Matthieu Suiche’s blog !

Multi-Processors and KdVersionBlock

by Matthieu Suiche on Jan.05, 2009, under Debugging, Windows

Tomorrow, I’ll publish a bugfix for win32dd about the following problem: on multi-processors computers a BSOD occurs when user try to generate a Microsoft Crash dump file through the -d option.

The problem is located inside KdGetDebuggerDataBlock function, when the function try to read KdVersionBlock field an invalid pointer is returned because this field is only valid in the 1st processor KPCR.

lkd> dt nt!_KPCR ffdff000
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : 0xffdff000 _KPCR
   +0x020 Prcb             : 0xffdff120 _KPRCB
   +0x024 Irql             : 0 ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : 0x805562b8
   +0x038 IDT              : 0x8003f400 _KIDTENTRY
   +0x03c GDT              : 0x8003f000 _KGDTENTRY
   +0x040 TSS              : 0x80042000 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 1
   +0x04c StallScaleFactor : 0x6bb
   +0x050 DebugActive      : 0 ''
   +0x051 Number           : 0 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0x10 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0x80000
   +0x094 HalReserved      : [16] 0
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB
lkd> dt nt!_KPCR f9c2c000
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : 0xf9c2c000 _KPCR
   +0x020 Prcb             : 0xf9c2c120 _KPRCB
   +0x024 Irql             : 0 ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : (null)
   +0x038 IDT              : 0xf9c30590 _KIDTENTRY
   +0x03c GDT              : 0xf9c30190 _KGDTENTRY
   +0x040 TSS              : 0xf9c2cd70 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 2
   +0x04c StallScaleFactor : 0x650
   +0x050 DebugActive      : 0 ''
   +0x051 Number           : 0x1 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0x10 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0x80000
   +0x094 HalReserved      : [16] 1
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB

This piece of code is your friend if you are also experiencing some problem with it.

    //
    // Multi Processors (MP)
    // To ensure that it's running on a specific processor.
    //
    KeSetSystemAffinityThread(1);
    _asm {
       mov eax, fs:[0x1C]  // SelfPCR
       mov eax, [eax + 0x34] // KdVersionBlock
       mov KdVersionBlock, eax
   }
    //
    // Go back to default affinity.
    //
    KeRevertToUserAffinityThread();

MSDN documentation suggests to Windows Vista and later developpers to use KeSetSystemAffinityThreadEx instead of KeSetSystemAffinityThread and to use KeRevertToUserAffinityThreadEx instead of KeRevertToUserAffinityThread.

Even if there is no entry for KeRevertToUserAffinityThread inside the MSDN there is a blogpost from Windows Driver Kit (WDK) Documentation Blog about Windows Kernel Routine Name Conventions that says

Suffix – Ex – indicates that this is a new version of KeRevertToUserAffinityThread. “Ex” is an abbreviation for extension. It is a common Windows naming convention for new versions of a routine.

Thanks to Sebastien and Martim for reporting the bug.

1 Comment more...

Hey people ! Happy new year from a lazy man 2.0 :-)

by Matthieu Suiche on Jan.02, 2009, under On the fly

I was looking for the shortest way to wish to people I know happy new year for 2009.

Here is a flowchart to explain what’s going on just after I press the “Publish” wordpress button.

As you can see I use Wordpress, Twitter, and Facebook technology — that’s pretty useless but that’s funny :-)

Update will be show as “Blog [new]: #title# ( http://tinyurl.com/xxxxxx )”. It means I’ve free 98 (140 - 42) characters to wish you happy new year!

* Tools/Plugins:
Twitter updater plugin for Wordpress
Facebook application to update facebook status from Twitter

PS.I’m not dead and I’ll soonly publish an update(1.2.1) for win32dd to fix a bug with multi-core computers and Microsoft crashdump file generation.

2 Comments more...

Your hibernation file in a nutshell - Part II

by Matthieu Suiche on Dec.13, 2008, under SandMan, Windows

>> Part I < <
As I said in MoonSols blog, I decided to release the actual version of hibrshell as a free non-opensource tool. The current version is alpha, this means the project is still in developpement.

You can find hibrshell at the following link: http://www.msuiche.net/hibrshell/

Present:
* The actual version can read the hibernation file from a hibernated or resumed computer — this means hibrshell don’t mind if the first page (header) had been wiped or not.
* Moreover, Windows XP, 2003, Vista and 2008 hibernation file are compliant with hibrshell. Probably Windows Seven too — but I donnot have tested it.
* hibrshell uses Microsoft Debugging Symbols technology this explains why it is able to list process regardless of the target version.
* Only few basis features are actually provided.

help

Future:
* hibr2dmp command. To convert Microsoft hibernation file to an Microsoft crash dump file. I guess I’d be easier and more powerful to proceed to an advanced analysis with WinDbg than with my little swissknife.
* Support for Microsoft crash dump files, and raw memory snapshot will be added.

