public long GetSymAddress(DetectedProc dp, string SymName)
{
var AddrName = SymName + "Address";
if (dp.SymbolStore.ContainsKey(AddrName))
return dp.SymbolStore[AddrName];
DebugHelp.SYMBOL_INFO symInfo = new DebugHelp.SYMBOL_INFO();
symInfo.SizeOfStruct = 0x58;
symInfo.MaxNameLen = 1024;
var rv = DebugHelp.SymFromName(hCurrentProcess, SymName, ref symInfo);
if (!rv)
{
WriteColor(ConsoleColor.Red, $"GetSymValue: {new Win32Exception(Marshal.GetLastWin32Error()).Message }.");
return MagicNumbers.BAD_VALUE_READ;
}
dp.SymbolStore.Add(AddrName, symInfo.Address);
return symInfo.Address;
}
/// <summary>
/// Prefer symbol loading.
/// </summary>
/// <param name="dp"></param>
/// <param name="ext"></param>
/// <param name="cv_data"></param>
/// <param name="SymbolCache"></param>
/// <returns></returns>
public bool GetKernelDebuggerData(DetectedProc dp, Extract ext, CODEVIEW_HEADER cv_data, string SymbolCache)
{
DebugHelp.SYMBOL_INFO symInfo = new DebugHelp.SYMBOL_INFO();
bool rv = false;
bool GotData = false;
// Locate and extract some data points
symInfo.SizeOfStruct = 0x58;
symInfo.MaxNameLen = 1024;
rv = DebugHelp.SymFromName(hCurrentProcess, "KdpDataBlockEncoded", ref symInfo);
if(!rv)
{
WriteLine($"Symbol Find : {new Win32Exception(Marshal.GetLastWin32Error()).Message }.");
return rv;
}
KernelProc = dp;
// at this point we should return true if it's encoded or not
rv = true;
return rv;
#if FALSE
I'm leaving this in for now just to show the use of DecodePointer if needed since it could be uswed in a scenerio where symbols fail
var KdpDataBlockEncoded = dp.GetByteValue(symInfo.Address);
// Convention is to use *Address for addresses or the simple name is the value it is assumed to be a pointer
dp.SymbolStore["KdDebuggerDataBlockAddress"] = GetSymAddress(dp, "KdDebuggerDataBlock");
if (KdpDataBlockEncoded == 0)
WriteColor(ConsoleColor.Green, $"Kernel KdDebuggerDataBlock @ {dp.SymbolStore["KdDebuggerDataBlockAddress"]:X16} not encoded.");
else
{
#if FALSE_NOT_NEEDED_IF_WE_USE_SYMBOLS
var KdDebuggerDataBlock = dp.VGetBlockLong(dp.KdDebuggerDataBlockAddress, ref GotData);
if (!GotData)
WriteColor(ConsoleColor.Red, "Unable to read debuggerdatablock array");
// Windbg tells us the diff for loaded modules is 0x48 and active proc is 0x50
var EncLoadedModuleList = KdDebuggerDataBlock[9];
var EncActiveProcessList = KdDebuggerDataBlock[0xA];
var PsLoadedModuleList = (long) DecodePointer((ulong) dp.KdDebuggerDataBlockAddress, (ulong)dp.KiWaitAlways, (ulong)dp.KiWaitNever,(ulong) EncLoadedModuleList);
var PsActiveProcessHead = (long) DecodePointer((ulong) dp.KdDebuggerDataBlockAddress, (ulong)dp.KiWaitAlways, (ulong)dp.KiWaitNever, (ulong) EncActiveProcessList);
WriteColor(ConsoleColor.Cyan, $"Decoded LoadedModuleList {PsLoadedModuleList}, ActiveProcessList {PsActiveProcessHead}");
#endif
}
return rv;
#endif
}
