📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Brainstorms - General: Navigating VADs between NT builds

Topic created on: May 15, 2008 20:42 CDT by FILEOBJECT.

I posted on another thread in regard to retrieving memory maps within the kernel.  Someone provided an article that described the process, which essentially located the VadRoot MMVAD structure in the process's EPROCESS structure and walked the binary tree to enumerate all available ranges.  However, this method is not portable between NT builds, as the exported _MMVAD and EPROCESS change between builds.

For example, on XP build 2600 _MMVAD looks like this:
kd> dt nt!_MMVAD
   +0x000 StartingVpn      : Uint4B
   +0x004 EndingVpn        : Uint4B
   +0x008 Parent           : Ptr32 _MMVAD
   +0x00c LeftChild        : Ptr32 _MMVAD
   +0x010 RightChild       : Ptr32 _MMVAD
   +0x014 u                : __unnamed
   +0x018 ControlArea      : Ptr32 _CONTROL_AREA
   +0x01c FirstPrototypePte : Ptr32 _MMPTE
   +0x020 LastContiguousPte : Ptr32 _MMPTE
   +0x024 u2               : __unnamed

and on vista you have this:
http://www.nirsoft.net/kernel_struct/vista/MMVAD.html

Is there a way to get the same information, in a build portable manner?

Thanks.

  FILEOBJECT     May 16, 2008 03:38.57 CDT
Been looking for hours; I might have to #ifdef on different build versions for different modified VAD structures.  I've read so much MS documentation my eye is twitching.

  nezumi     May 16, 2008 05:46.47 CDT
dbgeng.dll is free and redistributable with all extensions; the interface is well documented, and the SDK that comes with MS Debugging Tools shows how to use it in your own program. I think it's better than other MS stuff - this is an ugly, but highly reliable, way.

By the way, symbols for every build are available, so...

  FILEOBJECT     May 16, 2008 06:22.22 CDT
I don't think I can use it for this solution :(  In order to use it, the /debug flag would have to be set in boot.ini.  The project I'm working on right now is more or less a forensics tool, which would mean a reboot would destroy the data in question.  Racking my brain here; I'm starting to think a buncha #ifdefs will be the only way.

  nezumi     May 16, 2008 07:38.20 CDT
Use debug symbols; they define all essential kernel structures. You can download symbols from the MS site on the fly, or, well, download them for all builds and add them to your project. And besides, to use the debug engine you don't need to reboot your PC. In essence you just call a function that parses a certain data structure and retrieves the result. All your #defs will not work with a new build, while symbols will.

  FILEOBJECT     May 16, 2008 16:34.25 CDT
word.

  FILEOBJECT     May 16, 2008 17:34.22 CDT
QueryVirtual
The QueryVirtual method provides information about the specified pages in the target's virtual address space.

HRESULT
  IDebugDataSpaces2::QueryVirtual(
    IN ULONG64  Offset,
    OUT MEMORY_BASIC_INFORMATION64 *  Info
    );
Parameters
Offset
Specifies the location in the target's virtual address space of the pages whose information is requested.
Info
Receives the information about the memory page.
Return Value
S_OK
The method was successful.
This method can also return error values. See Return Values for more details.
b00mz.

  FILEOBJECT     May 16, 2008 22:37.32 CDT
.r.e.d.r.u.m.

So, got and installed the Debugging Tools for Windows to get access to the dbgeng API.  Spent like 4 hours looking through the documentation till I found the COM object methods that I'd need to use to do what I need to do.  Spent 4 more hours trying to get the SDK samples to build and am at my wits' end.

The readme says to build under the 2003 Server build environment; fine.
Says to set a buncha environment variables as well; k, done.
Verified they're set right according to the manual; ez.

So why do my builds keep flipping out?  My configuration is right out of the box, fresh install no tweaks or modifications.

I've tried building under the 2003 Server build environment under DDK release 3790 and WDK 6001, and nothing but errors.

Here's the 6001 error:
NMAKE : fatal error U1073: don't know how to make 'c:\sdk_ex~1\samples\assert\objchk_wnet_x86\i386\mui.rcc'
errors in directory c:\sdk_ex~1\samples\assert

Here's the error in 3790 if I try to build the sources with no modifications:
errors in directory c:\sdk_ex~1\samples\assert
c:\winddk\3790~1.183\bin\makefile.new(1082) : error U1050: Your .\sources. file must define the TARGETPATH= macro

If I define a TARGETPATH value (obj) I get this:
errors in directory c:\sdk_ex~1\samples\assert
c:\winddk\3790~1.183\bin\i386mk.inc(494) : error U1023: syntax error in expression

I'm gonna keep fighting it as I need to be able to use this API, but any help at all would be way appreciated.  The API looks killer, I just can't get anything to build right.

~the living dead

  FILEOBJECT     May 16, 2008 23:03.02 CDT
Everything builds under the Windows Vista and Windows 2008 checked build environments now for some magical reason.  Still no 2003 though.

See, this is how it works.. I spend like 6 million hours trying to find the solution to the problem, then say, god damn it, I should ask the internet.  Then 5 minutes after I ask the internet I figure it out.

I must have upset the spaghetti monster at some point.  I probably ate noodle-jesus or something.

  FILEOBJECT     May 17, 2008 14:31.36 CDT
So what you're saying is to get the kernel structures from the build symbols parsed with the userland symbols api, then communicate the correct structure to the kernel driver, which then extracts the proper data from the opaque structures?

I don't have a problem putting in the work if this is truly the only way to do it; it just seems convoluted.

Additionally for the record:
DbgEng is not a kernel-mode solution for something like this.  It's userland like no one's business; just look at the imports section in dbgeng.dll.  You can use it to connect to hosts which are waiting to be debugged, but it's not like an API you can include in a kernel driver to get any debugging info.  I thought otherwise because everything was compiled through the DDK and the documentation seemed to hint at the possibility, but nope, it's all obviously userland.
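The scheme FILEOBJECT sums up above (resolve the per-build _MMVAD field offsets from symbols in user mode, hand them to the kernel side, and walk the tree through those offsets instead of a compiled-in struct), as an added example that is not part of this thread: a layout-parameterised in-order VAD walk in C. It assumes a little-endian host, uses the XP build 2600 offsets quoted above plus a second, constructed layout standing in for another build, and walks a constructed byte image rather than live kernel memory.

```c
#include <stdint.h>
#include <string.h>

/* _MMVAD field offsets for one NT build: resolved from that build's symbols in
 * user mode and handed to the kernel side, instead of a compiled-in struct. */
typedef struct {
    uint32_t starting_vpn, ending_vpn, left_child, right_child;
    uint32_t ptr_size;   /* 4 on 32-bit builds, 8 on 64-bit builds */
} vad_layout_t;
typedef struct { uint32_t start_vpn, end_vpn; } vad_range_t;
/* Layout quoted in the thread for XP build 2600 (dt nt!_MMVAD). */
static const vad_layout_t XP_2600 = { 0x000, 0x004, 0x00c, 0x010, 4 };
/* Constructed layout, same fields reordered; stands in for another build, NOT real symbols. */
static const vad_layout_t OTHER_BUILD = { 0x00c, 0x010, 0x004, 0x008, 4 };

/* Read a ptr_size-byte pointer; assumes a little-endian host. */
static uint64_t rd(const uint8_t *p, uint32_t n) { uint64_t v = 0; memcpy(&v, p, n); return v; }
/* In-order walk. `image` stands in for target memory; child "pointers" are byte
 * offsets into it (0 == NULL). Returns the number of ranges written, or -1 when
 * `out` is full or the tree is implausibly deep (cycle/corruption to survive). */
static int walk_vad(const uint8_t *image, uint64_t node, const vad_layout_t *L,
                    vad_range_t *out, int max, int depth) {
    if (node == 0) return 0;
    if (depth > 64) return -1;
    const uint8_t *n = image + node;
    int c = walk_vad(image, rd(n + L->left_child, L->ptr_size), L, out, max, depth + 1);
    if (c < 0 || c >= max) return -1;
    memcpy(&out[c].start_vpn, n + L->starting_vpn, 4);
    memcpy(&out[c].end_vpn, n + L->ending_vpn, 4);
    c++;
    int r = walk_vad(image, rd(n + L->right_child, L->ptr_size), L, out + c, max - c, depth + 1);
    return r < 0 ? -1 : c + r;
}
/* Fixture: write one node into the fake image using the given layout. */
static void put_node(uint8_t *img, uint64_t at, const vad_layout_t *L,
                     uint32_t s, uint32_t e, uint64_t left, uint64_t right) {
    memcpy(img + at + L->starting_vpn, &s, 4);
    memcpy(img + at + L->ending_vpn, &e, 4);
    memcpy(img + at + L->left_child, &left, L->ptr_size);
    memcpy(img + at + L->right_child, &right, L->ptr_size);
}
/* Build the same three-node tree under layout L and walk it: the walker is
 * identical for every build, only the descriptor changes. */
static int enumerate_sample(const vad_layout_t *L, vad_range_t *out, int max) {
    uint8_t image[0x400] = {0};                                /* constructed */
    put_node(image, 0x100, L, 0x00010, 0x0001f, 0x200, 0x300); /* root       */
    put_node(image, 0x200, L, 0x00001, 0x00005, 0, 0);         /* left leaf  */
    put_node(image, 0x300, L, 0x7ff00, 0x7ffff, 0, 0);         /* right leaf */
    return walk_vad(image, 0x100, L, out, max, 0);
}
```

On a real system the descriptor would be filled from the build's symbols (e.g. via the debugger engine's type APIs) and passed to the driver, which would read nodes from the target process rather than from a local buffer.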
