progmboy/win32kext

win32kext

WinDbg plugin for win32k debugging

Usage

gh     [object handle]               -- HMGR entry of handle (GDI object like DC/BITMAP/PALETTE etc)
uh     [object handle]               -- USER entry of handle (USER object like WINDOW/MENU etc)
duh    [-h]                          -- Dump USER entry of handle (USER object like WINDOW/MENU etc)
dgh    [-h]                          -- Dump HMGR entry of handle (GDI object like DC/BITMAP/PALETTE etc)
dpsurf [SURFACE ptr]                 -- SURFACE
dpso   [SURFOBJ ptr]                 -- SURFACE struct from SURFOBJ
dr     [REGION ptr]                  -- REGION
cr     [REGION ptr]                  -- check REGION
dppal  [PALETTE ptr]                 -- PALETTE
help                                 -- show help

Example

kd> !gh rcx
Object Type         DC(1)
Handle              0x18010665
Object              0xffffa03dc4838010
kd> dq 0xffffa03dc4838010+1f8 l1
ffffa03d`c4838208  ffffa03d`c02a4b00
kd> !dpsurf ffffa03d`c02a4b00
!!!WARNING!!!surface struct has been changed(our=(0x278, system=0x2b8) please check it.and the information may be wrong
SURFACE structure at 0xffffa03dc02a4b00:
--------------------------------------------------
DHSURF          dhsurf        0x0000000000000000
HSURF           hsurf         0x000000000005068a
DHPDEV          dhpdev        0x0000000000000000
HDEV            hdev          0xffffa03dc001c010
SIZEL           sizlBitmap.cx 0x63d
SIZEL           sizlBitmap.cy 0x32
ULONG           cjBits        0x4dfa8
PVOID           pvBits        0x00000000046e0000
PVOID           pvScan0       0x00000000046e0000
LONG            lDelta        0x18f4
ULONG           iUniq         0x940
ULONG           iBitmapFormat 0x6, BMF_32BPP
USHORT          iType         0x0, STYPE_BITMAP
USHORT          fjBitmap      0x811
PPALETTE        ppal          0xffffa03dc3d33e10
--------------------------------------------------
1: kd> !duh -h
Usage: !duh [args]

args list:
-p [process] filter object by process
-t [type id] filter object by type id
   valid type:
   id:1 - Window
   id:2 - Menu
   id:3 - Cursor
   id:4 - DeferWindowPos
   id:5 - WindowHook
   id:6 - MemoryHandle
   id:7 - CPD
   id:8 - AcceleratorTable
   id:9 - CsDde
   id:10 - Conversation
   id:11 - pxs
   id:12 - Monitor
   id:13 - Keyboard
   id:14 - KeyboardLayout
   id:15 - EventHook
   id:16 - Timer
   id:17 - InputContext
   id:18 - HidData
   id:20 - TouchInputInfo
   id:21 - GestureInfo
   id:23 - BaseWindow
example:
!duh
    will dump user object in system
!duh -p 0xffffffff13450080
    will dump user object create by process 0xffffffff13450080
!duh -t 1
    will dump all window object
!duh -t 1 -p 0xffffffff13450080
    will dump all window object create by process 0xffffffff13450080

Example

1: kd> !duh
Total 0x380 handles
handle=0x00010002 object=0xffffa99640830000 process=0xffffc409f16d4080 type=(01)Window        
handle=0x00010003 object=0xffffa99640850000 process=0xffffc409f16d4080 type=(03)Cursor        
handle=0x00010004 object=0xffffa99640830150 process=0xffffc409f16d4080 type=(01)Window        
handle=0x00010005 object=0xffffa996408500a0 process=0xffffc409f16d4080 type=(03)Cursor        
handle=0x00010006 object=0xffffa996408302a0 process=0xffffc409f16d4080 type=(01)Window  

1: kd> !duh -p 0xffffc409f16d4080 -t 1
Total 0x380 handles
handle=0x00010002 object=0xffffa99640830000 process=0xffffc409f16d4080 type=(01)Window        
handle=0x00010004 object=0xffffa99640830150 process=0xffffc409f16d4080 type=(01)Window        
handle=0x00010006 object=0xffffa996408302a0 process=0xffffc409f16d4080 type=(01)Window        
handle=0x00010008 object=0xffffa996408303f0 process=0xffffc409f16d4080 type=(01)Window        
handle=0x0001000a object=0xffffa99640830540 process=0xffffc409f16d4080 type=(01)Window        
handle=0x0001000c object=0xffffa99640830690 process=0xffffc409f16d4080 type=(01)Window        
user control-c break

1: kd> !duh -t 1
Total 0x380 handles
handle=0x00010002 object=0xffffa99640830000 process=0xffffc409f16d4080 type=(01)Window        w        
handle=0x00020016 object=0xffffa99640832e70 process=0xffffc409f168e240 type=(01)Window        
handle=0x00020018 object=0xffffa99640832d20 process=0xffffc409e96c1080 type=(01)Window        
handle=0x0002001a object=0xffffa99640832bd0 process=0xffffc409e96c1080 type=(01)Window        
handle=0x0003001c object=0xffffa99640832a80 process=0xffffc409f168e240 type=(01)Window        
user control-c break


1: kd> !dgh -h
Usage: !dgh [args]

args list:
-p [process] filter object by process
-t [type id] filter object by type id
   valid type:
   id:1 - DC
   id:2 - ColorTransform
   id:4 - Rgn
   id:5 - Bitmap
   id:7 - Path
   id:8 - Palette
   id:9 - ColorSpace
   id:10 - Font
   id:14 - ColorTransform
   id:15 - Sprite
   id:16 - Brush
   id:18 - LogicSurface
   id:19 - Space
   id:21 - ServerMetafile
   id:28 - Driver
   id:138 - Font2
example:
!dgh
    will dump gdi object in system
!dgh -p 0xffffffff13450080
    will dump gdi object create by process 0xffffffff13450080
!dgh -t 5
    will dump all bitmap object
!dgh -t 1 -p 0xffffffff13450080
    will dump all bitmap object create by process 0xffffffff13450080

Example

1: kd> !dgh -t 5
Handle:0x0085000f Object=0xffffa99640890000 Type=Bitmap(5) entry=0xffffa99640a00168 processx=0x0
Handle:0x0005001d Object=0xffffa99640890580 Type=Bitmap(5) entry=0xffffa99640a002b8 processx=0x0
Handle:0x00050031 Object=0xffffa996408902c0 Type=Bitmap(5) entry=0xffffa99640a00498 processx=0x0
Handle:0x00050032 Object=0xffffa99640890840 Type=Bitmap(5) entry=0xffffa99640a004b0 processx=0x0
Handle:0x00050033 Object=0xffffa99640890b00 Type=Bitmap(5) entry=0xffffa99640a004c8 processx=0x0

1: kd> !dgh
Handle:0x0004000a Object=0xffffa99640602d00 Type=Rgn(4) entry=0xffffa99640a000f0 processx=0x0
Handle:0x0088000b Object=0xffffa996408e0000 Type=Palette(8) entry=0xffffa99640a00108 processx=0x0
Handle:0x0008000c Object=0xffffa996408e0090 Type=Palette(8) entry=0xffffa99640a00120 processx=0x0
Handle:0x0008000d Object=0xffffa996408e0120 Type=Palette(8) entry=0xffffa99640a00138 processx=0x0
Handle:0x0008000e Object=0xffffa996408e01b0 Type=Palette(8) entry=0xffffa99640a00150 processx=0x0
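To get more out of the handles that !gh and !dgh print, here is an added Python example (not part of the plugin) that parses !dgh output lines copied from the session above, decodes each handle, cross-checks the type id encoded in the handle against the type the extension printed, and recovers the HMGR table base and entry stride from the entry addresses. It assumes the standard win32k GDI handle layout, which this README does not state: index in the low 16 bits, type id in bits 16-22, stock-object flag in bit 23, reuse counter in the top byte.

```python
import re
# GDI handle bit layout. Assumed here, not stated on this page: the standard
# win32k layout (index in the low 16 bits, type id in bits 16-22, stock-object
# flag in bit 23, reuse counter in the top byte).
INDEX_MASK, TYPE_SHIFT, TYPE_MASK, STOCK_BIT, UNIQUE_SHIFT = 0xFFFF, 16, 0x7F, 1 << 23, 24

# Type ids exactly as listed in the "!dgh -h" help text above.
GDI_TYPES = {1: "DC", 2: "ColorTransform", 4: "Rgn", 5: "Bitmap", 7: "Path",
             8: "Palette", 9: "ColorSpace", 10: "Font", 14: "ColorTransform",
             15: "Sprite", 16: "Brush", 18: "LogicSurface", 19: "Space",
             21: "ServerMetafile", 28: "Driver", 138: "Font2"}

LINE_RE = re.compile(r"Handle:(0x[0-9a-f]+)\s+Object=(0x[0-9a-f]+)\s+Type=\w+\((\d+)\)"
                     r"\s+entry=(0x[0-9a-f]+)", re.I)

def decode_handle(handle):
    # Split a GDI handle into index, type id, stock flag and uniqueness byte.
    return {"index": handle & INDEX_MASK, "type_id": (handle >> TYPE_SHIFT) & TYPE_MASK,
            "stock": bool(handle & STOCK_BIT), "unique": (handle >> UNIQUE_SHIFT) & 0xFF}

def parse_dgh(text):
    # One record per !dgh line; 'consistent' is False when the type id encoded
    # in the handle disagrees with the type id the extension printed for it.
    records = []
    for m in LINE_RE.finditer(text):
        rec = decode_handle(int(m.group(1), 16))
        rec.update(object=int(m.group(2), 16), printed_id=int(m.group(3)),
                   entry=int(m.group(4), 16))
        rec["type_name"] = GDI_TYPES.get(rec["type_id"], "unknown")
        rec["consistent"] = rec["type_id"] == rec["printed_id"]
        records.append(rec)
    return records

def infer_table_layout(records):
    # (base, size) with entry == base + index * size for every record, else None.
    a, b = records[0], records[1]
    size, rem = divmod(b["entry"] - a["entry"], b["index"] - a["index"])
    base = a["entry"] - a["index"] * size
    if rem or any(r["entry"] != base + r["index"] * size for r in records):
        return None
    return base, size

# Lines copied from the !dgh sessions above.
SAMPLE = """\
Handle:0x0085000f Object=0xffffa99640890000 Type=Bitmap(5) entry=0xffffa99640a00168 processx=0x0
Handle:0x0005001d Object=0xffffa99640890580 Type=Bitmap(5) entry=0xffffa99640a002b8 processx=0x0
Handle:0x0088000b Object=0xffffa996408e0000 Type=Palette(8) entry=0xffffa99640a00108 processx=0x0
Handle:0x0004000a Object=0xffffa99640602d00 Type=Rgn(4) entry=0xffffa99640a000f0 processx=0x0
"""
```

On the lines above, parse_dgh marks the two handles with bit 23 set (0x0085000f and 0x0088000b) as stock objects, and infer_table_layout returns a table base of 0xffffa99640a00000 with a 0x18-byte entry stride.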

Supported systems

!!!ONLY TESTED ON!!! Windows 10 1803 and 1903, 64-bit

When the plugin's built-in struct size does not match the running system's, it prints a warning like the one in the !dpsurf example above, and the dumped fields may be wrong.

Why not 32-bit?

Guys, you need to change your computer.

TODO

  • DC OBJECT
  • BRUSH OBJECT
  • WINDOW OBJECT
  • MENU OBJECT
  • PDEV OBJECT
  • DUMP HANDLE
  • FONT OBJECT
  • DCOMP OBJECT

Thanks to

SimpleOpt