<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hey all,<br>
</p>
<p><br>
</p>
<p>I've been working to create an OSI tool for Windows XP SP3 (x86)&nbsp;and was basing my code off of the win7x86intro plugin.<br>
</p>
<p><br>
</p>
<p>I have been using&nbsp;<a href="http://msdn.mirt.net/" id="LPlnk47965">http://msdn.mirt.net/</a> as my source for finding the addresses for the data&nbsp;structures referenced in the plugin.<br>
</p>
<p><br>
</p>
<p>The following questions are based on variables found in &quot;panda/qemu/panda_plugins/win7x86intro/winx86intro.cpp&quot;:</p>
<ul>
<li>For Windows XP SP3, how do I find out what the value of &quot;KMODE_FS&quot; is? (segment number of FS in kernel mode)</li>
<li>&quot;KPCR_CURTHREAD_OFF&quot; - Is this address correct? I'm seeing an address of &quot;0x004&quot; for &quot;_KPCR.PrcbData.CurrentThread&quot;. (source: <a href="http://msdn.mirt.net/win7rtm_x86.html" id="LPlnk870498">http://msdn.mirt.net/win7rtm_x86.html</a>)</li>
<li>&quot;EPROC_TYPE&quot; and &quot;EPROC_SIZE&quot; - Do these values stay the same for Windows XP SP3?</li>
<li>&quot;KTHREAD_KPROC_OFF&quot; - For Windows XP SP3, is this equivalent to &quot;_KTHREAD.ApcStatePointer.Process&quot; since there is no &quot;_KTHREAD.Process&quot; in XP? (source: http://msdn.mirt.net/winxpsp3_x86.html)</li>
</ul>
<div><br>
</div>
<div>Some possible typos in &quot;panda/qemu/panda_plugins/win7x86intro/winx86intro.cpp&quot;:<br>
</div>
<div>
<ul>
<li>&quot;LDR_FILENAME_OFF&quot; - Should the commented text be &quot;_LDR_DATA_TABLE_ENTRY.FullDllName&quot;? (source: <a href="http://msdn.mirt.net/win7rtm_x86.html" id="LPlnk23532">http://msdn.mirt.net/win7rtm_x86.html</a>)</li>
<li>&quot;LDR_BASENAME_OFF&quot; - Should the commented text be &quot;_LDR_DATA_TABLE_ENTRY.BaseDllName&quot;? (source: http://msdn.mirt.net/win7rtm_x86.html)</li>
<li>&quot;PEB_LDR_MEM_LINKS_OFF&quot; - Should the commented text be &quot;_PEB_LDR_DATA.InMemoryOrderModuleList&quot;? (source: <a href="http://msdn.mirt.net/win7rtm_x86.html" id="LPlnk302941">http://msdn.mirt.net/win7rtm_x86.html</a>)</li>
</ul>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Evan<br>
</div>
<p><br>
</p>
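<p>Added example (not part of the message above and not the PANDA plugin's own code) showing how the constants named in the questions fit together: the FS selector decides whether the guest is in kernel mode, and the KPCR/KTHREAD offsets are then followed to the current _EPROCESS, with a dispatcher-header Type/Size check so that a wrong offset table yields None instead of a bogus pointer. The numeric offsets in the profile and the fake memory layout are constructed sample values, not the real Win7 or XP SP3 layouts; KMODE_FS is the selector the 32-bit Windows kernel loads into FS.</p>

```python
import struct

# FS selector the 32-bit Windows kernel loads so that FS.base points at the _KPCR.
KMODE_FS = 0x30

# Offset profile. These NUMBERS are constructed for this example (a hypothetical
# layout), not the real Win7 or XP SP3 values; a real profile is filled from the
# kernel's type information, e.g. the msdn.mirt.net listings cited in the mail.
PROFILE = {
    "KPCR_CURTHREAD_OFF": 0x20,  # _KPCR.PrcbData.CurrentThread (PrcbData offset + field offset)
    "KTHREAD_KPROC_OFF": 0x10,   # _KTHREAD.ApcState.Process
    "EPROC_TYPE": 0x03,          # expected _EPROCESS.Pcb.Header.Type (byte at +0)
    "EPROC_SIZE": 0x26,          # expected _EPROCESS.Pcb.Header.Size (byte at +2)
}

class GuestMemory:
    """A flat slice of guest memory at a fixed base address (constructed sample)."""
    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def read(self, addr, fmt):
        off = addr - self.base
        if off < 0 or off + struct.calcsize(fmt) > len(self.data):
            raise ValueError("read outside sample memory: 0x%x" % addr)
        return struct.unpack_from(fmt, self.data, off)[0]

def current_eprocess(fs_selector, fs_base, mem, profile):
    """Walk FS -> _KPCR -> CurrentThread -> Process, as an OSI plugin does.
    Returns None when FS is not the kernel selector (user mode: FS.base is the
    TEB, not the KPCR) or when the object fails the dispatcher-header check."""
    if fs_selector != KMODE_FS:
        return None
    kthread = mem.read(fs_base + profile["KPCR_CURTHREAD_OFF"], "<I")
    eproc = mem.read(kthread + profile["KTHREAD_KPROC_OFF"], "<I")
    # Validate Type/Size before trusting the pointer chain (catches a wrong offset table).
    if (mem.read(eproc, "<B") != profile["EPROC_TYPE"]
            or mem.read(eproc + 2, "<B") != profile["EPROC_SIZE"]):
        return None
    return eproc

def build_sample_memory(base=0x80000000):
    """Lay out a fake KPCR, KTHREAD and EPROCESS consistent with PROFILE."""
    kpcr, kthread, eproc = base, base + 0x100, base + 0x180
    data = bytearray(0x200)
    struct.pack_into("<I", data, kpcr - base + PROFILE["KPCR_CURTHREAD_OFF"], kthread)
    struct.pack_into("<I", data, kthread - base + PROFILE["KTHREAD_KPROC_OFF"], eproc)
    struct.pack_into("<BxB", data, eproc - base, PROFILE["EPROC_TYPE"], PROFILE["EPROC_SIZE"])
    return GuestMemory(base, data), kpcr, eproc
```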
</div>
</body>
</html>