Windows 7 introduces user level drivers
April 3, 2009
Windows 7 introduces the new concept of user mode drivers. User mode device drivers can only access system (kernel) data through the Win32 API. They do not replace kernel mode device drivers, which still run as part of the executive. Windows 7 still uses the layered driver architecture.
Windows 7 KPROCESS
April 3, 2009
kd> dt nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY
+0x018 DirectoryTableBase : Uint4B
+0x01c LdtDescriptor : _KGDTENTRY
+0x024 Int21Descriptor : _KIDTENTRY
+0x02c ActiveProcessors : _KAFFINITY_EX
+0x038 KernelTime : Uint4B
+0x03c UserTime : Uint4B
+0x040 ReadyListHead : _LIST_ENTRY
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : Ptr32 Void
+0x050 ThreadListHead : _LIST_ENTRY
+0x058 ProcessLock : Uint4B
+0x05c Affinity : _KAFFINITY_EX
+0x068 AutoAlignment : Pos 0, 1 Bit
+0x068 DisableBoost : Pos 1, 1 Bit
+0x068 DisableQuantum : Pos 2, 1 Bit
+0x068 ActiveGroupsMask : Pos 3, 1 Bit
+0x068 ReservedFlags : Pos 4, 28 Bits
+0x068 ProcessFlags : Int4B
+0x06c BasePriority : Char
+0x06d QuantumReset : Char
+0x06e Visited : UChar
+0x06f Unused3 : UChar
+0x070 ThreadSeed : [1] Uint4B
+0x074 IdealNode : [1] Uint2B
+0x076 IdealGlobalNode : Uint2B
+0x078 Flags : _KEXECUTE_OPTIONS
+0x078 ExecuteOptions : UChar
+0x079 Unused1 : UChar
+0x07a IopmOffset : Uint2B
+0x07c Unused4 : Uint4B
+0x080 StackCount : _KSTACK_COUNT
+0x084 ProcessListEntry : _LIST_ENTRY
+0x090 CycleTime : Uint8B
Win 7 DISPATCHER_HEADER
April 3, 2009
kd> dt nt!_DISPATCHER_HEADER
+0x000 Type : UChar
+0x001 ControlFlags : UChar
+0x001 Absolute : Pos 0, 1 Bit
+0x001 Coalescable : Pos 1, 1 Bit
+0x001 KeepShifting : Pos 2, 1 Bit
+0x001 EncodedTolerableDelay : Pos 3, 5 Bits
+0x001 Abandoned : UChar
+0x001 Signalling : UChar
+0x002 ThreadControlFlags : UChar
+0x002 CpuThrottled : Pos 0, 1 Bit
+0x002 CycleProfiling : Pos 1, 1 Bit
+0x002 CounterProfiling : Pos 2, 1 Bit
+0x002 Reserved : Pos 3, 5 Bits
+0x002 Hand : UChar
+0x002 Size : UChar
+0x003 TimerControlFlags : UChar
+0x003 Index : Pos 0, 6 Bits
+0x003 Inserted : Pos 6, 1 Bit
+0x003 Expired : Pos 7, 1 Bit
+0x003 DebugActive : UChar
+0x003 DpcActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : _LIST_ENTRY
Win 7 KTHREAD
April 3, 2009
kd> dt nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 CycleTime : Uint8B
+0x018 HighCycleTime : Uint4B
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr32 Void
+0x02c StackLimit : Ptr32 Void
+0x030 KernelStack : Ptr32 Void
+0x034 ThreadLock : Uint4B
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : UChar
+0x03a Alerted : [2] UChar
+0x03c KernelStackResident : Pos 0, 1 Bit
+0x03c ReadyTransition : Pos 1, 1 Bit
+0x03c ProcessReadyQueue : Pos 2, 1 Bit
+0x03c WaitNext : Pos 3, 1 Bit
+0x03c SystemAffinityActive : Pos 4, 1 Bit
+0x03c Alertable : Pos 5, 1 Bit
+0x03c GdiFlushActive : Pos 6, 1 Bit
+0x03c UserStackWalkActive : Pos 7, 1 Bit
+0x03c ApcInterruptRequest : Pos 8, 1 Bit
+0x03c ForceDeferSchedule : Pos 9, 1 Bit
+0x03c QuantumEndMigrate : Pos 10, 1 Bit
+0x03c Reserved1 : Pos 11, 1 Bit
+0x03c Reserved2 : Pos 12, 20 Bits
+0x03c MiscFlags : Int4B
+0x040 ApcState : _KAPC_STATE
+0x040 ApcStateFill : [23] UChar
+0x057 Priority : Char
+0x058 NextProcessor : Uint4B
+0x05c DeferredProcessor : Uint4B
+0x060 ApcQueueLock : Uint4B
+0x064 ContextSwitches : Uint4B
+0x068 State : UChar
+0x069 NpxState : Char
+0x06a WaitIrql : UChar
+0x06b WaitMode : Char
+0x06c WaitStatus : Int4B
+0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK
+0x074 WaitListEntry : _LIST_ENTRY
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : Ptr32 _KQUEUE
+0x080 WaitTime : Uint4B
+0x084 KernelApcDisable : Int2B
+0x086 SpecialApcDisable : Int2B
+0x084 CombinedApcDisable : Uint4B
+0x088 Teb : Ptr32 Void
+0x090 Timer : _KTIMER
+0x090 TimerFill : [40] UChar
+0x0b8 AutoAlignment : Pos 0, 1 Bit
+0x0b8 DisableBoost : Pos 1, 1 Bit
+0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit
+0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit
+0x0b8 CalloutActive : Pos 4, 1 Bit
+0x0b8 ApcQueueable : Pos 5, 1 Bit
+0x0b8 EnableStackSwap : Pos 6, 1 Bit
+0x0b8 GuiThread : Pos 7, 1 Bit
+0x0b8 ReservedFlags : Pos 8, 24 Bits
+0x0b8 ThreadFlags : Int4B
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK
+0x120 QueueListEntry : _LIST_ENTRY
+0x128 TrapFrame : Ptr32 _KTRAP_FRAME
+0x12c FirstArgument : Ptr32 Void
+0x130 CallbackStack : Ptr32 Void
+0x130 CallbackDepth : Uint4B
+0x134 ServiceTable : Ptr32 Void
+0x138 ApcStateIndex : UChar
+0x139 BasePriority : Char
+0x13a PriorityDecrement : Char
+0x13a ForegroundBoost : Pos 0, 4 Bits
+0x13a UnusualBoost : Pos 4, 4 Bits
+0x13b Preempted : UChar
+0x13c AdjustReason : UChar
+0x13d AdjustIncrement : Char
+0x13e PreviousMode : Char
+0x13f Saturation : Char
+0x140 SystemCallNumber : Uint4B
+0x144 FreezeCount : Uint4B
+0x148 UserAffinity : _GROUP_AFFINITY
+0x154 Process : Ptr32 _KPROCESS
+0x158 Affinity : _GROUP_AFFINITY
+0x164 IdealProcessor : Uint4B
+0x168 UserIdealProcessor : Uint4B
+0x16c ApcStatePointer : [2] Ptr32 _KAPC_STATE
+0x174 SavedApcState : _KAPC_STATE
+0x174 SavedApcStateFill : [23] UChar
+0x18b WaitReason : UChar
+0x18c SuspendCount : Char
+0x18d Spare1 : Char
+0x18e OtherPlatformFill : UChar
+0x190 Win32Thread : Ptr32 Void
+0x194 StackBase : Ptr32 Void
+0x198 SuspendApc : _KAPC
+0x198 SuspendApcFill0 : [1] UChar
+0x199 ResourceIndex : UChar
+0x198 SuspendApcFill1 : [3] UChar
+0x19b QuantumReset : UChar
+0x198 SuspendApcFill2 : [4] UChar
+0x19c KernelTime : Uint4B
+0x198 SuspendApcFill3 : [36] UChar
+0x1bc WaitPrcb : Ptr32 _KPRCB
+0x198 SuspendApcFill4 : [40] UChar
+0x1c0 LegoData : Ptr32 Void
+0x198 SuspendApcFill5 : [47] UChar
+0x1c7 LargeStack : UChar
+0x1c8 UserTime : Uint4B
+0x1cc SuspendSemaphore : _KSEMAPHORE
+0x1cc SuspendSemaphorefill : [20] UChar
+0x1e0 SListFaultCount : Uint4B
+0x1e4 ThreadListEntry : _LIST_ENTRY
+0x1ec MutantListHead : _LIST_ENTRY
+0x1f4 SListFaultAddress : Ptr32 Void
+0x1f8 ThreadCounters : Ptr32 _KTHREAD_COUNTERS
+0x1fc XStateSave : Ptr32 _XSTATE_SAVE
Win 7 ETHREAD struct
April 3, 2009
kd> dt nt!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x200 CreateTime : _LARGE_INTEGER
+0x208 ExitTime : _LARGE_INTEGER
+0x208 KeyedWaitChain : _LIST_ENTRY
+0x210 ExitStatus : Int4B
+0x210 OfsChain : Ptr32 Void
+0x214 PostBlockList : _LIST_ENTRY
+0x214 ForwardLinkShadow : Ptr32 Void
+0x218 StartAddress : Ptr32 Void
+0x21c TerminationPort : Ptr32 _TERMINATION_PORT
+0x21c ReaperLink : Ptr32 _ETHREAD
+0x21c KeyedWaitValue : Ptr32 Void
+0x220 ActiveTimerListLock : Uint4B
+0x224 ActiveTimerListHead : _LIST_ENTRY
+0x22c Cid : _CLIENT_ID
+0x234 KeyedWaitSemaphore : _KSEMAPHORE
+0x234 AlpcWaitSemaphore : _KSEMAPHORE
+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x24c IrpList : _LIST_ENTRY
+0x254 TopLevelIrp : Uint4B
+0x258 DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x25c CpuQuotaApc : Ptr32 _PSP_CPU_QUOTA_APC
+0x260 Win32StartAddress : Ptr32 Void
+0x264 LegacyPowerObject : Ptr32 Void
+0x268 ThreadListEntry : _LIST_ENTRY
+0x270 RundownProtect : _EX_RUNDOWN_REF
+0x274 ThreadLock : _EX_PUSH_LOCK
+0x278 ReadClusterSize : Uint4B
+0x27c MmLockOrdering : Int4B
+0x280 CrossThreadFlags : Uint4B
+0x280 Terminated : Pos 0, 1 Bit
+0x280 ThreadInserted : Pos 1, 1 Bit
+0x280 HideFromDebugger : Pos 2, 1 Bit
+0x280 ActiveImpersonationInfo : Pos 3, 1 Bit
+0x280 SystemThread : Pos 4, 1 Bit
+0x280 HardErrorsAreDisabled : Pos 5, 1 Bit
+0x280 BreakOnTermination : Pos 6, 1 Bit
+0x280 SkipCreationMsg : Pos 7, 1 Bit
+0x280 SkipTerminationMsg : Pos 8, 1 Bit
+0x280 CopyTokenOnOpen : Pos 9, 1 Bit
+0x280 ThreadIoPriority : Pos 10, 3 Bits
+0x280 ThreadPagePriority : Pos 13, 3 Bits
+0x280 RundownFail : Pos 16, 1 Bit
+0x284 SameThreadPassiveFlags : Uint4B
+0x284 ActiveExWorker : Pos 0, 1 Bit
+0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit
+0x284 MemoryMaker : Pos 2, 1 Bit
+0x284 ClonedThread : Pos 3, 1 Bit
+0x284 KeyedEventInUse : Pos 4, 1 Bit
+0x284 RateApcState : Pos 5, 2 Bits
+0x284 SelfTerminate : Pos 7, 1 Bit
+0x288 SameThreadApcFlags : Uint4B
+0x288 Spare : Pos 0, 1 Bit
+0x288 StartAddressInvalid : Pos 1, 1 Bit
+0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit
+0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
+0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit
+0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
+0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
+0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
+0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
+0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
+0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
+0x289 SuppressSymbolLoad : Pos 3, 1 Bit
+0x289 Prefetching : Pos 4, 1 Bit
+0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit
+0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
+0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit
+0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
+0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
+0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
+0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
+0x28a Spare1 : Pos 4, 4 Bits
+0x28b PriorityRegionActive : UChar
+0x28c CacheManagerActive : UChar
+0x28d DisablePageFaultClustering : UChar
+0x28e ActiveFaultCount : UChar
+0x28f LockOrderState : UChar
+0x290 AlpcMessageId : Uint4B
+0x294 AlpcMessage : Ptr32 Void
+0x294 AlpcReceiveAttributeSet : Uint4B
+0x298 AlpcWaitListEntry : _LIST_ENTRY
+0x2a0 CacheManagerCount : Uint4B
+0x2a4 CmCallbackCount : Uint4B
+0x2a8 IrpListLock : Uint4B
+0x2ac IoBoostCount : Uint4B
+0x2b0 ReservedForSynchTracking : Ptr32 Void
Win 7 EPROCESS
April 3, 2009
Behold, the magnificent Windows 7 EPROCESS structure.
kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [2] Uint4B
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 SpareUlongPtr : [2] Uint4B
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort : Ptr32 Void
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x134 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x138 Win32WindowStation : Ptr32 Void
+0x13c InheritedFromUniqueProcessId : Ptr32 Void
+0x140 LdtInformation : Ptr32 Void
+0x144 Spare : Ptr32 Void
+0x148 VdmObjects : Ptr32 Void
+0x14c DeviceMap : Ptr32 Void
+0x150 EtwDataSource : Ptr32 Void
+0x154 FreeTebHint : Ptr32 Void
+0x158 PageDirectoryPte : _HARDWARE_PTE
+0x158 Filler : Uint8B
+0x160 Session : Ptr32 Void
+0x164 ImageFileName : [16] UChar
+0x174 JobLinks : _LIST_ENTRY
+0x17c LockedPagesList : Ptr32 Void
+0x180 ThreadListHead : _LIST_ENTRY
+0x188 SecurityPort : Ptr32 Void
+0x18c PaeTop : Ptr32 Void
+0x190 ActiveThreads : Uint4B
+0x194 ImagePathHash : Uint4B
+0x198 DefaultHardErrorProcessing : Uint4B
+0x19c LastThreadExitStatus : Int4B
+0x1a0 Peb : Ptr32 _PEB
+0x1a4 PrefetchTrace : _EX_FAST_REF
+0x1a8 ReadOperationCount : _LARGE_INTEGER
+0x1b0 WriteOperationCount : _LARGE_INTEGER
+0x1b8 OtherOperationCount : _LARGE_INTEGER
+0x1c0 ReadTransferCount : _LARGE_INTEGER
+0x1c8 WriteTransferCount : _LARGE_INTEGER
+0x1d0 OtherTransferCount : _LARGE_INTEGER
+0x1d8 CommitChargeLimit : Uint4B
+0x1dc CommitChargePeak : Uint4B
+0x1e0 AweInfo : Ptr32 Void
+0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1e8 Vm : _MMSUPPORT
+0x250 MmProcessLinks : _LIST_ENTRY
+0x258 ModifiedPageCount : Uint4B
+0x25c Flags2 : Uint4B
+0x25c JobNotReallyActive : Pos 0, 1 Bit
+0x25c AccountingFolded : Pos 1, 1 Bit
+0x25c NewProcessReported : Pos 2, 1 Bit
+0x25c ExitProcessReported : Pos 3, 1 Bit
+0x25c ReportCommitChanges : Pos 4, 1 Bit
+0x25c LastReportMemory : Pos 5, 1 Bit
+0x25c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x25c HandleTableRundown : Pos 7, 1 Bit
+0x25c NeedsHandleRundown : Pos 8, 1 Bit
+0x25c RefTraceEnabled : Pos 9, 1 Bit
+0x25c NumaAware : Pos 10, 1 Bit
+0x25c ProtectedProcess : Pos 11, 1 Bit
+0x25c DefaultPagePriority : Pos 12, 3 Bits
+0x25c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x25c ProcessVerifierTarget : Pos 16, 1 Bit
+0x25c StackRandomizationDisabled : Pos 17, 1 Bit
+0x25c AffinityPermanent : Pos 18, 1 Bit
+0x25c AffinityUpdateEnable : Pos 19, 1 Bit
+0x25c CrossSessionCreate : Pos 20, 1 Bit
+0x260 Flags : Uint4B
+0x260 CreateReported : Pos 0, 1 Bit
+0x260 NoDebugInherit : Pos 1, 1 Bit
+0x260 ProcessExiting : Pos 2, 1 Bit
+0x260 ProcessDelete : Pos 3, 1 Bit
+0x260 Wow64SplitPages : Pos 4, 1 Bit
+0x260 VmDeleted : Pos 5, 1 Bit
+0x260 OutswapEnabled : Pos 6, 1 Bit
+0x260 Outswapped : Pos 7, 1 Bit
+0x260 ForkFailed : Pos 8, 1 Bit
+0x260 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x260 AddressSpaceInitialized : Pos 10, 2 Bits
+0x260 SetTimerResolution : Pos 12, 1 Bit
+0x260 BreakOnTermination : Pos 13, 1 Bit
+0x260 DeprioritizeViews : Pos 14, 1 Bit
+0x260 WriteWatch : Pos 15, 1 Bit
+0x260 ProcessInSession : Pos 16, 1 Bit
+0x260 OverrideAddressSpace : Pos 17, 1 Bit
+0x260 HasAddressSpace : Pos 18, 1 Bit
+0x260 LaunchPrefetched : Pos 19, 1 Bit
+0x260 InjectInpageErrors : Pos 20, 1 Bit
+0x260 VmTopDown : Pos 21, 1 Bit
+0x260 ImageNotifyDone : Pos 22, 1 Bit
+0x260 PdeUpdateNeeded : Pos 23, 1 Bit
+0x260 VdmAllowed : Pos 24, 1 Bit
+0x260 PropagateNode : Pos 25, 1 Bit
+0x260 ProcessInserted : Pos 26, 1 Bit
+0x260 DefaultIoPriority : Pos 27, 3 Bits
+0x260 ProcessSelfDelete : Pos 30, 1 Bit
+0x260 SpareProcessFlags : Pos 31, 1 Bit
+0x264 ExitStatus : Int4B
+0x268 Spare7 : Uint2B
+0x26a SubSystemMinorVersion : UChar
+0x26b SubSystemMajorVersion : UChar
+0x26a SubSystemVersion : Uint2B
+0x26c PriorityClass : UChar
+0x270 VadRoot : _MM_AVL_TABLE
+0x290 Cookie : Uint4B
+0x294 Spare8 : Uint4B
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 ConsoleHostProcess : Uint4B
+0x2bc CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
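To show how the offsets in this dump are actually used, here is an added example (not code from the original post) that walks the ActiveProcessLinks list over a constructed, self-contained memory image, the way "!process 0 0" or a memory-forensics process listing does. It assumes the 32-bit layout shown above (UniqueProcessId at 0x0b4, ActiveProcessLinks at 0x0b8, ImageFileName at 0x164, total size 0x2c0) and that nt!PsActiveProcessHead is a bare _LIST_ENTRY; the process names and PIDs are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets taken from the Windows 7 beta x86 dt nt!_EPROCESS output above. */
#define EPROCESS_SIZE            0x2c0
#define OFF_UNIQUE_PROCESS_ID    0x0b4   /* UniqueProcessId : Ptr32 Void     */
#define OFF_ACTIVE_PROCESS_LINKS 0x0b8   /* ActiveProcessLinks : _LIST_ENTRY */
#define OFF_IMAGE_FILE_NAME      0x164   /* ImageFileName : [16] UChar       */

/* Constructed stand-in for a 32-bit memory image: an "address" is simply an
   offset into this buffer. The _LIST_ENTRY at address 0 plays PsActiveProcessHead. */
#define LIST_HEAD      0x000
#define FIRST_EPROCESS 0x100
static uint8_t image[FIRST_EPROCESS + 3 * EPROCESS_SIZE];
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, image + a, 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(image + a, &v, 4); }

/* Fill the image with three fake processes linked into a circular list. */
void build_sample_image(void) {
    const char *names[3] = { "System", "smss.exe", "csrss.exe" };   /* constructed */
    const uint32_t pids[3] = { 4, 228, 312 };                        /* constructed */
    uint32_t prev = LIST_HEAD;
    memset(image, 0, sizeof image);
    for (int i = 0; i < 3; i++) {
        uint32_t base  = FIRST_EPROCESS + i * EPROCESS_SIZE;
        uint32_t entry = base + OFF_ACTIVE_PROCESS_LINKS;
        wr32(base + OFF_UNIQUE_PROCESS_ID, pids[i]);
        strncpy((char *)image + base + OFF_IMAGE_FILE_NAME, names[i], 15);
        wr32(prev, entry);       /* prev.Flink = &this.ActiveProcessLinks */
        wr32(entry + 4, prev);   /* this.Blink = prev                     */
        prev = entry;
    }
    wr32(prev, LIST_HEAD);       /* close the ring back to the head */
    wr32(LIST_HEAD + 4, prev);
}

/* Walk ActiveProcessLinks. Flink points at the _LIST_ENTRY *inside* the next
   EPROCESS, so the object base is Flink minus the field offset (CONTAINING_RECORD).
   Each hop also verifies next.Blink == current, the same sanity check a forensic
   tool uses to notice a corrupted or tampered list. Returns the number of
   processes found, or -1 as soon as a back-link does not match. */
int walk_active_processes(uint32_t head, uint32_t *out_pids, int max) {
    int n = 0;
    uint32_t cur = head, next = rd32(head);
    for (; next != head && n < max; cur = next, next = rd32(cur)) {
        if (rd32(next + 4) != cur) return -1;
        uint32_t base = next - OFF_ACTIVE_PROCESS_LINKS;
        out_pids[n++] = rd32(base + OFF_UNIQUE_PROCESS_ID);
        printf("EPROCESS @ 0x%03x  pid %-4u  %.16s\n", (unsigned)base,
               (unsigned)out_pids[n - 1], (char *)image + base + OFF_IMAGE_FILE_NAME);
    }
    return n;
}

/* Helpers: a clean walk, and one where the third entry's Blink was clobbered. */
static uint32_t found[8];
int sample_walk(void) { build_sample_image(); return walk_active_processes(LIST_HEAD, found, 8); }
uint32_t found_pid(int i) { return found[i]; }
int sample_walk_corrupted(void) {
    build_sample_image();
    wr32(FIRST_EPROCESS + 2 * EPROCESS_SIZE + OFF_ACTIVE_PROCESS_LINKS + 4, 0xdeadbeef);
    return walk_active_processes(LIST_HEAD, found, 8);
}
int main(void) { return (sample_walk() == 3 && sample_walk_corrupted() == -1) ? 0 : 1; }
```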
Debug setup
April 2, 2009
The current setup: Kernel debugging requires two computers to be connected through either a COM port, a 1394 firewire cable, a USB 2.0 cable, or over a network. I will be using a 1394 cable. If you do not have one already, you may purchase a 1394 card for very cheap ($5) on amazon.com, which will come with the driver, the card, and the firewire cable itself. (God I love amazon.com). Both the host and the target computers I am using are running Windows 7 beta, build 7000.
OK, so with Windows 7, as in Vista, all debug settings must be modified with bcdedit. Don't forget to run the cmd shell as administrator! I will be editing the {current} boot entry rather than adding a separate debug entry.
First command: bcdedit /debug {current} on
Second command: bcdedit /dbgsettings 1394 CHANNEL:44
Now restart the target computer (the computer to be debugged), and on the host computer run Windbg.exe (as administrator!!!). If you do not have Windbg.exe, search for "Debugging Tools for Windows"; it is easy to find and free.
We must now set the symbol file path if we are to glean any useful information from the target computer. Symbol files are what let the debugger resolve kernel names, so that the commands we enter give meaningful information about system files. If both computers have an internet connection, the easiest option is Microsoft's public symbol server, which only requires editing the symbol file path. In Windbg, go to File->Symbol File Path and add a new path of the form:
SRV*your local folder for symbols*http://msdl.microsoft.com/download/symbols
I created a folder under C:\symbols. So my symbol file path reads: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
This is all you need to debug the kernel files, and for now it is all we will need, though when we develop our driver we will have to add its symbol file to the path. Click Reload symbols, and all the kernel symbol files should now be ready to query.
OK, now connect to the target by going to File->Kernel Debug. Select the 1394 tab, set the channel to 44, and click OK. Look for the break icon at the top of the Windbg GUI; this icon is used whenever we wish to halt the target computer and peek into the kernel. We should now be successfully connected to the target machine!
Let's give it one command to ensure everything is working properly:
dt nt!_EPROCESS
If the symbol files have been configured properly, the output shows the EPROCESS struct with all member variables and offsets.
…The Latest…
April 2, 2009
So I have been officially unemployed for 3 days now. I am currently drinking Dunkin' Donuts coffee which was brewed this morning yet still tastes good enough. I am waiting for the expanding files part to complete on my failing hard drive/CD-ROM drive, not really sure which is crapping the sheets. The point is the sheets are soiled.
The unemployed saga continues…
Most Popular System Call Hooks
April 1, 2009
NtQuerySystemInformation
NtEnumerateKey
NtQueryDirectoryFile
If the System Service Descriptor Table (SSDT) itself is not hooked, do not assume all is well. The KiFastCallEntry Model Specific Register points to the SSDT on newer Pentium processors and is the mechanism that supports the SYSENTER instruction. This register can be checked in the following way:
#include <ntddk.h>   // DbgPrint; compiled as C++ for the bool type (use BOOLEAN in plain C)

bool MSRVerifier()
{
    unsigned int KiFast;
    __asm
    {
        mov ecx, 0x176     // IA32_SYSENTER_EIP, the MSR that holds the SYSENTER target
        rdmsr              // low 32 bits of the MSR land in EAX
        mov KiFast, eax
    }
    if (KiFast != KI_FAST_CALL_ENTRY)
    {
        DbgPrint("\n The Ki Fast Call Entry pointer was illegally modified!");
        return false;      // report the mismatch so the caller can act on it
    }
    return true;
}
Where KI_FAST_CALL_ENTRY is defined as:
#define KI_FAST_CALL_ENTRY 0x804de6f0   // XP SP3 value; 0x804dd89f on XP SP2
A hard-coded address is reliable enough for this check of the SSDT's location. For something more dynamic, the SSDT address can be imported through a dllimport declaration instead.
If we go one layer lower, the first few bytes of the function the SSDT entry points to may have been replaced with an inline hook. This can be detected by dereferencing a pointer to the function's start address and progressively scanning its first few bytes for unconditional jump opcodes. A more sophisticated attacker may choose to place the inline hook further into the target function's logic, at a spot that is always reached, for example right after the parameter validation that every successful call passes through. This is something I will be digging deeper into in the Windows 7 driver.
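As an added illustration of the scan described above (example code, not from the original post), the routine below checks a copy of a function's first bytes for the unconditional-transfer patterns an inline hook typically writes, and reports where it found one. The byte sequences are constructed samples; the function and name are mine, and unlike MSRVerifier this needs no version-specific constant.

```c
#include <stddef.h>
#include <stdint.h>

/* Scan the first 'window' bytes of a function body for the unconditional
   transfers an inline hook typically installs. Returns the offset of the first
   suspicious sequence, or -1 if none. E8 (call rel32) is deliberately not
   flagged: many kernel routines legitimately call _SEH_prolog4 early on. A
   match past offset 0 may also land inside an immediate or displacement, so
   confirm it with a disassembler before treating it as a hook. */
int find_inline_hook(const uint8_t *code, size_t len, size_t window) {
    if (window > len) window = len;
    for (size_t i = 0; i < window; i++) {
        uint8_t op = code[i];
        if (op == 0xE9 || op == 0xEB)                     /* jmp rel32 / jmp rel8 */
            return (int)i;
        if (op == 0xFF && i + 1 < len && (code[i + 1] & 0x38) == 0x20)
            return (int)i;                                /* jmp r/m32 (FF /4), e.g. FF 25 [abs] */
        if (op == 0x68 && i + 5 < len && code[i + 5] == 0xC3)
            return (int)i;                                /* push imm32 ; ret */
    }
    return -1;
}

/* Constructed samples. The hot-patchable prologue Windows x86 kernel routines
   start with: mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,0x10 */
static const uint8_t clean_prologue[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
/* Same routine with its first five bytes overwritten by a jmp rel32 */
static const uint8_t hooked_prologue[] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0x83, 0xEC, 0x10 };
/* Hook placed after the prologue, the subtler placement the post mentions */
static const uint8_t deep_hook[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xE9, 0x00, 0x00, 0x00, 0x00 };

int scan_clean(void)  { return find_inline_hook(clean_prologue,  sizeof clean_prologue,  16); }
int scan_hooked(void) { return find_inline_hook(hooked_prologue, sizeof hooked_prologue, 16); }
int scan_deep(void)   { return find_inline_hook(deep_hook,       sizeof deep_hook,       16); }

int main(void) {
    return (scan_clean() == -1 && scan_hooked() == 0 && scan_deep() == 5) ? 0 : 1;
}
```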
Windows 7
April 1, 2009
Well, today I was accepted into the Windows 7 DDK beta and received my free copy of Windows 7 Beta (7000-0-081212-1400) Ultimate. I am installing 7 on my desktop, though it only has 512 MB RAM. I will probably have to upgrade it as soon as possible. Either way, the Windows 7 device driver building will be on its way shortly.
I will provide step by step instructions on setting up a Debug environment on Windows 7 and connecting the target computer to the host with a firewire cable.
Stay tuned...