[NTOS:EX:KD64] Add Doxygen documentation for Nt/KdSystemDebugControl.

Based from external documentation: https://www.ivanlef0u.tuxfamily.org/?p=21 https://www.ivanlef0u.tuxfamily.org/?p=382 http://pds8.egloos.com/pds/200807/09/51/Subverting_Windows_2003_Service_Pack_1_Kernel_Integrity_Protection.pdf http://www.nynaeve.net/?p=114 https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Eran%20Segal%20-%20The%20COW%20%28Container%20On%20Windows%29%20Who%20Escaped%20the%20Silo.pdf https://vidstromlabs.com/blog/memory-dumping-with-ntsystemdebugcontrol/ https://www.kernelmode.info/forum/viewtopic0aa3.html?t=5317
HBelusca · Oct 3, 2024 · 984de0d · 984de0d
1 parent 3f8c951
commit 984de0d
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 33 deletions.
diff --git a/ntoskrnl/ex/dbgctrl.c b/ntoskrnl/ex/dbgctrl.c
@@ -140,61 +140,88 @@ ExpDebuggerWorker(IN PVOID Context)
     }
 }
 
-/*++
- * @name NtSystemDebugControl
- * @implemented
+/**
+ * @brief
+ * Perform various queries to the kernel debugger.
  *
- * Perform various queries to debugger.
- * This API is subject to test-case creation to further evaluate its
- * abilities (if needed to at all)
+ * @param[in]   Command
+ * A SYSDBG_COMMAND value describing the kernel debugger command to perform.
  *
- * See: http://www.osronline.com/showthread.cfm?link=93915
- *      http://void.ru/files/Ntexapi.h
- *      http://www.codeguru.com/code/legacy/system/ntexapi.zip
- *      http://www.securityfocus.com/bid/9694
+ * @param[in]   InputBuffer
+ * Pointer to a user-provided input command-specific buffer, whose length
+ * is given by InputBufferLength.
  *
- * @param ControlCode
- *        Description of the parameter. Wrapped to more lines on ~70th
- *        column.
+ * @param[in]   InputBufferLength
+ * The size (in bytes) of the buffer pointed by InputBuffer.
  *
- * @param InputBuffer
- *        FILLME
+ * @param[out]  OutputBuffer
+ * Pointer to a user-provided command-specific output buffer, whose length
+ * is given by OutputBufferLength.
  *
- * @param InputBufferLength
- *        FILLME
+ * @param[in]   OutputBufferLength
+ * The size (in bytes) of the buffer pointed by OutputBuffer.
  *
- * @param OutputBuffer
- *        FILLME
+ * @param[out]  ReturnLength
+ * Optional pointer to a ULONG variable that receives the actual length of
+ * data written written in the output buffer. It is always zero, except for
+ * the live dump commands where an actual non-zero length is returned.
  *
- * @param OutputBufferLength
- *        FILLME
+ * @return
+ * STATUS_SUCCESS in case of success, or a proper error code otherwise.
  *
-  * @param ReturnLength
- *        FILLME
+ * @remarks
  *
- * @return STATUS_SUCCESS in case of success, proper error code otherwise
+ * - The caller must have SeDebugPrivilege, otherwise the function fails
+ *   with STATUS_ACCESS_DENIED.
  *
- * @remarks None
+ * - Only the live dump commands: SysDbgGetTriageDump, and SysDbgGetLiveKernelDump
+ *   (Win8.1+) are available even if the debugger is disabled or absent.
  *
- *--*/
+ * - The following system-critical commands are not accessible anymore
+ *   for user-mode usage with this API on NT 5.2+ (Windows 2003 SP1 and later)
+ *   systems:
+ *
+ *   SysDbgQueryVersion,
+ *   SysDbgReadVirtual and SysDbgWriteVirtual,
+ *   SysDbgReadPhysical and SysDbgWritePhysical,
+ *   SysDbgReadControlSpace and SysDbgWriteControlSpace,
+ *   SysDbgReadIoSpace and SysDbgWriteIoSpace,
+ *   SysDbgReadMsr and SysDbgWriteMsr,
+ *   SysDbgReadBusData and SysDbgWriteBusData,
+ *   SysDbgCheckLowMemory.
+ *
+ *   For these, NtSystemDebugControl() will return STATUS_NOT_IMPLEMENTED.
+ *   They are now available from kernel-mode only with KdSystemDebugControl().
+ *
+ * @note
+ * See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2339
+ *
+ * @see KdSystemDebugControl()
+ **/
 NTSTATUS
 NTAPI
 NtSystemDebugControl(
-    _In_ SYSDBG_COMMAND ControlCode,
+    _In_ SYSDBG_COMMAND Command,
     _In_reads_bytes_(InputBufferLength) PVOID InputBuffer,
     _In_ ULONG InputBufferLength,
     _Out_writes_bytes_(OutputBufferLength) PVOID OutputBuffer,
     _In_ ULONG OutputBufferLength,
     _Out_opt_ PULONG ReturnLength)
 {
-    switch (ControlCode)
+    switch (Command)
     {
+        /* Commands 0-5 */
         case SysDbgQueryModuleInformation:
         case SysDbgQueryTraceInformation:
         case SysDbgSetTracepoint:
         case SysDbgSetSpecialCall:
         case SysDbgClearSpecialCalls:
         case SysDbgQuerySpecialCalls:
+
+        /* Command 6 */
+        case SysDbgBreakPoint:
+
+        /* Commands 7-20 - Implemented by KdSystemDebugControl() instead */
         case SysDbgQueryVersion:
         case SysDbgReadVirtual:
         case SysDbgWriteVirtual:
@@ -209,9 +236,12 @@ NtSystemDebugControl(
         case SysDbgReadBusData:
         case SysDbgWriteBusData:
         case SysDbgCheckLowMemory:
+
+        /* Command 29 */
         case SysDbgGetTriageDump:
             return STATUS_NOT_IMPLEMENTED;
-        case SysDbgBreakPoint:
+
+        /* Commands 21-28 */
         case SysDbgEnableKernelDebugger:
         case SysDbgDisableKernelDebugger:
         case SysDbgGetAutoKdEnable:
@@ -220,10 +250,12 @@ NtSystemDebugControl(
         case SysDbgSetPrintBufferSize:
         case SysDbgGetKdUmExceptionEnable:
         case SysDbgSetKdUmExceptionEnable:
+
+        /* Commands 30-31 */
         case SysDbgGetKdBlockEnable:
         case SysDbgSetKdBlockEnable:
             return KdSystemDebugControl(
-                ControlCode,
+                Command,
                 InputBuffer, InputBufferLength,
                 OutputBuffer, OutputBufferLength,
                 ReturnLength, KeGetPreviousMode());

