Page 2 of 2 First 12
  1. #21
    blueelvis's Avatar
    Join Date
    Apr 2014
    Location
    India
    Posts
    969
    • specs System Specs
      • Manufacturer:
        Toshiba
      • CPU:
        Intel Core i5 @ 2.4 GHz 2nd Generation
      • Memory:
        8 GB @ 1600MHz Dual Channel B)
      • Graphics:
        Intel HD 3000 B)
      • Hard Drives:
        Hitachi 1TB 7200 RPM & WD 500 GB
      • Cooling:
        There is some fan inside but it keeps whirring <_<
      • Display:
        1366x768
      • Operating System:
        Windows 8.1 Embedded Industry Pro

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by x BlueRobot View Post
    You mean prefix, suffix denotes a common ending of a word; sorry I'm being a grammar Nazi

    Thanks for the dump file!
    You are welcome.
    Quote Originally Posted by Jared View Post
    Quote Originally Posted by x BlueRobot View Post
    You mean prefix, suffix denotes a common ending of a word; sorry I'm being a grammar Nazi

    Thanks for the dump file!
    How did I miss that? I'm usually the one who corrects grammar.
    I don't think that you will find it ever now
    Ever wanted to learn to debug BSODs? PM me now!

    Feel free to PM me in case I haven't replied within 48 Hours ^_^. Anything else? Still feel free to PM me :thumbsup2:



  2. #22

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by Jared View Post
    Quote Originally Posted by x BlueRobot View Post
    You mean prefix, suffix denotes a common ending of a word; sorry I'm being a grammar Nazi

    Thanks for the dump file!
    How did I miss that? I'm usually the one who corrects grammar.
    Zw, Nt, Ke, Mi, MM... too many prefixes and bleep bloops.

  3. #23
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,857

    Re: Full List Of Functions Protected By Patchguard

    You could try parsing the strings with !stack -p too:

    Code:
    0: kd> !stack -p
    Call Stack : 15 frames
    ## Stack-Pointer    Return-Address   Call-Site       
    00 fffff8800c372378 fffff80002edfc53 nt!KeBugCheckEx+0 
        Parameter[0] = 000000000000001a
        Parameter[1] = 0000000000041284
        Parameter[2] = 000000005be07001
        Parameter[3] = 0000000000010edf
    01 fffff8800c372380 fffff80002efe473 nt!MiLocateWsle+2e863 (perf)
        Parameter[0] = 000000005be07000
        Parameter[1] = fffffa800787aec8
        Parameter[2] = 0000000000010edf
        Parameter[3] = (unknown)       
    02 fffff8800c3723c0 fffff80002ebe9c9 nt!MiDeleteVirtualAddresses+42933 (perf)
        Parameter[0] = 000000005bd50002
        Parameter[1] = 000000005bf76fff
        Parameter[2] = (unknown)       
        Parameter[3] = fffffa800787ab30
    03 fffff8800c372580 fffff8000319fe90 nt!MiRemoveMappedView+d9 (perf)
        Parameter[0] = fffffa80053ed6b0
        Parameter[1] = 000000005bd50002
        Parameter[2] = (unknown)       
        Parameter[3] = (unknown)       
    04 fffff8800c3726a0 fffff88004137aef nt!MiUnmapViewOfSection+1b0 (perf)
        Parameter[0] = fffffa800787ab30
        Parameter[1] = 000000005bd50002
        Parameter[2] = 0000000000000000
        Parameter[3] = (unknown)       
    05 fffff8800c372760 fffff88004132523 dxgmms1!VIDMM_GLOBAL::CloseLocalAllocation+a7 
        Parameter[0] = fffffa800730b000
        Parameter[1] = fffffa80053ed6b0
        Parameter[2] = fffffa800787ab30
        Parameter[3] = 0000000000000000
    06 fffff8800c372810 fffff88004118ecc dxgmms1!VIDMM_GLOBAL::CloseOneAllocation+19b 
        Parameter[0] = fffffa800730b000
        Parameter[1] = fffff8a004ca2ce0
        Parameter[2] = 0000000000000000
        Parameter[3] = (unknown)       
    07 fffff8800c3728e0 fffff8800405accc dxgmms1!VidMmCloseAllocation+44 
        Parameter[0] = fffffa800730b000
        Parameter[1] = fffff8a004ca2d40
        Parameter[2] = 0000000000000000
        Parameter[3] = (unknown)       
    08 fffff8800c372910 fffff8800405b3ac dxgkrnl!DXGDEVICE::DestroyAllocations+248 
        Parameter[0] = fffff8a006be0000
        Parameter[1] = fffff8a0060840c0
        Parameter[2] = 0000000000000001
        Parameter[3] = fffff8a0022e8e80
    09 fffff8800c372a00 fffff8800405a651 dxgkrnl!DXGDEVICE::DestroyResource+84 
        Parameter[0] = fffff8a006be0000
        Parameter[1] = fffff8a0060840c0
        Parameter[2] = (unknown)       
        Parameter[3] = (unknown)       
    0a fffff8800c372a30 fffff8800406024b dxgkrnl!DXGDEVICE::ProcessTerminationList+95 
        Parameter[0] = fffff8a006be0000
        Parameter[1] = 0000000000000001
        Parameter[2] = 0000000000000000
        Parameter[3] = 0000000000000000
    0b fffff8800c372a80 fffff960001a0d32 dxgkrnl!DxgkCreateAllocation+40b 
        Parameter[0] = (unknown)       
        Parameter[1] = (unknown)       
        Parameter[2] = (unknown)       
        Parameter[3] = (unknown)       
    0c fffff8800c372bb0 fffff80002e8aad3 win32k!NtGdiDdDDICreateAllocation+12 
        Parameter[0] = (unknown)       
        Parameter[1] = (unknown)       
        Parameter[2] = (unknown)       
        Parameter[3] = (unknown)       
    0d fffff8800c372be0 0000000072ca13fa nt!KiSystemServiceCopyEnd+13 
        Parameter[0] = 0000000001bea7c0
        Parameter[1] = 000000000000000e
        Parameter[2] = 000000000000002b
        Parameter[3] = 0000000077caf975
    blueelvis and Jared say thanks for this.
    Machines Can Think

    We don't make mistakes; we just have happy accidents.
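The `!stack -p` listing above is plain text and can be turned into structured frames mechanically. The following is an added example, not code from the thread or its posters: a small Python parser that splits each call site into module, symbol and offset and attaches the `Parameter[n]` lines to their frame. The sample input is the thread's own dump, cut to five frames; the trailing `(perf)` tag is kept verbatim and not interpreted. The function names (`parse_stack`, `split_symbol`, `is_unresolved`, `bugcheck_args`) are chosen here; `is_unresolved` flags the `??` placeholder symbols that come up later in the thread.

```python
"""Parse WinDbg `!stack -p` output into structured frames (post #23).
Added example, not code from the thread; the sample is the thread's own dump,
cut to five frames.  Frame 00 is KeBugCheckEx, so its Parameter[n] values are
the bug check code and arguments in the order KeBugCheckEx received them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: the thread's !stack -p output, shortened.
STACK_OUTPUT = """\
0: kd> !stack -p
Call Stack : 15 frames
## Stack-Pointer    Return-Address   Call-Site
00 fffff8800c372378 fffff80002edfc53 nt!KeBugCheckEx+0
    Parameter[0] = 000000000000001a
    Parameter[1] = 0000000000041284
    Parameter[2] = 000000005be07001
    Parameter[3] = 0000000000010edf
01 fffff8800c372380 fffff80002efe473 nt!MiLocateWsle+2e863 (perf)
    Parameter[0] = 000000005be07000
    Parameter[1] = fffffa800787aec8
    Parameter[2] = 0000000000010edf
    Parameter[3] = (unknown)
02 fffff8800c3723c0 fffff80002ebe9c9 nt!MiDeleteVirtualAddresses+42933 (perf)
    Parameter[0] = 000000005bd50002
    Parameter[1] = 000000005bf76fff
    Parameter[2] = (unknown)
    Parameter[3] = fffffa800787ab30
03 fffff8800c372580 fffff8000319fe90 nt!MiRemoveMappedView+d9 (perf)
    Parameter[0] = fffffa80053ed6b0
    Parameter[1] = 000000005bd50002
    Parameter[2] = (unknown)
    Parameter[3] = (unknown)
0d fffff8800c372be0 0000000072ca13fa nt!KiSystemServiceCopyEnd+13
    Parameter[0] = 0000000001bea7c0
"""

FRAME_RE = re.compile(r"^([0-9a-f]{2}) ([0-9a-f]{16}) ([0-9a-f]{16}) (.*?)(?:\s+\((\w+)\))?\s*$")
PARAM_RE = re.compile(r"^\s+Parameter\[(\d)\] = (?:([0-9a-f]{16})|\(unknown\))\s*$")
SYMBOL_RE = re.compile(r"^(?:(\w+)!)?(.+?)(?:\+(?:0x)?([0-9a-fA-F]+))?$")


@dataclass
class Frame:
    index: int
    sp: int                    # Stack-Pointer column
    ret: int                   # Return-Address column
    module: Optional[str]
    symbol: str
    offset: int                # offset past the symbol, 0 when none is printed
    annotation: Optional[str]  # trailing "(perf)" tag, kept verbatim, not interpreted
    params: List[Optional[int]] = field(default_factory=list)  # None stands for (unknown)


def split_symbol(callsite: str) -> Tuple[Optional[str], str, int]:
    """'nt!MiLocateWsle+2e863' -> ('nt', 'MiLocateWsle', 0x2e863); the +0x form works too."""
    m = SYMBOL_RE.match(callsite)
    if not m:
        raise ValueError(f"unparseable call site: {callsite!r}")
    module, name, off = m.groups()
    return module, name.strip(), int(off, 16) if off else 0


def is_unresolved(symbol: str) -> bool:
    """True for the '??' placeholder the debugger prints when no symbol lines up."""
    return "??" in symbol


def parse_stack(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            idx, sp, ret, callsite, ann = fm.groups()
            module, name, off = split_symbol(callsite)
            frames.append(Frame(int(idx, 16), int(sp, 16), int(ret, 16), module, name, off, ann))
            continue
        pm = PARAM_RE.match(line)
        if pm and frames:
            slot, value = int(pm.group(1)), pm.group(2)
            if slot != len(frames[-1].params):  # Parameter[n] lines must arrive in order
                raise ValueError(f"frame {frames[-1].index:02x}: Parameter[{slot}] out of order")
            frames[-1].params.append(int(value, 16) if value else None)
    return frames


def bugcheck_args(frames: List[Frame]) -> Optional[Tuple[Optional[int], ...]]:
    """Bug check code and arguments, read off the KeBugCheckEx frame when present."""
    for f in frames:
        if f.symbol == "KeBugCheckEx":
            return tuple(f.params)
    return None


if __name__ == "__main__":
    parsed = parse_stack(STACK_OUTPUT)
    for f in parsed:
        flag = " [unresolved]" if is_unresolved(f.symbol) else ""
        print(f"{f.index:02x} ret={f.ret:016x} {f.module}!{f.symbol}+{f.offset:x}{flag} {f.params}")
    print("bug check:", bugcheck_args(parsed))
```

Running it prints one line per frame plus the bug check tuple `(0x1a, 0x41284, 0x5be07001, 0x10edf)` taken from frame 00; the return addresses it extracts (for instance frame 02's `fffff80002ebe9c9`) are the values you would then feed to `u` or `.fnent`.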

  4. #24
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Anyone have an idea as to how I could get the function names?
    Code:
    4: kd> u nt!KiSwapThread+0x3a7
    nt!KiSwapThread+0x3a7:
    fffff800`564be9e7 f6426802        test    byte ptr [rdx+68h],2
    fffff800`564be9eb 0f85fa601300    jne     nt! ?? ::FNODOBFM::`string'+0x8b3b (fffff800`565f4aeb)
    fffff800`564be9f1 488b4208        mov     rax,qword ptr [rdx+8]
    fffff800`564be9f5 483902          cmp     qword ptr [rdx],rax
    fffff800`564be9f8 0f820afdffff    jb      nt!KiSwapThread+0xc8 (fffff800`564be708)
    fffff800`564be9fe e99e601300      jmp     nt! ?? ::FNODOBFM::`string'+0x8af1 (fffff800`565f4aa1)
    fffff800`564bea03 488d83d0010000  lea     rax,[rbx+1D0h]
    fffff800`564bea0a 41bf01000000    mov     r15d,1

  5. #25
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Code:
    4: kd> u nt!KiSwapThread+0x3a7
    nt!KiSwapThread+0x3a7:
    fffff800`564be9e7 f6426802        test    byte ptr [rdx+68h],2
    fffff800`564be9eb 0f85fa601300    jne     nt! ?? ::FNODOBFM::`string'+0x8b3b (fffff800`565f4aeb)
    fffff800`564be9f1 488b4208        mov     rax,qword ptr [rdx+8]
    fffff800`564be9f5 483902          cmp     qword ptr [rdx],rax
    fffff800`564be9f8 0f820afdffff    jb      nt!KiSwapThread+0xc8 (fffff800`564be708)
    fffff800`564be9fe e99e601300      jmp     nt! ?? ::FNODOBFM::`string'+0x8af1 (fffff800`565f4aa1)
    fffff800`564bea03 488d83d0010000  lea     rax,[rbx+1D0h]
    fffff800`564bea0a 41bf01000000    mov     r15d,1
    The address fffff800`565f4aa1 is the location of the jump instruction. Have you tried using the .fnent command on the address of the jump location?

  6. #26
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    I will try that.

    I tried .fnent on this one -
    Code:
    fffff800`564be9eb 0f85fa601300    jne     nt! ?? ::FNODOBFM::`string'+0x8b3b (fffff800`565f4aeb)
    and got "no such function".

  7. #27
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    I tried it with a different dump file where the function name was known, and got this:

    Code:
    0: kd> .fnent fffff800`02ebeb7f
    Debugger function entry 00000000`0033abd8 for:
    (fffff800`02ebe8f0)   nt!MiRemoveMappedView+0x28f   |  (fffff800`02ebedb4)   nt!PsReturnProcessPagedPoolQuota
    
    BeginAddress      = 00000000`000a2932
    EndAddress        = 00000000`000a2db4
    UnwindInfoAddress = 00000000`001b8bb0
    
    Unwind info at fffff800`02fd4bb0, 18 bytes
      version 1, flags 4, prolog 13, codes 4
      00: offs 13, unwind op 4, op info e    UWOP_SAVE_NONVOL FrameOffset: e0 reg: r14.
      02: offs 8, unwind op 4, op info 3    UWOP_SAVE_NONVOL FrameOffset: 120 reg: rbx.
    
    Chained info:
    BeginAddress      = 00000000`000a28f0
    EndAddress        = 00000000`000a2932
    UnwindInfoAddress = 00000000`001b8b9c
    
    Unwind info at fffff800`02fd4b9c, 14 bytes
      version 1, flags 0, prolog 11, codes 8
      00: offs 11, unwind op 1, op info 0    UWOP_ALLOC_LARGE FrameOffset: e8.
      02: offs a, unwind op 0, op info f    UWOP_PUSH_NONVOL reg: r15.
      03: offs 8, unwind op 0, op info d    UWOP_PUSH_NONVOL reg: r13.
      04: offs 6, unwind op 0, op info c    UWOP_PUSH_NONVOL reg: r12.
      05: offs 4, unwind op 0, op info 7    UWOP_PUSH_NONVOL reg: rdi.
      06: offs 3, unwind op 0, op info 6    UWOP_PUSH_NONVOL reg: rsi.
      07: offs 2, unwind op 0, op info 5    UWOP_PUSH_NONVOL reg: rbp.
    Using the ln command then gives:

    Code:
    0: kd> ln nt+000a28f0
    Browse module
    Set bu breakpoint
    
    (fffff800`02ebe8f0)   nt!MiRemoveMappedView   |  (fffff800`02ebedb4)   nt!PsReturnProcessPagedPoolQuota
    Exact matches:
        nt!MiRemoveMappedView (<no parameter info>)
    The disassembly was this:

    Code:
    0: kd> u fffff80002ebe9c9 //RIP address
    nt!MiRemoveMappedView+0xd9:
    fffff800`02ebe9c9 4d8bb5a8030000  mov     r14,qword ptr [r13+3A8h]
    fffff800`02ebe9d0 4989ada8030000  mov     qword ptr [r13+3A8h],rbp
    fffff800`02ebe9d7 4883cbff        or      rbx,0FFFFFFFFFFFFFFFFh
    fffff800`02ebe9db 498d8d98030000  lea     rcx,[r13+398h]
    fffff800`02ebe9e2 488bc3          mov     rax,rbx
    fffff800`02ebe9e5 f0480fc101      lock xadd qword ptr [rcx],rax
    fffff800`02ebe9ea a802            test    al,2
    fffff800`02ebe9ec 0f858d010000    jne     nt!MiRemoveMappedView+0x28f (fffff800`02ebeb7f)
    blueelvis says thanks for this.

  8. #28
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    After using this method multiple times, it seems that if we use the Beginning Address from the last section, it always gives an exact match.
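The .fnent walk in the previous post and the observation just above (take the BeginAddress of the last Chained info section, then `ln module+rva`) can be automated. What follows is an added example in Python, not the thread's code: it parses the .fnent output from the previous post (included as the sample, shortened to the lines the parser reads), treats each "Chained info:" section as the parent RUNTIME_FUNCTION entry of the section before it, and builds the `ln nt+000a28f0` command from the root entry. It assumes, as that output shows, that the nearest symbol the debugger prints on the header line is the root function, and uses that to recover the module base so it can check that the queried address falls inside the leaf entry's range and that the displayed `+0x28f` offset agrees. `UNW_FLAG_CHAININFO` is the real UNWIND_INFO flag value (4); the function names are chosen here.

```python
"""Follow WinDbg .fnent output to the parent function (posts #27 and #28).

A split-off, optimised function body gets its own RUNTIME_FUNCTION entry whose
UNWIND_INFO carries the chained flag (flags 4); .fnent prints the parent entry
under "Chained info:".  The BeginAddress of the last, unchained entry is the RVA
of the real function start, which `ln <module>+<rva>` resolves.  Added example;
the sample text is the .fnent output from post #27, shortened.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

UNW_FLAG_CHAININFO = 0x4  # UNWIND_INFO.Flags bit: this entry chains to a parent

# Constructed input: post #27's .fnent output, cut to the lines used here.
FNENT_OUTPUT = """\
0: kd> .fnent fffff800`02ebeb7f
Debugger function entry 00000000`0033abd8 for:
(fffff800`02ebe8f0)   nt!MiRemoveMappedView+0x28f   |  (fffff800`02ebedb4)   nt!PsReturnProcessPagedPoolQuota

BeginAddress      = 00000000`000a2932
EndAddress        = 00000000`000a2db4
UnwindInfoAddress = 00000000`001b8bb0

Unwind info at fffff800`02fd4bb0, 18 bytes
  version 1, flags 4, prolog 13, codes 4

Chained info:
BeginAddress      = 00000000`000a28f0
EndAddress        = 00000000`000a2932
UnwindInfoAddress = 00000000`001b8b9c

Unwind info at fffff800`02fd4b9c, 14 bytes
  version 1, flags 0, prolog 11, codes 8
"""


@dataclass
class FunctionEntry:
    begin: int        # RUNTIME_FUNCTION.BeginAddress (RVA)
    end: int          # RUNTIME_FUNCTION.EndAddress (RVA, exclusive)
    unwind_info: int  # RVA of the UNWIND_INFO block
    flags: int        # UNWIND_INFO.Flags, printed in hex by the debugger


def _hex(s: str) -> int:
    """WinDbg hex with or without the backtick separator (fffff800`02ebeb7f)."""
    return int(s.replace("`", ""), 16)


def parse_fnent(text: str) -> Tuple[int, List[FunctionEntry]]:
    """Return (queried address, entries) with the leaf entry first and the root last."""
    m = re.search(r"\.fnent\s+([0-9a-fA-F`]+)", text)
    if not m:
        raise ValueError("no .fnent command line found")
    entries: List[FunctionEntry] = []
    # Each "Chained info:" line introduces the parent of the section before it.
    for section in re.split(r"^Chained info:[ \t]*$", text, flags=re.M):
        vals = {}
        for key in ("BeginAddress", "EndAddress", "UnwindInfoAddress"):
            f = re.search(key + r"\s*=\s*([0-9a-fA-F`]+)", section)
            if f:
                vals[key] = _hex(f.group(1))
        flags = re.search(r"version \d+, flags ([0-9a-fA-F]+)", section)
        if len(vals) == 3 and flags:
            entries.append(FunctionEntry(vals["BeginAddress"], vals["EndAddress"],
                                         vals["UnwindInfoAddress"], int(flags.group(1), 16)))
    if not entries:
        raise ValueError("no RUNTIME_FUNCTION sections found")
    return _hex(m.group(1)), entries


def resolve_parent(text: str) -> Dict[str, object]:
    """Walk to the root entry and build the `ln` command post #28 describes."""
    queried, entries = parse_fnent(text)
    leaf, root = entries[0], entries[-1]
    for e in entries[:-1]:
        if not e.flags & UNW_FLAG_CHAININFO:
            raise ValueError(f"entry at RVA {e.begin:#x} has a parent but no chained flag")
    # Header line: "(symbol start)   module!symbol+0xoffset".  Assumption (true for
    # post #27's output): that nearest symbol is the root function, so its start
    # address minus the root BeginAddress is the module base.
    hdr = re.search(r"\(([0-9a-fA-F`]+)\)\s+(\w+)!(\w+)\+0x([0-9a-fA-F]+)", text)
    if not hdr:
        raise ValueError("no nearest-symbol header line found")
    symbol_start, module, symbol = _hex(hdr.group(1)), hdr.group(2), hdr.group(3)
    shown_offset = int(hdr.group(4), 16)
    base = symbol_start - root.begin
    rva = queried - base
    return {
        "module": module, "root_symbol": symbol, "base": base, "rva": rva,
        "chain_depth": len(entries),
        "in_leaf_range": leaf.begin <= rva < leaf.end,       # queried address is inside the split-off body
        "offset_matches": rva - root.begin == shown_offset,  # agrees with the +0x28f the debugger printed
        "ln_command": f"ln {module}+{root.begin:08x}",
    }


if __name__ == "__main__":
    for key, value in resolve_parent(FNENT_OUTPUT).items():
        print(f"{key:15} {value:#x}" if type(value) is int else f"{key:15} {value}")
```

For the sample this yields a module base of `fffff800\`02e1c000`, an RVA of `0xa2b7f` for the queried address (inside the leaf range `0xa2932..0xa2db4`), and the command `ln nt+000a28f0`, which is exactly the one the previous post typed to get the `nt!MiRemoveMappedView` exact match. A `.fnent` output with no `Chained info:` section yields a single entry, so the leaf is already the root and the command is built from it directly.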

  9. #29

    Re: Full List Of Functions Protected By Patchguard

    This is correct, for the most part. What you are seeing when you see the oddball function names is an optimized function, thus no symbolic info lines up. However, some quick backtracing (as you've done in this thread) can get you, most times, to what is actually there.
    MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8

  10. #30
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by cluberti View Post
    This is correct, for the most part. What you are seeing when you see the oddball function names is an optimized function, thus no symbolic info lines up. However, some quick backtracing (as you've done in this thread) can get you, most times, to what is actually there.
    Are there any exceptions as well?

  11. #31

    Re: Full List Of Functions Protected By Patchguard

    Depends on what might be being stored in the registers, and what as locals, what platform (x86 vs x64), driver code versus app code, etc.
    blueelvis says thanks for this.

  12. #32
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    I found a list of the prefixes -

    https://en.wikipedia.org/wiki/Ntoskrnl.exe
