Disassembling a kernel function


1bitshort
October 31st, 2005, 02:47
I need to disassemble a kernel function (just disassemble, not debug in realtime). Can this be done with Ollydbg or IDA?

For example here is ZwTerminateProcess in ntdll.dll as seen from Ollydbg:
7C90E88E > B8 01010000 MOV EAX,101
7C90E893 BA 0003FE7F MOV EDX,7FFE0300
7C90E898 FF12 CALL DWORD PTR DS:[EDX]
7C90E89A C2 0800 RETN 8
Ollydbg can disassemble this code because it's user mode, but when the CALL is made it goes to kernel mode and Ollydbg can't debug there. If I made a copy of ntdll.dll would I be able to disassemble from that? I know that the CALL doesn't go directly to the kernel TerminateProcess function but rather to a handler that checks the value of eax (101 in this case) and then calls the related kernel function.

Has anyone done this before or know how to?
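The four instructions pasted above are the whole user-mode side of the call: ntdll never contains the kernel routine, only a stub that puts the system service number in EAX and calls through the dispatcher pointer held in SharedUserData (the 7FFE0300 address in the listing). The decoder below is an added example written for this thread, not code posted by anyone in it; it parses that stub shape, recovers the service number and the argument count from the RETN operand, and reports a stub that does not match the expected shape, which is the same check a defender runs to spot an inline-hooked ntdll export. The byte strings are constructed from the opcodes shown in the post.

```python
import struct

# SystemCall pointer inside KUSER_SHARED_DATA on 32-bit Windows XP, the value
# loaded into EDX by the stub in the post.
SHARED_USER_DATA_SYSCALL = 0x7FFE0300

# Constructed from the OllyDbg listing above: B8 01010000 / BA 0003FE7F / FF12 / C2 0800
ZW_TERMINATE_PROCESS_STUB = bytes.fromhex("B801010000BA0003FE7FFF12C20800")

# Constructed sample of a stub whose first instruction has been replaced by a
# relative JMP (E9 rel32); the service number and dispatcher call are gone.
HOOKED_STUB = bytes.fromhex("E900000000BA0003FE7FFF12C20800")


def decode_syscall_stub(code: bytes) -> dict:
    """Parse the XP-era ntdll Zw*/Nt* stub:

         B8 imm32        mov eax, <system service number>
         BA 00 03 FE 7F  mov edx, 7FFE0300h   (SharedUserData!SystemCall)
         FF 12           call dword ptr [edx]
         C2 imm16        retn <bytes to pop>  (C3 for zero-argument services)

    Returns the service number, the stack bytes cleaned up on return and the
    implied argument count.  Raises ValueError when the bytes do not have this
    shape, so a caller can flag patched or unknown stubs instead of guessing.
    """
    if len(code) < 13:
        raise ValueError("stub too short")
    if code[0] != 0xB8:
        raise ValueError("expected 'mov eax, imm32' at stub start")
    service = struct.unpack_from("<I", code, 1)[0]

    if code[5] != 0xBA:
        raise ValueError("expected 'mov edx, imm32' after the service number")
    dispatcher = struct.unpack_from("<I", code, 6)[0]
    if dispatcher != SHARED_USER_DATA_SYSCALL:
        raise ValueError(f"unexpected dispatcher pointer 0x{dispatcher:08X}")

    if code[10:12] != b"\xFF\x12":
        raise ValueError("expected 'call dword ptr [edx]'")

    if code[12] == 0xC3:                      # retn, no arguments
        stack_bytes = 0
    elif code[12] == 0xC2 and len(code) >= 15:  # retn imm16
        stack_bytes = struct.unpack_from("<H", code, 13)[0]
    else:
        raise ValueError("expected 'retn' or 'retn imm16' after the call")

    return {"service": service, "stack_bytes": stack_bytes, "args": stack_bytes // 4}


def is_well_formed_stub(code: bytes) -> bool:
    """True when the bytes look like an unmodified syscall stub."""
    try:
        decode_syscall_stub(code)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = decode_syscall_stub(ZW_TERMINATE_PROCESS_STUB)
    print(f"service 0x{info['service']:X}, {info['args']} stack arguments")
    print("hooked sample well-formed:", is_well_formed_stub(HOOKED_STUB))
```

For the listing in the post this yields service number 0x101 with two stack arguments (the handle and the exit status), which is why every Zw* stub in ntdll looks alike: only the EAX value and the RETN operand differ. The shape is specific to 32-bit XP-era stubs; later builds use different dispatcher sequences, so a checker meant for another Windows version needs the stub pattern of that version.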

arboc
October 31st, 2005, 02:58
in ntoskrnl.exe it's the function ZwTerminateProcess, read these to know more about it:
http://www.codeguru.com/Cpp/W-P/system/devicedriverdevelopment/article.php/c8035/
http://www.codeguru.com/Cpp/misc/misc/system/article.php/c8223

blabberer
November 7th, 2005, 12:18
if you are interested only in disassembling a kernel function but don't want to debug it and don't have two machines

you can use windbg (available from ms for free) and then get livekd from sysinternals

now with the above combination you can disassemble any kernel function without problems

after successful installation of windbg
unzip the livekd package too into the windbg dir
then open command prompt and navigate to the dir

when you are there
c:\your path\livekd -w
-w is to activate windbg (gui screen); without -w you will have a console window only
it would ask you if you want to set up the path for pdbs
(i would suggest you get them, it makes life very very much easier wading through those weird mmprobeforphysinkernel functions, but you would need an active internet connection if you want to fetch those pdbs from
ms servers)

now to disassemble
try uf nt!ZwTerminateProcess (uf == unassemblefull)
would show you the complete disassembly of the whole
ZwTerminateProcess() call

pretty nifty, but you would need to persist and grow with its
awkward gui; if you persist, windbg is a very very useful tool
to have in your debugging arsenal

and after that if you have two machines you can delve into live debugging of those kernel functions

Epsylon3
November 7th, 2005, 12:22
You can also use VMWare to do that... but never tried...