
blabberer
August 20th, 2011, 23:59
How To Add TypeInfo So That Dt Commands Work Properly In Windbg

preface

sometimes when you use certain dt commands in windbg you are faced with the "type information not available" error

like below

Code:


lkd> !ca 8657c600

ControlArea @ 8657c600
Segment 00000010 Flink 00000010 Blink 85c4e7a0
Section Ref 0 Pfn Ref 0 Mapped Views c4000001
User Ref 31447341 WaitForDel 86c7969c Flush Count a08
File Object 865a3818 ModWriteCount c66c System Views 8657

Flags (1) BeingDeleted

No name for file

Segment @ 00000010
Type nt!_MAPPED_FILE_SEGMENT not found.


if we google around we can find that the above struct is unofficially documented in bits and pieces on several sites
like Moonsols, msdn.mirt, nirsoft etc

and most of these structures were pieced together from pdbs themselves

like we can see this struct in ntkrnlmp.pdb

Code:

F:\SYMBOLS\ntkrnlmp.pdb\998A3472EEA6405CB8C089DE868F26222>grep -i MAPPED_FILE_SEGMENT -b1 -U *.*
Binary file ntkrnlmp.pdb matches

F:\SYMBOLS\ntkrnlmp.pdb\998A3472EEA6405CB8C089DE868F26222>grep -i MAPPED_FILE_SEGMENT -a1 -U *.*


♥ ↔ ♦ OwnerTable ≤≥: ♣☻ ☻↔ _CM_INTENT_LOCK U_CM_INTENT_LOCK@@ ≤≥
♫ ♥# " R ♣ ☻ _PROC_IDLE_STATE_ACCOUNTING U_PROC_IDLE_ST
♥ ↔ State F ♣♠ ☻↔ └☻_PROC_IDLE_ACCOUNTING U_PROC_IDLE_ACCOUNTIN
♥ ▬∟ $ ActiveTripPoint ≥B ♣HERMAL_INFORMATION U_THERMAL_INFORMATION@@ →☺♥↕
☻↔ L _THERMAL_INFORMATION U_THERMAL_INFORMATION@@ B ♣ ☻
_MAPPED_FILE_SEGMENT U_MAPPED_FILE_SEGMENT@@ 6 ♣ ☻ _SEGMEN



Code:



_MAPPED_FILE_SEGMENT.U_MAPPED_FILE_SEGMENT@@.6....................
_SEGMENT_FLAGS.U_SEGMENT_FLAGS@@........5.....ControlArea.....".....
TotalNumberOfPtes..........SegmentFlags.....".....
NumberOfCommittedPages.....#.....
SizeOfSegment.....C.....
ExtendInfo...........
BasedAddress...........
SegmentLock.B..................
._MAPPED_FILE_SEGMENT.U_MAPPED_FILE_SEGMENT@@.



even though it is there windbg can't find it, because this struct is probably not referenced anywhere

anyway back to topic

i had posted a while back how to put the typeinfo back into the respective pdb using wdk

in this post

Quote:


http://www.woodmann.com/forum/showthread.php?10295-Mysteries-of-win32k-amp-GDI&p=72632&viewfull=1#post72632




that method is for putting the type info back to respective pdb

but some times you dont have a pdb to put back

in situations like this you can use the following approach


suppose

you are on winxp and you are debugging via kd a win 7 vm

you think the code you are looking at is similar to fastfat in winddk srcs

and you want the type info for

PACKED_BOOT_SECTOR

in that case


just compile the following code, let's say helloworld.c

Code:


#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;


// called when the service is stopped (net stop / osrloader)
void
DriverUnload(
PDRIVER_OBJECT DriverObject
)
{
UNREFERENCED_PARAMETER(DriverObject);
DbgPrint("Driver unloading\n");
}



// called when the service is started; only registers the unload routine
NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
UNREFERENCED_PARAMETER(RegistryPath);
DriverObject->DriverUnload = DriverUnload;
DbgPrint("Hello World!\n");
return STATUS_SUCCESS;
}



this is code for a simple driver that you can load with osr loader and operate with either osrloader or net start / stop "servicename"

the sources file contains

Code:

TARGETNAME=helloworld
TARGETTYPE=DRIVER
TARGETPATH=obj

INCLUDES=..\..\inc

SOURCES = HelloWorld.c



the makefile contains

Code:


C:\WinDDK\7600.16385.1\src\HelloWorld>type makefile
!INCLUDE $(NTMAKEENV)\makefile.def
C:\WinDDK\7600.16385.1\src\HelloWorld>



build this with the win 7 fre build environment

Code:


C:\WINDOWS\system32\cmd.exe /k C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinDDK\7600.16385.1\ fre x86 WIN7
cd %COMPILEDIR%
build


copy the driver to the win7 vm, use osrloader to register the service and start the service

if you used auto the driver will load during boot stage and you can simply see the dbg print while booting

if you enable DEBUG PRINT FILTER mask in kd

like below

kd> ed nt!Kd_DEFAULT_Mask 0xf

Hello World!

now we want to add type info for

PACKED_BOOT_SECTOR

which does not exist in any pdbs

kd> dt *!*boot*
ntkrnlmp!_ARBITER_BOOT_ALLOCATION_PARAMETERS
ntkrnlmp!_TPM_BOOT_ENTROPY_LDR_RESULT
ntkrnlmp!_TPM_BOOT_ENTROPY_RESULT_CODE
pci!_ARBITER_BOOT_ALLOCATION_PARAMETERS



change the earlier code to fatexam.c with the following addition

Code:


#include <ntddk.h>
#include "fat.h" // <------------ C:\WinDDK\7600.16385.1\src\filesys\fastfat\Win7

PACKED_BOOT_SECTOR packboot; // <---------------------- declaration; referencing the type is what gets it into the pdb
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;


void
DriverUnload(
PDRIVER_OBJECT DriverObject
)
{
UNREFERENCED_PARAMETER(DriverObject);
DbgPrint("Driver unloading\n");
}



NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
UNREFERENCED_PARAMETER(RegistryPath);
DriverObject->DriverUnload = DriverUnload;
DbgPrint("Hello World!\n called from fatexam.sys\n ");
DbgPrint("Testing To See If .Kdfiles Work Dynamically!\n");
DbgPrint("use dt fatexam!* to look for typeinfo you just added\n");
return STATUS_SUCCESS;
}



change the sources file to reflect names and build it

now about how to transfer the newly built sys to vm via debugger

we can use the debuggers .kdfiles command

.kdfiles is a command (Driver Replacement Map) which will replace an existing driver in the target computer being debugged with a new one from the host computer that is running Windbg

to use .kdfiles

make a foo.txt file (may be foo.ini or blah.yuk or whatever.crap file) in any directory

in that file add the following contents
Code:


C:\WinDDK\7600.16385.1\src>type kdfiles.ini

map
\??\C:\Windows\System32\drivers\fatexam.sys
C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys



if it didn't work the first time you may have to change \??\ to just c:\Windows\system32 or maybe %systemroot%\system32

use ctrl+alt+d to view the debug spew to find the error


go to windbg command window and type

.kdfiles C:\WinDDK\7600.16385.1\src\kdfiles.ini (use the directory and filename you chose not what i typed here)


windbg should say
Code:


kd> .kdfiles C:\WinDDK\7600.16385.1\src\kdfiles.ini
KD file assocations loaded from 'C:\WinDDK\7600.16385.1\src\kdfiles.ini'


if you run the .kdfiles without any argument you should see something similar to this

kd> .kdfiles
KD file assocations loaded from 'C:\WinDDK\7600.16385.1\src\kdfiles.ini'
\??\C:\Windows\System32\drivers\fatexam.sys -> C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys



and thats all

now if you go to the vm and use net start servicename
before the driver is accessed it will be replaced by the new one and your type info should be available



like below

Code:


Driver unloading
KD: Accessing 'C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys' (\??\C:\Windows\System32\drivers\fatexam.sys)
File size 4KKdPullRemoteFile(83DE4A70): About to overwrite \??\C:\Windows\System32\drivers\fatexam.sys and preallocate to e00
KdPullRemoteFile(83DE4A70): Return from ZwCreateFile with status 0
.
Hello World!
called from helloworld.sys
Testing To See If .Kdfiles Work Dynamically!
use dt fatexam!* to look for typeinfo you just added




the results of the earlier command now show the added info

Code:

kd> dt *!*boot*
ntkrnlmp!_ARBITER_BOOT_ALLOCATION_PARAMETERS
ntkrnlmp!_TPM_BOOT_ENTROPY_LDR_RESULT
ntkrnlmp!_TPM_BOOT_ENTROPY_RESULT_CODE
pci!_ARBITER_BOOT_ALLOCATION_PARAMETERS
fatexam!PACKED_BOOT_SECTOR
fatexam!_PACKED_BOOT_SECTOR



Code:

kd> dt -r fatexam!_PACKED_BOOT_SECTOR
+0x000 Jump : [3] UChar
+0x003 Oem : [8] UChar
+0x00b PackedBpb : _PACKED_BIOS_PARAMETER_BLOCK
+0x000 BytesPerSector : [2] UChar
+0x002 SectorsPerCluster : [1] UChar
+0x003 ReservedSectors : [2] UChar
+0x005 Fats : [1] UChar
+0x006 RootEntries : [2] UChar
+0x008 Sectors : [2] UChar
+0x00a Media : [1] UChar
+0x00b SectorsPerFat : [2] UChar
+0x00d SectorsPerTrack : [2] UChar
+0x00f Heads : [2] UChar
+0x011 HiddenSectors : [4] UChar
+0x015 LargeSectors : [4] UChar
+0x024 PhysicalDriveNumber : UChar
+0x025 CurrentHead : UChar
+0x026 Signature : UChar
+0x027 Id : [4] UChar
+0x02b VolumeLabel : [11] UChar
+0x036 SystemId : [8] UChar


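as an added example (not part of the original post, and not code from the WDK's fat.h), here is the PACKED_BOOT_SECTOR layout read back from the dt -r output above into a plain C definition, with a check that the C compiler reproduces the same offsets and a small decoder for the byte-array fields. the global packboot is the same trick used in fatexam.c: a variable of the type is enough to make the compiler emit the type into the object's debug information. the struct and field names follow the dt output; the sample boot sector bytes are constructed here and are not from any real volume

```c
/* Added example, not from the original post or from the WDK fat.h:
 * PACKED_BOOT_SECTOR rebuilt from the "dt -r fatexam!_PACKED_BOOT_SECTOR"
 * output, an offset check against that output, and a decoder for the
 * little-endian byte-array fields. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* dt shows every multi-byte field as [n] UChar at unaligned offsets,
 * so the on-disk layout is packed; pack(1) reproduces it here. */
#pragma pack(push, 1)
typedef struct _PACKED_BIOS_PARAMETER_BLOCK {
    uint8_t BytesPerSector[2];
    uint8_t SectorsPerCluster[1];
    uint8_t ReservedSectors[2];
    uint8_t Fats[1];
    uint8_t RootEntries[2];
    uint8_t Sectors[2];
    uint8_t Media[1];
    uint8_t SectorsPerFat[2];
    uint8_t SectorsPerTrack[2];
    uint8_t Heads[2];
    uint8_t HiddenSectors[4];
    uint8_t LargeSectors[4];
} PACKED_BIOS_PARAMETER_BLOCK;

typedef struct _PACKED_BOOT_SECTOR {
    uint8_t Jump[3];
    uint8_t Oem[8];
    PACKED_BIOS_PARAMETER_BLOCK PackedBpb;
    uint8_t PhysicalDriveNumber;
    uint8_t CurrentHead;
    uint8_t Signature;
    uint8_t Id[4];
    uint8_t VolumeLabel[11];
    uint8_t SystemId[8];
} PACKED_BOOT_SECTOR;
#pragma pack(pop)

/* Same trick as packboot in fatexam.c: referencing the type in a translation
 * unit is what makes the compiler emit it into the debug information. */
static PACKED_BOOT_SECTOR packboot;

/* Assemble an unaligned little-endian field of n bytes. */
static uint32_t read_le(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    while (n-- > 0)
        v = (v << 8) | p[n];
    return v;
}

/* Offsets and size exactly as dt -r printed them; 1 if the C layout matches. */
int layout_matches_dt(void)
{
    return offsetof(PACKED_BOOT_SECTOR, Jump) == 0x000
        && offsetof(PACKED_BOOT_SECTOR, Oem) == 0x003
        && offsetof(PACKED_BOOT_SECTOR, PackedBpb) == 0x00b
        && offsetof(PACKED_BIOS_PARAMETER_BLOCK, HiddenSectors) == 0x011
        && offsetof(PACKED_BIOS_PARAMETER_BLOCK, LargeSectors) == 0x015
        && offsetof(PACKED_BOOT_SECTOR, PhysicalDriveNumber) == 0x024
        && offsetof(PACKED_BOOT_SECTOR, Signature) == 0x026
        && offsetof(PACKED_BOOT_SECTOR, Id) == 0x027
        && offsetof(PACKED_BOOT_SECTOR, VolumeLabel) == 0x02b
        && offsetof(PACKED_BOOT_SECTOR, SystemId) == 0x036
        && sizeof(PACKED_BOOT_SECTOR) == 0x03e;
}

typedef struct { uint32_t BytesPerSector, Sectors, VolumeId; int SignatureOk; } BOOT_INFO;

/* Decode a boot sector buffer; returns 0 (and touches nothing) on a short read
 * instead of reading past the end of the caller's buffer. */
int decode_boot_sector(const uint8_t *buf, size_t len, BOOT_INFO *out)
{
    PACKED_BOOT_SECTOR bs;
    if (len < sizeof bs)
        return 0;
    memcpy(&bs, buf, sizeof bs);
    out->BytesPerSector = read_le(bs.PackedBpb.BytesPerSector, 2);
    out->Sectors        = read_le(bs.PackedBpb.Sectors, 2);
    out->VolumeId       = read_le(bs.Id, 4);
    out->SignatureOk    = (bs.Signature == 0x29);  /* extended BPB signature */
    return 1;
}

/* Constructed sample: the first 0x3e bytes of a FAT12-style boot sector. */
const uint8_t sample_boot_sector[0x3e] = {
    0xEB, 0x3C, 0x90,                                /* Jump */
    'M','S','W','I','N','4','.','1',                 /* Oem */
    0x00, 0x02, 0x01, 0x01, 0x00, 0x02, 0xE0, 0x00,  /* BytesPerSector=512 .. RootEntries=224 */
    0x40, 0x0B, 0xF0, 0x09, 0x00, 0x12, 0x00,        /* Sectors=2880, Media, SectorsPerFat, SectorsPerTrack */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x00,              /* Heads, HiddenSectors */
    0x00, 0x00, 0x00, 0x00,                          /* LargeSectors */
    0x00, 0x00, 0x29,                                /* PhysicalDriveNumber, CurrentHead, Signature */
    0x78, 0x56, 0x34, 0x12,                          /* Id -> 0x12345678 */
    'N','O',' ','N','A','M','E',' ',' ',' ',' ',     /* VolumeLabel */
    'F','A','T','1','2',' ',' ',' ',                 /* SystemId */
};

int main(void)
{
    BOOT_INFO bi;
    printf("layout matches dt: %d (sizeof = 0x%zx)\n", layout_matches_dt(), sizeof packboot);
    if (decode_boot_sector(sample_boot_sector, sizeof sample_boot_sector, &bi))
        printf("BytesPerSector=%u Sectors=%u Id=0x%08x sig_ok=%d\n",
               bi.BytesPerSector, bi.Sectors, bi.VolumeId, bi.SignatureOk);
    return 0;
}
```

the offset check is the useful part: if it fails on your compiler, the packing does not match what dt shows and any parsing done with that definition would read the wrong bytes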

thats all for now

comments , queries , criticisms are welcome