Can't see WIN32K with SoftIce?


bilbo
June 14th, 2004, 11:44
Platform: Windows XP SP1; DriverStudio 3.1.
Tried to look at some WIN32k Data/Code.
No success. Code is INVALID, Data is ????????.
"mod win32k" gives BF800000, but PEheader pointer is 00000000.
Has anyone experienced such an oddity?

Cheers, Bilbo.

Maybe paged out because too big? But PAGEIN does not work...

Kayaker
June 14th, 2004, 12:07
Hi

What do you get if you try it from the context of a user mode program which has a GUI component and has partially loaded enough to register some of its window classes / create its controls? Under these conditions win32k.sys should have kicked in by now, I would think.

K.

bilbo
June 15th, 2004, 01:36
Thanks, Kayaker, I could have thought of it myself. I fell again on the "context" subject.

Furthermore, the Microsoft Kernel Debugger (kd -kl) has the same behaviour.
On the other hand, Russinovich's LIVEKD shows win32k address space without problems.

Best regards, Bilbo.

darawk
January 31st, 2008, 14:59
I believe this is due to the fact that win32k.sys' information is generally zeroed out in the PsLoadedModuleList. Only the driver name/path fields seem to contain any information. Russinovich's tool probably gets the DRIVER_OBJECT from the \Drivers\ folder in the object manager, which does contain correct information for Win32k.sys. I don't know why this is the case, but it seems to be on all Windows systems I've seen.

JMI
January 31st, 2008, 18:01
Did you, perhaps, look at the date of the Post you are apparently attempting to answer???

Regards,

darawk
January 31st, 2008, 18:18
Oops, sorry. I saw it in the little "related threads" box at the bottom of another thread and clicked over to it. I didn't even notice the dates.

Kayaker
January 31st, 2008, 18:19
Doesn't matter the date, it's still good info.

JMI
January 31st, 2008, 20:23
Point taken.

Regards,

blabberer
February 2nd, 2008, 13:25
Want to take one more point in this old thread?

Code:

Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.050928-1517
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553320
Debug session time: Sat Feb 2 18:22:53.860 2008 (GMT+0)
System Uptime: 0 days 2:28:42.394
!process 0 0 winlogon.exe
PROCESS 8462b4d8 SessionId: 0 Cid: 024c Peb: 7ffde000 ParentCid: 0200
DirBase: 0fd80060 ObjectTable: e15aea18 HandleCount: 317.
Image: winlogon.exe

lkd> .process /p 8462b4d8
Implicit process is now 8462b4d8
lkd> .reload /f win32k.sys
x win32k!NtGdiCreateEllipticRgn
bf937803 win32k!NtGdiCreateEllipticRgn = <no type information>
lkd>

So context is needed in lkd too.
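The check the thread converges on, written out as an added kd/lkd command sequence (not posted by anyone in the thread). It assumes an XP-era target where win32k.sys is mapped in session space and that a winlogon.exe process exists in the session of interest; the placeholder EPROCESS address must be taken from the !process output.

```windbg
$$ Added example, not from the thread: tell "wrong address-space context"
$$ apart from "paged out", then recover win32k.sys by switching context.
$$ Assumption: win32k.sys is session-space mapped (XP-era kernel).

$$ 1. From an arbitrary context: the module list knows the image base
$$    (cf. "mod win32k" = BF800000 in SoftIce) but the pages decode as invalid.
lm m win32k
!pte win32k
$$    If !pte reports the address as not valid here, the image is not paged
$$    out; the current process simply does not map that session's memory.

$$ 2. Pick a process that lives in the target session (winlogon.exe here).
!process 0 0 winlogon.exe

$$ 3. Switch the implicit process AND page-table translation (/p) to it,
$$    then force a symbol reload now that the image bytes are readable.
.process /p <EPROCESS address from step 2, e.g. 8462b4d8 in the thread>
.reload /f win32k.sys

$$ 4. Verify in the new context: symbols resolve, the PTE is valid, and
$$    code disassembles instead of reading as INVALID / ????????.
x win32k!NtGdiCreateEllipticRgn
!pte win32k
u win32k!NtGdiCreateEllipticRgn L4

$$ 5. Optional cross-check of darawk's observation: list the object manager's
$$    driver directory and compare any win32k entry with the lm output above.
!object \Driver
```

Step 1 run before and step 4 run after the switch are the same two commands; the difference in their output is the whole diagnosis.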