omega_red
November 4th, 2008, 05:15
OK, this got me really wondering what is going on. I'm testing a global syscall dispatcher hook (inline hook at the beginning of KiFastCallEntry). Environment: vista32, 1 cpu, vmware. The following code crashes sometimes, not on all passes, but on some. It basically gets KPCR->KPRCB->KTHREAD->TEB. Interrupts are off.
What's going on here? Vmware playing some tricks on me or am I just stupid and overlooked something simple? 
Code:
0008:8316d021 648b1d20000000  mov     ebx,dword ptr fs:[20h]                                 ; KPRCB
0008:8316d028 8b5b04          mov     ebx,dword ptr [ebx+4]   ds:0023:000003dc=????????      ; KTHREAD
0008:8316d02b 8b9b84000000    mov     ebx,dword ptr [ebx+84h]                                ; TEB
As you can see, it crashes with access violation due to invalid dereference. EBX is 0x3d8 at the moment of AV (8316d028). BUT take a look at this...
Code:
kd> dg @fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0030 818ec700 000020b8 Data RW   0 Bg By P  Nl 00000492
kd> ? poi(poi(818ec700+20)+4)
Evaluate expression: -1976137888 = 8a368760
kd> ? poi(poi(poi(818ec700+20)+4)+84)
Evaluate expression: 2147151872 = 7ffaf000
Wtf? Windbg can access the memory and it's a valid TEB. So EBX should be 8a368760, right?


PS. Is there any windbg expression that returns the selector base? "dg @fs" displays it, but it can't be used inside of commands (or can it somehow?).