
Re: KdVersionBlock in x64

Posted: Sun Jan 22, 2012 10:24 pm
by lorddoskias
Changed as proposed, but still nothing:
Code:
#include <ntddk.h>
#include <wdbgexts.h>   /* KDDEBUGGER_DATA64 / PKDDEBUGGER_DATA64 (Debugging Tools SDK) */

/* Helpers from the earlier posts (not repeated here): locate the ntoskrnl image and its .data section. */
PVOID GetNtosBaseAddr(PDRIVER_OBJECT DriverObject);
PVOID GetDataSectionAddress(PVOID kernelbase, ULONG *sectionSize);

void findKdDebuggerBlock(PDRIVER_OBJECT DriverObject) {

	ULONG bytesScanned;
	ULONG sectionSize = 0;
	PVOID kernelbase = GetNtosBaseAddr(DriverObject);
	PVOID sectionAddress = GetDataSectionAddress(kernelbase, &sectionSize);
	char *debugData = (char *)sectionAddress;

	if (sectionAddress == NULL || sectionSize < sizeof(KDDEBUGGER_DATA64)) {
		DbgPrint("Could not locate a usable .data section\n");
		return;
	}

	/* Slide a KDDEBUGGER_DATA64 view one byte at a time over .data and compare three of
	 * its fields against the values of the exported kernel variables. The loop stops
	 * before a candidate would run past the end of the section. */
	for (bytesScanned = 0; bytesScanned + sizeof(KDDEBUGGER_DATA64) <= sectionSize; bytesScanned++) {
		if (((PKDDEBUGGER_DATA64)debugData)->MmHighestUserAddress == (ULONG64)MmHighestUserAddress &&
		   ((PKDDEBUGGER_DATA64)debugData)->MmSystemRangeStart == (ULONG64)MmSystemRangeStart &&
		   ((PKDDEBUGGER_DATA64)debugData)->MmUserProbeAddress == (ULONG64)MmUserProbeAddress) {
			   DbgPrint("Found KDDEBUGGER_DATA64 block at 0x%p\n", debugData);
			   return;
		}

		debugData++;
	}

	DbgPrint("Exhausted search space and found nothing\n");
}
Any more ideas? Also, are the members in debuggerdata pointers or the actual values? Because MmHighestUserAddress is declared as PVOID, so it is a pointer, not the value, whereas the member in the debuggerdata might be the actual data?

Re: KdVersionBlock in x64

Posted: Mon Jan 23, 2012 7:10 am
by redp
lorddoskias wrote: Any more ideas? Also, are the members in debuggerdata pointers or the actual values?
They are pointers (except MmPageSize). So you need to search for addresses, but your code is searching for the values of the exported symbols.
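The distinction redp draws, shown as an added example that is not code from this thread: the pointer-typed members of KDDEBUGGER_DATA64 hold the addresses of the nt! variables (in a driver, `(ULONG64)&MmHighestUserAddress`), not the values those variables contain, so a scan keyed on the values finds nothing while a scan keyed on the addresses hits. The program below is user-mode C with a constructed ".data" buffer and a simplified stand-in structure (`FakeKdDebuggerData`, `Fake_Mm*`, `FAKE_BLOCK_OFFSET` are all assumptions made up for the illustration; the real structure in wdbgexts.h has a header and many more members). It also copies each candidate out before comparing, so unaligned offsets are safe, and bounds the loop so the last candidate never overruns the section.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified stand-in for the part of KDDEBUGGER_DATA64 the thread
 * compares. Only the three fields under discussion are modelled; in the real block
 * each of them holds the ADDRESS of the corresponding nt! variable. */
typedef struct {
    uint32_t OwnerTag;             /* "KDBG" in the real block */
    uint32_t Size;
    uint64_t MmHighestUserAddress; /* &nt!MmHighestUserAddress, not its value */
    uint64_t MmSystemRangeStart;   /* &nt!MmSystemRangeStart */
    uint64_t MmUserProbeAddress;   /* &nt!MmUserProbeAddress */
} FakeKdDebuggerData;

/* Stand-ins for the exported kernel variables. The values are constructed to look
 * like typical x64 limits; they are not read from a real kernel. */
static void *Fake_MmHighestUserAddress   = (void *)0x000007FFFFFEFFFFULL;
static void *Fake_MmSystemRangeStart     = (void *)0xFFFF080000000000ULL;
static uintptr_t Fake_MmUserProbeAddress = 0x000007FFFFFF0000ULL;

#define FAKE_BLOCK_OFFSET 0x300
static unsigned char fake_data_section[4096];

/* Build the constructed ".data" section: filler bytes with one block planted at
 * FAKE_BLOCK_OFFSET, its pointer fields filled the way the kernel fills them. */
static void build_fake_section(void) {
    FakeKdDebuggerData blk;
    memset(fake_data_section, 0xCC, sizeof fake_data_section);
    memset(&blk, 0, sizeof blk);
    blk.OwnerTag = 0x4742444B;  /* "KDBG" */
    blk.Size = (uint32_t)sizeof blk;
    blk.MmHighestUserAddress = (uint64_t)(uintptr_t)&Fake_MmHighestUserAddress;
    blk.MmSystemRangeStart   = (uint64_t)(uintptr_t)&Fake_MmSystemRangeStart;
    blk.MmUserProbeAddress   = (uint64_t)(uintptr_t)&Fake_MmUserProbeAddress;
    memcpy(fake_data_section + FAKE_BLOCK_OFFSET, &blk, sizeof blk);
}

/* Byte-granular scan for a candidate whose three fields equal the wanted values.
 * Each candidate is copied out (unaligned-safe) and the loop stops before a
 * candidate would overrun the section. Returns the match offset, or -1. */
static long scan_section(const unsigned char *section, size_t size,
                         uint64_t want_high, uint64_t want_sys, uint64_t want_probe) {
    size_t off;
    if (size < sizeof(FakeKdDebuggerData))
        return -1;
    for (off = 0; off + sizeof(FakeKdDebuggerData) <= size; off++) {
        FakeKdDebuggerData cand;
        memcpy(&cand, section + off, sizeof cand);
        if (cand.MmHighestUserAddress == want_high &&
            cand.MmSystemRangeStart == want_sys &&
            cand.MmUserProbeAddress == want_probe)
            return (long)off;
    }
    return -1;
}

/* What the posted code does: key the scan on the VALUES of the exported variables. */
long find_block_by_value(void) {
    build_fake_section();
    return scan_section(fake_data_section, sizeof fake_data_section,
                        (uint64_t)(uintptr_t)Fake_MmHighestUserAddress,
                        (uint64_t)(uintptr_t)Fake_MmSystemRangeStart,
                        (uint64_t)Fake_MmUserProbeAddress);
}

/* What redp describes: key the scan on the ADDRESSES of the exported variables. */
long find_block_by_address(void) {
    build_fake_section();
    return scan_section(fake_data_section, sizeof fake_data_section,
                        (uint64_t)(uintptr_t)&Fake_MmHighestUserAddress,
                        (uint64_t)(uintptr_t)&Fake_MmSystemRangeStart,
                        (uint64_t)(uintptr_t)&Fake_MmUserProbeAddress);
}

int main(void) {
    printf("by value  : %ld\n", find_block_by_value());      /* -1: no match */
    printf("by address: 0x%lx\n", find_block_by_address());  /* 0x300 */
    return 0;
}
```

In a real driver the same change is mechanical: replace `(ULONG64)MmHighestUserAddress` with `(ULONG64)&MmHighestUserAddress` (and likewise for the other two) in the comparison; MmPageSize is the one member redp calls out as a plain value rather than a pointer.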

Re: KdVersionBlock in x64

Posted: Mon Jan 23, 2012 10:47 am
by lorddoskias
Well, the exported variables are declared as PVOID, so I assume it is the address, and if the members of the debugger_block are also pointers, shouldn't those values match?

Re: KdVersionBlock in x64

Posted: Tue Jan 24, 2012 8:13 am
by EP_X0FF
lorddoskias wrote: Well, the exported variables are declared as PVOID, so I assume it is the address, and if the members of the debugger_block are also pointers, shouldn't those values match?
Is it so difficult to double-check this data against your code in a debugger?

Re: KdVersionBlock in x64

Posted: Sat Apr 14, 2012 11:52 am
by kmd
EP_X0FF wrote: Windows 7 Kernel Version 7601 (Service Pack 1) MP (16 procs) Free x64
out of curiosity what cpu it was?

Re: KdVersionBlock in x64

Posted: Sat Apr 14, 2012 12:20 pm
by EP_X0FF
kmd wrote:
EP_X0FF wrote: Windows 7 Kernel Version 7601 (Service Pack 1) MP (16 procs) Free x64
out of curiosity what cpu it was?
It was my old 2 x E5620 Xeon CPUs (2x8).

Necroposting isn't really a good thing. Thread closed.