diff --git a/SwishDbgExt/EngExpCppEx.h b/SwishDbgExt/EngExpCppEx.h index 07b4d7f..b4aba9e 100644 --- a/SwishDbgExt/EngExpCppEx.h +++ b/SwishDbgExt/EngExpCppEx.h @@ -41,12 +41,12 @@ IsValid( ULONG64 Pointer ); -LPSTR +PSTR GetNameByOffset( - ULONG64 Offset, - LPSTR Name, - ULONG NameSize -); + _In_ ULONG64 Offset, + _Out_writes_(Length) PSTR Buffer, + _In_ ULONG Length + ); BOOLEAN IsPointerHooked( diff --git a/SwishDbgExt/EngExtCppEx.cpp b/SwishDbgExt/EngExtCppEx.cpp index db40629..0a3add7 100644 --- a/SwishDbgExt/EngExtCppEx.cpp +++ b/SwishDbgExt/EngExtCppEx.cpp @@ -425,12 +425,12 @@ Return Value: // return SIGN_EXTEND(Pointer); } -LPSTR +PSTR GetNameByOffset( _In_ ULONG64 Offset, - _Out_writes_(NameSize) LPSTR Name, - _In_ ULONG NameSize -) + _Out_writes_(Length) PSTR Buffer, + _In_ ULONG Length + ) /*++ Routine Description: @@ -449,20 +449,26 @@ Return Value: --*/ { - HRESULT hResult; - RtlZeroMemory(Name, NameSize); + CHAR DisplacementString[MAX_PATH]; + ULONG64 Displacement; + ULONG BytesRead; - if (Offset) - { - // TODO: GetOffsetSymbol() - hResult = g_Ext->m_Symbols->GetNameByOffset(Offset, (PSTR)Name, NameSize, NULL, NULL); - if (hResult != S_OK) - { - strcpy_s((LPSTR)Name, NameSize, "*UNKNOWN*"); + Buffer[0] = '\0'; + + if (Offset) { + + if (g_Ext->m_Symbols->GetNameByOffset(Offset, (PSTR)Buffer, Length, &BytesRead, &Displacement) == S_OK) { + + if (Displacement != 0) { + + StringCchPrintf(DisplacementString, _countof(DisplacementString), "+0x%x", Displacement); + + StringCchCat(Buffer, Length - _tcslen(Buffer), DisplacementString); + } } } - return Name; + return Buffer; } BOOLEAN diff --git a/SwishDbgExt/Objects.cpp b/SwishDbgExt/Objects.cpp index 269eb58..13456a0 100644 --- a/SwishDbgExt/Objects.cpp +++ b/SwishDbgExt/Objects.cpp 
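Review bot: `StringCchPrintf(DisplacementString, _countof(DisplacementString), "+0x%x", Displacement)` formats a ULONG64 with `%x`, which consumes only 32 bits of the argument, so any displacement above 0xFFFFFFFF prints just its low half; use `"+0x%I64x"`. The next line, `StringCchCat(Buffer, Length - _tcslen(Buffer), DisplacementString)`, passes the remaining space where StringCchCat expects the total size of the destination, so the suffix is truncated or silently dropped (the call fails as "destination already full") once the name occupies more than half of Buffer; `StringCchCat(Buffer, Length, DisplacementString)` is the correct form and also removes `_tcslen`, which would resolve to `wcslen` on this CHAR buffer if the project were ever built with UNICODE. Both strsafe HRESULTs are ignored; gating the concatenation on the printf result keeps a failed format from being appended. `Buffer[0] = '\0'` is also unguarded against `Length == 0`, which the `_Out_writes_(Length)` annotation permits; an early `if (Length == 0) return Buffer;` closes that.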
@@ -78,7 +78,7 @@ Return Value: if (!ObTypeInit) { - ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", GetExpression("nt!ObTypeIndexTable")); + ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", ObTypeIndexTableAddress); ObTypeInit = TRUE; } @@ -95,7 +95,7 @@ Return Value: HandleObj->ObjectTypeIndex = ObjHeader.Field("TypeIndex").GetUchar(); - if (g_Ext->m_Data->ReadVirtual(GetExpression("nt!ObHeaderCookie"), &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) { + if (g_Ext->m_Data->ReadVirtual(ObHeaderCookieAddress, &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) { HandleObj->ObjectTypeIndex = (((ObjHeaderAddr >> 8) & 0xff) ^ HandleObj->ObjectTypeIndex) ^ HeaderCookie; } @@ -230,7 +230,7 @@ Return Value: if (!ObjectDir) { - ReadPointer(GetExpression("nt!ObpRootDirectoryObject"), &ObjectDir); + ReadPointer(ObpRootDirectoryObjectAddress, &ObjectDir); } Directory = ExtRemoteTyped("(nt!_OBJECT_DIRECTORY *)@$extin", ObjectDir); diff --git a/SwishDbgExt/Process.cpp b/SwishDbgExt/Process.cpp index bbf6a2d..8d2d5da 100644 --- a/SwishDbgExt/Process.cpp +++ b/SwishDbgExt/Process.cpp 
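Review bot: The switch from `GetExpression("nt!ObTypeIndexTable")` to `ObTypeIndexTableAddress` here, in the two following Objects.cpp hunks, and in the Registry.cpp and System.cpp hunks trades a per-call symbol lookup for a global that is never validated at the point of use. Those globals are filled once in the EXT_CLASS method of the SwishDbgExt.cpp hunk (presumably Initialize, given the banner it prints); if nt symbols are not resolvable at that moment, or the target changes later (`.reload`, another dump in the same session), they stay 0 or stale, and `ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", ObTypeIndexTableAddress)` and `ReadVirtual(ObHeaderCookieAddress, ...)` then operate on address 0 for the rest of the session, whereas the previous code re-evaluated the symbol every time. Guard each use, e.g. `if (!ObTypeIndexTableAddress) return FALSE;` (or whatever failure value the enclosing function uses) before constructing the ExtRemoteTyped, or wrap the cache in a small accessor that retries `GetExpression` while the stored value is 0. The enclosing functions start and end outside these hunks.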
@@ -177,20 +177,26 @@ Return Value: --*/ { - RtlZeroMemory(&mm_CcDllObject, sizeof(mm_CcDllObject)); + try { + + RtlZeroMemory(&mm_CcDllObject, sizeof(mm_CcDllObject)); - if (m_TypedObject.GetPtr()) { + if (m_TypedObject.GetPtr()) { - m_ImageBase = m_TypedObject.Field("DllBase").GetPtr(); - m_ImageSize = m_TypedObject.Field("SizeOfImage").GetUlong(); + m_ImageBase = m_TypedObject.Field("DllBase").GetPtr(); + m_ImageSize = m_TypedObject.Field("SizeOfImage").GetUlong(); - if (m_TypedObject.HasField("LoadTime")) { + ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("FullDllName"), (PWSTR)&mm_CcDllObject.FullDllName, sizeof(mm_CcDllObject.FullDllName)); + ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("BaseDllName"), (PWSTR)&mm_CcDllObject.DllName, sizeof(mm_CcDllObject.DllName)); - mm_CcDllObject.LoadTime.QuadPart = m_TypedObject.Field("LoadTime.QuadPart").GetUlong64(); + if (m_TypedObject.HasField("LoadTime")) { + + mm_CcDllObject.LoadTime.QuadPart = m_TypedObject.Field("LoadTime.QuadPart").GetUlong64(); + } } + } + catch (...) { - ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("FullDllName"), (PWSTR)&mm_CcDllObject.FullDllName, sizeof(mm_CcDllObject.FullDllName)); - ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("BaseDllName"), (PWSTR)&mm_CcDllObject.DllName, sizeof(mm_CcDllObject.DllName)); } } @@ -498,6 +504,9 @@ Return Value: for (Dlls.First(); !Dlls.IsDone(); Dlls.Next()) { MsDllObject Object = Dlls.Current(); + + Object.mm_CcDllObject.LoadTime.QuadPart = 0; + m_DllList.push_back(Object); } } diff --git a/SwishDbgExt/Registry.cpp b/SwishDbgExt/Registry.cpp index 5d8b2e8..8be9b48 100644 --- a/SwishDbgExt/Registry.cpp +++ b/SwishDbgExt/Registry.cpp 
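Review bot: The new `catch (...) { }` around the DLL field reads swallows every failure silently, so when `FullDllName`/`BaseDllName` cannot be read the object keeps `m_ImageBase`/`m_ImageSize` but all-zero names, and nothing reports why. Catch the EngExtCpp exception type rather than everything — `catch (ExtException &) { }` if that is what the rest of the file uses — and emit at least a verbose-mode line such as `if (g_Verbose) g_Ext->Err("MsDllObject: failed to read LDR entry fields\n");` so partially filled entries are diagnosable. Because `mm_CcDllObject` is zeroed before any read, the partial state is well-defined; a one-line comment on the catch saying so would spare the next reader the analysis. The enclosing function (presumably the MsDllObject constructor, given the `m_` members) starts and ends outside the hunk.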
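Review bot: `Object.mm_CcDllObject.LoadTime.QuadPart = 0;` unconditionally clears the load time that the object's constructor appears to have just read (the first Process.cpp hunk stores `LoadTime.QuadPart` when the field exists), so the value never reaches `m_DllList`. If that is deliberate — for instance because `LoadTime` is not meaningful for this list — say so in a one-line comment such as `// LoadTime is intentionally discarded for this list: <reason>`; otherwise drop the line. The enclosing function starts outside the hunk.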
@@ -224,8 +224,8 @@ GetKeyNode( try { - ReadPointer(GetExpression("nt!CmpMasterHive"), &CmpMasterHive); - ReadPointer(GetExpression("nt!CmpRegistryRootObject"), &CmpRegistryRootObject); + ReadPointer(CmpMasterHiveAddress, &CmpMasterHive); + ReadPointer(CmpRegistryRootObjectAddress, &CmpRegistryRootObject); ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", CmpMasterHive); ExtRemoteTyped KeyBody("(nt!_CM_KEY_BODY *)@$extin", CmpRegistryRootObject); diff --git a/SwishDbgExt/SwishDbgExt.cpp b/SwishDbgExt/SwishDbgExt.cpp index 9f67455..92a91fd 100644 --- a/SwishDbgExt/SwishDbgExt.cpp +++ b/SwishDbgExt/SwishDbgExt.cpp @@ -49,6 +49,15 @@ BOOLEAN g_Verbose = FALSE; #endif +ULONG64 KeNumberProcessorsAddress; +ULONG64 KiProcessorBlockAddress; +ULONG64 ObpRootDirectoryObjectAddress; +ULONG64 ObTypeIndexTableAddress; +ULONG64 ObHeaderCookieAddress; +ULONG64 CmpRegistryRootObjectAddress; +ULONG64 CmpMasterHiveAddress; + + class EXT_CLASS : public ExtExtension { public: @@ -137,6 +146,16 @@ class EXT_CLASS : public ExtExtension " under certain conditions; type `show c' for details.\n", EXT_VERSION, __DATE__); + KeNumberProcessorsAddress = GetExpression("nt!KeNumberProcessors"); + KiProcessorBlockAddress = GetExpression("nt!KiProcessorBlock"); + + ObpRootDirectoryObjectAddress = GetExpression("nt!ObpRootDirectoryObject"); + ObTypeIndexTableAddress = GetExpression("nt!ObTypeIndexTable"); + ObHeaderCookieAddress = GetExpression("nt!ObHeaderCookie"); + + CmpRegistryRootObjectAddress = GetExpression("nt!CmpRegistryRootObject"); + CmpMasterHiveAddress = GetExpression("nt!CmpMasterHive"); + DebugControl->Release(); DebugClient->Release(); 
@@ -1648,27 +1667,27 @@ EXT_COMMAND(ms_idt, "{base;ed,o;base;Display information for a given idt}") { ULONG64 IdtBase = GetArgU64("base", FALSE); - vector Idts = GetInterrupts(IdtBase); + vector IdtEntries = GetInterrupts(IdtBase); Dml(" |-----|-----|--------------------|--------------------------------------------------------|---------|--------|\n" " | %-3s | %-3s | %-18s | %-54s | %-7s | %-6s |\n" " |-----|-----|--------------------|--------------------------------------------------------|---------|--------|\n", "Cre", "Idx", "Address", "Name", "Patched", "Hooked"); - for each (IDT_OBJECT Idt in Idts) - { - UCHAR Name[512] = { 0 }; + for each (IDT_ENTRY IdtEntry in IdtEntries) { + + CHAR Name[MAX_PATH] = {0}; + + if (IdtEntry.Address) { - if (Idt.Entry) - { Dml(" | %3d | %3d | 0x%016I64X | %-54s | %-7s | %-6s |\n", - Idt.CoreIndex, - Idt.Index, - Idt.Entry, - Idt.Entry, - GetNameByOffset(Idt.Entry, (PSTR)Name, _countof(Name)), - Idt.Entry ? "" : "", - IsPointerHooked(Idt.Entry) ? "Yes" : "No"); + IdtEntry.CoreIndex, + IdtEntry.Index, + IdtEntry.Address, + IdtEntry.Address, + GetNameByOffset(IdtEntry.Address, (PSTR)Name, _countof(Name)), + IdtEntry.Address ? "" : "", + IsPointerHooked(IdtEntry.Address) ? "Yes" : ""); } } } diff --git a/SwishDbgExt/SwishDbgExt.h b/SwishDbgExt/SwishDbgExt.h index 95f1d75..9f56dca 100644 --- a/SwishDbgExt/SwishDbgExt.h +++ b/SwishDbgExt/SwishDbgExt.h @@ -110,6 +110,13 @@ extern "C" { // extern BOOLEAN g_Verbose; +extern ULONG64 KeNumberProcessorsAddress; +extern ULONG64 KiProcessorBlockAddress; +extern ULONG64 ObpRootDirectoryObjectAddress; +extern ULONG64 ObTypeIndexTableAddress; +extern ULONG64 ObHeaderCookieAddress; +extern ULONG64 CmpRegistryRootObjectAddress; +extern ULONG64 CmpMasterHiveAddress; VOID ReleaseObjectTypeTable( diff --git a/SwishDbgExt/System.cpp b/SwishDbgExt/System.cpp index 75b140e..2cb8f0d 100644 --- a/SwishDbgExt/System.cpp +++ b/SwishDbgExt/System.cpp 
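Review bot: The symbol text produced by `GetNameByOffset(IdtEntry.Address, (PSTR)Name, _countof(Name))` reaches `Dml()` through `%-54s` unescaped; DML interprets `<...>` markup, so a symbol name taken from the target's symbol files that contains `<`, `>` or `&` can break or inject markup in the output. Since the name is external data, escape those characters to `&lt;`, `&gt;` and `&amp;` before handing the string to `Dml`. Also `IdtEntry.Address ? "" : ""` yields the same string on both sides, so the `Patched` column is always blank — either compute it or drop the column — and the buffer shrank from `UCHAR Name[512]` to `CHAR Name[MAX_PATH]`, which silently truncates long decorated names. The EXT_COMMAND body starts outside the hunk.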
@@ -593,12 +593,12 @@ Return Value: } else { - if (g_Ext->m_Data->ReadVirtual(GetExpression("nt!KeNumberProcessors"), &KeNumberProcessors, sizeof(KeNumberProcessors), NULL) != S_OK) goto CleanUp; + if (g_Ext->m_Data->ReadVirtual(KeNumberProcessorsAddress, &KeNumberProcessors, sizeof(KeNumberProcessors), NULL) != S_OK) goto CleanUp; KiProcessorBlock = (PULONG64)malloc(KeNumberProcessors * sizeof(ULONG64)); if (!KiProcessorBlock) goto CleanUp; - if (ReadPointersVirtual(KeNumberProcessors, GetExpression("nt!KiProcessorBlock"), KiProcessorBlock) != S_OK) goto CleanUp; + if (ReadPointersVirtual(KeNumberProcessors, KiProcessorBlockAddress, KiProcessorBlock) != S_OK) goto CleanUp; for (UINT i = 0; KiProcessorBlock[i] && (i < KeNumberProcessors); i += 1) { @@ -774,10 +774,10 @@ Return Value: return Vacbs; } -vector +vector GetInterrupts( _In_opt_ ULONG64 InIdtBase -) + ) /*++ Routine Description: 
@@ -794,104 +794,256 @@ Return Value: --*/ { - vector Idts; - ULONG KeNumberProcessors; + vector IdtTables; + vector IdtEntries; PULONG64 KiProcessorBlock; + ULONG64 Address; + ULONG64 InterruptAddress; + ULONG ActualMachine; + ULONG DispatchCodeOffset; + ULONG CoreIndex = 0; + PSTR IdtEntryString; + BYTE KeNumberProcessors; - vector IdtBases; + ActualMachine = g_Ext->m_ActualMachine; - if (!InIdtBase) - { - if (g_Ext->m_Data->ReadVirtual(GetExpression("nt!KeNumberProcessors"), &KeNumberProcessors, sizeof(KeNumberProcessors), NULL) != S_OK) goto CleanUp; + if (!InIdtBase) { - KiProcessorBlock = (PULONG64)malloc(KeNumberProcessors * sizeof(ULONG64)); - if (!KiProcessorBlock) goto CleanUp; + if (g_Ext->m_Data->ReadVirtual(KeNumberProcessorsAddress, &KeNumberProcessors, sizeof(KeNumberProcessors), NULL) == S_OK) { - if (ReadPointersVirtual(KeNumberProcessors, GetExpression("nt!KiProcessorBlock"), KiProcessorBlock) != S_OK) goto CleanUp; + KiProcessorBlock = (PULONG64)calloc(KeNumberProcessors, sizeof(ULONG64)); - ULONG PrcbOffset = 0; + if (KiProcessorBlock) { - if (GetFieldOffset("nt!_KPCR", "PrcbData", &PrcbOffset) != S_OK) GetFieldOffset("nt!_KPCR", "Prcb", &PrcbOffset); + if (ReadPointersVirtual(KeNumberProcessors, KiProcessorBlockAddress, KiProcessorBlock) == S_OK) { - for (UINT i = 0; KiProcessorBlock[i] && (i < KeNumberProcessors); i += 1) - { - ULONG64 IdtBase; - ULONG IdtOffset; - ExtRemoteTyped Pcr("(nt!_KPCR *)@$extin", (ULONG64)KiProcessorBlock[i] - PrcbOffset); + ULONG64 IdtBase; + ULONG PrcbOffset; + ULONG IdtOffset; - // g_Ext->Dml("KPCR = %I64X offset = %x\n", KiProcessorBlock[i], PrcbOffset); - // Pcr.OutFullValue(); + if (GetFieldOffset("nt!_KPCR", "PrcbData", &PrcbOffset) != S_OK) { + + GetFieldOffset("nt!_KPCR", "Prcb", &PrcbOffset); + } + + if (GetFieldOffset("nt!_KPCR", "IDT", &IdtOffset) != S_OK) { + + GetFieldOffset("nt!_KPCR", "IdtBase", &IdtOffset); + } - if (GetFieldOffset("nt!_KPCR", "IdtBase", &IdtOffset) != S_OK) 
GetFieldOffset("nt!_KPCR", "IDT", &IdtOffset); + for (UINT i = 0; KiProcessorBlock[i] && (i < KeNumberProcessors); i++) { - ReadPointer(KiProcessorBlock[i] - PrcbOffset + IdtOffset, &IdtBase); + ReadPointer(KiProcessorBlock[i] - PrcbOffset + IdtOffset, &IdtBase); - // if (Pcr.HasField("IdtBase")) IdtBase = Pcr.Field("IdtBase").GetPtr(); - // else if (Pcr.HasField("IDT")) IdtBase = Pcr.Field("IDT").GetPtr(); + if (IdtBase) { - if (!IdtBase) continue; + IDT_TABLE IdtTable; - IdtBases.push_back(IdtBase); + IdtTable.IdtAddress = IdtBase; + IdtTable.PrcbAddress = KiProcessorBlock[i]; + + IdtTables.push_back(IdtTable); + } + } + } + + free(KiProcessorBlock); + } } } - else - { - IdtBases.push_back(InIdtBase); + else { + + PROCESSORINFO ProcessorInfo; + IDT_TABLE IdtTable = {0}; + ULONG64 PrcbAddress; + + GetKdContext(&ProcessorInfo); + + IdtTable.IdtAddress = InIdtBase; + + if (g_Ext->m_Data4->ReadProcessorSystemData(ProcessorInfo.Processor, DEBUG_DATA_KPRCB_OFFSET, &PrcbAddress, sizeof(PrcbAddress), NULL) == S_OK) { + + IdtTable.PrcbAddress = PrcbAddress; + } + + IdtTables.push_back(IdtTable); } - UINT i = 0; - for each (ULONG64 IdtBase in IdtBases) - { - if (g_Ext->m_ActualMachine == IMAGE_FILE_MACHINE_I386) - { - IDT_OBJECT IdtEntry = { 0 }; - ExtRemoteTyped Idt("(nt!_KIDTENTRY *)@$extin", IdtBase); + IdtEntryString = (ActualMachine == IMAGE_FILE_MACHINE_I386) ? 
"(nt!_KIDTENTRY *)@$extin" : "(nt!_KIDTENTRY64 *)@$extin"; - for (UINT j = 0; j < 256; j += 1) - { - ULONG64 Entry = (Idt.ArrayElement(j).Field("ExtendedOffset").GetUshort() << 16) | - (Idt.ArrayElement(j).Field("Offset").GetUshort()); + if (0 == GetFieldOffset("nt!_KINTERRUPT", "DispatchCode", &DispatchCodeOffset)) { + + for each (IDT_TABLE IdtTable in IdtTables) { + + IDT_ENTRY IdtEntry = {0}; + + ExtRemoteTyped Idt(IdtEntryString, IdtTable.IdtAddress); + + for (ULONG i = 0; i < 256; i++) { + + try { + + if (ActualMachine == IMAGE_FILE_MACHINE_I386) { + + USHORT Access = Idt.ArrayElement(i).Field("Access").GetUshort(); + + IdtEntry.Dpl = (Access & IDT_ACCESS_DPL_MASK) >> 13; + IdtEntry.Type = (Access & IDT_ACCESS_TYPE_MASK) >> 8; + IdtEntry.Present = (Access & IDT_ACCESS_PRESENT_MASK) >> 15; + + Address = (Idt.ArrayElement(i).Field("ExtendedOffset").GetUshort() << 16) | + (Idt.ArrayElement(i).Field("Offset").GetUshort()); + } + else { + + IdtEntry.Dpl = Idt.ArrayElement(i).Field("Dpl").GetUshort(); + IdtEntry.Type = Idt.ArrayElement(i).Field("Type").GetUshort(); + IdtEntry.Present = Idt.ArrayElement(i).Field("Present").GetUshort(); + + Address = (((ULONG64)Idt.ArrayElement(i).Field("OffsetHigh").GetUlong() << 32) | + ((ULONG64)Idt.ArrayElement(i).Field("OffsetMiddle").GetUshort() << 16) | + ((ULONG64)Idt.ArrayElement(i).Field("OffsetLow").GetUshort())); + } + + if (Address) { + + InterruptAddress = Address - DispatchCodeOffset; + + ExtRemoteTyped Interrupt("(nt!_KINTERRUPT *)@$extin", InterruptAddress); + + if (IsValid(InterruptAddress) && (Interrupt.Field("Type").GetUshort() == INTERRUPT_OBJECT_TYPE)) { + + IdtEntry.Address = Interrupt.Field("ServiceRoutine").GetPtr(); + IdtEntry.Index = i; + IdtEntry.CoreIndex = CoreIndex; + + IdtEntries.push_back(IdtEntry); + + ExtRemoteTypedList InterruptList(Interrupt.Field("InterruptListEntry").GetPointerTo().GetPtr(), "nt!_KINTERRUPT", "InterruptListEntry"); + + for (InterruptList.StartHead(); InterruptList.HasNode(); 
InterruptList.Next()) { - IdtEntry.Entry = Entry; - IdtEntry.Index = j; - IdtEntry.CoreIndex = i; + IdtEntry.Address = InterruptList.GetTypedNode().Field("ServiceRoutine").GetPtr(); + IdtEntry.Index = i; + IdtEntry.CoreIndex = CoreIndex; - Idts.push_back(IdtEntry); + IdtEntries.push_back(IdtEntry); + } + } + else { + + IdtEntry.Address = Address; + IdtEntry.Index = i; + IdtEntry.CoreIndex = CoreIndex; + + IdtEntries.push_back(IdtEntry); + } + } + } + catch (...) { + + } } + + CoreIndex++; } - else - { - for (UINT j = 0; j < 256; j += 1) - { - KIDTENTRY64 IdtEntry64 = { 0 }; - IDT_OBJECT IdtEntry = { 0 }; + } + else { - if (g_Ext->m_Data->ReadVirtual(IdtBase + j * sizeof(KIDTENTRY64), - &IdtEntry64, - sizeof(IdtEntry64), NULL) != S_OK) goto CleanUp; + for each (IDT_TABLE IdtTable in IdtTables) { - ULONG64 Entry = IdtEntry64.OffsetHigh; - Entry <<= 32; - Entry |= IdtEntry64.OffsetMiddle << 16; - Entry |= IdtEntry64.OffsetLow; + IDT_ENTRY IdtEntry = {0}; + + ExtRemoteTyped Idt(IdtEntryString, IdtTable.IdtAddress); + + for (ULONG i = 0; i < 256; i++) { + + try { + + ExtRemoteTyped InterruptObject; + + ExtRemoteTyped Prcb("(nt!_KPRCB *)@$extin", IdtTable.PrcbAddress); - IdtEntry.Entry = Entry; - IdtEntry.Dpl = IdtEntry64.Dpl; - IdtEntry.Present = IdtEntry64.Present; - IdtEntry.Type = IdtEntry64.Type; + if (ActualMachine == IMAGE_FILE_MACHINE_I386) { - IdtEntry.Index = j; - IdtEntry.CoreIndex = i; + InterruptObject = Prcb.Field("VectorToInterruptObject").GetPointerTo(); - Idts.push_back(IdtEntry); + USHORT Access = Idt.ArrayElement(i).Field("Access").GetUshort(); + + IdtEntry.Dpl = (Access & IDT_ACCESS_DPL_MASK) >> 13; + IdtEntry.Type = (Access & IDT_ACCESS_TYPE_MASK) >> 8; + IdtEntry.Present = (Access & IDT_ACCESS_PRESENT_MASK) >> 15; + + Address = (Idt.ArrayElement(i).Field("ExtendedOffset").GetUshort() << 16) | + (Idt.ArrayElement(i).Field("Offset").GetUshort()); + } + else { + + InterruptObject = Prcb.Field("InterruptObject").GetPointerTo(); + + IdtEntry.Dpl = 
Idt.ArrayElement(i).Field("Dpl").GetUshort(); + IdtEntry.Type = Idt.ArrayElement(i).Field("Type").GetUshort(); + IdtEntry.Present = Idt.ArrayElement(i).Field("Present").GetUshort(); + + Address = (((ULONG64)Idt.ArrayElement(i).Field("OffsetHigh").GetUlong() << 32) | + ((ULONG64)Idt.ArrayElement(i).Field("OffsetMiddle").GetUshort() << 16) | + ((ULONG64)Idt.ArrayElement(i).Field("OffsetLow").GetUshort())); + } + + if (Address) { + + if (i >= 0x30) { + + ULONG InterruptIndex = (ActualMachine == IMAGE_FILE_MACHINE_I386) ? i - 0x30 : i; + + InterruptAddress = InterruptObject.ArrayElement(InterruptIndex).GetPtr(); + } + else { + + InterruptAddress = NULL; + } + + ExtRemoteTyped Interrupt("(nt!_KINTERRUPT *)@$extin", InterruptAddress); + + if (IsValid(InterruptAddress) && (Interrupt.Field("Type").GetUshort() == INTERRUPT_OBJECT_TYPE)) { + + IdtEntry.Address = Interrupt.Field("ServiceRoutine").GetPtr(); + IdtEntry.Index = i; + IdtEntry.CoreIndex = CoreIndex; + + IdtEntries.push_back(IdtEntry); + + ExtRemoteTypedList InterruptList(Interrupt.Field("InterruptListEntry").GetPointerTo().GetPtr(), "nt!_KINTERRUPT", "InterruptListEntry"); + + for (InterruptList.StartHead(); InterruptList.HasNode(); InterruptList.Next()) { + + IdtEntry.Address = InterruptList.GetTypedNode().Field("ServiceRoutine").GetPtr(); + IdtEntry.Index = i; + IdtEntry.CoreIndex = CoreIndex; + + IdtEntries.push_back(IdtEntry); + } + } + else { + + IdtEntry.Address = Address; + IdtEntry.Index = i; + IdtEntry.CoreIndex = CoreIndex; + + IdtEntries.push_back(IdtEntry); + } + } + } + catch (...) { + + } } - } - i += 1; + CoreIndex++; + } } -CleanUp: - return Idts; + return IdtEntries; } vector 
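Review bot: In the `!InIdtBase` branch `ULONG PrcbOffset;` and `ULONG IdtOffset;` are uninitialized (the old code had `ULONG PrcbOffset = 0;`) and the result of the fallback `GetFieldOffset("nt!_KPCR", "Prcb"/"IdtBase", ...)` is ignored, so on a target where neither name resolves the loop forms `KiProcessorBlock[i] - PrcbOffset + IdtOffset` from garbage and reads from it. `ULONG64 IdtBase;` is likewise declared once outside the loop and `ReadPointer`'s outcome is not checked, so `if (IdtBase)` can test the previous core's value when a read fails (assuming the helper leaves its output untouched on failure). The loop condition `KiProcessorBlock[i] && (i < KeNumberProcessors)` also indexes before bounds-checking, reading one element past the `calloc`'d array when every slot is non-zero; the untouched loops in the `@@ -593` and `@@ -922` hunks have the same order. The rewrite below zero-initializes the offsets, skips enumeration unless both lookups succeed, tests the bound first, and resets `IdtBase` per iteration. Separately, the two 256-entry decoding loops differ only in how the `_KINTERRUPT` address is obtained and each hides read errors in an empty `catch (...)`; a `static` helper that decodes one gate into an `IDT_ENTRY` plus one that walks the interrupt chain would halve the hunk, and catching `ExtException &` with a verbose-mode count of failures would keep silent truncation of the table visible.
```cpp
ULONG PrcbOffset = 0;
ULONG IdtOffset = 0;

if ((GetFieldOffset("nt!_KPCR", "PrcbData", &PrcbOffset) == S_OK || GetFieldOffset("nt!_KPCR", "Prcb", &PrcbOffset) == S_OK) &&
    (GetFieldOffset("nt!_KPCR", "IDT", &IdtOffset) == S_OK || GetFieldOffset("nt!_KPCR", "IdtBase", &IdtOffset) == S_OK)) {

    for (UINT i = 0; (i < KeNumberProcessors) && KiProcessorBlock[i]; i++) {

        ULONG64 IdtBase = 0;

        ReadPointer(KiProcessorBlock[i] - PrcbOffset + IdtOffset, &IdtBase);

        // … unchanged: IDT_TABLE fill and IdtTables.push_back …
    }
}
```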
@@ -922,12 +1074,12 @@ Return Value: if (!InGdtBase) { - if (g_Ext->m_Data->ReadVirtual(GetExpression("nt!KeNumberProcessors"), &KeNumberProcessors, sizeof(KeNumberProcessors), NULL) != S_OK) goto CleanUp; + if (g_Ext->m_Data->ReadVirtual(KeNumberProcessorsAddress, &KeNumberProcessors, sizeof(KeNumberProcessors), NULL) != S_OK) goto CleanUp; KiProcessorBlock = (PULONG64)malloc(KeNumberProcessors * sizeof(ULONG64)); if (!KiProcessorBlock) goto CleanUp; - if (ReadPointersVirtual(KeNumberProcessors, GetExpression("nt!KiProcessorBlock"), KiProcessorBlock) != S_OK) goto CleanUp; + if (ReadPointersVirtual(KeNumberProcessors, KiProcessorBlockAddress, KiProcessorBlock) != S_OK) goto CleanUp; ULONG PrcbOffset; diff --git a/SwishDbgExt/System.h b/SwishDbgExt/System.h index fea16de..40c5a6b 100644 --- a/SwishDbgExt/System.h +++ b/SwishDbgExt/System.h @@ -52,6 +52,12 @@ typedef struct _SSDT_ENTRY { #define SC_SIGNATURE_NT5 0x6E4F6373 // "scOn" in ASCII. #define SERVICE_SIGNATURE 0x76724573 // "sErv" in ASCII. +#define INTERRUPT_OBJECT_TYPE 22 + +#define IDT_ACCESS_TYPE_MASK 0x0F00 +#define IDT_ACCESS_DPL_MASK 0x6000 +#define IDT_ACCESS_PRESENT_MASK 0x8000 + typedef struct _SERVICE_ENTRY { WCHAR Name[MAX_PATH]; WCHAR Desc[MAX_PATH]; @@ -96,16 +102,20 @@ typedef struct _VACB_OBJECT ULONG64 SharedCacheMap; } VACB_OBJECT, *PVACB_OBJECT; -typedef struct _IDT_OBJECT -{ +typedef struct _IDT_ENTRY { ULONG CoreIndex; ULONG Index; - ULONG64 Entry; + ULONG64 Address; USHORT Dpl; USHORT Present; USHORT Type; -} IDT_OBJECT, *PIDT_OBJECT; +} IDT_ENTRY, *PIDT_ENTRY; + +typedef struct _IDT_TABLE { + ULONG64 IdtAddress; + ULONG64 PrcbAddress; +} IDT_TABLE, *PIDT_TABLE; typedef struct _GDT_OBJECT { 
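Review bot: `#define INTERRUPT_OBJECT_TYPE 22` and the three `IDT_ACCESS_*_MASK` values are undocumented magic numbers, and the matching shift amounts (`>> 13`, `>> 8`, `>> 15`) live only in System.cpp, so the two halves can drift apart. Add a comment giving the source of each — e.g. `// presumably the InterruptObject value of nt!_KOBJECTS, compared against _KINTERRUPT.Type — confirm against the supported kernels` on the first, and `// _KIDTENTRY.Access bits: type 11:8, DPL 14:13, present 15` on the masks — and consider defining `IDT_ACCESS_TYPE_SHIFT 8`, `IDT_ACCESS_DPL_SHIFT 13` and `IDT_ACCESS_PRESENT_SHIFT 15` beside them so the consumer uses named shifts.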
@@ -162,24 +172,6 @@ typedef struct _KTIMER { ULONG64 DeferredRoutine; } KTIMER, *PKTIMER; -typedef union _KIDTENTRY64 -{ - struct - { - USHORT OffsetLow; - USHORT Selector; - USHORT IstIndex : 3; - USHORT Reserved0 : 5; - USHORT Type : 5; - USHORT Dpl : 2; - USHORT Present : 1; - USHORT OffsetMiddle; - ULONG OffsetHigh; - ULONG Reserved1; - }; - UINT64 Alignment; -} KIDTENTRY64, *PKIDTENTRY64; - typedef union _KGDTENTRY64 { struct @@ -314,7 +306,7 @@ GetPartitionType( _In_ ULONG Type ); -vector +vector GetInterrupts( _In_opt_ ULONG64 InIdtBase );