
WINDBG


Ricardo Narvaja
August 30th, 2006, 11:21
I'm starting to work with WinDbg and VMware, and I'm learning how to use both.

I change the context and look at the PTE of the program with

!pte 401000

and WinDbg responds with the PTE for this VA. When I change the permission of this VA with a ring 3 tool that uses VirtualProtectEx, the PTE is changed, but if I make the same change by hand, editing the value of the PTE, VMware reboots and tells me ILLEGAL PTE or so. Is there a method to change it manually correctly, without making a mess, hehe?

Ricardo Narvaja
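
The point behind the ILLEGAL PTE question is which bits a protection change is allowed to touch. The following is an added example, not code from the thread or from any of the tools mentioned in it: it decodes a 32-bit x86 (non-PAE) 4 KB page-table entry the way !pte prints it, applies the only change a read-only/read-write switch should make (the R/W bit), and shows what clearing the Valid bit by hand does to the entry. The hardware bit positions are the architectural ones; the PFN value is constructed; the interpretation of bits 10 and 11 as Windows' prototype/transition markers in an invalid PTE is assumed from the MMPTE layouts described in Windows Internals and is not something the thread states.

```c
/* Added example: decode and edit an x86 non-PAE 4 KB PTE.
 * Hardware bit layout per the Intel SDM. Software-PTE bits (meaningful only
 * when Valid == 0) are an ASSUMPTION taken from the MMPTE layouts in Windows
 * Internals, not from the thread. */
#include <stdint.h>
#include <stdio.h>

#define PTE_VALID     (1u << 0)   /* P: hardware walks this entry          */
#define PTE_WRITE     (1u << 1)   /* R/W: the only bit a RO<->RW change moves */
#define PTE_USER      (1u << 2)   /* U/S                                    */
#define PTE_PWT       (1u << 3)
#define PTE_PCD       (1u << 4)
#define PTE_ACCESSED  (1u << 5)
#define PTE_DIRTY     (1u << 6)
#define PTE_PAT       (1u << 7)
#define PTE_GLOBAL    (1u << 8)
#define PTE_PFN_MASK  0xFFFFF000u /* no NX bit in non-PAE x86: "execute" is not representable */

/* ASSUMED Windows software-PTE markers, valid only when PTE_VALID == 0. */
#define SWPTE_PROTOTYPE  (1u << 10)
#define SWPTE_TRANSITION (1u << 11)

enum pte_kind { PTE_HW_VALID, PTE_ZERO, PTE_SW_PROTOTYPE, PTE_SW_TRANSITION, PTE_SW_PAGEFILE };

/* How the pager would read the entry once bit 0 is clear. */
enum pte_kind classify_pte(uint32_t pte) {
    if (pte & PTE_VALID) return PTE_HW_VALID;
    if (pte == 0)        return PTE_ZERO;          /* demand-zero / untouched */
    if (pte & SWPTE_PROTOTYPE)  return PTE_SW_PROTOTYPE;
    if (pte & SWPTE_TRANSITION) return PTE_SW_TRANSITION;
    return PTE_SW_PAGEFILE;  /* PFN field is now read as a pagefile offset */
}

uint32_t pte_pfn(uint32_t pte) { return pte >> 12; }

/* The change VirtualProtect makes on a resident page for RO<->RW:
 * only R/W moves; Valid, U/S and the PFN stay. Returns 0 when the entry is
 * not a hardware-valid PTE, because a software PTE does not have this layout. */
uint32_t pte_set_writable(uint32_t pte, int writable) {
    if (!(pte & PTE_VALID)) return 0;
    return writable ? (pte | PTE_WRITE) : (pte & ~PTE_WRITE);
}

/* The hand edit from the post: clearing bit 0 does not mean "no access",
 * it changes what kind of entry the kernel thinks it is looking at. */
uint32_t pte_clear_valid(uint32_t pte) { return pte & ~PTE_VALID; }

static void print_pte(uint32_t va, uint32_t pte) {
    static const char *kinds[] = { "valid", "zero", "prototype", "transition", "pagefile" };
    printf("VA %08x PTE %08x pfn %05x %c%c%c%c%c kind=%s\n", va, pte, pte_pfn(pte),
           (pte & PTE_VALID) ? 'V' : '-', (pte & PTE_WRITE) ? 'W' : 'R',
           (pte & PTE_USER) ? 'U' : 'K', (pte & PTE_ACCESSED) ? 'A' : '-',
           (pte & PTE_DIRTY) ? 'D' : '-', kinds[classify_pte(pte)]);
}

int main(void) {
    /* Constructed value: user-mode RW page at 0x401000 backed by PFN 0x1a2b3. */
    uint32_t pte = (0x1a2b3u << 12) | PTE_VALID | PTE_WRITE | PTE_USER | PTE_ACCESSED | PTE_DIRTY;
    print_pte(0x401000, pte);                        /* 1a2b3067, valid  */
    print_pte(0x401000, pte_set_writable(pte, 0));   /* 1a2b3065, still valid */
    print_pte(0x401000, pte_clear_valid(pte));       /* 1a2b3066, read as pagefile PTE */
    return 0;
}
```

The safe manual edit therefore keeps bit 0 set and touches only R/W (or U/S) in a valid entry; anything that clears bit 0 hands the remaining 31 bits to the pager under a different format, and flushing the TLB for that VA is still needed after the edit for the change to be observed.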

blabberer
August 31st, 2006, 01:14
Are you trying to change the protection status of a page,

like you would do in VirtualProtect()

!vadump shows PAGE_READWRITEEXECUTE
and you now want to change it to PAGE_NOACCESS, something like that?

Or !vprot Address shows PAGE_WHATEVER
and you'd like to change it to PAGE_RICARDO?

you can get an extension written by skywing

it has got a wrapper to change page attributes

!VPROTECT

http://www.nynaeve.net/?p=7
http://www.nynaeve.net/?p=6

It has also got a few other extensions that make sourceless debugging a little easier to deal with,

like handles (the handle window in OllyDbg):
!HWND

Also, one nice feature is that you can import a map file from IDA to be able to
load it in WinDbg: !loadsym or something similar.

use !sdbgext.help for detailed help

You have to be in your debuggee's thread before you can enumerate
the HWNDs.

For example, if you used Ctrl+Break to pause WinDbg,

WinDbg will be in the thread which caused the exception
and not in the debuggee's primary thread.

You can find out how many threads are running
by hitting ~

When you are in your debuggee's thread,

you can do !hwnd etc.

Hope that's what you are looking for.

Ricardo Narvaja
August 31st, 2006, 09:05
I have this extension, SDbgExt, but it doesn't work in kernel debugging. I change the context of the process to the desired one, select the thread, and load the extension, and it gives me an error. I'll try again and tell you the exact error.

Ricardo

Ricardo Narvaja
August 31st, 2006, 09:58
kd> .PROCESS /p 80e43380
Implicit process is now 80e43380
.cache forcedecodeuser done
kd> !thread
THREAD 80559320 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
Owning Process 80559580 Image: Idle
Wait Start TickCount 0 Ticks: 13969 (0:00:03:38.265)
Context Switch Count 2659
UserTime 00:00:00.0000
KernelTime 00:01:03.0218
Stack Init 80550b80 Current 805508cc Base 80550b80 Limit 8054db80 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
8055084c 804e38a2 00000001 fff0bd02 000000d1 nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
8055084c 806f59aa 00000001 fff0bd02 000000d1 nt!KeUpdateSystemTime+0x165 (FPO: [0,2] TrapFrame @ 80550860)
WARNING: Frame IP not in any known module. Following frames may be wrong.
805508d0 804dc0d7 00000000 0000000e 00000000 0x806f59aa
805508d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x10 (FPO: [0,0,0])

kd> !vadump

gives no response

kd> !vprotect 401000 8000 PAGE_READWRITE
Usage: !vprotect <address> <size> <protect>
VirtualProtectEx failed: 87

kd> !vprotect 401000 8000 R
Usage: !vprotect <address> <size> <protect>
VirtualProtectEx failed: 87

I don't know; the protect parameter is not explained. I tried different ones, but it always says failed: 87.

Ricardo

Ricardo Narvaja
August 31st, 2006, 10:01
I think that in kernel debugging with two machines there are no privileges to change the memory of the debugged machine; maybe the 87 error is for this reason.

Ricardo

Ricardo Narvaja
August 31st, 2006, 10:03
kd> !vprot 401000
ERROR: !vprot: extension exception 0x80004001.
"QueryVirtual failed"

Ricardo Narvaja
August 31st, 2006, 10:29
ERROR_INVALID_PARAMETER equ 87

Maybe it is the numerical value of the desired protection. I'll try.

Ricardo
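
For the !vprotect attempts above, the one thing that can be checked offline is what VirtualProtectEx itself accepts as a protection value. The following is an added example, not SDbgExt's code and not from the thread: the Win32 PAGE_* constants, a small parser for the names and hex numbers one would type at a kd> prompt (WinDbg's default radix is hex, so bare digits are read as hex), and a checker that applies the combination rules documented for the flNewProtect argument. A value that fails those rules is the documented cause of ERROR_INVALID_PARAMETER (87); whether the extension validated the argument itself before calling the API is not known from the thread and is not assumed here.

```c
/* Added example: parse and validate a VirtualProtectEx protection value.
 * Constants and combination rules follow the documented Win32 memory
 * protection constants; nothing here is SDbgExt's own code. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#define PAGE_NOCACHE           0x200
#define PAGE_WRITECOMBINE      0x400

#define ERROR_SUCCESS            0
#define ERROR_INVALID_PARAMETER 87

static const struct { const char *name; uint32_t value; } page_names[] = {
    { "PAGE_NOACCESS", PAGE_NOACCESS },     { "PAGE_READONLY", PAGE_READONLY },
    { "PAGE_READWRITE", PAGE_READWRITE },   { "PAGE_WRITECOPY", PAGE_WRITECOPY },
    { "PAGE_EXECUTE", PAGE_EXECUTE },       { "PAGE_EXECUTE_READ", PAGE_EXECUTE_READ },
    { "PAGE_EXECUTE_READWRITE", PAGE_EXECUTE_READWRITE },
    { "PAGE_EXECUTE_WRITECOPY", PAGE_EXECUTE_WRITECOPY },
    { "PAGE_GUARD", PAGE_GUARD }, { "PAGE_NOCACHE", PAGE_NOCACHE },
    { "PAGE_WRITECOMBINE", PAGE_WRITECOMBINE },
};

/* Parse "PAGE_READWRITE", "PAGE_READWRITE|PAGE_GUARD", "0x40" or "40"
 * (bare digits are hex, as at a kd> prompt). Returns 0 for any unknown
 * token, so "R" parses to 0 and fails the check below. */
uint32_t parse_protect(const char *s) {
    char buf[128];
    uint32_t result = 0;
    if (strlen(s) >= sizeof buf) return 0;
    strcpy(buf, s);
    for (char *tok = strtok(buf, "|"); tok; tok = strtok(NULL, "|")) {
        int found = 0;
        for (size_t i = 0; i < sizeof page_names / sizeof page_names[0]; i++) {
            if (strcmp(tok, page_names[i].name) == 0) {
                result |= page_names[i].value; found = 1; break;
            }
        }
        if (found) continue;
        const char *p = tok;
        if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) p += 2;
        if (*p == '\0') return 0;
        for (const char *q = p; *q; q++)
            if (!isxdigit((unsigned char)*q)) return 0;
        result |= (uint32_t)strtoul(p, NULL, 16);
    }
    return result;
}

/* Documented rules for flNewProtect: exactly one base protection (low byte),
 * optional PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifiers, no
 * modifier with PAGE_NOACCESS, and NOCACHE / WRITECOMBINE / GUARD never
 * combined with each other. Returns 0 or ERROR_INVALID_PARAMETER. */
int check_protect(uint32_t p) {
    uint32_t base = p & 0xFFu, mods = p & ~0xFFu;
    if (base == 0 || (base & (base - 1)) != 0)           return ERROR_INVALID_PARAMETER;
    if (mods & ~(uint32_t)(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE))
                                                         return ERROR_INVALID_PARAMETER;
    if (base == PAGE_NOACCESS && mods)                   return ERROR_INVALID_PARAMETER;
    if ((mods & PAGE_NOCACHE) && (mods & (PAGE_GUARD | PAGE_WRITECOMBINE)))
                                                         return ERROR_INVALID_PARAMETER;
    if ((mods & PAGE_WRITECOMBINE) && (mods & PAGE_GUARD)) return ERROR_INVALID_PARAMETER;
    return ERROR_SUCCESS;
}

int main(void) {
    /* Constructed inputs, including the two strings typed in the thread. */
    const char *inputs[] = { "PAGE_READWRITE", "R", "0x40", "PAGE_READONLY|PAGE_EXECUTE",
                             "PAGE_NOACCESS|PAGE_GUARD", "PAGE_EXECUTE_READ|PAGE_GUARD" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t v = parse_protect(inputs[i]);
        printf("%-32s -> 0x%03x -> %s\n", inputs[i], v,
               check_protect(v) == ERROR_SUCCESS ? "ok" : "ERROR_INVALID_PARAMETER (87)");
    }
    return 0;
}
```

Note that a well-formed value can still be rejected by the API for reasons this checker cannot see (an address range that is not committed, a size of 0, or PAGE_WRITECOPY on private rather than mapped memory), so passing check_protect only rules out the protection argument as the cause of error 87.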

blabberer
August 31st, 2006, 12:44
!vprot, !vprotect, !vadump: these are all user-mode extensions,

not kd extensions.

BTW, I think you should also do .reload /user

or provide /r in .process Address /p /r

and I don't think kd will be able to know which 0x401000 you are talking about
unless you reload user symbols.

I am not that conversant with two-machine or VMware debugging,
so maybe I am too far off in my comments.

If you are debugging both a user-mode component and a kernel-mode component
using WinDbg, try looking at .breakin.

Start in user mode from WinDbg and then use .breakin to switch control to
kd.

Ricardo Narvaja
August 31st, 2006, 16:31
Thanks, I'll try.

Ricardo