WinDBG - the Fun Way: Part 2

09 Apr, 21
Tags:
67
5
0
WINDBG_LOGO

In the first part we got to know the basics of the new debugger data model — Using the new objects, having custom registers, searching and filtering output, declaring anonymous types and parsing lists and arrays. In this part we will learn how to use legacy commands with dx, get to know the amazing new disassembler, create synthetic methods and types, see the fancy changes to breakpoints and use the filesystem from within the debugger.

This sounds like a lot. Because it is. So let’s start!

Legacy Commands

This new data model completely changes the debugging experience. But sometimes you do need to use one of the old commands or extensions that we all got used to, and that don’t have a matching functionality under dx.

But we can still use these under dx with Debugger.Utility.Control.ExecuteCommand, which lets us run a legacy command as part of a dx query. For example, we can use the legacy u command to unassemble the address that is pointed to by RIP in our second stack frame.

Since dx output is decimal by default and legacy commands only take hex input we first need to convert it to hex using ToDisplayString("x"):

dx Debugger.Utility.Control.ExecuteCommand("u " + @$curstack.Frames[1].Attributes.InstructionOffset.ToDisplayString("x"))
Debugger.Utility.Control.ExecuteCommand("u " + @$curstack.Frames[1].Attributes.InstructionOffset.ToDisplayString("x"))                
    [0x0]     : kdnic!TXTransmitQueuedSends+0x125:
    [0x1]     : fffff807`52ad2b61 4883c430        add     rsp,30h
    [0x2]     : fffff807`52ad2b65 5b              pop     rbx
    [0x3]     : fffff807`52ad2b66 c3              ret
    [0x4]     : fffff807`52ad2b67 4c8d4370        lea     r8,[rbx+70h]
    [0x5]     : fffff807`52ad2b6b 488bd7          mov     rdx,rdi
    [0x6]     : fffff807`52ad2b6e 488d4b60        lea     rcx,[rbx+60h]
    [0x7]     : fffff807`52ad2b72 4c8b15d7350000  mov     r10,qword ptr [kdnic!_imp_ExInterlockedInsertTailList (fffff807`52ad6150)]
    [0x8]     : fffff807`52ad2b79 e8123af8fb      call    nt!ExInterlockedInsertTailList (fffff807`4ea56590)

Another useful legacy command is !irp. This command supplies us with a lot of information about IRPs, so no need to work hard to recreate it with dx.

So we will try to run !irp for all IRPs in lsass.exe process. Let’s walk through that:

First, we need to find the process container for lsass.exe. We already know how to do that using Where(). Then we’ll pick the first process returned. Usually there should only be one lsass anyway, unless there are server silos on the machine:

dx @$lsass = @$cursession.Processes.Where(p => p.Name == “lsass.exe”).First()

Then we need to iterate over IrpList for each thread in the process and get the IRPs themselves. We can easily do that with FromListEntry() that we’ve seen already. Then we only pick the threads that have IRPs in their list:

dx -r4 @$irpThreads = @$lsass.Threads.Select(t => new {irp = Debugger.Utility.Collections.FromListEntry(t.KernelObject.IrpList, "nt!_IRP", "ThreadListEntry")}).Where(t => t.irp.Count() != 0)
@$irpThreads = @$lsass.Threads.Select(t => new {irp = 
Debugger.Utility.Collections.FromListEntry(t.KernelObject.IrpList, "nt!_IRP", "ThreadListEntry")}).Where(t => t.irp.Count() != 0)                
    [0x384]         
        irp             
            [0x0]            [Type: _IRP]
                [<Raw View>]     [Type: _IRP]
                IoStack          : Size = 12, Current IRP_MJ_DIRECTORY_CONTROL / 0x2 for Device for "\FileSystem\Ntfs"
                CurrentThread    : 0xffffb90a59477080 [Type: _ETHREAD *]
            [0x1]            [Type: _IRP]
                [<Raw View>]     [Type: _IRP]
                IoStack          : Size = 12, Current IRP_MJ_DIRECTORY_CONTROL / 0x2 for Device for "\FileSystem\Ntfs"
                CurrentThread    : 0xffffb90a59477080 [Type: _ETHREAD *]

