
Thread: NTFS MFT Internals

  1. #136
    Quote Originally Posted by blabberer:
    you either need a neat and clean vm or you have to muck with softice i3here off
    Came across a fresh XP vmx file I forgot I had. Loaded Virtual KD and things seem to have cleared up, even though it's loaded with SI.

    I'm currently sitting with an XP desktop with a live mouse and windbg seems to be talking to it. I don't have a clue how to proceed and I'm too tired to figure it out at the moment. The windbg window says nt!RtlpBreakWithStatusInstruction followed by 804e3592 cc int 3. That's because I issued a ctrl - break.

    I tried tlist | grep explorer, as you suggested in a past thread, but it gets snarky right off, claiming ' ^pass count must be preceeded by whitespace error in 'tlist | grep explorer'.

    I described my SI procedure to you. I use SPYXX to find a hwnd in explorer.exe that represents the window holding the notepad.exe reference in explorer. Then I 'bmsg hwnd 0x201' in SI which sets a BP on the hwnd if its window is double-clicked, 0x201 being the wmsg for double-click.

    SI breaks in explorer code then returns to u32 code. From the explorer code I can BP on anything I want so long as I know the context and the function, provided the function is known to SI. A good bp is the shellexecuteex function described in that link I posted. It has a structure that describes what is being done to the file being loaded.

    What I can't figure out at this time is how to begin.

    I am proposing a means of attack but you were suggesting going straight to fopen(). I think that's a waste of time but I'm willing to try it. I think you'll find the file is already open.

    By definition fopen() "Opens the file whose name is specified in the parameter filename and associates it with a stream that can be identified in future operations by the FILE pointer returned". Createfile() does the same thing. The trick is to find the stream and that search seems to take place long before createfile or fopen comes into play.

    What did you have in mind? You're going to be way ahead of me till I get up to speed but I'd like to try getting the hang of your modus operandi as it applies to windbg.

  2. #137
    Super Moderator (Join Date: Dec 2004, Posts: 1,486, Blog Entries: 15)
    when windbg shows that, what does the prompt look like?

    does it show kd
    or is it grayed out and busy running ?

    if it is kd type g and press enter

    that exception seems to show an address from usermode 1b

  3. #138
    Super Moderator (Join Date: Dec 2004, Posts: 1,486, Blog Entries: 15)
    here are three text files that show the round trip for creation of a txt file named willy.txt that does not exist prior

    modus operandi

    start run -> type notepad willy.txt and press ok
    since the file doesn't exist notepad will ask you whether you want to create it new
    you want to create it but before that you want to trace it so

    set a breakpoint on nt!IopCreateFile hit g

    now in vm say yes to the msgbox

    if there are spurious breaks in IopCreateFile without notepad.exe in stack ignore them

    you should see a break where stack should look like this

    Code:
    kd> bl
     0 e 8056ae1c     0001 (0001) nt!IopCreateFile
    
    kd> kb
    ChildEBP RetAddr  Args to Child              
    fb3b7c94 8056bb9a 0007fe0c c0100080 0007fdac nt!IopCreateFile
    fb3b7cf0 8056e2ac 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    fb3b7d30 8053d638 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    fb3b7d30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    0007fe04 01004a61 0100a900 c0000000 00000003 kernel32!CreateFileW+0x35f
    0007fedc 01002980 01000000 00000000 0002061c notepad!NPInit+0x4fc
    0007ff1c 01007511 01000000 00000000 000a2332 notepad!WinMain+0x4a
    0007ffc0 7c817067 0149d6ec 00000018 7ffdf000 notepad!WinMainCRTStartup+0x174
    0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23
    kd> dt nt!_object_attributes poi(@esp+c)
       +0x000 Length           : 0x18
       +0x004 RootDirectory    : 0x0000000c Void
       +0x008 ObjectName       : 0x0007fdec _UNICODE_STRING "willy.txt"
       +0x00c Attributes       : 0x40
       +0x010 SecurityDescriptor : (null) 
       +0x014 SecurityQualityOfService : 0x0007fdd0 Void
    further tracing should get you into sr!SrCreate which checks for ADS (advanced data stream) and calls the lower / upper driver


    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    fb3b7a24 80578616 ff458da8 ff2f1dd0 fb3b7c04 nt!IopfCallDriver+0x2d
    fb3b7b04 80578a38 81029dd0 00000000 ff2a9e18 nt!IopParseDevice+0xa12
    fb3b7b3c 805b486b ff458da8 00000000 ff2a9e18 nt!IopParseFile+0x46
    fb3b7bc4 805b1065 0000000c fb3b7c04 00000040 nt!ObpLookupObjectName+0x119
    fb3b7c18 8056b223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
    fb3b7c94 8056bb9a 0007fe0c c0100080 0007fdac nt!IopCreateFile+0x407
    fb3b7cf0 8056e2ac 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    fb3b7d30 8053d638 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    fb3b7d30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    0007fe04 01004a61 00000000 c0000000 00000003 kernel32!CreateFileW+0x35f
    0007fedc 01002980 01000000 00000000 0002061c notepad!NPInit+0x4fc
    0007ff1c 01007511 01000000 00000000 000a2332 notepad!WinMain+0x4a
    0007ffc0 7c817067 0149d6ec 00000018 7ffdf000 notepad!WinMainCRTStartup+0x174
    0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23
    kd> r
    eax=00000000 ebx=ff323bc0 ecx=81029dd0 edx=ff32b5f0 esi=80faea80 edi=ff32b600
    eip=804ee115 esp=fb3b7a1c ebp=fb3b7b04 iopl=0         nv up ei ng nz ac pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000296
    nt!IopfCallDriver+0x2d:
    804ee115 ff548638        call    dword ptr [esi+eax*4+38h] ds:0023:80faeab8={sr!SrCreate (fc28f726)}
    
    fc28f908 ff159cab28fc    call    dword ptr [sr!_imp_IofCallDriver (fc28ab9c)] ds:0023:fc28ab9c={nt!IofCallDriver (804ee120)}

    here you enter ntfs

    Code:
    nt!IopfCallDriver+0x2d:
    804ee115 ff548638        call    dword ptr [esi+eax*4+38h] ds:0023:80f7a068={Ntfs!NtfsFsdCreate (fc20be01)}
    kd> t
    
    which should call 
    
    fc20bf28 e88ddcffff      call    Ntfs!NtfsCommonCreate (fc209bba)

    here is the relevant stack

    Code:
    Ntfs!NtfsCommonCreate+0x172:
    fc209cd8 8b4830          mov     ecx,dword ptr [eax+30h] ds:0023:ff323bf0=00380012
    kd> dd eax
    ff323bc0  00700005 80f95e30 00000000 00000000
    ff323bd0  00000000 00000000 00000000 00000000
    ff323be0  ff458da8 00000000 00000000 00000002
    ff323bf0  00380012 e181a2b0 00000000 00000000
    ff323c00  00000000 00000000 00000000 00040001
    ff323c10  00000000 ff323c14 ff323c14 00040000
    ff323c20  00000000 ff323c24 ff323c24 00000000
    ff323c30  00100013 7453624f 80fe07c0 ff3c0120
    kd> !object @eax
    Object: ff323bc0  Type: (8109d560) File
        ObjectHeader: ff323ba8 (old version)
        HandleCount: 0  PointerCount: 1
        Directory Object: 00000000  Name: willy.txt {HarddiskVolume1}
    kd> dt nt!_FILE_OBJECT @eax
       +0x000 Type             : 0n5
       +0x002 Size             : 0n112
       +0x004 DeviceObject     : 0x80f95e30 _DEVICE_OBJECT
       +0x008 Vpb              : (null) 
       +0x00c FsContext        : (null) 
       +0x010 FsContext2       : (null) 
       +0x014 SectionObjectPointer : (null) 
       +0x018 PrivateCacheMap  : (null) 
       +0x01c FinalStatus      : 0n0
       +0x020 RelatedFileObject : 0xff458da8 _FILE_OBJECT
       +0x024 LockOperation    : 0 ''
       +0x025 DeletePending    : 0 ''
       +0x026 ReadAccess       : 0 ''
       +0x027 WriteAccess      : 0 ''
       +0x028 DeleteAccess     : 0 ''
       +0x029 SharedRead       : 0 ''
       +0x02a SharedWrite      : 0 ''
       +0x02b SharedDelete     : 0 ''
       +0x02c Flags            : 2
       +0x030 FileName         : _UNICODE_STRING "willy.txt"
       +0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
       +0x040 Waiters          : 0
       +0x044 Busy             : 0
       +0x048 LastLock         : (null) 
       +0x04c Lock             : _KEVENT
       +0x05c Event            : _KEVENT
       +0x06c CompletionContext : (null) 
    kd> kb
    ChildEBP RetAddr  Args to Child              
    fb3b78d4 fc20bf2d ff37f698 ff32b5f0 fb3b792c Ntfs!NtfsCommonCreate+0x172
    fb3b79b8 804ee119 81029408 ff32b5f0 81029e88 Ntfs!NtfsFsdCreate+0x1dc
    fb3b79c8 fc28f90e ff32b600 80faea80 ff323bc0 nt!IopfCallDriver+0x31
    fb3b7a14 804ee119 81029e88 00000003 ff32b5f0 sr!SrCreate+0x1e8
    fb3b7a24 80578616 ff458da8 ff2f1dd0 fb3b7c04 nt!IopfCallDriver+0x31
    fb3b7b04 80578a38 81029dd0 00000000 ff2a9e18 nt!IopParseDevice+0xa12
    fb3b7b3c 805b486b ff458da8 00000000 ff2a9e18 nt!IopParseFile+0x46
    fb3b7bc4 805b1065 0000000c fb3b7c04 00000040 nt!ObpLookupObjectName+0x119
    fb3b7c18 8056b223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
    fb3b7c94 8056bb9a 0007fe0c c0100080 0007fdac nt!IopCreateFile+0x407
    fb3b7cf0 8056e2ac 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    fb3b7d30 8053d638 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    fb3b7d30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    0007fe04 01004a61 00000000 c0000000 00000003 kernel32!CreateFileW+0x35f
    0007fedc 01002980 01000000 00000000 0002061c notepad!NPInit+0x4fc
    0007ff1c 01007511 01000000 00000000 000a2332 notepad!WinMain+0x4a
    0007ffc0 7c817067 0149d6ec 00000018 7ffdf000 notepad!WinMainCRTStartup+0x174
    0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23

    commoncreate should call

    call Ntfs!NtfsCreateNewFile

    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    fb7af680 fc20eb32 80fdaef0 ff3d68f8 ff3d6a40 Ntfs!NtfsCreateNewFile
    fb7af8d4 fc20bf2d 80fdaef0 ff3d68f8 fb7af92c Ntfs!NtfsCommonCreate+0x12ce
    fb7af9b8 804ee119 81027020 ff3d68f8 80ee2998 Ntfs!NtfsFsdCreate+0x1dc
    fb7af9c8 fc28f90e ff3d6908 80ef3550 ff45bd80 nt!IopfCallDriver+0x31
    fb7afa14 804ee119 80ee2998 00000003 ff3d68f8 sr!SrCreate+0x1e8
    fb7afa24 80578616 ff307898 80f976c8 fb7afc04 nt!IopfCallDriver+0x31
    fb7afb04 80578a38 80ee28e0 00000000 ff45d960 nt!IopParseDevice+0xa12
    fb7afb3c 805b486b ff307898 00000000 ff45d960 nt!IopParseFile+0x46
    fb7afbc4 805b1065 0000000c fb7afc04 00000040 nt!ObpLookupObjectName+0x119
    fb7afc18 8056b223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
    fb7afc94 8056bb9a 0007fe0c c0100080 0007fdac nt!IopCreateFile+0x407
    fb7afcf0 8056e2ac 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    fb7afd30 8053d638 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    fb7afd30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    0007fe04 01004a61 00000000 c0000000 00000003 kernel32!CreateFileW+0x35f
    0007fedc 01002980 01000000 00000000 0002061c notepad!NPInit+0x4fc
    0007ff1c 01007511 01000000 00000000 000a2332 notepad!WinMain+0x4a
    0007ffc0 7c817067 80000001 00f7d864 7ffdf000 notepad!WinMainCRTStartup+0x174
    0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23
    the stack on this call

    this function takes 20 arguments

    Code:
    kd> .fnent @eip
    Exact matches:
        Ntfs!NtfsCreateNewFile = <no type information>
    
    OffStart:  00029bc7
    ProcSize:  0xe3f
    Prologue:  0x17
    Params:    0n20 (0x50 bytes)
    Locals:    0n112 (0x1c0 bytes)
    full stack on this call

    Code:
    kd> dd esp
    fb7af684  fc20eb32 80fdaef0 ff3d68f8 ff3d6a40
    fb7af694  e191f9f0 e1885f58 005e005e e1076ed0
    fb7af6a4  00120012 e1076f1c e1130000 e15dbcf0
    fb7af6b4  00000000 e15dde90 00003820 fb7af880
    fb7af6c4  fb7af810 fb7af8b0 fb7af85c fb7af894
    fb7af6d4  fb7af8a0 00a33400 00000000 c18b3580
    fb7af6e4  c18b3400 8109e151 00000000 00000000
    fb7af6f4  00000000 00000000 00000000 00000000
    some args to this function are

    Code:
    kd> du e1076ed0
    e1076ed0  "\Documents and Settings\Administ"
    e1076f10  "rator\willy.txty?.??."
    
    kd> du e1076f1c
    e1076f1c  "willy.txty?.??."
    
    kd> db c18b3400 l10
    
    c18b3400  46 49 4c 45 30 00 03 00-7b 17 6e 03 00 00 00 00  FILE0...{.n.....
    this should allocate the mft record

    fc219d70 e8e2ecffff call Ntfs!NtfsAllocateMftRecord (fc218a57)


    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    fb7af4a0 fc219d75 80fdaef0 81027100 00000000 Ntfs!NtfsAllocateMftRecord+0x46
    fb7af680 fc20eb32 80fdaef0 ff3d68f8 ff3d6a40 Ntfs!NtfsCreateNewFile+0x3b7
    fb7af8d4 fc20bf2d 80fdaef0 ff3d68f8 fb7af92c Ntfs!NtfsCommonCreate+0x12ce
    fb7af9b8 804ee119 81027020 ff3d68f8 80ee2998 Ntfs!NtfsFsdCreate+0x1dc
    fb7af9c8 fc28f90e ff3d6908 80ef3550 ff45bd80 nt!IopfCallDriver+0x31
    fb7afa14 804ee119 80ee2998 00000003 ff3d68f8 sr!SrCreate+0x1e8
    fb7afa24 80578616 ff307898 80f976c8 fb7afc04 nt!IopfCallDriver+0x31
    fb7afb04 80578a38 80ee28e0 00000000 ff45d960 nt!IopParseDevice+0xa12
    fb7afb3c 805b486b ff307898 00000000 ff45d960 nt!IopParseFile+0x46
    fb7afbc4 805b1065 0000000c fb7afc04 00000040 nt!ObpLookupObjectName+0x119
    fb7afc18 8056b223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
    fb7afc94 8056bb9a 0007fe0c c0100080 0007fdac nt!IopCreateFile+0x407
    fb7afcf0 8056e2ac 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    fb7afd30 8053d638 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    fb7afd30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    0007fe04 01004a61 00000000 c0000000 00000003 kernel32!CreateFileW+0x35f
    0007fedc 01002980 01000000 00000000 0002061c notepad!NPInit+0x4fc
    0007ff1c 01007511 01000000 00000000 000a2332 notepad!WinMain+0x4a
    0007ffc0 7c817067 80000001 00f7d864 7ffdf000 notepad!WinMainCRTStartup+0x174
    0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23

    further up

    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    fb7af3a0 fc20cb96 80fdaef0 81027100 810311d0 Ntfs!NtfsReadMftRecord+0x95
    fb7af3d8 fc20caed 80fdaef0 81027100 810311d0 Ntfs!NtfsReadFileRecord+0x7a
    fb7af410 fc218aa2 80fdaef0 810311c8 810311d0 Ntfs!NtfsLookupInFileRecord+0x37
    fb7af4a0 fc219d75 80fdaef0 81027100 00000000 Ntfs!NtfsAllocateMftRecord+0x4b
    fb7af680 fc20eb32 80fdaef0 ff3d68f8 ff3d6a40 Ntfs!NtfsCreateNewFile+0x3b7
    fb7af8d4 fc20bf2d 80fdaef0 ff3d68f8 fb7af92c Ntfs!NtfsCommonCreate+0x12ce
    fb7af9b8 804ee119 81027020 ff3d68f8 80ee2998 Ntfs!NtfsFsdCreate+0x1dc
    fb7af9c8 fc28f90e ff3d6908 80ef3550 ff45bd80 nt!IopfCallDriver+0x31
    fb7afa14 804ee119 80ee2998 00000003 ff3d68f8 sr!SrCreate+0x1e8
    fb7afa24 80578616 ff307898 80f976c8 fb7afc04 nt!IopfCallDriver+0x31
    fb7afb04 80578a38 80ee28e0 00000000 ff45d960 nt!IopParseDevice+0xa12
    fb7afb3c 805b486b ff307898 00000000 ff45d960 nt!IopParseFile+0x46
    fb7afbc4 805b1065 0000000c fb7afc04 00000040 nt!ObpLookupObjectName+0x119
    fb7afc18 8056b223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
    fb7afc94 8056bb9a 0007fe0c c0100080 0007fdac nt!IopCreateFile+0x407
    fb7afcf0 8056e2ac 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    fb7afd30 8053d638 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    fb7afd30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    0007fe04 01004a61 00000000 c0000000 00000003 kernel32!CreateFileW+0x35f
    0007fedc 01002980 01000000 00000000 0002061c notepad!NPInit+0x4fc
    0007ff1c 01007511 01000000 00000000 000a2332 notepad!WinMain+0x4a
    0007ffc0 7c817067 80000001 00f7d864 7ffdf000 notepad!WinMainCRTStartup+0x174
    0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23
    further up should lead to MftReadFileInRecord () MftCheckAttributeRecord finally allot and return back

    Code:
    eax=81027cc0 ebx=00000000 ecx=00000000 edx=80fdaef0 esi=81027100 edi=80fdaef0
    eip=fc218ad5 esp=fb7af434 ebp=fb7af4a0 iopl=0         nv up ei ng nz ac pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000296
    Ntfs!NtfsAllocateMftRecord+0x9b:
    fc218ad5 e8f1040000      call    Ntfs!NtfsAllocateRecord (fc218fcb)
    kd> p
    eax=00002be0 ebx=00000000 ecx=fc2192bb edx=00000080 esi=81027100 edi=80fdaef0
    eip=fc218ada esp=fb7af440 ebp=fb7af4a0 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
    Ntfs!NtfsAllocateMftRecord+0xa0:
    fc218ada 8945dc          mov     dword ptr [ebp-24h],eax ss:0010:fb7af47c=80fdaef0

    the full set of function calls, grepped and sorted, for a round trip should be like this

    Code:
    8056ae23 e8e8d0fcff      call    nt!_SEH_prolog (80537f10)
    8056ae4e e82da0fdff      call    nt!ExAllocatePoolWithTag (80544e80)
    8056b209 e85043f8ff      call    nt!IopUpdateOtherOperationCount (804ef55e)
    8056b21e e8575d0400      call    nt!ObOpenObjectByName (805b0f7a)
    805b0fa7 e8d43ef9ff      call    nt!ExAllocatePoolWithTag (80544e80)
    805b0fd7 e8de5b0000      call    nt!ObpCaptureObjectCreateInformation (805b6bba)
    805b1005 e888600300      call    nt!SeCreateAccessState (805e7092)
    805b1028 e873490000      call    nt!ObpValidateAccessMask (805b59a0)
    805b1060 e8ed360000      call    nt!ObpLookupObjectName (805b4752)
    805b47d2 e8dfc2ffff      call    nt!ObReferenceObjectByHandle (805b0ab6)
    805b0bdf e8143e0500      call    nt!ExMapHandleToPointerEx (806049f8)
    80604a14 e86bf4ffff      call    nt!ExpLookupHandleTableEntry (80603e84)
    8056ae23 e8e8d0fcff      call    nt!_SEH_prolog (80537f10)
    805b0cfa e877350500      call    nt!ExUnlockHandleTableEntry (80604276)
    805b4865 ff909c000000    call    dword ptr [eax+9Ch]  ds:0023:8109d5fc={nt!IopParseFile (805789f2)}
    80578a11 e8a85cf7ff      call    nt!IoGetRelatedDeviceObject (804ee6be)
    804ee71a e85dfeffff      call    nt!IoGetAttachedDevice (804ee57c)
    80578a33 e8ccf1ffff      call    nt!IopParseDevice (80577c04)
    80577c0e e8fd02fcff      call    nt!_SEH_prolog (80537f10)
    80577c9a e8e5c5f7ff      call    nt!IopCheckDeviceAndDriver (804f4284)
    80577cb4 e8211d0600      call    nt!RtlMapGenericMask (805d99da)
    80577cc6 e80f1d0600      call    nt!RtlMapGenericMask (805d99da)
    80577cd5 e8c6f10600      call    nt!SeSetAccessStateGenericMapping (805e6ea0)
    80577cff e8bcfdffff      call    nt!IopCheckBackupRestorePrivilege (80577ac0)
    80577f9d e898b8f7ff      call    nt!IopInterlockedIncrementUlong (804f383a)
    8057819e e8775ef7ff      call    nt!IoAllocateIrp (804ee01a)
    805782fe e85bea0300      call    nt!ObCreateObject (805b6d5e)
    805b6d7b e88cb0f8ff      call    nt!ExInterlockedPopEntrySList (80541e0c)
    805b6dd2 e8e3fdffff      call    nt!ObpCaptureObjectCreateInformation (805b6bba)
    805b6e83 e82ef8ffff      call    nt!ObpAllocateObject (805b66b6)
    805b6779 e802e7f8ff      call    nt!ExAllocatePoolWithTag (80544e80)
    8057833e e843c4f7ff      call    nt!IopPerfLogFileCreate (804f4786)
    80578484 e8f7c9fcff      call    nt!ExAllocatePoolWithTag (80544e80)
    805784cf e810fbfaff      call    nt!RtlCopyUnicodeString (80527fe4)
    805785e6 ff15f4764d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d76f4)] ds:0023:804d76f4={hal!KfRaiseIrql (806d2278)}
    805785e6 ff15f4764d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d76f4)]
    80578606 ff151c774d80    call    dword ptr [nt!_imp_KfLowerIrql (804d771c)]
    80578611 e80a5bf7ff      call    nt!IofCallDriver (804ee120)
    80578606 ff151c774d80    call    dword ptr [nt!_imp_KfLowerIrql (804d771c)] ds:0023:804d771c={hal!KfLowerIrql (806d22d0)}
    80578611 e80a5bf7ff      call    nt!IofCallDriver (804ee120)
    804ee115 ff548638        call    dword ptr [esi+eax*4+38h] ds:0023:80faeab8={sr!SrCreate (fc28f726)}
    fc28f8ad e8423e0000      call    sr!SrFileNameContainsStream (fc2936f4)
    fc293738 e85fe9ffff      call    sr!SrFindCharReverse (fc29209c)
    fc28f8d2 ff15acab28fc    call    dword ptr [sr!_imp__KeInitializeEvent (fc28abac)] ds:0023:fc28abac={nt!KeInitializeEvent (804f8f22)}
    fc28f908 ff159cab28fc    call    dword ptr [sr!_imp_IofCallDriver (fc28ab9c)] ds:0023:fc28ab9c={nt!IofCallDriver (804ee120)}
    804ee115 ff548638        call    dword ptr [esi+eax*4+38h] ds:0023:80f7a068={Ntfs!NtfsFsdCreate (fc20be01)}
    fc20be0b e810a5fdff      call    Ntfs!_SEH_prolog (fc1e6320)
    fc20be3e ff15dcdc1ffc    call    dword ptr [Ntfs!_imp__KeEnterCriticalRegion (fc1fdcdc)] ds:0023:fc1fdcdc={nt!KeEnterCriticalRegion (804f6f2c)}
    fc20be54 e83fa6fdff      call    Ntfs!NtfsInitializeTopLevelIrp (fc1e6498)
    fc20be76 ff154cdd1ffc    call    dword ptr [Ntfs!_imp__IoIsOperationSynchronous (fc1fdd4c)] ds:0023:fc1fdd4c={nt!IoIsOperationSynchronous (804ee86e)}
    fc20be92 e8c7a6fdff      call    Ntfs!NtfsInitializeIrpContext (fc1e655e)
    fc1e65bf e8681e0000      call    Ntfs!ExAllocateFromNPagedLookasideList (fc1e842c)
    fc20be92 e8c7a6fdff      call    Ntfs!NtfsInitializeIrpContext (fc1e655e)
    fc20beb4 ff15d8dc1ffc    call    dword ptr [Ntfs!_imp__IoSetTopLevelIrp (fc1fdcd8)] ds:0023:fc1fdcd8={nt!IoSetTopLevelIrp (804eefd4)}
    fc20bed2 ff1548dd1ffc    call    dword ptr [Ntfs!_imp__KeInitializeEvent (fc1fdd48)] ds:0023:fc1fdd48={nt!KeInitializeEvent (804f8f22)}
    fc20bf05 ff1528dc1ffc    call    dword ptr [Ntfs!_imp__IoGetStackLimits (fc1fdc28)] ds:0023:fc1fdc28={nt!RtlpGetStackLimits (80542a50)}
    fc20bf28 e88ddcffff      call    Ntfs!NtfsCommonCreate (fc209bba)
    fc209bc4 e857c7fdff      call    Ntfs!_SEH_prolog (fc1e6320)
    fc209ccc e8bacbffff      call    Ntfs!NtfsAcquireSharedVcb (fc20688b)
    fc2068a8 ff1530e01ffc    call    dword ptr [Ntfs!_imp__ExAcquireResourceSharedLite (fc1fe030)] ds:0023:fc1fe030={nt!ExAcquireResourceSharedLite (80532842)}
    fc209d80 e8240a0000      call    Ntfs!NtfsPingVolume (fc20a7a9)
    fc226758 e88ffffbff      call    Ntfs!NtfsDecodeFileObject (fc1e66ec)
    fc209e9d e830ebfdff      call    Ntfs!NtfsAcquireSharedFcb (fc1e89d2)
    fc226883 ff1514e01ffc    call    dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (fc1fe014)] ds:0023:fc1fe014={nt!ExAllocatePoolWithTag (80544e80)}
    fc209f9e e8b0080000      call    Ntfs!NtfsUpcaseName (fc20a853)
    fc20a03a e89f0b0000      call    Ntfs!NtfsFindPrefixHashEntry (fc20abde)
    fc2102a9 e842c6ffff      call    Ntfs!NtfsReleaseFcbWithPaging (fc20c8f0)
    fc2102b4 e824a5ffff      call    Ntfs!NtfsAcquireFcbWithPaging (fc20a7dd)
    fc20e81d e84efeffff      call    Ntfs!NtfsFindPrefix (fc20e670)
    fc20e940 ff1538dd1ffc    call    dword ptr [Ntfs!_imp__FsRtlDissectName (fc1fdd38)] ds:0023:fc1fdd38={nt!FsRtlDissectName (80562284)}
    fc20e972 e888afffff      call    Ntfs!NtfsCreateScb (fc2098ff)
    fc20e9b9 e89bf9ffff      call    Ntfs!NtfsIsFileNameValid (fc20e359)
    fc20e9d4 e86f7dfdff      call    Ntfs!_alloca_probe (fc1e6748)
    fc20e9e2 e8dee9ffff      call    Ntfs!NtfsInitializeIndexContext (fc20d3c5)
    fc20ea1e e82b020000      call    Ntfs!NtfsLookupEntry (fc20ec4e)
    fc20eb2d e895100000      call    Ntfs!NtfsCreateNewFile (fc20fbc7)
    =====================================================================  from file 2
    fc20fbd1 e84a67fdff      call    Ntfs!_SEH_prolog (fc1e6320)
    fc219c17 e83efbfeff      call    Ntfs!NtfsCheckValidAttributeAccess (fc20975a)
    fc219cad e820fdfeff      call    Ntfs!NtfsAccessCheck (fc2099d2)
    fc219cdb e885faffff      call    Ntfs!NtfsCacheSharedSecurityForCreate (fc219765)
    fc219d4c ff152cdd1ffc    call    dword ptr [Ntfs!_imp__FsRtlFindInTunnelCache (fc1fdd2c)] ds:0023:fc1fdd2c={nt!FsRtlFindInTunnelCache (805605ea)}
    fc219d70 e8e2ecffff      call    Ntfs!NtfsAllocateMftRecord (fc218a57)
    fc218a5e e8bdd8fcff      call    Ntfs!_SEH_prolog (fc1e6320)
    fc218a6c e8eaddfeff      call    Ntfs!NtfsAcquireExclusiveScb (fc20685b)
    fc20686d e813ffffff      call    Ntfs!NtfsAcquireExclusiveFcb (fc206785)
    fc2067ac e87900feff      call    Ntfs!NtfsAcquireResourceExclusive (fc1e682a)
    fc20687c e8effffdff      call    Ntfs!NtfsSnapshotScb (fc1e6870)
    fc218a9d e81440ffff      call    Ntfs!NtfsLookupInFileRecord (fc20cab6)
    fc20cae8 e86f000000      call    Ntfs!NtfsReadFileRecord (fc20cb5c)
    fc20cb76 e855bafdff      call    Ntfs!NtfsFindCachedFileRecord (fc1e85d0)
    fc1e85dc e8b7ffffff      call    Ntfs!NtfsFindFileRecordCacheEntry (fc1e8598)
    fc20cb91 e86d000000      call    Ntfs!NtfsReadMftRecord (fc20cc03)
    fc20cc0a e81197fdff      call    Ntfs!_SEH_prolog (fc1e6320)
    fc20cc84 e8a3fdffff      call    Ntfs!NtfsMapStream (fc20ca2c)
    fc20ca68 ff157cdc1ffc    call    dword ptr [Ntfs!_imp__CcMapData (fc1fdc7c)] ds:0023:fc1fdc7c={nt!CcMapData (8055f30c)}
    8055f313 e8f88bfdff      call    nt!_SEH_prolog (80537f10)
    8055f392 e85585f8ff      call    nt!CcGetVirtualAddress (804e78ec)
    8055f411 e823000000      call    nt!CcMapData+0x12d (8055f439)
    8055f42b e81b8bfdff      call    nt!_SEH_epilog (80537f4b)
    fc20fbd1 e84a67fdff      call    Ntfs!_SEH_prolog (fc1e6320)
    fc20ccc8 e8b5010000      call    Ntfs!NtfsCheckFileRecord (fc20ce82)
    fc20cf3f e8fdfdffff      call    Ntfs!NtfsCheckAttributeRecord (fc20cd41)
    fc20ccd9 e827000000      call    Ntfs!NtfsReadMftRecord+0x1d1 (fc20cd05)
    fc20cd05 e88397fdff      call    Ntfs!_abnormal_termination (fc1e648d)
    fc20ccf3 e8ffb8fdff      call    Ntfs!NtfsAddToFileRecordCache (fc1e85f7)
    fc1e8618 ff15b4de1ffc    call    dword ptr [Ntfs!_imp__CcRemapBcb (fc1fdeb4)] ds:0023:fc1fdeb4={nt!CcRemapBcb (804e1654)}
    fc20ccf8 e80396fdff      call    Ntfs!_SEH_epilog (fc1e6300)
    fc20caa5 e8ac060000      call    Ntfs!NtfsFindInFileRecord (fc20d156)
    fc218ad5 e8f1040000      call    Ntfs!NtfsAllocateRecord (fc218fcb)
    fc218ae1 e83d000000      call    Ntfs!NtfsAllocateMftRecord+0xc0 (fc218b23)
    fc218aec e80fd8fcff      call    Ntfs!_SEH_epilog (fc1e6300)
    fc219da1 e848eaffff      call    Ntfs!NtfsPinMftRecord (fc2187ee)
    fc219dc1 e879edffff      call    Ntfs!NtfsInitializeMftRecord (fc218b3f)
    fc219dcc ff1510e01ffc    call    dword ptr [Ntfs!_imp_ExAcquireFastMutexUnsafe (fc1fe010)] ds:0023:fc1fe010={nt!ExAcquireFastMutexUnsafe (805425f4)}
    fc219e06 e8146dffff      call    Ntfs!NtfsCreateFcb (fc210b1f)
    fc219e1b e8bd09ffff      call    Ntfs!NtfsAcquireFcbWithPaging (fc20a7dd)
    fc219e2c ff1524e01ffc    call    dword ptr [Ntfs!_imp_ExReleaseFastMutexUnsafe (fc1fe024)] ds:0023:fc1fe024={nt!ExReleaseFastMutexUnsafe (80542614)}
    fc219f1b e8ecf3ffff      call    Ntfs!NtfsInitializeFcbAndStdInfo (fc21930c)
    fc219f4e e8d560ffff      call    Ntfs!NtfsCreateLcb (fc210028)
    fc219fc6 e85bf5ffff      call    Ntfs!NtfsOpenNewAttr (fc219526)
    fc21a08d e89becffff      call    Ntfs!NtfsAddLink (fc218d2d)
    fc21a113 e8e1e9ffff      call    Ntfs!NtfsAssignSecurity (fc218af9)
    fc21a150 e897cdfeff      call    Ntfs!NtfsWriteLog (fc206eec)
    fc21a186 e800e7ffff      call    Ntfs!NtfsUpdateFcb (fc21888b)
    fc21a1be e87d1fffff      call    Ntfs!NtfsEncryptionCreateCallback (fc20c140)
    fc21a1d7 e89d7dffff      call    Ntfs!NtfsPostUsnChangeEx (fc211f79)
    fc21a265 ff15c0dc1ffc    call    dword ptr [Ntfs!_imp__FsRtlNotifyFilterReportChange (fc1fdcc0)] ds:0023:fc1fdcc0={nt!FsRtlNotifyFilterReportChange (8056429c)}
    fc21a2bb e8bdd7ffff      call    Ntfs!NtfsInsertHashEntry (fc217a7d)
    fc21a2c9 e886d4ffff      call    Ntfs!NtfsInsertPrefix (fc217754)
    fc21a2df e89ff1ffff      call    Ntfs!NtfsCreateNewFile+0xc4d (fc219483)
    fc20fcd0 e87d6bfdff      call    Ntfs!__security_check_cookie (fc1e6852)
    fc20fcd5 e82666fdff      call    Ntfs!_SEH_epilog (fc1e6300)
    fc20a193 e855040000      call    Ntfs!NtfsCommonCreate+0x150c (fc20a5ed)
    fc20a1b7 e87cc4fdff      call    Ntfs!NtfsCompleteRequest (fc1e6638)
    fc20a1c4 e837c1fdff      call    Ntfs!_SEH_epilog (fc1e6300)
    fc20bf64 ff151cdc1ffc    call    dword ptr [Ntfs!_imp__IoGetTopLevelIrp (fc1fdc1c)] ds:0023:fc1fdc1c={nt!IoGetTopLevelIrp (804ee74e)}
    fc20bf73 ff15d8dc1ffc    call    dword ptr [Ntfs!_imp__IoSetTopLevelIrp (fc1fdcd8)] ds:0023:fc1fdcd8={nt!IoSetTopLevelIrp (804eefd4)}
    fc20bf80 ff15d4dc1ffc    call    dword ptr [Ntfs!_imp__KeLeaveCriticalRegion (fc1fdcd4)] ds:0023:fc1fdcd4={nt!KeLeaveCriticalRegion (804f6f3e)}
    fc20bf9d ff15546320fc    call    dword ptr [Ntfs!NtfsData+0x1d4 (fc206354)] ds:0023:fc206354={Ntfs!EFSFilePostCreate (fc1e8863)}
    fc20c023 e810a6fdff      call    Ntfs!NtfsCompleteRequest (fc1e6638)
    fc20c034 e8c7a2fdff      call    Ntfs!_SEH_epilog (fc1e6300)
    fc28fa1d e812170000      call    sr!SrHandleEvent (fc291134)
    fc28fa89 ff1580ab28fc    call    dword ptr [sr!_imp_IofCompleteRequest (fc28ab80)] ds:0023:fc28ab80={nt!IofCompleteRequest (804ee1b0)}
    80578655 ff15f4764d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d76f4)] ds:0023:804d76f4={hal!KfRaiseIrql (806d2278)}
    80578655 ff15f4764d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d76f4)]
    80578693 e84ec1fcff      call    nt!ExFreePoolWithTag (805447e6)
    80578699 e8565df7ff      call    nt!IoFreeIrp (804ee3f4)
    805786a1 ff151c774d80    call    dword ptr [nt!_imp_KfLowerIrql (804d771c)]
    80578699 e8565df7ff      call    nt!IoFreeIrp (804ee3f4)
    805786a1 ff151c774d80    call    dword ptr [nt!_imp_KfLowerIrql (804d771c)] ds:0023:804d771c={hal!KfLowerIrql (806d22d0)}
    8057880c e8ad5ef7ff      call    nt!IoGetRelatedDeviceObject (804ee6be)
    8057884c e8ffa0faff      call    nt!ObfReferenceObject (80522950)
    805789e4 e862f5fbff      call    nt!_SEH_epilog (80537f4b)
    805b4cc2 e89bdef6ff      call    nt!ObfDereferenceObject (80522b62)

    here are the files
    Attached Files
    Last edited by blabberer; March 22nd, 2014 at 18:27.
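    A worked example of the FILE record whose first 16 bytes blabberer dumps above with `db c18b3400 l10` (signature "FILE", update sequence array at 0x30 with 3 entries, LSN 0x036e177b), together with the kind of structural check NtfsCheckFileRecord runs and the multi-sector update sequence fixup NTFS applies to every record it reads. This is an added example, not code from the thread; the 16 header bytes are the page's, and everything else in the sample record (512-byte sectors, 1 KiB records, sequence number, record number, the USA words) is constructed here.

```python
import struct

SECTOR_SIZE = 512    # assumption: 512-byte sectors
RECORD_SIZE = 1024   # assumption: 1 KiB MFT records (the XP default)

# MFT FILE record header, 48 bytes (0x30), which is why the USA sits at 0x30.
_HDR = struct.Struct("<4sHHQHHHHIIQHHI")
_FIELDS = ("signature", "usa_offset", "usa_count", "lsn", "sequence_number",
           "link_count", "first_attr_offset", "flags", "bytes_in_use",
           "bytes_allocated", "base_record", "next_attr_id", "_pad",
           "record_number")
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002

# The 16 bytes shown in the thread: "FILE", UsaOffset 0x30, UsaCount 3, LSN.
PAGE_HEADER_BYTES = bytes.fromhex("46494c45300003007b176e0300000000")


class BadRecord(ValueError):
    """Anything an NtfsCheckFileRecord-style validation would reject."""


def parse_header(raw):
    """Decode the 48-byte header into a dict and run the structural checks."""
    if len(raw) < _HDR.size:
        raise BadRecord("record shorter than header")
    hdr = dict(zip(_FIELDS, _HDR.unpack_from(raw)))
    del hdr["_pad"]
    if hdr["signature"] != b"FILE":
        raise BadRecord("bad signature %r" % hdr["signature"])
    usa_end = hdr["usa_offset"] + 2 * hdr["usa_count"]
    if not (_HDR.size <= hdr["usa_offset"] and usa_end <= hdr["first_attr_offset"]):
        raise BadRecord("update sequence array overlaps header or attributes")
    if hdr["usa_count"] != len(raw) // SECTOR_SIZE + 1:
        raise BadRecord("usa_count does not match record size")
    if not (hdr["first_attr_offset"] <= hdr["bytes_in_use"]
            <= hdr["bytes_allocated"] <= len(raw)):
        raise BadRecord("inconsistent record sizes")
    return hdr


def apply_fixups(raw):
    """Undo the update sequence protection. On disk the last word of every
    sector carries the USN and the real words live in the USA; a sector whose
    stamp differs from the USN is a torn write. Returns the repaired record."""
    hdr = parse_header(raw)
    usa = hdr["usa_offset"]
    usn = raw[usa:usa + 2]
    buf = bytearray(raw)
    for i in range(1, hdr["usa_count"]):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise BadRecord("sector %d lacks USN %s: torn write" % (i - 1, usn.hex()))
        buf[end - 2:end] = raw[usa + 2 * i:usa + 2 * i + 2]
    return bytes(buf)


def record_flags(hdr):
    """Human-readable view of the header flags."""
    return {"in_use": bool(hdr["flags"] & FLAG_IN_USE),
            "directory": bool(hdr["flags"] & FLAG_DIRECTORY)}


def build_sample_record(sector_words=(b"\x11\x22", b"\x33\x44"), usn=b"\x07\x00"):
    """Constructed 1 KiB record in its on-disk form: the 16 bytes from the
    thread, made-up header values, the USA, an empty attribute list and the
    USN stamped over the last word of each sector (the form NTFS must fix up)."""
    rec = bytearray(RECORD_SIZE)
    first_attr = 0x38                       # 8-byte aligned, right after the USA
    rec[0:16] = PAGE_HEADER_BYTES
    rec[16:48] = struct.pack("<HHHHIIQHHI",
                             1,              # sequence number (constructed)
                             1,              # hard link count
                             first_attr,     # first attribute offset
                             FLAG_IN_USE,    # flags
                             first_attr + 8, # bytes in use: just the end marker
                             RECORD_SIZE,    # bytes allocated
                             0,              # base record: this is a base record
                             3,              # next attribute id
                             0,              # padding
                             0x2be0)         # record number (constructed)
    rec[first_attr:first_attr + 4] = b"\xff\xff\xff\xff"   # end-of-attributes
    for i, word in enumerate(sector_words, start=1):
        rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE] = word     # the "real" words
    # Now protect it the way NTFS does: USA = USN + saved words, USN over stamps.
    usa = 0x30
    rec[usa:usa + 2] = usn
    for i, word in enumerate(sector_words, start=1):
        rec[usa + 2 * i:usa + 2 * i + 2] = word
        rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE] = usn
    return bytes(rec)


if __name__ == "__main__":
    fixed = apply_fixups(build_sample_record())
    h = parse_header(fixed)
    print("record %#x lsn %#x flags %s" % (h["record_number"], h["lsn"], record_flags(h)))
```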

  4. #139
    Quote Originally Posted by blabberer:
    set a breakpoint on nt!IopCreateFile hit g ...now in vm say yes to the msgbox
    Frustrating stuff. There's something about windbg that is not user friendly or obvious. I did not have near this kind of problem using and learning SI.

    Of course, I am using virtualKD, which I am just about to scrap. Sorry Kayaker.

    I have gotten to the point where I am looking at the notepad window with the message box saying it cannot find the file...do I want to create it. When I set the BP in windbg, I had to type bp nt!IopCreateFile in the kd> box then I hit enter...which you forgot to mention.

    Immediately, it gave me Breakpoint 0 hit....nt!IopCreateFile. How did it go off on a BP when I took no action? Now I can't press the OK button on the notepad messagebox because the cursor has become a permanent hourglass.

    I have seen the same thing in SI when I set a BP, which went off before I could activate an OK button. There's no reason it should go off on CreateFile, however. That's the reason I scrapped a direct BP on CreateFile in SI and used my indirect method of getting into the code using message BP on a hwnd.

    I just think this entire method of a debugger requiring a pipe, or a serial port, is the height of hokiness. I can understand it for certain drivers for a display, or whatever, but this anal crap about requiring it in general is so typical of Microsoft.

  5. #140
    Kayaker
    Context, context, context.

    Get the current context when IopCreateFile breaks indiscriminately like that and you'll probably find it's vmtools.
    kd> !process -1 0

    Instead set a context specific breakpoint with the /p Eprocess switch

    !process 0 0

    PROCESS 82306b48 Image: notepad.exe

    Here I set the bp by changing the context and using the $proc pseudo register

    kd> .process 82306b48
    Implicit process is now 82306b48

    kd> bp /p @$proc nt!IopCreateFile
    kd> bl
    0 e 8057c084 0001 (0001) nt!IopCreateFile
    Match process data 82306b48

    kd> g
    Breakpoint 0 hit
    nt!IopCreateFile:
    8057c084 6a3c push 3Ch
    kd> !process -1 0
    PROCESS 82306b48 Image: notepad.exe

    Following blabberer's footsteps:
    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    b2324c94 8057c31d 0007fe0c c0100080 0007fdac nt!IopCreateFile
    b2324cf0 8057c360 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    b2324d30 804dd98f 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    b2324d30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xfc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0007fe04 01004a61 0100a900 c0000000 00000003 0x7c90e4f4
    0007ffa8 8058b9b5 0007ffe0 010075ba 01001898 0x1004a61
    0008001c 00000000 00000001 00000006 00000034 nt!CcPfBeginAppLaunch+0x190
    kd> dt nt!_object_attributes poi(@esp+c)
       +0x000 Length           : 0x18
       +0x004 RootDirectory    : 0x0000000c Void
       +0x008 ObjectName       : 0x0007fdec _UNICODE_STRING "willy.txt"
       +0x00c Attributes       : 0x40
       +0x010 SecurityDescriptor : (null) 
       +0x014 SecurityQualityOfService : 0x0007fdd0 Void

    I don't care if you don't use VirtualKD. But "45x Faster Windows Kernel debugging with Virtual Machines." is good enough for me.

  6. #141
    blabberer (Super Moderator)
    if you scrap virtual kd you will be sitting there for hours waiting for windbg to return back from a single step with registers

    pipe debugging turns off register dumping by default and will still be too slow for a saint's patience.

    instead of cribbing about wife however obtuse she is try to pretend to live with her at least your dreams will be sweet.


    i wrote ignore spurious breaks (they are not spurious per se but spurious for your context)

    trash what you are doing sit back relaxed with a coffee unlearn all the shit you have learnt till now and start from scratch.


    do you agree doing things serially is far far slower than processing in parallel, especially when the queue is very long (millions or billions of requests per time frame)

    do you agree in parallel processing doing things asynchronously is faster and profitable overall than synchronous operation ?? (requests that are sent by queen elizabeth are processed first; a request by waxford with a recommendation from angela merkel gets processed earlier than a request from plain citizen waxford ) ??

    queen elizabeth's request comes directly to the manager while citizen waxford has to deal with the grouchy security first and the wax smile pasted angry lady next just to get a form let alone transact


    IopCreateFile is a processor; it can process only one request at any given time (it doesn't care if the request came from queen elizabeth or if the impatient waxford is requesting it; it knows it got a valid request and will process it and wait for the next)

    the manager / the security / the receptionist / the others / all in tandem decide which request to send first to IopCreateFile()

    and they all know the request is a winning request that travelled across the channel and reached france and there can be no request for the next 13 months.
    or all requests for the next 13 months will be simply rejected however important they are.

    the request sent by notepad is very low priority request

    there can always be several requests of higher priority that can preempt the request by notepad.exe. the request by notepad will be processed when there are no requests to process that have a higher priority than notepad.

    that is how windows works and that is how windbg works

    you need to be in the context / context / context / context of what you doing for you to transact.

    yes there can be several breaks before your notepad gets created and several breaks after your notepad leaves IopCreateFile into unknown uncharted territory

    you need to be able to deal with them all

    once you get in the right stack frame you need to disable all the breaks

    you should have at the most ZERO breaks or at the MOSTEST ONE one shot break further up your chain.

    if you leave the break on IopCreateFile as it is and merrily step away

    you will break thousands of times when you press p (single step)


    because a single step command to reach from windbg in the host to the right agent in the target's kernel that will tell the processor to step forward one step in waxford's notepad-open context thread may take anything from several nanoseconds to several minutes depending on umpteen factors.

    and the kernel isn't going to sit idle waiting for the limping notepad from wax to come and enjoy its holiday in miami beach.

    it will and shall be processing trillions (well a bit exaggerated but millions for sure) of requests and some of them may be the queen's notepad with secret encrypted messages that are sent to a router that credits billions of pounds into an unnumbered cayman island bank
    and yes the queen will get her billion pounds earlier than your request for 10 pounds even though you applied to get your pound years earlier than the queen.

    that's life and that's how you have to pretend to live whether you like it or not whether you love it or not whether you are sorry about it or not.

  7. #142
    Quote Originally Posted by Kayaker View Post
    Context, context, context.

    Get the current context when IopCreateFile breaks indiscriminately like that and you'll probably find it's vmtools.
    kd> !process -1 0
    To put things in a different context, you probably know me well enough by now to know that I was venting due to a bad hair experience.

    The problem is, K., that my mouse froze with an hourglass, making both windbg and my vm unresponsive. That's what I was p/o'd about. I have spent hour after hour troubleshooting this stuff and I am not a newbie to com ports, IRQs, etc.

    I still don't understand why the VM serial port is set to a pipe and boot.ini is set to com1. I have seen some people suggest it should be set to com2. I have not spent enough time reasoning this out. windbg is obviously using a feature in the PCI bus controller to route data serially through a port (pipe) which the VM connects to on the other end. But the OS in the VM needs to access that data from the VM and it is using com1.

    So, how does the VM connect to windbg on serial port 0 via a pipe, then connect to the VM OS on com1? VM serial port 0 should be com1 in normal circumstances. In fact, that's the option supplied if it is not configured as a pipe.

    I spent the better part of yesterday bringing my XP SP3 updates up to date. Then I updated my mobo BIOS. I wanted to eliminate any problems the OS might be contributing. I unloaded DS3.2 with SI and I am running with a bare bones VM.

    It seems that virtualKD only adds an entry to the vmx file and adds a line to boot.ini in the VM OS. It just occurred to me that I might still have the mods to the vmx config file set to the settings required by SI. I'll need to look at that. SI used the vmouse.present statement and I may be having issues with the mouse being confused. Nothing worse than a confused mouse.

    Last night when I posted my vent, I was beyond caring. virtual KD had just started behaving erratically for no known reason.

    Quote Originally Posted by Kayaker View Post
    Instead set a context specific breakpoint with the /p Eprocess switch
    I appreciate this advice but I need to get the setup stable first. SI did the same thing when I set a BP on createfile but it did not freeze up. I could get back in with a ctrl-D and change the BP. Can't do that here. Once that hourglass cursor appears there's no way in or out.


    Quote Originally Posted by Kayaker View Post
    I don't care if you don't use VirtualKD. But "45x Faster Windows Kernel debugging with Virtual Machines." is good enough for me.
    Hopefully you did not take my comment as a shot. I was apologizing because you recommended it. A night's sleep puts a different slant on things.

  8. #143
    Quote Originally Posted by blabberer View Post
    if you scrap virtual kd you will be sitting there for hours waiting for windbg to return back from a single step with registers
    I'm saying this with humour, so you won't lose it, but you are in fact admitting that vmware is a slow piece of crap.

    Only Microsoft could have devised a debugger like this but we are stuck with it since Numega decided to dissolve. So, let's make the best of it, right?

    Quote Originally Posted by blabberer View Post
    pipe debugging turns of register dumping by default and will still be too slow for a saints patience.
    I was reading up on pipes just to refresh rusted parts of my brain. They are implemented as FIFO buffers in the software rendition of serial communication. In normal serial hardware, FIFO buffers are used to store serial bits before sending. Interrupts are used by peripherals like serial ports to tell the CPU when service is required. The CPU controls the data flow using an RTS line, which it turns negative to tell the comm equipment to take a break.

    VMs implement pipes as software buffers. So windbg is communicating with a buffer set up by the VM. Or, if the VM wants to set its serial0 (com1) port to use the com1 port on the host's hardware, it can do that. Unfortunately, I think windbg requires a null modem connection which I don't think a VM can supply, hence the use of pipes.

    Stop me anytime you disagree.

    Quote Originally Posted by blabberer View Post
    instead of cribbing about wife however obtuse she is try to pretend to live with her atleast your dreams will be sweet.
    Many wives specialize in cribbing, so why should I not crib when said wife does not perform in an ideal manner? After all, everything SHOULD be perfect, should it not?


    Quote Originally Posted by blabberer View Post
    i wrote ignore spurious breaks (they are not spurious perse but spurious for your context)

    trash what you are doing sit back relaxed with a coffee unlearn all the shit you have learnt till now and start from scratch.
    Ah...so you've done this before?


    Quote Originally Posted by blabberer View Post
    IopCreatefile is a processor it can process only one request at any given time
    Yes...I am aware of the time-slice processing of computers. I am aware that IopCreateFile has other things to do than wait for me. However, in SI, I could figure other ways around that whereas in this new learning curve I am somewhat handcuffed, especially when the mouse freezes.


    Quote Originally Posted by blabberer View Post
    you need to be in the context / context / context / context of what you doing for you to transact.
    I have an intimate relationship with contexts from having plied my trade with SI. SI dealt with it differently. If something else had priority, SI would just break, allowing you access to the command line. Sometimes you could just hit go till it broke in the code you wanted. Other times there were too many intervening breaks.

    The windbg/vm arrangement causes a conflict with the mouse and no one on the Net seems to have an answer for that.


    Quote Originally Posted by blabberer View Post
    if you leave the break on IopCreatfile as it is and merrily step away you will break thousands of time when you press p (single step)
    Familiar with that from SI. I was religious about disabling the breakpoint that got me there, especially if it was a general breakpoint that could break on system activity. Many a time I have sworn at myself after hitting go, realizing I had forgotten to disable a break, getting stuck in the middle of foreign code. Sometimes I could step out of it but just as often that triggered the app.

    You are preaching to the converted. I am from the Kayaker school of contexts.

  9. #144
    Quote Originally Posted by blabberer View Post
    trash what you are doing sit back relaxed with a coffee unlearn all the shit you have learnt till now and start from scratch.
    OK...that's done. I reset the entire system from scratch and followed your earlier instructions.

    I get to my VM desktop and windbg tells me the debuggee is running. I go into the debuggee, hit Run, type notepad willy15.text, hit Enter and get a notepad window with the message box claiming Cannot find the willy15.txt file.

    I get the mouse out of the vm window, go to windbg/debug/break and windbg allows me to enter bp nt!IopCreateFile.

    I hit F5 and go back to the vm window so I can press OK in the message box window but I can't because the mouse cursor is an hourglass.

    There is no rhyme, reason, or logic for that. There is no explanation anywhere on the Net for that because it is not supposed to do that. And no one has any frigging idea why it is doing that, only Gates and whoever wrote vmware.

    I played around with it using ctrl-Alt and got rid of the hourglass. Now I have a cursor but when I press it nothing happens on the OK button in the message box.

    It's obvious that the cursor I am seeing is the host cursor. When I press ctrl-Alt, it now disappears.

    I am going back to read what Kayaker said about contexts.

  10. #145
    Quote Originally Posted by Kayaker View Post
    kd> !process -1 0

    Instead set a context specific breakpoint with the /p Eprocess switch

    !process 0 0

    PROCESS 82306b48 Image: notepad.exe
    Hokay...sometimes I'm a bit thick, but no thicker than two short planks.

    Followed your recipe and had success. The hourglass appeared but I managed to force it off using ctrl-Alt and a couple of mouse presses. Notepad took it and I was able to get back to windbg and follow the rest.

    Right now, I am a bit bagged and I am going to sign off and do this later. Thanks to you and blabs for bearing with me.

    Although this method works for creating a file, I'd like to find a way to attack it from explorer by double-clicking notepad with a bp set on IopCreateFile. I notice it is just a sub-function of ZwCreateFile and I fear it will lead to the same problem, where notepad is already open.

    Let's not be negative though, eh?

    Code:
    kd> .process 84ce0c18
    Implicit process is now 84ce0c18
    WARNING: .cache forcedecodeuser is not enabled
    kd> bp /p @$proc nt!IopCreateFile
    kd> bl
     0 e 8056ca21     0001 (0001) nt!IopCreateFile
         Match process data 84ce0c18
    
    kd> g
    watchdog!WdUpdateRecoveryState: Recovery enabled.
    Breakpoint 0 hit
    nt!IopCreateFile:
    8056ca21 6a3c            push    3Ch
    kd> !process -1 0 
    PROCESS 84ce0c18  SessionId: 0  Cid: 0788    Peb: 7ffde000  ParentCid: 0398
        DirBase: 0e1a3000  ObjectTable: e188d818  HandleCount:  27.
        Image: notepad.exe
    
    kd> kb
    ChildEBP RetAddr  Args to Child              
    f5489c94 8056ccba 0007fe0c c0100080 0007fdac nt!IopCreateFile
    f5489cf0 8056cdf0 0007fe0c c0100080 0007fdac nt!IoCreateFile+0x8e
    f5489d30 804de7ec 0007fe0c c0100080 0007fdac nt!NtCreateFile+0x30
    f5489d30 7c90e4f4 0007fe0c c0100080 0007fdac nt!KiFastCallEntry+0xf8
    0007fd68 7c90d09c 7c8109a6 0007fe0c c0100080 ntdll!KiFastSystemCallRet
    0007fd6c 7c8109a6 0007fe0c c0100080 0007fdac ntdll!ZwCreateFile+0xc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0007fe04 01004a61 0100a900 c0000000 00000003 0x7c8109a6
    0007ffd0 8054b6b8 0007ffc8 84db1020 ffffffff 0x1004a61
    00080008 00000000 000000c4 00000000 00000020 nt!ExFreePoolWithTag+0x676

  11. #146
    Quote Originally Posted by Kayaker View Post
    kd> .process 82306b48
    Could you have used kd> .context 82306b48 here?

    Also, with !process -1 0 or !process 0 0, how do you know which numbers to use in there?

    According to msoft the parameters are /s = session and /m = module but in one example it looks like this:

    !process [/s Session] [/m Module] 0 Flags ImageName

    There's a zero sitting right in the middle of it with no explanation.

    msoft sure are fun when they explain things. As I told you before, they use $mft with reference to the entire mft when they have defined the $ value as applying to the first 16 system metafiles, which means $mft is the very first file in the mft. Also, they use pidl as reference to a structure after claiming the p is a pointer to an idl structure.

    Must be a hoot working at Redmond when Gates comes back to work and can't load the win 8.1 upgrade. I would love to have eavesdropped on that conversation when Gates called in the CEO to explain it.

  12. #147
    Quote Originally Posted by Kayaker View Post
    Context, context, context.
    Heck, Kayaker, you're closing in on 4000 posts and blabs, a self-proclaimed blabberer only has 1388. I just cleared 700 and I have no idea how I got that many. Wherever did you find the time and energy, especially for all those detailed explanations to the likes of me?

    Congrats.

    Where has the time gone since fravia and greythorne, not to mention Ork?

  13. #148
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    There's a zero sitting right in the middle of it with no explanation.
    doc

    Code:
    If Process is 0 and ImageName is omitted, the debugger displays information about all active processes.

    flags 0

    doc says

    Code:
     If Flags is 0, only a minimal amount of information is displayed
    
    
    In Windows XP and later, the default is 0x3 if Process is omitted or if Process is either 0 or -1; otherwise, the default is 0xF

    a comparison between the default output, that is plain !process without any arguments,
    and an explicit command that reveals the same information, viz !process 0 3 windbg.exe, in windows xp

    Code:
    lkd> !process exe 0 3 windbg
    
    GetPointerFromAddress: unable to read from 80558a54
    PROCESS 8625d688  SessionId: 0  Cid: 0cc0    Peb: 7ffde000  ParentCid: 0380
        DirBase: 10e80460  ObjectTable: e31fe2c0  HandleCount:  81.
        Image: windbg.exe
        VadRoot 86111970 Vads 138 Clone 0 Private 8653. Modified 11. Locked 1.
        DeviceMap e3082820
        Token                             e17fc4c8
        ElapsedTime                       00:03:17.562
        UserTime                          00:00:44.828
        KernelTime                        00:00:04.578
        QuotaPoolUsage[PagedPool]         78796
        QuotaPoolUsage[NonPagedPool]      5640
        Working Set Sizes (now,min,max)  (10148, 50, 345) (40592KB, 200KB, 1380KB)
        PeakWorkingSetSize                10148
        VirtualSize                       75 Mb
        PeakVirtualSize                   76 Mb
        PageFaultCount                    26234
        MemoryPriority                    BACKGROUND
        BasePriority                      8
        CommitCharge                      8952
    
            THREAD 8616d3e8  Cid 0cc0.0cb4  Teb: 7ffdd000 Win32Thread: e1556d70 WAIT: (WrUserRequest) UserMode Non-Alertable
                86382178  SynchronizationEvent
    
            THREAD 86121020  Cid 0cc0.0220  Teb: 7ffdc000 Win32Thread: e1e28008 RUNNING on processor 0
    
    lkd> !process 
    PROCESS 8625d688  SessionId: 0  Cid: 0cc0    Peb: 7ffde000  ParentCid: 0380
        DirBase: 10e80460  ObjectTable: e31fe2c0  HandleCount:  81.
        Image: windbg.exe
        VadRoot 86111970 Vads 138 Clone 0 Private 8653. Modified 11. Locked 1.
        DeviceMap e3082820
        Token                             e17fc4c8
        ElapsedTime                       00:03:23.062
        UserTime                          00:00:45.000
        KernelTime                        00:00:04.593
        QuotaPoolUsage[PagedPool]         78796
        QuotaPoolUsage[NonPagedPool]      5640
        Working Set Sizes (now,min,max)  (10148, 50, 345) (40592KB, 200KB, 1380KB)
        PeakWorkingSetSize                10148
        VirtualSize                       75 Mb
        PeakVirtualSize                   76 Mb
        PageFaultCount                    26234
        MemoryPriority                    BACKGROUND
        BasePriority                      8
        CommitCharge                      8952
    
            THREAD 8616d3e8  Cid 0cc0.0cb4  Teb: 7ffdd000 Win32Thread: e1556d70 WAIT: (WrUserRequest) UserMode Non-Alertable
                86382178  SynchronizationEvent
    
            THREAD 86121020  Cid 0cc0.0220  Teb: 7ffdc000 Win32Thread: e1e28008 RUNNING on processor 0

    !process takes an _EPROCESS or Cid as input, whereas
    .context takes the PageDirectoryBase as input, not an _EPROCESS or Cid

    Code:
    lkd> dt nt!_EPROCESS -ya Pc->Dir @$proc
       +0x000 Pcb     : 
          +0x018 DirectoryTableBase : 
           [00] 0x10e80460
           [01] 0xdbaf
    lkd> !process 0 0 windbg.exe
    PROCESS 8625d688  SessionId: 0  Cid: 0cc0    Peb: 7ffde000  ParentCid: 0380
        DirBase: 10e80460  ObjectTable: e31fe2c0  HandleCount: 106.
        Image: windbg.exe

  14. #149
    Quote Originally Posted by blabberer View Post
    doc
    Thanks for the explanation on process. Just want to verify something.

    In SI, an expression with square brackets as in [exp] is interpreted as the value in eax.

    Is poi the equivalent of that? I.e., does poi(eax) mean the value at eax?

    I saw this expression for evaluating a mouse press:

    bp [address] "j (poi(ebp+c)==0202) '';'gc'"

    Which breaks on windows message WM_LBUTTONUP. It seems to be saying that the bp should break if ebp+c = 0x202.

    I seem to remember you giving an example where something similar was used in getmessage, or some function in the winmain message loop. It's too bad windbg doesn't have the equivalent of the SI bmsg breakpoint where I could have used the expression above as:

    bp hwnd "j (poi(ebp+c)==0202) '';'gc'"

    The problem I see with breaking in the message loop is having to trace through scads of code to ID the button pressed. I'd have to do it anyway but it's easier if it breaks in explorer as opposed to winmain.

    Also, all that's required in SI is providing the hwnd obtained from SPYXX and the wmsg #.
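As an added example (not code from the thread), this Python decodes the NtCreateFile arguments from Kayaker's kb and `dt nt!_object_attributes poi(@esp+c)` output in #140, chasing pointers the way WinDbg's poi() does, which also bears on the poi question above: poi(addr) is the pointer-sized value stored at addr. The esp value, the UNICODE_STRING Buffer address and the memory image itself are constructed; the field values are the ones the thread shows.

```python
import struct

PTR = 4  # x86 target, as in the XP VM used in the thread

# Well-known NT access-mask bits; together they make up the c0100080 kb printed
ACCESS_BITS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x00100000: "SYNCHRONIZE",
    0x00000080: "FILE_READ_ATTRIBUTES",
}
OBJ_CASE_INSENSITIVE = 0x40  # the Attributes value dt printed

class Memory:
    """Sparse little-endian memory image built from a few constructed writes."""
    def __init__(self):
        self.cells = {}
    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b
    def read(self, addr, n):
        try:
            return bytes(self.cells[addr + i] for i in range(n))
        except KeyError:
            raise ValueError("unmapped address 0x%08x" % addr)
    def poi(self, addr):
        """WinDbg poi(): the pointer-sized value stored at addr."""
        return struct.unpack("<I", self.read(addr, PTR))[0]

def decode_unicode_string(mem, addr):
    """_UNICODE_STRING: USHORT Length (bytes), USHORT MaximumLength, PWSTR Buffer."""
    length, _maxlen, buf = struct.unpack("<HHI", mem.read(addr, 8))
    return mem.read(buf, length).decode("utf-16-le")

def decode_object_attributes(mem, addr):
    """_OBJECT_ATTRIBUTES on x86: six 4-byte fields; Length must be 0x18."""
    names = ("Length", "RootDirectory", "ObjectName", "Attributes",
             "SecurityDescriptor", "SecurityQualityOfService")
    oa = dict(zip(names, struct.unpack("<6I", mem.read(addr, 0x18))))
    if oa["Length"] != 0x18:
        raise ValueError("bad OBJECT_ATTRIBUTES.Length 0x%x" % oa["Length"])
    oa["Name"] = decode_unicode_string(mem, oa["ObjectName"]) if oa["ObjectName"] else None
    oa["CaseInsensitive"] = bool(oa["Attributes"] & OBJ_CASE_INSENSITIVE)
    return oa

def decode_access(mask):
    """Names of the known bits set in an ACCESS_MASK, sorted for stable output."""
    return sorted(name for bit, name in ACCESS_BITS.items() if mask & bit)

def decode_ntcreatefile_frame(mem, esp):
    """At the IopCreateFile break the first three arguments sit at esp+4, esp+8
    and esp+c (kb's 'Args to Child'): &FileHandle, DesiredAccess, ObjectAttributes.
    poi(esp+c) is exactly what Kayaker handed to dt."""
    return {
        "FileHandlePtr": mem.poi(esp + 0x4),
        "DesiredAccess": decode_access(mem.poi(esp + 0x8)),
        "ObjectAttributes": decode_object_attributes(mem, mem.poi(esp + 0xc)),
    }

def build_sample_memory():
    """Constructed image reproducing the kb/dt values from the thread; the esp
    value and the UNICODE_STRING Buffer address are made up."""
    mem = Memory()
    esp = 0xb2324c90  # hypothetical esp at the break
    # return address into IoCreateFile, then the three arguments kb showed
    mem.write(esp, struct.pack("<IIII", 0x8057c31d, 0x0007fe0c, 0xc0100080, 0x0007fdac))
    name = "willy.txt".encode("utf-16-le")
    buf = 0x0007fdf8  # constructed PWSTR Buffer address
    mem.write(0x0007fdec, struct.pack("<HHI", len(name), len(name) + 2, buf))
    mem.write(buf, name + b"\x00\x00")
    mem.write(0x0007fdac, struct.pack("<6I", 0x18, 0xc, 0x0007fdec, 0x40, 0, 0x0007fdd0))
    return mem, esp

if __name__ == "__main__":
    mem, esp = build_sample_memory()
    print(decode_ntcreatefile_frame(mem, esp))
```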

  15. #150
    Kayaker
    http://reverseengineering.stackexchange.com/questions/3288/how-can-i-set-a-breakpoint-for-a-button-click/3295#3295
