Monday, 19 September 2011

How to find the base address of ntoskrnl with kd or WinDbg

Open kd.exe or WinDbg and attach to the target kernel, for example a VMware guest over a named pipe.


**** struct _KPCR (Kernel Processor Control Region) ****

First locate the KPCR of processor 0: enter "!pcr"

kd> !pcr
KPCR for Processor 0 at ffdff000:
    Major 1 Minor 1
        NtTib.ExceptionList: 805494b0
            NtTib.StackBase: 80549cf0
           NtTib.StackLimit: 80546f00
         NtTib.SubSystemTib: 00000000
              NtTib.Version: 00000000
          NtTib.UserPointer: 00000000
              NtTib.SelfTib: 00000000
                    SelfPcr: ffdff000 <<<<<<<<START _KPCR
                       Prcb: ffdff120
                       Irql: 00000000
                        IRR: 00000000
                        IDR: ffffffff
              InterruptMode: 00000000
                        IDT: 8003f400
                        GDT: 8003f000
                        TSS: 80042000
              CurrentThread: 80552740
                 NextThread: 00000000
                 IdleThread: 80552740
                  DpcQueue:

So _KPCR lives at address 0xffdff000 (the SelfPcr value above). Dump the structure: enter "dt _KPCR ffdff000"

kd> dt _KPCR ffdff000
nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : 0xffdff000 _KPCR
   +0x020 Prcb             : 0xffdff120 _KPRCB
   +0x024 Irql             : 0 ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : 0x80545ab8  <<<<<<<<< it points at _DBGKD_GET_VERSION64
   +0x038 IDT              : 0x8003f400 _KIDTENTRY
   +0x03c GDT              : 0x8003f000 _KGDTENTRY
   +0x040 TSS              : 0x80042000 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 1
   +0x04c StallScaleFactor : 0xa3e
   +0x050 DebugActive      : 0 ''
   +0x051 Number           : 0 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0
   +0x094 HalReserved      : [16] 0
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB

KdVersionBlock (offset 0x34) points to a _DBGKD_GET_VERSION64, so dump it at that address: enter "dt _DBGKD_GET_VERSION64 80545ab8"

kd> dt _DBGKD_GET_VERSION64 80545ab8
nt!_DBGKD_GET_VERSION64
   +0x000 MajorVersion     : 0xf
   +0x002 MinorVersion     : 0xa28
   +0x004 ProtocolVersion  : 6
   +0x006 Flags            : 2
   +0x008 MachineType      : 0x14c
   +0x00a MaxPacketType    : 0xc ''
   +0x00b MaxStateChange   : 0x3 ''
   +0x00c MaxManipulate    : 0x2d '-'
   +0x00d Simulation       : 0 ''
   +0x00e Unused           : [1] 0
   +0x010 KernBase         : 0xffffffff`804d7000  <<<<<< BASE KERNEL
   +0x018 PsLoadedModuleList : 0xffffffff`80553fc0
   +0x020 DebuggerDataList : 0xffffffff`80677ef4

*** TEST: IS IT NTOSKRNL? ****

KernBase should be the start of a mapped PE image, so the first two bytes there must be the "MZ" DOS header. Check with "db":

kd> db 804d7000
804d7000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
804d7010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
804d7020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
804d7030  00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00  ................
804d7040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
804d7050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
804d7060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS
804d7070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......

OK, it is the kernel: the page at 804d7000 starts with "MZ" and the DOS stub ("This program cannot be run in DOS mode"), i.e. a PE image is mapped there, as expected for ntoskrnl.
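The same walk (KPCR -> KdVersionBlock -> KernBase -> MZ check) done programmatically, as an added example that is not part of the original post: this is how a memory-forensics tool would locate the kernel in a 32-bit dump without a live debugger. The read primitive and the sample memory map are constructed here from the values in the kd session above.

```python
import struct

# Fixed x86 _KPCR address and the field offsets shown in the dt output on this page.
KPCR_X86 = 0xFFDFF000          # KPCR for processor 0 on 32-bit XP/2003
OFF_SELFPCR = 0x1C             # _KPCR.SelfPcr
OFF_KDVERSIONBLOCK = 0x34      # _KPCR.KdVersionBlock -> _DBGKD_GET_VERSION64
OFF_KERNBASE = 0x10            # _DBGKD_GET_VERSION64.KernBase (64-bit field)

def make_reader(mem):
    """Turn a {virtual_address: bytes} map into a read(addr, size) primitive.
    In practice this would wrap a raw memory dump or a debugger read (hypothetical)."""
    def read(addr, size):
        for base, blob in mem.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x}")
    return read

def find_kernel_base(read):
    """Walk KPCR -> KdVersionBlock -> KernBase and verify the MZ header, as on the page."""
    self_pcr = struct.unpack("<I", read(KPCR_X86 + OFF_SELFPCR, 4))[0]
    if self_pcr != KPCR_X86:
        raise ValueError("SelfPcr does not point to itself: not an x86 KPCR")
    version_block = struct.unpack("<I", read(KPCR_X86 + OFF_KDVERSIONBLOCK, 4))[0]
    if version_block == 0:
        raise ValueError("KdVersionBlock is NULL (e.g. 64-bit kernel); this walk is x86-only")
    kern_base64 = struct.unpack("<Q", read(version_block + OFF_KERNBASE, 8))[0]
    kern_base = kern_base64 & 0xFFFFFFFF   # 0xffffffff`804d7000 is a sign-extended 32-bit pointer
    if kern_base & 0xFFF:
        raise ValueError(f"KernBase {kern_base:#x} is not page aligned")
    if read(kern_base, 2) != b"MZ":
        raise ValueError(f"no MZ header at {kern_base:#x}")
    return kern_base

def build_sample_memory():
    """Constructed sample memory reproducing the values from the kd session above."""
    kpcr = bytearray(0x120)
    struct.pack_into("<I", kpcr, OFF_SELFPCR, KPCR_X86)
    struct.pack_into("<I", kpcr, OFF_KDVERSIONBLOCK, 0x80545AB8)
    version_block = bytearray(0x28)
    struct.pack_into("<HH", version_block, 0, 0xF, 0xA28)       # MajorVersion, MinorVersion
    struct.pack_into("<Q", version_block, OFF_KERNBASE, 0xFFFFFFFF804D7000)
    mz = b"MZ\x90\x00" + b"\x00" * 12                            # first line of db 804d7000
    return {KPCR_X86: bytes(kpcr), 0x80545AB8: bytes(version_block), 0x804D7000: mz}

if __name__ == "__main__":
    print(f"ntoskrnl base: {find_kernel_base(make_reader(build_sample_memory())):#x}")
```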
