Archive for the ‘Notes on Windows Internals’ Category

Reading Notebook: 10-March-10

Thursday, March 11th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

W32THREAD (p. 371) - One candidate in _ETHREAD that points to it is Tcb.Win32Thread. One interesting piece of code I found on how to extract window message queues from it: http://www.cc.gatech.edu/~brendan/volatility/dl/threadqueues.py. _W32THREAD structure on x64 W2K8 (we also see that it points to _ETHREAD):

0: kd> dt _W32THREAD
win32k!_W32THREAD
   +0x000 pEThread         : Ptr64 _ETHREAD
   +0x008 RefCount         : Uint4B
   +0x010 ptlW32           : Ptr64 _TL
   +0x018 pgdiDcattr       : Ptr64 Void
   +0x020 pgdiBrushAttr    : Ptr64 Void
   +0x028 pUMPDObjs        : Ptr64 Void
   +0x030 pUMPDHeap        : Ptr64 Void
   +0x038 pUMPDObj         : Ptr64 Void
   +0x040 pProxyPort       : Ptr64 Void
   +0x048 pClientID        : Ptr64 Void
   +0x050 GdiTmpTgoList    : _LIST_ENTRY

!thread output fields (p. 376) - Stack Base and Limit fields can be useful to dump raw stack data via the dps command to see execution residue or when reconstructing a stack trace; see, for example, this pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/23/crash-dump-analysis-patterns-part-88/

tlist utility (p. 377)

Thread creation calls (pp. 380 - 381) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CreateThread
kernel32!CreateThread (00000000`7731c1c0)
  kernel32!CreateThread+0x28 (00000000`7731c1e8):
    call to kernel32!CreateRemoteThread (00000000`7731c200)

0: kd> uf /c CreateRemoteThread
Flow analysis was incomplete, some code may be missing
kernel32!CreateRemoteThread (00000000`7731c200)
  kernel32!CreateRemoteThread+0x134 (00000000`7731c334):
    call to ntdll!NtCreateThreadEx (00000000`77477790)
  kernel32!CreateRemoteThread+0x166 (00000000`7731c366):
    call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
  kernel32!CreateRemoteThread+0x1b4 (00000000`7731c3b4):
    call to ntdll!RtlQueryInformationActivationContext (00000000`77456b20)
  kernel32!CreateRemoteThread+0x241 (00000000`7731c441):
    call to ntdll!CsrClientCallServer (00000000`7747a460)
  kernel32!CreateRemoteThread+0x281 (00000000`7731c47d):
    call to ntdll!ZwResumeThread (00000000`77477230)
  kernel32!CreateRemoteThread+0x38b (00000000`7731c4ae):
    call to kernel32!_security_check_cookie (00000000`7732c200)

0: kd> uf /c NtCreateThreadEx
ntdll!NtCreateThreadEx (00000000`77477790)
    no calls found

0: kd> uf NtCreateThreadEx
ntdll!NtCreateThreadEx:
00000000`77477790 4c8bd1          mov     r10,rcx
00000000`77477793 b8a5000000      mov     eax,0A5h
00000000`77477798 0f05            syscall
00000000`7747779a c3              ret

0: kd> uf /c nt!NtCreateThreadEx
nt!NtCreateThreadEx (fffff800`01af60fc)
  nt!NtCreateThreadEx+0x3d (fffff800`01af6139):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateThreadEx+0x5b (fffff800`01af6157):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateThreadEx+0x99 (fffff800`01af6195):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateThreadEx+0xc8 (fffff800`01af61c4):
    call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
  nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd):
    call to nt!PspCreateThread (fffff800`01af5d40)
  nt!NtCreateThreadEx+0x1f0 (fffff800`01af62ec):
    call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)

0: kd> uf /c nt!PspCreateThread
nt!PspCreateThread (fffff800`01af5d40)
  nt!PspCreateThread+0x102 (fffff800`01af5e42):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt!PspCreateThread+0x15b (fffff800`01af5e9b):
    call to nt!ObfReferenceObject (fffff800`01883250)
  nt!PspCreateThread+0x22f (fffff800`01af5f6f):
    call to nt!PspAllocateThread (fffff800`01af6338)
  nt!PspCreateThread+0x243 (fffff800`01af5f83):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateThread+0x2a6 (fffff800`01af5fe6):
    call to nt!PspInsertThread (fffff800`01af4c10)
  nt!PspCreateThread+0x318 (fffff800`01af6058):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateThread+0x32a (fffff800`01af606a):
    call to nt!_security_check_cookie (fffff800`01895e50)
  nt!PspCreateThread+0x36a (fffff800`01af60aa):
    call to nt!ObfReferenceObject (fffff800`01883250)
  nt!PspCreateThread+0x3a2 (fffff800`01af60e2):
    call to nt!ExfAcquireRundownProtection (fffff800`0184f66c)
  nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x281ad (fffff800`01b362ca):
    call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
  nt! ?? ::NNGAKEGL::`string'+0x281ce (fffff800`01b362eb):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x281d8 (fffff800`01b362f5):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt! ?? ::NNGAKEGL::`string'+0x281e7 (fffff800`01b36304):
    call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
  nt! ?? ::NNGAKEGL::`string'+0x281ff (fffff800`01b3631c):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x2821a (fffff800`01b36337):
    call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)
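The condensed uf /c listings above (and the ones in the notes that follow) can be turned into a call graph mechanically. The following Python script is an added example, not code from the notes or from Windows Internals: it parses the listings, records which ones WinDbg flagged with "Flow analysis was incomplete", keeps the unresolvable indirect calls (the targets uf /c cannot see) separately from the resolved ones, links an ntdll Nt*/Zw* stub that shows "no calls found" to the kernel function of the same name (the stub leaves user mode with syscall, as the uf NtCreateThreadEx disassembly above shows), and then finds the user-to-kernel path with a breadth-first search. The sample input is a trimmed copy of the CreateThread listings above; the nt!PspCreateThread+0x999 unresolvable call site is constructed for illustration and is not in the original output.

```python
import re
from collections import deque

# Constructed sample: a trimmed copy of the `uf /c` listings for the CreateThread
# chain in the notes above (x64 W2K8); the +0x999 site is made up for illustration.
SAMPLE = """\
0: kd> uf /c CreateThread
kernel32!CreateThread (00000000`7731c1c0)
  kernel32!CreateThread+0x28 (00000000`7731c1e8):
    call to kernel32!CreateRemoteThread (00000000`7731c200)

0: kd> uf /c CreateRemoteThread
Flow analysis was incomplete, some code may be missing
kernel32!CreateRemoteThread (00000000`7731c200)
  kernel32!CreateRemoteThread+0x134 (00000000`7731c334):
    call to ntdll!NtCreateThreadEx (00000000`77477790)

0: kd> uf /c NtCreateThreadEx
ntdll!NtCreateThreadEx (00000000`77477790)
    no calls found

0: kd> uf /c nt!NtCreateThreadEx
nt!NtCreateThreadEx (fffff800`01af60fc)
  nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd):
    call to nt!PspCreateThread (fffff800`01af5d40)

0: kd> uf /c nt!PspCreateThread
nt!PspCreateThread (fffff800`01af5d40)
  nt!PspCreateThread+0x22f (fffff800`01af5f6f):
    call to nt!PspAllocateThread (fffff800`01af6338)
  nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt!PspCreateThread+0x999 (fffff800`01af6cd9):
    unresolvable call: call    rax
"""

HEADER_RE = re.compile(r"^(\S+) \(([0-9a-f`]+)\)$")         # function (address)
SITE_RE = re.compile(r"^  (.+?) \([0-9a-f`]+\):$")           #   site+offset (address):
CALL_RE = re.compile(r"^    call to (\S+) \([0-9a-f`]+\)$")  #     call to callee (address)
UNRESOLVED_RE = re.compile(r"^    unresolvable call: (.+)$")

def parse_uf_calls(text):
    """Parse one or more `uf /c` listings into {function: info}."""
    graph, current, site, incomplete = {}, None, None, False
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("0: kd>"):
            current = None                      # a new command starts a new listing
            continue
        if line.startswith("Flow analysis was incomplete"):
            incomplete = True                   # WinDbg prints this before the header
            continue
        m = HEADER_RE.match(line)
        if m and current is None:
            current = m.group(1)
            graph[current] = {"address": m.group(2), "incomplete": incomplete,
                              "calls": [], "unresolved": []}
            incomplete, site = False, None
        elif current is None:
            continue                            # 'Matched:', 'Ambiguous symbol', ...
        elif (m := SITE_RE.match(line)):
            site = m.group(1)                   # outlined code shows as ?? ::NNGAKEGL::`string'
        elif (m := CALL_RE.match(line)):
            graph[current]["calls"].append((site, m.group(1)))
        elif (m := UNRESOLVED_RE.match(line)):
            graph[current]["unresolved"].append((site, m.group(1)))
    return graph

def link_syscall_stubs(graph):
    """Add an edge from an ntdll Nt*/Zw* stub with no calls (it uses `syscall`)
    to the kernel's nt!Nt* entry when that was listed too; returns edges added."""
    added = 0
    for name, info in graph.items():
        module, _, func = name.partition("!")
        if module != "ntdll" or info["calls"] or not func.startswith(("Nt", "Zw")):
            continue
        target = "nt!Nt" + func[2:]
        if target in graph:
            info["calls"].append(("syscall", target))
            added += 1
    return added

def find_path(graph, start, target):
    """Breadth-first search over callee edges; returns the call path or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for _, callee in graph.get(path[-1], {"calls": []})["calls"]:
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None

if __name__ == "__main__":
    g = parse_uf_calls(SAMPLE)
    link_syscall_stubs(g)
    print(" -> ".join(find_path(g, "kernel32!CreateThread", "nt!PspAllocateThread")))
```

Two caveats the parser makes explicit: a listing marked incomplete may be missing call sites, and an unresolvable call (call rax, call qword ptr [rsp+10h] and the like) is an edge the static view cannot follow at all, so a path that is absent from the graph is not evidence that the code never reaches the target.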

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 01-March-10

Tuesday, March 2nd, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

NtCreateProcess (pp. 349 - 351) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateProcess
nt!NtCreateProcess (fffff800`01c51770)
  nt!NtCreateProcess+0x64 (fffff800`01c517d4):
    call to nt!NtCreateProcessEx (fffff800`01c516e0)

0: kd> uf /c nt!NtCreateProcessEx
nt!NtCreateProcessEx (fffff800`01c516e0)
  nt!NtCreateProcessEx+0x7d (fffff800`01c5175d):
    call to nt!PspCreateProcess (fffff800`01c51410)

0: kd> uf /c nt!PspCreateProcess
nt!PspCreateProcess (fffff800`01c51410)
  nt!PspCreateProcess+0xd0 (fffff800`01c514e0):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt!PspCreateProcess+0xff (fffff800`01c5150f):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateProcess+0x146 (fffff800`01c51556):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt!PspCreateProcess+0x1a6 (fffff800`01c515b6):
    call to nt!PspAllocateProcess (fffff800`01aac690)
  nt!PspCreateProcess+0x202 (fffff800`01c51612):
    call to nt!PspInsertProcess (fffff800`01aa6520)
  nt!PspCreateProcess+0x21b (fffff800`01c5162b):
    call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
  nt!PspCreateProcess+0x26f (fffff800`01c5167f):
    call to nt!SeDeleteAccessState (fffff800`01b02f8c)
  nt!PspCreateProcess+0x27a (fffff800`01c5168a):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateProcess+0x287 (fffff800`01c51697):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateProcess+0x294 (fffff800`01c516a4):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateProcess+0x2a7 (fffff800`01c516b7):
    call to nt!_security_check_cookie (fffff800`01895e50)

NtCreateUserProcess (pp. 351 - 360) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateUserProcess
nt!NtCreateUserProcess (fffff800`01ab2238)
  nt!NtCreateUserProcess+0x97 (fffff800`01ab22cf):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateUserProcess+0xb4 (fffff800`01ab22ec):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateUserProcess+0x184 (fffff800`01ab23bc):
    call to nt!ExRaiseDatatypeMisalignment (fffff800`01bddd20)
  nt!NtCreateUserProcess+0x1c2 (fffff800`01ab23fb):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateUserProcess+0x1dd (fffff800`01ab2416):
    call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
  nt!NtCreateUserProcess+0x207 (fffff800`01ab2440):
    call to nt!PspCaptureCreateInfo (fffff800`01aad390)
  nt!NtCreateUserProcess+0x2d1 (fffff800`01ab250a):
    call to nt!ZwOpenFile (fffff800`01873480)
  nt!NtCreateUserProcess+0x311 (fffff800`01ab254a):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt!NtCreateUserProcess+0x378 (fffff800`01ab25b1):
    call to nt!ZwCreateSection (fffff800`01873760)
  nt!NtCreateUserProcess+0x3af (fffff800`01ab25e8):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt!NtCreateUserProcess+0x412 (fffff800`01ab264b):
    call to nt!PspCaptureProcessParameters (fffff800`01aae128)
  nt!NtCreateUserProcess+0x483 (fffff800`01ab26bc):
    call to nt!PspAllocateProcess (fffff800`01aac690)
  nt!NtCreateUserProcess+0x546 (fffff800`01ab277f):
    call to nt!ObfReferenceObject (fffff800`01883250)
  nt!NtCreateUserProcess+0x630 (fffff800`01ab2869):
    call to nt!PspAllocateThread (fffff800`01af6338)
  nt!NtCreateUserProcess+0x69f (fffff800`01ab28d8):
    call to nt!PspInsertProcess (fffff800`01aa6520)
  nt!NtCreateUserProcess+0x70e (fffff800`01ab2947):
    call to nt!PspInsertThread (fffff800`01af4c10)
  nt!NtCreateUserProcess+0x74f (fffff800`01ab2988):
    call to nt!PspCreateObjectHandle (fffff800`01b01e10)
  nt!NtCreateUserProcess+0x775 (fffff800`01ab29ae):
    call to nt!memmove (fffff800`0186fce0)
  nt!NtCreateUserProcess+0x7ca (fffff800`01ab2a03):
    call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
  nt!NtCreateUserProcess+0x7d9 (fffff800`01ab2a12):
    call to nt!SeDeleteAccessState (fffff800`01b02f8c)
  nt!NtCreateUserProcess+0x7e9 (fffff800`01ab2a22):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!NtCreateUserProcess+0x7f1 (fffff800`01ab2a2a):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!NtCreateUserProcess+0x7fe (fffff800`01ab2a37):
    call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)
  nt!NtCreateUserProcess+0x810 (fffff800`01ab2a49):
    call to nt!_security_check_cookie (fffff800`01895e50)
  nt!NtCreateUserProcess+0x862 (fffff800`01ab2a9b):
    call to nt!ZwOpenFile (fffff800`01873480)
  nt!NtCreateUserProcess+0x884 (fffff800`01ab2abd):
    call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
  nt! ?? ::NNGAKEGL::`string'+0x4f944 (fffff800`01b55164):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt! ?? ::NNGAKEGL::`string'+0x4f9a5 (fffff800`01b551c5):
    call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
  nt! ?? ::NNGAKEGL::`string'+0x4fa80 (fffff800`01b55298):
    call to nt!PspGetContextThreadInternal (fffff800`01b02660)
  nt! ?? ::NNGAKEGL::`string'+0x4faf3 (fffff800`01b55303):
    call to nt!ExfTryToWakePushLock (fffff800`0186b924)
  nt! ?? ::NNGAKEGL::`string'+0x4fb21 (fffff800`01b55325):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x4fb3e (fffff800`01b55342):
    call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
  nt! ?? ::NNGAKEGL::`string'+0x4fb92 (fffff800`01b55392):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x4fba0 (fffff800`01b553a0):
    call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
  nt! ?? ::NNGAKEGL::`string'+0x4fbb2 (fffff800`01b553b2):
    call to nt!PsTerminateProcess (fffff800`01b94140)

The check for import of disallowed API during post-process initialization (p. 361) 

CsrCreateProcess (pp. 361 - 362) - Here’s a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CsrCreateProcess
CSRSRV!CsrCreateProcess (000007fe`fd8c76c8)
  CSRSRV!CsrCreateProcess+0x18 (000007fe`fd8c76e0):
    call to CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)

0: kd> uf /c CsrpCreateProcess
CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)
  CSRSRV!CsrpCreateProcess+0x2e (000007fe`fd8c72ae):
    call to ntdll!RtlEnterCriticalSection (00000000`77478920)
  CSRSRV!CsrpCreateProcess+0x66 (000007fe`fd8c72e6):
    call to CSRSRV!CsrCreateThread (000007fe`fd8c77fc)
  CSRSRV!CsrpCreateProcess+0x78 (000007fe`fd8c72f8):
    call to ntdll!ZwClose (00000000`77476e00)
  CSRSRV!CsrpCreateProcess+0x83 (000007fe`fd8c7303):
    call to CSRSRV!CsrAllocateProcess (000007fe`fd8c715c)
  CSRSRV!CsrpCreateProcess+0xa4 (000007fe`fd8c7324):
    call to CSRSRV!CsrGetProcessLuid (000007fe`fd8c8790)
  CSRSRV!CsrpCreateProcess+0x114 (000007fe`fd8c7394):
    call to CSRSRV!memcpy (000007fe`fd8cadec)
  CSRSRV!CsrpCreateProcess+0x1ab (000007fe`fd8c742b):
    call to ntdll!NtSetInformationProcess (00000000`77476ed0)
  CSRSRV!CsrpCreateProcess+0x1d2 (000007fe`fd8c7452):
    call to ntdll!NtSetInformationProcess (00000000`77476ed0)
  CSRSRV!CsrpCreateProcess+0x257 (000007fe`fd8c74d7):
    call to ntdll!NtSetInformationProcess (00000000`77476ed0)
  CSRSRV!CsrpCreateProcess+0x277 (000007fe`fd8c74f7):
    call to ntdll!RtlFreeHeap (00000000`77478c80)
  CSRSRV!CsrpCreateProcess+0x2d8 (000007fe`fd8c7558):
    call to ntdll!NtQueryInformationThread (00000000`77476f60)
  CSRSRV!CsrpCreateProcess+0x2f0 (000007fe`fd8c7570):
    call to ntdll!RtlFreeHeap (00000000`77478c80)
  CSRSRV!CsrpCreateProcess+0x2fd (000007fe`fd8c757d):
    call to CSRSRV!CsrAllocateThread (000007fe`fd8c7b94)
  CSRSRV!CsrpCreateProcess+0x32d (000007fe`fd8c75ad):
    call to CSRSRV!CsrInsertThread (000007fe`fd8c7bfc)
  CSRSRV!CsrpCreateProcess+0x344 (000007fe`fd8c75c4):
    call to ntdll!RtlFreeHeap (00000000`77478c80)
  CSRSRV!CsrpCreateProcess+0x356 (000007fe`fd8c75d6):
    call to ntdll!RtlFreeHeap (00000000`77478c80)
  CSRSRV!CsrpCreateProcess+0x365 (000007fe`fd8c75e5):
    call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
  CSRSRV!CsrpCreateProcess+0x393 (000007fe`fd8c7613):
    call to CSRSRV!CsrSetBackgroundPriority (000007fe`fd8c712c)
  CSRSRV!CsrpCreateProcess+0x3b6 (000007fe`fd8c7636):
    call to CSRSRV!CsrInsertProcess (000007fe`fd8c71f0)
  CSRSRV!CsrpCreateProcess+0x3d8 (000007fe`fd8c7658):
    call to ntdll!RtlLeaveCriticalSection (00000000`77478960)

No elevation, virtualization and compatibility checks for protected processes (p. 362)

KiThreadStartup (p. 363) - it looks like on x64 W2K8 it is KxStartUserThread that has this high-level call structure:

0: kd> uf /c nt!KxStartUserThread
nt!KxStartUserThread (fffff800`018b56e0)
  nt!KiStartUserThread+0x12 (fffff800`018b5756):
    unresolvable call: call    qword ptr [rsp+10h]
  nt!KiStartUserThread+0x9f (fffff800`018b57e3):
    call to nt!KiInitiateUserApc (fffff800`0189d710)
  nt!KiStartUserThread+0xbc (fffff800`018b5800):
    call to nt!KiRestoreDebugRegisterState (fffff800`01878860)

PspUserThreadStartup (p. 363) - high-level call structure on x64 W2K8:

0: kd> uf /c PspUserThreadStartup
nt!PspUserThreadStartup (fffff800`01b01ae4)
  nt!PspUserThreadStartup+0xa1 (fffff800`01b01b85):
    call to nt!MmGetSessionLocaleId (fffff800`01b028a4)
  nt!PspUserThreadStartup+0xdc (fffff800`01b01bc0):
    call to nt!DbgkCreateThread (fffff800`01b02cc0)
  nt!PspUserThreadStartup+0x100 (fffff800`01b01be4):
    call to nt!PfProcessCreateNotification (fffff800`01ab46cc)
  nt!PspUserThreadStartup+0x121 (fffff800`01b01c05):
    call to nt!PspInitializeThunkContext (fffff800`01b028e4)
  nt! ?? ::NNGAKEGL::`string'+0x42263 (fffff800`01b48d5a):
    call to nt!ExfAcquirePushLockExclusive (fffff800`0186aa60)
  nt! ?? ::NNGAKEGL::`string'+0x4226b (fffff800`01b48d62):
    call to nt!ExfReleasePushLockExclusive (fffff800`018c4b98)
  nt! ?? ::NNGAKEGL::`string'+0x42283 (fffff800`01b48d7a):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x42299 (fffff800`01b48d90):
    call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)

System-wide cookie in SharedUserData for pointer encoding/decoding API (p. 363)

LdrInitializeThunk (p. 364) - high-level call structure on x64 W2K8:

0: kd> uf /c LdrInitializeThunk
ntdll!LdrInitializeThunk (00000000`774568d0)
  ntdll!LdrInitializeThunk+0x9 (00000000`774568d9):
    call to ntdll!LdrpInitialize (00000000`77456990)
  ntdll!LdrInitializeThunk+0x13 (00000000`774568e3):
    call to ntdll!ZwContinue (00000000`77477140)
  ntdll!LdrInitializeThunk+0x1a (00000000`774568ea):
    call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
  ntdll!RtlAllocateActivationContextStack+0x29 (00000000`7745692d):
    call to ntdll!RtlAllocateHeap (00000000`774789b0)

0: kd> uf /c LdrpInitialize
Matched: 00000000`774567f0 ntdll!LdrpInitialize = <no type information>
Matched: 00000000`77456990 ntdll!LdrpInitialize = <no type information>
Ambiguous symbol error at 'LdrpInitialize'

0: kd> uf /c 00000000`77456990
Flow analysis was incomplete, some code may be missing
ntdll!LdrpInitialize (00000000`77456990)
  ntdll!LdrpInitialize+0xaa (00000000`7745689a):
    call to ntdll!LdrpInitializeThread (00000000`77470770)
  ntdll!LdrpInitialize+0xaf (00000000`7745689f):
    call to ntdll!ZwTestAlert (00000000`77478490)
  ntdll! ?? ::FNODOBFM::`string'+0x20948 (00000000`7746bb8b):
    call to ntdll!RtlInitializeSRWLock (00000000`774687f0)
  ntdll! ?? ::FNODOBFM::`string'+0x20954 (00000000`7746bb97):
    call to ntdll!LdrpInitializeProcess (00000000`7746ca20)
  ntdll! ?? ::FNODOBFM::`string'+0x20b40 (00000000`7746d540):
    call to ntdll!InitSecurityCookie (00000000`7746d560)
  ntdll! ?? ::FNODOBFM::`string'+0x20ae4 (00000000`7746e52f):
    call to ntdll!NtDelayExecution (00000000`77477050)

0: kd> uf /c ntdll!LdrpInitializeThread
ntdll!LdrpInitializeThread (00000000`77470770)
  ntdll!LdrShutdownThread+0x139 (00000000`77437544):
    call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
  ntdll!LdrpInitializeThread+0x16d (00000000`774376f8):
    call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
  ntdll!LdrShutdownThread+0x124 (00000000`77448199):
    call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
  ntdll!LdrShutdownThread+0x149 (00000000`774481b5):
    unresolvable call: call    rsi
  ntdll!LdrShutdownThread+0x151 (00000000`774481bd):
    call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
  ntdll!LdrShutdownThread+0x68 (00000000`77448238):
    call to ntdll!RtlEnterCriticalSection (00000000`77478920)
  ntdll!LdrShutdownThread+0x1cd (00000000`774483cf):
    call to ntdll!LdrpFreeTls (00000000`774482f0)
  ntdll!LdrShutdownThread+0x1e1 (00000000`774483e3):
    call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
  ntdll!LdrShutdownThread+0x1e6 (00000000`774483e8):
    call to ntdll!LdrpCleanupThreadTlsData (00000000`77448490)
  ntdll!LdrShutdownThread+0x213 (00000000`77448415):
    call to ntdll!RtlFreeHeap (00000000`77478c80)
  ntdll!LdrShutdownThread+0x246 (00000000`77448448):
    call to ntdll!RtlFreeActivationContextStack (00000000`774480a0)
  ntdll!LdrpInitializeThread+0x264 (00000000`774706bf):
    call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
  ntdll!LdrpInitializeThread+0x43 (00000000`774707b3):
    call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
  ntdll!LdrpInitializeThread+0x5f (00000000`774707cf):
    call to ntdll!RtlEnterCriticalSection (00000000`77478920)
  ntdll!LdrpInitializeThread+0x65 (00000000`774707d5):
    call to ntdll!LdrpAllocateTls (00000000`774569d0)
  ntdll!LdrpInitializeThread+0x13e (00000000`774708ae):
    call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
  ntdll!LdrpInitializeThread+0x161 (00000000`774708d5):
    unresolvable call: call    rsi
  ntdll!LdrpInitializeThread+0x17c (00000000`774708e1):
    call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
  ntdll!LdrpInitializeThread+0x1a9 (00000000`7749017c):
    call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
  ntdll!LdrpInitializeThread+0x1b5 (00000000`77490188):
    call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
  ntdll!LdrpInitializeThread+0x1d0 (00000000`774901a3):
    call to ntdll!NtDelayExecution (00000000`77477050)
  ntdll!LdrpInitializeThread+0x1dc (00000000`774901af):
    call to ntdll!RtlEnterCriticalSection (00000000`77478920)
  ntdll!LdrpInitializeThread+0x233 (00000000`7749020a):
    call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
  ntdll!LdrpInitializeThread+0x245 (00000000`7749021c):
    call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
  ntdll!LdrpInitializeThread+0x250 (00000000`77490227):
    call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
  ntdll!LdrShutdownThread+0x1ab (00000000`7749027e):
    call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
  ntdll!LdrShutdownThread+0x1bd (00000000`77490290):
    call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
  ntdll!LdrShutdownThread+0x1c8 (00000000`7749029b):
    call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
  ntdll! ?? ::FNODOBFM::`string'+0x15c61 (00000000`774bd160):
    call to ntdll!NtDelayExecution (00000000`77477050)
  ntdll! ?? ::FNODOBFM::`string'+0x15c6e (00000000`774bd16d):
    call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
  ntdll! ?? ::FNODOBFM::`string'+0x15cb0 (00000000`774bd1a6):
    call to ntdll!RtlEnterCriticalSection (00000000`77478920)
  ntdll! ?? ::FNODOBFM::`string'+0x15cbc (00000000`774bd1b2):
    call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
  ntdll! ?? ::FNODOBFM::`string'+0x15cd7 (00000000`774bd1cd):
    call to ntdll!RtlFreeHeap (00000000`77478c80)
  ntdll! ?? ::FNODOBFM::`string'+0x15cfd (00000000`774bd1f3):
    call to ntdll!RtlFreeHeap (00000000`77478c80)

0: kd> uf /c ntdll!LdrpInitializeProcess
Flow analysis was incomplete, some code may be missing
ntdll!LdrpInitializeProcess (00000000`7746ca20)
  ntdll!LdrpInitializeProcess+0xf88 (00000000`7746bc0d):
    call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0)
  ntdll!LdrpInitializeProcess+0xf9c (00000000`7746bc21):
    call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50)
  ntdll!LdrpInitializeProcess+0xfa4 (00000000`7746bc29):
    call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380)
  ntdll!LdrpInitializeProcess+0x1098 (00000000`7746bc76):
    call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00)
  ntdll!LdrpInitializeProcess+0x10f1 (00000000`7746bccd):
    call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
  ntdll!LdrpInitializeProcess+0x110f (00000000`7746bceb):
    call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0)
  ntdll!LdrpInitializeProcess+0x1123 (00000000`7746bcff):
    call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50)
  ntdll!LdrpInitializeProcess+0x1128 (00000000`7746bd04):
    call to ntdll!RtlInitializeHistoryTable (00000000`7746da90)
  ntdll!LdrpInitializeProcess+0x11c9 (00000000`7746bd4f):
    call to ntdll!RtlpInitCurrentDir (00000000`7746db70)
  ntdll!LdrpInitializeProcess+0x1648 (00000000`7746bdca):
    call to ntdll!LdrLoadDll (00000000`77463e30)
  ntdll!LdrpInitializeProcess+0x16ba (00000000`7746bdf9):
    call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
  ntdll!LdrpInitializeProcess+0x171f (00000000`7746be16):
    call to ntdll!LdrpWalkImportDescriptor (00000000`77466390)
  ntdll!LdrpInitializeProcess+0x18cd (00000000`7746be5b):
    call to ntdll!LdrpInitializeTls (00000000`7746e380)
  ntdll!LdrpInitializeProcess+0x1940 (00000000`7746be88):
    call to ntdll!LdrpRunInitializeRoutines (00000000`77464650)
  ntdll!LdrpInitializeProcess+0x138e (00000000`7746bedf):
    call to ntdll!LdrLoadDll (00000000`77463e30)
  ntdll!LdrpInitializeProcess+0x13ff (00000000`7746bf0d):
    call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
  ntdll!LdrpInitializeProcess+0x1475 (00000000`7746bf3b):
    call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
  ntdll!LdrpInitializeProcess+0x14eb (00000000`7746bf69):
    call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
  ntdll!LdrpInitializeProcess+0x19f5 (00000000`7746bfc5):
    call to ntdll!_security_check_cookie (00000000`7747acb0)
  ntdll!LdrpInitializeProcess+0x32 (00000000`7746ca52):
    call to ntdll!RtlSetUnhandledExceptionFilter (00000000`7746c2d0)
  ntdll!LdrpInitializeProcess+0xe9 (00000000`7746ca9a):
    call to ntdll!RtlInitNlsTables (00000000`7746c920)
  ntdll!LdrpInitializeProcess+0xf6 (00000000`7746caa7):
    call to ntdll!RtlResetRtlTranslations (00000000`7746c410)
  ntdll!LdrpInitializeProcess+0xfe (00000000`7746caaf):
    call to ntdll!RtlpInitSRWLock (00000000`7746c530)
  ntdll!LdrpInitializeProcess+0x103 (00000000`7746cab4):
    call to ntdll!RtlpInitConditionVariable (00000000`7746c550)
  ntdll!LdrpInitializeProcess+0x213 (00000000`7746cb7d):
    call to ntdll!RtlImageNtHeader (00000000`774567b0)
  ntdll!LdrpInitializeProcess+0x273 (00000000`7746cbd7):
    call to ntdll!LdrpInitializeExecutionOptions (00000000`7746c6b0)
  ntdll!LdrpInitializeProcess+0x353 (00000000`7746cc2f):
    call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940)
  ntdll!LdrpInitializeProcess+0x3cd (00000000`7746cc95):
    call to ntdll!RtlNormalizeProcessParams (00000000`7746c2f0)
  ntdll!LdrpInitializeProcess+0x423 (00000000`7746cce3):
    call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940)
  ntdll!LdrpInitializeProcess+0x448 (00000000`7746cd02):
    call to ntdll!memset (00000000`77478830)
  ntdll!LdrpInitializeProcess+0x58c (00000000`7746cd53):
    call to ntdll!RtlpInitDeferredCriticalSection (00000000`7746c640)
  ntdll!LdrpInitializeProcess+0x7d5 (00000000`7746ceb5):
    call to ntdll!RtlInitializeCriticalSection (00000000`77455d20)
  ntdll!LdrpInitializeProcess+0x7fb (00000000`7746cedb):
    call to ntdll!RtlInitializeHeapManager (00000000`7746c7a0)
  ntdll!LdrpInitializeProcess+0x84b (00000000`7746cf2a):
    call to ntdll!RtlCreateHeap (00000000`77466ed0)
  ntdll!LdrpInitializeProcess+0x8e2 (00000000`7746cf51):
    call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
  ntdll!LdrpInitializeProcess+0x8f6 (00000000`7746cf65):
    call to ntdll!EtwpInitializeDll (00000000`7746c250)
  ntdll!LdrpInitializeProcess+0x916 (00000000`7746cf85):
    call to ntdll!RtlCreateTagHeap (00000000`7746d320)
  ntdll!LdrpInitializeProcess+0x942 (00000000`7746cfb1):
    call to ntdll!RtlCreateTagHeap (00000000`7746d320)
  ntdll!LdrpInitializeProcess+0x962 (00000000`7746cfd1):
    call to ntdll!RtlpInitEnvironmentBlock (00000000`7746d380)
  ntdll!LdrpInitializeProcess+0x96f (00000000`7746cfde):
    call to ntdll!RtlpInitParameterBlock (00000000`7746d7f0)
  ntdll!LdrpInitializeProcess+0xa5e (00000000`7746d068):
    call to ntdll!RtlInitUnicodeString (00000000`7747ad10)
  ntdll!LdrpInitializeProcess+0xa73 (00000000`7746d07d):
    call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
  ntdll!LdrpInitializeProcess+0xa87 (00000000`7746d091):
    call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
  ntdll!LdrpInitializeProcess+0xaf0 (00000000`7746d0fe):
    call to ntdll!ZwOpenDirectoryObject (00000000`77477290)
  ntdll!LdrpInitializeProcess+0xc2a (00000000`7746d171):
    call to ntdll!ZwOpenSymbolicLinkObject (00000000`77477cb0)
  ntdll!LdrpInitializeProcess+0xc6b (00000000`7746d1b2):
    call to ntdll!ZwQuerySymbolicLinkObject (00000000`77477f60)
  ntdll!LdrpInitializeProcess+0xc7a (00000000`7746d1c1):
    call to ntdll!ZwClose (00000000`77476e00)
  ntdll!LdrpInitializeProcess+0xe50 (00000000`7746d24d):
    call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380)
  ntdll!LdrpInitializeProcess+0xee4 (00000000`7746d289):
    call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00)
  ntdll!LdrpInitializeProcess+0x30d (00000000`77473eb0):
    call to ntdll!NtQueryInformationProcess (00000000`77476ea0)
  ntdll!LdrpInitializeProcess+0x635 (00000000`77473ef0):
    call to ntdll!RtlSetBits (00000000`77466c00)
  ntdll!LdrpInitializeProcess+0x873 (00000000`77473f19):
    call to ntdll!RtlCreateHeap (00000000`77466ed0)
  ntdll!LdrpInitializeProcess+0xbb8 (00000000`774744f9):
    call to ntdll!ZwOpenDirectoryObject (00000000`77477290)
  ntdll!LdrpInitializeProcess+0xe10 (00000000`77474554):
    call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
  ntdll!LdrpInitializeProcess+0x77 (00000000`77490a96):
    call to ntdll!NtQueryVirtualMemory (00000000`77476f40)
  ntdll!LdrpInitializeProcess+0xb3 (00000000`77490ad2):
    call to ntdll!NtQueryVirtualMemory (00000000`77476f40)
  ntdll!LdrpInitializeProcess+0x2d2 (00000000`77490b92):
    call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
  ntdll!LdrpInitializeProcess+0x2db (00000000`77490b9d):
    call to ntdll!DbgBreakPoint (00000000`77476060)
  ntdll!LdrpInitializeProcess+0x720 (00000000`77490d34):
    call to ntdll!LdrQueryImageFileExecutionOptions (00000000`77473260)
  ntdll!LdrpInitializeProcess+0x790 (00000000`77490da4):
    call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
  ntdll!LdrpInitializeProcess+0x79a (00000000`77490dae):
    call to ntdll!DbgBreakPoint (00000000`77476060)
  ntdll!LdrpInitializeProcess+0x7c6 (00000000`77490dda):
    call to ntdll!RtlControlStackTraceDataBase (00000000`774e3cd0)
  ntdll!LdrpInitializeProcess+0x8ac (00000000`77490e27):
    call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
  ntdll!LdrpInitializeProcess+0x8bf (00000000`77490e3a):
    call to ntdll!DbgBreakPoint (00000000`77476060)
  ntdll!LdrpInitializeProcess+0x9ff (00000000`77490e8c):
    call to ntdll!RtlQueryImageFileKeyOption (00000000`77473320)
  ntdll!LdrpInitializeProcess+0xb0f (00000000`77490ee2):
    call to ntdll!RtlInitUnicodeString (00000000`7747ad10)
  ntdll!LdrpInitializeProcess+0xcea (00000000`77490f57):
    call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
  ntdll!LdrpInitializeProcess+0xd01 (00000000`77490f6e):
    call to ntdll!LdrpInitializationFailure (00000000`774ed120)
  ntdll!LdrpInitializeProcess+0xd3f (00000000`77490f82):
    call to ntdll!RtlAllocateHeap (00000000`774789b0)
  ntdll!LdrpInitializeProcess+0xd7d (00000000`77490fc0):
    call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
  ntdll!LdrpInitializeProcess+0xd90 (00000000`77490fd3):
    call to ntdll!DbgBreakPoint (00000000`77476060)

Private vs. shared assemblies (p. 365)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-February-10

Tuesday, February 9th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

CreateProcess and Increase Scheduling Priority privilege (p. 351)

MS-DOS apps share the same VDM (p. 353)

HKLM\S\CCS\C\WOW\DefaultSeparateVDM (p. 353)

IMAGE_FILE_UP_SYSTEM_ONLY PE characteristic to run on a single CPU (p. 358)

Upon creation initial thread starts in kernel mode in KiThreadStartup (p. 360)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 25-January-10

Monday, January 25th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Kernel Process variables (p. 343)

0: kd> !process poi(PsIdleProcess)
PROCESS fffff800019910c0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 606.
    Image: Idle
    VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0.
    DeviceMap 0000000000000000
    Token                             fffff88000003330
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (6, 50, 450) (24KB, 200KB, 1800KB)
    PeakWorkingSetSize                6
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    1
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      0

        THREAD fffff80001990b80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 fffff88000007310
        Owning Process            fffff800019910c0       Image:         Idle
        Attached Process          fffffa8003bf1040       Image:         System
        Wait Start TickCount      16021          Ticks: 13224 (0:00:03:26.295)
        Context Switch Count      142852
        UserTime                  00:00:00.000
        KernelTime                00:06:13.700
        Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
        Stack Init fffff80002bdadb0 Current fffff80002bdad40
        Base fffff80002bdb000 Limit fffff80002bd5000 Call 0
        Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b
        fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

        THREAD fffffa60005f5d40  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 fffff88000007310
        Owning Process            fffff800019910c0       Image:         Idle
        Attached Process          fffffa8003bf1040       Image:         System
        Wait Start TickCount      0              Ticks: 29245 (0:00:07:36.224)
        Context Switch Count      162365
        UserTime                  00:00:00.000
        KernelTime                00:06:14.808
        Win32 Start Address nt!KiIdleLoop (0xfffff80001876880)
        Stack Init fffffa600191bdb0 Current fffffa600191bd40
        Base fffffa600191c000 Limit fffffa6001916000 Call 0
        Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b
        fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx

Protected processes (pp. 346 - 348) - The flag can be seen in the _EPROCESS block (the output below is taken from a complete memory dump):

0: kd> dt _EPROCESS fffffa8004b5e040
ntdll!_EPROCESS
[...]
   +0x36c ProtectedProcess : 0y1
[...]

The following command prints ImageFileName and the ProtectedProcess bit for every process on W2K8; only the protected entries from the same complete memory dump are shown here, the rest are elided:

0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process"
ntdll!_EPROCESS
   +0x238 ImageFileName : [16]  "System"
ntdll!_EPROCESS
   +0x36c ProtectedProcess : 0y1
[...]
ntdll!_EPROCESS
   +0x238 ImageFileName : [16]  "audiodg.exe"
ntdll!_EPROCESS
   +0x36c ProtectedProcess : 0y1
[...]

System process is protected because Ksecdd.sys stores information in its user-mode address space (p. 347)

PROCESS_QUERY_LIMITED_INFORMATION (p. 347)

Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion; I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and exit gracefully, and only emit an AV if the message box is bypassed.

Advanced .NET Debugging by M. Hewardt:

PE format and its relation to .NET (pp. 26 - 27)

AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use !dh command to find that address (similar to what dumpbin.exe does):

0:001> lm m notepad
start             end                 module name
00000000`ff180000 00000000`ff1af000   notepad    (deferred)        

0:001> !dh 00000000`ff180000
[...]
OPTIONAL HEADER VALUES
     20B magic #
    8.00 linker version
    E400 size of code
   1CC00 size of initialized data
       0 size of uninitialized data
    D1B4 address of entry point
    1000 base of code
         ----- new -----
00000000ff180000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
    6.00 operating system version
    6.00 image version
    6.00 subsystem version
   2F000 size of image
     400 size of headers
   32C26 checksum
[…]

0:001> u 00000000`ff180000+D1B4
notepad!WinMainCRTStartup:
00000000`ff18d1b4 4883ec28        sub     rsp,28h
00000000`ff18d1b8 e88b020000      call    notepad!_security_init_cookie (00000000`ff18d448)
00000000`ff18d1bd 4883c428        add     rsp,28h
00000000`ff18d1c1 e9b6fcffff      jmp     notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c)
00000000`ff18d1c6 cc              int     3
00000000`ff18d1c7 cc              int     3
00000000`ff18d1c8 cc              int     3
00000000`ff18d1c9 cc              int     3

Application domains in ASP.NET; 3 default app domains (system, shared, default) in normal app (p. 34)

!dumpdomain SOS command (pp. 35 - 36)

Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:

0:003> !dumpdomain
--------------------------------------
System Domain: 000007fef15a8ef0
LowFrequencyHeap: 000007fef15a8f38
HighFrequencyHeap: 000007fef15a8fc8
StubHeap: 000007fef15a9058
Stage: OPEN
Name: None
--------------------------------------
Shared Domain: 000007fef15a9860
LowFrequencyHeap: 000007fef15a98a8
HighFrequencyHeap: 000007fef15a9938
StubHeap: 000007fef15a99c8
Stage: OPEN
Name: None
Assembly: 0000000000372d10
--------------------------------------
Domain 1: 0000000000360840
LowFrequencyHeap: 0000000000360888
HighFrequencyHeap: 0000000000360918
StubHeap: 00000000003609a8
Stage: OPEN
SecurityDescriptor: 00000000003630e0
Name: TestCLR.exe
[...]

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 04-January-10

Monday, January 4th, 2010

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Diagnostic Policy Service, DPS (pp. 330 - 331)

SMART (p. 332) - Don’t confuse with recursive acronym Smart Memory Analysis in Real Time (coined by me)

Windows system responsiveness performance diagnostics (p. 332)

Program Compatibility Assistant, PCA (p. 333)

_EPROCESS and _KPROCESS (pp. 337 - 339) - x64 equivalents from W2K8:

lkd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x0c0 ProcessLock      : _EX_PUSH_LOCK
   +0x0c8 CreateTime       : _LARGE_INTEGER
   +0x0d0 ExitTime         : _LARGE_INTEGER
   +0x0d8 RundownProtect   : _EX_RUNDOWN_REF
   +0x0e0 UniqueProcessId  : Ptr64 Void
   +0x0e8 ActiveProcessLinks : _LIST_ENTRY
   +0x0f8 QuotaUsage       : [3] Uint8B
   +0x110 QuotaPeak        : [3] Uint8B
   +0x128 CommitCharge     : Uint8B
   +0x130 PeakVirtualSize  : Uint8B
   +0x138 VirtualSize      : Uint8B
   +0x140 SessionProcessLinks : _LIST_ENTRY
   +0x150 DebugPort        : Ptr64 Void
   +0x158 ExceptionPortData : Ptr64 Void
   +0x158 ExceptionPortValue : Uint8B
   +0x158 ExceptionPortState : Pos 0, 3 Bits
   +0x160 ObjectTable      : Ptr64 _HANDLE_TABLE
   +0x168 Token            : _EX_FAST_REF
   +0x170 WorkingSetPage   : Uint8B
   +0x178 AddressCreationLock : _EX_PUSH_LOCK
   +0x180 RotateInProgress : Ptr64 _ETHREAD
   +0x188 ForkInProgress   : Ptr64 _ETHREAD
   +0x190 HardwareTrigger  : Uint8B
   +0x198 PhysicalVadRoot  : Ptr64 _MM_AVL_TABLE
   +0x1a0 CloneRoot        : Ptr64 Void
   +0x1a8 NumberOfPrivatePages : Uint8B
   +0x1b0 NumberOfLockedPages : Uint8B
   +0x1b8 Win32Process     : Ptr64 Void
   +0x1c0 Job              : Ptr64 _EJOB
   +0x1c8 SectionObject    : Ptr64 Void
   +0x1d0 SectionBaseAddress : Ptr64 Void
   +0x1d8 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x1e0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
   +0x1e8 Win32WindowStation : Ptr64 Void
   +0x1f0 InheritedFromUniqueProcessId : Ptr64 Void
   +0x1f8 LdtInformation   : Ptr64 Void
   +0x200 Spare            : Ptr64 Void
   +0x208 VdmObjects       : Ptr64 Void
   +0x210 DeviceMap        : Ptr64 Void
   +0x218 EtwDataSource    : Ptr64 Void
   +0x220 FreeTebHint      : Ptr64 Void
   +0x228 PageDirectoryPte : _HARDWARE_PTE
   +0x228 Filler           : Uint8B
   +0x230 Session          : Ptr64 Void
   +0x238 ImageFileName    : [16] UChar
   +0x248 JobLinks         : _LIST_ENTRY
   +0x258 LockedPagesList  : Ptr64 Void
   +0x260 ThreadListHead   : _LIST_ENTRY
   +0x270 SecurityPort     : Ptr64 Void
   +0x278 Wow64Process     : Ptr64 Void
   +0x280 ActiveThreads    : Uint4B
   +0x284 ImagePathHash    : Uint4B
   +0x288 DefaultHardErrorProcessing : Uint4B
   +0x28c LastThreadExitStatus : Int4B
   +0x290 Peb              : Ptr64 _PEB
   +0x298 PrefetchTrace    : _EX_FAST_REF
   +0x2a0 ReadOperationCount : _LARGE_INTEGER
   +0x2a8 WriteOperationCount : _LARGE_INTEGER
   +0x2b0 OtherOperationCount : _LARGE_INTEGER
   +0x2b8 ReadTransferCount : _LARGE_INTEGER
   +0x2c0 WriteTransferCount : _LARGE_INTEGER
   +0x2c8 OtherTransferCount : _LARGE_INTEGER
   +0x2d0 CommitChargeLimit : Uint8B
   +0x2d8 CommitChargePeak : Uint8B
   +0x2e0 AweInfo          : Ptr64 Void
   +0x2e8 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x2f0 Vm               : _MMSUPPORT
   +0x358 MmProcessLinks   : _LIST_ENTRY
   +0x368 ModifiedPageCount : Uint4B
   +0x36c Flags2           : Uint4B
   +0x36c JobNotReallyActive : Pos 0, 1 Bit
   +0x36c AccountingFolded : Pos 1, 1 Bit
   +0x36c NewProcessReported : Pos 2, 1 Bit
   +0x36c ExitProcessReported : Pos 3, 1 Bit
   +0x36c ReportCommitChanges : Pos 4, 1 Bit
   +0x36c LastReportMemory : Pos 5, 1 Bit
   +0x36c ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x36c HandleTableRundown : Pos 7, 1 Bit
   +0x36c NeedsHandleRundown : Pos 8, 1 Bit
   +0x36c RefTraceEnabled  : Pos 9, 1 Bit
   +0x36c NumaAware        : Pos 10, 1 Bit
   +0x36c ProtectedProcess : Pos 11, 1 Bit
   +0x36c DefaultPagePriority : Pos 12, 3 Bits
   +0x36c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x36c ProcessVerifierTarget : Pos 16, 1 Bit
   +0x36c StackRandomizationDisabled : Pos 17, 1 Bit
   +0x36c AffinityPermanent : Pos 18, 1 Bit
   +0x36c AffinityUpdateEnable : Pos 19, 1 Bit
   +0x36c CrossSessionCreate : Pos 20, 1 Bit
   +0x370 Flags            : Uint4B
   +0x370 CreateReported   : Pos 0, 1 Bit
   +0x370 NoDebugInherit   : Pos 1, 1 Bit
   +0x370 ProcessExiting   : Pos 2, 1 Bit
   +0x370 ProcessDelete    : Pos 3, 1 Bit
   +0x370 Wow64SplitPages  : Pos 4, 1 Bit
   +0x370 VmDeleted        : Pos 5, 1 Bit
   +0x370 OutswapEnabled   : Pos 6, 1 Bit
   +0x370 Outswapped       : Pos 7, 1 Bit
   +0x370 ForkFailed       : Pos 8, 1 Bit
   +0x370 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x370 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x370 SetTimerResolution : Pos 12, 1 Bit
   +0x370 BreakOnTermination : Pos 13, 1 Bit
   +0x370 DeprioritizeViews : Pos 14, 1 Bit
   +0x370 WriteWatch       : Pos 15, 1 Bit
   +0x370 ProcessInSession : Pos 16, 1 Bit
   +0x370 OverrideAddressSpace : Pos 17, 1 Bit
   +0x370 HasAddressSpace  : Pos 18, 1 Bit
   +0x370 LaunchPrefetched : Pos 19, 1 Bit
   +0x370 InjectInpageErrors : Pos 20, 1 Bit
   +0x370 VmTopDown        : Pos 21, 1 Bit
   +0x370 ImageNotifyDone  : Pos 22, 1 Bit
   +0x370 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x370 VdmAllowed       : Pos 24, 1 Bit
   +0x370 SmapAllowed      : Pos 25, 1 Bit
   +0x370 ProcessInserted  : Pos 26, 1 Bit
   +0x370 DefaultIoPriority : Pos 27, 3 Bits
   +0x370 ProcessSelfDelete : Pos 30, 1 Bit
   +0x370 SpareProcessFlags : Pos 31, 1 Bit
   +0x374 ExitStatus       : Int4B
   +0x378 Spare7           : Uint2B
   +0x37a SubSystemMinorVersion : UChar
   +0x37b SubSystemMajorVersion : UChar
   +0x37a SubSystemVersion : Uint2B
   +0x37c PriorityClass    : UChar
   +0x380 VadRoot          : _MM_AVL_TABLE
   +0x3c0 Cookie           : Uint4B
   +0x3c8 AlpcContext      : _ALPC_PROCESS_CONTEXT

lkd> dt _KPROCESS
ntdll!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 ProfileListHead  : _LIST_ENTRY
   +0x028 DirectoryTableBase : Uint8B
   +0x030 Unused0          : Uint8B
   +0x038 IopmOffset       : Uint2B
   +0x040 ActiveProcessors : Uint8B
   +0x048 KernelTime       : Uint4B
   +0x04c UserTime         : Uint4B
   +0x050 ReadyListHead    : _LIST_ENTRY
   +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x068 InstrumentationCallback : Ptr64 Void
   +0x070 ThreadListHead   : _LIST_ENTRY
   +0x080 ProcessLock      : Uint8B
   +0x088 Affinity         : Uint8B
   +0x090 AutoAlignment    : Pos 0, 1 Bit
   +0x090 DisableBoost     : Pos 1, 1 Bit
   +0x090 DisableQuantum   : Pos 2, 1 Bit
   +0x090 ReservedFlags    : Pos 3, 29 Bits
   +0x090 ProcessFlags     : Int4B
   +0x094 BasePriority     : Char
   +0x095 QuantumReset     : Char
   +0x096 State            : UChar
   +0x097 ThreadSeed       : UChar
   +0x098 PowerState       : UChar
   +0x099 IdealNode        : UChar
   +0x09a Visited          : UChar
   +0x09b Flags            : _KEXECUTE_OPTIONS
   +0x09b ExecuteOptions   : UChar
   +0x0a0 StackCount       : Uint8B
   +0x0a8 ProcessListEntry : _LIST_ENTRY
   +0x0b8 CycleTime        : Uint8B

Working set list, MMWSL (p. 340) - I guessed the structure name right:

lkd> dt _MMWSL
nt!_MMWSL
   +0x000 FirstFree        : Uint4B
   +0x004 FirstDynamic     : Uint4B
   +0x008 LastEntry        : Uint4B
   +0x00c NextSlot         : Uint4B
   +0x010 Wsle             : Ptr64 _MMWSLE
   +0x018 LowestPagableAddress : Ptr64 Void
   +0x020 LastInitializedWsle : Uint4B
   +0x024 NextEstimationSlot : Uint4B
   +0x028 NextAgingSlot    : Uint4B
   +0x02c EstimatedAvailable : Uint4B
   +0x030 GrowthSinceLastEstimate : Uint4B
   +0x034 NumberOfCommittedPageTables : Uint4B
   +0x038 VadBitMapHint    : Uint4B
   +0x03c NonDirectCount   : Uint4B
   +0x040 LastVadBit       : Uint4B
   +0x044 MaximumLastVadBit : Uint4B
   +0x048 LastAllocationSizeHint : Uint4B
   +0x04c LastAllocationSize : Uint4B
   +0x050 NonDirectHash    : Ptr64 _MMWSLE_NONDIRECT_HASH
   +0x058 HashTableStart   : Ptr64 _MMWSLE_HASH
   +0x060 HighestPermittedHashAddress : Ptr64 _MMWSLE_HASH
   +0x068 HighestUserAddress : Ptr64 Void
   +0x070 MaximumUserPageTablePages : Uint4B
   +0x074 MaximumUserPageDirectoryPages : Uint4B
   +0x078 CommittedPageTables : Ptr64 Uint4B
   +0x080 NumberOfCommittedPageDirectories : Uint4B
   +0x088 CommittedPageDirectories : [128] Uint8B
   +0x488 NumberOfCommittedPageDirectoryParents : Uint4B
   +0x490 CommittedPageDirectoryParents : [1] Uint8B

PEB (pp. 341 - 342) - here’s x64 PEB structure from W2K8:

lkd> dt _PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsLegacyProcess  : Pos 2, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
   +0x003 SpareBits        : Pos 5, 3 Bits
   +0x008 Mutant           : Ptr64 Void
   +0x010 ImageBaseAddress : Ptr64 Void
   +0x018 Ldr              : Ptr64 _PEB_LDR_DATA
   +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
   +0x028 SubSystemData    : Ptr64 Void
   +0x030 ProcessHeap      : Ptr64 Void
   +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION
   +0x040 AtlThunkSListPtr : Ptr64 Void
   +0x048 IFEOKey          : Ptr64 Void
   +0x050 CrossProcessFlags : Uint4B
   +0x050 ProcessInJob     : Pos 0, 1 Bit
   +0x050 ProcessInitializing : Pos 1, 1 Bit
   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit
   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit
   +0x050 ReservedBits0    : Pos 4, 28 Bits
   +0x058 KernelCallbackTable : Ptr64 Void
   +0x058 UserSharedInfoPtr : Ptr64 Void
   +0x060 SystemReserved   : [1] Uint4B
   +0x064 SpareUlong       : Uint4B
   +0x068 SparePebPtr0     : Uint8B
   +0x070 TlsExpansionCounter : Uint4B
   +0x078 TlsBitmap        : Ptr64 Void
   +0x080 TlsBitmapBits    : [2] Uint4B
   +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
   +0x090 HotpatchInformation : Ptr64 Void
   +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
   +0x0a0 AnsiCodePageData : Ptr64 Void
   +0x0a8 OemCodePageData  : Ptr64 Void
   +0x0b0 UnicodeCaseTableData : Ptr64 Void
   +0x0b8 NumberOfProcessors : Uint4B
   +0x0bc NtGlobalFlag     : Uint4B
   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
   +0x0c8 HeapSegmentReserve : Uint8B
   +0x0d0 HeapSegmentCommit : Uint8B
   +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
   +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
   +0x0e8 NumberOfHeaps    : Uint4B
   +0x0ec MaximumNumberOfHeaps : Uint4B
   +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void
   +0x0f8 GdiSharedHandleTable : Ptr64 Void
   +0x100 ProcessStarterHelper : Ptr64 Void
   +0x108 GdiDCAttributeList : Uint4B
   +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION
   +0x118 OSMajorVersion   : Uint4B
   +0x11c OSMinorVersion   : Uint4B
   +0x120 OSBuildNumber    : Uint2B
   +0x122 OSCSDVersion     : Uint2B
   +0x124 OSPlatformId     : Uint4B
   +0x128 ImageSubsystem   : Uint4B
   +0x12c ImageSubsystemMajorVersion : Uint4B
   +0x130 ImageSubsystemMinorVersion : Uint4B
   +0x138 ActiveProcessAffinityMask : Uint8B
   +0x140 GdiHandleBuffer  : [60] Uint4B
   +0x230 PostProcessInitRoutine : Ptr64     void
   +0x238 TlsExpansionBitmap : Ptr64 Void
   +0x240 TlsExpansionBitmapBits : [32] Uint4B
   +0x2c0 SessionId        : Uint4B
   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER
   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x2d8 pShimData        : Ptr64 Void
   +0x2e0 AppCompatInfo    : Ptr64 Void
   +0x2e8 CSDVersion       : _UNICODE_STRING
   +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x318 MinimumStackCommit : Uint8B
   +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO
   +0x328 FlsListHead      : _LIST_ENTRY
   +0x338 FlsBitmap        : Ptr64 Void
   +0x340 FlsBitmapBits    : [4] Uint4B
   +0x350 FlsHighIndex     : Uint4B
   +0x358 WerRegistrationData : Ptr64 Void
   +0x360 WerShipAssertPtr : Ptr64 Void
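
The dt layouts above (Flags2 in _EPROCESS with ProtectedProcess at Pos 11, BitField in _PEB with IsProtectedProcess at Pos 1) are all a memory-forensics script needs to read these bits out of raw memory without the debugger, which is what the !for_each_process one-liner in the 25-January-10 notes does interactively. The following is an added example, not code from the page or from the book: it parses the offset and `Pos N, M Bits` lines of dt output into a small field map and uses that map to extract ProtectedProcess from an _EPROCESS and IsProtectedProcess from a _PEB. The _EPROCESS and _PEB bodies are constructed byte arrays with only the touched fields filled in, not real dump data, and the offsets are the W2K8 x64 ones printed on this page; another build needs its own dt output fed in.

```python
import re

# dt lines from the W2K8 x64 output on this page, limited to the fields used here.
EPROCESS_DT = """\
   +0x238 ImageFileName    : [16] UChar
   +0x36c Flags2           : Uint4B
   +0x36c ProtectedProcess : Pos 11, 1 Bit
   +0x36c DefaultPagePriority : Pos 12, 3 Bits
   +0x370 Flags            : Uint4B
   +0x370 ProcessExiting   : Pos 2, 1 Bit
"""
PEB_DT = """\
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
"""

_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
_BITS = re.compile(r"^Pos (\d+), (\d+) Bits?$")
_ARRAY = re.compile(r"^\[(\d+)\] UChar$")
_SCALAR = {"UChar": 1, "Char": 1, "Uint2B": 2, "Uint4B": 4, "Int4B": 4,
           "Uint8B": 8, "Ptr64": 8}


def parse_dt(text):
    """Map field name -> (offset, size, (pos, nbits) or None, is_string) from dt output."""
    fields, container = {}, {}   # container: offset -> size of the last plain field there
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        off, name, typ = int(m.group(1), 16), m.group(2), m.group(3)
        bits = _BITS.match(typ)
        if bits:   # bit field: lives inside the plain field declared at the same offset
            fields[name] = (off, container.get(off, 4),
                            (int(bits.group(1)), int(bits.group(2))), False)
            continue
        arr = _ARRAY.match(typ)
        if arr:
            size, is_str = int(arr.group(1)), True
        else:
            size, is_str = _SCALAR.get(typ.split()[0], 8), False
        container[off] = size
        fields[name] = (off, size, None, is_str)
    return fields


def read_field(blob, fields, name, base=0):
    """Read one field from raw little-endian memory; `base` is the structure's start."""
    off, size, bits, is_str = fields[name]
    raw = blob[base + off:base + off + size]
    if len(raw) != size:
        raise ValueError("structure truncated at %s" % name)
    if is_str:
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    value = int.from_bytes(raw, "little")
    if bits:
        pos, nbits = bits
        return (value >> pos) & ((1 << nbits) - 1)
    return value


def make_eprocess(name, flags2):
    """Constructed _EPROCESS body for the example (only two fields populated); not dump data."""
    blob = bytearray(0x3D0)
    blob[0x238:0x248] = name.encode().ljust(16, b"\0")
    blob[0x36C:0x370] = flags2.to_bytes(4, "little")
    return bytes(blob)


# ProtectedProcess (bit 11) set for System and audiodg.exe, DefaultPagePriority = 5 for all.
SAMPLE_PROCESSES = [
    make_eprocess("System", (1 << 11) | (5 << 12)),
    make_eprocess("svchost.exe", 5 << 12),
    make_eprocess("audiodg.exe", (1 << 11) | (5 << 12)),
]


def protected_processes(blobs):
    """Offline equivalent of the !for_each_process one-liner: images with ProtectedProcess == 1."""
    f = parse_dt(EPROCESS_DT)
    return [read_field(b, f, "ImageFileName") for b in blobs
            if read_field(b, f, "ProtectedProcess")]


def peb_is_protected(peb):
    """IsProtectedProcess from a raw _PEB; BitField is a UChar, so the container is 1 byte."""
    return bool(read_field(peb, parse_dt(PEB_DT), "IsProtectedProcess"))


if __name__ == "__main__":
    print(protected_processes(SAMPLE_PROCESSES))                    # ['System', 'audiodg.exe']
    print(peb_is_protected(bytes([0, 0, 0, 0x02]) + bytes(0x360)))  # True
```

Taking the offsets from dt rather than hardcoding them is the point: the ProtectedProcess bit moves between builds, and a script that bakes in 0x36c / bit 11 silently reads garbage on another kernel. Note also that the PEB lives in user mode and can be patched by anyone with write access to the process, so the _EPROCESS bit is the one to trust when the two disagree.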

PEB and pointers to process heap (p. 340) - couldn’t find them after PEB on x86 and x64. Needs more clarification:

7: kd> !peb
PEB at 7ffdb000
[...]

7: kd> dt _PEB
ntdll!_PEB
[...]
   +0x22c FlsHighIndex     : Uint4B

7: kd> dd 7ffdb000 +0x22c +4
7ffdb230  00000000 00000000 00000000 00000000
7ffdb240  00000000 00000000 00000000 00000000
7ffdb250  00000000 00000000 00000000 00000000
7ffdb260  00000000 00000000 00000000 00000000
7ffdb270  00000000 00000000 00000000 00000000
7ffdb280  00000000 00000000 00000000 00000000
7ffdb290  00000000 00000000 00000000 00000000
7ffdb2a0  00000000 00000000 00000000 00000000

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 07-December-09

Tuesday, December 8th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

WMI CIM Studio (pp. 321 - 322)

dynamic and static MOF classes (p. 323) 

WbemTest, BMF (binary MOF), Mofcomp.exe (p. 323)

Object keys as WMI class instance specifiers (\\computer\root\namespace:class_name.Key1=”…”, Key2=”…”, … ) (pp. 324 - 325)

WMI association classes (p. 325) 

WQL example (p. 327)

wmiprvse.exe as a WMI provider host (p. 327)

wmic.exe (p. 328)

Namespace-level WMI security (p. 329)

WDI, Windows Diagnostic Infrastructure and its instrumentation, DiagLog, SEM Scenario Event Mapper, on-demand diagnosis (pp. 329 - 330) - looks interesting, especially in the context of possible first fault software problem solving techniques (OpenTask has published a book on this topic: http://www.dumpanalysis.com/First+Fault+Software+Problem+Solving)

Advanced Windows Debugging by M. Hewardt and D. Pravat:

LRPC_CCALL(ADDRESS) vs. OSF_CCALL(ADDRESS) vs. DG_CCALL(ADDRESS) (pp. 389 - 390)

Undocumented MSRPC (p. 391) - there is an empirical technique to find LRPC server endpoint: http://www.dumpanalysis.org/blog/index.php/2008/07/11/in-search-of-lost-pid/

!lpc message (p. 393) - some additional scenarios can be found in patterns: http://www.dumpanalysis.org/blog/index.php/2008/12/17/crash-dump-analysis-patterns-part-42e/, http://www.dumpanalysis.org/blog/index.php/2007/11/29/crash-dump-analysis-patterns-part-9d/ and various case studies involving LPC chains: http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

_PS_IMPERSONATION_INFORMATION (p. 395) - Looks like on W2K8 x64 it is another bit union:

lkd> dt -r _ETHREAD
[...]
  +0x3b0 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
      +0x000 ImpersonationData : Uint8B
      +0x000 ImpersonationToken : Ptr64 Void
      +0x000 ImpersonationLevel : Pos 0, 2 Bits
      +0x000 EffectiveOnly    : Pos 2, 1 Bit

RPC cell debugging configuration (pp. 397 - 398)

Advanced .NET Debugging by M. Hewardt:

Lutz Roeder’s .NET Reflector (pp. 15 - 16)

Roberto Farah’s PowerDbg (pp. 17 - 18)

MDA Managed Debugging Assistants (pp. 19 - 21) - looks similar to WDI (Windows Diagnostic Infrastructure) on-demand diagnostics for unmanaged code mentioned in Windows Internals book

CLI(+BCL) -> CLR (p. 24)

Rotor (p. 25) - looks like it has the same value as WINE for unmanaged code: http://www.dumpanalysis.org/blog/index.php/2006/11/16/how-wine-can-help-in-crash-dump-analysis/ 

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 25-November-09

Wednesday, November 25th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

FailureActionsOnNonCrashFailures (p. 310)

WaitToKillApp(Service)Timeout (p. 311)

Shutdown ordering and preshutdown notification (pp. 312 - 313)

Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread when there is no dependency between them (see the MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/), if we preserve the crashed process, for example using the Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/), we might temporarily preserve the functionality of the remaining services hosted in it (again, if there is no dependency)

CNG-KeyIso service (p. 313)

Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:

lkd> !process 0n1016 1f
Searching for Process with Cid == 3f8
Cid Handle table at fffff88008156000 with 1063 Entries in use
PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 436.
    Image: svchost.exe
    VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6.
    DeviceMap fffff8800802ef40
    Token                             fffff880080aa060
    ElapsedTime                       5 Days 01:31:56.632
    UserTime                          00:00:05.257
    KernelTime                        00:00:04.555
    QuotaPoolUsage[PagedPool]         132496
    QuotaPoolUsage[NonPagedPool]      21488
    Working Set Sizes (now,min,max)  (3650, 50, 345) (14600KB, 200KB, 1380KB)
    PeakWorkingSetSize                3725
    VirtualSize                       78 Mb
    PeakVirtualSize                   84 Mb
    PageFaultCount                    38144
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3976

[...]

        THREAD fffffa8004b55060  Cid 03f8.046c  Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
            fffffa8004b54a80  NotificationEvent
            fffffa8004b52a50  SynchronizationEvent
            fffffa8004b55e00  NotificationEvent
            fffffa8004b55118  NotificationTimer
        Not impersonating
        DeviceMap                 fffff8800802ef40
        Owning Process            fffffa8004adec10       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      28044441       Ticks: 4968 (0:00:01:17.501)
        Context Switch Count      3784
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address dhcpcsvc6!Dhcpv6Main (0x000007fefd726884)
        Stack Init fffffa6003c47db0 Current fffffa6003c47230
        Base fffffa6003c48000 Limit fffffa6003c42000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0x7f
        fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0x13a
        fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0x2eb
        fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0x26e
        fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2
        fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`03c47c20)
        00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa
        00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0x10b
        00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0x143
        00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0
        00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd
        00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

[...]

lkd> dt _TEB 000007fffff9e000 SubProcessTag
ntdll!_TEB
   +0x1720 SubProcessTag : 0x00000000`00000011

Advanced .NET Debugging by M. Hewardt:

Debugging Tools for Windows (pp. 3 - 4) - Here are quick links for download: http://windbg.org

No major CLR changes for .NET 3.x (p. 5)

DbgClr (p. 6)

MSBUILD XML example (pp. 6 - 7)

.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in comments to Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/

SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org

CLR Profiler (pp. 11 - 13) - Looks similar to functionality of unmanaged UMDH tool (user mode heap stack trace database)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 20-November-09

Saturday, November 21st, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SCM executable: services.exe (p. 300) - !process 0 0 walks the active process list, so the order shown is the process creation order; services.exe (Cid 0280, started by wininit.exe, Cid 0238) is followed by the service processes it started (ParentCid 0280):

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8003bf1040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000000080  HandleCount: 568.
    Image: System

PROCESS fffffa8004710040
    SessionId: none  Cid: 019c    Peb: 7fffffdb000  ParentCid: 0004
    DirBase: bc8ef000  ObjectTable: fffff880000eb7e0  HandleCount:  33.
    Image: smss.exe

PROCESS fffffa80047cfa40
    SessionId: 0  Cid: 01e0    Peb: 7fffffd6000  ParentCid: 01d4
    DirBase: b4353000  ObjectTable: fffff88007de31b0  HandleCount: 468.
    Image: csrss.exe

PROCESS fffffa80047e7040
    SessionId: 0  Cid: 0214    Peb: 7fffffdf000  ParentCid: 019c
    DirBase: b31ba000  ObjectTable: fffff88007e66cb0  HandleCount: 789.
    Image: psxss.exe

PROCESS fffffa80047f5870
    SessionId: 0  Cid: 0238    Peb: 7fffffdf000  ParentCid: 01d4
    DirBase: b2919000  ObjectTable: fffff88007df7ed0  HandleCount: 101.
    Image: wininit.exe

PROCESS fffffa800481b5e0
    SessionId: 0  Cid: 0280    Peb: 7fffffdf000  ParentCid: 0238
    DirBase: b1b3d000  ObjectTable: fffff88007eac280  HandleCount: 271.
    Image: services.exe

PROCESS fffffa8004820360
    SessionId: 0  Cid: 028c    Peb: 7fffffdd000  ParentCid: 0238
    DirBase: b15eb000  ObjectTable: fffff88007ecbae0  HandleCount: 728.
    Image: lsass.exe

PROCESS fffffa80048252d0
    SessionId: 0  Cid: 0294    Peb: 7fffffde000  ParentCid: 0238
    DirBase: b14f1000  ObjectTable: fffff88007ecf4d0  HandleCount: 178.
    Image: lsm.exe

PROCESS fffffa800429f2b0
    SessionId: 0  Cid: 0338    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: af2a2000  ObjectTable: fffff880082807d0  HandleCount: 306.
    Image: svchost.exe

PROCESS fffffa8004a82270
    SessionId: 0  Cid: 0374    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: aef26000  ObjectTable: fffff88008036e60  HandleCount: 311.
    Image: svchost.exe

PROCESS fffffa8004a97c10
    SessionId: 0  Cid: 0398    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: aebb0000  ObjectTable: fffff88008009950  HandleCount: 379.
    Image: svchost.exe

PROCESS fffffa8004adec10
    SessionId: 0  Cid: 03f8    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: add75000  ObjectTable: fffff88007f3c4d0  HandleCount: 395.
    Image: svchost.exe

PROCESS fffffa8004ae8950
    SessionId: 0  Cid: 00f8    Peb: 7fffffd9000  ParentCid: 0280
    DirBase: ada7a000  ObjectTable: fffff880080d4690  HandleCount: 172.
    Image: svchost.exe

PROCESS fffffa8004af2750
    SessionId: 0  Cid: 012c    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ad83f000  ObjectTable: fffff880080d7b10  HandleCount: 897.
    Image: svchost.exe

PROCESS fffffa8004af7040
    SessionId: 0  Cid: 0140    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: ad5c6000  ObjectTable: fffff880080e3580  HandleCount:  99.
    Image: SLsvc.exe

PROCESS fffffa8004b0f500
    SessionId: 0  Cid: 0278    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: ac4ce000  ObjectTable: fffff8800812d330  HandleCount: 301.
    Image: svchost.exe

PROCESS fffffa8004b20770
    SessionId: 0  Cid: 0194    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: abfd3000  ObjectTable: fffff8800814fd30  HandleCount: 354.
    Image: svchost.exe

PROCESS fffffa8004b315c0
    SessionId: 0  Cid: 0410    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: abc98000  ObjectTable: fffff88008083420  HandleCount:  76.
    Image: svchost.exe

PROCESS fffffa8004b4a040
    SessionId: 0  Cid: 0448    Peb: 7fffffdd000  ParentCid: 0280
    DirBase: ab164000  ObjectTable: fffff880081a42e0  HandleCount: 479.
    Image: svchost.exe

PROCESS fffffa8004b9c740
    SessionId: 0  Cid: 050c    Peb: 7fffffdf000  ParentCid: 03f8
    DirBase: a9c86000  ObjectTable: fffff880081e8750  HandleCount: 141.
    Image: audiodg.exe

PROCESS fffffa8004ba0880
    SessionId: 0  Cid: 0524    Peb: 7fffffd7000  ParentCid: 0280
    DirBase: a96a9000  ObjectTable: fffff88008217c10  HandleCount: 269.
    Image: svchost.exe

PROCESS fffffa8004c15c10
    SessionId: 0  Cid: 0588    Peb: 7fffffda000  ParentCid: 0280
    DirBase: a8906000  ObjectTable: fffff8800825a810  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004b1c7a0
    SessionId: 0  Cid: 0604    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a7598000  ObjectTable: fffff8800827de90  HandleCount: 373.
    Image: spoolsv.exe

PROCESS fffffa8004ca4040
    SessionId: 0  Cid: 067c    Peb: 7efdf000  ParentCid: 0280
    DirBase: a6a24000  ObjectTable: fffff8800833af00  HandleCount:  71.
    Image: mdm.exe

PROCESS fffffa8004cbd040
    SessionId: 0  Cid: 06e8    Peb: 7fffffdf000  ParentCid: 012c
    DirBase: a6363000  ObjectTable: fffff880083735f0  HandleCount: 310.
    Image: taskeng.exe

PROCESS fffffa8004cda8f0
    SessionId: 0  Cid: 0720    Peb: 7fffffd3000  ParentCid: 0280
    DirBase: a5dfb000  ObjectTable: fffff8800801ae20  HandleCount:  57.
    Image: svchost.exe

PROCESS fffffa8004cfbc10
    SessionId: 0  Cid: 0768    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a5400000  ObjectTable: fffff880083c46d0  HandleCount:  54.
    Image: svchost.exe

PROCESS fffffa8004cfb7e0
    SessionId: 0  Cid: 0774    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a5185000  ObjectTable: fffff880017f9bf0  HandleCount: 131.
    Image: svchost.exe

PROCESS fffffa8004cfdc10
    SessionId: 0  Cid: 0780    Peb: 7fffffd4000  ParentCid: 0280
    DirBase: a51ca000  ObjectTable: fffff880083b0270  HandleCount:  75.
    Image: svchost.exe

PROCESS fffffa8004d18c10
    SessionId: 0  Cid: 07b4    Peb: 7fffffdb000  ParentCid: 0280
    DirBase: a4acf000  ObjectTable: fffff880083de5c0  HandleCount: 147.
    Image: svchost.exe

PROCESS fffffa8004d2e4a0
    SessionId: 0  Cid: 07d4    Peb: 7fffffdc000  ParentCid: 0280
    DirBase: a4554000  ObjectTable: fffff88008404b40  HandleCount:  43.
    Image: svchost.exe

PROCESS fffffa8005273830
    SessionId: 0  Cid: 0740    Peb: 7fffffdf000  ParentCid: 0280
    DirBase: 8ac6a000  ObjectTable: fffff88008ff53f0  HandleCount: 228.
    Image: svchost.exe

PROCESS fffffa80052e4b10
    SessionId: 0  Cid: 0a50    Peb: 7fffffda000  ParentCid: 0280
    DirBase: 87170000  ObjectTable: fffff8800912ced0  HandleCount: 234.
    Image: svchost.exe

PROCESS fffffa80054c7770
    SessionId: 0  Cid: 09a4    Peb: 7fffffd8000  ParentCid: 0280
    DirBase: 129ab5000  ObjectTable: fffff8800973aa40  HandleCount: 163.
    Image: msdtc.exe

PROCESS fffffa8005206860
    SessionId: 2  Cid: 0b10    Peb: 7fffffd9000  ParentCid: 0310
    DirBase: 72584000  ObjectTable: fffff88007ea0ac0  HandleCount: 518.
    Image: csrss.exe

PROCESS fffffa8004dfa880
    SessionId: 2  Cid: 062c    Peb: 7fffffd3000  ParentCid: 0310
    DirBase: 70609000  ObjectTable: fffff8800971e5c0  HandleCount: 115.
    Image: winlogon.exe

PROCESS fffffa8003c1bc10
    SessionId: 2  Cid: 08d4    Peb: 7fffffde000  ParentCid: 012c
    DirBase: 6c096000  ObjectTable: fffff880082729b0  HandleCount: 311.
    Image: taskeng.exe

PROCESS fffffa80055b32c0
    SessionId: 2  Cid: 0990    Peb: 7fffffdb000  ParentCid: 0194
    DirBase: 6e1db000  ObjectTable: fffff880092f70d0  HandleCount:  76.
    Image: dwm.exe

PROCESS fffffa800521ac10
    SessionId: 2  Cid: 0458    Peb: 7fffffd6000  ParentCid: 0840
    DirBase: 6f1d2000  ObjectTable: fffff8800a00f580  HandleCount: 644.
    Image: explorer.exe

SvcctrlStartEvent_A3752DX and LSA_RPC_SERVER_ACTIVE (pp. 300 - 301) - this is how to check them:

lkd> !object \BaseNamedObjects
Object: fffff88007df3ab0  Type: (fffffa8003bacb00) Directory
    ObjectHeader: fffff88007df3a80 (old version)
    HandleCount: 32  PointerCount: 143
    Directory Object: fffff88000005d50  Name: BaseNamedObjects

    Hash Address          Type          Name
    ---- -------          ----          ----
[...]
       fffffa800482fa30 Event         SvcctrlStartEvent_A3752DX
[...]
       fffffa80048b33e0 Event         LSA_RPC_SERVER_ACTIVE
[...]
       fffffa8004858ed0 Event         SC_AutoStartComplete
[...]

lkd> dt -r _KEVENT fffffa80048b33e0
ntdll!_KEVENT
   +0x000 Header           : _DISPATCHER_HEADER
      +0x000 Type             : 0 ''
      +0x001 Abandoned        : 0 ''
      +0x001 Absolute         : 0 ''
      +0x001 NpxIrql          : 0 ''
      +0x001 Signalling       : 0 ''
      +0x002 Size             : 0x6 ''
      +0x002 Hand             : 0x6 ''
      +0x003 Inserted         : 0 ''
      +0x003 DebugActive      : 0 ''
      +0x003 DpcActive        : 0 ''
      +0x000 Lock             : 393216
   +0x004 SignalState      : 1
   +0x008 WaitListHead     : _LIST_ENTRY [ 0xfffffa80`048b33e8 - 0xfffffa80`048b33e8 ]
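
The same check can be made from user mode without a kernel debugger. The script below is an added example, not from the original post: it opens the three events listed in the !object output above and reports whether each is signaled (SignalState = 1 in the dt _KEVENT output). It assumes the events are reachable through the Global\ prefix, which maps to \BaseNamedObjects, and it uses the .NET Framework overload of EventWaitHandle.OpenExisting that takes EventWaitHandleRights, so it is written for Windows PowerShell 5.1. The function name Get-ScmStartupEventState is my own.

```powershell
# Added example (not from the original post): query the SCM-related named events
# from user mode. Assumption: "Global\" reaches \BaseNamedObjects from any session.
# Assumption: Windows PowerShell 5.1 (.NET Framework), whose EventWaitHandle exposes
# OpenExisting(name, EventWaitHandleRights); on PowerShell 7 the overload lives in
# the System.Threading.AccessControl package instead.

function Get-ScmStartupEventState {
    param(
        [string[]] $Name = @('SvcctrlStartEvent_A3752DX', 'LSA_RPC_SERVER_ACTIVE', 'SC_AutoStartComplete')
    )

    # Synchronize is enough to wait on the event; do not ask for Modify, which
    # a non-elevated caller will usually be denied on objects owned by SCM/LSA.
    $rights = [System.Security.AccessControl.EventWaitHandleRights]::Synchronize

    foreach ($n in $Name) {
        $objectName = "Global\$n"
        $state  = 'Unknown'
        $detail = ''
        try {
            $h = [System.Threading.EventWaitHandle]::OpenExisting($objectName, $rights)
            try {
                # WaitOne(0) returns at once: $true means the event is signaled.
                # The dt output shows Type 0 (notification / manual-reset), so the
                # wait does not consume the signal; never do this on an auto-reset event.
                $state = if ($h.WaitOne(0)) { 'Signaled' } else { 'NotSignaled' }
            } finally {
                $h.Dispose()
            }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            $state = 'NotFound'      # object does not exist (yet) in this namespace
        } catch [System.UnauthorizedAccessException] {
            $state = 'AccessDenied'  # DACL on the event refuses even Synchronize
        } catch {
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Name = $objectName; State = $state; Detail = $detail }
    }
}

Get-ScmStartupEventState | Format-Table -AutoSize
```

On a fully booted system all three should report Signaled; NotFound for SvcctrlStartEvent_A3752DX means services.exe has not created it, which is what winlogon waits on during startup, and NotSignaled for SC_AutoStartComplete means the auto-start phase is still running.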

WM_DEVICECHANGE (p. 303)

Service startup (pp. 303 - 307) - I use this command to see what functions SvcCtrlMain potentially calls (we can then inspect the called function for its potential calls too):

lkd> .process /r /p fffffa800481b5e0
Implicit process is now fffffa80`0481b5e0

lkd> uf /c SvcCtrlMain
services!SvcctrlMain (00000000`ffe68d18)
  services!SvcctrlMain+0x2f (00000000`ffe68d47):
    call to kernel32!SetUnhandledExceptionFilter (00000000`77592c40)
  services!SvcctrlMain+0x3a (00000000`ffe68d52):
    call to kernel32!SetErrorMode (00000000`7758c740)
  services!SvcctrlMain+0x48 (00000000`ffe68d60):
    call to ntdll!RtlSetProcessIsCritical (00000000`77745f10)
  services!SvcctrlMain+0x58 (00000000`ffe68d70):
    call to kernel32!HeapSetInformation (00000000`7758f020)
  services!SvcctrlMain+0x7a (00000000`ffe68d92):
    call to services!ScStartTracingSession (00000000`ffe70920)
  services!SvcctrlMain+0x7f (00000000`ffe68d97):
    call to services!ScWriteLogHeader (00000000`ffe71178)
  services!SvcctrlMain+0x94 (00000000`ffe68dac):
    call to ntdll!NtOpenProcessToken (00000000`776e7c70)
  services!SvcctrlMain+0xb0 (00000000`ffe68dc8):
    call to services!ScRemoveProcessPrivileges (00000000`ffe6ff54)
  services!SvcctrlMain+0xf2 (00000000`ffe68e0a):
    call to ADVAPI32!RegOpenKeyExW (000007fe`fdd5ace8)
  services!SvcctrlMain+0x12c (00000000`ffe68e44):
    call to ADVAPI32!RegQueryValueExW (000007fe`fdd5a688)
  services!SvcctrlMain+0x152 (00000000`ffe68e57):
    call to ADVAPI32!RegCloseKey (000007fe`fdd5a7f0)
  services!SvcctrlMain+0x158 (00000000`ffe68e5d):
    call to services!ScInitTcpKeepAlive (00000000`ffe7000c)
  services!SvcctrlMain+0x164 (00000000`ffe68e69):
    call to kernel32!GetModuleHandleW (00000000`7759d860)
  services!SvcctrlMain+0x197 (00000000`ffe68e82):
    call to kernel32!GetProcAddress (00000000`7759d8a0)
  services!SvcctrlMain+0x1ea (00000000`ffe68eaa):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x201 (00000000`ffe68ec1):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x243 (00000000`ffe68ee4):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x282 (00000000`ffe68f04):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x299 (00000000`ffe68f1b):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x2db (00000000`ffe68f3e):
    call to kernel32!ExpandEnvironmentStringsW (00000000`7758db60)
  services!SvcctrlMain+0x308 (00000000`ffe68f4c):
    call to services!ScCreateWellKnownSids (00000000`ffe70130)
  services!SvcctrlMain+0x339 (00000000`ffe68f5e):
    call to services!ScCreateAutoStartEvent (00000000`ffe6fe48)
  services!SvcctrlMain+0x384 (00000000`ffe68f8a):
    call to services!ScRegOpenKeyExW (00000000`ffe626b0)
  services!SvcctrlMain+0x397 (00000000`ffe68fa1):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x426 (00000000`ffe68fbf):
    call to services!ScGetStartEvent (00000000`ffe6fc94)
  services!SvcctrlMain+0x452 (00000000`ffe68fcc):
    call to services!ScCreateScManagerObject (00000000`ffe70f40)
  services!SvcctrlMain+0x485 (00000000`ffe68fe0):
    call to ntdll!RtlGetNtProductType (00000000`776cee90)
  services!SvcctrlMain+0x4b3 (00000000`ffe68fef):
    call to services!ScCheckLastKnownGood (00000000`ffe6f8a4)
  services!SvcctrlMain+0x4df (00000000`ffe68ffc):
    call to services!ScGetComputerName (00000000`ffe6fbd8)
  services!SvcctrlMain+0x564 (00000000`ffe69062):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x571 (00000000`ffe6906f):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x57e (00000000`ffe6907c):
    call to ntdll!RtlInitializeResource (00000000`776b5d70)
  services!SvcctrlMain+0x584 (00000000`ffe69082):
    call to services!ScGenerateServiceDB (00000000`ffe70ca8)
  services!SvcctrlMain+0x5b7 (00000000`ffe69096):
    call to services!ScGetAccountDomainInfo (00000000`ffe6f36c)
  services!SvcctrlMain+0x617 (00000000`ffe690aa):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x61d (00000000`ffe690b0):
    call to services!ScInitTransactNamedPipe (00000000`ffe6e43c)
  services!SvcctrlMain+0x62c (00000000`ffe690bf):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x670 (00000000`ffe690e4):
    call to ADVAPI32!RegOpenKeyW (000007fe`fdd52550)
  services!SvcctrlMain+0x82b (00000000`ffe690f2):
    call to services!ScInitBSM (00000000`ffe6e58c)
  services!SvcctrlMain+0x83a (00000000`ffe69101):
    call to kernel32!CreateEventW (00000000`7758be70)
  services!SvcctrlMain+0x857 (00000000`ffe6911e):
    call to ntdll!RtlInitializeCriticalSection (00000000`776c5d20)
  services!SvcctrlMain+0x85d (00000000`ffe69124):
    call to kernel32!GetCurrentProcessId (00000000`7758cf10)
  services!SvcctrlMain+0x865 (00000000`ffe6912c):
    call to USER32!RegisterServicesProcess (00000000`774a1010)
  services!SvcctrlMain+0x89f (00000000`ffe69148):
    call to services!ScLockDatabase (00000000`ffe66244)
  services!SvcctrlMain+0x8da (00000000`ffe69155):
    call to services!ScEnableRpcInterface (00000000`ffe6e8c4)
  services!SvcctrlMain+0x923 (00000000`ffe6917f):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x931 (00000000`ffe6918d):
    call to kernel32!SetConsoleCtrlHandler (00000000`7758e660)
  services!SvcctrlMain+0x974 (00000000`ffe691a2):
    call to kernel32!SetProcessShutdownParameters (00000000`775e4e90)
  services!SvcctrlMain+0x9cd (00000000`ffe691cd):
    call to services!WPP_SF_ (00000000`ffe62608)
  services!SvcctrlMain+0x9d9 (00000000`ffe691d9):
    call to services!ScesrvInitializeServer (00000000`ffe6ebe0)
  services!SvcctrlMain+0xa14 (00000000`ffe691e6):
    call to services!SvcStartRPCProxys (00000000`ffe6f510)
  services!SvcctrlMain+0xa19 (00000000`ffe691eb):
    call to services!InitNCEvents (00000000`ffe6f0d0)
  services!SvcctrlMain+0xa22 (00000000`ffe691f4):
    call to services!ScUpdateServiceSidCache (00000000`ffe6ecac)
  services!SvcctrlMain+0xa27 (00000000`ffe691f9):
    call to services!ScCheckAutostartEventsEnabled (00000000`ffe6eafc)
  services!SvcctrlMain+0xa34 (00000000`ffe69206):
    call to kernel32!SetEvent (00000000`77586840)
  services!SvcctrlMain+0xa70 (00000000`ffe69214):
    call to services!ScAutoStartServices (00000000`ffe6c820)
[…]
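
Following each callee by hand gets tedious for a function with this many call sites, so here is an added example (not from the original post) that turns pasted uf /c output into a de-duplicated callee list per module and prints the follow-up uf /c commands for the callees that live in the same module as the caller, which is the "inspect the called function for its potential calls too" step from the note above. The sample text is a constructed excerpt of the output shown above; the function name ConvertFrom-UfCallList is my own, and the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): parse "uf /c" output from WinDbg.
# $ufOutput is a constructed excerpt of the SvcctrlMain listing above.
$ufOutput = @'
services!SvcctrlMain (00000000`ffe68d18)
  services!SvcctrlMain+0x2f (00000000`ffe68d47):
    call to kernel32!SetUnhandledExceptionFilter (00000000`77592c40)
  services!SvcctrlMain+0x48 (00000000`ffe68d60):
    call to ntdll!RtlSetProcessIsCritical (00000000`77745f10)
  services!SvcctrlMain+0x7a (00000000`ffe68d92):
    call to services!ScStartTracingSession (00000000`ffe70920)
  services!SvcctrlMain+0x201 (00000000`ffe68ec1):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0x299 (00000000`ffe68f1b):
    call to kernel32!LocalAlloc (00000000`7758ce70)
  services!SvcctrlMain+0xa70 (00000000`ffe69214):
    call to services!ScAutoStartServices (00000000`ffe6c820)
'@

function ConvertFrom-UfCallList {
    param([Parameter(Mandatory)][string] $Text)
    $caller = $null
    foreach ($line in $Text -split "`r?`n") {
        # Unindented "module!Function (address)" header names the function being analysed.
        if ($line -match '^(?<mod>[^\s!]+)!(?<fn>[^\s(]+) \(') {
            $caller = "$($Matches.mod)!$($Matches.fn)"
        }
        # Indented "call to module!Function (address)" lines are the call sites.
        elseif ($line -match '^\s*call to (?<mod>[^\s!]+)!(?<fn>[^\s(]+) \((?<addr>[0-9a-f`]+)\)') {
            [pscustomobject]@{
                Caller   = $caller
                Module   = $Matches.mod
                Function = $Matches.fn
                Address  = $Matches.addr
            }
        }
    }
}

$calls = @(ConvertFrom-UfCallList -Text $ufOutput)

# Unique callees with the number of call sites each, sorted for a quick overview.
$calls | Group-Object Module, Function |
    ForEach-Object { [pscustomobject]@{ Callee = ($_.Name -replace ', ', '!'); Sites = $_.Count } } |
    Sort-Object Callee | Format-Table -AutoSize

# Next-step commands: recurse only into callees inside the caller's own module,
# since imports from kernel32/ntdll/ADVAPI32 are the leaves of this walk.
$callerModule = $calls[0].Caller.Split('!')[0]
$calls | Where-Object Module -eq $callerModule |
    Select-Object -ExpandProperty Function -Unique |
    ForEach-Object { "uf /c $callerModule!$_" }
```

Paste the full listing (including the line before the first call site, which carries the caller's name) into $ufOutput or read it from a log file with Get-Content -Raw; the generated uf /c lines can be fed straight back to the debugger to build the next level of the call tree.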

HKLM\S\CCS\C\W\NoInteractiveServices (p. 305)

HKLM\S\CCS\C\ServicesPipeTimeout (p. 306)

Delayed auto-start services (p. 307)

BootVerificationProgram (p. 309)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 16-November-09

Monday, November 16th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

ChangeServiceConfig2 (p. 292) - http://msdn.microsoft.com/en-us/library/ms681988(VS.85).aspx

sc qprivs <service name> (p. 293) - example for Terminal Service:

C:\Users\Administrator>sc qprivs TermService
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: TermService
        PRIVILEGES       : SeAssignPrimaryTokenPrivilege
                         : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege
                         : SeIncreaseQuotaPrivilege

Union of privileges for svchost.exe (p. 294)

Service SID (restricted and unrestricted) (p. 295)

process - window station - desktop - windows (p. 297) - an entity relationship diagram on slide 14 (Intro: Windows) in my past Selected Citrix Tools presentation: http://www.dumpanalysis.org/CitrixTools/Selected%20Citrix%20Troubleshooting%20Tools.htm

Hung non-interactive services waiting for user input (p. 298) - this partially inspired Message Box crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/02/19/crash-dump-analysis-patterns-part-51/

SERVICE_INTERACTIVE_PROCESS Type modifier only for local system accounts (p. 298)

Shatter attacks by window messages (p. 299)

Interactive Services Detection (UI0Detect) service (p. 299)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-November-09

Monday, November 9th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SApp - SCP - SCM (p. 282)

HKLM\S\CCS\Ss\<>\ErrorControl = 3, SERVICE_ERROR_CRITICAL (p. 284) - can be used to force BSOD if service startup fails for postmortem memory dump analysis of the failure

HKLM\S\CCS\Ss\<>\PreshutdownTimeout (p. 286)

HKLM\S\CCS\Ss\<>\RequiredPrivileges (p. 286)

Service threads (p. 287) - some typical thread stack traces can be seen in this case study that also show that service main thread calls control handler functions: http://www.dumpanalysis.org/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/

Service accounts (p. 288) - attached WinDbg will not download symbols from MS symbol server unless Run as Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -