
Crash dumps and KeCapturePersistentThreadState

I recently came across a very entertaining undocumented function exported by the kernel. Nothing inside the kernel itself references it, yet it does a very interesting thing: at the moment it is called, it writes a complete minidump into the piece of memory you hand it.
This is very useful because the dump header contains the addresses of non-exported structures such as PsLoadedModuleList, which otherwise have to be found by hand.
Thanks to Freeman for the help.

ULONG
NTAPI
KeCapturePersistentThreadState(
PCONTEXT Context,
PKTHREAD Thread,
ULONG BugCheckCode,
ULONG BugCheckParameter1,
ULONG BugCheckParameter2,
ULONG BugCheckParameter3,
ULONG BugCheckParameter4,
PVOID VirtualAddress
);


Input parameters:
Context - the thread context to record in the dump (it can be an arbitrary one; only Eip and Esp need to be filled in)
Thread - the thread to record; pass NULL to use the current thread
BugCheckCode, BugCheckParameter1..4 - the bugcheck code and arguments that will be written into the dump header
VirtualAddress - the address of an allocated buffer of 16 pages (64 KB) into which the function writes the neatly prepared crash dump

Dump Header (32-bit x86 layout; offsets in the comments are hexadecimal):
typedef struct _DUMP_HEADER {
/* 00 */ ULONG Signature;            /* 'PAGE' */
/* 04 */ ULONG ValidDump;            /* 'DUMP' */
/* 08 */ ULONG MajorVersion;         /* 0xF = free build, 0xC = checked build */
/* 0c */ ULONG MinorVersion;         /* OS build number */
/* 10 */ ULONG DirectoryTableBase;   /* CR3 of the captured context */
/* 14 */ PULONG PfnDataBase;         /* MmPfnDatabase */
/* 18 */ PLIST_ENTRY PsLoadedModuleList;
/* 1c */ PLIST_ENTRY PsActiveProcessHead;
/* 20 */ ULONG MachineImageType;     /* IMAGE_FILE_MACHINE_I386 (0x14c) for this layout */
/* 24 */ ULONG NumberProcessors;
/* 28 */ ULONG BugCheckCode;         /* the values passed to KeCapturePersistentThreadState */
/* 2c */ ULONG BugCheckParameter1;
/* 30 */ ULONG BugCheckParameter2;
/* 34 */ ULONG BugCheckParameter3;
/* 38 */ ULONG BugCheckParameter4;
/* 3c */ CHAR VersionUser[32];
/* 5c */ UCHAR PaeEnabled;
/* 5d */ UCHAR NotUsed[3];
/* 60 */ PVOID KdDebuggerDataBlock;  /* what WinDbg uses to locate the rest of the kernel */
} DUMP_HEADER, *PDUMP_HEADER;


Using the function: www.everfall.com/paste/id.php?mkgmkfg1a057

The code obtains the dump, prints the addresses of MmPfnDatabase, PsActiveProcessHead and PsLoadedModuleList, and writes the dump to disk. The resulting file can be loaded straight into WinDbg and examined.
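Once the kernel-side code has filled the 64 KB buffer and it has been copied to user mode or written to disk, the header at its start should be validated before any address is read out of it and used. The parser below is an added example, not the code from the post or from the linked paste: it re-declares the x86 DUMP_HEADER shown above with fixed-width types (the pointer fields as uint32_t, since this is the 32-bit layout), checks that the struct reproduces the listed offsets, verifies the 'PAGE'/'DUMP' signature words and the machine type, rejects list heads that are not 32-bit kernel-space addresses, and only then hands the header back. The sample buffer it parses is constructed in the code with made-up addresses, not captured from a real system; the constants DUMP_SIGNATURE, DUMP_VALID_DUMP and MM_KERNEL_BASE_32 are this example's own names.

```c
/* Added example (not from the original post): validate a 32-bit DUMP_HEADER
 * produced by KeCapturePersistentThreadState after the 64 KB buffer has been
 * copied out of the kernel. Kernel pointer fields (PULONG, PLIST_ENTRY, PVOID)
 * are uint32_t so the offsets match the x86 struct on any build host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DUMP_SIGNATURE          0x45474150u  /* "PAGE" as little-endian bytes */
#define DUMP_VALID_DUMP         0x504D5544u  /* "DUMP" */
#define IMAGE_FILE_MACHINE_I386 0x014cu
#define DUMP_BUFFER_SIZE        (16u * 4096u) /* the 16 pages the function expects */
#define MM_KERNEL_BASE_32       0x80000000u  /* lowest kernel address on 32-bit Windows */

typedef struct _DUMP_HEADER32 {
    uint32_t Signature;            /* 00 */
    uint32_t ValidDump;            /* 04 */
    uint32_t MajorVersion;         /* 08 */
    uint32_t MinorVersion;         /* 0c */
    uint32_t DirectoryTableBase;   /* 10 */
    uint32_t PfnDataBase;          /* 14  PULONG in the kernel */
    uint32_t PsLoadedModuleList;   /* 18  PLIST_ENTRY */
    uint32_t PsActiveProcessHead;  /* 1c  PLIST_ENTRY */
    uint32_t MachineImageType;     /* 20 */
    uint32_t NumberProcessors;     /* 24 */
    uint32_t BugCheckCode;         /* 28 */
    uint32_t BugCheckParameter1;   /* 2c */
    uint32_t BugCheckParameter2;   /* 30 */
    uint32_t BugCheckParameter3;   /* 34 */
    uint32_t BugCheckParameter4;   /* 38 */
    char     VersionUser[32];      /* 3c */
    uint8_t  PaeEnabled;           /* 5c */
    uint8_t  NotUsed[3];           /* 5d */
    uint32_t KdDebuggerDataBlock;  /* 60  PVOID */
} DUMP_HEADER32;

/* 1 if the struct reproduces the offsets listed on the page, else 0. */
int dump_header_layout_ok(void)
{
    return offsetof(DUMP_HEADER32, PsLoadedModuleList)  == 0x18
        && offsetof(DUMP_HEADER32, PsActiveProcessHead) == 0x1c
        && offsetof(DUMP_HEADER32, VersionUser)         == 0x3c
        && offsetof(DUMP_HEADER32, PaeEnabled)          == 0x5c
        && offsetof(DUMP_HEADER32, KdDebuggerDataBlock) == 0x60;
}

/* 0 on success; a negative code says which check rejected the buffer. */
int parse_dump_header(const uint8_t *buf, size_t len, DUMP_HEADER32 *out)
{
    DUMP_HEADER32 h;
    if (buf == NULL || out == NULL || len < sizeof h)
        return -1;                      /* too short to hold a header */
    memcpy(&h, buf, sizeof h);          /* avoid unaligned reads from buf */
    if (h.Signature != DUMP_SIGNATURE || h.ValidDump != DUMP_VALID_DUMP)
        return -2;                      /* not a dump header at all */
    if (h.MachineImageType != IMAGE_FILE_MACHINE_I386)
        return -3;                      /* 64-bit dumps use a different header layout */
    if (h.PsLoadedModuleList < MM_KERNEL_BASE_32 || h.PsActiveProcessHead < MM_KERNEL_BASE_32)
        return -4;                      /* list heads must be kernel-space addresses */
    *out = h;
    return 0;
}

/* Constructed sample: a 64 KB buffer carrying made-up but plausible header
 * values (not captured from a real machine). Returns the static buffer. */
const uint8_t *make_sample_dump(void)
{
    static uint8_t buf[DUMP_BUFFER_SIZE];
    DUMP_HEADER32 h;
    memset(buf, 0, sizeof buf);
    memset(&h, 0, sizeof h);
    h.Signature           = DUMP_SIGNATURE;
    h.ValidDump           = DUMP_VALID_DUMP;
    h.MajorVersion        = 0xF;          /* free build */
    h.MinorVersion        = 2600;
    h.DirectoryTableBase  = 0x00039000u;
    h.PfnDataBase         = 0x81000000u;
    h.PsLoadedModuleList  = 0x805531A0u;
    h.PsActiveProcessHead = 0x805525C8u;
    h.MachineImageType    = IMAGE_FILE_MACHINE_I386;
    h.NumberProcessors    = 1;
    h.BugCheckCode        = 0xDEADBEEFu;  /* whatever the caller passed in */
    h.PaeEnabled          = 1;
    h.KdDebuggerDataBlock = 0x80545CE0u;
    memcpy(buf, &h, sizeof h);
    return buf;
}

int main(void)
{
    DUMP_HEADER32 hdr;
    int rc = parse_dump_header(make_sample_dump(), DUMP_BUFFER_SIZE, &hdr);
    if (!dump_header_layout_ok() || rc != 0) {
        fprintf(stderr, "rejected: layout_ok=%d rc=%d\n", dump_header_layout_ok(), rc);
        return 1;
    }
    printf("MmPfnDatabase       %08x\n", hdr.PfnDataBase);
    printf("PsLoadedModuleList  %08x\n", hdr.PsLoadedModuleList);
    printf("PsActiveProcessHead %08x\n", hdr.PsActiveProcessHead);
    printf("KdDebuggerDataBlock %08x  PAE=%u\n", hdr.KdDebuggerDataBlock, hdr.PaeEnabled);
    return 0;
}
```

The MachineImageType check is the caveat worth keeping: the prototype on this page (a CONTEXT with Eip and Esp) and the header above are the x86 ones, and the 64-bit kernel writes a header with wider fields at different offsets, so a parser built from this struct must refuse anything that is not IMAGE_FILE_MACHINE_I386 rather than return garbage addresses. When saving the capture for WinDbg, write the whole 64 KB buffer, not just the header.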

All in all, a very entertaining thing.

I will have to rewrite my gr8lkd (http://gr8lkd.googlecode.com/) to use this function.

Source: https://habr.com/ru/post/40504/

