
Thread: Can't see WIN32K with SoftIce?

  1. #1 bilbo

    Platform: Windows XP SP1; DriverStudio 3.1.
    Tried to look at some WIN32k Data/Code.
    No success. Code is INVALID, Data is ????????.
    "mod win32k" gives BF800000, but PEheader pointer is 00000000.
    Has anyone experienced such an oddity?

    Cheers, Bilbo.

    Maybe paged out because too big? But PAGEIN does not work...
    Last edited by bilbo; June 14th, 2004 at 11:47.

  2. #2 Kayaker
    Hi

    What do you get if you try it from the context of a user-mode program which has a GUI component and has loaded far enough to register some of its window classes / create its controls? Under these conditions win32k.sys should have kicked in by now, I would think.

    K.

  3. #3 bilbo
    Thanks, Kayaker, I could have thought of it myself. I fell again on the "context" subject.

    Furthermore, Microsoft's Kernel Debugger (kd -kl) also has the same behaviour.
    On the other hand, Russinovich's LiveKD shows the win32k address space without problems.

    Best regards, Bilbo.
    Last edited by bilbo; June 15th, 2004 at 04:25.

  4. #4
    I believe this is due to the fact that win32k.sys' information is generally zeroed out in the PsLoadedModuleList. Only the driver name/path fields seem to contain any information. Russinovich's tool probably gets the DRIVER_OBJECT from the \Drivers\ folder in the object manager, which does contain correct information for win32k.sys. I don't know why this is the case, but it seems to be so on all Windows systems I've seen.

  5. #5
    Did you, perhaps, look at the date of the post you are apparently attempting to answer?

    Regards,
    JMI

  6. #6
    Oops, sorry. I saw it in the little "related threads" box at the bottom of another thread and clicked over to it. I didn't even notice the dates.

  7. #7 Kayaker
    Doesn't matter the date, it's still good info.

  8. #8
    Point taken.

    Regards,
    JMI

  9. #9 Super Moderator
    Want to take one more point in this old thread?

    Code:
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp.050928-1517
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553320
    Debug session time: Sat Feb  2 18:22:53.860 2008 (GMT+0)
    System Uptime: 0 days 2:28:42.394
    !process 0 0 winlogon.exe
    PROCESS 8462b4d8  SessionId: 0  Cid: 024c    Peb: 7ffde000  ParentCid: 0200
        DirBase: 0fd80060  ObjectTable: e15aea18  HandleCount: 317.
        Image: winlogon.exe
    lkd> .process /p 8462b4d8
    Implicit process is now 8462b4d8
    lkd> .reload /f win32k.sys
    x win32k!NtGdiCreateEllipticRgn
    bf937803 win32k!NtGdiCreateEllipticRgn = <no type information>
    lkd>
    So context is needed in lkd too.
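The reason the thread keeps coming back to "context" is that win32k.sys is loaded into session space, and session space is only mapped through the page tables of processes that belong to that session. From a process outside the session (the context SoftIce or kd -kl happens to be sitting in) the BF800000 range is simply not present, which is why Code shows INVALID, Data shows ????????, and PAGEIN cannot help: the pages are not paged out, the virtual range is just not mapped in that address space. The following lkd command sequence is an added example, not part of any post above, that turns post #9's one-liner into a repeatable before/after check. It assumes an x86 Windows XP target like the thread's, that winlogon.exe is a session-0 process, that symbols are already configured, and that the BF800000 base is the one `mod`/`lm` prints on your box; the PROCESS address is a placeholder you fill in from your own `!process` output.

```windbg
$$ Added example (not from the original thread): make win32k.sys readable in a
$$ local kernel debugging session by switching the implicit process context.
$$ Assumes x86 Windows XP, winlogon.exe in session 0, symbols configured,
$$ and win32k base = bf800000 as reported by "mod win32k" / "lm m win32k".

$$ 1. Before switching context: the module is listed but its image memory is
$$    not mapped in the current implicit process, so symbol lookups fail and a
$$    memory dump of the base shows ???????? (the state the thread describes).
lm m win32k
x win32k!NtGdiCreateEllipticRgn
db bf800000 L10

$$ 2. Find a process that belongs to the session in which win32k is mapped.
!process 0 0 winlogon.exe
$$    Alternative: enumerate sessions, then the processes of session 0.
!session
!sprocess 0 0

$$ 3. Make that process the implicit context. /p makes the debugger translate
$$    the process's page tables to physical addresses before access, so its
$$    session-space mappings are usable even though it is not the current
$$    process on the CPU. Replace the placeholder with the PROCESS address
$$    printed by !process on your machine.
.process /p <PROCESS address from step 2>

$$ 4. Force a symbol reload now that the image is readable.
.reload /f win32k.sys

$$ 5. Verify: the PE header is readable ('MZ' instead of ????????), the loader
$$    entry resolves, and exported code can be listed and disassembled.
db bf800000 L10
lm m win32k
!lmi win32k
x win32k!NtGdi*
u win32k!NtGdiCreateEllipticRgn

$$ 6. ".process" with no argument prints the implicit process currently in
$$    effect, so you can confirm which context later commands run in.
.process
```

If step 5 still shows ???????? after the switch, the chosen process is not a GUI/session process; any process with a window (winlogon.exe, csrss.exe, explorer.exe) will do, which is exactly Kayaker's suggestion in post #2. `!lmi win32k` is also the quickest way to check post #4's observation about the loader entry on your own build, since it prints what the debugger recovers from the PE header of the mapped image.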
