[panda-users] win7x86intro plugin conversion

Brendan Dolan-Gavitt brendandg at gatech.edu
Fri Apr 17 12:38:06 EDT 2015


Replies inline...

On Fri, Apr 17, 2015 at 11:25 AM, Downing, Evan P <edowning3 at gatech.edu> wrote:
> Hey all,
>
>
> I've been working to create an OSI tool for Windows XP SP3 (x86) and was
> basing my code off of the win7x86intro plugin.
>
>
> I have been using http://msdn.mirt.net/ as my source for finding the
> addresses for the data structures referenced in the plugin.

This should work, but you should be careful to get the right service
pack version, since things can change between service packs.

Another resource for this is the Volatility vtypes files, which have
python structures that describe the Windows kernel types:

https://github.com/volatilityfoundation/volatility/tree/master/volatility/plugins/overlays/windows

> The following questions are based on variables found in
> "panda/qemu/panda_plugins/win7x86intro/winx86intro.cpp":
>
> For Windows XP SP3, how do I find out what the value of "KMODE_FS" is?
> (segment number of FS in kernel mode)

The simplest way is to run XPSP3 in QEMU, and then in the monitor,
periodically do "info registers" until you get a dump of the CPU state
from kernel-mode (you can tell because it will say CPL=0). Then just
look at the line that says what FS is:

FS =00d8 06a71000 ffffffff 008f9300 DPL=0 DS16 [-WA]

In this case it would be 0xd8.

> "KPCR_CURTHREAD_OFF" - Is this address correct? I'm seeing an address of
> "0x004" for "_KPCR.PrcbData.CurrentThread". (source:
> http://msdn.mirt.net/win7rtm_x86.html)

PrcbData is at offset 0x120 in _KPCR. Then CurrentThread is at offset
0x4 in _KPRCB (the type of PrcbData). So the total offset is 0x124.

> "EPROC_TYPE" and "EPROC_SIZE" - Do these values stay the same for Windows XP
> SP3?

Nope. They vary from version to version, unfortunately! I don't
remember what they are off the top of my head; you will have to use
something like WinDBG in kernel debug mode (LiveKD is a good way to do
this) to examine the values (you can do !process 0 0 in WinDBG to get
a list of processes and their addresses in memory, then "dt -r1
nt!_EPROCESS <address>" to print out the values each field in the
structure has).

> "KTHREAD_KPROC_OFF" - For Windows XP SP3, is this equivalent to
> "_KTHREAD.ApcStatePointer.Process" since there is no "_KTHREAD.Process" in
> XP? (source: http://msdn.mirt.net/winxpsp3_x86.html)

I'm not sure if that's equivalent. You could instead try to treat the
_KTHREAD as an _ETHREAD, which has a ThreadsProcess member. I
*believe* that all user threads will actually be _ETHREADs (if you
look, _ETHREAD's first member is a _KTHREAD, so if you have a _KTHREAD
in hand it's generally safe to treat it as an _ETHREAD). The only
exception might be if there are kernel threads running that don't do
anything in user mode, in which case they may not have an associated
process at all.

But with a little bit of defensive coding (check is_valid_process
after you try to get the process from the thread), you should be OK.

> Some possible typos in
> "panda/qemu/panda_plugins/win7x86intro/winx86intro.cpp":
>
> "LDR_FILENAME_OFF" - Should the commented text be
> "_LDR_DATA_TABLE_ENTRY.FullDllName"? (source:
> http://msdn.mirt.net/win7rtm_x86.html)
>
> "LDR_BASENAME_OFF" - Should the commented text be
> "_LDR_DATA_TABLE_ENTRY.BaseDllName"? (source:
> http://msdn.mirt.net/win7rtm_x86.html)
>
> "PEB_LDR_MEM_LINKS_OFF" - Should the commented text be
> "_PEB_LDR_DATA.InMemoryOrderModuleList"? (source:
> http://msdn.mirt.net/win7rtm_x86.html)

Yep, I think those are all typos. Thanks for pointing them out!

-Brendan

>
> Thanks,
> Evan

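As an added illustration that is not code from the thread or from PANDA: two small helpers for the lookups discussed above, a resolver that sums nested field offsets from a Volatility-style vtypes fragment (giving 0x124 for _KPCR.PrcbData.CurrentThread), and a parser that only accepts an FS selector from an "info registers" dump taken at CPL=0. The vtypes fragment and the monitor dump are constructed; struct sizes are placeholders.

```python
import re

# Constructed fragment in the layout of Volatility's vtypes files:
# {struct: [size, {field: [offset, [type, ...]]}]}. Offsets 0x120 and 0x4
# are the ones discussed in the thread; the sizes (0) are placeholders.
VTYPES = {
    "_KPCR": [0, {
        "PrcbData": [0x120, ["_KPRCB"]],
    }],
    "_KPRCB": [0, {
        "CurrentThread": [0x4, ["pointer", ["_KTHREAD"]]],
    }],
}

# Constructed excerpt of a QEMU monitor "info registers" dump taken while
# the guest was in kernel mode; the FS line is the one quoted in the thread.
MONITOR_DUMP = """\
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000
EFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0023 00000000 ffffffff 00cff300 DPL=3 DS   [-WA]
CS =0008 00000000 ffffffff 00cf9b00 DPL=0 CS32 [-RA]
FS =00d8 06a71000 ffffffff 008f9300 DPL=0 DS16 [-WA]
"""


def resolve_offset(vtypes, path):
    """Sum the field offsets along a dotted path such as
    '_KPCR.PrcbData.CurrentThread', descending into nested struct types.
    A pointer or scalar field may only appear as the last path element."""
    parts = path.split(".")
    struct, total = parts[0], 0
    for i, field in enumerate(parts[1:], start=1):
        _size, fields = vtypes[struct]
        offset, type_desc = fields[field]
        total += offset
        if type_desc[0] in vtypes:          # embedded struct: keep descending
            struct = type_desc[0]
        elif i != len(parts) - 1:           # pointer/scalar mid-path: invalid
            raise ValueError(f"{field} is not an embedded struct")
    return total


def kernel_fs_selector(dump):
    """Return the FS selector from an 'info registers' dump, or None when the
    snapshot is not kernel mode (CPL != 0), so a user-mode FS is never taken
    for KMODE_FS."""
    cpl = re.search(r"\bCPL=(\d)", dump)
    if cpl is None or cpl.group(1) != "0":
        return None
    m = re.search(r"^FS =([0-9a-fA-F]{4})\b", dump, re.M)
    return int(m.group(1), 16) if m else None
```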