blabberer

  1. How To Add TypeInfo So That Dt Commands Work Properly In Windbg

    preface

    sometimes when you use certain dt commands in windbg you are faced with the "type information not available" error

    like below

    Code:
    lkd> !ca 8657c600
    
    ControlArea  @ 8657c600
      Segment      00000010  Flink      00000010  Blink        85c4e7a0
      Section Ref         0  Pfn Ref           0  Mapped Views c4000001
      User Ref     31447341  WaitForDel 86c7969c  Flush Count       a08
      File Object  865a3818  ModWriteCount  c66c  System Views     8657
    
      Flags (1) BeingDeleted 
    
          No name for file
    
    Segment @ 00000010
    Type nt!_MAPPED_FILE_SEGMENT not found.
    if we google around we can find that the struct above is unofficially documented in bits and pieces on several sites
    like Moonsols, msdn.mirt, nirsoft etc

    and most of these structures were pieced together from pdbs themselves

    like we can see this struct in ntkrnlmp.pdb

    Code:
    F:\SYMBOLS\ntkrnlmp.pdb\998A3472EEA6405CB8C089DE868F26222>grep -i MAPPED_FILE_SEGMENT -b1 -U *.*
    Binary file ntkrnlmp.pdb matches
    
    F:\SYMBOLS\ntkrnlmp.pdb\998A3472EEA6405CB8C089DE868F26222>grep -i MAPPED_FILE_SEGMENT -a1 -U *.*
    
         _MAPPED_FILE_SEGMENT U_MAPPED_FILE_SEGMENT@@ 6 ♣  ☻              _SEGMEN
    Code:
    
    _MAPPED_FILE_SEGMENT.U_MAPPED_FILE_SEGMENT@@.6....................
    _SEGMENT_FLAGS.U_SEGMENT_FLAGS@@........5.....ControlArea.....".....
    TotalNumberOfPtes..........SegmentFlags.....".....
    NumberOfCommittedPages.....#.....
    SizeOfSegment.....C.....
    ExtendInfo...........
    BasedAddress...........
    SegmentLock.B..................
     ._MAPPED_FILE_SEGMENT.U_MAPPED_FILE_SEGMENT@@.
    even though it is there windbg can't find it, because this struct is probably not referenced

    anyway back to topic

    i had posted a while back how to put the typeinfo back into the respective pdb using wdk

    in this post


    that method is for putting the type info back to respective pdb

    but sometimes you don't have a pdb to put it back into

    in situations like this you can use the following approach


    suppose

    you are on winxp and you are debugging via kd a win 7 vm

    you think the code you are looking at is similar to fastfat in winddk srcs

    and you want the type info for

    PACKED_BOOT_SECTOR

    in that case


    just compile the following code, let's say helloworld.c

    Code:
    #include <ntddk.h>

    DRIVER_INITIALIZE DriverEntry;
    DRIVER_UNLOAD     DriverUnload;

    // runs when the service is stopped (net stop / osrloader)
    void
    DriverUnload(
        PDRIVER_OBJECT DriverObject
        )
    {
        UNREFERENCED_PARAMETER(DriverObject);
        DbgPrint("Driver unloading\n");
    }

    // runs when the service is started; only registers the unload routine
    NTSTATUS
    DriverEntry(
        __in PDRIVER_OBJECT DriverObject,
        __in PUNICODE_STRING RegistryPath
        )
    {
        UNREFERENCED_PARAMETER(RegistryPath);
        DriverObject->DriverUnload = DriverUnload;
        DbgPrint("Hello World!\n");
        return STATUS_SUCCESS;
    }
    this is code for a simple driver that you can load with osr loader and operate with either osrloader or net start / stop "servicename"

    the sources file contains

    Code:
    TARGETNAME=helloworld
    TARGETTYPE=DRIVER
    TARGETPATH=obj
    
    INCLUDES=..\..\inc
    
    SOURCES = HelloWorld.c

    the makefile contains

    Code:
    C:\WinDDK\7600.16385.1\src\HelloWorld>type makefile
    !INCLUDE $(NTMAKEENV)\makefile.def
    C:\WinDDK\7600.16385.1\src\HelloWorld>

    build this with the win 7 fre build environment

    Code:
    C:\WINDOWS\system32\cmd.exe /k C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinDDK\7600.16385.1\ fre x86 WIN7
    cd %COMPILEDIR% 
    build
    copy the driver to the win7 vm, use osrloader to register the service and start the service

    if you used auto the driver will load during boot stage and you can simply see the dbg print while booting

    if you enable the DEBUG PRINT FILTER mask in kd

    like below

    Code:
    kd> ed nt!Kd_DEFAULT_Mask 0xf

    Hello World!

    now we want to add type info for

    PACKED_BOOT_SECTOR

    which does not exist in any pdbs

    Code:
    kd> dt *!*boot*
    ntkrnlmp!_ARBITER_BOOT_ALLOCATION_PARAMETERS
    ntkrnlmp!_TPM_BOOT_ENTROPY_LDR_RESULT
    ntkrnlmp!_TPM_BOOT_ENTROPY_RESULT_CODE
    pci!_ARBITER_BOOT_ALLOCATION_PARAMETERS



    change the earlier code to fatexam.c with the following addition

    Code:
    #include <ntddk.h>
    #include "fat.h"    // from C:\WinDDK\7600.16385.1\src\filesys\fastfat\Win7

    // this declaration is the addition: a global of this type gets
    // PACKED_BOOT_SECTOR into fatexam.pdb, where dt can see it
    PACKED_BOOT_SECTOR packboot;

    DRIVER_INITIALIZE DriverEntry;
    DRIVER_UNLOAD     DriverUnload;

    void
    DriverUnload(
        PDRIVER_OBJECT DriverObject
        )
    {
        UNREFERENCED_PARAMETER(DriverObject);
        DbgPrint("Driver unloading\n");
    }

    NTSTATUS
    DriverEntry(
        __in PDRIVER_OBJECT DriverObject,
        __in PUNICODE_STRING RegistryPath
        )
    {
        UNREFERENCED_PARAMETER(RegistryPath);
        DriverObject->DriverUnload = DriverUnload;
        DbgPrint("Hello World!\n called from fatexam.sys\n ");
        DbgPrint("Testing To See If .Kdfiles Work Dynamically!\n");
        DbgPrint("use dt fatexam!* to look for typeinfo you just added\n");
        return STATUS_SUCCESS;
    }
    change the sources file to reflect names and build it

    now about how to transfer the newly built sys to the vm via the debugger

    we can use the debugger's .kdfiles command

    .kdfiles (Driver Replacement Map) is a command which will replace an existing driver on the target computer being debugged with a
    new one from the host computer that is running windbg

    to use .kdfiles

    make a foo.txt file (may be foo.ini or blah.yuk or whatever.crap file) in any directory

    in that file add the following contents
    Code:
    C:\WinDDK\7600.16385.1\src>type kdfiles.ini
    
    map
    \??\C:\Windows\System32\drivers\fatexam.sys
    C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys

    if it didn't work the first time you may have to change \??\ to just c:\Windows\system32 or maybe %systemroot%\system32

    use ctrl+alt+d to view the debug spew to find the error


    go to windbg command window and type

    .kdfiles C:\WinDDK\7600.16385.1\src\kdfiles.ini (use the directory and filename you chose not what i typed here)


    windbg should say
    Code:
    kd> .kdfiles C:\WinDDK\7600.16385.1\src\kdfiles.ini
    KD file assocations loaded from 'C:\WinDDK\7600.16385.1\src\kdfiles.ini'

    if you run .kdfiles without any argument you should see something similar to this

    Code:
    kd> .kdfiles
    KD file assocations loaded from 'C:\WinDDK\7600.16385.1\src\kdfiles.ini'
    \??\C:\Windows\System32\drivers\fatexam.sys -> C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys
    and that's all

    now if you go to the vm and use net start servicename,
    before the driver is accessed it will be replaced by the new one and your type info should be available



    like below

    Code:
     Driver unloading
    KD: Accessing 'C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys' (\??\C:\Windows\System32\drivers\fatexam.sys)
      File size 4KKdPullRemoteFile(83DE4A70): About to overwrite \??\C:\Windows\System32\drivers\fatexam.sys and preallocate to e00
    KdPullRemoteFile(83DE4A70): Return from ZwCreateFile with status 0
    .
    Hello World!
     called from helloworld.sys
     Testing To See If .Kdfiles Work Dynamically!
    use dt fatexam!* to look for typeinfo you just added

    the results of the earlier command now show the added info

    Code:
    kd> dt *!*boot*
              ntkrnlmp!_ARBITER_BOOT_ALLOCATION_PARAMETERS
              ntkrnlmp!_TPM_BOOT_ENTROPY_LDR_RESULT
              ntkrnlmp!_TPM_BOOT_ENTROPY_RESULT_CODE
              pci!_ARBITER_BOOT_ALLOCATION_PARAMETERS
    ...
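a small added script (not from the original post) that reads a .kdfiles map in the format shown above, echoes it the way `.kdfiles` does, and flags the things that make a replacement silently not happen: a host file that is not there, a target that is not an absolute `\??\` or drive-letter path, or the same target mapped twice. The sample map is constructed from the kdfiles.ini in the post; the `exists` hook lets you check paths from another machine.

```python
"""Sanity-check a WinDbg .kdfiles driver replacement map before loading it."""
import os
import re
from typing import Callable, Dict, List, Tuple

# constructed sample mirroring the kdfiles.ini shown in the post
SAMPLE_MAP = r"""
map
\??\C:\Windows\System32\drivers\fatexam.sys
C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys
"""

# a target is the absolute path as the kernel names it, with or without the \??\ prefix
_TARGET_RE = re.compile(r"^(\\\?\?\\)?[A-Za-z]:\\", re.IGNORECASE)


def parse_kdfiles(text: str) -> List[Tuple[str, str]]:
    """Return (target, host) pairs; each entry is a 'map' line followed by two paths."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pairs: List[Tuple[str, str]] = []
    i = 0
    while i < len(lines):
        if lines[i].lower() != "map" or i + 2 >= len(lines):
            raise ValueError("malformed entry near %r" % lines[i])
        pairs.append((lines[i + 1], lines[i + 2]))
        i += 3
    return pairs


def check_kdfiles(text: str,
                  exists: Callable[[str], bool] = os.path.isfile) -> Dict[str, List[str]]:
    """Map each target to its problems; an empty list means the entry looks fine."""
    report: Dict[str, List[str]] = {}
    for target, host in parse_kdfiles(text):
        problems: List[str] = []
        if target.lower() in (t.lower() for t in report):
            problems.append("duplicate target; only one replacement can apply")
        if not _TARGET_RE.match(target):
            problems.append(r"target should be an absolute path such as \??\C:\...")
        if not exists(host):
            problems.append("host file not found: " + host)
        report[target] = problems
    return report


def format_like_kdfiles(text: str) -> str:
    """Render the entries the way '.kdfiles' with no argument echoes them."""
    return "\n".join("%s -> %s" % pair for pair in parse_kdfiles(text))


if __name__ == "__main__":
    print(format_like_kdfiles(SAMPLE_MAP))
    for tgt, probs in check_kdfiles(SAMPLE_MAP).items():
        print(tgt, "OK" if not probs else "; ".join(probs))
```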