions running, you have very little idea which ones are active and which have died.

[bukowa]

I went into documentation but my dbgeng is grayed out, so the next step is to figure out why?

[d-millar]

Do you have the WIndows SDK (i.e. the debugger) installed?

[bukowa]

You can't install

$ pip install pywin32==306
ERROR: Could not find a version that satisfies the requirement pywin32==306 (from versions: 307, 308)

[bukowa]

From dist

$ pip install Debugger-agent-dbgeng/pypkg/dist/pywin32-306-cp312-cp312-win_amd64.whl

[notice] A new release of pip is available: 24.3.1 -> 25.0.1
[notice] To update, run: python.exe -m pip install --upgrade pip
ERROR: pywin32-306-cp312-cp312-win_amd64.whl is not a supported wheel on this platform.

[bukowa]

It's running! But requires pybag 2.2.12

dshikashio/Pybag@2.2.12...2.2.14

ghidra/Ghidra/Debug/Debugger-rmi-trace/src/main/help/help/topics/TraceRmiLauncherServicePlugin/TraceRmiLauncherServicePlugin.html

Line 739 in 684ed5e

python3 -m pip install pybag protobuf==3.20.3

ghidra/GhidraDocs/InstallationGuide.md

Line 165 in 684ed5e

* Pybag>=2.2.10 (for WinDbg support)

[bukowa]

I wonder how do i deal with missing windows .dll symbols like ntdll.dll ?

[bukowa]

It's so painful Ghidra doesn't properly remember debugging targets ... and when editing .bat you just can't properly escape full paths... it's so painful experience

[d-millar]

Apologies re 2.212, pybag was upgraded right before the release and the fix apparently did not make it in. The version in master will work with 2.2.14. I’m a little confused about the pywin32 requirement - my recollection is that replaces win32 and is only needed by 2.2.14. Will look into that tomorrow.

Re symbols, they can be downloaded from Microsoft directly, but do you need them?

Sorry this has been so traumatic - it really shouldn’t have been, and I feel your pain. We moved to the python model because of all the insanity involved with JNI, but we’ve definitely traded one version of insanity for another. Your patience and help hunting down bugs is greatly appreciated.

[d-millar]

So, normally, if the launch succeeds, all the parameters are saved in the program database for that program. Do you have a program loaded in the Static Listing window? The fact that you had to delete the “image-opt env” line suggests you do not (which would account for the options being greyed out). If you don’t have a program, the debugger effectively has no place to save the settings.

Re escaping, the same tricks from the local-lldb.bat may work. (Yours is the first time oddly we’ve hit this.) In particular, you may combinations of single and double quotes. I have to crash now, but will tackle this first thing in the morning.

[bukowa]

I will share my opinion:

So, normally, if the launch succeeds, all the parameters are saved in the program database for that program.

• This is problematic, you can encounter many problems when debugging and have to retype everything.
• It's not good that Ghidra decides for the user. It should be up to me to decide with save as button.
• How do I delete the ones that I don't longer need from the menu? Right clicking just starts a new session.
• How do type a name for it so I am not confused which configuration to run?

The fact that you had to delete the “image-opt env” line suggests you do not (which would account for the options being greyed out

• I don't understand why Ghidra does it like that it's super confusing.
• Even you were confused about missing dlls.

If you don’t have a program, the debugger effectively has no place to save the settings.

• How would I know?

Ghidra has already this functionality from scripts that can put stuff into the menu
//@menupath Tools.Ghidra Analyze.WindowsPropagateExternalParams

• This window could have these buttons like:
  • right click on the ... next to input:
    • show sub menu options
      • fill current program executable
      • fill other project executable (here list submenu)
      • fill recently used paths
      • help menu with links to download?
        • windbg
        • lldb
        • ...
  • extra buttons like:
    • save as

Same window should be reused for renaming existing entries.

[bukowa]

Hmmm I don't know how do I pass -c ".effmach x86" to windbg

[bukowa]

Seems like the correct path to debugger may be C:\Program Files (x86)\Windows Kits\10\Debuggers

[bukowa]

But this error?

