KPCR -> KDVersionblock -> PsLoadedModuleList
http://memogaki.wordpress.com/2011/10/01/kpcr/
http://stackoverflow.com/questions/10690330/how-do-i-get-the-address-to-kernel-modules-nt-and-win32k
Tuesday, November 27, 2012
Monday, July 30, 2012
Wednesday, July 18, 2012
Traversing the Windows Process List
Method 1:
Using the PsActiveProcessList in the EPROCESS structure.
Method 2:
Using the HANDLE_TABLE structure in the EPROCESS structure, and traversing HandleTableList.
kd> dt _Handle_table 0xe1001cd0
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe1002000
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : 0x00000004
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe1023e44 - 0x8055b548 ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0
+0x030 FirstFree : 0x2c4
+0x034 LastFree : 0
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 252
+0x040 Flags : 0
+0x040 StrictFIFO : 0y0
Method 3:
Using the queues in the scheduler.
Tuesday, April 17, 2012
Windows Kernel Debugging
For how to set up Windows kernel debugging, please see this article:
http://www.blogger.com/blogger.g?blogID=6275589693478001671#editor/target=post;postID=4149230560487743600
Some useful commands:
> dt _eprocess // see the structure of eprocess
> dt _peb // process environment block
> dt _kprocess // kernel process structure
> dt _heap // heap structure
> dt _heap_segment // heap segment structure
> dt _heap_entry
Application debugging (e.g. Firefox)
> !process 0 0 // list all the running process
> .context <dirbase_address> // switch to the process context; the DirBase address is in the Firefox process info printed by !process 0 0. Sometimes you need to run the next command before enabling the context:
> .enable forcedecoderuser
> dt _peb <peb_address_of_Firefox>
> dd <address> // you can see the content of that location, like the x command in QEMU
> dd /p <address> // see the physical address content
> dt _heap <heap_address>
> dt _heap_entry <heap_entry_address>
Monday, April 9, 2012
Windows Kernel Debugging by using serial port
1. Set up two machines: the target machine and the debugging machine
2. Download WinDbg on the debugging machine
http://msdn.microsoft.com/en-us/windows/hardware/gg463009
for Windows XP you need to download the Windows 7 version
3. Change the boot.ini file on the target machine so it uses the COM1 serial port for kernel debugging.
4. Boot the target machine into debugging mode (press F8 when booting)
5. Start WinDbg on the debugging machine, and choose the correct device.
e.g. a serial-port-to-USB adapter
6. Set the correct symbol path.
e.g. srv*c:\symbols*http://msdl.microsoft.com/download/symbols
7. Run dt _eprocess
How to change boot.ini:
http://www.etdot.com/2008/04/16/windbg-and-vmware/
http://support.microsoft.com/kb/289022
You can also get more information from: Windows Internals, 5th Edition
Another book: Advanced Windows Debugging
Tuesday, April 3, 2012
How to find PsActiveProcessHead in memory on Windows
PsActiveProcessHead is a pointer to the start of the kernel's list of _EPROCESS structures.
1. Get the FS register value: 0xffdff000, which points to the Kernel Processor Control Region (KPCR) structure
2. KdVersionBlock is at offset 0x34 of the KPCR
3. Get the KdVersionBlock value: 0x8054c738 (run x /20w 0xffdff034 in the QEMU monitor)
4. PsActiveProcessHead is at offset 0x78 of KdVersionBlock, i.e. at location 0x8054c7b0
5. Get the PsActiveProcessHead value: 0x80560bd8 (run x /20w 0x8054c7b0)
6. See the LIST_ENTRY field of PsActiveProcessHead; it is a doubly linked list.
7. See the process name (run x /20c location)
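An added example, not from the post, that replays steps 1 to 7 against a constructed memory image in Python the way a memory-forensics tool would: it follows KPCR+0x34 -> KdVersionBlock+0x78 -> PsActiveProcessHead and then walks the ActiveProcessLinks ring back to each _EPROCESS (the same CONTAINING_RECORD list walk Method 2 uses for HandleTableList). The pointer values are the ones quoted above; the _EPROCESS field offsets (ActiveProcessLinks 0x88, UniqueProcessId 0x84, ImageFileName 0x174) are assumed XP SP3 x86 values, and the FlatMemory class and the three sample processes are constructed for the example.

```python
import struct
# Offsets and addresses stated in the post (x86 Windows XP)
KPCR_VA = 0xffdff000             # FS base: the KPCR
KDVERSIONBLOCK_OFF = 0x34        # KPCR.KdVersionBlock
PSACTIVEPROCESSHEAD_OFF = 0x78   # KdVersionBlock.PsActiveProcessHead
# Assumed XP SP3 x86 _EPROCESS offsets (not from the post; verify with `dt _EPROCESS`)
LINKS_OFF, PID_OFF, NAME_OFF = 0x88, 0x84, 0x174

class FlatMemory:
    """Constructed stand-in for a memory image: sparse map of virtual address -> byte."""
    def __init__(self):
        self.cells = {}
    def write(self, va, data):
        for i, b in enumerate(data):
            self.cells[va + i] = b
    def read(self, va, n):
        return bytes(self.cells.get(va + i, 0) for i in range(n))
    def u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]

def walk_active_processes(mem):
    """KPCR -> KdVersionBlock -> PsActiveProcessHead -> ActiveProcessLinks ring."""
    kdvb = mem.u32(KPCR_VA + KDVERSIONBLOCK_OFF)
    head = mem.u32(kdvb + PSACTIVEPROCESSHEAD_OFF)   # address of the list head
    procs, seen, link = [], set(), mem.u32(head)      # head.Flink
    while link != head and link not in seen:
        seen.add(link)                                # stop on a corrupted/cyclic list
        eproc = link - LINKS_OFF                      # CONTAINING_RECORD(link, _EPROCESS, ActiveProcessLinks)
        raw = mem.read(eproc + NAME_OFF, 16)          # ImageFileName is a 16-byte char array
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        procs.append((mem.u32(eproc + PID_OFF), name))
        link = mem.u32(link)                          # follow Flink
    return procs

def build_sample_image():
    """Constructed image: the post's pointer values plus three fake processes."""
    mem = FlatMemory()
    kdvb, head = 0x8054c738, 0x80560bd8               # values quoted in the post
    mem.write(KPCR_VA + KDVERSIONBLOCK_OFF, struct.pack("<I", kdvb))
    mem.write(kdvb + PSACTIVEPROCESSHEAD_OFF, struct.pack("<I", head))
    eprocs = [(0x81234000, 4, b"System"), (0x81345000, 532, b"smss.exe"),
              (0x81456000, 1204, b"firefox.exe")]
    links = [head] + [va + LINKS_OFF for va, _, _ in eprocs]
    for i, link in enumerate(links):                  # close the Flink/Blink ring
        mem.write(link, struct.pack("<II", links[(i + 1) % len(links)], links[i - 1]))
    for va, pid, name in eprocs:
        mem.write(va + PID_OFF, struct.pack("<I", pid))
        mem.write(va + NAME_OFF, name.ljust(16, b"\0"))
    return mem
```

On a real image the FlatMemory reads would be replaced by virtual-to-physical translation through the DirBase of the System process; the pointer chasing itself is unchanged.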
More Info:
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
Monday, April 2, 2012
Find useful memory in windows
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
http://forum.sysinternals.com/devphysicalmemoryfinding-my-peb_topic3473.html
http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html
http://www.facultyresourcecenter.com/curriculum/ResourceKits/Default.aspx?c1=en-us&c2=0