2.3 KiB
Scanning the memory is not working well, we go with Pool tag quick scanning
find MmNonPagedPoolStart and MmNonPagedPoolEnd values in kernel variable.
These two variables located inside KdDebuggerDataBlock of type _KDDEBUGGER_DATA64. KdDebuggerDataBlock can be found somewhere in KdVersionBlock. KdVersionBlock is a member of KPCR. KPCR pointer can be get through gs:[0x0]
Unfortunately this method stopped working in recent versions of Windows. Recently the KdVersionBlock member is always 0 and does not link to the kernel debugger block.
- GetVarXP.pdf
KPCR -> KdVersionBlock ->
_DBGKD_GET_VERSION64->LIST_ENTRY _KDDEBUGGER_DATA64(GetDebuggerData()) ->_KDDEBUGGER_DATA64 KdDebuggerDataBlock-> kernel variables
_KPCR gs:[0]->_DBGKD_GET_VERSION64 KdVersionBlock->PLIST_ENTRY DebuggerDataList->PLIST_ENTRY Flink->Debugger block
This only works with windows x86, x64 Windows KdVersionBlock is always null.
_DBGKD_GET_VERSION64* KdVersionBlock;
__asm {
mov eax, gs:[0x108]
mov KdVersionBlock, eax
}
PLIST_ENTRY dbglist = KdVersionBlock->DebuggerDataList;
DebuggerBlock dbgBlock = (DebuggerBlock)*(dbglist->Flink);
AuxKlibQueryModuleInformation to get all PsActiveProcessModules
Sample