C:\Program Files (x86)\Windows Kits\10\Debuggers\x86

  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\venv\Lib\site-packages\pybag\__init__.py", line 48, in <module>
    ctypes.windll.LoadLibrary(os.path.join(dbgdir, 'dbghelp.dll'))
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\users\buk\appdata\local\programs\python\python313\Lib\ctypes\__init__.py", line 471, in LoadLibrary
    return self._dlltype(name)
           ~~~~~~~~~~~~~^^^^^^
  File "C:\users\buk\appdata\local\programs\python\python313\Lib\ctypes\__init__.py", line 390, in __init__
    self._handle = _dlopen(self._name, mode)
                   ~~~~~~~^^^^^^^^^^^^^^^^^^
OSError: [WinError 193] %1 is not a valid Win32 application
>>>

[d-millar]

Re "-c", the windbg command line options are not exposed (AFAICT) in the dbgeng API. The easiest thing to do is put them in a startup script and execute this from the terminal.

Re "correct path", close - C:\Program Files (x86)\Windows Kits\10\Debuggers\x64, I believe.

[bukowa]

If I am debugging 32 bit, what is the correct way here?

[bukowa]

When using x64 as you suggested indeed works but debugger often hangs at wow64.dll and trying to resume just loops there again. There are also exceptions:

Error caused by front end
Traceback (most recent call last):
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-rmi-trace\pypkg\src\ghidratrace\client.py", line 65, in _handle_invoke_method
    result = self.client._handle_invoke_method(request)
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-rmi-trace\pypkg\src\ghidratrace\client.py", line 1146, in _handle_invoke_method
    return method.callback(**kwargs)
           ~~~~~~~~~~~~~~~^^^^^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\methods.py", line 274, in refresh_registers
    tnum = find_thread_by_regs_obj(node)
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\methods.py", line 140, in find_thread_by_regs_obj
    return find_thread_by_pattern(REGS_PATTERN0, object, "a RegisterValueContainer")
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\methods.py", line 127, in find_thread_by_pattern
    find_proc_by_num(pnum)
    ~~~~~~~~~~~~~~~~^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\methods.py", line 72, in find_proc_by_num
    if id != util.selected_process():
             ~~~~~~~~~~~~~~~~~~~~~^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\util.py", line 292, in _func
    return self.run(func, *args, **kwargs)
           ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\util.py", line 261, in run
    return future.result(0.5)
           ~~~~~~~~~~~~~^^^^^
  File "C:\users\buk\appdata\local\programs\python\python313\Lib\concurrent\futures\_base.py", line 449, in result
    return self.__get_result()
           ~~~~~~~~~~~~~~~~~^^
  File "C:\users\buk\appdata\local\programs\python\python313\Lib\concurrent\futures\_base.py", line 401, in __get_result
    raise self._exception
ghidradbg.util.DebuggeeRunningException: Debuggee is Running

[d-millar]

I haven't tried debugging on Windows using the x86 debugger for x86 targets in quite a while. Have a meeting to go to now, but will try it out after. The stack trace above will always occur if you attempt anything in the GUI that triggers a refresh while the process is running. When you say, "hangs in wow64.dll" are you hitting an exception? I guess I'm not entirely sure what that means.

[bukowa]

ghidradbg.util.DebuggeeRunningException: Debuggee is Running

Could this exception indicate this? Just idea!

"hangs in wow64.dll"

It's first place where breakpoint is hit, but trying to resume just loops over the .dll.
It's probably due to my lack of understanding of what is going on here. I don't know what really is the wow64.dll and what does it want from me :D

ModLoad: 00007ff8`fba70000 00007ff8`fbc68000   ntdll.dll
ModLoad: 00000000`779c0000 00000000`77b64000   ntdll.dll
ModLoad: 00007ff8`fb9d0000 00007ff8`fba29000   C:\Windows\System32\wow64.dll
ModLoad: 00007ff8`fa940000 00007ff8`fa9c3000   C:\Windows\System32\wow64win.dll
(5d94.3824): Break instruction exception - code 80000003 (first chance)

[d-millar]

To your longer list of observations, I agree on some; others are a little more problematic. I am reminded of the words of a salesman in Akihabara who, when asked why the Japanese version of a camera had 200 buttons while the otherwise identical American version of the camera had 2, replied "Americans don't like buttons?".

