[lorddoskias]

Changed as purposed but still nothing:

Code: Select all

void findKdDebuggerBlock(PDRIVER_OBJECT DriverObject) {
	
	DWORD bytesScanned;
	DWORD sectionSize = 0;
	PVOID kernelbase = GetNtosBaseAddr(DriverObject);
	PVOID sectionAddress = GetDataSectionAddress(kernelbase, &sectionSize);
	char *debugData = (char *)sectionAddress;

	for(bytesScanned = 0; bytesScanned < sectionSize; bytesScanned++) {
		if(((PKDDEBUGGER_DATA64)debugData)->MmHighestUserAddress == MmHighestUserAddress &&
		   ((PKDDEBUGGER_DATA64)debugData)->MmSystemRangeStart == MmSystemRangeStart &&
		   ((PKDDEBUGGER_DATA64)debugData)->MmUserProbeAddress == MmUserProbeAddress ) {
			   DbgPrint("Found KDEVERSIOIN BLOCK AT 0x%p\n", debugData);
			   break;
		}

		debugData++;
	}

	DbgPrint("Exhausted search space and found nothing\n");
}

Any more ideas? Also, the members in debuggerdata are pointers or the actual value? Because MmHighestUserAddress is declared as PVOID, so it is a pointer not the value, whereas the member in the debuggerdata might be the actual data?

[redp]

Any more ideas? Also, the members in debuggerdata are pointers or the actual value?

They are pointers (except MmPageSize). So you need search for addresses but your code searching for values of exported symbols

[lorddoskias]

Well, the exported variables are declared as PVOID so I assume it is the address and if the members of the debugger_block are also pointers shouldn't those values match?

[EP_X0FF]

Well, the exported variables are declared as PVOID so I assume it is the address and if the members of the debugger_block are also pointers shouldn't those values match?

Is it so difficult to double check via debugger this data with your code?

[kmd]

Windows 7 Kernel Version 7601 (Service Pack 1) MP (16 procs) Free x64

out of curiosity what cpu it was?

[EP_X0FF]

Windows 7 Kernel Version 7601 (Service Pack 1) MP (16 procs) Free x64

out of curiosity what cpu it was?

It was my old 2 x E5620 Xeon CPU's (2x8).

Necroposting isn't something really good. Thread closed.