PS. If there are open positions for security research stuff in your company let me know. I’m actually looking for a new job.

Leave a Comment more...

Europol High Tech Crime Expert Meeting

by Matthieu Suiche on Dec.04, 2008, under Windows

For people who attend to my talk this week and asked for slides here is where you can download them. If you have any questions I’m reachable at matt#msuiche#net.

Leave a Comment more...

Today’s a new day: win32dd 1.2 out!

by Matthieu Suiche on Nov.05, 2008, under Windows


Download win32dd v1.2.20081105 now!


New features coming into this version — but the most notable feature is the capacity to generate Microsoft crash dump file without rebooting or generating a BSOD. This mean you can load your memory snapshot into WinDbg.

Here is a sample of output using WinDbg

  1. Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
  2. Executable search path is:
  3. Windows Server 2008 Kernel Version 6001 (Service Pack 1) UP Free x86 compatible
  4. Product: WinNt, suite: TerminalServer SingleUserTS
  5. Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
  6. Kernel base = 0×81818000 PsLoadedModuleList = 0×8192fc70
  7. Debug session time: Wed Nov  5 01:43:02.460 2008 (GMT-8)
  8. System Uptime: 0 days 0:10:45.293
  9. WARNING: Process directory table base 3DA26440 doesn‘t match CR3 00122000
  10. WARNING: Process directory table base 3DA26440 doesn’t match CR3 00122000
  11. Loading Kernel Symbols
  12. …………………………………………………………………………………………………………………….
  13. Loading User Symbols
  14. …………
  15. Loading unloaded module list
  16. …..
  17. kd> !process 0 0
  18. **** NT ACTIVE PROCESS DUMP ****
  19. PROCESS 82f58910  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
  20.     DirBase: 00122000  ObjectTable: 862000b8  HandleCount: 512.
  21.     Image: System
  22.  
  23. PROCESS 852032d0  SessionId: none  Cid: 0190    Peb: 7ffdf000  ParentCid: 0004
  24.     DirBase: 3da26020  ObjectTable: 87bd8008  HandleCount:  28.
  25.     Image: smss.exe
  26.  
  27. PROCESS 84b58b68  SessionId: 0  Cid: 0200    Peb: 7ffd8000  ParentCid: 01f4
  28.     DirBase: 3da26060  ObjectTable: 8c954fc8  HandleCount: 406.
  29.     Image: csrss.exe
  30. [..]
  31. kd> lm
  32. start    end        module name
  33. 00400000 00413000   win32dd_400000   (deferred)            
  34. 77290000 7733a000   msvcrt     (deferred)            
  35. 77340000 77403000   RPCRT4     (deferred)            
  36. 77410000 7748d000   USP10      (deferred)            
  37. 77720000 777e6000   ADVAPI32   (deferred)            
  38. 777f0000 7788d000   USER32     (deferred)            
  39. 77890000 7796b000   kernel32   (deferred)            
  40. 77b50000 77c18000   MSCTF      (deferred)            
  41. 77c20000 77d47000   ntdll      (pdb symbols)          C:\WINDOWS\Symbols\ntdll.pdb\B958B2F91A5A46B889DAFAB4D140CF252\ntdll.pdb
  42. 77d50000 77d59000   LPK        (deferred)            
  43. 77d80000 77d9e000   IMM32      (deferred)            
  44. 77e30000 77e7b000   GDI32      (deferred)            
  45. 80406000 8040e000   kdcom      (deferred)            
  46. 8040e000 8041f000   PSHED      (deferred)            
  47. 8041f000 80427000   BOOTVID    (deferred)            
  48. 80427000 80468000   CLFS       (deferred)      
  49. [..]

In addition to \\Device\\PhysicalMemory reading, win32dd 1.2 provides an option (level) to directly use physical memory address mapping (Microsoft API) to avoid to access the physical memory device.

The crashdump generation take care of the previous blogpost. And works from Windows 2000 to Windows 2008 and probably Windows Seven.

Feel free to give some feedback!

I’d like to thanks Aaron for his positive influence on win32dd developement :)

3 Comments more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...

Archives

All entries, chronologically...