Does anyone have any information on the pointer returned in the lpImageName member of the struct below?
I was parsing it and I always get the value 7FFDE014, and the memory at that address always reads as NULL:
7FFDE014 00 00 00 00 00 E0 FD 7F .....��
Is this image name really filled in by the system when a debugger receives this DEBUG_EVENT? Can I rely on it, or is it another bogus, unreliable value?
/*
 * LOAD_DLL_DEBUG_INFO: payload of a DLL-load debug event (dwDebugEventCode
 * 00000006 in the dumps below), as declared in the Win32 SDK.
 */
typedef struct _LOAD_DLL_DEBUG_INFO {
HANDLE hFile;                  /* handle to the loaded image file; valid in the debugger process (the handle tables below resolve 0x9C / 0xA0 to ntdll.dll / KERNEL32.DLL) */
LPVOID lpBaseOfDll;            /* load address of the DLL in the debuggee (77F50000 / 77E60000 in the dumps) */
DWORD dwDebugInfoFileOffset;   /* offset of the debug information in the file (00000000 in both dumps) */
DWORD nDebugInfoSize;          /* size of that debug information (00000000 in both dumps) */
LPVOID lpImageName;            /* NOTE(review): an address in the DEBUGGEE, not the debugger - never dereference it locally.
                                * It may be NULL; when non-NULL it points to a *pointer* to the name, so both hops must be
                                * read with ReadProcessMemory. In the dumps it holds 7FFDE014 and the first DWORD there reads
                                * 00000000, i.e. the inner pointer is NULL and no name is available. Any name that is present
                                * lives in debuggee-controlled memory and is unvalidated; identify modules by hFile/lpBaseOfDll. */
WORD fUnicode;                 /* non-zero when the name is Unicode (0001 in both dumps) */
} LOAD_DLL_DEBUG_INFO, *LPLOAD_DLL_DEBUG_INFO;
Structure, item 22
Address=0012F54C
Name=u.LoadDll.lpImageName
Type=DWORD
Value=7FFDE014
Here is the filled-in structure (the dump overlays every union member at the same addresses, so only the u.LoadDll.* rows are meaningful for event code 6):
Structure
Address Name Type Value Hex Dump
0012F530 dwDebugEventCode DWORD 00000006
0012F534 dwProcessId DWORD 000001D0
0012F538 dwThreadId DWORD 0000076C
0012F53C u.CreateThread.hThread DWORD 0000009C
0012F540 u.CreateThread.lpThreadLocalBase DWORD 77F50000
0012F544 u.CreateThread.lpStartAddress DWORD 00000000
0012F53C u.CreateProcessInfo.hFile DWORD 0000009C
0012F540 u.CreateProcessInfo.hProcess DWORD 77F50000
0012F544 u.CreateProcessInfo.hThread DWORD 00000000
0012F548 u.CreateProcessInfo.lpBaseOfImage DWORD 00000000
0012F54C u.CreateProcessInfo.dwDebugInfoFileOffset DWORD 7FFDE014
0012F550 u.CreateProcessInfo.nDebugInfoSize DWORD 00000001
0012F554 u.CreateProcessInfo.lpThreadLocalBase DWORD 7FFDE000
0012F558 u.CreateProcessInfo.lpStartAddress DWORD 00401000
0012F55C u.CreateProcessInfo.lpImageName DWORD 00000000
0012F560 u.CreateProcessInfo.fUnicode WORD 0001
0012F53C u.ExitThread.dwExitCode DWORD 0000009C
0012F53C u.ExitProcess.dwExitCode DWORD 0000009C
0012F53C u.LoadDll.hFile DWORD 0000009C
0012F540 u.LoadDll.lpBaseOfDll DWORD 77F50000
0012F544 u.LoadDll.dwDebugInfoFileOffset DWORD 00000000
0012F548 u.LoadDll.nDebugInfoSize DWORD 00000000
0012F54C u.LoadDll.lpImageName DWORD 7FFDE014
0012F550 u.LoadDll.fUnicode WORD 0001
0012F53C u.UnloadDll.lpBaseOfDll DWORD 0000009C
0012F53C u.DebugString.lpDebugStringData DWORD 0000009C
0012F540 u.DebugString.fUnicode WORD 0000
0012F542 u.DebugString.nDebugStringiLength WORD 77F5
0012F53C u.RipInfo.dwError DWORD 0000009C
0012F540 u.RipInfo.dwType DWORD 77F50000
0012F53C u.Exception.pExceptionRecord.ExceptionCode DWORD 0000009C
0012F540 u.Exception.pExceptionRecord.ExceptionFlags DWORD 77F50000
0012F544 u.Exception.pExceptionRecord.pExceptionRecord DWORD 00000000
0012F548 u.Exception.pExceptionRecord.ExceptionAddress DWORD 00000000
0012F54C u.Exception.pExceptionRecord.NumberParameters DWORD 7FFDE014
0012F550 u.Exception.pExceptionRecord.ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS] DWORD 0100000000E0FD7F0010400000000000
0012F58C u.Exception.dwFirstChance DWORD 00000000
I know this event is for ntdll.dll; I can confirm that the file handle 0x9C is indeed ntdll.dll:
Handles, item 12
Handle=0000009C
Type=File
Refs= 2.