Many of the things you've mentioned have been considered, but there always a trade-off. Tools occupy screen real estate, and real estate is limited. For every button, you add to the Toolbar, space for some other feature is removed. Similarly, while one might prefer a choice as to when your options gets saved, do you really want to hit "Save" every time?

Re saving parameters, I should have been a little clearer. The parameters are saved unless the start-up fails catastrophically. For instance, if I run dbgeng with "C\Windex\notepad.ex" and "Arguments: junk", after the launch fails, I can re-open the dialog and fix "C:\Windex\notepad.ex" to "C:\Windows\notepad.exe".

With respect to items in the launch menu, if you really want options not to appear in the "Configure and launch" menu, you can move them out of data/debugger-launchers. Similarly, if you want to customize them or add your own, these files are trivially editable. You can change the field label, the default value, the description, or the hover for any of the options. I do agree we should probably add documentation to this affect in the help. Right now, it's documented in GitHub in the GhidraClass under "B5-AddingDebuggers".

On your point regarding greyed out options, when the underlying API supports connecting without an executable, we do try to enable that. For instance, you can start any of the gdb options without an executable in the listing. The dbgeng API does not support this except when starting via "attach" or debugging a kernel. That said, we should change the behavior along the lines of lldb, i.e. bring up the dialog and allow the user to specify the target on -the-fly. I will put in a ticket for that.

Re "missing dlls", I'm not sure I understand the reference. If you have a chance, maybe more details on this?

As you've noted, the scripting API already has the ability to add menu options. If you're feeling motivated, send us a script with the adds you think would be helpful. If it seems generally useful, we'd definitely consider adding it to the distribution.

And, finally (I think - I've probably missed something), the current help does describe what you need for each launcher in the correspinding "Setup" section. I'm a little loath to include specifics like URLS for downloading as these vary over time and by platforms, but, if you have specific suggestions regarding these sections, send them our way!

[bukowa]

The parameters are saved unless the start-up fails catastrophically

That's great.

With respect to items in the launch menu, if you really want options not to appear in the "Configure and launch" menu, you can move them out of data/debugger-launchers.

I am trying to find where Ghidra saves the debugger configuration options it automatically saved.

As you've noted, the scripting API already has the ability to add menu options. If you're feeling motivated, send us a script with the adds you think would be helpful. If it seems generally useful, we'd definitely consider adding it to the distribution.

I have yet no idea about this part, I only seen it in the script manager. But ill consider later.

Re "missing dlls", I'm not sure I understand the reference. If you have a chance, maybe more details on this?

When asked about grayed out option you said, quote:

May have to think about this one - have only seen those grayed out when the requisite DLLs are missing.

[d-millar]

Ah, right! I missed the boat on that.

[d-millar]

OK, following up, I don't think using the x86 versions of the various dbgXXX.dll's is a good idea. The problem is that Java and pybag are going to load some of these before you get to the load corresponding to the entry in the startup dialog, and, if the versions are mismatched, well, things won't work and they won't work in ways that are completely non-obvious. I will think about a workaround (you could conceivably use windbg in client/server mode), but for now I would say stick to x64.

Wow.dll is essentially proxying the system calls for you, i.e. your target makes a 32-bit syscall and wow.dll converts it to the corresponding 64-bit call. In general, this should have very little affect on debugging the target. That said, it probably introduces an extra breakpoint on start-up, similar to the initial breakpoint for every debuggee. i.e. you'll hit 0x80000003, resume, hit 0x4000001f, resume, and then be running. If that's not the case for your executable, I'd be interested, although I can't say off the top of my head why that could happen.

If you want to disable the exception generally, that's do-able from the Terminal. This article does a better job than I could explaining how: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/controlling-exceptions-and-events

[bukowa]

Ok ill take a read - but generally - I must work with the native debugger on the module-level? Ex. I cannot tell Ghidra by right clicking on a module to ignore breakpoints inside this module ?

[bukowa]

If that's not the case for your executable, I'd be interested, although I can't say off the top of my head why that could happen.

I had to click "resume" in Ghidra many times (10+) before it continued loading other modules.
Other than that Ghidra does not notify me in any way after clicking resume that something is actually happening.
I just have to wait until I see that things changed in any of the windows to realize that we "resumed".

