blabberer

How To Add TypeInfo So That Dt Commands Work Properly In Windbg


preface

sometimes when you use certain dt commands in windbg you are faced with the "type information not available" error

like below

Code:
lkd> !ca 8657c600

ControlArea  @ 8657c600
  Segment      00000010  Flink      00000010  Blink        85c4e7a0
  Section Ref         0  Pfn Ref           0  Mapped Views c4000001
  User Ref     31447341  WaitForDel 86c7969c  Flush Count       a08
  File Object  865a3818  ModWriteCount  c66c  System Views     8657

  Flags (1) BeingDeleted 

      No name for file

Segment @ 00000010
Type nt!_MAPPED_FILE_SEGMENT not found.

if we google around we can find that this struct is unofficially documented in bits and pieces on several sites
like Moonsols, msdn.mirt, nirsoft etc

and most of these structures were pieced together from pdbs themselves

like we can see this struct in ntkrnlmp.pdb

Code:
F:\SYMBOLS\ntkrnlmp.pdb\998A3472EEA6405CB8C089DE868F26222>grep -i MAPPED_FILE_SE
GMENT  -b1 -U *.*
Binary file ntkrnlmp.pdb matches

F:\SYMBOLS\ntkrnlmp.pdb\998A3472EEA6405CB8C089DE868F26222>grep -i MAPPED_FILE_SE
GMENT  -a1 -U *.*


♥ ↔  ♦ OwnerTable ≤≥: ♣☻  ☻↔         _CM_INTENT_LOCK U_CM_INTENT_LOCK@@ ≤≥
♫ ♥#   "     R ♣  ☻              _PROC_IDLE_STATE_ACCOUNTING U_PROC_IDLE_ST
♥ ↔   State F ♣♠  ☻↔          └☻_PROC_IDLE_ACCOUNTING U_PROC_IDLE_ACCOUNTIN
♥ ▬∟  $ ActiveTripPoint ≥B ♣HERMAL_INFORMATION U_THERMAL_INFORMATION@@ →☺♥↕
  ☻↔          L _THERMAL_INFORMATION U_THERMAL_INFORMATION@@ B ♣  ☻
     _MAPPED_FILE_SEGMENT U_MAPPED_FILE_SEGMENT@@ 6 ♣  ☻              _SEGMEN
Code:

_MAPPED_FILE_SEGMENT.U_MAPPED_FILE_SEGMENT@@.6....................
_SEGMENT_FLAGS.U_SEGMENT_FLAGS@@........5.....ControlArea.....".....
TotalNumberOfPtes..........SegmentFlags.....".....
NumberOfCommittedPages.....#.....
SizeOfSegment.....C.....
ExtendInfo...........
BasedAddress...........
SegmentLock.B..................
 ._MAPPED_FILE_SEGMENT.U_MAPPED_FILE_SEGMENT@@.

even though the name is there, windbg can't find the type because this struct is probably not referenced anywhere in the binary, so no usable type record was emitted

anyway back to topic

i had posted a while back how to put the typeinfo back into the respective pdb using wdk

in this post


that method is for putting the type info back to respective pdb

but some times you dont have a pdb to put back

in situations like this you can use the following approach


suppose

you are on winxp and you are debugging a win 7 vm via kd

you think the code you are looking at is similar to fastfat in winddk srcs

and you want the type info for

PACKED_BOOT_SECTOR

in that case


just compile the following code lets say helloworld.c

Code:
#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD     DriverUnload;

// called when the service is stopped (net stop / osrloader unload)
void
DriverUnload(
    PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver unloading\n");
}

// called when the service is started; registers the unload routine
NTSTATUS
DriverEntry(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Hello World!\n");
    return STATUS_SUCCESS;
}

this is the code for a simple driver that you can load with osrloader and start / stop with either osrloader or net start / net stop "servicename"

the sources file contains

Code:
TARGETNAME=helloworld
TARGETTYPE=DRIVER
TARGETPATH=obj

INCLUDES=..\..\inc

SOURCES = HelloWorld.c

the makefile contains

Code:
C:\WinDDK\7600.16385.1\src\HelloWorld>type makefile
!INCLUDE $(NTMAKEENV)\makefile.def
C:\WinDDK\7600.16385.1\src\HelloWorld>

build this with the win 7 fre build environment

Code:
C:\WINDOWS\system32\cmd.exe /k C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinDDK\7600.16385.1\ fre x86 WIN7
cd %COMPILEDIR% 
build

copy the driver to the win7 vm, use osrloader to register the service and start the service

if you chose the automatic start type the driver will load during boot and you can simply see the dbgprint while booting

if you enable DEBUG PRINT FILTER mask in kd

like below

kd> ed nt!Kd_DEFAULT_Mask 0xf

Hello World!

now we want to add type info for

PACKED_BOOT_SECTOR

which does not exist in any pdbs

kd> dt *!*boot*
ntkrnlmp!_ARBITER_BOOT_ALLOCATION_PARAMETERS
ntkrnlmp!_TPM_BOOT_ENTROPY_LDR_RESULT
ntkrnlmp!_TPM_BOOT_ENTROPY_RESULT_CODE
pci!_ARBITER_BOOT_ALLOCATION_PARAMETERS



change the earlier code to fatexam.c with the following additions

Code:
#include <ntddk.h>
#include "fat.h"   // <------------ C:\WinDDK\7600.16385.1\src\filesys\fastfat\Win7

PACKED_BOOT_SECTOR packboot;  // <---- declaration: referencing the type makes the compiler emit its type record into the pdb
DRIVER_INITIALIZE  DriverEntry;
DRIVER_UNLOAD      DriverUnload;

// called when the service is stopped
void
DriverUnload(
    PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver unloading\n");
}

// called when the service is started
NTSTATUS
DriverEntry(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Hello World!\n called from fatexam.sys\n ");
    DbgPrint("Testing To See If .Kdfiles Work Dynamically!\n");
    DbgPrint("use dt fatexam!* to look for typeinfo you just added\n");
    return STATUS_SUCCESS;
}

change the sources file to reflect the new names and build it

now about how to transfer the newly built sys to the vm via the debugger

we can use the debuggers .kdfiles command

.kdfiles is a command (Driver Replacement Map) which will replace an existing driver in the target computer being debugged with a
new one from host computer that is running Windbg

to use .kdfiles

make a foo.txt file (may be foo.ini or blah.yuk or whatever.crap file) in any directory

in that file add the following contents
Code:
C:\WinDDK\7600.16385.1\src>type kdfiles.ini

map
\??\C:\Windows\System32\drivers\fatexam.sys
C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys

if it didn't work the first time you may have to change \??\ to just c:\Windows\system32 or maybe %systemroot%\system32

use ctrl+alt+d to view the debug spew to find the error


go to windbg command window and type

.kdfiles C:\WinDDK\7600.16385.1\src\kdfiles.ini (use the directory and filename you chose not what i typed here)


windbg should say
Code:
kd> .kdfiles C:\WinDDK\7600.16385.1\src\kdfiles.ini
KD file assocations loaded from 'C:\WinDDK\7600.16385.1\src\kdfiles.ini'


if you run the .kdfiles without any argument you should see something similar to this

kd> .kdfiles
KD file assocations loaded from 'C:\WinDDK\7600.16385.1\src\kdfiles.ini'
\??\C:\Windows\System32\drivers\fatexam.sys -> C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys

and that's all

now if you go to the vm and use net start servicename,
before the driver is accessed it will be replaced by the new one and your type info should be available



like below

Code:
 Driver unloading
KD: Accessing 'C:\WinDDK\7600.16385.1\src\HelloWorld\fatexam\objfre_win7_x86\i386\fatexam.sys' (\??\C:\Windows\System32\drivers\fatexam.sys)
  File size 4KKdPullRemoteFile(83DE4A70): About to overwrite \??\C:\Windows\System32\drivers\fatexam.sys and preallocate to e00
KdPullRemoteFile(83DE4A70): Return from ZwCreateFile with status 0
.
Hello World!
 called from helloworld.sys
 Testing To See If .Kdfiles Work Dynamically!
use dt fatexam!* to look for typeinfo you just added


the results of the earlier command now show the added info

Code:
kd> dt *!*boot*
          ntkrnlmp!_ARBITER_BOOT_ALLOCATION_PARAMETERS
          ntkrnlmp!_TPM_BOOT_ENTROPY_LDR_RESULT
          ntkrnlmp!_TPM_BOOT_ENTROPY_RESULT_CODE
          pci!_ARBITER_BOOT_ALLOCATION_PARAMETERS
          fatexam!PACKED_BOOT_SECTOR
          fatexam!_PACKED_BOOT_SECTOR
Code:
kd> dt -r fatexam!_PACKED_BOOT_SECTOR
   +0x000 Jump             : [3] UChar
   +0x003 Oem              : [8] UChar
   +0x00b PackedBpb        : _PACKED_BIOS_PARAMETER_BLOCK
      +0x000 BytesPerSector   : [2] UChar
      +0x002 SectorsPerCluster : [1] UChar
      +0x003 ReservedSectors  : [2] UChar
      +0x005 Fats             : [1] UChar
      +0x006 RootEntries      : [2] UChar
      +0x008 Sectors          : [2] UChar
      +0x00a Media            : [1] UChar
      +0x00b SectorsPerFat    : [2] UChar
      +0x00d SectorsPerTrack  : [2] UChar
      +0x00f Heads            : [2] UChar
      +0x011 HiddenSectors    : [4] UChar
      +0x015 LargeSectors     : [4] UChar
   +0x024 PhysicalDriveNumber : UChar
   +0x025 CurrentHead      : UChar
   +0x026 Signature        : UChar
   +0x027 Id               : [4] UChar
   +0x02b VolumeLabel      : [11] UChar
   +0x036 SystemId         : [8] UChar
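
the dt -r output above gives the exact on-disk layout of _PACKED_BOOT_SECTOR. the following user-mode C program is an added example, not code from the original post or from the WDK: it redeclares the structure with the fields and offsets dt printed (uint8_t arrays stand in for the [n] UChar members), checks with offsetof that the definition reproduces those offsets, and decodes a constructed FAT16-style boot sector, rejecting truncated or implausible input before any field is trusted. the sample sector values and the plausibility thresholds (allowed sector sizes, power-of-two cluster size) are this example's own choices and are not from the post; it builds with any C compiler and needs no WDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout copied from the dt -r fatexam!_PACKED_BOOT_SECTOR output above, names
   as in the WDK fastfat fat.h. Fields are byte arrays ("[2] UChar" rather than
   USHORT) because the on-disk BPB is not naturally aligned. */
#pragma pack(push, 1)
typedef struct _PACKED_BIOS_PARAMETER_BLOCK {
    uint8_t BytesPerSector[2];  uint8_t SectorsPerCluster[1];
    uint8_t ReservedSectors[2]; uint8_t Fats[1];
    uint8_t RootEntries[2];     uint8_t Sectors[2];
    uint8_t Media[1];           uint8_t SectorsPerFat[2];
    uint8_t SectorsPerTrack[2]; uint8_t Heads[2];
    uint8_t HiddenSectors[4];   uint8_t LargeSectors[4];
} PACKED_BIOS_PARAMETER_BLOCK;

typedef struct _PACKED_BOOT_SECTOR {
    uint8_t Jump[3];            uint8_t Oem[8];
    PACKED_BIOS_PARAMETER_BLOCK PackedBpb;
    uint8_t PhysicalDriveNumber; uint8_t CurrentHead; uint8_t Signature;
    uint8_t Id[4];              uint8_t VolumeLabel[11]; uint8_t SystemId[8];
} PACKED_BOOT_SECTOR;
#pragma pack(pop)

/* Unaligned little-endian readers/writers for the byte-array fields. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Returns 1 if this definition reproduces the offsets and size dt printed. */
int layout_matches_dt(void) {
    return offsetof(PACKED_BOOT_SECTOR, PackedBpb) == 0x00b
        && offsetof(PACKED_BIOS_PARAMETER_BLOCK, LargeSectors) == 0x015
        && offsetof(PACKED_BOOT_SECTOR, PhysicalDriveNumber) == 0x024
        && offsetof(PACKED_BOOT_SECTOR, VolumeLabel) == 0x02b
        && offsetof(PACKED_BOOT_SECTOR, SystemId) == 0x036
        && sizeof(PACKED_BOOT_SECTOR) == 0x03e;
}

typedef struct { uint32_t bytes_per_sector, sectors_per_cluster, reserved_sectors, fats, total_sectors; } BOOT_SECTOR_INFO;

/* Decodes a raw boot sector into native values and sanity-checks them the way a
   driver should before trusting on-disk input. Returns 1 if plausible, else 0. */
int decode_boot_sector(const uint8_t *buf, size_t len, BOOT_SECTOR_INFO *out) {
    PACKED_BOOT_SECTOR bs;
    uint32_t bps, spc, sectors16;
    memset(out, 0, sizeof *out);
    if (len < sizeof bs) return 0;                            /* truncated */
    memcpy(&bs, buf, sizeof bs);
    if (bs.Jump[0] != 0xEB && bs.Jump[0] != 0xE9) return 0;  /* no x86 jump */
    bps = out->bytes_per_sector = rd16(bs.PackedBpb.BytesPerSector);
    spc = out->sectors_per_cluster = bs.PackedBpb.SectorsPerCluster[0];
    out->reserved_sectors = rd16(bs.PackedBpb.ReservedSectors);
    out->fats = bs.PackedBpb.Fats[0];
    sectors16 = rd16(bs.PackedBpb.Sectors);   /* 16-bit count; 0 => use 32-bit */
    out->total_sectors = sectors16 ? sectors16 : rd32(bs.PackedBpb.LargeSectors);
    if (bps != 512 && bps != 1024 && bps != 2048 && bps != 4096) return 0;
    if (spc == 0 || (spc & (spc - 1)) != 0) return 0;         /* power of two */
    if (out->fats == 0 || out->reserved_sectors == 0 || out->total_sectors == 0) return 0;
    return 1;
}

/* Constructed sample (not captured from a real disk): a FAT16-style sector. */
void build_sample_boot_sector(PACKED_BOOT_SECTOR *bs) {
    memset(bs, 0, sizeof *bs);
    bs->Jump[0] = 0xEB; bs->Jump[1] = 0x3C; bs->Jump[2] = 0x90;
    wr16(bs->PackedBpb.BytesPerSector, 512);
    bs->PackedBpb.SectorsPerCluster[0] = 4;
    wr16(bs->PackedBpb.ReservedSectors, 1);
    bs->PackedBpb.Fats[0] = 2;
    wr32(bs->PackedBpb.LargeSectors, 65536);   /* Sectors left 0 => use this */
    bs->PhysicalDriveNumber = 0x80;
    bs->Signature = 0x29;
    memcpy(bs->SystemId, "FAT16   ", 8);
}

/* Decodes the sample; returns its total sector count, or 0 if rejected. */
uint32_t sample_total_sectors(void) {
    PACKED_BOOT_SECTOR bs; BOOT_SECTOR_INFO info;
    build_sample_boot_sector(&bs);
    return decode_boot_sector((const uint8_t *)&bs, sizeof bs, &info) ? info.total_sectors : 0;
}

/* Returns 1 if both a truncated buffer and a corrupted jump byte are rejected. */
int sample_rejects_bad_input(void) {
    PACKED_BOOT_SECTOR bs; BOOT_SECTOR_INFO info;
    build_sample_boot_sector(&bs);
    if (decode_boot_sector((const uint8_t *)&bs, 10, &info)) return 0;
    bs.Jump[0] = 0x00;
    return decode_boot_sector((const uint8_t *)&bs, sizeof bs, &info) ? 0 : 1;
}

int main(void) {
    printf("layout matches dt: %d\n", layout_matches_dt());
    printf("sample total sectors: %u\n", sample_total_sectors());
    printf("bad input rejected: %d\n", sample_rejects_bad_input());
    return 0;
}
```

the offsetof check is the useful part when you bring a struct over from dt into your own code: if any field is mis-sized the sizes and offsets drift and the check fails before you ever parse a real sector. the decoder reads every multi-byte field through rd16/rd32 for the same reason dt shows them as byte arrays, and it refuses the buffer before touching fields whenever it is shorter than the structure.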

that's all for now

comments, queries, criticisms are welcome
