[panda-users] win7x86intro plugin conversion

Downing, Evan P edowning3 at gatech.edu
Fri Apr 17 11:25:27 EDT 2015


Hey all,


I've been working to create an OSI tool for Windows XP SP3 (x86) and was basing my code off of the win7x86intro plugin.


I have been using http://msdn.mirt.net/ as my source for finding the addresses for the data structures referenced in the plugin.


The following questions are based on variables found in "panda/qemu/panda_plugins/win7x86intro/winx86intro.cpp":

  *   For Windows XP SP3, how do I find out what the value of "KMODE_FS" is? (segment number of FS in kernel mode)

  *   "KPCR_CURTHREAD_OFF" - Is this address correct? I'm seeing an address of "0x004" for "_KPCR.PrcbData.CurrentThread". (source: http://msdn.mirt.net/win7rtm_x86.html)

  *   "EPROC_TYPE" and "EPROC_SIZE" - Do these values stay the same for Windows XP SP3?

  *   "KTHREAD_KPROC_OFF" - For Windows XP SP3, is this equivalent to "_KTHREAD.ApcStatePointer.Process" since there is no "_KTHREAD.Process" in XP? (source: http://msdn.mirt.net/winxpsp3_x86.html)

Some possible typos in "panda/qemu/panda_plugins/win7x86intro/winx86intro.cpp":

  *   "LDR_FILENAME_OFF" - Should the commented text be "_LDR_DATA_TABLE_ENTRY.FullDllName"? (source: http://msdn.mirt.net/win7rtm_x86.html)?

  *   "LDR_BASENAME_OFF" - Should the commented text be "_LDR_DATA_TABLE_ENTRY.BaseDllName"? (source: http://msdn.mirt.net/win7rtm_x86.html)?

  *   "PEB_LDR_MEM_LINKS_OFF" - Should the commented text be "_PEB_LDR_DATA.InMemoryOrderModuleList"? (source: http://msdn.mirt.net/win7rtm_x86.html)

Thanks,
Evan
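As an added example (not part of this thread and not PANDA's own plugin code), the walk that these offset constants drive, run over a constructed 32-bit guest memory image: KPCR to current KTHREAD to KPROCESS/EPROCESS, with the dispatcher-header Type/Size check that catches an offset table carried over from the wrong Windows build. Every offset value, address and process below is a constructed placeholder, not an XP SP3 or Win7 value; GuestMemory stands in for panda_virtual_memory_rw().

```python
import struct

# Offset table in the style of winx86intro.cpp. Every value is a CONSTRUCTED placeholder,
# not an XP SP3 or Win7 offset: take the real numbers for the exact build from its type info.
OFFS = {
    "KPCR_CURTHREAD_OFF": 0x124,  # _KPCR.PrcbData.CurrentThread
    "KTHREAD_KPROC_OFF":  0x044,  # _KTHREAD.ApcState.Process on builds without _KTHREAD.Process
    "EPROC_TYPE":         0x03,   # _DISPATCHER_HEADER.Type expected for a process object
    "EPROC_SIZE":         0x1b,   # _DISPATCHER_HEADER.Size expected for a process object
    "EPROC_PID_OFF":      0x084,  # _EPROCESS.UniqueProcessId
    "EPROC_NAME_OFF":     0x174,  # _EPROCESS.ImageFileName (16 bytes)
}

class GuestMemory:
    """Little-endian 32-bit guest memory stand-in for panda_virtual_memory_rw()."""
    def __init__(self):
        self.regions = {}  # base address -> bytes
    def write(self, addr, data): self.regions[addr] = bytes(data)
    def read(self, addr, n):
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        raise ValueError("unmapped guest address 0x%x" % addr)
    def read_u32(self, addr): return struct.unpack("<I", self.read(addr, 4))[0]

def get_current_proc(mem, kpcr, offs):
    """KPCR -> CurrentThread -> KPROCESS/EPROCESS (in a real plugin kpcr is the FS base while
    the FS selector equals KMODE_FS). Returns (eprocess, pid, name) or None on header mismatch."""
    kthread = mem.read_u32(kpcr + offs["KPCR_CURTHREAD_OFF"])
    eproc = mem.read_u32(kthread + offs["KTHREAD_KPROC_OFF"])
    # _DISPATCHER_HEADER sits at offset 0 of _EPROCESS: Type at +0, Size at +2.
    hdr = mem.read(eproc, 4)
    if hdr[0] != offs["EPROC_TYPE"] or hdr[2] != offs["EPROC_SIZE"]:
        return None  # a table copied from the wrong build usually fails right here
    pid = mem.read_u32(eproc + offs["EPROC_PID_OFF"])
    name = mem.read(eproc + offs["EPROC_NAME_OFF"], 16).split(b"\0", 1)[0].decode()
    return eproc, pid, name

def build_sample_memory(offs):
    """Constructed guest image: one KPCR (at the classic x86 address), one thread, one process."""
    mem = GuestMemory()
    kpcr, kthread, eproc = 0xffdff000, 0x81e5c020, 0x81d3a5e8
    mem.write(kpcr + offs["KPCR_CURTHREAD_OFF"], struct.pack("<I", kthread))
    mem.write(kthread + offs["KTHREAD_KPROC_OFF"], struct.pack("<I", eproc))
    body = bytearray(0x200)
    body[0:4] = bytes([offs["EPROC_TYPE"], 0, offs["EPROC_SIZE"], 0])
    body[offs["EPROC_PID_OFF"]:offs["EPROC_PID_OFF"] + 4] = struct.pack("<I", 1234)
    body[offs["EPROC_NAME_OFF"]:offs["EPROC_NAME_OFF"] + 16] = b"notepad.exe".ljust(16, b"\0")
    mem.write(eproc, body)
    return mem, kpcr
```

Passing a table with a different EPROC_SIZE (as happens when Win7 constants are reused unchanged on another build) makes get_current_proc() return None instead of a bogus process, which is the check that answers whether those constants really carry over.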
