windbg and SSDT

WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

windbg and SSDT

Post by WaxfordSqueers »

I am a novice on Windbg so please go easy on me. :devil:

I was poking through the SSDT and came across addresses that seemed odd with no accompanying functions.

Check out bad60b30, which I have dumped partly below SSDT info.

Does this seem normal to you more experienced types, or is it something that needs further attention?

Code:

804e26a8  8058fdf5 nt!NtAcceptConnectPort
804e26ac  805790f1 nt!NtAccessCheck
804e26b0  80587999 nt!NtAccessCheckAndAuditAlarm
804e26b4  80591130 nt!NtAccessCheckByType
804e26b8  8058da83 nt!NtAccessCheckByTypeAndAuditAlarm
804e26bc  8063807e nt!NtAccessCheckByTypeResultList
804e26c0  8063a207 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804e26c4  8063a250 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804e26c8  8057a6e4 nt!NtAddAtom
804e26cc  80649047 nt!NtQueryBootOptions
804e26d0  80637835 nt!NtAdjustGroupsToken
804e26d4  8058d0a1 nt!NtAdjustPrivilegesToken
804e26d8  8062f97c nt!NtAlertResumeThread
804e26dc  8057abcd nt!NtAlertThread
804e26e0  80588928 nt!NtAllocateLocallyUniqueId
804e26e4  806268ff nt!NtAllocateUserPhysicalPages
804e26e8  805dd3c9 nt!NtAllocateUuids
804e26ec  bad60b30
804e26f0  805d9767 nt!NtAreMappedFilesTheSame
804e26f4  805a24ba nt!NtAssignProcessToJobObject
804e26f8  804e2cb4 nt!NtCallbackReturn
804e26fc  8064905b nt!NtModifyBootEntry


lkd> db bad60b30
bad60b30  55 8b ec 81 ec 04 02 00-00 8b 0d 90 30 d6 ba 56  U...........0..V
bad60b40  57 8b 7d 08 8b 11 8d 45-08 6a 00 50 6a 00 52 68  W.}....E.j.Pj.Rh
bad60b50  80 00 00 00 57 ff 15 38-30 d6 ba 85 c0 0f 85 bb  ....W..80.......
bad60b60  00 00 00 8b 45 08 03 05-00 42 d6 ba 8b 00 89 45  ....E....B.....E
bad60b70  fc a1 dc 40 d6 ba 85 c0-0f 84 97 00 00 00 e8 37  ...@...........7
bad60b80  1a 00 00 3b 45 fc 0f 84-89 00 00 00 8d 85 fc fe  ...;E...........
bad60b90  ff ff 50 e8 68 f7 ff ff-8b 55 08 8d 8d fc fd ff  ..P.h....U......
bad60ba0  ff 51 52 e8 98 f7 ff ff-8d 85 fc fd ff ff 50 6a  .QR...........Pj

lkd> u bad60b30

bad60b30 55              push    ebp
bad60b31 8bec            mov     ebp,esp
bad60b33 81ec04020000    sub     esp,204h
bad60b39 8b0d9030d6ba    mov     ecx,dword ptr ds:[0BAD63090h]
bad60b3f 56              push    esi
bad60b40 57              push    edi
bad60b41 8b7d08          mov     edi,dword ptr [ebp+8]
bad60b44 8b11            mov     edx,dword ptr [ecx]
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Hooked NtAllocateVirtualMemory (Id 0x11) on XP from the looks of it I believe

http://j00ru.vexillium.org/ntapi/
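The arithmetic behind "Id 0x11" and the "points outside nt" check can be scripted against the dump above. The block below is an added example, not code from either poster: it parses `dps`-style SSDT lines, derives the service index from the slot offset (4-byte entries on 32-bit XP), and flags any target that does not fall inside the ntoskrnl image. The sample lines are taken from the dump posted above; the module ranges (including the ntoskrnl range and a hypothetical driver covering bad60b30) are constructed for the example and would come from `lm` in a real session.

```python
"""Flag SSDT entries that point outside ntoskrnl and recover their service index.

Added example (not from the thread). Parses `dps`-style output such as the
dump posted above. The module ranges below are constructed placeholders; in a
live session take them from `lm`.
"""
import re

# Constructed sample: a few of the dump lines from the post, including the
# unresolved entry at 804e26ec.
SSDT_DUMP = """\
804e26a8  8058fdf5 nt!NtAcceptConnectPort
804e26ac  805790f1 nt!NtAccessCheck
804e26e8  805dd3c9 nt!NtAllocateUuids
804e26ec  bad60b30
804e26f0  805d9767 nt!NtAreMappedFilesTheSame
"""

# Constructed `lm`-style ranges: (start, end, name). The nt range is an assumed
# XP-like placeholder and the driver name is hypothetical.
MODULES = [
    (0x804D7000, 0x806E4000, "nt"),
    (0xBAD5F000, 0xBAD65000, "hypothetical_driver.sys"),
]

# <slot address> <target address> [<symbol>]
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?", re.I)


def parse_ssdt(dump):
    """Return a list of (slot_address, target_address, symbol_or_None)."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries


def service_index(slot, table_base):
    """Service number = offset of the slot into KiServiceTable / pointer size (4 on x86)."""
    return (slot - table_base) // 4


def owning_module(addr, modules=MODULES):
    """Name of the module whose [start, end) range contains addr, or None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def find_hooks(dump, modules=MODULES):
    """Return entries whose target is not inside the nt image.

    Assumes the dump starts at the first slot of KiServiceTable (index 0).
    """
    entries = parse_ssdt(dump)
    table_base = entries[0][0]
    hooks = []
    for slot, target, sym in entries:
        mod = owning_module(target, modules)
        if mod != "nt":
            hooks.append({
                "index": service_index(slot, table_base),
                "slot": slot,
                "target": target,
                "symbol": sym,
                "module": mod,  # None means "no known module covers it"
            })
    return hooks


if __name__ == "__main__":
    for h in find_hooks(SSDT_DUMP):
        print("service 0x%02x at slot %08x -> %08x (%s, %s)" % (
            h["index"], h["slot"], h["target"], h["symbol"], h["module"]))
```

This only catches table-pointer hooks; a driver that leaves the SSDT entry intact and patches the first bytes of the nt function itself (an inline hook) passes this check, so pair it with `u` on the resolved nt!Nt* function as well.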
WaxfordSqueers
Senior Member
Posts: 1000
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote: Hooked NtAllocateVirtualMemory (Id 0x11) on XP from the looks of it I believe

http://j00ru.vexillium.org/ntapi/
Thanks there Kayaker. Tracked it down in trusty old ice. Seems to be hooked by hcmon.sys, a vmware USB monitor for VM Player.

It was kind of stupid how I picked it up. I am still working the same problem with tracking notepad down to the MFT level. It happens via Shell32.dll and Shlwapi.dll mainly and there is a call from shell32 to k32!readfile. Unfortunately, something is loading notepad into the file cache and it gets read from there, so I tried loading every app I could to see if it would overwrite the cache. Normally, I don't use VM Player.