[bukowa]

Why I cannot set breakpoints - I get this exception?

Traceback (most recent call last):
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-rmi-trace\pypkg\src\ghidratrace\client.py", line 65, in _handle_invoke_method
    result = self.client._handle_invoke_method(request)
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-rmi-trace\pypkg\src\ghidratrace\client.py", line 1146, in _handle_invoke_method
    return method.callback(**kwargs)
           ~~~~~~~~~~~~~~~^^^^^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\util.py", line 292, in _func
    return self.run(func, *args, **kwargs)
           ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\util.py", line 261, in run
    return future.result(0.5)
           ~~~~~~~~~~~~~^^^^^
  File "C:\users\buk\appdata\local\programs\python\python313\Lib\concurrent\futures\_base.py", line 449, in result
    return self.__get_result()
           ~~~~~~~~~~~~~~~~~^^
  File "C:\users\buk\appdata\local\programs\python\python313\Lib\concurrent\futures\_base.py", line 401, in __get_result
    raise self._exception
ghidradbg.util.DebuggeeRunningException: Debuggee is Running

[d-millar]

Again, because the target is running. The dbgeng API does not allow you to set breakpoints while the target is running.

[bukowa]

if you attempt anything in the GUI that triggers a refresh while the process is running

Oh ok, so any command to debugger is a refresh.

[d-millar]

The buttons in the toolbar are enable/disabled based on the state of the target, and the state of each thread is listed in Threads. If you want to see the state in the Model Tree, you can also select "Show hidden". And the terminal does not display a prompt when the process is running.

Just to be clear, 0x4000001f from wow is an exception, not a breakpoint. Software breakpoints are generally module-specific. Hardware breakpoints are not. Exceptions are not module-specific, so you can set them off or on, but not on-by-module.

[bukowa]

That's not what that error is telling you - it's telling you the version of python gdb is using is not in the path.

[bukowa]

::@title gdb
::@image-opt env:OPT_TARGET_IMG
::@desc <html><body width="300px">
::@desc   <h3>Launch with <tt>gdb</tt></h3>
::@desc   <p>
::@desc     This will launch the target on the local machine using <tt>gdb</tt>.
::@desc     For setup instructions, press <b>F1</b>.
::@desc   </p>
::@desc </body></html>
::@menu-group local
::@icon icon.debugger
::@help TraceRmiLauncherServicePlugin#gdb
::@enum StartCmd:str run start starti
::@enum Endian:str auto big little
::@env OPT_TARGET_IMG:file="" "Image" "The target binary executable image"
::@env OPT_TARGET_ARGS:str="" "Arguments" "Command-line arguments to pass to the target"
::@env OPT_GDB_PATH:file="gdb" "gdb command" "The path to gdb. Omit the full path to resolve using the system PATH."
::@env OPT_START_CMD:StartCmd="starti" "Run command" "The gdb command to actually run the target."
::@env OPT_ARCH:str="auto" "Architecture" "Target architecture"
::@env OPT_ENDIAN:Endian="auto" "Endian" "Target byte order"


@echo off
set PYTHONPATH0=%GHIDRA_HOME%\Ghidra\Debug\Debugger-agent-gdb\pypkg\src
set PYTHONPATH1=%GHIDRA_HOME%\Ghidra\Debug\Debugger-rmi-trace\pypkg\src
IF EXIST %GHIDRA_HOME%\.git (
  set PYTHONPATH0=%GHIDRA_HOME%\Ghidra\Debug\Debugger-agent-gdb\build\pypkg\src
  set PYTHONPATH1=%GHIDRA_HOME%\Ghidra\Debug\Debugger-rmi-trace\build\pypkg\src
)
IF EXIST %GHIDRA_HOME%\ghidra\.git (
  set PYTHONPATH0=%GHIDRA_HOME%\ghidra\Ghidra\Debug\Debugger-agent-gdb\build\pypkg\src
  set PYTHONPATH1=%GHIDRA_HOME%\ghidra\Ghidra\Debug\Debugger-rmi-trace\build\pypkg\src
)
set PYTHONPATH=%PYTHONPATH1%;%PYTHONPATH0%;%PYTHONPATH%;C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\venv\Lib\site-packages

