lpus-driver/lpus/note.md
2020-06-11 17:17:12 +07:00

Scanning memory is not working well, so we go with pool tag quick scanning instead.
[address in kernel space](https://www.codemachine.com/article_x64kvas.html)
Find the `MmNonPagedPoolStart` and `MmNonPagedPoolEnd` values among the kernel variables.
These two variables are located inside `KdDebuggerDataBlock`, of type `_KDDEBUGGER_DATA64`. `KdDebuggerDataBlock` can be found through `KdVersionBlock`, which is a member of `KPCR`. The `KPCR` pointer can be obtained through `gs:[0x0]`.
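As an added example (not from the lpus notes or driver), a user-mode model of the pool tag quick scanning mentioned at the top: it sweeps a byte range, which in the driver would be `MmNonPagedPoolStart`..`MmNonPagedPoolEnd`, in 16-byte steps for in-use `_POOL_HEADER` chunks carrying a given tag, and confirms each candidate against its successor's `PreviousSize`. The header layout is the x64 `_POOL_HEADER` (16 bytes, sizes in 16-byte units); the 4 KiB page contents are constructed test data, and `put_chunk`/`demo_scan` are helpers of this example only.

```c
#include <stdint.h>
#include <string.h>
#define POOL_GRANULARITY 16  /* x64 pool chunks are 16-byte aligned; sizes count 16-byte units */
typedef struct {             /* x64 _POOL_HEADER layout, 16 bytes */
    uint8_t  PreviousSize, PoolIndex, BlockSize, PoolType;  /* PoolType 0 marks a free chunk */
    uint32_t PoolTag;        /* four ASCII bytes as stored in memory, e.g. "Proc" */
    uint64_t ProcessBilled;  /* not used by the scan */
} pool_header_t;
static uint32_t pool_tag(const char tag[4]) {  /* "Proc" -> 0x636f7250 */
    return (uint32_t)(uint8_t)tag[0] | (uint32_t)(uint8_t)tag[1] << 8 |
           (uint32_t)(uint8_t)tag[2] << 16 | (uint32_t)(uint8_t)tag[3] << 24;
}

/* Sweep [pool, pool+len) and record offsets of in-use chunks tagged `tag`. A bare 4-byte match
 * is not enough: the chunk must have a non-zero size, be in use, fit in the range, and agree
 * with its successor's PreviousSize (skipped when it ends a page, since chunks never straddle one). */
static size_t scan_pool_tag(const uint8_t *pool, size_t len, const char tag[4],
                            size_t *out, size_t max_out) {
    const uint32_t want = pool_tag(tag);
    size_t hits = 0;
    for (size_t off = 0; off + sizeof(pool_header_t) <= len; off += POOL_GRANULARITY) {
        pool_header_t h, n;
        memcpy(&h, pool + off, sizeof h);  /* copy out instead of casting into the buffer */
        if (h.PoolTag != want || h.BlockSize == 0 || h.PoolType == 0) continue;
        size_t next = off + (size_t)h.BlockSize * POOL_GRANULARITY;
        if (next > len) continue;
        if (next % 4096 != 0 && next + sizeof n <= len) {
            memcpy(&n, pool + next, sizeof n);
            if (n.PreviousSize != h.BlockSize) continue;
        }
        if (hits < max_out) out[hits] = off;
        hits++;
    }
    return hits;
}
static void put_chunk(uint8_t *p, size_t off, uint8_t prev, uint8_t size, uint8_t type, const char tag[4]) {
    pool_header_t h = { prev, 0, size, type, pool_tag(tag), 0 };
    memcpy(p + off, &h, sizeof h);
}
static size_t demo_scan(void) {  /* constructed 4 KiB "pool page" as sample input; returns hit count */
    uint8_t page[4096] = {0};
    size_t hits[8];
    put_chunk(page,   48,   3, 4, 1, "Proc");  /* genuine: successor at 112 records PreviousSize 4 */
    put_chunk(page,  112,   4, 2, 0, "Proc");  /* freed chunk: PoolType 0 */
    put_chunk(page,  144,   2, 8, 1, "Thre");
    put_chunk(page,  176,   0, 5, 1, "Proc");  /* planted inside the Thre body: successor mismatch */
    put_chunk(page, 4064, 237, 2, 1, "Proc");  /* genuine: last chunk in the page, no successor */
    return scan_pool_tag(page, sizeof page, "Proc", hits, 8);  /* 2 hits: offsets 48 and 4064 */
}
```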
> Unfortunately this method stopped working in recent versions of Windows. Recently the KdVersionBlock member is always 0 and does not link to the kernel debugger block.
[kdbg.c](https://raw.githubusercontent.com/libvmi/libvmi/master/libvmi/os/windows/kdbg.c)
[KPCR at gs:[0x0]](https://sizzop.github.io/2016/07/07/kernel-hacking-with-hevd-part-3.html)
[finding kdbg](http://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html)
[finding kernel variables](http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html)
[get kernel shellcode](https://github.com/FuzzySecurity/PSKernel-Primitives/blob/master/Get-KernelShellCode.ps1)
[www.rootkit.com artifacts](https://github.com/fdiskyou/www.rootkit.com)
- GetVarXP.pdf
[ghidra on fs/gs and kdbg](https://github.com/NationalSecurityAgency/ghidra/issues/1339)
[big ram kdbg](https://laserkittens.com/big-ram-kernel-debugger-data-block/)
[NO_HAT_2019.pdf](blackstormsecurity.com/docs/NO_HAT_2019.pdf)
> KPCR -> KdVersionBlock -> `_DBGKD_GET_VERSION64` -> `LIST_ENTRY _KDDEBUGGER_DATA64` (`GetDebuggerData()`) -> `_KDDEBUGGER_DATA64 KdDebuggerDataBlock` -> kernel variables
> `_KPCR gs:[0]` -> `_DBGKD_GET_VERSION64 KdVersionBlock` -> `PLIST_ENTRY DebuggerDataList` -> `PLIST_ENTRY Flink` -> `Debugger block`
This only works on x86 Windows; on x64 Windows `KdVersionBlock` is always null.
[KdVersionBlock](https://web.archive.org/web/20061110120809/http://www.rootkit.com/newsread.php?newsid=153)
```c
// Walk KPCR -> KdVersionBlock -> DebuggerDataList -> first _KDDEBUGGER_DATA64 (x64 layout).
static _KDDEBUGGER_DATA64 *FindKdDebuggerDataBlock(void)
{
    // KdVersionBlock sits at offset 0x108 of the x64 _KPCR, which gs points at in kernel mode.
    _DBGKD_GET_VERSION64 *KdVersionBlock = (_DBGKD_GET_VERSION64 *)__readgsqword(0x108);
    // On recent x64 Windows the member is always 0, so the walk has to stop here.
    if (KdVersionBlock == NULL)
        return NULL;
    PLIST_ENTRY dbglist = (PLIST_ENTRY)KdVersionBlock->DebuggerDataList;
    if (dbglist == NULL)
        return NULL;
    // The LIST_ENTRY is the first member of the _KDDEBUGGER_DATA64 header,
    // so the list head's Flink points straight at the block.
    return (_KDDEBUGGER_DATA64 *)dbglist->Flink;
}
```
`AuxKlibQueryModuleInformation` can be used to get all `PsActiveProcessModules`.
[Sample](https://correy.webs.com/articles/computer/c/AuxKlibQueryModuleInformation.C.txt)