diff --git a/ntoskrnl/kd64/kdapi.c b/ntoskrnl/kd64/kdapi.c
@@ -2171,9 +2171,46 @@ KdDisableDebugger(VOID)
     return KdDisableDebuggerWithLock(TRUE);
 }
 
-/*
- * @unimplemented
- */
+/**
+ * @brief
+ * Perform various queries to the kernel debugger.
+ *
+ * @param[in]   Command
+ * A SYSDBG_COMMAND value describing the kernel debugger command to perform.
+ *
+ * @param[in]   InputBuffer
+ * Pointer to a user-provided input command-specific buffer, whose length
+ * is given by InputBufferLength.
+ *
+ * @param[in]   InputBufferLength
+ * The size (in bytes) of the buffer pointed by InputBuffer.
+ *
+ * @param[out]  OutputBuffer
+ * Pointer to a user-provided command-specific output buffer, whose length
+ * is given by OutputBufferLength.
+ *
+ * @param[in]   OutputBufferLength
+ * The size (in bytes) of the buffer pointed by OutputBuffer.
+ *
+ * @param[out]  ReturnLength
+ * Optional pointer to a ULONG variable that receives the actual length of
+ * data written written in the output buffer. It is always zero, except for
+ * the live dump commands where an actual non-zero length is returned.
+ *
+ * @param[in]   PreviousMode
+ *      FILLME
+ *
+ * @return
+ * STATUS_SUCCESS in case of success, or a proper error code otherwise.
+ *
+ * @remarks
+ * - This is a kernel-mode function, accessible only by kernel-mode drivers.
+ *
+ * @note
+ * See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2339
+ *
+ * @see NtSystemDebugControl()
+ **/
 NTSTATUS
 NTAPI
 KdSystemDebugControl(