IF "%OPT_TARGET_IMG%"=="" (
  "%OPT_GDB_PATH%" ^
    -q ^
    -ex "set pagination off" ^
    -ex "set confirm off" ^
    -ex "show version" ^
    -ex "python import ghidragdb" ^
    -ex "set architecture %OPT_ARCH%" ^
    -ex "set endian %OPT_ENDIAN%" ^
    -ex "ghidra trace connect '%GHIDRA_TRACE_RMI_ADDR%'" ^
    -ex "ghidra trace start" ^
    -ex "ghidra trace sync-enable" ^
    -ex "set confirm on" ^
    -ex "set pagination on"
) ELSE (
  "%OPT_GDB_PATH%" ^
    -q ^
    -ex "set pagination off" ^
    -ex "set confirm off" ^
    -ex "show version" ^
    -ex "python import ghidragdb" ^
    -ex "set architecture %OPT_ARCH%" ^
    -ex "set endian %OPT_ENDIAN%" ^
    -ex "target exec "%OPT_TARGET_IMG%"" ^
    -ex "set args %OPT_TARGET_ARGS%" ^
    -ex "ghidra trace connect '%GHIDRA_TRACE_RMI_ADDR%'" ^
    -ex "ghidra trace start" ^
    -ex "ghidra trace sync-enable" ^
    -ex "%OPT_START_CMD%" ^
    -ex "set confirm on" ^
    -ex "set pagination on"
)

[bukowa]

Any chance to get lldb / gdb witch attach? Now after trying windbg I feel like ldb is much more responsive :D

[bukowa]

So the way to go now is providing empty image and typing the target exec <path> manually.
I am using gdb from msys2 mingw64 and to properly escape paths I have to type:

(gdb) target exec "C:/\Games/\some path - game 2\/game.exe" 

[bukowa]

Problem when executing gdb manually is that it doesn't show anything in this window (model is populated just fine)
(where lldb and windbg shows)

[d-millar]

Working on this as we speak....

Re gdb, it looks like spaces in the Image work fine, but not in Arguments. However, I can get args to work if we add two lines before the IF:

set OPT_TARGET_ARGS=%OPT_TARGET_ARGS:"=\"%
set OPT_TARGET_ARGS=%OPT_TARGET_ARGS:)=\)%

For exampe, I can launch windbg targetting windbg from gdb using:

Image: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe
Arguments: "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"

(Insanity noted.)

[bukowa]

Another issue with lldb - try with empty image

[bukowa]

gddb that works:

-ex "target exec 'C:/\Games/\some path- super/\game.exe'" ^

[bukowa]

gdb has a lot of these:

Thread 1 "MainThrd" received signal SIGSEGV, Segmentation fault.
0x6b240d99 in entry_point () from game.dll
Exception in batch operation: TraceRmiError('ghidra.app.plugin.core.debug.service.tracermi.TraceRmiHandler.InvalidObjPathError')
Exception in batch operation: TraceRmiError('ghidra.app.plugin.core.debug.service.tracermi.TraceRmiHandler.InvalidObjPathError')
Exception in batch operation: TraceRmiError('ghidra.app.plugin.core.debug.service.tracermi.TraceRmiHandler.InvalidObjPathError')
...
(gdb)

[d-millar]

hmmm, that looks like the process died, i.e. the InvalidObjPathError's a very likely a result of the SIGSEGV

[nsadeveloper789]

Nah. InvalidObjPathError is from trying to update an object's attributes (in Ghidra's database) before creating that object. I should probably have that error message include the path in question. This is one of those bugs that just keeps going away when we try to investigate....

[d-millar]

Re gdb, understood. Mingw doesn't implement "info proc modules" - try "Force Full View" from the Regions pull-down in the top right.

[bukowa]

Re gdb, understood. Mingw doesn't implement "info proc modules"

I am not sure about this one, it may be due to "attach" method.
When using lldb via attach <pid> it's the same problem.

[d-millar]

re set new-console on, there is an option for that. I forget where it is - a box referencing tty?

[bukowa]

re new-console from docs:

This is probably outdated as there's no checkbox I can see anywhere.

