Thread: windbg and SSDT

  1. #1

    windbg and SSDT

    I am a novice on Windbg so please go easy on me.

    I was poking through the SSDT and came across addresses that seemed odd with no accompanying functions.

    Check out bad60b30, which I have partly dumped below the SSDT info.

    Does this seem normal to you more experienced types, or is it something that needs further attention?

    804e26a8  8058fdf5 nt!NtAcceptConnectPort
    804e26ac  805790f1 nt!NtAccessCheck
    804e26b0  80587999 nt!NtAccessCheckAndAuditAlarm
    804e26b4  80591130 nt!NtAccessCheckByType
    804e26b8  8058da83 nt!NtAccessCheckByTypeAndAuditAlarm
    804e26bc  8063807e nt!NtAccessCheckByTypeResultList
    804e26c0  8063a207 nt!NtAccessCheckByTypeResultListAndAuditAlarm
    804e26c4  8063a250 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
    804e26c8  8057a6e4 nt!NtAddAtom
    804e26cc  80649047 nt!NtQueryBootOptions
    804e26d0  80637835 nt!NtAdjustGroupsToken
    804e26d4  8058d0a1 nt!NtAdjustPrivilegesToken
    804e26d8  8062f97c nt!NtAlertResumeThread
    804e26dc  8057abcd nt!NtAlertThread
    804e26e0  80588928 nt!NtAllocateLocallyUniqueId
    804e26e4  806268ff nt!NtAllocateUserPhysicalPages
    804e26e8  805dd3c9 nt!NtAllocateUuids
    804e26ec  bad60b30
    804e26f0  805d9767 nt!NtAreMappedFilesTheSame
    804e26f4  805a24ba nt!NtAssignProcessToJobObject
    804e26f8  804e2cb4 nt!NtCallbackReturn
    804e26fc  8064905b nt!NtModifyBootEntry
    lkd> db bad60b30
    bad60b30  55 8b ec 81 ec 04 02 00-00 8b 0d 90 30 d6 ba 56  U...........0..V
    bad60b40  57 8b 7d 08 8b 11 8d 45-08 6a 00 50 6a 00 52 68  W.}....E.j.Pj.Rh
    bad60b50  80 00 00 00 57 ff 15 38-30 d6 ba 85 c0 0f 85 bb  ....W..80.......
    bad60b60  00 00 00 8b 45 08 03 05-00 42 d6 ba 8b 00 89 45  ....E....B.....E
    bad60b70  fc a1 dc 40 d6 ba 85 c0-0f 84 97 00 00 00 e8 37  ...@...........7
    bad60b80  1a 00 00 3b 45 fc 0f 84-89 00 00 00 8d 85 fc fe  ...;E...........
    bad60b90  ff ff 50 e8 68 f7 ff ff-8b 55 08 8d 8d fc fd ff  ..P.h....U......
    bad60ba0  ff 51 52 e8 98 f7 ff ff-8d 85 fc fd ff ff 50 6a  .QR...........Pj
    lkd> u bad60b30
    bad60b30 55              push    ebp
    bad60b31 8bec            mov     ebp,esp
    bad60b33 81ec04020000    sub     esp,204h
    bad60b39 8b0d9030d6ba    mov     ecx,dword ptr ds:[0BAD63090h]
    bad60b3f 56              push    esi
    bad60b40 57              push    edi
    bad60b41 8b7d08          mov     edi,dword ptr [ebp+8]
    bad60b44 8b11            mov     edx,dword ptr [ecx]

  2. #2
    Kayaker
    Hooked NtAllocateVirtualMemory (Id 0x11) on XP from the looks of it I believe

  3. #3
    Quote Originally Posted by Kayaker:
    Hooked NtAllocateVirtualMemory (Id 0x11) on XP from the looks of it I believe
    Thanks there Kayaker. Tracked it down in trusty old ice. Seems to be hooked by hcmon.sys, a VMware USB monitor for VM Player.

    It was kind of stupid how I picked it up. I am still working the same problem with tracking notepad down to the MFT level. It happens via Shell32.dll and Shlwapi.dll mainly and there is a call from shell32 to k32!readfile. Unfortunately, something is loading notepad into the file cache and it gets read from there, so I tried loading every app I could to see if it would overwrite the cache. Normally, I don't use VM Player.
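The check the thread walks through by hand (an SSDT slot whose target has no nt! symbol, and working back from the slot address to service number 0x11) can be automated over a `dps` dump. This is an added example, not code from the posters: it assumes x86 4-byte slots, that the first dumped line is service 0 (as in the dump above), and uses the address range spanned by the resolved nt! targets as a heuristic image range.

```python
"""Flag SSDT slots in a WinDbg `dps` dump that do not resolve into nt (added example)."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the relevant slice of the dump posted in the thread,
# including the unresolved target stored at slot 804e26ec.
SAMPLE_DUMP = """\
804e26a8  8058fdf5 nt!NtAcceptConnectPort
804e26ac  805790f1 nt!NtAccessCheck
804e26e8  805dd3c9 nt!NtAllocateUuids
804e26ec  bad60b30
804e26f0  805d9767 nt!NtAreMappedFilesTheSame
"""

# `<slot> <target> [<symbol>]`; `db`/`u` output and prompts do not match.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?\s*$")


class SsdtEntry(NamedTuple):
    slot: int             # address of the table slot
    target: int           # service routine pointer stored in the slot
    symbol: Optional[str] # symbol WinDbg resolved, or None
    index: int            # service number = (slot - base) / 4 on x86


def parse_dps(dump: str, base: Optional[int] = None) -> List[SsdtEntry]:
    """Parse dps-style lines; the first slot is taken as the table base unless given."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        slot, target = int(m.group(1), 16), int(m.group(2), 16)
        if base is None:
            base = slot
        entries.append(SsdtEntry(slot, target, m.group(3), (slot - base) // 4))
    return entries


def find_hooks(entries: List[SsdtEntry]) -> List[SsdtEntry]:
    """Return entries with no nt! symbol or a target outside the nt! target range (heuristic)."""
    nt_targets = [e.target for e in entries if e.symbol and e.symbol.startswith("nt!")]
    if not nt_targets:
        return list(entries)  # nothing resolved at all: treat every slot as suspect
    lo, hi = min(nt_targets), max(nt_targets)
    return [e for e in entries
            if not (e.symbol and e.symbol.startswith("nt!")) or not lo <= e.target <= hi]


if __name__ == "__main__":
    for e in find_hooks(parse_dps(SAMPLE_DUMP)):
        print(f"service 0x{e.index:02x} slot {e.slot:08x} -> {e.target:08x} ({e.symbol or 'no symbol'})")
```

On the sample it reports service 0x11 at slot 804e26ec pointing to bad60b30, the NtAllocateVirtualMemory hook identified in the thread; a legitimate Windows build with matching symbols should produce an empty list.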
