
blabberer
January 24th, 2013, 17:50
DbgEng Based Debugger (PART2)


Continuing from part 1 (http://www.woodmann.com/forum/entry.php?246-A-Simple-Dbgeng-Based-User-Mode-Debugger), where I described the dbgeng interfaces and used them to code a simple user mode debugger,
I now describe the dbgeng interfaces that let you peek into the kernel, aka the mighty ring0.

Are you ready? If you are not familiar with the dbgeng interfaces, please read part 1 first:
http://www.woodmann.com/forum/entry.php?246-A-Simple-Dbgeng-Based-User-Mode-Debugger

A short summary of that post, for those of you too bored to click a link and read the dry pages:



To start with any DbgEng interface you need to create a client.

A client is created with the DebugCreate() function.
Once you have created a client you can query it for other interfaces.
To query for interfaces you use the QueryInterface() method.
Each of these interfaces implements a few methods.
Methods that don't depend on other interfaces can be called directly.
Methods that depend on other interfaces can be called after querying for them.
All interfaces must be released before exiting the program.
Release the interfaces on a last in, first out basis (the client is released last).
There are 3 optional callbacks (EVENT, INPUT and OUTPUT).
The dbgeng engine uses these callbacks to communicate with your program's handlers.
A callback consists of a base class, an implementation of its methods and a declaration.
The Event callback implements 14 optional methods and 2 mandatory methods.
The Output callback implements 1 optional method and 2 mandatory methods.
The Input callback implements 2 optional methods and 2 mandatory methods.
The mandatory methods are AddRef() and Release().
The main program mostly consists of:
an argument / program input parsing routine,
an interface creation routine,
the implementation of the callbacks (optional),
an infinite loop waiting for events to be handled by the callback handlers, exiting when done.



Let's get our hands wet in kernel mode.

It should be clear by now that we can code a basic, barebones kernel peeking program with just
a client and a few required interfaces,

and that is what we will do in this example:

DebugCreate()
QueryInterface() for IDebugControl, needed to wait for events after attaching to the kernel
QueryInterface() for IDebugDataSpaces, for reading debugger data
Attach to the kernel
Wait for the event
ReadDebuggerData()
Print the results
Exit()


The code as follows

Code:

#include "dbgengdecl.h"
#include <stdarg.h>
#include <stdlib.h>

IDebugClient* g_Client = NULL;
IDebugControl* g_Control = NULL;
IDebugDataSpaces* g_DataSpaces = NULL;
HRESULT Status = S_OK;

// Common exit routine: release the interfaces last in, first out
// (client last), print an optional message and quit
void Exit(int Code, PCSTR Format, ...)
{
    if (g_DataSpaces != NULL)
    {
        g_DataSpaces->Release();
        g_DataSpaces = NULL;
    }
    if (g_Control != NULL)
    {
        g_Control->Release();
        g_Control = NULL;
    }
    if (g_Client != NULL)
    {
        g_Client->EndSession(DEBUG_END_PASSIVE);
        g_Client->Release();
        g_Client = NULL;
    }
    if (Format != NULL)
    {
        va_list Args;
        va_start(Args, Format);
        vfprintf(stderr, Format, Args);
        va_end(Args);
    }
    exit(Code);
}

int __cdecl main(int Argc, char* Argv[])
{
    if ((Status = DebugCreate(__uuidof(IDebugClient), (void**)&g_Client)) != S_OK)
    {
        Exit(1, "DebugCreate failed, 0x%X\n", Status);
    }
    if ((Status = g_Client->QueryInterface(__uuidof(IDebugControl), (void**)&g_Control)) != S_OK)
    {
        Exit(1, "g_Client->QueryInterface(IDebugControl) failed, 0x%X\n", Status);
    }
    if ((Status = g_Client->QueryInterface(__uuidof(IDebugDataSpaces), (void**)&g_DataSpaces)) != S_OK)
    {
        Exit(1, "g_Client->QueryInterface(IDebugDataSpaces) failed, 0x%X\n", Status);
    }
    // Attach to the local kernel (needs /debug boot option and admin rights)
    if ((Status = g_Client->AttachKernel(DEBUG_ATTACH_LOCAL_KERNEL, NULL)) != S_OK)
    {
        Exit(1, "AttachKernel failed, 0x%X\n", Status);
    }
    // The attach completes asynchronously; wait for the initial event
    if ((Status = g_Control->WaitForEvent(DEBUG_WAIT_DEFAULT, INFINITE)) != S_OK)
    {
        Exit(1, "g_Control->WaitForEvent failed, 0x%X\n", Status);
    }
    ULONG64 Buffer = 0;
    ULONG DataSize = 0;
    // Walk the DEBUG_DATA_* index table (dbgengdecl.h) and read each value
    // from the kernel's debugger data block
    for (int i = 0; i < _countof(DataSpaceIndex); i++)
    {
        if ((g_DataSpaces->ReadDebuggerData(DataSpaceIndex[i].a, (PVOID)&Buffer, sizeof(Buffer), &DataSize)) == S_OK)
        {
            printf("%40s = %I64x\n", DataSpaceIndex[i].b, Buffer);
            continue;
        }
        printf("cant retrieve data for %d\n", i);
    }
    Exit(0, "Finished Debugging Quitting\n");
    return 0;
}


Simple and clean:
a common exit routine that releases the interfaces, prints a message and quits,
DebugCreate,
QueryInterface,
call the methods needed (AttachKernel, WaitForEvent, ReadDebuggerData),
print the results,
and exit.


Since this is a simple use case we haven't implemented any callbacks; as described earlier, they are optional.
Peeking into the kernel is as simple as 65 lines of C code with the dbgeng interface.

Now, on looking again, you might wonder about an include file that is
not in the include path but in the local directory, dbgengdecl.h,
and an array of structures, DataSpaceIndex, that doesn't seem to be defined anywhere.
What are they, and do they contain any magic?

No, absolutely not. It is a copy-paste of some #defines from dbgeng.h
into a structure so that we can printf the results.
See below.
The grunt work was done using the gnuwin32 ports of the unix tools
grep, sed and paste.

In dbgeng.h
we have #defines for all indices of DEBUG_DATA, defined like below:

// Indices for ReadDebuggerData interface
#define DEBUG_DATA_KernBase 24


The grep -i "#define DEBUG_DATA.*[0-9]" regexp

gathers all of them from dbgeng.h and passes them to sed.

sed "1,8 d" deletes the first 8 lines and is redirected to sed again.

sed "114,$ d" deletes every line from line 114 to the end and redirects the output again to sed.

sed s/"#define DEBUG"/"{ DEBUG"/g substitutes every #define with an opening brace { and passes it to sed again.

sed s/" .*[0-9]"/","/g substitutes the trailing space and numbers with a comma , and stores the result in a temp file tmp1.txt.

Similarly, the second line in the bat file replaces #define DEBUG_DATA_ with a double quote (\x22) at the start, and replaces the trailing space and numerals with a double quote, closing brace
and comma " }, and writes that to a file tmp2.txt.

paste concatenates both files line by line into another file,

and the finished file will contain

{ DEBUG_DATA_KernBase, "KernBase" }, instead of

#define DEBUG_DATA_KernBase 24


Kind of kludge work, but I am used to it so I don't feel any pain.
Any better ideas that make sense are welcome, and I would say this kludge is far better than initializing the array manually with the 113 structure members defined in dbgeng.h.


Code:

grep -i "#define DEBUG_DATA.*[0-9]" %DBGSDK_INC_PATH%\dbgeng.h | sed "1,8 d" | sed "114,$ d" | sed s/"#define DEBUG"/"{ DEBUG"/g | sed s/" .*[0-9]"/","/g >tmp1.txt
grep -i "#define DEBUG_DATA.*[0-9]" %DBGSDK_INC_PATH%\dbgeng.h | sed "1,8 d" | sed "114,$ d" | sed s/"#define DEBUG_DATA_"/\x22/g | sed s/" .*[0-9]"/"\x22 },"/g >tmp2.txt

paste tmp1.txt tmp2.txt > finished.txt

del tmp*.*
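The grep/sed/paste kludge can be replaced by a small parser over dbgeng.h; the following is an added example, not code from the original post, which reads the "#define DEBUG_DATA_<Name> <number>" lines that follow the header's own "// Indices for ReadDebuggerData interface" comment up to the next comment line (an assumption that stands in for the "1,8 d" / "114,$ d" line-number trimming) and emits the initializer with the last comma already dropped. The header text embedded in it is a constructed stand-in, not the real dbgeng.h.

```cpp
#include <sstream>
#include <string>
#include <vector>

struct DataEntry {
    std::string symbol; // e.g. "DEBUG_DATA_KernBase"
    std::string label;  // e.g. "KernBase"
};

// Parse "#define DEBUG_DATA_<Name> <decimal>"; returns false for any other line.
static bool ParseDefine(const std::string& line, DataEntry& out)
{
    std::istringstream in(line);
    std::string keyword, symbol, value;
    if (!(in >> keyword >> symbol >> value) || keyword != "#define") return false;
    const std::string prefix = "DEBUG_DATA_";
    if (symbol.compare(0, prefix.size(), prefix) != 0) return false;
    if (value.find_first_not_of("0123456789") != std::string::npos) return false; // masks, expressions, ...
    out.symbol = symbol;
    out.label = symbol.substr(prefix.size());
    return true;
}

// Collect the defines between the header's "// Indices for ReadDebuggerData interface"
// comment and the next comment line; this replaces the sed "1,8 d" / "114,$ d" trimming.
static std::vector<DataEntry> CollectIndices(const std::string& header)
{
    std::vector<DataEntry> entries;
    std::istringstream in(header);
    std::string line;
    bool inside = false;
    for (DataEntry e; std::getline(in, line);) {
        if (line.compare(0, 2, "//") == 0) {
            if (inside) break; // the next comment ends the block
            inside = line.find("Indices for ReadDebuggerData") != std::string::npos;
        } else if (inside && ParseDefine(line, e)) {
            entries.push_back(e);
        }
    }
    return entries;
}

// Emit the initializer in the post's format, with no comma after the last entry.
static std::string GenerateTable(const std::vector<DataEntry>& entries)
{
    std::string out = "Foo DataSpaceIndex[] =\n{\n";
    for (size_t i = 0; i < entries.size(); ++i) {
        out += "{ " + entries[i].symbol + ", \"" + entries[i].label + "\" }" + (i + 1 < entries.size() ? ",\n" : "\n");
    }
    return out + "};\n";
}

// Constructed stand-in for dbgeng.h (not the real header) so the block runs alone.
static const char* kSampleHeader =
    "#define DEBUG_DATA_SPACE_VIRTUAL 0\n"
    "// Indices for ReadDebuggerData interface\n"
    "#define DEBUG_DATA_KernBase 24\n"
    "#define DEBUG_DATA_BreakpointWithStatusAddr 32\n"
    "// next block (constructed), not part of the ReadDebuggerData indices\n"
    "#define DEBUG_DATA_Unrelated 0\n";
```

Run GenerateTable(CollectIndices(<contents of dbgeng.h>)) and paste the output straight into dbgengdecl.h; any define that is not a plain decimal index is skipped rather than mangled.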



The finished file, hand modified to remove the last comma,
with a structure and array declared, the required include files added, and renamed to dbgengdecl.h, is as below:

Code:


#include <stdio.h>
#include <dbgeng.h>

typedef struct _FOO
{
ULONG a;
PSTR b;
}Foo , *PFoo;


Foo DataSpaceIndex[] =
{
{ DEBUG_DATA_KernBase, "KernBase" },
{ DEBUG_DATA_BreakpointWithStatusAddr, "BreakpointWithStatusAddr" },
{ DEBUG_DATA_SavedContextAddr, "SavedContextAddr" },
{ DEBUG_DATA_KiCallUserModeAddr, "KiCallUserModeAddr" },
{ DEBUG_DATA_KeUserCallbackDispatcherAddr, "KeUserCallbackDispatcherAddr" },
{ DEBUG_DATA_PsLoadedModuleListAddr, "PsLoadedModuleListAddr" },
{ DEBUG_DATA_PsActiveProcessHeadAddr, "PsActiveProcessHeadAddr" },
{ DEBUG_DATA_PspCidTableAddr, "PspCidTableAddr" },
{ DEBUG_DATA_ExpSystemResourcesListAddr, "ExpSystemResourcesListAddr" },
{ DEBUG_DATA_ExpPagedPoolDescriptorAddr, "ExpPagedPoolDescriptorAddr" },
{ DEBUG_DATA_ExpNumberOfPagedPoolsAddr, "ExpNumberOfPagedPoolsAddr" },
{ DEBUG_DATA_KeTimeIncrementAddr, "KeTimeIncrementAddr" },
{ DEBUG_DATA_KeBugCheckCallbackListHeadAddr, "KeBugCheckCallbackListHeadAddr" },
{ DEBUG_DATA_KiBugcheckDataAddr, "KiBugcheckDataAddr" },
{ DEBUG_DATA_IopErrorLogListHeadAddr, "IopErrorLogListHeadAddr" },
{ DEBUG_DATA_ObpRootDirectoryObjectAddr, "ObpRootDirectoryObjectAddr" },
{ DEBUG_DATA_ObpTypeObjectTypeAddr, "ObpTypeObjectTypeAddr" },
{ DEBUG_DATA_MmSystemCacheStartAddr, "MmSystemCacheStartAddr" },
{ DEBUG_DATA_MmSystemCacheEndAddr, "MmSystemCacheEndAddr" },
{ DEBUG_DATA_MmSystemCacheWsAddr, "MmSystemCacheWsAddr" },
{ DEBUG_DATA_MmPfnDatabaseAddr, "MmPfnDatabaseAddr" },
{ DEBUG_DATA_MmSystemPtesStartAddr, "MmSystemPtesStartAddr" },
{ DEBUG_DATA_MmSystemPtesEndAddr, "MmSystemPtesEndAddr" },
{ DEBUG_DATA_MmSubsectionBaseAddr, "MmSubsectionBaseAddr" },
{ DEBUG_DATA_MmNumberOfPagingFilesAddr, "MmNumberOfPagingFilesAddr" },
{ DEBUG_DATA_MmLowestPhysicalPageAddr, "MmLowestPhysicalPageAddr" },
{ DEBUG_DATA_MmHighestPhysicalPageAddr, "MmHighestPhysicalPageAddr" },
{ DEBUG_DATA_MmNumberOfPhysicalPagesAddr, "MmNumberOfPhysicalPagesAddr" },
{ DEBUG_DATA_MmMaximumNonPagedPoolInBytesAddr,"MmMaximumNonPagedPoolInBytesAddr" },
{ DEBUG_DATA_MmNonPagedSystemStartAddr, "MmNonPagedSystemStartAddr" },
{ DEBUG_DATA_MmNonPagedPoolStartAddr, "MmNonPagedPoolStartAddr" },
{ DEBUG_DATA_MmNonPagedPoolEndAddr, "MmNonPagedPoolEndAddr" },
{ DEBUG_DATA_MmPagedPoolStartAddr, "MmPagedPoolStartAddr" },
{ DEBUG_DATA_MmPagedPoolEndAddr, "MmPagedPoolEndAddr" },
{ DEBUG_DATA_MmPagedPoolInformationAddr, "MmPagedPoolInformationAddr" },
{ DEBUG_DATA_MmPageSize, "MmPageSize" },
{ DEBUG_DATA_MmSizeOfPagedPoolInBytesAddr, "MmSizeOfPagedPoolInBytesAddr" },
{ DEBUG_DATA_MmTotalCommitLimitAddr, "MmTotalCommitLimitAddr" },
{ DEBUG_DATA_MmTotalCommittedPagesAddr, "MmTotalCommittedPagesAddr" },
{ DEBUG_DATA_MmSharedCommitAddr, "MmSharedCommitAddr" },
{ DEBUG_DATA_MmDriverCommitAddr, "MmDriverCommitAddr" },
{ DEBUG_DATA_MmProcessCommitAddr, "MmProcessCommitAddr" },
{ DEBUG_DATA_MmPagedPoolCommitAddr, "MmPagedPoolCommitAddr" },
{ DEBUG_DATA_MmExtendedCommitAddr, "MmExtendedCommitAddr" },
{ DEBUG_DATA_MmZeroedPageListHeadAddr, "MmZeroedPageListHeadAddr" },
{ DEBUG_DATA_MmFreePageListHeadAddr, "MmFreePageListHeadAddr" },
{ DEBUG_DATA_MmStandbyPageListHeadAddr, "MmStandbyPageListHeadAddr" },
{ DEBUG_DATA_MmModifiedPageListHeadAddr, "MmModifiedPageListHeadAddr" },
{ DEBUG_DATA_MmModifiedNoWritePageListHeadAddr,"MmModifiedNoWritePageListHeadAddr" },
{ DEBUG_DATA_MmAvailablePagesAddr, "MmAvailablePagesAddr" },
{ DEBUG_DATA_MmResidentAvailablePagesAddr, "MmResidentAvailablePagesAddr" },
{ DEBUG_DATA_PoolTrackTableAddr, "PoolTrackTableAddr" },
{ DEBUG_DATA_NonPagedPoolDescriptorAddr, "NonPagedPoolDescriptorAddr" },
{ DEBUG_DATA_MmHighestUserAddressAddr, "MmHighestUserAddressAddr" },
{ DEBUG_DATA_MmSystemRangeStartAddr, "MmSystemRangeStartAddr" },
{ DEBUG_DATA_MmUserProbeAddressAddr, "MmUserProbeAddressAddr" },
{ DEBUG_DATA_KdPrintCircularBufferAddr, "KdPrintCircularBufferAddr" },
{ DEBUG_DATA_KdPrintCircularBufferEndAddr, "KdPrintCircularBufferEndAddr" },
{ DEBUG_DATA_KdPrintWritePointerAddr, "KdPrintWritePointerAddr" },
{ DEBUG_DATA_KdPrintRolloverCountAddr, "KdPrintRolloverCountAddr" },
{ DEBUG_DATA_MmLoadedUserImageListAddr, "MmLoadedUserImageListAddr" },
{ DEBUG_DATA_NtBuildLabAddr, "NtBuildLabAddr" },
{ DEBUG_DATA_KiNormalSystemCall, "KiNormalSystemCall" },
{ DEBUG_DATA_KiProcessorBlockAddr, "KiProcessorBlockAddr" },
{ DEBUG_DATA_MmUnloadedDriversAddr, "MmUnloadedDriversAddr" },
{ DEBUG_DATA_MmLastUnloadedDriverAddr, "MmLastUnloadedDriverAddr" },
{ DEBUG_DATA_MmTriageActionTakenAddr, "MmTriageActionTakenAddr" },
{ DEBUG_DATA_MmSpecialPoolTagAddr, "MmSpecialPoolTagAddr" },
{ DEBUG_DATA_KernelVerifierAddr, "KernelVerifierAddr" },
{ DEBUG_DATA_MmVerifierDataAddr, "MmVerifierDataAddr" },
{ DEBUG_DATA_MmAllocatedNonPagedPoolAddr, "MmAllocatedNonPagedPoolAddr" },
{ DEBUG_DATA_MmPeakCommitmentAddr, "MmPeakCommitmentAddr" },
{ DEBUG_DATA_MmTotalCommitLimitMaximumAddr, "MmTotalCommitLimitMaximumAddr" },
{ DEBUG_DATA_CmNtCSDVersionAddr, "CmNtCSDVersionAddr" },
{ DEBUG_DATA_MmPhysicalMemoryBlockAddr, "MmPhysicalMemoryBlockAddr" },
{ DEBUG_DATA_MmSessionBase, "MmSessionBase" },
{ DEBUG_DATA_MmSessionSize, "MmSessionSize" },
{ DEBUG_DATA_MmSystemParentTablePage, "MmSystemParentTablePage" },
{ DEBUG_DATA_MmVirtualTranslationBase, "MmVirtualTranslationBase" },
{ DEBUG_DATA_OffsetKThreadNextProcessor, "OffsetKThreadNextProcessor" },
{ DEBUG_DATA_OffsetKThreadTeb, "OffsetKThreadTeb" },
{ DEBUG_DATA_OffsetKThreadKernelStack, "OffsetKThreadKernelStack" },
{ DEBUG_DATA_OffsetKThreadInitialStack, "OffsetKThreadInitialStack" },
{ DEBUG_DATA_OffsetKThreadApcProcess, "OffsetKThreadApcProcess" },
{ DEBUG_DATA_OffsetKThreadState, "OffsetKThreadState" },
{ DEBUG_DATA_OffsetKThreadBStore, "OffsetKThreadBStore" },
{ DEBUG_DATA_OffsetKThreadBStoreLimit, "OffsetKThreadBStoreLimit" },
{ DEBUG_DATA_SizeEProcess, "SizeEProcess" },
{ DEBUG_DATA_OffsetEprocessPeb, "OffsetEprocessPeb" },
{ DEBUG_DATA_OffsetEprocessParentCID, "OffsetEprocessParentCID" },
{ DEBUG_DATA_OffsetEprocessDirectoryTableBase,"OffsetEprocessDirectoryTableBase" },
{ DEBUG_DATA_SizePrcb, "SizePrcb" },
{ DEBUG_DATA_OffsetPrcbDpcRoutine, "OffsetPrcbDpcRoutine" },
{ DEBUG_DATA_OffsetPrcbCurrentThread, "OffsetPrcbCurrentThread" },
{ DEBUG_DATA_OffsetPrcbMhz, "OffsetPrcbMhz" },
{ DEBUG_DATA_OffsetPrcbCpuType, "OffsetPrcbCpuType" },
{ DEBUG_DATA_OffsetPrcbVendorString, "OffsetPrcbVendorString" },
{ DEBUG_DATA_OffsetPrcbProcessorState, "OffsetPrcbProcessorState" },
{ DEBUG_DATA_OffsetPrcbNumber, "OffsetPrcbNumber" },
{ DEBUG_DATA_SizeEThread, "SizeEThread" },
{ DEBUG_DATA_KdPrintCircularBufferPtrAddr, "KdPrintCircularBufferPtrAddr" },
{ DEBUG_DATA_KdPrintBufferSizeAddr, "KdPrintBufferSizeAddr" },
{ DEBUG_DATA_MmBadPagesDetected, "MmBadPagesDetected" },
{ DEBUG_DATA_EtwpDebuggerData, "EtwpDebuggerData" },
{ DEBUG_DATA_PaeEnabled, "PaeEnabled" },
{ DEBUG_DATA_SharedUserData, "SharedUserData" },
{ DEBUG_DATA_ProductType, "ProductType" },
{ DEBUG_DATA_SuiteMask, "SuiteMask" },
{ DEBUG_DATA_DumpWriterStatus, "DumpWriterStatus" },
{ DEBUG_DATA_DumpFormatVersion, "DumpFormatVersion" },
{ DEBUG_DATA_DumpWriterVersion, "DumpWriterVersion" },
{ DEBUG_DATA_DumpPowerState, "DumpPowerState" },
{ DEBUG_DATA_DumpMmStorage, "DumpMmStorage" }
};




Build it with the WinXP free build environment, copy the finished binary into a test folder that contains all the required dlls from the windbg installation folder, and run the binary; you should get the results below for XP SP3. Anyone is welcome to check this on w2k, Vista, Win7, Win8, x86 and x64; it should work as is on all of the above.
Let's verify a few results:

lkd> ? nt
Evaluate expression: -2142408704 = 804d7000
we got KernBase = ffffffff804d7000
lkd> ? nt!PspCidTable
Evaluate expression: -2141871392 = 8055a2e0
we got PspCidTableAddr = ffffffff8055a2e0
lkd> ? nt!MmMaximumNonPagedPoolInBytes
Evaluate expression: -2141878164 = 8055886c
we got MmMaximumNonPagedPoolInBytesAddr = ffffffff8055886c
(the 32-bit kernel addresses come back sign-extended to 64 bits, hence the ffffffff prefix)

From a /debug enabled VM:

lkd> db nt!KdPrintCircularBuffer
8068fe00 45 6e 74 65 72 20 50 6f-72 74 49 6f 44 65 76 69 Enter PortIoDevi
8068fe10 63 65 41 64 64 0a 52 65-73 6f 75 72 63 65 20 54 ceAdd.Resource T
8068fe20 72 61 6e 73 6c 61 74 65-64 20 50 6f 72 74 3a 20 ranslated Port:
8068fe30 28 33 30 30 29 20 4c 65-6e 67 74 68 3a 20 28 34 (300) Length: (4
8068fe40 29 0a 45 52 52 4f 52 3a-20 44 61 76 52 65 61 64 ).ERROR: DavRead
8068fe50 52 65 67 69 73 74 72 79-56 61 6c 75 65 73 2f 52 RegistryValues/R
8068fe60 65 67 51 75 65 72 79 56-61 6c 75 65 45 78 57 28 egQueryValueExW(
8068fe70 34 29 2e 20 57 53 74 61-74 75 73 20 3d 20 35 0a 4). WStatus = 5.
lkd>
we got
MmUserProbeAddressAddr = ffffffff8055fbd4
KdPrintCircularBufferAddr = ffffffff8068fe00
KdPrintCircularBufferEndAddr = ffffffff80690e00

lkd> !kuser
_KUSER_SHARED_DATA at ffdf0000

TickCount: fa00000 * 00232664 (0:09:59:53.562)
TimeZone Id: 0
ImageNumber Range: [14c .. 14c]
Crypto Exponent: 0
SystemRoot: 'C:\WINDOWS'

We got SharedUserData = ffffffffffdf0000

That's it. Attaching to the kernel and getting data from kernel space is as easy as coding a MessageBox.

Full result as follows:


Code:


KernBase = ffffffff804d7000
BreakpointWithStatusAddr = ffffffff80527bf4
SavedContextAddr = 0
KiCallUserModeAddr = ffffffff804ff69c
KeUserCallbackDispatcherAddr = 7c90e460
PsLoadedModuleListAddr = ffffffff80554040
PsActiveProcessHeadAddr = ffffffff8055a1d8
PspCidTableAddr = ffffffff8055a2e0
ExpSystemResourcesListAddr = ffffffff8055c708
ExpPagedPoolDescriptorAddr = ffffffff8055b5a0
ExpNumberOfPagedPoolsAddr = ffffffff8054ab2c
KeTimeIncrementAddr = ffffffff80552f9c
KeBugCheckCallbackListHeadAddr = ffffffff80553078
KiBugcheckDataAddr = ffffffff805539c0
IopErrorLogListHeadAddr = ffffffff80551940
ObpRootDirectoryObjectAddr = ffffffff805597f8
ObpTypeObjectTypeAddr = ffffffff805597f0
MmSystemCacheStartAddr = ffffffff8054a210
MmSystemCacheEndAddr = ffffffff805587e8
MmSystemCacheWsAddr = ffffffff80558800
MmPfnDatabaseAddr = ffffffff805589e8
MmSystemPtesStartAddr = ffffffff80553c68
MmSystemPtesEndAddr = ffffffff80553c60
MmSubsectionBaseAddr = ffffffff80553ff8
MmNumberOfPagingFilesAddr = ffffffff80558580
MmLowestPhysicalPageAddr = ffffffff8054a13c
MmHighestPhysicalPageAddr = ffffffff80558a44
MmNumberOfPhysicalPagesAddr = ffffffff80558a48
MmMaximumNonPagedPoolInBytesAddr = ffffffff8055886c
MmNonPagedSystemStartAddr = ffffffff805589a0
MmNonPagedPoolStartAddr = ffffffff80553cb8
MmNonPagedPoolEndAddr = ffffffff8054a5f8
MmPagedPoolStartAddr = ffffffff8054a5fc
MmPagedPoolEndAddr = ffffffff80553cb4
MmPagedPoolInformationAddr = ffffffff805584a0
MmPageSize = 1000
MmSizeOfPagedPoolInBytesAddr = ffffffff8054a208
MmTotalCommitLimitAddr = ffffffff80558544
MmTotalCommittedPagesAddr = ffffffff80558548
MmSharedCommitAddr = ffffffff8054c748
MmDriverCommitAddr = ffffffff805540c0
MmProcessCommitAddr = ffffffff80554034
MmPagedPoolCommitAddr = ffffffff80553e14
MmExtendedCommitAddr = 0
MmZeroedPageListHeadAddr = ffffffff8054a160
MmFreePageListHeadAddr = ffffffff8054a170
MmStandbyPageListHeadAddr = ffffffff8054a180
MmModifiedPageListHeadAddr = ffffffff8054a190
MmModifiedNoWritePageListHeadAddr = ffffffff8054a1a0
MmAvailablePagesAddr = ffffffff80558a3c
MmResidentAvailablePagesAddr = ffffffff805589fc
PoolTrackTableAddr = ffffffff8055c680
NonPagedPoolDescriptorAddr = ffffffff8055b640
MmHighestUserAddressAddr = ffffffff80558a5c
MmSystemRangeStartAddr = ffffffff80558a58
MmUserProbeAddressAddr = ffffffff80558a54
KdPrintCircularBufferAddr = ffffffff80674200
KdPrintCircularBufferEndAddr = ffffffff80675200
KdPrintWritePointerAddr = ffffffff80675200
KdPrintRolloverCountAddr = ffffffff80675204
MmLoadedUserImageListAddr = ffffffff80553f10
NtBuildLabAddr = ffffffff804d7c5c
KiNormalSystemCall = 0
KiProcessorBlockAddr = ffffffff80552ec0
MmUnloadedDriversAddr = ffffffff805540bc
MmLastUnloadedDriverAddr = ffffffff805540b8
MmTriageActionTakenAddr = ffffffff80553e18
MmSpecialPoolTagAddr = ffffffff80553d2c
KernelVerifierAddr = ffffffff8054c708
MmVerifierDataAddr = ffffffff805583a0
MmAllocatedNonPagedPoolAddr = ffffffff80553e10
MmPeakCommitmentAddr = ffffffff80553d48
MmTotalCommitLimitMaximumAddr = ffffffff80558540
CmNtCSDVersionAddr = ffffffff805512e4
MmPhysicalMemoryBlockAddr = ffffffff80553fe8
MmSessionBase = ffffffff8055848c
MmSessionSize = ffffffff80558480
MmSystemParentTablePage = 0
MmVirtualTranslationBase = 0
OffsetKThreadNextProcessor = 12b
OffsetKThreadTeb = 20
OffsetKThreadKernelStack = 28
OffsetKThreadInitialStack = 18
OffsetKThreadApcProcess = 44
OffsetKThreadState = 2d
OffsetKThreadBStore = 0
OffsetKThreadBStoreLimit = 0
SizeEProcess = 258
OffsetEprocessPeb = 1b0
OffsetEprocessParentCID = 14c
OffsetEprocessDirectoryTableBase = 18
SizePrcb = 9f0
OffsetPrcbDpcRoutine = 874
OffsetPrcbCurrentThread = 4
OffsetPrcbMhz = 910
OffsetPrcbCpuType = 18
OffsetPrcbVendorString = 900
OffsetPrcbProcessorState = 1c
OffsetPrcbNumber = 10
SizeEThread = 260
KdPrintCircularBufferPtrAddr = 0
KdPrintBufferSizeAddr = 0
MmBadPagesDetected = 0
EtwpDebuggerData = 0
PaeEnabled = 1
SharedUserData = ffffffffffdf0000
ProductType = ffffffff00000001
SuiteMask = ffffffff00000110
cant retrieve data for 108
cant retrieve data for 109
cant retrieve data for 110
cant retrieve data for 111
cant retrieve data for 112
Finished Debugging Quitting