Example 10-3. Overlaying data onto a structure
kd> dt nt!_DRIVER_OBJECT 828b2648
   +0x000 Type             : 4
   +0x002 Size             : 168
   +0x004 DeviceObject     : 0x828b0a30 _DEVICE_OBJECT
   +0x008 Flags            : 0x12
   +0x00c DriverStart      : 0xf7adb000
   +0x010 DriverSize       : 0x1080
   +0x014 DriverSection    : 0x82ad8d78
   +0x018 DriverExtension  : 0x828b26f0 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\Driver\Beep"
   +0x024 HardwareDatabase : 0x80670ae0 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
   +0x028 FastIoDispatch   : (null)
   +0x02c DriverInit       : ❶0xf7adb66c long Beep!DriverEntry+0
   +0x030 DriverStartIo    : 0xf7adb51a void Beep!BeepStartIo+0
   +0x034 DriverUnload     : 0xf7adb620 void Beep!BeepUnload+0
   +0x038 MajorFunction    : [28] 0xf7adb46a long Beep!BeepOpen+0
This is the beep driver, which is built into Windows to make a beeping noise when something is wrong. We can see that the initialization function called when the driver is loaded is located at 0xf7adb66c ❶ (the DriverInit field at offset +0x02c). If this were a malicious driver, we would want to see what code was located at that address, because that code is always called first when the driver is loaded. The initialization function is the only function called every time a driver is loaded, and malware will sometimes place its entire malicious payload in it.
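The overlay that `dt` performs is just the field layout of the structure applied to raw bytes, so it can be reproduced outside the debugger, for instance over a memory dump. The following added example (not from the book) overlays the 32-bit _DRIVER_OBJECT layout shown above onto a buffer, then applies the check an analyst makes next: whether DriverInit, DriverStartIo, DriverUnload and the MajorFunction dispatch entries point inside the driver's own image, [DriverStart, DriverStart + DriverSize). The sample buffer is constructed from the Beep values above; the _UNICODE_STRING buffer pointers and the unlisted MajorFunction slots are placeholders, and `known_ranges` is a hypothetical parameter for other legitimate images such as the kernel.

```python
import struct

# Field layout of the 32-bit nt!_DRIVER_OBJECT exactly as `dt` printed it above
# (name, offset, struct format). _UNICODE_STRING is Length, MaximumLength, Buffer.
DRIVER_OBJECT_FIELDS = [
    ("Type", 0x000, "<H"), ("Size", 0x002, "<H"),
    ("DeviceObject", 0x004, "<I"), ("Flags", 0x008, "<I"),
    ("DriverStart", 0x00C, "<I"), ("DriverSize", 0x010, "<I"),
    ("DriverSection", 0x014, "<I"), ("DriverExtension", 0x018, "<I"),
    ("DriverName", 0x01C, "<HHI"), ("HardwareDatabase", 0x024, "<I"),
    ("FastIoDispatch", 0x028, "<I"), ("DriverInit", 0x02C, "<I"),
    ("DriverStartIo", 0x030, "<I"), ("DriverUnload", 0x034, "<I"),
    ("MajorFunction", 0x038, "<28I"),
]
DRIVER_OBJECT_SIZE = 0x038 + 28 * 4  # 0xA8 = 168, the Size value shown above

def overlay_driver_object(blob: bytes) -> dict:
    """Overlay the field layout onto raw memory, as `dt` does using symbols."""
    if len(blob) < DRIVER_OBJECT_SIZE:
        raise ValueError("buffer too short for _DRIVER_OBJECT")
    obj = {}
    for name, off, fmt in DRIVER_OBJECT_FIELDS:
        vals = struct.unpack_from(fmt, blob, off)
        obj[name] = vals[0] if len(vals) == 1 else vals
    return obj

def pointers_outside_image(obj: dict, known_ranges=()) -> list:
    """Names of non-null code pointers that fall neither inside the driver's
    own image [DriverStart, DriverStart + DriverSize) nor in known_ranges
    (hypothetical: e.g. the kernel image, a normal target for unhandled IRPs).
    Whatever is returned is the code an analyst should disassemble next."""
    ranges = [(obj["DriverStart"], obj["DriverStart"] + obj["DriverSize"])]
    ranges += list(known_ranges)
    def inside(p): return any(lo <= p < hi for lo, hi in ranges)
    names = ["DriverInit", "DriverStartIo", "DriverUnload"]
    suspects = [n for n in names if obj[n] and not inside(obj[n])]
    suspects += [f"MajorFunction[{i}]" for i, p in enumerate(obj["MajorFunction"])
                 if p and not inside(p)]
    return suspects

def build_sample(driver_init=0xF7ADB66C) -> bytes:
    """Constructed buffer reproducing the Beep values printed above; string
    buffer pointers are 0 and unlisted MajorFunction slots are set to BeepOpen."""
    buf = bytearray(DRIVER_OBJECT_SIZE)
    struct.pack_into("<HHIIIIIIHHIIIIII", buf, 0, 4, 168, 0x828B0A30, 0x12,
                     0xF7ADB000, 0x1080, 0x82AD8D78, 0x828B26F0, 24, 26, 0,
                     0x80670AE0, 0, driver_init, 0xF7ADB51A, 0xF7ADB620)
    struct.pack_into("<28I", buf, 0x038, *([0xF7ADB46A] * 28))
    return bytes(buf)
```

With the Beep values every pointer resolves inside the driver image, so nothing is flagged; substituting a DriverInit outside the image (a constructed value) flags that field unless its range is supplied via `known_ranges`.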
Symbols are specific to the version of the files being analyzed, and can change with every update or hotfix. When configured properly, WinDbg will query Microsoft’s server and automatically get the correct symbols for the files that are currently being debugged. You can set the symbol file path by selecting File ▶ Symbol File Path. To configure WinDbg to use the online symbol server, enter the following path:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
The SRV configures a server, the path c:\websymbols is a local cache for symbol information, and the URL is the fixed location of the Microsoft symbol server.
If you’re debugging on a machine that is not continuously connected to the Internet, you can manually download the symbols from Microsoft. Download the symbols specific to the OS, service pack, and architecture that you are using. The symbol files are usually a couple hundred megabytes because they contain the symbol information for all the different hotfix and patch versions for that OS and service pack.