Merge branch 'dev'

MagnetForensics · Mar 31, 2017 · f551c3d · f551c3d
2 parents 207ca90 + 6ab27cb
commit f551c3d
Show file tree

Hide file tree

Showing 9 changed files with 325 additions and 140 deletions.
diff --git a/SwishDbgExt/EngExpCppEx.h b/SwishDbgExt/EngExpCppEx.h
@@ -41,12 +41,12 @@ IsValid(
     ULONG64 Pointer
 );
 
-LPSTR
+PSTR
 GetNameByOffset(
-    ULONG64 Offset,
-    LPSTR Name,
-    ULONG NameSize
-);
+    _In_ ULONG64 Offset,
+    _Out_writes_(Length) PSTR Buffer,
+    _In_ ULONG Length
+    );
 
 BOOLEAN
 IsPointerHooked(

diff --git a/SwishDbgExt/EngExtCppEx.cpp b/SwishDbgExt/EngExtCppEx.cpp
@@ -425,12 +425,12 @@ Return Value:
     // return SIGN_EXTEND(Pointer);
 }
 
-LPSTR
+PSTR
 GetNameByOffset(
     _In_ ULONG64 Offset,
-    _Out_writes_(NameSize) LPSTR Name,
-    _In_ ULONG NameSize
-)
+    _Out_writes_(Length) PSTR Buffer,
+    _In_ ULONG Length
+    )
 /*++
 
 Routine Description:
@@ -449,20 +449,26 @@ Return Value:
 
 --*/
 {
-    HRESULT hResult;
-    RtlZeroMemory(Name, NameSize);
+    CHAR DisplacementString[MAX_PATH];
+    ULONG64 Displacement;
+    ULONG BytesRead;
 
-    if (Offset)
-    {
-        // TODO: GetOffsetSymbol()
-        hResult = g_Ext->m_Symbols->GetNameByOffset(Offset, (PSTR)Name, NameSize, NULL, NULL);
-        if (hResult != S_OK)
-        {
-            strcpy_s((LPSTR)Name, NameSize, "*UNKNOWN*");
+    Buffer[0] = '\0';
+
+    if (Offset) {
+
+        if (g_Ext->m_Symbols->GetNameByOffset(Offset, (PSTR)Buffer, Length, &BytesRead, &Displacement) == S_OK) {
+
+            if (Displacement != 0) {
+
+                StringCchPrintf(DisplacementString, _countof(DisplacementString), "+0x%x", Displacement);
+
+                StringCchCat(Buffer, Length - _tcslen(Buffer), DisplacementString);
+            }
         }
     }
 
-    return Name;
+    return Buffer;
 }
 
 BOOLEAN

diff --git a/SwishDbgExt/Objects.cpp b/SwishDbgExt/Objects.cpp
@@ -78,7 +78,7 @@ Return Value:
 
         if (!ObTypeInit)
         {
-            ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", GetExpression("nt!ObTypeIndexTable"));
+            ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", ObTypeIndexTableAddress);
             ObTypeInit = TRUE;
         }
 
@@ -95,7 +95,7 @@ Return Value:
 
             HandleObj->ObjectTypeIndex = ObjHeader.Field("TypeIndex").GetUchar();
 
-            if (g_Ext->m_Data->ReadVirtual(GetExpression("nt!ObHeaderCookie"), &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) {
+            if (g_Ext->m_Data->ReadVirtual(ObHeaderCookieAddress, &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) {
 
                 HandleObj->ObjectTypeIndex = (((ObjHeaderAddr >> 8) & 0xff) ^ HandleObj->ObjectTypeIndex) ^ HeaderCookie;
             }
@@ -230,7 +230,7 @@ Return Value:
 
     if (!ObjectDir)
     {
-        ReadPointer(GetExpression("nt!ObpRootDirectoryObject"), &ObjectDir);
+        ReadPointer(ObpRootDirectoryObjectAddress, &ObjectDir);
     }
 
