
View Full Version : windbg and SSDT


WaxfordSqueers
July 6th, 2013, 14:29
I am a novice with WinDbg, so please go easy on me.

I was poking through the SSDT and came across addresses that seemed odd with no accompanying functions.

Check out bad60b30, which I have partly dumped below the SSDT info.

Does this seem normal to you more experienced types, or is it something that needs further attention?

Code:
804e26a8 8058fdf5 nt!NtAcceptConnectPort
804e26ac 805790f1 nt!NtAccessCheck
804e26b0 80587999 nt!NtAccessCheckAndAuditAlarm
804e26b4 80591130 nt!NtAccessCheckByType
804e26b8 8058da83 nt!NtAccessCheckByTypeAndAuditAlarm
804e26bc 8063807e nt!NtAccessCheckByTypeResultList
804e26c0 8063a207 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804e26c4 8063a250 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804e26c8 8057a6e4 nt!NtAddAtom
804e26cc 80649047 nt!NtQueryBootOptions
804e26d0 80637835 nt!NtAdjustGroupsToken
804e26d4 8058d0a1 nt!NtAdjustPrivilegesToken
804e26d8 8062f97c nt!NtAlertResumeThread
804e26dc 8057abcd nt!NtAlertThread
804e26e0 80588928 nt!NtAllocateLocallyUniqueId
804e26e4 806268ff nt!NtAllocateUserPhysicalPages
804e26e8 805dd3c9 nt!NtAllocateUuids
804e26ec bad60b30
804e26f0 805d9767 nt!NtAreMappedFilesTheSame
804e26f4 805a24ba nt!NtAssignProcessToJobObject
804e26f8 804e2cb4 nt!NtCallbackReturn
804e26fc 8064905b nt!NtModifyBootEntry


lkd> db bad60b30
bad60b30 55 8b ec 81 ec 04 02 00-00 8b 0d 90 30 d6 ba 56 U...........0..V
bad60b40 57 8b 7d 08 8b 11 8d 45-08 6a 00 50 6a 00 52 68 W.}....E.j.Pj.Rh
bad60b50 80 00 00 00 57 ff 15 38-30 d6 ba 85 c0 0f 85 bb ....W..80.......
bad60b60 00 00 00 8b 45 08 03 05-00 42 d6 ba 8b 00 89 45 ....E....B.....E
bad60b70 fc a1 dc 40 d6 ba 85 c0-0f 84 97 00 00 00 e8 37 ...@...........7
bad60b80 1a 00 00 3b 45 fc 0f 84-89 00 00 00 8d 85 fc fe ...;E...........
bad60b90 ff ff 50 e8 68 f7 ff ff-8b 55 08 8d 8d fc fd ff ..P.h....U......
bad60ba0 ff 51 52 e8 98 f7 ff ff-8d 85 fc fd ff ff 50 6a .QR...........Pj

lkd> u bad60b30

bad60b30 55 push ebp
bad60b31 8bec mov ebp,esp
bad60b33 81ec04020000 sub esp,204h
bad60b39 8b0d9030d6ba mov ecx,dword ptr ds:[0BAD63090h]
bad60b3f 56 push esi
bad60b40 57 push edi
bad60b41 8b7d08 mov edi,dword ptr [ebp+8]
bad60b44 8b11 mov edx,dword ptr [ecx]

Kayaker
July 6th, 2013, 19:12
Hooked NtAllocateVirtualMemory (Id 0x11) on XP, from the looks of it, I believe.

http://j00ru.vexillium.org/ntapi/
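
How that index is read off the dump, as an added example (not code posted by anyone in this thread): each KiServiceTable slot on 32-bit XP is a 4-byte absolute pointer, so a slot's service index is its byte distance from the table base divided by 4, and 804e26ec sits 0x44 bytes past 804e26a8, giving 0x11. The script below parses the `dps`-style lines from the first post, flags every slot that does not resolve to an `nt!` symbol (optionally also any target outside a caller-supplied ntoskrnl range, which is an assumed parameter, not something the thread gives), and names index 0x11 from Kayaker's identification. It assumes the dump begins at slot 0.

```python
"""Flag SSDT slots that do not resolve to an nt! symbol in a WinDbg dump.

Added example for this thread, not code posted in it. It parses the
"<slot> <target> [symbol]" lines that `dps` prints for KiServiceTable and
computes each slot's service index from its distance to the table base,
which is how the "Id 0x11" for the unresolved slot is obtained.
"""
import re

# Constructed sample: the slots posted in the thread (32-bit XP). The first
# line is assumed to be slot 0 of KiServiceTable (nt!NtAcceptConnectPort).
SAMPLE_DUMP = """\
804e26a8 8058fdf5 nt!NtAcceptConnectPort
804e26ac 805790f1 nt!NtAccessCheck
804e26b0 80587999 nt!NtAccessCheckAndAuditAlarm
804e26b4 80591130 nt!NtAccessCheckByType
804e26b8 8058da83 nt!NtAccessCheckByTypeAndAuditAlarm
804e26bc 8063807e nt!NtAccessCheckByTypeResultList
804e26c0 8063a207 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804e26c4 8063a250 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804e26c8 8057a6e4 nt!NtAddAtom
804e26cc 80649047 nt!NtQueryBootOptions
804e26d0 80637835 nt!NtAdjustGroupsToken
804e26d4 8058d0a1 nt!NtAdjustPrivilegesToken
804e26d8 8062f97c nt!NtAlertResumeThread
804e26dc 8057abcd nt!NtAlertThread
804e26e0 80588928 nt!NtAllocateLocallyUniqueId
804e26e4 806268ff nt!NtAllocateUserPhysicalPages
804e26e8 805dd3c9 nt!NtAllocateUuids
804e26ec bad60b30
804e26f0 805d9767 nt!NtAreMappedFilesTheSame
804e26f4 805a24ba nt!NtAssignProcessToJobObject
804e26f8 804e2cb4 nt!NtCallbackReturn
804e26fc 8064905b nt!NtModifyBootEntry
"""

# Service names by XP index, as identified in the thread via j00ru's table;
# only the one entry the thread establishes is included here.
XP_SERVICE_NAMES = {0x11: "NtAllocateVirtualMemory"}

PTR_SIZE = 4  # 32-bit XP: each KiServiceTable slot is an absolute pointer

_DPS_LINE = re.compile(r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?\s*$", re.I)


def parse_dps(text):
    """Return [(slot_address, target_address, symbol_or_None), ...]."""
    entries = []
    for line in text.splitlines():
        m = _DPS_LINE.match(line)
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries


def service_index(slot_address, table_base):
    """Index of a slot: byte distance from the table base over the slot size."""
    return (slot_address - table_base) // PTR_SIZE


def find_hooks(entries, table_base=None, kernel_range=None):
    """Return slots whose target has no nt! symbol or lies outside kernel_range.

    kernel_range is an assumed optional (lo, hi) pair for the ntoskrnl image;
    a target outside it is flagged even when a symbol was printed.
    """
    if table_base is None:
        table_base = entries[0][0]  # assumption: the dump starts at slot 0
    hooks = []
    for slot, target, symbol in entries:
        resolved_to_nt = symbol is not None and symbol.startswith("nt!")
        in_kernel = kernel_range is None or kernel_range[0] <= target < kernel_range[1]
        if resolved_to_nt and in_kernel:
            continue
        idx = service_index(slot, table_base)
        hooks.append({
            "index": idx,
            "slot": slot,
            "target": target,
            "symbol": symbol,
            "expected": XP_SERVICE_NAMES.get(idx, "unknown (look up the index in j00ru's table)"),
        })
    return hooks


if __name__ == "__main__":
    for h in find_hooks(parse_dps(SAMPLE_DUMP)):
        print("slot %08x (index 0x%02x, %s) -> %08x, symbol=%s"
              % (h["slot"], h["index"], h["expected"], h["target"], h["symbol"]))
```

To feed it a real dump rather than the sample, `dps nt!KeServiceDescriptorTable L4` in the debugger shows the descriptor's fields (table base first, service count third), and `dps` over that base for that many slots produces lines in the format parsed above. The 4-byte absolute-pointer layout is specific to 32-bit kernels; the x64 KiServiceTable stores relative offsets, so this decoding does not apply there without changes.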

WaxfordSqueers
July 7th, 2013, 01:32
Quote (Originally Posted by Kayaker):
Hooked NtAllocateVirtualMemory (Id 0x11) on XP, from the looks of it, I believe.

http://j00ru.vexillium.org/ntapi/


Thanks there, Kayaker. Tracked it down in trusty old ice. Seems to be hooked by hcmon.sys, a VMware USB monitor for VM Player.

It was kind of stupid how I picked it up. I am still working the same problem with tracking notepad down to the MFT level. It happens via Shell32.dll and Shlwapi.dll mainly and there is a call from shell32 to k32!readfile. Unfortunately, something is loading notepad into the file cache and it gets read from there, so I tried loading every app I could to see if it would overwrite the cache. Normally, I don't use VM Player.