Kayaker
October 13th, 2004, 02:25
Hello Mr. Baggins:
That was very useful info. It appears a bit of bit mapping is in order on those flags; there seem to be only a half dozen or so combinations of Highword values. For reference, the Flags for user processes are consistently 0710000x on Win2k.
There seems to be a small problem with that Vaddump app with version compatibility, and it won't run on my system, but it's nice to have the full source.
I had another look at the QUERY command in Softice trying to find where the hell that [EPROCESS+194h] = VadRoot instruction was. As you may have discovered, you can't confirm it from a static disassembly alone (you can't get there from here).
At the start of the QUERY command, Sice uses a function to get certain variables from the current EPROCESS structure. This is a bit of a global function that's used half a dozen times in Sice code. It gets the current context (KPEB) from a global variable and parses the EPROCESS structure (KPEB in Sice) for various fields to store in an internal structure. It does some of this indirectly, by adding to the EPROCESS address offsets it gets from variables in its data section. You need to be in a process context, not a system context, to see the correct values of these offsets after they are initialized. Some of the data fields seem to be initialized to non-zero as seen in IDA, but this is bogus, they change at runtime.
With some checking I was able to determine Sice gets the following fields:
Directly indexed it gets a bunch of KPROCESS fields including
[EPROCESS+18h] = KPROCESS.DirectoryTableBase
Indirectly indexed (runtime values) it gets
[EPROCESS+194] = VadRoot
[EPROCESS+128] = ObjectTable
[EPROCESS+1B0] = PEB
[EPROCESS+9C] = UniqueProcessId
[EPROCESS+1FC] = ImageFileName
Here's the start of the Softice QUERY command for ntice 4.31, some of the definitions are originals from The Owl.
Code:
:00032A10 c_Query: ; DATA XREF: .data:001112BD
:00032A10 55 push ebp
:00032A11 8B EC mov ebp, esp
:00032A13 BE A2 F7 10 00 mov esi, offset bUserCommand
:00032A18 E8 2C 75 03 00 call pSkipWord
:00032A1D 73 14 jnb short loc_32A33
:00032A1F BB EA F6 0E 00 mov ebx, offset buff_Eprocess
:00032A24 8B 15 FF 16 0F 00 mov EDX, dCurrentContext
; = KPEB = EPROCESS (= KPROCESS)
:00032A2A E8 EA F8 FF FF call Get_EPROCESS_Fields
...
And the start of the function:
:00032319 Get_EPROCESS_Fields proc near
:00032319 60 pusha
:0003231A 89 13 mov [ebx], EDX ; EPROCESS(KPEB)
:0003231C 8D 7A 18 lea edi, [edx+18h] ; KPROCESS.DirectoryTableBase
:0003231F E8 BF B0 03 00 call pMOV_EAX_EDI
:00032324 0F 82 0A 01 00 00 jb loc_32434
:0003232A 89 43 08 mov [ebx+8], eax
:0003232D 8B FA mov edi, EDX
:0003232F 03 3D 76 F7 0E 00 add edi, dword_EF776 ; 194h EPROCESS.VadRoot
:00032335 E8 A9 B0 03 00 call pMOV_EAX_EDI
...
The VadRoot is parsed later on to output to the command window, recognized by the
shl eax, cl
instructions which are the Address Range (*VPN<<0xC) Bilbo mentioned.
Ahh, the fun of exploring YAMS (Yet Another MS Structure...)
Regards,
Kayaker
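An added example to go with the post above; it is not code from Kayaker, The Owl or SoftICE. It reads the Win2k EPROCESS fields listed in the post from a raw process image by offset, then walks a VAD tree and turns VPNs into address ranges with the VPN << 0xC shift that the shl eax, cl instructions perform. The Vad struct is an assumed, simplified stand-in for MMVAD (only the VPN and child fields are modelled) and all input data is constructed.

```c
/* Added example, not from the post or SoftICE: read the EPROCESS fields listed
 * above from a raw process image and walk a VAD tree, turning VPNs into address
 * ranges with the VPN << 0xC shift. Vad is a simplified stand-in for MMVAD
 * (assumed: only VPN and child fields are modelled); all data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Win2k EPROCESS offsets SoftICE reads, per the post */
enum { EP_DIRTABLEBASE = 0x018, EP_UNIQUEPID = 0x09C, EP_OBJECTTABLE = 0x128,
       EP_VADROOT = 0x194, EP_PEB = 0x1B0, EP_IMAGEFILENAME = 0x1FC };
#define PAGE_SHIFT 0xC  /* the cl in "shl eax, cl" */
typedef struct Vad {
    uint32_t StartingVpn, EndingVpn;       /* virtual page numbers, not addresses */
    struct Vad *LeftChild, *RightChild;
} Vad;

/* Fetch a 32-bit field from a raw EPROCESS image by offset (unaligned-safe) */
static uint32_t ep_field(const uint8_t *ep, size_t off) {
    uint32_t v; memcpy(&v, ep + off, sizeof v); return v;
}

/* One VAD covers the first byte of StartingVpn through the last byte of EndingVpn */
static uint32_t vad_start(const Vad *v) { return v->StartingVpn << PAGE_SHIFT; }
static uint32_t vad_end(const Vad *v)   { return (v->EndingVpn << PAGE_SHIFT) | 0xFFF; }

/* In-order walk yields ranges sorted by address; returns number stored */
static int walk_vads(const Vad *v, uint32_t *s, uint32_t *e, int n, int max) {
    if (!v || n >= max) return n;
    n = walk_vads(v->LeftChild, s, e, n, max);
    if (n < max) { s[n] = vad_start(v); e[n] = vad_end(v); n++; }
    return walk_vads(v->RightChild, s, e, n, max);
}

/* Constructed tree: root 0x7FFD0000-0x7FFDFFFF (16 pages), left child one page
 * at 0x00010000, right child one page at 0x7FFE0000 */
static Vad *sample_vad_tree(void) {
    static Vad left = { 0x00010, 0x00010, NULL, NULL }, right = { 0x7FFE0, 0x7FFE0, NULL, NULL };
    static Vad root = { 0x7FFD0, 0x7FFDF, &left, &right };
    return &root;
}

int main(void) {
    uint8_t ep[0x200] = {0}; uint32_t pid = 0x3AC, vadroot = 0x81234560; /* constructed */
    memcpy(ep + EP_UNIQUEPID, &pid, 4); memcpy(ep + EP_VADROOT, &vadroot, 4);
    printf("PID %lX  VadRoot %08lX\n", (unsigned long)ep_field(ep, EP_UNIQUEPID),
           (unsigned long)ep_field(ep, EP_VADROOT));
    uint32_t s[8], e[8]; int n = walk_vads(sample_vad_tree(), s, e, 0, 8);
    for (int i = 0; i < n; i++) printf("%08lX - %08lX\n", (unsigned long)s[i], (unsigned long)e[i]);
    return 0;
}
```

The in-order walk is what makes the ranges come out sorted the way the QUERY output lists them; on a real Win2k VAD tree the node layout and balancing details differ from this stand-in.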