     Directory = ExtRemoteTyped("(nt!_OBJECT_DIRECTORY *)@$extin", ObjectDir);

diff --git a/SwishDbgExt/Process.cpp b/SwishDbgExt/Process.cpp
@@ -177,20 +177,26 @@ Return Value:
 
 --*/
 {
-    RtlZeroMemory(&mm_CcDllObject, sizeof(mm_CcDllObject));
+    try {
+
+        RtlZeroMemory(&mm_CcDllObject, sizeof(mm_CcDllObject));
 
-    if (m_TypedObject.GetPtr()) {
+        if (m_TypedObject.GetPtr()) {
 
-        m_ImageBase = m_TypedObject.Field("DllBase").GetPtr();
-        m_ImageSize = m_TypedObject.Field("SizeOfImage").GetUlong();
+            m_ImageBase = m_TypedObject.Field("DllBase").GetPtr();
+            m_ImageSize = m_TypedObject.Field("SizeOfImage").GetUlong();
 
-        if (m_TypedObject.HasField("LoadTime")) {
+            ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("FullDllName"), (PWSTR)&mm_CcDllObject.FullDllName, sizeof(mm_CcDllObject.FullDllName));
+            ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("BaseDllName"), (PWSTR)&mm_CcDllObject.DllName, sizeof(mm_CcDllObject.DllName));
 
-            mm_CcDllObject.LoadTime.QuadPart = m_TypedObject.Field("LoadTime.QuadPart").GetUlong64();
+            if (m_TypedObject.HasField("LoadTime")) {
+
+                mm_CcDllObject.LoadTime.QuadPart = m_TypedObject.Field("LoadTime.QuadPart").GetUlong64();
+            }
         }
+    }
+    catch (...) {
 
-        ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("FullDllName"), (PWSTR)&mm_CcDllObject.FullDllName, sizeof(mm_CcDllObject.FullDllName));
-        ExtRemoteTypedEx::GetUnicodeString(m_TypedObject.Field("BaseDllName"), (PWSTR)&mm_CcDllObject.DllName, sizeof(mm_CcDllObject.DllName));
     }
 }
 
@@ -498,6 +504,9 @@ Return Value:
             for (Dlls.First(); !Dlls.IsDone(); Dlls.Next()) {
 
                 MsDllObject Object = Dlls.Current();
+
+                Object.mm_CcDllObject.LoadTime.QuadPart = 0;
+
                 m_DllList.push_back(Object);
             }
         }

diff --git a/SwishDbgExt/Registry.cpp b/SwishDbgExt/Registry.cpp
@@ -224,8 +224,8 @@ GetKeyNode(
 
     try {
 
-        ReadPointer(GetExpression("nt!CmpMasterHive"), &CmpMasterHive);
-        ReadPointer(GetExpression("nt!CmpRegistryRootObject"), &CmpRegistryRootObject);
+        ReadPointer(CmpMasterHiveAddress, &CmpMasterHive);
+        ReadPointer(CmpRegistryRootObjectAddress, &CmpRegistryRootObject);
 
         ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", CmpMasterHive);
         ExtRemoteTyped KeyBody("(nt!_CM_KEY_BODY *)@$extin", CmpRegistryRootObject);

diff --git a/SwishDbgExt/SwishDbgExt.cpp b/SwishDbgExt/SwishDbgExt.cpp
@@ -49,6 +49,15 @@ BOOLEAN g_Verbose = FALSE;
 #endif
 
 
+ULONG64 KeNumberProcessorsAddress;
+ULONG64 KiProcessorBlockAddress;
+ULONG64 ObpRootDirectoryObjectAddress;
+ULONG64 ObTypeIndexTableAddress;
+ULONG64 ObHeaderCookieAddress;
+ULONG64 CmpRegistryRootObjectAddress;
+ULONG64 CmpMasterHiveAddress;
+
+
 class EXT_CLASS : public ExtExtension
 {
 public:
@@ -137,6 +146,16 @@ class EXT_CLASS : public ExtExtension
                 "       under certain conditions; type `show c' for details.\n",
                 EXT_VERSION, __DATE__);
 
