Reading Notebook: 25-January-10

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Kernel Process variables (p. 343)

0: kd> !process poi(PsIdleProcess)
PROCESS fffff800019910c0
SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 606.
Image: Idle
VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token                             fffff88000003330
ElapsedTime                       00:00:00.000
UserTime                          00:00:00.000
KernelTime                        00:00:00.000
QuotaPoolUsage[PagedPool]         0
QuotaPoolUsage[NonPagedPool]      0
Working Set Sizes (now,min,max)  (6, 50, 450) (24KB, 200KB, 1800KB)
PeakWorkingSetSize                6
VirtualSize                       0 Mb
PeakVirtualSize                   0 Mb
PageFaultCount                    1
MemoryPriority                    BACKGROUND
BasePriority                      0
CommitCharge                      0

        THREAD fffff80001990b80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffff800019910c0       Image:         Idle
Attached Process          fffffa8003bf1040       Image:         System
Wait Start TickCount      16021          Ticks: 13224 (0:00:03:26.295)
Context Switch Count      142852
UserTime                  00:00:00.000
KernelTime                00:06:13.700
Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
Stack Init fffff80002bdadb0 Current fffff80002bdad40
Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           Call Site
fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b
fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

        THREAD fffffa60005f5d40  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffff800019910c0       Image:         Idle
Attached Process          fffffa8003bf1040       Image:         System
Wait Start TickCount      0              Ticks: 29245 (0:00:07:36.224)
Context Switch Count      162365
UserTime                  00:00:00.000
KernelTime                00:06:14.808
Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
Stack Init fffffa600191bdb0 Current fffffa600191bd40
Base fffffa600191c000 Limit fffffa6001916000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           Call Site
fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b
fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx

Protected processes (pp. 346 - 348) - It can be seen in _EPROCESS block (the output taken from a complete memory dump):

0: kd> dt _EPROCESS fffffa8004b5e040
ntdll!_EPROCESS
[...]
+0x36c ProtectedProcess : 0y1
[...]

The following script lists protected processes on W2K8:

0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process"
ntdll!_EPROCESS
+0x238 ImageFileName : [16]  "System"
ntdll!_EPROCESS
+0x36c ProtectedProcess : 0y1
[...]
ntdll!_EPROCESS
+0x238 ImageFileName : [16]  "audiodg.exe"
ntdll!_EPROCESS
+0x36c ProtectedProcess : 0y1
[...]

System process is protected because of Ksecdd.sys stores info in user space (p. 347)

PROCESS_QUERY_LIMITED_INFORMATION (p. 347)

Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion - I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and gracefully exit and only emit AV if message box is bypassed. 

 

Advanced .NET Debugging by M. Hewardt:

PE format and its relation to .NET (pp. 26 - 27)

AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use !dh command to find that address (similar to what dumpbin.exe does):

0:001> lm m notepad
start             end                 module name
00000000`ff180000 00000000`ff1af000   notepad    (deferred)        

0:001> !dh 00000000`ff180000
[...]
OPTIONAL HEADER VALUES
20B magic #
8.00 linker version
E400 size of code
1CC00 size of initialized data
0 size of uninitialized data
D1B4 address of entry point
1000 base of code
—– new —–
00000000ff180000 image base
1000 section alignment
200 file alignment
2 subsystem (Windows GUI)
6.00 operating system version
6.00 image version
6.00 subsystem version
2F000 size of image
400 size of headers
32C26 checksum
[…]

0:001> u 00000000`ff180000+D1B4
notepad!WinMainCRTStartup:
00000000`ff18d1b4 4883ec28        sub     rsp,28h
00000000`ff18d1b8 e88b020000      call    notepad!_security_init_cookie (00000000`ff18d448)
00000000`ff18d1bd 4883c428        add     rsp,28h
00000000`ff18d1c1 e9b6fcffff      jmp     notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c)
00000000`ff18d1c6 cc              int     3
00000000`ff18d1c7 cc              int     3
00000000`ff18d1c8 cc              int     3
00000000`ff18d1c9 cc              int     3

Application domains in ASP.NET; 3 default app domains (system, shared, default) in normal app (p. 34)

!dumpdomain SOS command (pp. 35 - 36)

Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:

0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef15a8ef0
LowFrequencyHeap: 000007fef15a8f38
HighFrequencyHeap: 000007fef15a8fc8
StubHeap: 000007fef15a9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef15a9860
LowFrequencyHeap: 000007fef15a98a8
HighFrequencyHeap: 000007fef15a9938
StubHeap: 000007fef15a99c8
Stage: OPEN
Name: None
Assembly: 0000000000372d10
--------------------------------------
Domain 1: 0000000000360840
LowFrequencyHeap: 0000000000360888
HighFrequencyHeap: 0000000000360918
StubHeap: 00000000003609a8
Stage: OPEN
SecurityDescriptor: 00000000003630e0
Name: TestCLR.exe
[...]

Leave a Reply

You must be logged in to post a comment.