Introduction (Page Frame Number) Windows, like almost every other OS, uses a Page Frame Number (PFN) database to keep track of physical pages: which page must be freed or evicted, whether a page needs to be cached, and so on. All of this is managed through a list called […]
Kernel Mode
Inside Windows Page Frame Number (PFN) – Part 2
Converting Physical Address to Virtual Address and Virtual Address to Physical Address MmGetVirtualForPhysical (PA -> VA) One purpose of the PFN database is converting a physical address to a virtual address, but in Windows you can simply call nt!MmGetVirtualForPhysical to convert a physical address to a virtual address; you can see a complete list of Memory […]
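The conversion that nt!MmGetVirtualForPhysical performs can be reproduced by hand: index the PFN database with the page frame number, read the PTE address stored in that _MMPFN entry, and invert the x64 PTE self-map arithmetic. The following script is an added example written for this page, not code from the original post. It assumes the classic, non-randomized x64 PTE base 0xFFFFF68000000000 (builds since Windows 10 1607 randomize it, so read it from the debugger there), sizeof(nt!_MMPFN) == 0x30 and _MMPFN.PteAddress at offset 0x8 (verify with `dt nt!_MMPFN` on your build). The memory reader is injected so the arithmetic can be exercised offline against a constructed memory image; under WinDbg with PyKD you would pass pykd.ptrQWord and the value of nt!MmPfnDatabase.

```python
"""Added example (not from the original post): walking the PFN database by hand
to turn a physical address into the kernel virtual address mapping that page.

Assumptions, labelled because they vary by build:
  * x64 with the classic PTE self-map base 0xFFFFF68000000000
  * sizeof(nt!_MMPFN) == 0x30 and _MMPFN.PteAddress at offset 0x8
"""

PTE_BASE = 0xFFFFF68000000000   # assumed classic x64 PTE self-map base
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1
MMPFN_SIZE = 0x30               # assumed sizeof(nt!_MMPFN)
MMPFN_PTEADDRESS_OFF = 0x8      # assumed offset of _MMPFN.PteAddress
VA_BITS = 48


def sign_extend(value, bits=VA_BITS):
    """Canonicalize a 48-bit virtual address to 64 bits."""
    value &= (1 << bits) - 1
    if value & (1 << (bits - 1)):
        return (value - (1 << bits)) & 0xFFFFFFFFFFFFFFFF
    return value


def pte_address_for_va(va):
    """MiGetPteAddress: the self-mapped PTE array is indexed by the top 36 bits
    of the 48-bit VA (four 9-bit table indices), 8 bytes per PTE."""
    return PTE_BASE + ((va >> 9) & 0x7FFFFFFFF8)


def va_for_pte_address(pte_addr):
    """Inverse of pte_address_for_va: recover the page VA a PTE maps."""
    return sign_extend((pte_addr - PTE_BASE) << 9)


def va_for_pa(pa, pfn_database, read_qword):
    """Resolve a physical address through the PFN database.

    pfn_database: value of nt!MmPfnDatabase (the array base, not its symbol address)
    read_qword:   callable(address) -> 64-bit value (pykd.ptrQWord under WinDbg)
    Returns None when the entry carries no PTE address (free or unmapped page).
    """
    pfn = pa >> PAGE_SHIFT
    entry = pfn_database + pfn * MMPFN_SIZE
    pte_addr = read_qword(entry + MMPFN_PTEADDRESS_OFF)
    if pte_addr == 0:
        return None
    page_va = va_for_pte_address(pte_addr)
    return page_va | (pa & PAGE_MASK)


# Constructed memory image so the walk runs offline: a single _MMPFN entry whose
# PteAddress points at the PTE of the kernel VA 0xFFFFF80000000000.
DEMO_PFN_DATABASE = 0xFFFFFA8000000000          # assumed MmPfnDatabase value
DEMO_PA = 0x1234000 + 0x7C0                    # frame 0x1234, byte offset 0x7C0
DEMO_VA = 0xFFFFF80000000000
DEMO_MEMORY = {
    DEMO_PFN_DATABASE + (DEMO_PA >> PAGE_SHIFT) * MMPFN_SIZE + MMPFN_PTEADDRESS_OFF:
        pte_address_for_va(DEMO_VA),
}


def demo():
    """Run the walk against the constructed image; returns the resolved VA."""
    return va_for_pa(DEMO_PA, DEMO_PFN_DATABASE, lambda addr: DEMO_MEMORY.get(addr, 0))


if __name__ == "__main__":
    print(hex(demo()))
```

Under WinDbg the same call becomes `va_for_pa(pa, pykd.ptrPtr(pykd.getOffset("nt!MmPfnDatabase")), pykd.ptrQWord)`; compare its result with `!pte` and with nt!MmGetVirtualForPhysical before trusting the hard-coded offsets on a new build.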
PyKD Tutorial – part 2
Breakpoints Breakpoints are very useful: with PyKD they let you analyze a program in a better and easier way. The API Reference introduces the setBp function as follows:
setBp( (long)offset [, (object)callback]) -> breakpoint :
    Set software breakpoint on execution
    C++ signature :
        class pykd::Breakpoint * __ptr64 setBp(unsigned __int64 [,class boost::python::api::object {lvalue}])

setBp( (long)offset, (long)size, (int)accessType [, (object)callback]) -> breakpoint :
    Set hardware breakpoint
    C++ signature :
        class pykd::Breakpoint * __ptr64 setBp(unsigned __int64,unsigned __int64,unsigned long [,class boost::python::api::object {lvalue}])
As you can see, setBp takes an address (offset) as its first argument and a Python function as the […]
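A conditional breakpoint built on the software form of setBp, as an added example written for this page (it is not code from the PyKD tutorial). pykd.setBp, pykd.getOffset, pykd.reg, pykd.dprintln and pykd.go are real PyKD calls; the target symbol nt!NtCreateFile and the "stop only when rcx equals a chosen value" condition are illustrative choices. The register reader is injected so the stop/continue decision logic can be exercised outside WinDbg with a constructed sequence of register values.

```python
"""Added example (not from the PyKD tutorial): a conditional breakpoint whose
setBp callback decides on every hit whether the debugger should stop.

The callback contract used by pykd: return True to break into the debugger,
False to resume execution silently.
"""
try:
    import pykd            # only present when running inside WinDbg
except ImportError:        # offline: install() is unavailable, the logic still runs
    pykd = None


def make_conditional_callback(predicate, read_reg, log=print):
    """Build a setBp callback.

    predicate: callable(rcx_value) -> bool, True means 'stop here'
    read_reg:  callable(register_name) -> int (pykd.reg under WinDbg)
    log:       callable(str) used when the condition matches (pykd.dprintln under WinDbg)
    """
    stats = {"hits": 0, "stops": 0}

    def on_hit(*_ignored):            # pykd may pass the breakpoint id; we do not need it
        stats["hits"] += 1
        rcx = read_reg("rcx")         # first argument under the x64 calling convention
        if predicate(rcx):
            stats["stops"] += 1
            log("hit %d: rcx=%#x -> stopping" % (stats["hits"], rcx))
            return True               # break into the debugger
        return False                  # keep going without bothering the user

    on_hit.stats = stats
    return on_hit


def install(symbol, predicate):
    """Set a software breakpoint on `symbol` under WinDbg (requires pykd).
    Returns the breakpoint object and the callback; keep both referenced."""
    if pykd is None:
        raise RuntimeError("pykd is only available inside WinDbg")
    callback = make_conditional_callback(predicate, pykd.reg, pykd.dprintln)
    return pykd.setBp(pykd.getOffset(symbol), callback), callback


def demo(register_trace, wanted):
    """Replay a constructed sequence of rcx values (one per breakpoint hit)
    through the callback and return (stop decisions, hit statistics)."""
    values = iter(register_trace)
    cb = make_conditional_callback(lambda v: v == wanted,
                                   lambda _name: next(values),
                                   log=lambda _msg: None)
    decisions = [cb() for _ in register_trace]
    return decisions, cb.stats


if __name__ == "__main__":
    # Constructed trace: the callback should only stop on the two 0x2c hits.
    print(demo([0x10, 0x2c, 0x10, 0x2c], 0x2c))
```

Inside WinDbg the usage is `bp, cb = install("nt!NtCreateFile", lambda rcx: rcx == 0x...)` followed by `pykd.go()`; keep the returned breakpoint object referenced for as long as you want the breakpoint to exist, since pykd ties the breakpoint's lifetime to it.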
PyKD Tutorial – part 1
Using WinDbg script syntax is annoying enough that almost all reverse engineers have trouble with it, but automating debugging gives you a power that can't easily be ignored. A good solution to this problem is combining the power and simplicity of Python with WinDbg. As you may know, WinDbg also supports C-like […]
Exploring from User-Mode to Kernel-Mode
There were times when I wanted to trace instructions from user mode and continue tracing into kernel mode to reverse Windows' internal implementation with my own parameters supplied from user mode, but there was a big problem: how to access user mode when you are in a kernel debugger, or vice […]
- Debugging
How to get every detail about SSDT , GDT , IDT in a blink of an eye
A few days ago I was looking for something to show me the SSDT and GDT (which are really important in malware analysis because most rootkits are interested in hooking and changing these structures).
• SSDT (System Service Descriptor Table)
• GDT (Global Descriptor Table)
• IDT (Interrupt Descriptor Table)
They're really […]
Change User-Mode application’s virtual address through Kernel Debugging
Well, it's a somewhat odd topic, but sometimes it can be really helpful. So what are those situations? Imagine you need to access Windows structures that aren't available from user-mode debuggers like OllyDbg or through user-mode debugging at all (e.g. memory above 0x7fffffff). In my experience I have seen some conditions where protectors make […]
- Debugging
Kernel Mode Debugging by Windbg
Hey there, today I'm going to show you how to set up kernel-mode debugging using VMware, WinDbg and Windows. So why should you do this? It's clear: everything from kernel-mode driver debugging to searching for zero-days and understanding Windows mechanisms. There are other types of kernel debugging as described in […]
- CPU
A partial survey among non-general purpose registers
Hi guys, in the past few days I was researching non-general-purpose registers, and then I saw the following pictures, which gave me the idea of posting about them. This information might contain some mistakes because of my misunderstanding of some of these registers; if you see any mistake then […]
- Kernel Mode
Assembly Challenge : Jump to a non-relative address without using registers
While developing a dispatch table for some instructions in binaries, one of the challenging problems I faced was changing the registers' state in a way that doesn't affect the program flow! It might seem simple at first glance, but what makes it complex is that I can't use relative jumps or relative calls […]