+        KeNumberProcessorsAddress = GetExpression("nt!KeNumberProcessors");
+        KiProcessorBlockAddress = GetExpression("nt!KiProcessorBlock");
+
+        ObpRootDirectoryObjectAddress = GetExpression("nt!ObpRootDirectoryObject");
+        ObTypeIndexTableAddress = GetExpression("nt!ObTypeIndexTable");
+        ObHeaderCookieAddress = GetExpression("nt!ObHeaderCookie");
+
+        CmpRegistryRootObjectAddress = GetExpression("nt!CmpRegistryRootObject");
+        CmpMasterHiveAddress = GetExpression("nt!CmpMasterHive");
+
         DebugControl->Release();
         DebugClient->Release();
 
@@ -1648,27 +1667,27 @@ EXT_COMMAND(ms_idt,
     "{base;ed,o;base;Display information for a given idt}")
 {
     ULONG64 IdtBase = GetArgU64("base", FALSE);
-    vector<IDT_OBJECT> Idts = GetInterrupts(IdtBase);
+    vector<IDT_ENTRY> IdtEntries = GetInterrupts(IdtBase);
 
     Dml("    |-----|-----|--------------------|--------------------------------------------------------|---------|--------|\n"
         "    | <col fg=\"emphfg\">%-3s</col> | <col fg=\"emphfg\">%-3s</col> | <col fg=\"emphfg\">%-18s</col> | <col fg=\"emphfg\">%-54s</col> | <col fg=\"emphfg\">%-7s</col> | <col fg=\"emphfg\">%-6s</col> |\n"
         "    |-----|-----|--------------------|--------------------------------------------------------|---------|--------|\n",
         "Cre", "Idx", "Address", "Name", "Patched", "Hooked");
 
-    for each (IDT_OBJECT Idt in Idts)
-    {
-        UCHAR Name[512] = { 0 };
+    for each (IDT_ENTRY IdtEntry in IdtEntries) {
+
+        CHAR Name[MAX_PATH] = {0};
+
+        if (IdtEntry.Address) {
 
-        if (Idt.Entry)
-        {
             Dml("    | %3d | %3d | <link cmd = \"u 0x%016I64X L5\">0x%016I64X</link> | %-54s | <col fg=\"changed\">%-7s</col> | <col fg=\"changed\">%-6s</col> |\n",
-                Idt.CoreIndex,
-                Idt.Index,
-                Idt.Entry,
-                Idt.Entry,
-                GetNameByOffset(Idt.Entry, (PSTR)Name, _countof(Name)),
-                Idt.Entry ? "" : "",
-                IsPointerHooked(Idt.Entry) ? "Yes" : "No");
+                IdtEntry.CoreIndex,
+                IdtEntry.Index,
+                IdtEntry.Address,
+                IdtEntry.Address,
+                GetNameByOffset(IdtEntry.Address, (PSTR)Name, _countof(Name)),
+                IdtEntry.Address ? "" : "",
+                IsPointerHooked(IdtEntry.Address) ? "Yes" : "");
         }
     }
 }

diff --git a/SwishDbgExt/SwishDbgExt.h b/SwishDbgExt/SwishDbgExt.h
@@ -110,6 +110,13 @@ extern "C" {
 //
 
 extern BOOLEAN g_Verbose;
+extern ULONG64 KeNumberProcessorsAddress;
+extern ULONG64 KiProcessorBlockAddress;
+extern ULONG64 ObpRootDirectoryObjectAddress;
+extern ULONG64 ObTypeIndexTableAddress;
+extern ULONG64 ObHeaderCookieAddress;
+extern ULONG64 CmpRegistryRootObjectAddress;
+extern ULONG64 CmpMasterHiveAddress;
 
 VOID
 ReleaseObjectTypeTable(