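/// <summary>
/// Resolves the address of a symbol by name through <see cref="DebugHelp.SymFromName"/>,
/// caching the result in <c>dp.SymbolStore</c> under the key <c>SymName + "Address"</c>
/// (the store's convention: an "Address" suffix marks an address entry).
/// </summary>
/// <param name="dp">Process whose <c>SymbolStore</c> is consulted first and updated on success.</param>
/// <param name="SymName">Symbol name handed to the symbol engine unchanged.</param>
/// <returns>
/// The symbol address, or <c>MagicNumbers.BAD_VALUE_READ</c> when the lookup fails;
/// callers must test for that sentinel before using the value as an address.
/// </returns>
public long GetSymAddress(DetectedProc dp, string SymName)
{
    var addrKey = SymName + "Address";

    // One dictionary lookup instead of ContainsKey followed by the indexer.
    if (dp.SymbolStore.TryGetValue(addrKey, out var cached))
    {
        return cached;
    }

    var symInfo = new DebugHelp.SYMBOL_INFO();
    // Fixed header size and name buffer length required by SymFromName
    // (same values as GetKernelDebuggerData uses).
    symInfo.SizeOfStruct = 0x58;
    symInfo.MaxNameLen = 1024;

    // GetLastWin32Error is only meaningful immediately after the P/Invoke returns,
    // so no other call may sit between SymFromName and the message below.
    if (!DebugHelp.SymFromName(hCurrentProcess, SymName, ref symInfo))
    {
        // Report under this method's own name (the message previously said "GetSymValue")
        // and name the symbol that failed so the failure is attributable.
        WriteColor(ConsoleColor.Red, $"GetSymAddress: {SymName}: {new Win32Exception(Marshal.GetLastWin32Error()).Message }.");
        return MagicNumbers.BAD_VALUE_READ;
    }

    // Failed lookups are deliberately not cached, so a later call can retry.
    dp.SymbolStore[addrKey] = symInfo.Address;
    return symInfo.Address;
}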
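/// <summary>
/// Prefer symbol loading: confirms that kernel symbols are usable by resolving
/// <c>KdpDataBlockEncoded</c> through <see cref="DebugHelp.SymFromName"/>, and
/// records <paramref name="dp"/> as <c>KernelProc</c> on success.
/// </summary>
/// <param name="dp">The detected process; stored in <c>KernelProc</c> when the symbol resolves.</param>
/// <param name="ext">Not read by this method.</param>
/// <param name="cv_data">Not read by this method.</param>
/// <param name="SymbolCache">Not read by this method.</param>
/// <returns>
/// <c>true</c> when the symbol resolves (regardless of whether the data block is encoded);
/// <c>false</c> when the lookup fails, in which case the Win32 error text is written to the
/// console and <c>KernelProc</c> is left untouched.
/// </returns>
public bool GetKernelDebuggerData(DetectedProc dp, Extract ext, CODEVIEW_HEADER cv_data, string SymbolCache)
{
    var symInfo = new DebugHelp.SYMBOL_INFO();
    // Fixed header size and name buffer length required by SymFromName
    // (same values as GetSymAddress uses).
    symInfo.SizeOfStruct = 0x58;
    symInfo.MaxNameLen = 1024;

    // Locate the symbol. GetLastWin32Error must be read immediately after the
    // P/Invoke returns, so nothing else may run between the call and the message.
    if (!DebugHelp.SymFromName(hCurrentProcess, "KdpDataBlockEncoded", ref symInfo))
    {
        WriteLine($"Symbol Find : {new Win32Exception(Marshal.GetLastWin32Error()).Message }.");
        return false;
    }

    KernelProc = dp;
    // Success is reported whether or not the data block is encoded; the decode path
    // below is compiled out and kept only as a reference for DecodePointer usage.
    return true;

#if FALSE
    I'm leaving this in for now just to show the use of DecodePointer if needed
    since it could be used in a scenario where symbols fail.

    var KdpDataBlockEncoded = dp.GetByteValue(symInfo.Address);

    // Convention is to use *Address for addresses or the simple name is the value
    // it is assumed to be a pointer
    dp.SymbolStore["KdDebuggerDataBlockAddress"] = GetSymAddress(dp, "KdDebuggerDataBlock");

    if (KdpDataBlockEncoded == 0)
    {
        WriteColor(ConsoleColor.Green, $"Kernel KdDebuggerDataBlock @ {dp.SymbolStore["KdDebuggerDataBlockAddress"]:X16} not encoded.");
    }
    else
    {
#if FALSE_NOT_NEEDED_IF_WE_USE_SYMBOLS
        bool GotData = false;
        var KdDebuggerDataBlock = dp.VGetBlockLong(dp.KdDebuggerDataBlockAddress, ref GotData);
        if (!GotData)
        {
            WriteColor(ConsoleColor.Red, "Unable to read debuggerdatablock array");
        }

        // Windbg tells us the diff for loaded modules is 0x48 and active proc is 0x50
        var EncLoadedModuleList = KdDebuggerDataBlock[9];
        var EncActiveProcessList = KdDebuggerDataBlock[0xA];

        var PsLoadedModuleList = (long)DecodePointer((ulong)dp.KdDebuggerDataBlockAddress, (ulong)dp.KiWaitAlways, (ulong)dp.KiWaitNever, (ulong)EncLoadedModuleList);
        var PsActiveProcessHead = (long)DecodePointer((ulong)dp.KdDebuggerDataBlockAddress, (ulong)dp.KiWaitAlways, (ulong)dp.KiWaitNever, (ulong)EncActiveProcessList);

        WriteColor(ConsoleColor.Cyan, $"Decoded LoadedModuleList {PsLoadedModuleList}, ActiveProcessList {PsActiveProcessHead}");
#endif
    }

    return true;
#endif
}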