Demonstration environment:
host: win10
target virtual machine: win7
tools: IDA, 0D, ret-sync plug-in
IDA remote debugging of executable programs in virtual machines
Copy win32_remote.exe in the dbgsrv directory of IDA to the virtual machine. By default, the program obtains the IP address of the first adapter of the system.
There are three network adapters installed in my virtual machine. Even if the network adapter is disabled, it is useless. Win32_remote.exe obtains the IP address of the first adapter in the system by default, so the other two must be uninstalled through the device manager.
byDevice managerAfter uninstalling other network adapters, only one local connection remains. The virtual machine is set to NAT mode.
At this time, there is only one local connection under ipconfig, and it is displayed first in the cmd window.
Run win32_remote.exe at this time, and the server address of myip will be opened correctly.
IDA——Debugger——Run——Remote Windows Debugger calls out this window and connects to the IP address of the virtual machine.
The win32_remote.exe in the virtual machine will prompt Accept connect from... to indicate that the connection is successful (there is in the picture above).
After the host keeps the idb file, the IDA debugger is started. In this way, the virus program in the virtual machine can be debugged. For analysisReinforced shellVirus andWill seriously affect the normal operation of the host(Such as shutting down) virus, using this debugging method to get twice the result with half the effort.
For specific applications, please refer to https://blog.csdn.net/m0_37552052/article/details/103721403
https://blog.csdn.net/m0_37552052/article/details/104550020
IDA remote dual-computer debugging and synchronization of OD information
Download the ret-sync plug-in, which is a very useful debugger synchronization plug-in. OD, winb=dbg, X64 dynamic debugging can be synchronized with IDA static analysis.
Pay attention to the use of this plug-in:
1. The minimum IDA version of this plug-in is IDA7.2.
2. The IDApython version of IDA7.2 is applicable to this version of python-2.7.10.amd64.msi.
3. Before using the plug-in, you must save the IDB file with Ctrl+W before you can see the ret-sync 
ret-sync synchronous static assembly instruction and dynamic assembly instruction in the plug-in window . dsync synchronizes static pseudo code and dynamic assembly instructions.
After the plug-in is successfully synchronized and debugged, there will be a sentence below.
The actual machine rendering is as above.
However, IDA is placed on the host and x32dbg is in the virtual machine. Even if the .sync file is configured, the synchronization fails.The specific reasons for the failure of synchronization of dual-machine debugging still need to be studied。