Reading Notebook: 25-January-10
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Kernel Process variables (p. 343)
0: kd> !process poi(PsIdleProcess)
PROCESS fffff800019910c0
   SessionId: none Cid: 0000   Peb: 00000000 ParentCid: 0000
   DirBase: 00124000 ObjectTable: fffff88000000080 HandleCount: 606.
   Image: Idle
   VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
   DeviceMap 0000000000000000
   Token                            fffff88000003330
   ElapsedTime                      00:00:00.000
   UserTime                         00:00:00.000
   KernelTime                       00:00:00.000
   QuotaPoolUsage[PagedPool]        0
   QuotaPoolUsage[NonPagedPool]     0
   Working Set Sizes (now,min,max) (6, 50, 450) (24KB, 200KB, 1800KB)
   PeakWorkingSetSize               6
   VirtualSize                      0 Mb
   PeakVirtualSize                  0 Mb
   PageFaultCount                   1
   MemoryPriority                   BACKGROUND
   BasePriority                     0
   CommitCharge                     0
       THREAD fffff80001990b80 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
       Not impersonating
       DeviceMap                fffff88000007310
       Owning Process           fffff800019910c0      Image:        Idle
       Attached Process         fffffa8003bf1040      Image:        System
       Wait Start TickCount     16021         Ticks: 13224 (0:00:03:26.295)
       Context Switch Count     142852
       UserTime                 00:00:00.000
       KernelTime               00:06:13.700
       Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
       Stack Init fffff80002bdadb0 Current fffff80002bdad40
       Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
       Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
       Child-SP         RetAddr          Call Site
       fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b
       fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4
       THREAD fffffa60005f5d40 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
       Not impersonating
       DeviceMap                fffff88000007310
       Owning Process           fffff800019910c0      Image:        Idle
       Attached Process         fffffa8003bf1040      Image:        System
       Wait Start TickCount     0             Ticks: 29245 (0:00:07:36.224)
       Context Switch Count     162365
       UserTime                 00:00:00.000
       KernelTime               00:06:14.808
       Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
       Stack Init fffffa600191bdb0 Current fffffa600191bd40
       Base fffffa600191c000 Limit fffffa6001916000 Call 0
       Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
       Child-SP         RetAddr          Call Site
       fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b
       fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4
Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx
Protected processes (pp. 346 - 348) - the flag can be seen in the _EPROCESS block (the output taken from a complete memory dump):
0: kd> dt _EPROCESS fffffa8004b5e040
ntdll!_EPROCESS
[...]
  +0x36c ProtectedProcess : 0y1
[...]
The following script lists protected processes on W2K8:
0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process"
ntdll!_EPROCESS
  +0x238 ImageFileName : [16] "System"
ntdll!_EPROCESS
  +0x36c ProtectedProcess : 0y1
[...]
ntdll!_EPROCESS
  +0x238 ImageFileName : [16] "audiodg.exe"
ntdll!_EPROCESS
  +0x36c ProtectedProcess : 0y1
[...]
The System process is protected because Ksecdd.sys stores information in its user space (p. 347)
PROCESS_QUERY_LIMITED_INFORMATION (p. 347)
Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion - I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and gracefully exit and only emit AV if the message box is bypassed.
Advanced .NET Debugging by M. Hewardt:
PE format and its relation to .NET (pp. 26 - 27)
AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use the !dh command to find that address (similar to what dumpbin.exe does):
0:001> lm m notepad
start            end                module name
00000000`ff180000 00000000`ff1af000  notepad   (deferred)
0:001> !dh 00000000`ff180000
[...]
OPTIONAL HEADER VALUES
    20B magic #
   8.00 linker version
   E400 size of code
  1CC00 size of initialized data
      0 size of uninitialized data
   D1B4 address of entry point
   1000 base of code
        ----- new -----
00000000ff180000 image base
   1000 section alignment
    200 file alignment
      2 subsystem (Windows GUI)
   6.00 operating system version
   6.00 image version
   6.00 subsystem version
  2F000 size of image
    400 size of headers
  32C26 checksum
[...]
0:001> u 00000000`ff180000+D1B4
notepad!WinMainCRTStartup:
00000000`ff18d1b4 4883ec28       sub    rsp,28h
00000000`ff18d1b8 e88b020000     call   notepad!_security_init_cookie (00000000`ff18d448)
00000000`ff18d1bd 4883c428       add    rsp,28h
00000000`ff18d1c1 e9b6fcffff     jmp    notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c)
00000000`ff18d1c6 cc             int    3
00000000`ff18d1c7 cc             int    3
00000000`ff18d1c8 cc             int    3
00000000`ff18d1c9 cc             int    3
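What !dh does here is walk the DOS header to e_lfanew, skip the PE signature and COFF file header, and read the optional header, whose AddressOfEntryPoint is an RVA that has to be added to ImageBase to get the address passed to u. The following is an added example (not from the book, nor from the debugger) that performs the same walk in Python over a constructed in-memory header; the sample header is built with the same values the !dh output above shows (PE32+ magic 20B, entry point D1B4, image base ff180000) and has no sections or code, so it is only a header. The parser also handles the PE32 (x86) layout, where a 4-byte BaseOfData precedes a 4-byte ImageBase, and adds a triage check that the entry RVA lies inside SizeOfImage, since an entry point outside the mapped image is something to look at during dump analysis.

```python
import struct

# Field names shared by PE32 and PE32+ before and after the ImageBase field.
OPT_HEAD = ["magic", "linker_major", "linker_minor", "size_of_code",
            "size_of_init_data", "size_of_uninit_data", "entry_rva", "base_of_code"]
OPT_TAIL = ["section_alignment", "file_alignment",
            "os_major", "os_minor", "image_major", "image_minor",
            "subsys_major", "subsys_minor", "win32_version",
            "size_of_image", "size_of_headers", "checksum", "subsystem"]
FMT_TAIL = "IIHHHHHHIIIIH"           # struct codes matching OPT_TAIL


def _layout(magic):
    """Struct format and field names for the start of the optional header."""
    if magic == 0x20B:                 # PE32+ (x64): 8-byte ImageBase, no BaseOfData
        return "<HBBIIIIIQ" + FMT_TAIL, OPT_HEAD + ["image_base"] + OPT_TAIL
    if magic == 0x10B:                 # PE32 (x86): 4-byte BaseOfData, 4-byte ImageBase
        return "<HBBIIIIIII" + FMT_TAIL, OPT_HEAD + ["base_of_data", "image_base"] + OPT_TAIL
    raise ValueError("unknown optional header magic 0x%x" % magic)


def parse_pe_headers(image):
    """Return the optional-header values !dh prints, plus the entry point VA."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    coff = e_lfanew + 4                 # IMAGE_FILE_HEADER follows the signature
    machine, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                     # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    fmt, names = _layout(magic)
    if size_opt < struct.calcsize(fmt) or opt + size_opt > len(image):
        raise ValueError("optional header truncated")
    fields = dict(zip(names, struct.unpack_from(fmt, image, opt)))
    fields["machine"] = machine
    fields["number_of_sections"] = nsections
    # This is the addition !dh leaves to the reader: ImageBase + AddressOfEntryPoint.
    fields["entry_va"] = fields["image_base"] + fields["entry_rva"]
    # Triage check: the entry RVA must fall inside the mapped image.
    fields["entry_in_image"] = 0 < fields["entry_rva"] < fields["size_of_image"]
    return fields


def build_sample(pe32plus=True):
    """Constructed header-only image (no sections) reusing the !dh values above.

    The PE32 variant uses assumed values (BaseOfData 0x10000, ImageBase 0x400000)
    chosen only to exercise the x86 layout.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size_opt, 0x22)
    head = [8, 0, 0xE400, 0x1CC00, 0, 0xD1B4, 0x1000]          # linker 8.00 ... BaseOfCode
    tail = [0x1000, 0x200, 6, 0, 6, 0, 6, 0, 0, 0x2F000, 0x400, 0x32C26, 2]
    if pe32plus:
        fmt, vals = "<HBBIIIIIQ" + FMT_TAIL, [0x20B] + head + [0xFF180000] + tail
    else:
        fmt, vals = "<HBBIIIIIII" + FMT_TAIL, [0x10B] + head + [0x10000, 0x400000] + tail
    opt = struct.pack(fmt, *vals).ljust(size_opt, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for plus in (True, False):
        f = parse_pe_headers(build_sample(plus))
        print("magic %x  image base %x  entry RVA %x  entry VA %x  entry in image: %s"
              % (f["magic"], f["image_base"], f["entry_rva"], f["entry_va"], f["entry_in_image"]))
```

For the PE32+ sample the computed entry VA is ff18d1b4, the same address the u command above resolves to notepad!WinMainCRTStartup. On a real file, pass the bytes read from disk; on a dump, the same walk applies to the mapped headers at the module's start address reported by lm.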
Application domains in ASP.NET; 3 default app domains (system, shared, default) in normal app (p. 34)
!dumpdomain SOS command (pp. 35 - 36)
Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:
0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef15a8ef0
LowFrequencyHeap: 000007fef15a8f38
HighFrequencyHeap: 000007fef15a8fc8
StubHeap: 000007fef15a9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef15a9860
LowFrequencyHeap: 000007fef15a98a8
HighFrequencyHeap: 000007fef15a9938
StubHeap: 000007fef15a99c8
Stage: OPEN
Name: None
Assembly: 0000000000372d10
--------------------------------------
Domain 1: 0000000000360840
LowFrequencyHeap: 0000000000360888
HighFrequencyHeap: 0000000000360918
StubHeap: 00000000003609a8
Stage: OPEN
SecurityDescriptor: 00000000003630e0
Name: TestCLR.exe
[...]
- Dmitry Vostokov @ SoftwareGeneralist.com -