Slide Deck 2 - Development Environment & Debugging

Revealing Stealth Malware
UMD CMSC389M
Xeno Kovah – Jan. 2013
xkovah at gmail
Subject line starting with "UMD:"
All materials are licensed under a Creative Commons “Share Alike” license.
• http://creativecommons.org/licenses/by-sa/3.0/
Development Environment Setup:
Userspace code
Kernel module code
Kernel debugging
Prelude
• Use VirtualBox as your virtualization system
• Start from a fresh Windows 7 64 bit VM
• You should have access to MS licenses through the school
• Once you have the basic VM install done, duplicate the VM, and continue to set up the development environment in only one copy. The other copy will be used for testing your code.
• You will need to install the MS Visual Studio 2010 "redistributable" libraries in the testing VM, otherwise even hello world won't work in it
– http://www.microsoft.com/enus/download/details.aspx?id=14632
Userspace MS code development
• Install Visual Studio C++ 2010 Express
– http://www.microsoft.com/visualstudio/eng/downloads#d-2010-express
– 2010 because I don't have 2012 on my machine to test if you're having problems
– If you install from the "All in one ISO" you won't have to go get a free registration code
– You don't need to install Silverlight or MS SQL
VS2010 Introduction
Make a new project
VS2010 Introduction
Make a new file: select .cpp, but name it ".c" not ".cpp"
VS2010 Introduction
Write some standard C code. Set a breakpoint by clicking to the left of a line; a red dot will appear. Run the code.
VS2010 Introduction
Stopped at breakpoint (otherwise it would just print and exit)
VS2010 Introduction
You can view disassembly by right clicking anywhere while stopped at breakpoints
VS2010 Introduction
Can view disassembly while stopped at breakpoints
VS2010 Introduction
That assembly is a bit complex for hello world, eh? Let's change the optimization settings.
We're going to change to a "Release" build, which has more optimizations applied by default, but which as a consequence is harder to debug if something goes wrong.
First, stop debugging.
VS2010 Introduction
Right click on your project and go to Properties
VS2010 Introduction
Go to Configuration Manager
Change to "Release" build
Hit OK twice, and run again, then Show Disassembly to see much simpler optimized code
VS2010 Introduction
If you want to manually play with optimizations and see their effect on the asm, they're here (in the project's C/C++ Optimization properties). Note the difference vs. the Debug build.
If you want to see the differences between Debug and Release build you can swap the configuration back and forth as you click on different options.
VS2010 Introduction
Microsoft really annoyingly hid easy access to the registers and memory windows in VS2010.
Registers Window = ctrl-alt-g
Memory Window(s) = ctrl-alt-m and then 1, 2, 3, or 4
http://msdn.microsoft.com/en-us/library/8b59xk0f(v=vs.90).aspx for other shortcuts
You gained EXP
• +100 Visual Studio EXP
Setup VS Express for x64 build
• Install x64 Windows SDK
– To install from the web:
– http://www.microsoft.com/enus/download/details.aspx?id=8279
– To download everything up front and make a CD:
– http://www.microsoft.com/enus/download/details.aspx?id=8442
Install SDK
You can accept the defaults, or to save a little space, use the configuration shown on the slide (the callout marks the important option).
Setup VS Express for x64 build
Right click on your project and go to Properties
Setup VS Express for x64 build
Go to Configuration Manager
Create new platform
Select x64 and hit OK
Setup VS Express for x64 build
Under "General", change the Platform Toolset to Windows7.1SDK
I don't think this is strictly necessary, but do it just in case ;)
And don't forget to do it again if you change from debug build to release build
Setup VS Express for x64 build
Select VC++ Directories, and type the following into the Library Directories:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib\x64;
(don't forget the semicolon, and don't forget to do this again if you change from Debug to Release)
When you re-run the program you should see 64 bit assembly
You gained EXP
• +50 Visual Studio EXP
• +1 r0x0r point
Kernel Module Development
• Install Windows Driver Kit (WDK) 7.1
– http://www.microsoft.com/enus/download/details.aspx?id=11800
– We are going to use Visual Studio to code it, for the pleasantries of syntax highlighting, search, symbol resolution etc. But we will be compiling it outside of Visual Studio in the WDK Build Environment. And we will be debugging with WinDbg
– I'm told it's possible to compile drivers from within VS, but I've never bothered to try. If you want to get it working, LMK.
Kernel Driver Compiling & Loading
Right click on the solution and create a new project.
Name your project HelloKernel. BUT IT IS VERY IMPORTANT that you place it in a directory that
DOES NOT have any spaces in the name. The kernel compiler b0rks on spaces in the name.
Add a "HelloKernel.c" file to the project and copy the code from the next slide.
//HelloKernel.c: Skeleton kernel driver to base other code on
//Written by Xeno Kovah, Jan. 3rd 2010 for use with the "Intermediate x86" Class
//Licensed under Creative Commons Share Alike license.
//full details available here: http://creativecommons.org/licenses/by-sa/3.0
//P.s. Don't comment on the efficiency or style of the code, it's tutorial code! :P
#include <ntddk.h>
//prototypes for helper functions
//BEGIN boilerplate
NTSTATUS DefaultDispatch(PDEVICE_OBJECT DeviceObject, PIRP pIRP);
void OnUnload(PDRIVER_OBJECT DriverObject);
//END boilerplate
//Function called when driver is loaded - equivalent of main()
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    //BEGIN boilerplate
    unsigned int i;
    UNREFERENCED_PARAMETER(RegistryPath);
    //MajorFunction has IRP_MJ_MAXIMUM_FUNCTION+1 entries, so use <= to also cover the last one (IRP_MJ_PNP)
    for(i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++){
        DriverObject->MajorFunction[i] = DefaultDispatch;
    }
    DriverObject->DriverUnload = OnUnload;
    //END boilerplate
    //REAL CODE GOES HERE
    DbgPrint("Hello Kernel!\n");
    return STATUS_SUCCESS;
}
//Function called when driver is unloaded
void OnUnload(PDRIVER_OBJECT DriverObject){
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Goodbye Kernel!\n");
}
//Boilerplate, ignore: completes every IRP we don't handle with success and no data
NTSTATUS DefaultDispatch(PDEVICE_OBJECT DeviceObject, PIRP pIRP){
    UNREFERENCED_PARAMETER(DeviceObject);
    pIRP->IoStatus.Status = STATUS_SUCCESS;
    pIRP->IoStatus.Information = 0;
    IoCompleteRequest(pIRP, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
Kernel Driver Compiling & Loading
Go to your start menu and open the x64 checked build environment as an administrator (only necessary the first time when making and installing signing certificates).
FYI "checked" is like a debug build, with more verbose prints and less optimizations, and "free" is like a release build.
Kernel Driver Compiling & Loading
Then navigate to your directory where your kernel code is
In that directory do the following commands in order to create the files on the next slide
type nul > sources (to make an empty file)
notepad sources (to open the file for editing)
type nul > makefile
notepad makefile
Kernel Driver Compiling & Loading
Copy to file named "sources" (make sure there's no .txt)
TARGETNAME=HelloKernel
TARGETTYPE=DRIVER
TARGETPATH=.
#add stuff here as needed
INCLUDEPATH=C:\WinDDK\7600.16385.1\inc\crt;C:\WinDDK\7600.16385.1\inc\crt\sys
#if you have a multi-file project, space-delimitate files (can use \ to wrap line)
SOURCES=HelloKernel.c
Copy to file named "makefile" in the same directory (make sure there's no .txt)
#
# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
# file to this component. This file merely indirects to the real make file
# that is shared by all the driver components of the Windows NT DDK
#
!INCLUDE $(NTMAKEENV)\makefile.def
Kernel Driver Compiling & Loading
Build the file with "build -c" (the -c is for a clean build)
The .sys file is the kernel driver, and the .pdb file is the portable debug file (debugging symbols)
Kernel Driver Compiling & Loading
On Windows >= Vista you need to sign drivers.
Create a test signing cert.
makecert -r -pe -ss TestCertStore -n "CN=My Test Cert" testsigningcert.cer
Then set your system to trust the cert. You should do the below 2 commands on any system you
want to run the driver on. (E.g. your local system and/or a dedicated debugging system)
Execute these commands from an Administrator window (which your build env. should be)
C:\WinDDK\7600.16385.1\bin\amd64\CertMgr.exe /add testsigningcert.cer /s /r localMachine trustedpublisher
C:\WinDDK\7600.16385.1\bin\amd64\CertMgr.exe /add testsigningcert.cer /s /r localMachine root
Now actually sign the driver. You will have to redo the sign command every time you recompile your driver. (put following command all on one line)
signtool sign /v /s TestCertStore /n "My Test Cert" /t http://timestamp.verisign.com/scripts/timestamp.dll amd64\HelloKernel.sys
And then verify that the signing worked
signtool verify /v /pa amd64\HelloKernel.sys
Kernel Driver Compiling & Loading
Now we need to put your local machine into "test signing mode". This isn't necessary when you
are loading the driver on a machine with debugging enabled, but we don't want to go there yet.
Execute the following in an Administrator window.
bcdedit -set TESTSIGNING ON
We also need to turn up the debug print verbosity or we won't be able to see the DbgPrint output.
Add the following to a file named "VerboseDebugPrint.reg" and then double click the .reg file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter]
"DEFAULT"=dword:ffffffff
Reboot your machine
Kernel Driver Compiling & Loading
Now you can actually load it. Copy the below to a file called "load.bat" in your HelloKernel dir
setlocal
del %windir%\System32\drivers\HelloKernel.sys
copy amd64\HelloKernel.sys %windir%\System32\drivers\HelloKernel.sys
sc.exe create HelloKernel binpath= %windir%\System32\drivers\HelloKernel.sys type= kernel start= demand error= normal DisplayName= HelloKernelBla
sc.exe start HelloKernel
sc.exe stop HelloKernel
sc.exe delete HelloKernel
endlocal
Now install DbgView: http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
Run DbgView as Administrator, enable "Capture Kernel" and verbose kernel output, and disable
"Capture Win32"
Kernel Driver Compiling & Loading
If everything goes correctly and you're in test signing mode you should see something like this
And DbgView should show this
Level Up!
• You unlocked "Mad Kernel Skills"
• +50 Kernel EXP
• +1 Skill Point
• +5 r0x0r Points
Windows Kernel Debugging
WinDbg
• WinDbg is basically the only option these days for
Windows kernel debugging (there used to be
something called SoftICE if you happen to see that
referenced in older documents)
• Four scenarios
– VM to VM
• Most compatible, what we will prefer in this class
– Host to VM
• Only works if you've got a Windows host
– Host to Host
• Should prefer firewire over serial
– Local
• Less convenient on Windows > Vista, but still useful
VM to VM
Diagram: two Windows VMs on one VMM (VMware, VirtualBox, etc.) running on the host OS (Mac, Linux, Windows, etc.). The debugger VM runs WinDbg in user mode, with Kdcom.dll and Ntoskrnl.exe in kernel mode; the debuggee VM has Kdcom.dll and Ntoskrnl.exe in kernel mode. Each VM's COM1 is connected to the other's through a named pipe provided by the VMM.
Using the existing CSIC setup VMs
• Debugger must always be started before debuggee,
because it makes the pipe that debuggee connects to
• When you log in to a CSIC machine, first execute the
following command to create copies of the VMs that
are specific to you:
• /export/data/vbox/bin/startvm Debugger
• Once that command launches Debugger, then do the
same command but replace Debugger with Debuggee
• If something goes wrong, delete the following folder
and try again:
• /export/data/vbox/images/<your user name>
• If it still doesn't work, email me the machine it's not working on (and try another machine and LMK if that doesn't work either)
Configuring VirtualBox for kernel debugging
VM Debuggee:
* Enable virtual serial port
* Use named pipe
  - Windows name: \\.\pipe\whatever
  - Linux/Mac name: /tmp/whatever
* UNCHECK "Create Pipe"
* Boot with debugging support (described on slides this + 3/4)
VM Debugger:
* Enable virtual serial port
* Use named pipe
  - Windows name: \\.\pipe\whatever
  - Linux name: /tmp/whatever
* CHECK "Create Pipe"
This is what we're going to use in this class. Install VirtualBox on whatever OS you want, then make your own 2 VMs which are Win 7 x64 (NOT XP).
Configuring VMWare for kernel debugging
VM Debuggee:
* Boot with dbg support (see next slide)
* Add virtual serial port
* Use named pipe
  - Windows name: \\.\pipe\whatever
  - Linux name: /tmp/whatever
* This end is a server
VM Debugger:
* Add virtual serial port
* Use named pipe
  - Windows name: \\.\pipe\whatever
  - Linux name: /tmp/whatever
* This end is a client
* Other end is a virtual machine
Instructions are for VMWare Workstation/Fusion, still doable with VMWare Player, but you have to add stuff directly to the VMX config, so not supported in this class for now until I have a chance to test.
Booting with Debugging Enabled (XP)
Edit C:\boot.ini to duplicate the existing entry and
add at the end:
/debugport=COM1 /baudrate=115200
Booting with Debugging Enabled (>= Vista)
(from administrator cmd.exe)
bcdedit /dbgsettings SERIAL /noumex
bcdedit /debug on
(or "bcdedit /dbgsettings 1394 CHANNEL:1 /noumex" if doing firewire debugging)
Can also use msconfig.exe for stuff besides the /noumex
Important! Once you start debugging do the following windbg command so you can see DbgPrints
ed nt!Kd_DEFAULT_MASK 0xFFFFFFFF
Connecting Debugger
Connecting Debugger 2
(Screenshot of the WinDbg toolbar: mouse over each button to see a description of which type of window it opens up.)
Getting kernel debug symbols
You can also download symbols for offline debugging, in which case you'd just put the folder you installed them into. Also if you're working on your own code, you can specify the folder where you have the .pdb files.
Toolbar buttons: Step into, Continue, Step over, Stop debugging, Restart debugging, Step out, Set breakpoint wherever the cursor is currently.
If “Source mode on” is clicked, when you step, it will step one source line at a time (assuming you have source). If “Source mode off” is clicked, when you step, it will step one asm instruction at a time.
WinDbg breakpoints
• bp <address> : Set breakpoint
– Address can be number or human readable input like
“main” or “Example1:main”
– This will be a software (int 3) breakpoint
• bl : Breakpoints list
• bd <bp ID> : Breakpoint disable
– <bp ID> as given by first column of bl
• be <bp ID> : Breakpoint enable
– <bp ID> as given by first column of bl
• bc <bp ID> : Breakpoint clear (delete)
WINDBG! UH! GOOD GOD Y'ALL!
What is it good for? Absolutely everything!
Say it again!
• You will undoubtedly need to use WinDbg to debug
your 2nd homework
• Also tangentially useful for some rootkit techniques
which tools don't catch.
• Once you have excellent WinDbg-fu, you will be an
unstoppable monster – "like me"
FYI
• The rest of the slides are just FYI about other ways to do debugging, and some windbg commands to come back to later when you learn more about the techniques they're meant to detect
Host to VM
Diagram: a Windows VM (the debuggee) with Kdcom.dll and Ntoskrnl.exe in kernel mode and a virtual serial port on COM1, running on a VMM (VMware, VirtualBox, etc.). The VMM exposes the virtual serial port as a named pipe, which WinDbg on the host OS (Windows only) connects to.
Connecting Debugger
Configuring VMWare for kernel debugging
(tested on VMWare Server 1.x (Windows & Linux), & ESX & vSphere)
(for ESX/vSphere don't put the \\.\pipe\ in front of names)
This slide is for if you want to test this with your own VMs.
VM Debuggee:
* Add virtual serial port
* Use named pipe
  - Windows name: \\.\pipe\whatever
  - Linux name: /tmp/whatever
* This end is a server
Host Debugger (Windows only):
* In WinDbg on the host when you've selected kernel debug
* Under the COM tab
  - Port: \\.\pipe\whatever
  - Click the “pipe” checkbox
Host to Host
Diagram: two Windows hosts, the debugger (running WinDbg in user mode) and the debuggee, each with Kd1394.dll and Ntoskrnl.exe in kernel mode, connected FW port to FW port by a FireWire cable.
(Connection can be firewire, serial, or USB, though I've never tried USB)
Connecting Debugger
Configuring Physical Hosts for kernel debugging
This slide is for if you want to test this with your own hosts.
Host Debuggee:
* Boot with dbg support (see earlier slide)
Host Debugger (Windows only):
* In WinDbg on the host when you've selected kernel debug
* Under the COM tab
  - Port: \\.\pipe\whatever
  - Click the “pipe” checkbox
Local Debugging
Diagram: a single Windows host is both debugger and debuggee: WinDbg in user mode, Kdcom.dll and Ntoskrnl.exe in kernel mode.
Connecting Debugger
WinDbg Rootkit Searching Cheat-Sheet
• List all processes
– !process 0 0
– will be fooled by DKOM process unlinking!
• Change into a process context
– .process <pid> or .process <EPROCESS address>
• List all kernel drivers
– lmf
• "list loaded modules with file information"
– will be fooled by DKOM driver unlinking!
WinDbg Rootkit Searching Cheat-Sheet 2
• Search for inline hooks in a exe/dll/sys file
– !chkimg -d <module name>
– !for_each_module !chkimg -d @#ModuleName
• Examine each thread's ServiceTable to see which SystemServiceDescriptorTable struct it's pointing at (there should only be two results and they should correspond to the addresses of KeServiceDescriptorTable or KeServiceDescriptorTableShadow)
– !for_each_thread ".echo Thread: @#Thread; dt nt!_kthread ServiceTable @#Thread"
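The per-thread ServiceTable check above, turned into a small checker over that command's output. This is an added example, not code from the slides; the WinDbg output it parses is constructed, the KeServiceDescriptorTable address is the one dumped on the Cheat-Sheet 3 slide, and the KeServiceDescriptorTableShadow address and the 0x0e0 field offset are placeholders.

```python
"""Audit the output of the per-thread ServiceTable command:
!for_each_thread ".echo Thread: @#Thread; dt nt!_kthread ServiceTable @#Thread"
Every thread should use KeServiceDescriptorTable or
KeServiceDescriptorTableShadow; any other value means that thread's
system calls go through a private (hooked) dispatch table.
Added example, not from the slides. The sample output is constructed:
the KeServiceDescriptorTable address is the one dumped on the
Cheat-Sheet 3 slide, the Shadow address is a placeholder."""
import re
from collections import Counter

KE_SERVICE_DESCRIPTOR_TABLE = 0x8055c700         # from the slides' dd output
KE_SERVICE_DESCRIPTOR_TABLE_SHADOW = 0x8055c6c0  # placeholder, not from the slides

_THREAD = re.compile(r"^Thread:\s*([0-9a-fA-F]+)")
_TABLE = re.compile(r"ServiceTable\s*:\s*0x([0-9a-fA-F]+)")


def parse_thread_tables(text):
    """Map each thread address to the ServiceTable value printed for it."""
    tables, current = {}, None
    for line in text.splitlines():
        m = _THREAD.match(line)
        if m:
            current = int(m.group(1), 16)   # ".echo Thread: <KTHREAD>" line
            continue
        m = _TABLE.search(line)
        if m and current is not None:      # "+0x0e0 ServiceTable : 0x..." line
            tables[current] = int(m.group(1), 16)
            current = None
    return tables


def audit_thread_tables(text, known=(KE_SERVICE_DESCRIPTOR_TABLE,
                                      KE_SERVICE_DESCRIPTOR_TABLE_SHADOW)):
    """Return (Counter of table address -> thread count, sorted list of
    thread addresses whose table is not one of the known two)."""
    tables = parse_thread_tables(text)
    histogram = Counter(tables.values())
    odd_threads = sorted(t for t, table in tables.items() if table not in known)
    return histogram, odd_threads


# Constructed sample: three clean threads and one (81b5e7a0) whose
# ServiceTable points at memory that is neither known table.
SAMPLE_OUTPUT = """\
Thread: 81a2b020
   +0x0e0 ServiceTable : 0x8055c700 Void
Thread: 81a2b3c8
   +0x0e0 ServiceTable : 0x8055c6c0 Void
Thread: 81b04da8
   +0x0e0 ServiceTable : 0x8055c700 Void
Thread: 81b5e7a0
   +0x0e0 ServiceTable : 0xf7b2a000 Void
"""

if __name__ == "__main__":
    histogram, odd = audit_thread_tables(SAMPLE_OUTPUT)
    for table, n in sorted(histogram.items()):
        print(f"ServiceTable {table:08x}: {n} thread(s)")
    print("threads on an unknown table:", [f"{t:08x}" for t in odd])
```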
WinDbg Rootkit Searching Cheat-Sheet 3
• Examine the SSDT function pointers
– dd KeServiceDescriptorTable L 10
• says to print 0x10 dword values starting at KeServiceDescriptorTable
8055c700 80504480 00000000 0000011c 805048f4
8055c710 00000000 00000000 00000000 00000000
8055c720 00000000 00000000 00000000 00000000
8055c730 00000000 00000000 00000000 00000000
– The 0x80504480 is ServiceTableBase (start of the array of function pointers) and 0x11C is the total number of function pointers
– dds 0x80504480 L 112
• Says to print the symbol names for the 0x112 dwords which are going to be printed out
80504480 805a4630 nt!NtAcceptConnectPort
80504484 805f140e nt!NtAccessCheck
80504488 805f4c44 nt!NtAccessCheckAndAuditAlarm
8050448c 805f1440 nt!NtAccessCheckByType
80504490 805f4c7e nt!NtAccessCheckByTypeAndAuditAlarm
…
WinDbg Rootkit Searching Cheat-Sheet 4
• Check the sysenter MSRs
– rdmsr 0x176 (for IA32_SYSENTER_EIP)
– rdmsr 0x174 (for IA32_SYSENTER_CS)
• Examine the IDT and GDT by using the !protmode plugin from
Intermediate x86 class
• Examine the IDT
– !idt -a (shows all entries)
– !idt (shows only some entries which don't point at nt or hal)
• Break on each module load during boot
– sxe -c ".lastevent" ld
• Just list each module loading
– sxn -c ".lastevent" ld
• Turn off breaks/notifications
– sxi -c "" ld
Listing registered callbacks in WinDbg
• http://analyze-v.com/?p=746 - process/memory image load (PsSetCreateProcessNotifyRoutine[Ex]/PsSetImageLoadNotifyRoutine)
• http://analyze-v.com/?p=756 - registry callbacks (CmRegisterCallback[Ex])
• Here comes a new challenger! Hadoken!
• http://www.moonsols.com/2011/02/17/global-windows-callbacks-and-windbg/
kd> $$>a<c:\pscallbacks.wbs
************************************************
* This command brought to you by Analyze-v.com *
************************************************
************************************
* Printing image load callbacks... *
************************************
**********************************************
* Printing process notification callbacks... *
**********************************************
814ec008 ff2508605c81 jmp dword ptr ds:[815C6008h]
Moar WinDbg (display device driver stack)
kd> !object \device\keyboardclass0
Object: 814e7d28 Type: (819b8ca0) Device
ObjectHeader: 814e7d10 (old version)
HandleCount: 0 PointerCount: 3
Directory Object: e1006948 Name: KeyboardClass0
kd> !devstack 814e7d28
  !DevObj   !DrvObj           !DevExt   ObjectName
> 814e7d28  \Driver\Kbdclass  814e7de0  KeyboardClass0
  814e7020  \Driver\i8042prt  814e70d8
  8167c030  \Driver\ACPI      819a32e8  00000070
!DevNode 818f7348 :
  DeviceInst is "ACPI\PNP0303\4&5289e18&0"
  ServiceName is "i8042prt"
Moar WinDbg 2 (display driver object)
kd> !devobj 814e7d28
Device object (814e7d28) is for:
KeyboardClass0 \Driver\Kbdclass DriverObject 814ea0b8
Current Irp 00000000 RefCount 0 Type 0000000b Flags 00002044
Dacl e13cf7cc DevExt 814e7de0 DevObjExt 814e7ec0
ExtensionFlags (0000000000)
AttachedTo (Lower) 814e7020 \Driver\i8042prt
Device queue is not busy.
kd> dt nt!_DRIVER_OBJECT 814ea0b8
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : 0x81872030 _DEVICE_OBJECT
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf9c4c000
+0x010 DriverSize : 0x6000
+0x014 DriverSection : 0x819b7aa8
+0x018 DriverExtension : 0x814ea160 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\Kbdclass"
+0x024 HardwareDatabase : 0x80670de0 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf9c50610 long kbdclass!GsDriverEntry+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0xf9c4cdd0 long kbdclass!KeyboardClassCreate+0
Moar WinDbg 3 (display next driver object)
kd> !devobj 814e7020
Device object (814e7020) is for:
\Driver\i8042prt DriverObject 814ea410
Current Irp 00000000 RefCount 0 Type 00000027 Flags 00002004
DevExt 814e70d8 DevObjExt 814e7368
ExtensionFlags (0000000000)
AttachedDevice (Upper) 814e7d28 \Driver\Kbdclass
AttachedTo (Lower) 8167c030 \Driver\ACPI
Device queue is not busy.
kd> dt nt!_DRIVER_OBJECT 814ea410
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : 0x817dda40 _DEVICE_OBJECT
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf9a2c000
+0x010 DriverSize : 0xcd00
+0x014 DriverSection : 0x81973070
+0x018 DriverExtension : 0x814ea4b8 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\i8042prt"
+0x024 HardwareDatabase : 0x80670de0 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf9a35285 long i8042prt!GsDriverEntry+0
+0x030 DriverStartIo : 0xf9a2c910 void i8042prt!I8xStartIo+0 (hooked by some bootkits)
+0x034 DriverUnload : 0xf9a32eb6 void i8042prt!I8xUnload+0
+0x038 MajorFunction : [28] 0xf9a2faa6 long i8042prt!I8xCreate+0
Moar WinDbg 4 (print IRP table)
kd> dps 814ea410+0x38 L1C
814ea448 f9a2faa6 i8042prt!I8xCreate
814ea44c 804f355a nt!IopInvalidDeviceRequest
814ea450 f9a32e18 i8042prt!I8xClose
814ea454 804f355a nt!IopInvalidDeviceRequest
814ea458 804f355a nt!IopInvalidDeviceRequest
814ea45c 804f355a nt!IopInvalidDeviceRequest
814ea460 804f355a nt!IopInvalidDeviceRequest
814ea464 804f355a nt!IopInvalidDeviceRequest
814ea468 804f355a nt!IopInvalidDeviceRequest
814ea46c f9a2e1f9 i8042prt!I8xFlush
814ea470 804f355a nt!IopInvalidDeviceRequest
814ea474 804f355a nt!IopInvalidDeviceRequest
814ea478 804f355a nt!IopInvalidDeviceRequest
814ea47c 804f355a nt!IopInvalidDeviceRequest
814ea480 f9a32e4b i8042prt!I8xDeviceControl
814ea484 f9a2c836 i8042prt!I8xInternalDeviceControl
814ea488 804f355a nt!IopInvalidDeviceRequest
814ea48c 804f355a nt!IopInvalidDeviceRequest
814ea490 804f355a nt!IopInvalidDeviceRequest
814ea494 804f355a nt!IopInvalidDeviceRequest
814ea498 804f355a nt!IopInvalidDeviceRequest
814ea49c 804f355a nt!IopInvalidDeviceRequest
814ea4a0 f9a337ea i8042prt!I8xPower
814ea4a4 f9a2fa59 i8042prt!I8xSystemControl
814ea4a8 804f355a nt!IopInvalidDeviceRequest
814ea4ac 804f355a nt!IopInvalidDeviceRequest
814ea4b0 804f355a nt!IopInvalidDeviceRequest
814ea4b4 f9a2f990 i8042prt!I8xPnP
dps = display processor-sized pointer (meaning it decides whether it should be 16-64 bits), as a pointer to a symbol
dds = display dword as a pointer to a symbol
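The same "does every slot point where it should?" question applies to the SSDT dump on the Cheat-Sheet 3 slide and to the MajorFunction table above, so here is one checker for both kinds of dds/dps output. This is an added example, not code from the slides; the sample dumps reuse the values shown on the slides plus one planted foreign entry each, and the module name hookdrv is made up.

```python
"""Scan WinDbg pointer-table dumps for entries that do not resolve into
the module that should own them: the SSDT (dds output, Cheat-Sheet 3)
and a driver's MajorFunction table (dps output, the slide above).
Added example, not code from the slides; the samples reuse the slides'
values plus one planted foreign entry each (marked below)."""
import re

# One dds/dps output line: "<slot address> <pointer value> [symbol]".
# The symbol is missing when no loaded module covers the pointer.
_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?")

def parse_pointer_dump(text):
    """Return [(index, slot_address, pointer, symbol_or_None), ...].
    index is relative to the first slot, so a dump that starts at
    MajorFunction[0] yields the IRP_MJ_* code as the index."""
    entries, first = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                    # prompt, "...", blank line
        slot, value, sym = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        first = slot if first is None else first
        entries.append(((slot - first) // 4, slot, value, sym))
    return entries

def find_foreign_pointers(text, allowed_modules):
    """Entries whose symbol is not in allowed_modules. A symbol-less entry
    is flagged too: a pointer WinDbg cannot attribute to any module is the
    classic look of a hooked table slot."""
    flagged = []
    for idx, slot, value, sym in parse_pointer_dump(text):
        module = sym.split("!", 1)[0] if sym and "!" in sym else None
        if module not in allowed_modules:
            flagged.append((idx, slot, value, sym))
    return flagged

def parse_service_descriptor(dd_text):
    """(ServiceTableBase, NumberOfServices) from 'dd KeServiceDescriptorTable':
    after the address column the dwords are ServiceTableBase,
    CounterTableBase, NumberOfServices, ParamTableBase."""
    dwords = []
    for line in dd_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and all(re.fullmatch(r"[0-9a-fA-F]{8}", p) for p in parts):
            dwords.extend(int(p, 16) for p in parts[1:])
    base, _counters, count, _params = dwords[:4]
    return base, count

# Constructed: first two lines of 'dd KeServiceDescriptorTable L 10'.
SSDT_HEADER = """\
8055c700 80504480 00000000 0000011c 805048f4
8055c710 00000000 00000000 00000000 00000000
"""

# Constructed: first entries of 'dds 0x80504480', plus a planted sixth
# slot whose pointer resolves to no module at all.
SSDT_DUMP = """\
80504480 805a4630 nt!NtAcceptConnectPort
80504484 805f140e nt!NtAccessCheck
80504488 805f4c44 nt!NtAccessCheckAndAuditAlarm
8050448c 805f1440 nt!NtAccessCheckByType
80504490 805f4c7e nt!NtAccessCheckByTypeAndAuditAlarm
80504494 f7a3c120
"""

# Constructed: part of 'dps 814ea410+0x38 L1C' for i8042prt, with slot
# 0x0e (IRP_MJ_DEVICE_CONTROL) planted to point at a made-up module.
IRP_DUMP = """\
814ea448 f9a2faa6 i8042prt!I8xCreate
814ea44c 804f355a nt!IopInvalidDeviceRequest
814ea450 f9a32e18 i8042prt!I8xClose
814ea480 f8c01b20 hookdrv!FakeDeviceControl
814ea4b4 f9a2f990 i8042prt!I8xPnP
"""
```

For the SSDT the only module that should ever appear is nt; for a driver's MajorFunction table it is the driver itself plus nt!IopInvalidDeviceRequest for the IRP types it does not handle.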
Level up!
• +50 Kernel EXP
• +50 VM EXP
• +120 WinDbg EXP
• +1 Skill Point, +1 r0x0r Point
• You acquired "Laboskopia WinDbg scripts"!
– http://www.laboskopia.com/download/SysecLabsWindbg-Script.zip
• Now use em!
– http://www.reconstructer.org/papers/Hunting%20rootkits%20with%20Windbg.pdf