
Full List Of Functions Protected By Patchguard

blueelvis

BSOD Kernel Dump Analyst
Joined
Apr 14, 2014
Messages
970
Location
India

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
Joined
May 7, 2013
Messages
1,878
Location
Minkowski Space
You could try parsing the strings with !stack -p too:

Code:
0: kd> !stack -p
Call Stack : 15 frames
## Stack-Pointer    Return-Address   Call-Site       
00 fffff8800c372378 fffff80002edfc53 nt!KeBugCheckEx+0 
    Parameter[0] = 000000000000001a
    Parameter[1] = 0000000000041284
    Parameter[2] = 000000005be07001
    Parameter[3] = 0000000000010edf
01 fffff8800c372380 fffff80002efe473 nt!MiLocateWsle+2e863 (perf)
    Parameter[0] = 000000005be07000
    Parameter[1] = fffffa800787aec8
    Parameter[2] = 0000000000010edf
    Parameter[3] = (unknown)       
02 fffff8800c3723c0 fffff80002ebe9c9 nt!MiDeleteVirtualAddresses+42933 (perf)
    Parameter[0] = 000000005bd50002
    Parameter[1] = 000000005bf76fff
    Parameter[2] = (unknown)       
    Parameter[3] = fffffa800787ab30
03 fffff8800c372580 fffff8000319fe90 nt!MiRemoveMappedView+d9 (perf)
    Parameter[0] = fffffa80053ed6b0
    Parameter[1] = 000000005bd50002
    Parameter[2] = (unknown)       
    Parameter[3] = (unknown)       
04 fffff8800c3726a0 fffff88004137aef nt!MiUnmapViewOfSection+1b0 (perf)
    Parameter[0] = fffffa800787ab30
    Parameter[1] = 000000005bd50002
    Parameter[2] = 0000000000000000
    Parameter[3] = (unknown)       
05 fffff8800c372760 fffff88004132523 dxgmms1!VIDMM_GLOBAL::CloseLocalAllocation+a7 
    Parameter[0] = fffffa800730b000
    Parameter[1] = fffffa80053ed6b0
    Parameter[2] = fffffa800787ab30
    Parameter[3] = 0000000000000000
06 fffff8800c372810 fffff88004118ecc dxgmms1!VIDMM_GLOBAL::CloseOneAllocation+19b 
    Parameter[0] = fffffa800730b000
    Parameter[1] = fffff8a004ca2ce0
    Parameter[2] = 0000000000000000
    Parameter[3] = (unknown)       
07 fffff8800c3728e0 fffff8800405accc dxgmms1!VidMmCloseAllocation+44 
    Parameter[0] = fffffa800730b000
    Parameter[1] = fffff8a004ca2d40
    Parameter[2] = 0000000000000000
    Parameter[3] = (unknown)       
08 fffff8800c372910 fffff8800405b3ac dxgkrnl!DXGDEVICE::DestroyAllocations+248 
    Parameter[0] = fffff8a006be0000
    Parameter[1] = fffff8a0060840c0
    Parameter[2] = 0000000000000001
    Parameter[3] = fffff8a0022e8e80
09 fffff8800c372a00 fffff8800405a651 dxgkrnl!DXGDEVICE::DestroyResource+84 
    Parameter[0] = fffff8a006be0000
    Parameter[1] = fffff8a0060840c0
    Parameter[2] = (unknown)       
    Parameter[3] = (unknown)       
0a fffff8800c372a30 fffff8800406024b dxgkrnl!DXGDEVICE::ProcessTerminationList+95 
    Parameter[0] = fffff8a006be0000
    Parameter[1] = 0000000000000001
    Parameter[2] = 0000000000000000
    Parameter[3] = 0000000000000000
0b fffff8800c372a80 fffff960001a0d32 dxgkrnl!DxgkCreateAllocation+40b 
    Parameter[0] = (unknown)       
    Parameter[1] = (unknown)       
    Parameter[2] = (unknown)       
    Parameter[3] = (unknown)       
0c fffff8800c372bb0 fffff80002e8aad3 win32k!NtGdiDdDDICreateAllocation+12 
    Parameter[0] = (unknown)       
    Parameter[1] = (unknown)       
    Parameter[2] = (unknown)       
    Parameter[3] = (unknown)       
0d fffff8800c372be0 0000000072ca13fa nt!KiSystemServiceCopyEnd+13 
    Parameter[0] = 0000000001bea7c0
    Parameter[1] = 000000000000000e
    Parameter[2] = 000000000000002b
    Parameter[3] = 0000000077caf975
 

blueelvis

BSOD Kernel Dump Analyst
Anyone have an idea as to how I could get the function names?
Code:
4: kd> u nt!KiSwapThread+0x3a7
nt!KiSwapThread+0x3a7:
fffff800`564be9e7 f6426802        test    byte ptr [rdx+68h],2
fffff800`564be9eb 0f85fa601300    jne     nt! ?? ::FNODOBFM::`string'+0x8b3b (fffff800`565f4aeb)
fffff800`564be9f1 488b4208        mov     rax,qword ptr [rdx+8]
fffff800`564be9f5 483902          cmp     qword ptr [rdx],rax
fffff800`564be9f8 0f820afdffff    jb      nt!KiSwapThread+0xc8 (fffff800`564be708)
fffff800`564be9fe e99e601300      jmp     nt! ?? ::FNODOBFM::`string'+0x8af1 (fffff800`565f4aa1)
fffff800`564bea03 488d83d0010000  lea     rax,[rbx+1D0h]
fffff800`564bea0a 41bf01000000    mov     r15d,1
 

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
Code:
4: kd> u nt!KiSwapThread+0x3a7
nt!KiSwapThread+0x3a7:
fffff800`564be9e7 f6426802        test    byte ptr [rdx+68h],2
fffff800`564be9eb 0f85fa601300    jne     nt! ?? ::FNODOBFM::`string'+0x8b3b (fffff800`565f4aeb)
fffff800`564be9f1 488b4208        mov     rax,qword ptr [rdx+8]
fffff800`564be9f5 483902          cmp     qword ptr [rdx],rax
fffff800`564be9f8 0f820afdffff    jb      nt!KiSwapThread+0xc8 (fffff800`564be708)
fffff800`564be9fe e99e601300      jmp     nt! ?? ::FNODOBFM::`string'+0x8af1 (fffff800`565f4aa1)
fffff800`564bea03 488d83d0010000  lea     rax,[rbx+1D0h]
fffff800`564bea0a 41bf01000000    mov     r15d,1
The address fffff800`565f4aa1 is the location of the jump instruction. Have you tried using the .fnent command on the address of the jump location?
 

blueelvis

BSOD Kernel Dump Analyst
I will try that.

I tried .fnent on this one -
Code:
fffff800`564be9eb 0f85fa601300    jne     nt! ?? ::FNODOBFM::`string'+0x8b3b (fffff800`565f4aeb)
and it said there was no such function.
 

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
I tried it with a different dump file where the function name was known, and got this:

Code:
0: kd> .fnent fffff800`02ebeb7f
Debugger function entry 00000000`0033abd8 for:
(fffff800`02ebe8f0)   nt!MiRemoveMappedView+0x28f   |  (fffff800`02ebedb4)   nt!PsReturnProcessPagedPoolQuota

BeginAddress      = 00000000`000a2932
EndAddress        = 00000000`000a2db4
UnwindInfoAddress = 00000000`001b8bb0

Unwind info at fffff800`02fd4bb0, 18 bytes
  version 1, flags 4, prolog 13, codes 4
  00: offs 13, unwind op 4, op info e    UWOP_SAVE_NONVOL FrameOffset: e0 reg: r14.
  02: offs 8, unwind op 4, op info 3    UWOP_SAVE_NONVOL FrameOffset: 120 reg: rbx.

Chained info:
BeginAddress      = 00000000`000a28f0
EndAddress        = 00000000`000a2932
UnwindInfoAddress = 00000000`001b8b9c

Unwind info at fffff800`02fd4b9c, 14 bytes
  version 1, flags 0, prolog 11, codes 8
  00: offs 11, unwind op 1, op info 0    UWOP_ALLOC_LARGE FrameOffset: e8.
  02: offs a, unwind op 0, op info f    UWOP_PUSH_NONVOL reg: r15.
  03: offs 8, unwind op 0, op info d    UWOP_PUSH_NONVOL reg: r13.
  04: offs 6, unwind op 0, op info c    UWOP_PUSH_NONVOL reg: r12.
  05: offs 4, unwind op 0, op info 7    UWOP_PUSH_NONVOL reg: rdi.
  06: offs 3, unwind op 0, op info 6    UWOP_PUSH_NONVOL reg: rsi.
  07: offs 2, unwind op 0, op info 5    UWOP_PUSH_NONVOL reg: rbp.
Using the ln command then gives:

Code:
0: kd> ln nt+000a28f0
Browse module
Set bu breakpoint

(fffff800`02ebe8f0)   nt!MiRemoveMappedView   |  (fffff800`02ebedb4)   nt!PsReturnProcessPagedPoolQuota
Exact matches:
    nt!MiRemoveMappedView (<no parameter info>)
The disassembly was this:

Code:
0: kd> u fffff80002ebe9c9 //RIP address
nt!MiRemoveMappedView+0xd9:
fffff800`02ebe9c9 4d8bb5a8030000  mov     r14,qword ptr [r13+3A8h]
fffff800`02ebe9d0 4989ada8030000  mov     qword ptr [r13+3A8h],rbp
fffff800`02ebe9d7 4883cbff        or      rbx,0FFFFFFFFFFFFFFFFh
fffff800`02ebe9db 498d8d98030000  lea     rcx,[r13+398h]
fffff800`02ebe9e2 488bc3          mov     rax,rbx
fffff800`02ebe9e5 f0480fc101      lock xadd qword ptr [rcx],rax
fffff800`02ebe9ea a802            test    al,2
fffff800`02ebe9ec 0f858d010000    jne     nt!MiRemoveMappedView+0x28f (fffff800`02ebeb7f)
 

blueelvis

BSOD Kernel Dump Analyst
After using this method multiple times, it seems that if we use the Beginning Address from the last section, it always gives an exact match.
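For anyone who wants to see why the last "Chained info" BeginAddress is the real function start, here is an added example (my own code, not from this thread or from the debugger) that does the same walk programmatically. On x64 every non-leaf code range has a RUNTIME_FUNCTION in .pdata (BeginAddress, EndAddress, UnwindInfoAddress, all RVAs) pointing at an UNWIND_INFO in .xdata. When the compiler splits a function into separate blocks (what produces the nt! ?? ::FNODOBFM::`string' pseudo-symbols), the block's UNWIND_INFO carries flag 4 (UNW_FLAG_CHAININFO) and is followed by the parent's RUNTIME_FUNCTION, which is exactly what .fnent prints under "Chained info". The bytes below are constructed from the numbers .fnent printed for nt!MiRemoveMappedView in this thread; the .pdata placement (RVA 0x1c0000), the two-entry symbol table and the image base (derived as fffff800`02ebe8f0 minus 000a28f0) are my assumptions, and the decoder only spells out the three unwind ops that appear in that output.

```python
import struct
from dataclasses import dataclass
from typing import Optional

UNW_FLAG_CHAININFO = 0x4
# unwind op number -> (name, number of 16-bit UNWIND_CODE slots it occupies); op 1 may use 3
UWOP = {0: ("UWOP_PUSH_NONVOL", 1), 1: ("UWOP_ALLOC_LARGE", 2), 2: ("UWOP_ALLOC_SMALL", 1),
        3: ("UWOP_SET_FPREG", 1), 4: ("UWOP_SAVE_NONVOL", 2), 5: ("UWOP_SAVE_NONVOL_FAR", 3),
        8: ("UWOP_SAVE_XMM128", 2), 9: ("UWOP_SAVE_XMM128_FAR", 3), 10: ("UWOP_PUSH_MACHFRAME", 1)}
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


@dataclass
class RuntimeFunction:
    begin: int
    end: int
    unwind_info: int


@dataclass
class UnwindInfo:
    version: int
    flags: int
    prolog: int
    codes: list
    chained: Optional[RuntimeFunction]


class Image:
    """Minimal RVA-addressable view over a few constructed sections (rva, bytes)."""
    def __init__(self, base, sections):
        self.base, self.sections = base, sections

    def read(self, rva, size):
        for start, data in self.sections:
            if start <= rva and rva + size <= start + len(data):
                return data[rva - start:rva - start + size]
        raise ValueError(f"RVA {rva:#x} not mapped")


def parse_runtime_function(image, rva):
    return RuntimeFunction(*struct.unpack("<III", image.read(rva, 12)))


def find_runtime_function(image, pdata_rva, count, target_rva):
    """.pdata is sorted by BeginAddress, so binary-search for the entry covering target_rva."""
    lo, hi = 0, count
    while lo < hi:
        mid = (lo + hi) // 2
        rf = parse_runtime_function(image, pdata_rva + mid * 12)
        if target_rva < rf.begin:
            hi = mid
        elif target_rva >= rf.end:
            lo = mid + 1
        else:
            return rf
    return None


def parse_unwind_info(image, rva):
    """Decode an UNWIND_INFO header, its unwind codes and, if flag 4 is set, the chained entry."""
    hdr = image.read(rva, 4)
    version, flags, prolog, count = hdr[0] & 7, hdr[0] >> 3, hdr[1], hdr[2]
    raw = image.read(rva + 4, count * 2)
    codes, i = [], 0
    while i < count:
        offs, op, info = raw[2 * i], raw[2 * i + 1] & 0xF, raw[2 * i + 1] >> 4
        name, slots = UWOP.get(op, (f"UWOP_{op}", 1))
        desc = name
        if op == 0:
            desc += f" reg: {REGS[info]}"
        elif op == 1:  # op info 0: size/8 in the next slot; op info 1: full 32-bit size in two slots
            if info == 0:
                size = struct.unpack_from("<H", raw, 2 * i + 2)[0] * 8
            else:
                size, slots = struct.unpack_from("<I", raw, 2 * i + 2)[0], 3
            desc += f" size: {size:x}"
        elif op == 4:  # frame offset is stored scaled by 8 in the next slot
            desc += f" FrameOffset: {struct.unpack_from('<H', raw, 2 * i + 2)[0] * 8:x} reg: {REGS[info]}"
        codes.append((offs, desc))
        i += slots
    chained = None
    if flags & UNW_FLAG_CHAININFO:
        # the parent's RUNTIME_FUNCTION follows the code array, which is padded to an even slot count
        chained = parse_runtime_function(image, rva + 4 + ((count + 1) & ~1) * 2)
    return UnwindInfo(version, flags, prolog, codes, chained)


def resolve_function_start(image, pdata_rva, count, target_rva):
    """What the thread does by hand: .fnent, follow Chained info until none is left, take BeginAddress."""
    rf = find_runtime_function(image, pdata_rva, count, target_rva)
    if rf is None:
        return None, []
    hops = [rf.begin]
    ui = parse_unwind_info(image, rf.unwind_info)
    while ui.chained is not None:
        rf = ui.chained
        hops.append(rf.begin)
        ui = parse_unwind_info(image, rf.unwind_info)
    return rf.begin, hops


def nearest_symbol(symbols, rva):
    """ln-style lookup: nearest symbol at or below rva, printed as name+0xoffset."""
    below = [s for s in symbols if s <= rva]
    if not below:
        return None
    s = max(below)
    return symbols[s] if s == rva else f"{symbols[s]}+{rva - s:#x}"


# Constructed sample image: the values come from the .fnent / ln output in this thread.
IMAGE_BASE = 0xFFFFF80002E1C000          # assumed: fffff800`02ebe8f0 - 000a28f0
XDATA_RVA = 0x1B8B9C
XDATA = bytes([
    0x01, 0x11, 0x08, 0x00,              # parent: version 1, flags 0, prolog 0x11, 8 slots
    0x11, 0x01, 0x1D, 0x00,              # UWOP_ALLOC_LARGE, 0x1d*8 = 0xe8
    0x0A, 0xF0, 0x08, 0xD0, 0x06, 0xC0,  # pushes: r15, r13, r12
    0x04, 0x70, 0x03, 0x60, 0x02, 0x50,  # pushes: rdi, rsi, rbp
    0x21, 0x13, 0x04, 0x00,              # split block at 0x1b8bb0: version 1, flags 4, prolog 0x13, 4 slots
    0x13, 0xE4, 0x1C, 0x00,              # UWOP_SAVE_NONVOL r14, frame offset 0x1c*8 = 0xe0
    0x08, 0x34, 0x24, 0x00,              # UWOP_SAVE_NONVOL rbx, frame offset 0x24*8 = 0x120
]) + struct.pack("<III", 0xA28F0, 0xA2932, 0x1B8B9C)   # chained RUNTIME_FUNCTION -> parent
PDATA_RVA = 0x1C0000                     # assumed placement of .pdata
PDATA = struct.pack("<III", 0xA28F0, 0xA2932, 0x1B8B9C) + struct.pack("<III", 0xA2932, 0xA2DB4, 0x1B8BB0)
SYMBOLS = {0xA28F0: "nt!MiRemoveMappedView", 0xA2DB4: "nt!PsReturnProcessPagedPoolQuota"}
IMAGE = Image(IMAGE_BASE, [(PDATA_RVA, PDATA), (XDATA_RVA, XDATA)])


def demo(va=0xFFFFF80002EBEB7F):
    """Resolve the jne target from the thread back to the function that owns it."""
    rva = va - IMAGE.base
    start, hops = resolve_function_start(IMAGE, PDATA_RVA, 2, rva)
    return {"rva": rva, "hops": hops, "start_va": IMAGE.base + start,
            "symbol": nearest_symbol(SYMBOLS, rva), "ln": f"ln nt+{start:08x}"}


if __name__ == "__main__":
    print(demo())
```

Running demo() walks from the block that owns fffff800`02ebeb7f (BeginAddress 000a2932) to the chained parent (BeginAddress 000a28f0) and produces the same "ln nt+000a28f0" that resolved to nt!MiRemoveMappedView above. A block can itself chain to another block, which is why the loop keeps following Chained info rather than stopping after one hop.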
 

cluberti

Senior Member
Joined
Mar 2, 2012
Messages
411
Location
Redmond
This is correct, for the most part. What you are seeing when you see the oddball function names is an optimized function, thus no symbolic info lines up. However, some quick backtracing (as you've done in this thread) can get you, most times, to what is actually there.
 

blueelvis

BSOD Kernel Dump Analyst
This is correct, for the most part. What you are seeing when you see the oddball function names is an optimized function, thus no symbolic info lines up. However, some quick backtracing (as you've done in this thread) can get you, most times, to what is actually there.
Are there any exceptions as well?
 

cluberti

Senior Member
Depends on what might be stored in the registers and what as locals, what platform (x86 vs x64), driver code versus app code, etc.
 