Friday, March 7, 2008

If some idiot sends you a dump file but doesn't know which build they installed....

0: kd> lm v m foo*
start    end        module name
a6fa9000 a6fbf080   foo (deferred)            
    Image path: \??\C:\Windows\system32\drivers\foo.sys
    Image name: foo.sys
    Timestamp:        Mon Dec 10 13:50:02 2007 (475DB48A)
    CheckSum:         0001B348
    ImageSize:        00016080
    File version:     3.0.167.0
    Product version:  3.0.167.0
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      foo Inc
    ProductName:      foo foo
    InternalName:     foo.sys
    OriginalFilename: foo.sys
    ProductVersion:   3.0.167
    FileVersion:      3.0.167
    FileDescription:  foo IPSec Driver
    LegalCopyright:   2003-2006 foo Inc. All rights reserved.
...

Thursday, March 6, 2008

Find crash position

Dump stack:

image

Launch IDA Pro:

image

Address = 0x10480 - 0x480 + 0x1a10 = 0x11a10

There we are:

image

Wednesday, March 5, 2008

Where is current IRQL?

kd> u KeGetCurrentIrql
hal!KeGetCurrentIrql:

806ed2a4 0fb70524f0dfff  movzx   eax,word ptr ds:[0FFDFF024h]
806ed2ab c3                  ret

This routine tells us that the current IRQL is stored at kernel address 0xFFDFF024 (on 32-bit XP-era kernels that is the Irql field of the processor's KPCR, which lives at 0xFFDFF000). It is read as a WORD (2 bytes), but in fact only the low byte is meaningful; the upper 8 bits are always zero.

Software IRQLs:
PASSIVE_LEVEL  0    // Passive release level
LOW_LEVEL      0    // Lowest interrupt level
APC_LEVEL      1    // APC interrupt level
DISPATCH_LEVEL 2    // Dispatcher level

Tuesday, March 4, 2008

PID Condition breakpoint

bp nt!NtCreateFile "j (poi(@$teb+20) = 0x544) ''; 'gc'"

0x544 is the process id.

@$teb+20 is the offset of the _CLIENT_ID field in the TEB; its first member, UniqueProcess, is the process id.

List ZwCreateFile file name

bp nt!ZwCreateFile

dt _OBJECT_ATTRIBUTES poi(esp + 0xC)
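The two tricks above combine into one breakpoint. This is an added example, not from the original post: stop in nt!NtCreateFile only for PID 0x544 (the post's sample value), print the requested path from ObjectAttributes, and continue. It assumes 32-bit XP-era layouts: _CLIENT_ID at TEB+0x20, ObjectAttributes as the third stack argument (esp+0xc) and ObjectName at offset 8 of _OBJECT_ATTRIBUTES.

```text
$$ Added example: per-process NtCreateFile trace (x86 kernel debugging, XP-era offsets assumed)
$$ 0x544            = target process id (sample value from the post); replace with your PID
$$ poi(@$teb+0x20)  -> _CLIENT_ID.UniqueProcess of the current thread
$$ poi(@esp+0xc)    -> third argument, POBJECT_ATTRIBUTES
$$ +8               -> _OBJECT_ATTRIBUTES.ObjectName (PUNICODE_STRING), shown with dS
bp nt!NtCreateFile "j (poi(@$teb+0x20) = 0x544) '.printf \"NtCreateFile from PID 0x544: \"; dS poi(poi(@esp+0xc)+8); gc'; 'gc'"
```

System threads have no TEB (@$teb is 0), so the expression fails there and the debugger stops at the breakpoint instead of continuing; in kd, bp /p <EPROCESS address> is the built-in way to restrict a breakpoint to one process without reading the TEB.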

Some WinDbg scripts I often use

  • Choose the right symbols

.printf /D "<link cmd=\".sympath SRV*H:\\OS Debug Symbols\\XP32*http://msdl.microsoft.com/download/symbols; .reload\"><b>Load XP32 debug symbol</b></link>\n\n"

.printf /D "<link cmd=\".sympath SRV*H:\\OS Debug Symbols\\XP_X64*http://msdl.microsoft.com/download/symbols\"><b>Load XP_X64 debug symbol</b></link>\n\n"

.printf /D "<link cmd=\".sympath SRV*H:\\OS Debug Symbols\\Vista RTM X64*http://msdl.microsoft.com/download/symbols\"><b>Load VISTA_X64 debug symbol</b></link>\n\n"

.printf /D "<link cmd=\".sympath SRV*H:\\OS Debug Symbols\\Vista RTM X86*http://msdl.microsoft.com/download/symbols\"><b>Load VISTA_X86 debug symbol</b></link>\n\n"

Result:

image