We can stop here for a moment, click on IoStack for one of the IRPs (or run with -r5 to see all of them) and get the stack in a nice container we can work with:

dx @$irpThreads.First().irp[0].IoStack
@$irpThreads.First().irp[0].IoStack                 : Size = 12, Current IRP_MJ_DIRECTORY_CONTROL / 0x2 for Device for "\FileSystem\Ntfs"
    [0]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [1]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [2]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [3]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [4]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [5]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [6]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [7]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [8]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [9]              : IRP_MJ_CREATE / 0x0 for {...} [Type: _IO_STACK_LOCATION]
    [10]             : IRP_MJ_DIRECTORY_CONTROL / 0x2 for Device for "\FileSystem\Ntfs" [Type: _IO_STACK_LOCATION]
    [11]             : IRP_MJ_DIRECTORY_CONTROL / 0x2 for Device for "\FileSystem\FltMgr" [Type: _IO_STACK_LOCATION]

And as the final step we will iterate over every thread, and over every IRP in them, and ExecuteCommand !irp <irp address>. Here too we need casting and ToDisplayString("x") to match the format expected by legacy commands (the output of !irp is very long so we trimmed it down to focus on the interesting data):

dx -r3 @$irpThreads.Select(t => t.irp.Select(i => Debugger.Utility.Control.ExecuteCommand("!irp " + ((__int64)&i).ToDisplayString("x"))))
@$irpThreads.Select(t => t.irp.Select(i => Debugger.Utility.Control.ExecuteCommand("!irp " + ((__int64)&i).ToDisplayString("x"))))                
    [0x384]         
        [0x0]           
            [0x0]            : Irp is active with 12 stacks 11 is current (= 0xffffb90a5b8f4d40)
            [0x1]            :  No Mdl: No System Buffer: Thread ffffb90a59477080:  Irp stack trace.  
            [0x2]            :      cmd  flg cl Device   File     Completion-Context
            [0x3]            :  [N/A(0), N/A(0)]
            ...
            [0x34]           : Irp Extension present at 0xffffb90a5b8f4dd0:
        [0x1]           
            [0x0]            : Irp is active with 12 stacks 11 is current (= 0xffffb90a5bd24840)
            [0x1]            :  No Mdl: No System Buffer: Thread ffffb90a59477080:  Irp stack trace.  
            [0x2]            :      cmd  flg cl Device   File     Completion-Context
            [0x3]            :  [N/A(0), N/A(0)]
            ...
            [0x34]           : Irp Extension present at 0xffffb90a5bd248d0:

Most of the information given to us by !irp we can get by parsing the IRPs with dx and dumping the IoStack for each. But there are a few things we might have a harder time to get but receive from the legacy command such as the existence and address of an IrpExtension and information about a possible Mdl linked to the Irp.

Disassembler

We used the u command as an example, though in this case there actually is functionality implementing this in dx, through Debugger.Utility.Code.CreateDisassember and DisassembleBlock, creating iterable and searchable disassembly:

dx -r3 Debugger.Utility.Code.CreateDisassembler().DisassembleBlocks(@$curstack.Frames[1].Attributes.InstructionOffset)
Debugger.Utility.Code.CreateDisassembler().DisassembleBlocks(@$curstack.Frames[1].Attributes.InstructionOffset)                
    [0xfffff80752ad2b61] : Basic Block [0xfffff80752ad2b61 - 0xfffff80752ad2b67)
        StartAddress     : 0xfffff80752ad2b61
        EndAddress       : 0xfffff80752ad2b67
        Instructions    
            [0xfffff80752ad2b61] : add         rsp,30h
            [0xfffff80752ad2b65] : pop         rbx
            [0xfffff80752ad2b66] : ret
    [0xfffff80752ad2b67] : Basic Block [0xfffff80752ad2b67 - 0xfffff80752ad2b7e)
        StartAddress     : 0xfffff80752ad2b67
        EndAddress       : 0xfffff80752ad2b7e
        Instructions    
            [0xfffff80752ad2b67] : lea         r8,[rbx+70h]
            [0xfffff80752ad2b6b] : mov         rdx,rdi
            [0xfffff80752ad2b6e] : lea         rcx,[rbx+60h]
            [0xfffff80752ad2b72] : mov         r10,qword ptr [kdnic!__imp_ExInterlockedInsertTailList (fffff80752ad6150)]
            [0xfffff80752ad2b79] : call        ntkrnlmp!ExInterlockedInsertTailList (fffff8074ea56590)
    [0xfffff80752ad2b7e] : Basic Block [0xfffff80752ad2b7e - 0xfffff80752ad2b80)
        StartAddress     : 0xfffff80752ad2b7e
        EndAddress       : 0xfffff80752ad2b80
        Instructions    
            [0xfffff80752ad2b7e] : jmp         kdnic!TXTransmitQueuedSends+0xd0 (fffff80752ad2b0c)
    [0xfffff80752ad2b80] : Basic Block [0xfffff80752ad2b80 - 0xfffff80752ad2b81)
        StartAddress     : 0xfffff80752ad2b80
        EndAddress       : 0xfffff80752ad2b81
        Instructions
   ...

