From 335786ff4e92e059c19e3a6d242c92ccd8c31c21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?= Date: Sun, 12 Mar 2023 02:10:05 +0100 Subject: [PATCH] ** WIP ** [NTOS:KDBG] Call KdGetVersion API on connection in order to retrieve the KdDebuggerData block and some kernel pointers. + Fix the three UNIMPLEMENTED; usages in KdSend/ReceivePacket(). --- ntoskrnl/kdbg/kdb.h | 10 ++++++++++ ntoskrnl/kdbg/kdb_cli.c | 17 ++++++++++------- ntoskrnl/kdbg/kdbg.c | 41 ++++++++++++++++++++++++++++++++++++++--- 3 files changed, 58 insertions(+), 10 deletions(-) diff --git a/ntoskrnl/kdbg/kdb.h b/ntoskrnl/kdbg/kdb.h index b76c4706bc57e..de61971aadf45 100644 --- a/ntoskrnl/kdbg/kdb.h +++ b/ntoskrnl/kdbg/kdb.h @@ -61,6 +61,16 @@ typedef enum _KD_CONTINUE_TYPE /* GLOBALS *******************************************************************/ +extern ULONG_PTR NtosBase; +extern DBGKD_GET_VERSION64 KdVersion; +extern PKDDEBUGGER_DATA64 KdDebuggerData; +extern PLIST_ENTRY ProcessListHead; +extern PLIST_ENTRY ModuleListHead; +extern PFN_COUNT* NumberOfPhysicalPages; +//#define PsActiveProcessHead (*ProcessListHead) +//#define PsLoadedModuleList (*ModuleListHead) +//#define MmNumberOfPhysicalPages (*NumberOfPhysicalPages) + extern volatile PCHAR KdbInitFileBuffer; extern PEPROCESS KdbCurrentProcess; diff --git a/ntoskrnl/kdbg/kdb_cli.c b/ntoskrnl/kdbg/kdb_cli.c index 91e63f1134704..259415d163bff 100644 --- a/ntoskrnl/kdbg/kdb_cli.c +++ b/ntoskrnl/kdbg/kdb_cli.c @@ -90,8 +90,6 @@ BOOLEAN ExpKdbgExtDefWrites(ULONG Argc, PCHAR Argv[]); BOOLEAN ExpKdbgExtIrpFind(ULONG Argc, PCHAR Argv[]); BOOLEAN ExpKdbgExtHandle(ULONG Argc, PCHAR Argv[]); -extern char __ImageBase; - #ifdef __ROS_DWARF__ static BOOLEAN KdbpCmdPrintStruct(ULONG Argc, PCHAR Argv[]); #endif 
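Review bot: The six new externs in kdb.h carry no comment saying where they come from or when they are valid, yet every one of them starts out as 0/NULL and is only filled in by the DbgKdGetVersionApi handler in kdbg.c, so a reader of the header cannot tell that reading them before the first KD exchange yields garbage. I would put `/* Kernel pointers resolved from the DbgKdGetVersionApi reply (see KdSendPacket); zero/NULL until that exchange has completed. */` above the `extern ULONG_PTR NtosBase;` line. The three commented-out `//#define PsActiveProcessHead (*ProcessListHead)` aliases are dead text in a header; either enable them or drop them before the WIP lands, since commented-out code in a public header is easy to enable by accident without the consumers being audited.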
@@ -125,6 +123,13 @@ BOOLEAN IN ULONG Argc, IN PCH Argv[]); +ULONG_PTR NtosBase = 0; +DBGKD_GET_VERSION64 KdVersion = {0}; +PKDDEBUGGER_DATA64 KdDebuggerData = NULL; +PLIST_ENTRY ProcessListHead = NULL; +PLIST_ENTRY ModuleListHead = NULL; +PFN_COUNT* NumberOfPhysicalPages = NULL; + static PKDBG_CLI_ROUTINE KdbCliCallbacks[10]; static BOOLEAN KdbUseIntelSyntax = FALSE; /* Set to TRUE for intel syntax */ static BOOLEAN KdbBreakOnModuleLoad = FALSE; /* Set to TRUE to break into KDB when a module is loaded */ @@ -1918,7 +1923,6 @@ KdbpCmdProc( BOOLEAN ReferencedProcess = FALSE; PCHAR State, pend, str1, str2; ULONG_PTR ul; - extern LIST_ENTRY PsActiveProcessHead; if (Argc >= 2 && _stricmp(Argv[1], "list") == 0) { @@ -1957,7 +1961,7 @@ KdbpCmdProc( Entry = Entry->Flink; } - while(Entry != &PsActiveProcessHead); + while (Entry != &PsActiveProcessHead); } else if (Argc >= 2 && _stricmp(Argv[1], "attach") == 0) { @@ -2067,9 +2071,8 @@ KdbpCmdMod( { if (!KdbpSymFindModule(NULL, 0, &LdrEntry)) { - ULONG_PTR ntoskrnlBase = (ULONG_PTR)__ImageBase; KdbpPrint(" Base Size Name\n"); - KdbpPrint(" %p %08x %s\n", (PVOID)ntoskrnlBase, 0, "ntoskrnl.exe"); + KdbpPrint(" %p %08x %s\n", (PVOID)NtosBase, 0, "ntoskrnl.exe"); return TRUE; } @@ -2083,7 +2086,7 @@ KdbpCmdMod( KdbpPrintUnicodeString(&LdrEntry->BaseDllName); KdbpPrint("\n"); - if(DisplayOnlyOneModule || !KdbpSymFindModule(NULL, i++, &LdrEntry)) + if (DisplayOnlyOneModule || !KdbpSymFindModule(NULL, i++, &LdrEntry)) break; } diff --git a/ntoskrnl/kdbg/kdbg.c b/ntoskrnl/kdbg/kdbg.c index b61d19f8abac9..a83418b25cb65 100644 --- a/ntoskrnl/kdbg/kdbg.c +++ b/ntoskrnl/kdbg/kdbg.c 
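Review bot: In the `KdbpCmdMod` hunk the fallback `KdbpPrint(" %p %08x %s\n", (PVOID)NtosBase, 0, "ntoskrnl.exe");` replaces `__ImageBase` with a global that is initialised to 0 in this same patch and only set once the GetVersion reply has been processed, so if `mod` can be issued before that exchange (which I cannot confirm from the hunk) it now prints a base of 0 where the old code printed the real image base. A cheap guard is to print a marker instead of a bogus address, e.g. `if (NtosBase == 0) KdbpPrint(" <unknown> %08x %s\n", 0, "ntoskrnl.exe"); else` before the existing print, or to keep `__ImageBase` as the fallback. Separately, the `KdbpCmdProc` hunk drops the local `extern LIST_ENTRY PsActiveProcessHead;` but the loop still compares against `&PsActiveProcessHead` directly, while the freshly defined `ProcessListHead`/`ModuleListHead` are never read anywhere in this patch; the WIP should either switch the consumers to the retrieved pointers or note why direct symbol access is intended to stay. Both enclosing functions start and end outside these hunks.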
@@ -14,7 +14,13 @@ /* GLOBALS *******************************************************************/ -static ULONG KdbgNextApiNumber = DbgKdContinueApi; +///// static ULONG KdbgNextApiNumber = DbgKdContinueApi; +static ULONG KdbgNextApiNumber = +#ifdef KDBG + DbgKdGetVersionApi; +#else + DbgKdContinueApi; +#endif static CONTEXT KdbgContext; static EXCEPTION_RECORD64 KdbgExceptionRecord; static BOOLEAN KdbgFirstChanceException; @@ -85,6 +91,7 @@ KdSendPacket( if (PacketType == PACKET_TYPE_KD_STATE_CHANGE64) { PDBGKD_ANY_WAIT_STATE_CHANGE WaitStateChange = (PDBGKD_ANY_WAIT_STATE_CHANGE)MessageHeader->Buffer; + if (WaitStateChange->NewState == DbgKdLoadSymbolsStateChange) { /* Load or unload symbols */ @@ -102,10 +109,13 @@ KdSendPacket( KdbgFirstChanceException = WaitStateChange->u.Exception.FirstChance; return; } + // DbgKdCommandStringStateChange + KdbPrintf("%s: WaitState %d is UNIMPLEMENTED\n", __FUNCTION__, WaitStateChange->NewState); } else if (PacketType == PACKET_TYPE_KD_STATE_MANIPULATE) { PDBGKD_MANIPULATE_STATE64 ManipulateState = (PDBGKD_MANIPULATE_STATE64)MessageHeader->Buffer; + if (ManipulateState->ApiNumber == DbgKdGetContextApi) { KD_CONTINUE_TYPE Result; @@ -117,6 +127,7 @@ KdSendPacket( KeSetContextPc(&KdbgContext, KeGetContextPc(&KdbgContext) + 2); } + /* Finally, enter KDBG proper */ Result = KdbEnterDebuggerException(&KdbgExceptionRecord, KdbgContext.SegCs & 1, &KdbgContext, 
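Review bot: The new `#ifdef KDBG` initialiser for `KdbgNextApiNumber` is the one place that decides the first request sent to the kernel is `DbgKdGetVersionApi`, but nothing explains why, and the old line is left behind as `///// static ULONG KdbgNextApiNumber = DbgKdContinueApi;` rather than deleted. I would remove the commented-out line and put `/* KDBG starts by asking for DbgKdGetVersionApi so that KdDebuggerData and the kernel base are known before any other command runs. */` above the `#ifdef`. In the `DbgKdCommandStringStateChange` path, `KdbPrintf("%s: WaitState %d is UNIMPLEMENTED\n", ...)` prints `NewState` with `%d`; if `NewState` is unsigned in this build, `%u` (or `%lu` with a cast) is the matching specifier.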
@@ -138,10 +149,26 @@ KdSendPacket( KdbgNextApiNumber = DbgKdContinueApi; return; } + else if (ManipulateState->ApiNumber == DbgKdGetVersionApi) + { + PLIST_ENTRY DebuggerDataList; + + /* Copy the relevant data */ + RtlCopyMemory(&KdVersion, &ManipulateState->u.GetVersion64, sizeof(KdVersion)); + DebuggerDataList = (PLIST_ENTRY)(ULONG_PTR)KdVersion.DebuggerDataList; + NtosBase = (ULONG_PTR)KdVersion.KernBase; + KdDebuggerData = CONTAINING_RECORD(DebuggerDataList->Flink, KDDEBUGGER_DATA64, Header.List); + ProcessListHead = (PLIST_ENTRY)*(ULONG_PTR*)&KdDebuggerData->PsActiveProcessHead; + ModuleListHead = (PLIST_ENTRY)*(ULONG_PTR*)&KdDebuggerData->PsLoadedModuleList; + NumberOfPhysicalPages = (PFN_COUNT*)*(ULONG_PTR*)&KdDebuggerData->MmNumberOfPhysicalPages; + /* Note that NtosBase is also == (ULONG_PTR)KdDebuggerData->KernBase; */ + + KdbgNextApiNumber = DbgKdContinueApi; + return; + } } KdbPrintf("%s: PacketType %d is UNIMPLEMENTED\n", __FUNCTION__, PacketType); - return; } KDSTATUS @@ -176,7 +203,9 @@ KdReceivePacket( if (PacketType == PACKET_TYPE_KD_STATE_MANIPULATE) { PDBGKD_MANIPULATE_STATE64 ManipulateState = (PDBGKD_MANIPULATE_STATE64)MessageHeader->Buffer; + RtlZeroMemory(MessageHeader->Buffer, MessageHeader->MaximumLength); + if (KdbgNextApiNumber == DbgKdGetContextApi) { ManipulateState->ApiNumber = DbgKdGetContextApi; @@ -191,10 +220,16 @@ KdReceivePacket( MessageData->Buffer = (PCHAR)&KdbgContext; return KdPacketReceived; } + else if (KdbgNextApiNumber == DbgKdGetVersionApi) + { + ManipulateState->ApiNumber = DbgKdGetVersionApi; + return KdPacketReceived; + } else if (KdbgNextApiNumber != DbgKdContinueApi) { - KdbPrintf("%s:%d is UNIMPLEMENTED\n", __FUNCTION__, __LINE__); + KdbPrintf("%s: ApiNumber %d is UNIMPLEMENTED\n", __FUNCTION__, KdbgNextApiNumber); } + ManipulateState->ApiNumber = DbgKdContinueApi; ManipulateState->u.Continue.ContinueStatus = KdbgContinueStatus;
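Review bot: The `DbgKdGetVersionApi` branch dereferences `DebuggerDataList->Flink` and then treats the result as a `KDDEBUGGER_DATA64` without checking that `KdVersion.DebuggerDataList` is non-zero or that the list is non-empty; an empty list makes `Flink` point back at the head itself, so `CONTAINING_RECORD` yields a pointer into whatever precedes the head and the three `*(ULONG_PTR*)&KdDebuggerData->...` reads then publish garbage kernel pointers into `ProcessListHead`, `ModuleListHead` and `NumberOfPhysicalPages`. Since this reply is built locally by the kernel the exposure is a debugger-path crash rather than an injection, but a guard is cheap and keeps the globals at their documented zero/NULL state on failure. If the debugger data header exposes its owner tag and size in this build, checking those before reading fields would be a reasonable follow-up, but I cannot confirm the field names from the hunk. The `*(ULONG_PTR*)&field` punning of the `ULONG64` fields also only yields the low half on 32-bit little-endian targets; an explicit `(ULONG_PTR)KdDebuggerData->PsActiveProcessHead` truncation says the same thing without aliasing.

```c
DebuggerDataList = (PLIST_ENTRY)(ULONG_PTR)KdVersion.DebuggerDataList;
NtosBase = (ULONG_PTR)KdVersion.KernBase;
if (DebuggerDataList == NULL || DebuggerDataList->Flink == DebuggerDataList)
{
    /* No debugger data block was published; leave the list pointers NULL */
    KdbPrintf("%s: GetVersion reply carries no KdDebuggerData block\n", __FUNCTION__);
    KdbgNextApiNumber = DbgKdContinueApi;
    return;
}
KdDebuggerData = CONTAINING_RECORD(DebuggerDataList->Flink, KDDEBUGGER_DATA64, Header.List);
/* … unchanged: ProcessListHead / ModuleListHead / NumberOfPhysicalPages assignments … */
```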