Access=00120089 SYNCHRONIZE|READ_CONTROL|READ_DATA|READ_EA|READ_ATTRIBUTES
Info=Size 668672. (000A3400) bytes
Name=c:\WINDOWS\System32\ntdll.dll
Should I be mucking around with find-filename-from-file-handle routines to get the image name instead? (The dump at 7FFDE014 reads 00 00 00 00 - the inner pointer is NULL - so in this case the name cannot come from lpImageName at all.)
Here is another example:
Structure
Address Name Type Value Hex Dump
0012F530 dwDebugEventCode DWORD 00000006
0012F534 dwProcessId DWORD 000001D0
0012F538 dwThreadId DWORD 0000076C
0012F53C u.CreateThread.hThread DWORD 000000A0
0012F540 u.CreateThread.lpThreadLocalBase DWORD 77E60000
0012F544 u.CreateThread.lpStartAddress DWORD 00000000
0012F53C u.CreateProcessInfo.hFile DWORD 000000A0
0012F540 u.CreateProcessInfo.hProcess DWORD 77E60000
0012F544 u.CreateProcessInfo.hThread DWORD 00000000
0012F548 u.CreateProcessInfo.lpBaseOfImage DWORD 00000000
0012F54C u.CreateProcessInfo.dwDebugInfoFileOffset DWORD 7FFDE014
0012F550 u.CreateProcessInfo.nDebugInfoSize DWORD 00000001
0012F554 u.CreateProcessInfo.lpThreadLocalBase DWORD 7FFDE000
0012F558 u.CreateProcessInfo.lpStartAddress DWORD 00401000
0012F55C u.CreateProcessInfo.lpImageName DWORD 00000000
0012F560 u.CreateProcessInfo.fUnicode WORD 0001
0012F53C u.ExitThread.dwExitCode DWORD 000000A0
0012F53C u.ExitProcess.dwExitCode DWORD 000000A0
0012F53C u.LoadDll.hFile DWORD 000000A0
0012F540 u.LoadDll.lpBaseOfDll DWORD 77E60000
0012F544 u.LoadDll.dwDebugInfoFileOffset DWORD 00000000
0012F548 u.LoadDll.nDebugInfoSize DWORD 00000000
0012F54C u.LoadDll.lpImageName DWORD 7FFDE014
0012F550 u.LoadDll.fUnicode WORD 0001
0012F53C u.UnloadDll.lpBaseOfDll DWORD 000000A0
0012F53C u.DebugString.lpDebugStringData DWORD 000000A0
0012F540 u.DebugString.fUnicode WORD 0000
0012F542 u.DebugString.nDebugStringiLength WORD 77E6
0012F53C u.RipInfo.dwError DWORD 000000A0
0012F540 u.RipInfo.dwType DWORD 77E60000
0012F53C u.Exception.pExceptionRecord.ExceptionCode DWORD 000000A0
0012F540 u.Exception.pExceptionRecord.ExceptionFlags DWORD 77E60000
0012F544 u.Exception.pExceptionRecord.pExceptionRecord DWORD 00000000
0012F548 u.Exception.pExceptionRecord.ExceptionAddress DWORD 00000000
0012F54C u.Exception.pExceptionRecord.NumberParameters DWORD 7FFDE014
0012F550 u.Exception.pExceptionRecord.ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS] DWORD 0100000000E0FD7F0010400000000000
0012F58C u.Exception.dwFirstChance DWORD 00000000
The handle 0xA0 is KERNEL32.DLL:
Handles, item 13
Handle=000000A0
Type=File
Refs= 2.
Access=00120089 SYNCHRONIZE|READ_CONTROL|READ_DATA|READ_EA|READ_ATTRIBUTES
Info=Size 930304. (000E3200) bytes
Name=c:\WINDOWS\System32\KERNEL32.DLL
But the pointer in lpImageName again points at the same 7FFDE014 address in the debuggee, whose first DWORD is zero:
7FFDE014 00 00 00 00 00 E0 FD 7F 00 .....��.
Any information would be helpful.
Someone with a quick sleight of hand in a scripting language could confirm or deny this with a quick hacked-together script.