Inferior TTY: Depending on your target and/or personal preference, you may opt to separate the debugger's and the target's I/O.
 If you check this box, the launcher will use GDB's "set inferior-tty ..." command to direct the target's I/O to a second Terminal window.

[bukowa]

re escaping this seems like working also for empty image.

setlocal enabledelayedexpansion
-ex "target exec '!OPT_TARGET_IMG:\=\/!'" ^

[nsadeveloper789]

The "Inferior TTY" checkbox is available but only on Linux (and maybe macOS). On those systems, you can open a pty, and the child end gets a filename that you can then give to set inferior-tty. Windows has ConPTY, but I've not figured out how to open one of those with a name that I can hand over to set inferior-tty. I also don't know what sort of thing I'd set it to on Windows. I tried a named pipe once, but had no luck.... So this option is not outdated, but it is not available on Windows for the moment.

[d-millar]

Ah, this one I think I know off the top of my head....

If you leave the Image blank and run lldb (or run something and kill it), you'll get the Terminal and an entry in the Connections window, but basically nothing else. Then run "process attach --pid XYZZY" to attach. You''ll see the usual messages in the Terminal, but nothing else. Double-click the entry in Connections, double-click the noname node that appears. This should partially populate the Model Tree. Now, refresh Processes (right-click) and double-click one of the threads. Should bring you to an almost normal state. "Force Full View" again if you need to.

Yes, I realize this is a liitle crazy and certainly not obvious. The issue again surrounds another unfortunate trade-off. When you attach, the process stops but doesn't send any event we can trigger a refresh off of. There are workarounds, but most of the ones we've tried involve pushing refreshes on other events, which then slows down the normal behavior. sigh

[bukowa]

Ok... I tried and indeed it seems like working but modules are not populated for lldb this way?
I am going to pass on lldb again I guess.

gdb is the most promising one but these errors are kind of troubling

Exception in batch operation: TraceRmiError('ghidra.app.plugin.core.debug.service.tracermi.TraceRmiHandler.InvalidObjPathError')
(gdb) Python Exception <class 'gdb.MemoryError'>: Cannot access memory at address 0x0

And this one when trying to breakpoint on read

Traceback (most recent call last):
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-rmi-trace\pypkg\src\ghidratrace\client.py", line 65, in _handle_invoke_method
    result = self.client._handle_invoke_method(request)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-rmi-trace\pypkg\src\ghidratrace\client.py", line 1146, in _handle_invoke_method
    return method.callback(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\buk\Documents\Tools\GHIDRADEBUGGER\ghidra_11.3_PUBLIC\Ghidra\Debug\Debugger-agent-gdb\pypkg\src\ghidragdb\methods.py", line 608, in break_read_range
    gdb.execute(
gdb.error: Expression cannot be implemented with read/access watchpoint.
Watchpoint 3: -location *((char(*)[27]) 0x6bb2d070)

[d-millar]

OK, will put a ticket in for that one.

[nsadeveloper789]

Regarding each error mentioned:

1. InvalidObjPathError: Definitely an issue in our code somewhere. It is often precipitated by some other error, but it shouldn't be happening. If you have a dev repo, I can send you some patches to the Java code so that we can see what path(s) are causing the error. Otherwise, I'll update for next patch release, and we'll see next time we see. The error itself just means there's some node missing from the Model view. Without knowing the path, I can't tell whether or not it's an important one.
2. Cannot access memory at address 0x0 can be safely ignored. This can happen for a variety of reasons: a) The connector thinks pc or sp is in page 0, b) Your listing display briefly scrolls to page 0 (this can happen in the interim when Ghidra updates the ranges of viewable addresses), c) You have a watch that derefs some sub-expression whose address is in page 0, etc.
3. Expression cannot be implemented with read/access watchpoint: It might be a matter of the size. I'm not sure if that was based on your selection, or if it's the size of some code unit in the listing, but 27 is probably an issue. Does this error also get caught and displayed by Ghidra? (Either in an error/stacktrace dialog, or in the Debug Console?) Or does it only show in the Terminal? On x86, I'm pretty sure the size has to be between 1 and 16 inclusive. The hardware also requires a power of 2, but gdb may be less restrictive there.

[bukowa]

Thanks for follow up I already lost this rabbit hole but if I encounter them again ill get back here.