Reading Notebook: 25-January-10
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Kernel Process variables (p. 343)
0: kd> !process poi(PsIdleProcess)
PROCESS fffff800019910c0
SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 00124000 ObjectTable: fffff88000000080 HandleCount: 606.
Image: Idle
VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token fffff88000003330
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (6, 50, 450) (24KB, 200KB, 1800KB)
PeakWorkingSetSize 6
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD fffff80001990b80 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap fffff88000007310
Owning Process fffff800019910c0 Image: Idle
Attached Process fffffa8003bf1040 Image: System
Wait Start TickCount 16021 Ticks: 13224 (0:00:03:26.295)
Context Switch Count 142852
UserTime 00:00:00.000
KernelTime 00:06:13.700
Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
Stack Init fffff80002bdadb0 Current fffff80002bdad40
Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b
fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4
THREAD fffffa60005f5d40 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap fffff88000007310
Owning Process fffff800019910c0 Image: Idle
Attached Process fffffa8003bf1040 Image: System
Wait Start TickCount 0 Ticks: 29245 (0:00:07:36.224)
Context Switch Count 162365
UserTime 00:00:00.000
KernelTime 00:06:14.808
Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
Stack Init fffffa600191bdb0 Current fffffa600191bd40
Base fffffa600191c000 Limit fffffa6001916000 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b
fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4
Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx
Protected processes (pp. 346 - 348) - This can be seen in the _EPROCESS block (the output below is taken from a complete memory dump):
0: kd> dt _EPROCESS fffffa8004b5e040
ntdll!_EPROCESS
[...]
+0x36c ProtectedProcess : 0y1
[...]
The following script lists protected processes on W2K8:
0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process"
ntdll!_EPROCESS
+0x238 ImageFileName : [16] "System"
ntdll!_EPROCESS
+0x36c ProtectedProcess : 0y1
[...]
ntdll!_EPROCESS
+0x238 ImageFileName : [16] "audiodg.exe"
ntdll!_EPROCESS
+0x36c ProtectedProcess : 0y1
[...]
The System process is protected because Ksecdd.sys stores information in its user space (p. 347)
PROCESS_QUERY_LIMITED_INFORMATION (p. 347)
Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion - I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and gracefully exit, and only emit an AV if the message box is bypassed.
Advanced .NET Debugging by M. Hewardt:
PE format and its relation to .NET (pp. 26 - 27)
AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use the !dh command to find that address (similar to what dumpbin.exe does):
0:001> lm m notepad
start end module name
00000000`ff180000 00000000`ff1af000 notepad (deferred)
0:001> !dh 00000000`ff180000
[...]
OPTIONAL HEADER VALUES
20B magic #
8.00 linker version
E400 size of code
1CC00 size of initialized data
0 size of uninitialized data
D1B4 address of entry point
1000 base of code
----- new -----
00000000ff180000 image base
1000 section alignment
200 file alignment
2 subsystem (Windows GUI)
6.00 operating system version
6.00 image version
6.00 subsystem version
2F000 size of image
400 size of headers
32C26 checksum
[...]
0:001> u 00000000`ff180000+D1B4
notepad!WinMainCRTStartup:
00000000`ff18d1b4 4883ec28 sub rsp,28h
00000000`ff18d1b8 e88b020000 call notepad!_security_init_cookie (00000000`ff18d448)
00000000`ff18d1bd 4883c428 add rsp,28h
00000000`ff18d1c1 e9b6fcffff jmp notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c)
00000000`ff18d1c6 cc int 3
00000000`ff18d1c7 cc int 3
00000000`ff18d1c8 cc int 3
00000000`ff18d1c9 cc int 3
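To show where the "magic", "address of entry point" and "image base" values printed by !dh come from, here is an added example (mine, not from the book or the debugger) that walks the DOS header, PE signature and optional header of a constructed, header-only PE image and computes the entry point VA the same way as the u <base>+D1B4 command above. The sample header values are constructed to mirror the notepad output; real files would be read from disk instead.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # optional header magic: PE32 / PE32+

def build_sample_pe(magic, image_base, entry_rva=0xD1B4):
    """Construct a minimal header-only PE image (DOS header + COFF + optional
    header, no sections) for demonstration. Values mirror the !dh output above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE signature at 0x40
    if magic == PE32PLUS_MAGIC:
        machine, opt_size = 0x8664, 240                 # x64, IMAGE_OPTIONAL_HEADER64
        opt = struct.pack("<HBBIIIIIQ", magic, 8, 0, 0xE400, 0x1CC00, 0,
                          entry_rva, 0x1000, image_base)
    else:
        machine, opt_size = 0x14C, 224                  # x86, IMAGE_OPTIONAL_HEADER32
        opt = struct.pack("<HBBIIIIIII", magic, 8, 0, 0xE400, 0x1CC00, 0,
                          entry_rva, 0x1000, 0x10000, image_base)  # BaseOfData, ImageBase
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + opt + bytes(opt_size - len(opt))

def entry_point(data):
    """Return (magic, image_base, entry_rva, entry_va) for a PE file or image buffer."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                              # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]       # !dh: "magic #"
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # 64-bit ImageBase
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]  # follows BaseOfData
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return magic, image_base, entry_rva, image_base + entry_rva

if __name__ == "__main__":
    magic, base, rva, va = entry_point(build_sample_pe(PE32PLUS_MAGIC, 0xFF180000))
    print("magic %X  image base %X  entry RVA %X  entry VA %X" % (magic, base, rva, va))
```

ImageBase is only the preferred load address; under ASLR the module may be relocated, which is why the debugger session adds D1B4 to the start address reported by lm rather than to the header value.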
Application domains in ASP.NET; 3 default app domains (system, shared, default) in a normal app (p. 34)
!dumpdomain SOS command (pp. 35 - 36)
Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:
0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef15a8ef0
LowFrequencyHeap: 000007fef15a8f38
HighFrequencyHeap: 000007fef15a8fc8
StubHeap: 000007fef15a9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef15a9860
LowFrequencyHeap: 000007fef15a98a8
HighFrequencyHeap: 000007fef15a9938
StubHeap: 000007fef15a99c8
Stage: OPEN
Name: None
Assembly: 0000000000372d10
--------------------------------------
Domain 1: 0000000000360840
LowFrequencyHeap: 0000000000360888
HighFrequencyHeap: 0000000000360918
StubHeap: 00000000003609a8
Stage: OPEN
SecurityDescriptor: 00000000003630e0
Name: TestCLR.exe
[...]