parent
4478ad6676
commit
386f96d3a4
|
@ -1,5 +1,5 @@
|
|||
v1.7.1
|
||||
+ SeCiCallbacks/g_CiCallbacks added to the callbacks viewer
|
||||
+ SeCiCallbacks/g_CiCallbacks, DbgkLmdCallbacks added to the callbacks viewer
|
||||
+ Session object view and access rights, merge pull request #8 #9
|
||||
+ treelist updated
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
*
|
||||
* VERSION: 1.71
|
||||
*
|
||||
* DATE: 19 Jan 2019
|
||||
* DATE: 26 Jan 2019
|
||||
*
|
||||
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
|
||||
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
|
||||
|
@ -1260,6 +1260,70 @@ ULONG_PTR FindPspCreateThreadNotifyRoutine(
|
|||
return Address;
|
||||
}
|
||||
|
||||
/*
|
||||
* FindDbgkLmdCallbacks
|
||||
*
|
||||
* Purpose:
|
||||
*
|
||||
* Return array address of callbacks registered with:
|
||||
*
|
||||
* DbgkLkmdRegisterCallback
|
||||
*
|
||||
*/
|
||||
ULONG_PTR FindDbgkLmdCallbacks(
|
||||
VOID)
|
||||
{
|
||||
ULONG Index;
|
||||
LONG Rel = 0;
|
||||
ULONG_PTR Address = 0;
|
||||
PBYTE ptrCode;
|
||||
hde64s hs;
|
||||
|
||||
ULONG_PTR NtOsBase = (ULONG_PTR)g_kdctx.NtOsBase;
|
||||
HMODULE hNtOs = (HMODULE)g_kdctx.NtOsImageMap;
|
||||
|
||||
ptrCode = (PBYTE)GetProcAddress(hNtOs, "DbgkLkmdUnregisterCallback");
|
||||
if (ptrCode == NULL)
|
||||
return 0;
|
||||
|
||||
Index = 0;
|
||||
Rel = 0;
|
||||
|
||||
//
|
||||
// Find DbgkLmdCallbacks pointer
|
||||
//
|
||||
do {
|
||||
hde64_disasm(ptrCode + Index, &hs);
|
||||
if (hs.flags & F_ERROR)
|
||||
break;
|
||||
|
||||
if (hs.len == 7) { //check if lea
|
||||
|
||||
if (((ptrCode[Index] == 0x4C) || (ptrCode[Index] == 0x48)) &&
|
||||
(ptrCode[Index + 1] == 0x8D))
|
||||
{
|
||||
Rel = *(PLONG)(ptrCode + Index + 3);
|
||||
break;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Index += hs.len;
|
||||
|
||||
} while (Index < 64);
|
||||
|
||||
if (Rel == 0)
|
||||
return 0;
|
||||
|
||||
Address = (ULONG_PTR)ptrCode + Index + hs.len + Rel;
|
||||
Address = NtOsBase + Address - (ULONG_PTR)hNtOs;
|
||||
|
||||
if (!kdAddressInNtOsImage((PVOID)Address))
|
||||
return 0;
|
||||
|
||||
return Address;
|
||||
}
|
||||
|
||||
/*
|
||||
* FindPspCreateProcessNotifyRoutine
|
||||
*
|
||||
|
@ -1529,6 +1593,59 @@ VOID DumpPsCallbacks(
|
|||
|
||||
}
|
||||
|
||||
/*
|
||||
* DumpDbgkLCallbacks
|
||||
*
|
||||
* Purpose:
|
||||
*
|
||||
* Read DbgkL* callback data from kernel and send it to output window.
|
||||
*
|
||||
*/
|
||||
VOID DumpDbgkLCallbacks(
|
||||
_In_ HWND TreeList,
|
||||
_In_ LPWSTR lpCallbackType,
|
||||
_In_ ULONG_PTR RoutinesArrayAddress,
|
||||
_In_ PRTL_PROCESS_MODULES Modules
|
||||
)
|
||||
{
|
||||
ULONG c;
|
||||
ULONG_PTR Address, Function;
|
||||
EX_FAST_REF Callbacks[DbgkLmdCount];
|
||||
|
||||
HTREEITEM RootItem;
|
||||
|
||||
//
|
||||
// Add callback root entry to the treelist.
|
||||
//
|
||||
RootItem = AddRootEntryToList(TreeList, lpCallbackType);
|
||||
if (RootItem == 0)
|
||||
return;
|
||||
|
||||
RtlSecureZeroMemory(Callbacks, sizeof(Callbacks));
|
||||
if (kdReadSystemMemory(RoutinesArrayAddress,
|
||||
&Callbacks, sizeof(Callbacks)))
|
||||
{
|
||||
|
||||
for (c = 0; c < DbgkLmdCount; c++) {
|
||||
|
||||
if (Callbacks[c].Value) {
|
||||
|
||||
Address = (ULONG_PTR)ObGetObjectFastReference(Callbacks[c]);
|
||||
Function = (ULONG_PTR)ObGetCallbackBlockRoutine((PVOID)Address);
|
||||
if (Function < g_kdctx.SystemRangeStart)
|
||||
continue;
|
||||
|
||||
AddEntryToList(TreeList,
|
||||
RootItem,
|
||||
Function,
|
||||
NULL,
|
||||
Modules);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
* DumpKeBugCheckCallbacks
|
||||
*
|
||||
|
@ -2751,6 +2868,9 @@ VOID CallbacksList(
|
|||
}
|
||||
}
|
||||
|
||||
if (g_SystemCallbacks.DbgkLmdCallbacks == 0)
|
||||
g_SystemCallbacks.DbgkLmdCallbacks = FindDbgkLmdCallbacks();
|
||||
|
||||
if (g_SystemCallbacks.CiCallbacks == 0)
|
||||
g_SystemCallbacks.CiCallbacks = (ULONG_PTR)KdFindCiCallbacks(&g_kdctx);
|
||||
|
||||
|
@ -2973,6 +3093,17 @@ VOID CallbacksList(
|
|||
Modules);
|
||||
}
|
||||
|
||||
if (g_SystemCallbacks.DbgkLmdCallbacks) {
|
||||
|
||||
DumpDbgkLCallbacks(TreeList,
|
||||
TEXT("DbgkLmdCallback"),
|
||||
g_SystemCallbacks.DbgkLmdCallbacks,
|
||||
Modules);
|
||||
}
|
||||
|
||||
//
|
||||
// List CI callbacks
|
||||
//
|
||||
if (g_SystemCallbacks.CiCallbacks) {
|
||||
|
||||
DumpCiCallbacks(TreeList,
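Review bot: The lea match in FindDbgkLmdCallbacks only tests the REX/opcode bytes (`0x4C`/`0x48` then `0x8D`) together with `hs.len == 7`, so any 7-byte `lea r64, [reg+disp32]` in the first 64 bytes of DbgkLkmdUnregisterCallback also matches and its disp32 is then treated as a RIP-relative displacement. The ModRM byte should be required to be RIP-relative as well, e.g. `if (((ptrCode[Index] == 0x4C) || (ptrCode[Index] == 0x48)) && (ptrCode[Index + 1] == 0x8D) && ((ptrCode[Index + 2] & 0xC7) == 0x05))` (or `hs.modrm_mod == 0 && hs.modrm_rm == 5` if this hde64s exposes those fields); as written, a wrong match is only caught if kdAddressInNtOsImage happens to reject the resulting address. `Rel == 0` also doubles as the not-found sentinel, so a genuine zero displacement is indistinguishable from no match; a separate found flag would be clearer. In DumpDbgkLCallbacks the read is a fixed `DbgkLmdCount` EX_FAST_REF entries, so on a build with a shorter table the trailing slots are whatever follows it in kernel memory, and only the `Function < SystemRangeStart` check stands between that and the tree list — a comment stating the count's provenance would help. The enclosing CallbacksList starts and ends outside the hunks shown.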
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
*
|
||||
* VERSION: 1.71
|
||||
*
|
||||
* DATE: 19 Jan 2019
|
||||
* DATE: 26 Jan 2019
|
||||
*
|
||||
* Common header file for the Kernel Debugger Driver support.
|
||||
*
|
||||
|
@ -145,6 +145,7 @@ typedef struct _OBJREF {
|
|||
#define PspCreateProcessNotifyRoutineExCount 64
|
||||
#define PspCreateThreadNotifyRoutineCount 64
|
||||
#define PspLoadImageNotifyRoutineCount 64
|
||||
#define DbgkLmdCount 8
|
||||
|
||||
typedef struct _NOTIFICATION_CALLBACKS {
|
||||
ULONG_PTR PspCreateProcessNotifyRoutine;
|
||||
|
@ -167,6 +168,7 @@ typedef struct _NOTIFICATION_CALLBACKS {
|
|||
ULONG_PTR IopCdRomFileSystemQueueHead;
|
||||
ULONG_PTR IopTapeFileSystemQueueHead;
|
||||
ULONG_PTR IopNetworkFileSystemQueueHead;
|
||||
ULONG_PTR DbgkLmdCallbacks;
|
||||
ULONG_PTR CiCallbacks;
|
||||
} NOTIFICATION_CALLBACKS, *PNOTIFICATION_CALLBACKS;
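Review bot: `#define DbgkLmdCount 8` is a kernel-build-dependent table size added with no comment recording where the value came from, and the new DumpDbgkLCallbacks reads exactly `DbgkLmdCount * sizeof(EX_FAST_REF)` bytes from the located address, so if a later kernel shrinks or moves the table the extra entries are silently read from adjacent memory. Suggest `#define DbgkLmdCount 8 // number of EX_FAST_REF slots in nt!DbgkLmdCallbacks on the kernels examined; re-verify on new builds` so the next maintainer knows to check it. The _NOTIFICATION_CALLBACKS struct definition starts outside the hunk shown.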
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
8e1c7d83f179b6bbf4b58f8197bd818b8a2306e6b3ecd901e9f51eae024277c9 *Compiled\WHATSNEW.md
|
||||
6c50059342b16964bb2689b2fec85be0f6aa553868f5fd3af91b443deed2920c *Compiled\WinObjEx64.chm
|
||||
72853622b8f1f1df8f6177e74aaee46d0cfb5313f6f691bb760668cb99906afd *Compiled\WinObjEx64.exe
|
||||
793ae18b7de58aa1e5c322d458a7b7ea2151f3b320c4847dfbfc464a2d19a944 *Compiled\WinObjEx64.chm
|
||||
2cacd9914cbe9fb2ae2a2cbb7f2937cdb2e9c47aad9344167cea6abd9800f878 *Compiled\WinObjEx64.exe
|
||||
c08368b90cfe42b51b75d4e3831664e64eb4475876c1c162a43dc15487c65d8f *Docs\Callbacks.pdf
|
||||
7e2b0bcb3a2f0947f1effed2306d0178e4ad28da6427d5d7735017630bfb960a *Screenshots\CallbackObjectView.png
|
||||
1f1f748519bbb30d09b472bf89fa0c74bf32426010b2f06fc3a4c5defaa3ee10 *Screenshots\CallbacksView.png
|
||||
|
@ -17,7 +17,7 @@ df0143ec4da2387e3aa1694145f8fb1f53cac46fb6e7d608cf9c49ca89bab1dc *Screenshots\Vi
|
|||
ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\ViewingTypeInformation.png
|
||||
89ac7dc1b82a69e0726ace4a604602ddc8d7b48f25d2ad36cdbad7d248991848 *Screenshots\ViewingUserSharedData.png
|
||||
3e1712af4fa1c6e71d266c7884e26c5a519e5ae9deda552e78556bbfc0eb2c3a *Screenshots\W32pServiceTableView.png
|
||||
4655d0f8591f86b9b93060ebceb037913734ab2b637efb76e36f02906c412a2d *Source\CHANGELOG.txt
|
||||
66b68b7769a71d4f078e43b348b701400204470e6ba88ad5c881490038d52ee3 *Source\CHANGELOG.txt
|
||||
435dcdb066fded11143b91ff0aff340a8235107530f86d09abbd8e83154eb545 *Source\FileList.txt
|
||||
a2c853517bb6199143e4ad19aac12ce642c63ddcf8c89f87753578ae422db16f *Source\TypesWithNoDesc.txt
|
||||
c9f95efd2433985838f6a45acc77464e0e79ea088b6ccbc267fd76bfb87029a2 *Source\WinObjEx64.sln
|
||||
|
@ -35,7 +35,7 @@ ba8dddb70f735eb298320c63a0a27ff8b0c0394c7f5b1ed002bccbc2f032b985 *Source\WinObjE
|
|||
530b49b87a69ae214ebbb6ba5ca8d3f922b9772ee20e3907bcb48b1ac1c8084e *Source\WinObjEx64\instdrv.c
|
||||
5ab4e6a630152e02897f0ff346dcf0ae22fdbf2092f1243b9a0ce4e10fadaddd *Source\WinObjEx64\instdrv.h
|
||||
b345322eabe17a9c662c61a6fe60b0e72455e85ab319ce6b071b69ccc76ad47c *Source\WinObjEx64\kldbg.c
|
||||
709ede77377dd9a3ef38765538c51abff963b11769e8e5183d89c59ee5e99ad2 *Source\WinObjEx64\kldbg.h
|
||||
4c2280fd66d3596e738a7fcfbe6cf8a2a67762c8ecb406f0b0733d82d2677596 *Source\WinObjEx64\kldbg.h
|
||||
cfc3495684b13e4dc5f502c51b984b45600c9d2e7b182eb7fbf33660155e1f2f *Source\WinObjEx64\kldbg_patterns.h
|
||||
3b2cc0b4b892f5f928902645c3dc005e83192cf1cf484cf5c878c399297a82e0 *Source\WinObjEx64\list.c
|
||||
6e82d0f095bdcf1676445ae46f9fb455164108a3ea242f83793e964158e47f4a *Source\WinObjEx64\list.h
|
||||
|
@ -55,7 +55,7 @@ f43e8f0a58bcf95bb66f45afdd6f424279c83f4ead4819ea0b9ba5b46c643878 *Source\WinObjE
|
|||
3f17b057283ed56debd29362433d0a97edf622e91005b2d15bca0cbb222e154f *Source\WinObjEx64\WinObjEx64.vcxproj.user
|
||||
8f8df7e5603f6b86c0cf90977d46d966b7d1c27c1f82a1404afdd4b3e33450cf *Source\WinObjEx64\extras\extras.c
|
||||
42ed73c850d44ad2d3be6e9c7a1b49ceb610a17e3895fbcc323433b991c994b2 *Source\WinObjEx64\extras\extras.h
|
||||
c0591643a86db396c764b9af132c6de1329e7278394228c8e742a5e422e0b561 *Source\WinObjEx64\extras\extrasCallbacks.c
|
||||
d27ee8b778adf45ad5187e96b4d4c8f6712e3b5758af450f673a0742d628b4fc *Source\WinObjEx64\extras\extrasCallbacks.c
|
||||
28618459665591661138fbceee04deb7b15349cf502d994ecebd2a8846d89589 *Source\WinObjEx64\extras\extrasCallbacks.h
|
||||
49aded1f2d137161240c28e96d73e7bfee46c8005204c5ed5dceb03f691a8de4 *Source\WinObjEx64\extras\extrasDrivers.c
|
||||
48c930afb73678d4614bf2dbf0df9295b08a9af80a5f9c878eeb2bf9f53c6c95 *Source\WinObjEx64\extras\extrasDrivers.h
|
||||
|
|