

blabberer
January 26th, 2013, 13:09

DbgEng Based Debugger (PART2 Contd......)



continuing from part 2 ("http://www.woodmann.com/forum/entry.php?248-DbgEng-Based-Debugger-(PART2)"), where we discussed peeking into kernel mode and saw how we can make dbgeng read DataSpaces and get details about key kernel mode addresses,
now in this example let's make dbgeng retrieve some machine parameters for us
exactly what ?

shall we try CMOS Ram Map ?

that could be as basic as it could get; prior to that a box is all silicon and plastics, i think (to debug silicon and plastic one may need to get into smelting furnaces and moulding machines, and windbg isn't designed to be in that environment)

if you are not aware of the basics that we assume you understand in this article, refer to the following 2 urls

part 1 http://www.woodmann.com/forum/entry.php?246-A-Simple-Dbgeng-Based-User-Mode-Debugger
part 2 http://www.woodmann.com/forum/entry.php?248-DbgEng-Based-Debugger-(PART2)

ok so we want cmos rammap

remove or comment out the ReadDebuggerData() code in your sample no 2 and insert this in its place



ULONG BusDataType = 0; // Cmos (BUS_DATA_TYPE value 0)
ULONG BusNumber = 0;
ULONG SlotNumber = 0;
ULONG StartOffset = 0;
BYTE Buff[0x100];
memset(&Buff, 0, sizeof(Buff));
ULONG BytesRead = 0;
// ask dbgeng to read the first 128 bytes of CMOS RAM through the bus data interface
if ((g_DataSpaces->ReadBusData(
    BusDataType,
    BusNumber,
    SlotNumber,
    StartOffset,
    &Buff,
    (_countof(Buff)/2),
    &BytesRead
    )) == S_OK)
{
    printf("Bytes Read From CMOS Bus is %d\n", BytesRead);
    int l = 0;
    printf("************************DUMP*************************************\n");
    // hex column followed by a raw character column, 16 bytes per row, over the whole buffer
    while (l < sizeof(Buff))
    {
        for (int i = l; i < l + 0x10; i++)
        {
            printf("%02x ", Buff[i]);
        }
        for (int i = l; i < l + 0x10; i++)
        {
            printf("%c", Buff[i]);
        }
        printf("\n");
        l += 0x10;
    }
    printf("************************DUMP*************************************\n");
    // CMosData is an array of const char* field names, one per CMOS offset (its source is given below)
    for (int i = 0; i < _countof(CMosData); i++)
    {
        printf("%40s = %02x\n", CMosData[i], Buff[i]);
    }
}

Exit(0, "Finished Debugging Quitting\n");
}


and voila, we got the cmos ram map from the machine we ran this program on
no need for what old dos junkies did to get it, all of it in one go, and something newer
.net probably doesn't have access to



in port 70 magic
out port 71 genie


does it work ?



Bytes Read From CMOS Bus is 128
************************DUMP*************************************
41 45 13 16 13 11 05 25 01 13 26 42 00 80 00 00 AE‼▬‼◄♣%☺‼&B Ç
00 ee df e5 0a 80 02 00 fc e9 be 37 ea f7 ed 3a ε▀σÇ☻ ⁿΘ╛7Ω≈φ:
6d ef ff af fe ff ff e3 fa fc ff 7d f9 46 14 ba m∩ »■ π·ⁿ }∙F¶║
00 fc 20 d9 fc ff 00 9f 1d ff df df e7 b9 df df ⁿ ┘ⁿ ƒ↔ ▀▀τ╣▀▀
fe ef be fb 79 57 ff d3 ff bf 72 d6 fb f9 bf f6 ■∩╛√yW ╙ ┐r╓√∙┐÷
fb fe db ae fb f7 ff 1f ff 7e e4 76 ef 6b ea f5 √■█«√≈ ▼ ~Σv∩kΩ⌡
db f7 eb 7d fe fd e9 02 f7 f9 d7 ef 00 53 f4 6c █≈δ}■²Θ☻≈∙╫∩ S⌠l
1f ff fe fe bf fb ee f1 76 fd ff bd fe 33 f3 fe ▼ ■■┐√ε±v² ╜■3≤■
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
************************DUMP*************************************
RTCSeconds = 41
RTCSecondsAlarm = 45
RTCMinutes = 13
RTCMinutesAlarm = 16
RTCHours = 13
RTCHoursAlarm = 11
RTCDayofWeek = 05
RTCDateDay = 25
RTCDateMonth = 01
RTCDateYear = 13
StatusRegisterA = 26
StatusRegisterB = 42
StatusRegisterC = 00
StatusRegisterD = 80
DiagnosticStatus = 00
CMOSShutdownStatus = 00
FloppyDiskDriveTypes = 00
SystemConfigurationSettings = ee
HardDiskTypes = df
TypematicParameters = e5
InstalledEquipment = 0a
BaseMemoryLowOrderByte = 80
BaseMemoryHighOrderByte = 02
ExtendedMemoryLowOrderByte = 00
ExtendedMemoryHighOrderByte = fc
HardDisk0ExtendedType = e9
HardDisk1ExtendedType = be
CNumberofcylindersLSB = 37
CNumberofcylindersMSB = ea
CNumberofheads = f7
CWriteprecompcylinderLSB = ed
CWriteprecompcylinderMSB = 3a
CControlbyte = 6d
CLandingzoneLSB = ef
CLandingzoneMSB = ff
CNumberofsectors = af
DNumberofcylindersLSB = fe
DNumberofcylindersMSB = ff
DNumberofheads = ff
DWriteprecompcylinderLSB = e3
DWriteprecompcylinderMSB = fa
DControlbyte = fc
DLandingzoneLSB = ff
DLandingzoneMSB = 7d
DNumberofsectors = f9
SystemOperationalFlags = 46
CMOSChecksumHighOrderByte = 14
CMOSChecksumLowOrderByte = ba
ActualExtendedMemoryLoByte = 00
ActualExtendedMemoryHiByte = fc
CenturyDateBCD = 20
POSTInformationFlags = d9
BIOSandShadowOptionFlags = fc
BIOSandShadowOptionFlags = ff
ChipsetSpecificInformation = 00
PasswordSeedandColorOption = 9f
EncryptedPassword1bytes = 1d
EncryptedPassword2bytes = ff
EncryptedPassword3bytes = df
EncryptedPassword4bytes = df
EncryptedPassword5bytes = e7
EncryptedPassword6bytes = b9
ExtendedCMOSChecksum = df
ExtendedCMOSChecksum = df
ModelNumberByte = fe
FirstSerialNumber = ef
SecondSerialNumber = be
ThirdSerialNumber = fb
FourthSerialNumber = 79
FifthSerialNumber = 57
SixthSerialNumber = ff
CRCByte = d3
CenturyByte = ff
DateAlarm = bf
ExtendedControlRegister4A = 72
ExtendedControlregister4B = d6
Reserved = fb
Reserved = f9
RealTimeClockAddress2 = bf
RealTimeClockAddress3 = f6
ExtendedRAMAddress = fb
ExtendedRAMAddress = fe
Reserved = db
ExtendedRAMDataPort = ae
Reserved = fb
Finished Debugging Quitting

the details of the array CMosData are taken from Bob Hurt's BIOS Central CMOS memory map page
google "bob hurt cmos" and it is the first hit on the first page
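as an added example, not part of blabberer's sample or the attached LKDCMOS.zip, here is a small C decoder run over the 128 bytes ReadBusData returned in the dump above (the bytes are copied from the post's output and embedded, so it runs offline). it verifies the standard CMOS checksum (bytes 0x10..0x2D summed, stored big-endian at 0x2E/0x2F), decodes the RTC registers honouring the BCD/binary and 12/24h bits of Status Register B, reads base memory from 0x15/0x16, and derives the weekday from the date instead of trusting the day-of-week register. the register offsets follow the standard MC146818 layout; treating 0x32 as the century byte is taken from the memory map the post uses and is BIOS-specific, so that is an assumption. in the real program you would feed it the first BytesRead bytes of Buff, not the whole 256-byte buffer, since anything past BytesRead is only the memset zeroes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 128 bytes ReadBusData returned in the dump above, copied from the post's
   output (the page's own data, not a live read; the unread upper half of the
   256-byte Buff is all zero and is left out). */
static const uint8_t kCmosDump[128] = {
    0x41,0x45,0x13,0x16,0x13,0x11,0x05,0x25,0x01,0x13,0x26,0x42,0x00,0x80,0x00,0x00,
    0x00,0xee,0xdf,0xe5,0x0a,0x80,0x02,0x00,0xfc,0xe9,0xbe,0x37,0xea,0xf7,0xed,0x3a,
    0x6d,0xef,0xff,0xaf,0xfe,0xff,0xff,0xe3,0xfa,0xfc,0xff,0x7d,0xf9,0x46,0x14,0xba,
    0x00,0xfc,0x20,0xd9,0xfc,0xff,0x00,0x9f,0x1d,0xff,0xdf,0xdf,0xe7,0xb9,0xdf,0xdf,
    0xfe,0xef,0xbe,0xfb,0x79,0x57,0xff,0xd3,0xff,0xbf,0x72,0xd6,0xfb,0xf9,0xbf,0xf6,
    0xfb,0xfe,0xdb,0xae,0xfb,0xf7,0xff,0x1f,0xff,0x7e,0xe4,0x76,0xef,0x6b,0xea,0xf5,
    0xdb,0xf7,0xeb,0x7d,0xfe,0xfd,0xe9,0x02,0xf7,0xf9,0xd7,0xef,0x00,0x53,0xf4,0x6c,
    0x1f,0xff,0xfe,0xfe,0xbf,0xfb,0xee,0xf1,0x76,0xfd,0xff,0xbd,0xfe,0x33,0xf3,0xfe,
};

/* Standard MC146818 RTC/CMOS offsets. The century byte at 0x32 follows the
   memory map the post uses; that location is BIOS-specific (assumption). */
enum {
    CMOS_RTC_SECONDS = 0x00, CMOS_RTC_MINUTES = 0x02, CMOS_RTC_HOURS = 0x04,
    CMOS_RTC_WEEKDAY = 0x06, CMOS_RTC_DAY = 0x07, CMOS_RTC_MONTH = 0x08,
    CMOS_RTC_YEAR = 0x09, CMOS_STATUS_B = 0x0b,
    CMOS_BASE_MEM_LO = 0x15, CMOS_BASE_MEM_HI = 0x16,
    CMOS_CHECKSUM_HI = 0x2e, CMOS_CHECKSUM_LO = 0x2f, CMOS_CENTURY = 0x32,
    CMOS_CHECKSUM_FIRST = 0x10, CMOS_CHECKSUM_LAST = 0x2d
};
#define STATUS_B_24H    0x02  /* clear: 12-hour mode, bit 7 of the hours byte = PM */
#define STATUS_B_BINARY 0x04  /* clear: the time/date registers hold BCD */

typedef struct { int year, month, day, weekday_reg, hour, minute, second; } CmosRtc;

static unsigned bcd_to_bin(uint8_t v) { return (v >> 4) * 10u + (v & 0x0f); }

/* Sum of bytes 0x10..0x2D; the BIOS stores it big-endian at 0x2E/0x2F. */
unsigned cmos_compute_checksum(const uint8_t *cmos, size_t len)
{
    unsigned sum = 0;
    if (len <= CMOS_CHECKSUM_LAST) return 0;   /* read too short to cover the range */
    for (size_t i = CMOS_CHECKSUM_FIRST; i <= CMOS_CHECKSUM_LAST; i++) sum += cmos[i];
    return sum & 0xffffu;
}

unsigned cmos_stored_checksum(const uint8_t *cmos, size_t len)
{
    if (len <= CMOS_CHECKSUM_LO) return 0;
    return ((unsigned)cmos[CMOS_CHECKSUM_HI] << 8) | cmos[CMOS_CHECKSUM_LO];
}

/* A mismatch means the CMOS was cleared or corrupted, or the read was incomplete. */
int cmos_checksum_ok(const uint8_t *cmos, size_t len)
{
    return len > CMOS_CHECKSUM_LO &&
           cmos_compute_checksum(cmos, len) == cmos_stored_checksum(cmos, len);
}

unsigned cmos_base_memory_kb(const uint8_t *cmos, size_t len)
{
    if (len <= CMOS_BASE_MEM_HI) return 0;
    return ((unsigned)cmos[CMOS_BASE_MEM_HI] << 8) | cmos[CMOS_BASE_MEM_LO];
}

/* Decode the RTC registers, honouring the BCD/binary and 12/24h bits of Status Register B. */
int cmos_decode_rtc(const uint8_t *cmos, size_t len, CmosRtc *out)
{
    if (len <= CMOS_CENTURY || !out) return 0;
    int binary = cmos[CMOS_STATUS_B] & STATUS_B_BINARY;
#define CV(x) (binary ? (unsigned)(x) : bcd_to_bin(x))
    out->second = CV(cmos[CMOS_RTC_SECONDS]);
    out->minute = CV(cmos[CMOS_RTC_MINUTES]);
    uint8_t h = cmos[CMOS_RTC_HOURS];
    if (cmos[CMOS_STATUS_B] & STATUS_B_24H)
        out->hour = CV(h);
    else                                      /* 12-hour mode: 1..12 with bit 7 = PM */
        out->hour = CV(h & 0x7f) % 12 + ((h & 0x80) ? 12 : 0);
    out->weekday_reg = CV(cmos[CMOS_RTC_WEEKDAY]);
    out->day   = CV(cmos[CMOS_RTC_DAY]);
    out->month = CV(cmos[CMOS_RTC_MONTH]);
    out->year  = CV(cmos[CMOS_CENTURY]) * 100 + CV(cmos[CMOS_RTC_YEAR]);
#undef CV
    return 1;
}

/* Weekday from the calendar date (Sakamoto's method, 0 = Sunday). The RTC's own
   day-of-week register is numbered differently by different firmware, so derive it. */
int weekday_from_date(int y, int m, int d)
{
    static const int t[] = {0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4};
    y -= m < 3;
    return (y + y / 4 - y / 100 + y / 400 + t[m - 1] + d) % 7;
}

int main(void)
{
    static const char *names[] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
    CmosRtc r;
    if (!cmos_decode_rtc(kCmosDump, sizeof kCmosDump, &r)) return 1;
    printf("checksum stored %04x computed %04x -> %s\n",
           cmos_stored_checksum(kCmosDump, sizeof kCmosDump),
           cmos_compute_checksum(kCmosDump, sizeof kCmosDump),
           cmos_checksum_ok(kCmosDump, sizeof kCmosDump) ? "ok" : "MISMATCH");
    printf("rtc %04d-%02d-%02d %02d:%02d:%02d (%s, weekday register %d)\n",
           r.year, r.month, r.day, r.hour, r.minute, r.second,
           names[weekday_from_date(r.year, r.month, r.day)], r.weekday_reg);
    printf("base memory %u KB\n", cmos_base_memory_kb(kCmosDump, sizeof kCmosDump));
    return 0;
}
```

on the post's dump the checksum works out to 0x14ba, which is exactly what sits at 0x2e/0x2f, the clock decodes to 2013-01-25 13:13:41 (status register B = 0x42 means BCD, 24-hour), and base memory is 640 KB. the date is a Friday; with the datasheet's Sunday = 1 numbering the weekday register would read 6, yet it holds 5, which is why the code derives the weekday rather than trusting the register.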

you can also check the result against time /t & date /t run alongside this binary

13:19
25/01/2013

RTCSeconds = 11
RTCMinutes = 19
RTCHours = 13
RTCDayofWeek = 05
RTCDateDay = 25
RTCDateMonth = 01
RTCDateYear = 13


nice and clean, isn't it ?
windbg itself doesn't seem to be able to display this
no, don't get me wrong: i just now, during research for this article, learnt that windbg does have the functionality to retrieve and display this (i tried coaxing windbg into displaying it, but either i must have been doing something wrong
or this functionality is truly broken in windbg)

to make windbg display this you need to open the memory window (gui only), right click, choose properties on the memory window, select the BUS tab and provide it the bus / slot / offset details

a screen shot below

http://www.woodmann.com/forum/attachment.php?attachmentid=2712

also attached are the files used to compile this; open the bat file and read it before building
LKDCMOS.zip