[lorddoskias]

Is there a way to programatically acquire _KPCR's address. I know it is at address fs:[0x1c] so by using inline assembly this can be done, but is there another way to do it without using inline assembly?

[EP_X0FF]

Code: Select all

 return (PKPCR) (ULONG_PTR) __readfsdword (FIELD_OFFSET (KPCR, SelfPcr));

[lorddoskias]

Thanks, I just found out this. Now another question:

I'm trying to print the address of PsLoadedModuleList as a PoC to see I can parse the KdVersionBlock. Here is the code I use:

Code: Select all

void printGlobVars() {

	 PKPCR var;
	 PDBGKD_GET_VERSION64 versionBlock;
	 PKDDEBUGGER_DATA64 debugData;


	 //get pointer to the KPCR
     var = __readfsdword(0x1c);

	 versionBlock = var->KdVersionBlock;      <= up to here everything is fine 
	 
	 debugData = versionBlock->DebuggerDataList; <= in visual studio debugger I see that all members have the value 0 

	 DbgPrint("Address of PsLoadedModule list is 0x%p\n", debugData->PsLoadedModuleList); <== so this gives 0x000000
} 

But I think I'm having problems parsing the ULONG64, I'm running inside a 32bit Win 7, but I was left with the impression that irrespective of what the version of the OS is the struct is always of type 64?

[EP_X0FF]

And on which CPU this executed?

[lorddoskias]

The VM has a single CPU so I'd say 0

[nullptr]

Try this

Code: Select all

    versionBlock = (PDBGKD_GET_VERSION64)var->KdVersionBlock;
/*
    if (!MmIsAddressValid(versionBlock))
    {
        DbgPrint("invalid address for versionBlock\n");
        return status;
    }  
*/
    debugData = (PKDDEBUGGER_DATA64) ((PLIST_ENTRY64)(versionBlock->DebuggerDataList))->Flink;

    DbgPrint("PsLoadedModuleList: 0x%08X\n", (ULONG)(debugData->PsLoadedModuleList & 0xFFFFFFFF));

[lorddoskias]

Try this

Code: Select all

    versionBlock = (PDBGKD_GET_VERSION64)var->KdVersionBlock;
/*
    if (!MmIsAddressValid(versionBlock))
    {
        DbgPrint("invalid address for versionBlock\n");
        return status;
    }  
*/
    debugData = (PKDDEBUGGER_DATA64) ((PLIST_ENTRY64)(versionBlock->DebuggerDataList))->Flink;

    DbgPrint("PsLoadedModuleList: 0x%08X\n", (ULONG)(debugData->PsLoadedModuleList & 0xFFFFFFFF));

That's quality man, thanks a lot!

[g4mbit]

I know that this is kind of a old thread, but I believe my question is still relevant.

The code above is valid for x86, but what about x64?
From what I've found so far, you can get the KPCR on x64 this way, since the structure is pretty different:

Code: Select all

PKPCR = (PKPCR) _readgsdword(FIELD_OFFSET(KPCR, Self));

From that point, I could try to get the kdVersionBlock, but I'm getting a bug check 0x3b with access violation (0xc0000005).

How do we get the version block and then the debugger data list?

[EP_X0FF]

I know that this is kind of a old thread, but I believe my question is still relevant.

The code above is valid for x86, but what about x64?
From what I've found so far, you can get the KPCR on x64 this way, since the structure is pretty different:

Code: Select all

PKPCR = (PKPCR) _readgsdword(FIELD_OFFSET(KPCR, Self));

From that point, I could try to get the kdVersionBlock, but I'm getting a bug check 0x3b with access violation (0xc0000005).

How do we get the version block and then the debugger data list?

Mindless copy-pasting.
PKPCR = (PKPCR) _readgsdword(FIELD_OFFSET(KPCR, Self));

x64 pointers are not 32 bit size.

[g4mbit]

Yes. That works fine.

But from that point, how do I get to the kdVersionBlock and then the DebuggerDataList, always keeping in mind that I'm trying to do this in x64.

The following code gives me a BS right away.

Code: Select all

PKPCR pKpCR = (PKPCR) _readgsdword(FIELD_OFFSET(KPCR, Self));
PVOID version = pKPCR->KdVersionBlock;