blabberer

DbgEng Based Debugger (PART2)


Continuing from part 1, where I described the dbgeng interfaces and used them to code a simple user-mode debugger,
I now describe the dbgeng interfaces that let you peek into the kernel, aka the mighty ring 0.

Are you ready? If you are not familiar with the dbgeng interfaces, please refer to part 1 first:
http://www.woodmann.com/forum/entry.php?246-A-Simple-Dbgeng-Based-User-Mode-Debugger

A short summary of that post, for those of you too bored to click the link and read the dry pages:


  1. To start with any DbgEng interface you need to create a client
  2. A client is created using the DebugCreate() function
  3. Once you have created a client you can query it for the other interfaces
  4. To query for interfaces you use the QueryInterface() method
  5. Each of these interfaces implements a few methods
  6. Methods that don't depend on other interfaces can be called directly
  7. Methods that depend on other interfaces can be called after querying for them
  8. All interfaces must be released before exiting the program
  9. Release the interfaces on a last-in, first-out basis, i.e. the client is released last
  10. There are 3 optional callbacks (EVENT, INPUT and OUTPUT)
  11. The dbgeng engine uses these callbacks to communicate with your program's handlers
  12. A callback consists of a base class, an implementation of its methods and a declaration
  13. The event callback implements 14 optional methods and 2 mandatory methods
  14. The output callback implements 1 optional method and 2 mandatory methods
  15. The input callback implements 2 optional methods and 2 mandatory methods
  16. The mandatory methods are AddRef() and Release()
  17. The main program mostly consists of:
  18. an argument / program input parsing routine,
  19. an interface creation routine,
  20. the implementation of the callbacks (optional), and
  21. an infinite loop waiting for events to be handled by the callback handlers, exiting when done



Let's get our hands wet in kernel mode.

It should be clear by now that we can code a basic, barebones kernel-peeking program with just
a client and a few required interfaces,

and that is what we will do in this example:

DebugCreate()
QueryInterface() for IDebugControl (to wait for the event after attaching to the kernel)
QueryInterface() for IDebugDataSpaces (to read the debugger data)
Attach to the kernel
Wait for the event
ReadDebuggerData() for each index
Print the results
Exit()


The code is as follows:

Code:
#include <stdarg.h>
#include <stdlib.h>
#include "dbgengdecl.h"

IDebugClient*     g_Client     = NULL;
IDebugControl*    g_Control    = NULL;
IDebugDataSpaces* g_DataSpaces = NULL;
HRESULT Status = S_OK;

// Common exit routine: release the interfaces in reverse order of creation
// (the client goes last), print the message and quit.
void Exit(int Code, PCSTR Format, ...)
{
    if (g_DataSpaces != NULL)
    {
        g_DataSpaces->Release();
        g_DataSpaces = NULL;
    }
    if (g_Control != NULL)
    {
        g_Control->Release();
        g_Control = NULL;
    }
    if (g_Client != NULL)
    {
        g_Client->EndSession(DEBUG_END_PASSIVE);
        g_Client->Release();
        g_Client = NULL;
    }
    if (Format != NULL)
    {
        va_list Args;
        va_start(Args, Format);
        vfprintf(stderr, Format, Args);
        va_end(Args);
    }
    exit(Code);
}

int __cdecl main(int Argc, char* Argv[])
{
    if ((Status = DebugCreate(__uuidof(IDebugClient), (void**)&g_Client)) != S_OK)
    {
        Exit(1, "DebugCreate failed, 0x%X\n", Status);
    }
    if ((Status = g_Client->QueryInterface(__uuidof(IDebugControl), (void**)&g_Control)) != S_OK)
    {
        Exit(1, "g_Client->QueryInterface(IDebugControl) failed, 0x%X\n", Status);
    }
    if ((Status = g_Client->QueryInterface(__uuidof(IDebugDataSpaces), (void**)&g_DataSpaces)) != S_OK)
    {
        Exit(1, "g_Client->QueryInterface(IDebugDataSpaces) failed, 0x%X\n", Status);
    }
    // Attach to the kernel we are running on (needs administrative rights)
    if ((Status = g_Client->AttachKernel(DEBUG_ATTACH_LOCAL_KERNEL, NULL)) != S_OK)
    {
        Exit(1, "AttachKernel failed, 0x%X\n", Status);
    }
    if ((Status = g_Control->WaitForEvent(DEBUG_WAIT_DEFAULT, INFINITE)) != S_OK)
    {
        Exit(1, "g_Control->WaitForEvent failed, 0x%X\n", Status);
    }
    ULONG64 Buffer   = 0;
    ULONG   DataSize = 0;
    for (int i = 0; i < _countof(DataSpaceIndex); i++)
    {
        // Clear the buffer before every read: 4-byte items (ProductType, SuiteMask, ...)
        // only overwrite the low dword, and a stale high dword from the previous
        // 8-byte read would otherwise be printed along with them.
        Buffer = 0;
        if ((g_DataSpaces->ReadDebuggerData(DataSpaceIndex[i].a, (PVOID)&Buffer, sizeof(Buffer), &DataSize)) == S_OK)
        {
            printf("%40s  =  %I64x\n", DataSpaceIndex[i].b, Buffer);
            continue;
        }
        printf("cant retrieve data for %d\n", i);
    }
    Exit(0, "Finished Debugging Quitting\n");
    return 0;
}
Simple and clean:
a common exit routine that releases the interfaces, prints a message and quits,
DebugCreate,
QueryInterface,
calls to the methods needed (AttachKernel, WaitForEvent, ReadDebuggerData),
print the results,
and exit.


Since this is a simple use case we haven't implemented any callbacks; as described earlier, they are optional.
Peeking into the kernel is as simple as 65 lines of C code with the dbgeng interfaces.

Now, on looking again, you might wonder about an include file that is
not in the include path but in the local directory, dbgengdecl.h,
and an array of structures, DataSpaceIndex, that doesn't seem to be defined anywhere.
What is it, and does it contain any magic?

No, absolutely not: it is a copy-paste of some #defines from dbgeng.h
into a structure array so that we can printf the results.
See below.
The grunt work was done using the gnuwin32 ports of the unix tools
grep, sed and paste.

In dbgeng.h
we have #defines for all the DEBUG_DATA indices, defined like this:

// Indices for ReadDebuggerData interface
#define DEBUG_DATA_KernBase 24


The grep -i "#define DEBUG_DATA.*[0-9]" regexp

gathers all of them from dbgeng.h and passes them to sed

sed "1,8 d" deletes the first 8 lines and is redirected to sed again

sed "114,$ d" deletes every line from line 114 to the end and redirects the output to sed again

sed s/"#define DEBUG"/"{ DEBUG"/g substitutes each #define with an opening brace { and passes it to sed again

sed s/"  .*[0-9]"/","/g substitutes the run of spaces and the number at the end with a comma , and stores the result in a temp file, tmp1.txt
(the pattern starts with two spaces so that it does not match the single space after the opening brace that the previous sed inserted)

Similarly, the second line in the bat file replaces #define DEBUG_DATA_ with a double quote (\x22) at the start, and replaces the spaces and numerals with a closing double quote, a closing brace
and a comma, " }, writing the result to a file tmp2.txt

paste concatenates both files line by line into another file

and the finished file will contain

{ DEBUG_DATA_KernBase, "KernBase" }, instead of

#define DEBUG_DATA_KernBase 24


It is kind of kludgy work, but I am used to it so I don't feel any pain.
Any better ideas that make sense are welcome, and I would say this kludge is far better than initializing the array manually with the 113 structure members defined in dbgeng.h.


Code:
rem first half of each row: opening brace, macro name and a comma
grep -i "#define DEBUG_DATA.*[0-9]" %DBGSDK_INC_PATH%\dbgeng.h | sed "1,8 d" | sed "114,$ d" | sed s/"#define DEBUG"/"{ DEBUG"/g | sed s/"  .*[0-9]"/","/g >tmp1.txt
rem second half of each row: the quoted short name, closing brace and comma
grep -i "#define DEBUG_DATA.*[0-9]" %DBGSDK_INC_PATH%\dbgeng.h | sed "1,8 d" | sed "114,$ d" | sed s/"#define DEBUG_DATA_"/\x22/g | sed s/"   .*[0-9]"/"\x22 },"/g >tmp2.txt

rem join the two halves line by line, then remove the temp files
paste tmp1.txt tmp2.txt > finished.txt

del tmp*.*
The finished file, hand-modified to remove the last comma,
with a structure and the array declared, the required include files added, and renamed to dbgengdecl.h, is as below:

Code:
#include <stdio.h>
#include <dbgeng.h>

// a = index passed to ReadDebuggerData, b = its name for printing
typedef struct _FOO
{
    ULONG a;
    PSTR  b;
} Foo, *PFoo;

Foo DataSpaceIndex[] =
{
    { DEBUG_DATA_KernBase,    "KernBase" },
    { DEBUG_DATA_BreakpointWithStatusAddr,    "BreakpointWithStatusAddr" },
    { DEBUG_DATA_SavedContextAddr,    "SavedContextAddr" },
    { DEBUG_DATA_KiCallUserModeAddr,    "KiCallUserModeAddr" },
    { DEBUG_DATA_KeUserCallbackDispatcherAddr,    "KeUserCallbackDispatcherAddr" },
    { DEBUG_DATA_PsLoadedModuleListAddr,    "PsLoadedModuleListAddr" },
    { DEBUG_DATA_PsActiveProcessHeadAddr,    "PsActiveProcessHeadAddr" },
    { DEBUG_DATA_PspCidTableAddr,    "PspCidTableAddr" },
    { DEBUG_DATA_ExpSystemResourcesListAddr,    "ExpSystemResourcesListAddr" },
    { DEBUG_DATA_ExpPagedPoolDescriptorAddr,    "ExpPagedPoolDescriptorAddr" },
    { DEBUG_DATA_ExpNumberOfPagedPoolsAddr,    "ExpNumberOfPagedPoolsAddr" },
    { DEBUG_DATA_KeTimeIncrementAddr,    "KeTimeIncrementAddr" },
    { DEBUG_DATA_KeBugCheckCallbackListHeadAddr,    "KeBugCheckCallbackListHeadAddr" },
    { DEBUG_DATA_KiBugcheckDataAddr,    "KiBugcheckDataAddr" },
    { DEBUG_DATA_IopErrorLogListHeadAddr,    "IopErrorLogListHeadAddr" },
    { DEBUG_DATA_ObpRootDirectoryObjectAddr,    "ObpRootDirectoryObjectAddr" },
    { DEBUG_DATA_ObpTypeObjectTypeAddr,    "ObpTypeObjectTypeAddr" },
    { DEBUG_DATA_MmSystemCacheStartAddr,    "MmSystemCacheStartAddr" },
    { DEBUG_DATA_MmSystemCacheEndAddr,    "MmSystemCacheEndAddr" },
    { DEBUG_DATA_MmSystemCacheWsAddr,    "MmSystemCacheWsAddr" },
    { DEBUG_DATA_MmPfnDatabaseAddr,    "MmPfnDatabaseAddr" },
    { DEBUG_DATA_MmSystemPtesStartAddr,    "MmSystemPtesStartAddr" },
    { DEBUG_DATA_MmSystemPtesEndAddr,    "MmSystemPtesEndAddr" },
    { DEBUG_DATA_MmSubsectionBaseAddr,    "MmSubsectionBaseAddr" },
    { DEBUG_DATA_MmNumberOfPagingFilesAddr,    "MmNumberOfPagingFilesAddr" },
    { DEBUG_DATA_MmLowestPhysicalPageAddr,    "MmLowestPhysicalPageAddr" },
    { DEBUG_DATA_MmHighestPhysicalPageAddr,    "MmHighestPhysicalPageAddr" },
    { DEBUG_DATA_MmNumberOfPhysicalPagesAddr,    "MmNumberOfPhysicalPagesAddr" },
    { DEBUG_DATA_MmMaximumNonPagedPoolInBytesAddr,"MmMaximumNonPagedPoolInBytesAddr" },
    { DEBUG_DATA_MmNonPagedSystemStartAddr,    "MmNonPagedSystemStartAddr" },
    { DEBUG_DATA_MmNonPagedPoolStartAddr,    "MmNonPagedPoolStartAddr" },
    { DEBUG_DATA_MmNonPagedPoolEndAddr,    "MmNonPagedPoolEndAddr" },
    { DEBUG_DATA_MmPagedPoolStartAddr,    "MmPagedPoolStartAddr" },
    { DEBUG_DATA_MmPagedPoolEndAddr,    "MmPagedPoolEndAddr" },
    { DEBUG_DATA_MmPagedPoolInformationAddr,    "MmPagedPoolInformationAddr" },
    { DEBUG_DATA_MmPageSize,    "MmPageSize" },
    { DEBUG_DATA_MmSizeOfPagedPoolInBytesAddr,    "MmSizeOfPagedPoolInBytesAddr" },
    { DEBUG_DATA_MmTotalCommitLimitAddr,    "MmTotalCommitLimitAddr" },
    { DEBUG_DATA_MmTotalCommittedPagesAddr,    "MmTotalCommittedPagesAddr" },
    { DEBUG_DATA_MmSharedCommitAddr,    "MmSharedCommitAddr" },
    { DEBUG_DATA_MmDriverCommitAddr,    "MmDriverCommitAddr" },
    { DEBUG_DATA_MmProcessCommitAddr,    "MmProcessCommitAddr" },
    { DEBUG_DATA_MmPagedPoolCommitAddr,    "MmPagedPoolCommitAddr" },
    { DEBUG_DATA_MmExtendedCommitAddr,    "MmExtendedCommitAddr" },
    { DEBUG_DATA_MmZeroedPageListHeadAddr,    "MmZeroedPageListHeadAddr" },
    { DEBUG_DATA_MmFreePageListHeadAddr,    "MmFreePageListHeadAddr" },
    { DEBUG_DATA_MmStandbyPageListHeadAddr,    "MmStandbyPageListHeadAddr" },
    { DEBUG_DATA_MmModifiedPageListHeadAddr,    "MmModifiedPageListHeadAddr" },
    { DEBUG_DATA_MmModifiedNoWritePageListHeadAddr,"MmModifiedNoWritePageListHeadAddr" },
    { DEBUG_DATA_MmAvailablePagesAddr,    "MmAvailablePagesAddr" },
    { DEBUG_DATA_MmResidentAvailablePagesAddr,    "MmResidentAvailablePagesAddr" },
    { DEBUG_DATA_PoolTrackTableAddr,    "PoolTrackTableAddr" },
    { DEBUG_DATA_NonPagedPoolDescriptorAddr,    "NonPagedPoolDescriptorAddr" },
    { DEBUG_DATA_MmHighestUserAddressAddr,    "MmHighestUserAddressAddr" },
    { DEBUG_DATA_MmSystemRangeStartAddr,    "MmSystemRangeStartAddr" },
    { DEBUG_DATA_MmUserProbeAddressAddr,    "MmUserProbeAddressAddr" },
    { DEBUG_DATA_KdPrintCircularBufferAddr,    "KdPrintCircularBufferAddr" },
    { DEBUG_DATA_KdPrintCircularBufferEndAddr,    "KdPrintCircularBufferEndAddr" },
    { DEBUG_DATA_KdPrintWritePointerAddr,    "KdPrintWritePointerAddr" },
    { DEBUG_DATA_KdPrintRolloverCountAddr,    "KdPrintRolloverCountAddr" },
    { DEBUG_DATA_MmLoadedUserImageListAddr,    "MmLoadedUserImageListAddr" },
    { DEBUG_DATA_NtBuildLabAddr,    "NtBuildLabAddr" },
    { DEBUG_DATA_KiNormalSystemCall,    "KiNormalSystemCall" },
    { DEBUG_DATA_KiProcessorBlockAddr,    "KiProcessorBlockAddr" },
    { DEBUG_DATA_MmUnloadedDriversAddr,    "MmUnloadedDriversAddr" },
    { DEBUG_DATA_MmLastUnloadedDriverAddr,    "MmLastUnloadedDriverAddr" },
    { DEBUG_DATA_MmTriageActionTakenAddr,    "MmTriageActionTakenAddr" },
    { DEBUG_DATA_MmSpecialPoolTagAddr,    "MmSpecialPoolTagAddr" },
    { DEBUG_DATA_KernelVerifierAddr,    "KernelVerifierAddr" },
    { DEBUG_DATA_MmVerifierDataAddr,    "MmVerifierDataAddr" },
    { DEBUG_DATA_MmAllocatedNonPagedPoolAddr,    "MmAllocatedNonPagedPoolAddr" },
    { DEBUG_DATA_MmPeakCommitmentAddr,    "MmPeakCommitmentAddr" },
    { DEBUG_DATA_MmTotalCommitLimitMaximumAddr,    "MmTotalCommitLimitMaximumAddr" },
    { DEBUG_DATA_CmNtCSDVersionAddr,    "CmNtCSDVersionAddr" },
    { DEBUG_DATA_MmPhysicalMemoryBlockAddr,    "MmPhysicalMemoryBlockAddr" },
    { DEBUG_DATA_MmSessionBase,    "MmSessionBase" },
    { DEBUG_DATA_MmSessionSize,    "MmSessionSize" },
    { DEBUG_DATA_MmSystemParentTablePage,    "MmSystemParentTablePage" },
    { DEBUG_DATA_MmVirtualTranslationBase,    "MmVirtualTranslationBase" },
    { DEBUG_DATA_OffsetKThreadNextProcessor,    "OffsetKThreadNextProcessor" },
    { DEBUG_DATA_OffsetKThreadTeb,    "OffsetKThreadTeb" },
    { DEBUG_DATA_OffsetKThreadKernelStack,    "OffsetKThreadKernelStack" },
    { DEBUG_DATA_OffsetKThreadInitialStack,    "OffsetKThreadInitialStack" },
    { DEBUG_DATA_OffsetKThreadApcProcess,    "OffsetKThreadApcProcess" },
    { DEBUG_DATA_OffsetKThreadState,    "OffsetKThreadState" },
    { DEBUG_DATA_OffsetKThreadBStore,    "OffsetKThreadBStore" },
    { DEBUG_DATA_OffsetKThreadBStoreLimit,    "OffsetKThreadBStoreLimit" },
    { DEBUG_DATA_SizeEProcess,    "SizeEProcess" },
    { DEBUG_DATA_OffsetEprocessPeb,    "OffsetEprocessPeb" },
    { DEBUG_DATA_OffsetEprocessParentCID,    "OffsetEprocessParentCID" },
    { DEBUG_DATA_OffsetEprocessDirectoryTableBase,"OffsetEprocessDirectoryTableBase" },
    { DEBUG_DATA_SizePrcb,    "SizePrcb" },
    { DEBUG_DATA_OffsetPrcbDpcRoutine,    "OffsetPrcbDpcRoutine" },
    { DEBUG_DATA_OffsetPrcbCurrentThread,    "OffsetPrcbCurrentThread" },
    { DEBUG_DATA_OffsetPrcbMhz,    "OffsetPrcbMhz" },
    { DEBUG_DATA_OffsetPrcbCpuType,    "OffsetPrcbCpuType" },
    { DEBUG_DATA_OffsetPrcbVendorString,    "OffsetPrcbVendorString" },
    { DEBUG_DATA_OffsetPrcbProcessorState,    "OffsetPrcbProcessorState" },
    { DEBUG_DATA_OffsetPrcbNumber,    "OffsetPrcbNumber" },
    { DEBUG_DATA_SizeEThread,    "SizeEThread" },
    { DEBUG_DATA_KdPrintCircularBufferPtrAddr,    "KdPrintCircularBufferPtrAddr" },
    { DEBUG_DATA_KdPrintBufferSizeAddr,    "KdPrintBufferSizeAddr" },
    { DEBUG_DATA_MmBadPagesDetected,    "MmBadPagesDetected" },
    { DEBUG_DATA_EtwpDebuggerData,    "EtwpDebuggerData" },
    { DEBUG_DATA_PaeEnabled,    "PaeEnabled" },
    { DEBUG_DATA_SharedUserData,    "SharedUserData" },
    { DEBUG_DATA_ProductType,    "ProductType" },
    { DEBUG_DATA_SuiteMask,    "SuiteMask" },
    { DEBUG_DATA_DumpWriterStatus,    "DumpWriterStatus" },
    { DEBUG_DATA_DumpFormatVersion,    "DumpFormatVersion" },
    { DEBUG_DATA_DumpWriterVersion,    "DumpWriterVersion" },
    { DEBUG_DATA_DumpPowerState,    "DumpPowerState" },
    { DEBUG_DATA_DumpMmStorage,    "DumpMmStorage" }
};
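As one of the "better ideas" invited above, here is an added Python alternative to the grep/sed/paste pipeline; it is my own example, not code from the post. It keys off the "// Indices for ReadDebuggerData interface" comment that the post quotes from dbgeng.h and stops at the next comment line, so the hard-coded "1,8 d" / "114,$ d" line counts and the hand removal of the trailing comma go away. The assumption is that the real header delimits the section that way; SAMPLE_HEADER is a constructed stand-in (only DEBUG_DATA_KernBase = 24 is from the post) so the script runs offline.

```python
import re

# Constructed stand-in for the relevant part of dbgeng.h. Only DEBUG_DATA_KernBase = 24
# is quoted from the post; the other lines are illustrative, not the real header.
SAMPLE_HEADER = """\
#define DEBUG_DATA_SPACE_VIRTUAL                             0
#define DEBUG_DATA_SPACE_PHYSICAL                            1

// Indices for ReadDebuggerData interface
#define DEBUG_DATA_KernBase                                 24
#define DEBUG_DATA_BreakpointWithStatusAddr                 32
#define DEBUG_DATA_SavedContextAddr                         40
#define DEBUG_DATA_DumpMmStorage                        100032

// Indices for ReadProcessorSystemData interface
#define DEBUG_DATA_KPCR_OFFSET                               0
"""

# The post quotes this comment from dbgeng.h. Assumption: the ReadDebuggerData
# indices run from it up to the next comment line, so no line numbers are needed.
SECTION_START = "// Indices for ReadDebuggerData interface"
DEFINE_RE = re.compile(r"^\s*#define\s+(DEBUG_DATA_(\w+))\s+(\d+)\s*$")


def collect_indices(header_text):
    """Return [(macro, short_name, value), ...] for the ReadDebuggerData section only."""
    entries = []
    in_section = False
    for line in header_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("//"):
            # A comment line either opens our section or closes it.
            in_section = stripped.startswith(SECTION_START)
            continue
        if not in_section:
            continue
        m = DEFINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3))))
    return entries


def render_header(entries, array_name="DataSpaceIndex"):
    """Emit dbgengdecl.h text with the same Foo struct and array layout the post uses."""
    rows = [f'    {{ {macro}, "{name}" }}' for macro, name, _value in entries]
    body = ",\n".join(rows)  # join, do not terminate: no trailing comma to hand-remove
    return (
        "#include <stdio.h>\n"
        "#include <dbgeng.h>\n\n"
        "typedef struct _FOO\n{\n    ULONG a;\n    PSTR  b;\n} Foo, *PFoo;\n\n"
        f"Foo {array_name}[] =\n{{\n{body}\n}};\n"
    )


if __name__ == "__main__":
    # Real use: read <DBGSDK_INC_PATH>\dbgeng.h instead of SAMPLE_HEADER and
    # redirect the output to dbgengdecl.h.
    print(render_header(collect_indices(SAMPLE_HEADER)))
```

Because the short name is derived from the macro itself, the two halves can never get out of step the way two separately filtered grep outputs fed to paste can.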

Build it in the WinXP free build environment, copy the finished binary into a test folder that contains all the required dlls from the windbg installation folder, and run it. You should get the results below on XP SP3. Anyone is welcome to check this on w2k, Vista, Win7, Win8, x86 and x64; it should work as-is on all of them.

Let's verify a few results:

lkd> ? nt
Evaluate expression: -2142408704 = 804d7000
we got KernBase = ffffffff804d7000

lkd> ? nt!PspCidTable
Evaluate expression: -2141871392 = 8055a2e0
we got PspCidTableAddr = ffffffff8055a2e0

lkd> ? nt!MmMaximumNonPagedPoolInBytes
Evaluate expression: -2141878164 = 8055886c
we got MmMaximumNonPagedPoolInBytesAddr = ffffffff8055886c

From a /debug-enabled VM:

lkd> db nt!KdPrintCircularBuffer
8068fe00
45 6e 74 65 72 20 50 6f-72 74 49 6f 44 65 76 69 Enter PortIoDevi
8068fe10 63 65 41 64 64 0a 52 65-73 6f 75 72 63 65 20 54 ceAdd.Resource T
8068fe20 72 61 6e 73 6c 61 74 65-64 20 50 6f 72 74 3a 20 ranslated Port:
8068fe30 28 33 30 30 29 20 4c 65-6e 67 74 68 3a 20 28 34 (300) Length: (4
8068fe40 29 0a 45 52 52 4f 52 3a-20 44 61 76 52 65 61 64 ).ERROR: DavRead
8068fe50 52 65 67 69 73 74 72 79-56 61 6c 75 65 73 2f 52 RegistryValues/R
8068fe60 65 67 51 75 65 72 79 56-61 6c 75 65 45 78 57 28 egQueryValueExW(
8068fe70 34 29 2e 20 57 53 74 61-74 75 73 20 3d 20 35 0a 4). WStatus = 5.
lkd>
we got:
MmUserProbeAddressAddr = ffffffff8055fbd4
KdPrintCircularBufferAddr = ffffffff8068fe00
KdPrintCircularBufferEndAddr = ffffffff80690e00

lkd> !kuser
_KUSER_SHARED_DATA at ffdf0000

TickCount: fa00000 * 00232664 (0:09:59:53.562)
TimeZone Id: 0
ImageNumber Range: [14c .. 14c]
Crypto Exponent: 0
SystemRoot: 'C:\WINDOWS'

We got SharedUserData = ffffffffffdf0000

That's it: attaching to the kernel and getting data from kernel space is as easy as coding a MessageBox.

The full result is as follows:


Code:

                                KernBase  =  ffffffff804d7000
                BreakpointWithStatusAddr  =  ffffffff80527bf4
                        SavedContextAddr  =  0
                      KiCallUserModeAddr  =  ffffffff804ff69c
            KeUserCallbackDispatcherAddr  =  7c90e460
                  PsLoadedModuleListAddr  =  ffffffff80554040
                 PsActiveProcessHeadAddr  =  ffffffff8055a1d8
                         PspCidTableAddr  =  ffffffff8055a2e0
              ExpSystemResourcesListAddr  =  ffffffff8055c708
              ExpPagedPoolDescriptorAddr  =  ffffffff8055b5a0
               ExpNumberOfPagedPoolsAddr  =  ffffffff8054ab2c
                     KeTimeIncrementAddr  =  ffffffff80552f9c
          KeBugCheckCallbackListHeadAddr  =  ffffffff80553078
                      KiBugcheckDataAddr  =  ffffffff805539c0
                 IopErrorLogListHeadAddr  =  ffffffff80551940
              ObpRootDirectoryObjectAddr  =  ffffffff805597f8
                   ObpTypeObjectTypeAddr  =  ffffffff805597f0
                  MmSystemCacheStartAddr  =  ffffffff8054a210
                    MmSystemCacheEndAddr  =  ffffffff805587e8
                     MmSystemCacheWsAddr  =  ffffffff80558800
                       MmPfnDatabaseAddr  =  ffffffff805589e8
                   MmSystemPtesStartAddr  =  ffffffff80553c68
                     MmSystemPtesEndAddr  =  ffffffff80553c60
                    MmSubsectionBaseAddr  =  ffffffff80553ff8
               MmNumberOfPagingFilesAddr  =  ffffffff80558580
                MmLowestPhysicalPageAddr  =  ffffffff8054a13c
               MmHighestPhysicalPageAddr  =  ffffffff80558a44
             MmNumberOfPhysicalPagesAddr  =  ffffffff80558a48
        MmMaximumNonPagedPoolInBytesAddr  =  ffffffff8055886c
               MmNonPagedSystemStartAddr  =  ffffffff805589a0
                 MmNonPagedPoolStartAddr  =  ffffffff80553cb8
                   MmNonPagedPoolEndAddr  =  ffffffff8054a5f8
                    MmPagedPoolStartAddr  =  ffffffff8054a5fc
                      MmPagedPoolEndAddr  =  ffffffff80553cb4
              MmPagedPoolInformationAddr  =  ffffffff805584a0
                              MmPageSize  =  1000
            MmSizeOfPagedPoolInBytesAddr  =  ffffffff8054a208
                  MmTotalCommitLimitAddr  =  ffffffff80558544
               MmTotalCommittedPagesAddr  =  ffffffff80558548
                      MmSharedCommitAddr  =  ffffffff8054c748
                      MmDriverCommitAddr  =  ffffffff805540c0
                     MmProcessCommitAddr  =  ffffffff80554034
                   MmPagedPoolCommitAddr  =  ffffffff80553e14
                    MmExtendedCommitAddr  =  0
                MmZeroedPageListHeadAddr  =  ffffffff8054a160
                  MmFreePageListHeadAddr  =  ffffffff8054a170
               MmStandbyPageListHeadAddr  =  ffffffff8054a180
              MmModifiedPageListHeadAddr  =  ffffffff8054a190
       MmModifiedNoWritePageListHeadAddr  =  ffffffff8054a1a0
                    MmAvailablePagesAddr  =  ffffffff80558a3c
            MmResidentAvailablePagesAddr  =  ffffffff805589fc
                      PoolTrackTableAddr  =  ffffffff8055c680
              NonPagedPoolDescriptorAddr  =  ffffffff8055b640
                MmHighestUserAddressAddr  =  ffffffff80558a5c
                  MmSystemRangeStartAddr  =  ffffffff80558a58
                  MmUserProbeAddressAddr  =  ffffffff80558a54
               KdPrintCircularBufferAddr  =  ffffffff80674200
            KdPrintCircularBufferEndAddr  =  ffffffff80675200
                 KdPrintWritePointerAddr  =  ffffffff80675200
                KdPrintRolloverCountAddr  =  ffffffff80675204
               MmLoadedUserImageListAddr  =  ffffffff80553f10
                          NtBuildLabAddr  =  ffffffff804d7c5c
                      KiNormalSystemCall  =  0
                    KiProcessorBlockAddr  =  ffffffff80552ec0
                   MmUnloadedDriversAddr  =  ffffffff805540bc
                MmLastUnloadedDriverAddr  =  ffffffff805540b8
                 MmTriageActionTakenAddr  =  ffffffff80553e18
                    MmSpecialPoolTagAddr  =  ffffffff80553d2c
                      KernelVerifierAddr  =  ffffffff8054c708
                      MmVerifierDataAddr  =  ffffffff805583a0
             MmAllocatedNonPagedPoolAddr  =  ffffffff80553e10
                    MmPeakCommitmentAddr  =  ffffffff80553d48
           MmTotalCommitLimitMaximumAddr  =  ffffffff80558540
                      CmNtCSDVersionAddr  =  ffffffff805512e4
               MmPhysicalMemoryBlockAddr  =  ffffffff80553fe8
                           MmSessionBase  =  ffffffff8055848c
                           MmSessionSize  =  ffffffff80558480
                 MmSystemParentTablePage  =  0
                MmVirtualTranslationBase  =  0
              OffsetKThreadNextProcessor  =  12b
                        OffsetKThreadTeb  =  20
                OffsetKThreadKernelStack  =  28
               OffsetKThreadInitialStack  =  18
                 OffsetKThreadApcProcess  =  44
                      OffsetKThreadState  =  2d
                     OffsetKThreadBStore  =  0
                OffsetKThreadBStoreLimit  =  0
                            SizeEProcess  =  258
                       OffsetEprocessPeb  =  1b0
                 OffsetEprocessParentCID  =  14c
        OffsetEprocessDirectoryTableBase  =  18
                                SizePrcb  =  9f0
                    OffsetPrcbDpcRoutine  =  874
                 OffsetPrcbCurrentThread  =  4
                           OffsetPrcbMhz  =  910
                       OffsetPrcbCpuType  =  18
                  OffsetPrcbVendorString  =  900
                OffsetPrcbProcessorState  =  1c
                        OffsetPrcbNumber  =  10
                             SizeEThread  =  260
            KdPrintCircularBufferPtrAddr  =  0
                   KdPrintBufferSizeAddr  =  0
                      MmBadPagesDetected  =  0
                        EtwpDebuggerData  =  0
                              PaeEnabled  =  1
                          SharedUserData  =  ffffffffffdf0000
                             ProductType  =  ffffffff00000001
                               SuiteMask  =  ffffffff00000110
cant retrieve data for 108
cant retrieve data for 109
cant retrieve data for 110
cant retrieve data for 111
cant retrieve data for 112
Finished Debugging Quitting
  