And the cleaned-up version, picking only the instructions and flattening the tree:

dx -r2 Debugger.Utility.Code.CreateDisassembler().DisassembleBlocks(@$curstack.Frames[1].Attributes.InstructionOffset).Select(b => b.Instructions).Flatten()
Debugger.Utility.Code.CreateDisassembler().DisassembleBlocks(@$curstack.Frames[1].Attributes.InstructionOffset).Select(b => b.Instructions).Flatten()                
    [0x0]           
        [0xfffff80752ad2b61] : add         rsp,30h
        [0xfffff80752ad2b65] : pop         rbx
        [0xfffff80752ad2b66] : ret
    [0x1]           
        [0xfffff80752ad2b67] : lea         r8,[rbx+70h]
        [0xfffff80752ad2b6b] : mov         rdx,rdi
        [0xfffff80752ad2b6e] : lea         rcx,[rbx+60h]
        [0xfffff80752ad2b72] : mov         r10,qword ptr [kdnic!__imp_ExInterlockedInsertTailList (fffff80752ad6150)]
        [0xfffff80752ad2b79] : call        ntkrnlmp!ExInterlockedInsertTailList (fffff8074ea56590)
    [0x2]           
        [0xfffff80752ad2b7e] : jmp         kdnic!TXTransmitQueuedSends+0xd0 (fffff80752ad2b0c)
    [0x3]           
        [0xfffff80752ad2b80] : int         3
    [0x4]           
        [0xfffff80752ad2b81] : int         3
   ...

Synthetic Methods

Another functionality that we get with this debugger data model is to create functions of our own and use them, with this syntax:

0: kd> dx @$multiplyByThree = (x => x * 3)
@$multiplyByThree = (x => x * 3)
0: kd> dx @$multiplyByThree(5)
@$multiplyByThree(5) : 15

Or we can have functions taking multiple arguments:

0: kd> dx @$add = ((x, y) => x + y)
@$add = ((x, y) => x + y)
0: kd> dx @$add(5, 7)
@$add(5, 7)      : 12

Or if we want to really go a few levels up, we can apply these functions to the disassembly output we saw earlier to find all writes into memory in ZwSetInformationProcess. For that there are a few checks we need to apply to each instruction to know whether or not it’s a write into memory:

  • Does it have at least 2 operands?
    For example, ret will have zero and jmp <address> will have one. We only care about cases where one value is being written into some location, which will always require two operands. To verify that we will check for each instruction Operands.Count() > 1.
  • Is this a memory reference?
    We are only interested in writes into memory and want to ignore instructions like mon r10, rcx. To do that, we will check for each instruction its Operands[0].Attributes.IsMemoryReference == true.
    We check Operands[0] because that will be the destination. If we wanted to find memory reads we would have checked the source, which is in Operands[1].
  • Is the destination operand an output?
    We want to filter out instructions where memory is referenced but not written into. To check that we will use Operands[0].IsOutput == true.
  • As our last filter we want to ignore memory writes into the stack, which will look like mov [rsp+0x18], 1 or mov [rbp-0x10], rdx.
    We will check the register of the first operand and make sure its index is not the rsp index (0x14) or rbp index (0x15).

We will write a function, @$isMemWrite, that receives a block and only returns the instructions that contain a memory write, based in these checks. Then we can create a disassembler, disassemble our target function and only print the memory writes in it:

dx -r0 @$rspId = 0x14
dx -r0 @$rbpId = 0x15
dx -r0 @$isMemWrite = (b => b.Instructions.Where(i => i.Operands.Count() > 1 && i.Operands[0].Attributes.IsOutput && i.Operands[0].Registers[0].Id != @$rspId && i.Operands[0].Registers[0].Id != @$rbpId && i.Operands[0].Attributes.IsMemoryReference))
dx -r0 @$findMemWrite = (a => Debugger.Utility.Code.CreateDisassembler().DisassembleBlocks(a).Select(b => @$isMemWrite(b)))
dx -r2 @$findMemWrite(&nt!ZwSetInformationProcess).Where(b => b.Count() != 0)
@$findMemWrite(&nt!ZwSetInformationProcess).Where(b => b.Count() != 0)                
    [0xfffff8074ebd23d4]
        [0xfffff8074ebd23e9] : mov         qword ptr [r10+80h],rax
        [0xfffff8074ebd23f5] : mov         qword ptr [r10+44h],rax
    [0xfffff8074ebd2415]
        [0xfffff8074ebd2421] : mov         qword ptr [r10+98h],r8
        [0xfffff8074ebd2428] : mov         qword ptr [r10+0F8h],r9
        [0xfffff8074ebd2433] : mov         byte ptr gs:[5D18h],al
    [0xfffff8074ebd25b2]
        [0xfffff8074ebd25c3] : mov         qword ptr [rcx],rax
        [0xfffff8074ebd25c9] : mov         qword ptr [rcx+8],rax
        [0xfffff8074ebd25d0] : mov         qword ptr [rcx+10h],rax
        [0xfffff8074ebd25d7] : mov         qword ptr [rcx+18h],rax
        [0xfffff8074ebd25df] : mov         qword ptr [rcx+0A0h],rax
    [0xfffff8074ebd263f]
        [0xfffff8074ebd264f] : and         byte ptr [rax+5],0FDh
    [0xfffff8074ebd26da]
        [0xfffff8074ebd26e3] : mov         qword ptr [rcx],rax
        [0xfffff8074ebd26e9] : mov         qword ptr [rcx+8],rax
        [0xfffff8074ebd26f0] : mov         qword ptr [rcx+10h],rax
        [0xfffff8074ebd26f7] : mov         qword ptr [rcx+18h],rax
        [0xfffff8074ebd26ff] : mov         qword ptr [rcx+0A0h],rax
        [0xfffff8074ebd2708] : mov         word ptr [rcx+72h],ax
     ...

As another project combining almost everything mentioned here, we can try to create a version of !apc using dx. To simplify we will only look for kernel APCs. To do that, we have a few steps:

  • Iterate over all the processes using @$cursession.Processes to find the ones containing threads where KTHREAD.ApcState.KernelApcPending is set to 1.
  • Make a container in the process with only the threads that have pending kernel APCs. Ignore the rest.
  • For each of these threads, iterate over KTHREAD.ApcState.ApcListHead[0] (contains the kernel APCs) and gather interesting information about them. We can do that with the FromListHead() method we’ve seen earlier.
    To make our container as similar as possible to !apc, we will only get KernelRoutine and RundownRoutine, though in your implementation you might find there are other fields that interest you as well.
  • To make the container easier to navigate, collect process name, ID and EPROCESS address, and thread ID and ETHREAD address.
  • In our implementation we implemented a few helper functions:
    @$printLn — runs the legacy command ln with the supplied address, to get information about the symbol
    @$extractBetween — extract a string between two other strings, will be used for getting a substring from the output of @$printLn
    @$printSymbol — Sends an address to @$printLn and extracts the symbol name only using @$extractSymbol
    @$apcsForThread — Finds all kernel APCs for a thread and creates a container with their KernelRoutine and RundownRoutine.

We then got all the processes that have threads with pending kernel APCs and saved it into the @$procWithKernelApcs register, and then in a separate command got the APC information using @$apcsForThread. We also cast the EPPROCESS and ETHREAD pointers to void* so dx doesn’t print the whole structure when we print the final result.

This was our way of solving this problem, but there can be others, and yours doesn’t have to be identical to ours!

The script we came up with is:

dx -r0 @$printLn = (a => Debugger.Utility.Control.ExecuteCommand(“ln “+((__int64)a).ToDisplayString(“x”)))
dx -r0 @$extractBetween = ((x,y,z) => x.Substring(x.IndexOf(y) + y.Length, x.IndexOf(z) — x.IndexOf(y) — y.Length))
dx -r0 @$printSymbol = (a => @$extractBetween(@$printLn(a)[3], “ “, “|”))
dx -r0 @$apcsForThread = (t => new {TID = t.Id, Object = (void*)&t.KernelObject, Apcs = Debugger.Utility.Collections.FromListEntry(*(nt!_LIST_ENTRY*)&t.KernelObject.Tcb.ApcState.ApcListHead[0], “nt!_KAPC”, “ApcListEntry”).Select(a => new { Kernel = @$printSymbol(a.KernelRoutine), Rundown = @$printSymbol(a.RundownRoutine)})})
dx -r0 @$procWithKernelApc = @$cursession.Processes.Select(p => new {Name = p.Name, PID = p.Id, Object = (void*)&p.KernelObject, ApcThreads = p.Threads.Where(t => t.KernelObject.Tcb.ApcState.KernelApcPending != 0)}).Where(p => p.ApcThreads.Count() != 0)
dx -r6 @$procWithKernelApc.Select(p => new { Name = p.Name, PID = p.PID, Object = p.Object, ApcThreads = p.ApcThreads.Select(t => @$apcsForThread(t))})

And it produces the following output:

dx -r6 @$procWithKernelApc.Select(p => new { Name = p.Name, PID = p.PID, Object = p.Object, ApcThreads = p.ApcThreads.Select(t => @$apcsForThread(t))})
@$procWithKernelApc.Select(p => new { Name = p.Name, PID = p.PID, Object = p.Object, ApcThreads = p.ApcThreads.Select(t => @$apcsForThread(t))})                
    [0x15b8]        
        Name             : SearchUI.exe
            Length           : 0xc
        PID              : 0x15b8
        Object           : 0xffffb90a5b1300c0 [Type: void *]
        ApcThreads      
            [0x159c]        
                TID              : 0x159c
                Object           : 0xffffb90a5b14f080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x1528]        
                TID              : 0x1528
                Object           : 0xffffb90a5aa6b080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x16b4]        
                TID              : 0x16b4
                Object           : 0xffffb90a59f1e080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x16a0]        
                TID              : 0x16a0
                Object           : 0xffffb90a5b141080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x16b8]        
                TID              : 0x16b8
                Object           : 0xffffb90a5aab20c0 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x1740]        
                TID              : 0x1740
                Object           : 0xffffb90a5ab362c0 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x1780]        
                TID              : 0x1780
                Object           : 0xffffb90a5b468080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x1778]        
                TID              : 0x1778
                Object           : 0xffffb90a5b6f7080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x17d0]        
                TID              : 0x17d0
                Object           : 0xffffb90a5b1e8080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x17d4]        
                TID              : 0x17d4
                Object           : 0xffffb90a5b32f080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x17f8]        
                TID              : 0x17f8
                Object           : 0xffffb90a5b32e080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0xb28]         
                TID              : 0xb28
                Object           : 0xffffb90a5b065600 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList   
            [0x1850]        
                TID              : 0x1850
                Object           : 0xffffb90a5b6a5080 [Type: void *]
                Apcs            
                    [0x0]           
                        Kernel           :   nt!EmpCheckErrataList   
                        Rundown          :   nt!EmpCheckErrataList

Not as pretty as !apc, but still pretty

We can also print it as a table, receive information about the processes and be able to explore the APCs of each process separately:

dx -g @$procWithKernelApc.Select(p => new { Name = p.Name, PID = p.PID, Object = p.Object, ApcThreads = p.ApcThreads.Select(t => @$apcsForThread(t))})

But wait, what are all these APCs withnt!EmpCheckErrataList? And why does SearchUI.exe have all of them? What does this process have to do with erratas?

The secret is that there are not actually APCs meant to callnt!EmpCheckErrataList. And no, the symbols are not wrong.

The thing we see here is happening because the compiler is being smart — when it sees a few different functions that have the same code, it makes them all point to the same piece of code, instead of duplicating this code multiple times. You might think that this is not a thing that would happen very often, but lets look at the disassembly for nt!EmpCheckErrataList (the old way this time):

u EmpCheckErrataList
nt!EmpCheckErrataList:
fffff807`4eb86010 c20000          ret     0
fffff807`4eb86013 cc              int     3
fffff807`4eb86014 cc              int     3
fffff807`4eb86015 cc              int     3
fffff807`4eb86016 cc              int     3

This is actually just a stub. It might be a function that has not been implemented yet (probably the case for this one) or a function that is meant to be a stub for a good reason. The function that is the real KernelRoutine/RundownRoutine of these APCs is nt!KiSchedulerApcNop, and is meant to be a stub on purpose, and has been for many years. And we can see it has the same code and points to the same address:

u nt!KiSchedulerApcNop
nt!EmpCheckErrataList:
fffff807`4eb86010 c20000          ret     0
fffff807`4eb86013 cc              int     3
fffff807`4eb86014 cc              int     3
fffff807`4eb86015 cc              int     3
fffff807`4eb86016 cc              int     3

So why do we see so many of these APCs?

When a thread is being suspended, the system creates a semaphore and queues an APC to the thread that will wait on that semaphore. The thread will be waiting until someone asks the resume it, and then the system will free the semaphore and the thread will stop waiting and will resume. The APC itself doesn’t need to do much, but it must have a KernelRoutine and a RundownRoutine, so the system places a stub there. In the symbols this stub receives the name of one of the functions that have this “code”, this time nt!EmpCheckErrataList, but it can be a different one in the next version.

Anyone interested in the suspension mechanism can look at ReactOS. The code for these functions changed a bit since, and the stub function was renamed from KiSuspendNop to KiSchedulerApcNop, but the general design stayed similar.

But I got distracted, this is not what this blog was supposed to be talking about. Let’s get back to WinDbg and synthetic functions:

Synthetic Types

After covering synthetic methods, we can also add our own named types and use them to parse data where the type is not available to us.

For example, let’s try to print the PspCreateProcessNotifyRoutine array, which holds all the registered process notify routines — function that are registered by drivers and will receive a notification whenever a process starts. But this array doesn’t contain pointers to the registered routines. Instead it contains pointers to the non-documented EX_CALLBACK_ROUTINE_BLOCK structure.

So to parse this array, we need to make sure WinDbg knows this type — to do that we use Synthetic Types. We start by creating a header file containing all the types we want to define (I used c:\temp\header.h). In this case it’s just EX_CALLBACK_ROUTINE_BLOCK, that we can find in ReactOS:

typedef struct _EX_CALLBACK_ROUTINE_BLOCK
{
    _EX_RUNDOWN_REF RundownProtect;
    void* Function;
    void* Context;
} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;

Now we can ask WinDbg to load it and add the types to the nt module:

dx Debugger.Utility.Analysis.SyntheticTypes.ReadHeader("c:\\temp\\header.h", "nt")
Debugger.Utility.Analysis.SyntheticTypes.ReadHeader("c:\\temp\\header.h", "nt")                 : ntkrnlmp.exe(header.h)
    ReturnEnumsAsObjects : false
    RegisterSyntheticTypeModels : false
    Module           : ntkrnlmp.exe
    Header           : header.h
    Types

This gives us an object which lets us see all the types added to this module.
Now that we defined the type, we can use it with CreateInstance:

dx Debugger.Utility.Analysis.SyntheticTypes.CreateInstance("_EX_CALLBACK_ROUTINE_BLOCK", *(__int64*)&nt!PspCreateProcessNotifyRoutine)
Debugger.Utility.Analysis.SyntheticTypes.CreateInstance("_EX_CALLBACK_ROUTINE_BLOCK", *(__int64*)&nt!PspCreateProcessNotifyRoutine)                
    RundownProtect   [Type: _EX_RUNDOWN_REF]
    Function         : 0xfffff8074cbdff50 [Type: void *]
    Context          : 0x6e496c4102031400 [Type: void *]

It’s important to notice that CreateInstance only takes __int64 inputs so any other type has to be cast. It’s good to know this in advance because the error messages these modules return are not always easy to understand.

Now, if we look at our output, and specifically at Context, something seems weird. And actually if we try to dump Function we will see it doesn’t point to any code:

dq 0xfffff8074cbdff50
fffff807`4cbdff50  ????????`???????? ????????`????????
fffff807`4cbdff60  ????????`???????? ????????`????????
fffff807`4cbdff70  ????????`???????? ????????`????????
fffff807`4cbdff80  ????????`???????? ????????`????????
fffff807`4cbdff90  ????????`???????? ????????`????????

So what happened?
The problem is not our cast to EX_CALLBACK_ROUTINE_BLOCK, but the address we are casting. If we dump the values in PspCreateProcessNotifyRoutine we might see what it is:

dx ((void**[0x40])&nt!PspCreateProcessNotifyRoutine).Where(a => a != 0)
((void**[0x40])&nt!PspCreateProcessNotifyRoutine).Where(a => a != 0)                
    [0]              : 0xffffb90a530504ef [Type: void * *]
    [1]              : 0xffffb90a532a512f [Type: void * *]
    [2]              : 0xffffb90a53da9d5f [Type: void * *]
    [3]              : 0xffffb90a53da9ccf [Type: void * *]
    [4]              : 0xffffb90a53e5d15f [Type: void * *]
    [5]              : 0xffffb90a571469ef [Type: void * *]
    [6]              : 0xffffb90a5714722f [Type: void * *]
    [7]              : 0xffffb90a571473df [Type: void * *]
    [8]              : 0xffffb90a597d989f [Type: void * *]

The lower half-byte in all of these is 0xF, while we know that pointers in x64 machines are always aligned to 8 bytes, and usually to 0x10. This is because I oversimplified it earlier — these are not pointers to EX_CALLBACK_ROUTINE_BLOCK, they are actually EX_CALLBACK structures (another type that is not in the public pdb), containing an EX_RUNDOWN_REF. But to make this example simpler we will treat them as simple pointers that have been ORed with 0xF, since this is good enough for our purposes. If you ever choose to write a driver that will handle PspCreateProcessNotifyRoutine please do not use this hack, look into ReactOS and do things properly. ?
So to fix our command we just need to align the addresses to 0x10 before casting them. To do that we do:

<address> & 0xFFFFFFFFFFFFFFF0

Or the nicer version:

<address> & ~0xF

Let’s use that in our command:

dx Debugger.Utility.Analysis.SyntheticTypes.CreateInstance("_EX_CALLBACK_ROUTINE_BLOCK", (*(__int64*)&nt!PspCreateProcessNotifyRoutine) & ~0xf)
Debugger.Utility.Analysis.SyntheticTypes.CreateInstance("_EX_CALLBACK_ROUTINE_BLOCK", (*(__int64*)&nt!PspCreateProcessNotifyRoutine) & ~0xf)                
    RundownProtect   [Type: _EX_RUNDOWN_REF]
    Function         : 0xfffff8074ea7f310 [Type: void *]
    Context          : 0x0 [Type: void *]

This looks better. Let’s check that Function actually points to a function this time:

ln 0xfffff8074ea7f310
Browse module
Set bu breakpoint
(fffff807`4ea7f310)   nt!ViCreateProcessCallback   |  (fffff807`4ea7f330)   nt!RtlStringCbLengthW
Exact matches:
    nt!ViCreateProcessCallback (void)

Looks much better! Now we can get define this cast as a synthetic method and get the function addresses for all routines in the array:

dx -r0 @$getCallbackRoutine = (a => Debugger.Utility.Analysis.SyntheticTypes.CreateInstance("_EX_CALLBACK_ROUTINE_BLOCK", (__int64)(a & ~0xf)))
dx ((void**[0x40])&nt!PspCreateProcessNotifyRoutine).Where(a => a != 0).Select(a => @$getCallbackRoutine(a).Function)
((void**[0x40])&nt!PspCreateProcessNotifyRoutine).Where(a => a != 0).Select(a => @$getCallbackRoutine(a).Function)                
    [0]              : 0xfffff8074ea7f310 [Type: void *]
    [1]              : 0xfffff8074ff97220 [Type: void *]
    [2]              : 0xfffff80750a41330 [Type: void *]
    [3]              : 0xfffff8074f8ab420 [Type: void *]
    [4]              : 0xfffff8075106d9f0 [Type: void *]
    [5]              : 0xfffff807516dd930 [Type: void *]
    [6]              : 0xfffff8074ff252c0 [Type: void *]
    [7]              : 0xfffff807520b6aa0 [Type: void *]
    [8]              : 0xfffff80753a63cf0 [Type: void *]

But this will be more fun if we could see the symbols instead of the addresses. We already know how to get the symbols by executing the legacy command ln, but this time we will do it with .printf. First we will write a helper function @$getsym which will run the command printf "%y", <address>:

dx -r0 @$getsym = (x => Debugger.Utility.Control.ExecuteCommand(".printf\"%y\", " + ((__int64)x).ToDisplayString("x"))[0])

Then we will send every function address to this method, to print the symbol:

dx ((void**[0x40])&nt!PspCreateProcessNotifyRoutine).Where(a => a != 0).Select(a => @$getsym(@$getCallbackRoutine(a).Function))
((void**[0x40])&nt!PspCreateProcessNotifyRoutine).Where(a => a != 0).Select(a => @$getsym(@$getCallbackRoutine(a).Function))                
    [0]              : nt!ViCreateProcessCallback (fffff807`4ea7f310)
    [1]              : cng!CngCreateProcessNotifyRoutine (fffff807`4ff97220)
    [2]              : WdFilter!MpCreateProcessNotifyRoutineEx (fffff807`50a41330)
    [3]              : ksecdd!KsecCreateProcessNotifyRoutine (fffff807`4f8ab420)
    [4]              : tcpip!CreateProcessNotifyRoutineEx (fffff807`5106d9f0)
    [5]              : iorate!IoRateProcessCreateNotify (fffff807`516dd930)
    [6]              : CI!I_PEProcessNotify (fffff807`4ff252c0)
    [7]              : dxgkrnl!DxgkProcessNotify (fffff807`520b6aa0)
    [8]              : peauth+0x43cf0 (fffff807`53a63cf0)

There, much nicer!

Breakpoints

Conditional Breakpoint

Conditional breakpoints are a huge pain-point when debugging. And with the old MASM syntax they’re almost impossible to use. I spent hours trying to get them to work the way I wanted to, but the command turns out to be so awful that I can’t even understand what I was trying to do, not to mention why it doesn’t filter anything or how to fix it.

Well, these days are over. We can now use dx queries for conditional breakpoints with the following syntax: bp /w “dx query" <address>.

For example, let’s say we are trying to debug an issue involving file opens by Wow64 processes. The function NtOpenProcess is called all the time, but we only care about calls done by Wow64 processes, which are not the majority of processes on modern systems. So to avoid helplessly going through 100 debugger breaks until we get lucky or struggle with MASM-style conditional breakpoints, we can do this instead:

bp /w "@$curprocess.KernelObject.WoW64Process != 0" nt!NtOpenProcess

We then let the machine run, and when the breakpoint is hit we can check if it worked:

Breakpoint 3 hit
nt!NtOpenProcess:
fffff807`2e96b7e0 4883ec38        sub     rsp,38h
dx @$curprocess.KernelObject.WoW64Process
@$curprocess.KernelObject.WoW64Process                 : 0xffffc10f5163b390 [Type: _EWOW64PROCESS *]
    [+0x000] Peb              : 0xf88000 [Type: void *]
    [+0x008] Machine          : 0x14c [Type: unsigned short]
    [+0x00c] NtdllType        : PsWowX86SystemDll (1) [Type: _SYSTEM_DLL_TYPE]
dx @$curprocess.Name
@$curprocess.Name : IpOverUsbSvc.exe
    Length           : 0x10

The process that triggered our breakpoint is a WoW64 process!
For anyone who has ever tried using conditional breakpoints with MASM, this is a life-changing addition.

Other Breakpoint Options

There are a few other interesting breakpoint options found under Debugger.Utility.Control:

  • SetBreakpointAtSourceLocation — allowing us to set a breakpoint in a module whose source file is available to us, with this syntax: dx Debugger.Utility.Control.SetBreakpointAtSourceLocation("MyModule!myFile.cpp", “172”)
  • SetBreakpointAtOffset — sets a breakpoint at an offset inside a function — dx Debugger.Utility.Control.SetBreakpointAtOffset("NtOpenFile", 8, “nt")
  • SetBreakpointForReadWriteFile — similar to the legacy ba command but with more readable syntax, this lets us set a breakpoint to issue a debug break whenever anyone reads or writes to an address. It has default configuration of type = Hardware Write and size = 1.
    For example, let’s try to break on every read of Ci!g_CiOptions, a variable whose size is 4 bytes:
dx Debugger.Utility.Control.SetBreakpointForReadWrite(&Ci!g_CiOptions, “Hardware Read”, 0x4)

We let the machine keep running and almost immediately our breakpoint is hit:

0: kd> g
Breakpoint 0 hit
CI!CiValidateImageHeader+0x51b:
fffff807`2f6fcb1b 740c je CI!CiValidateImageHeader+0x529 (fffff807`2f6fcb29)

CI!CiValidateImageHeader read this global variable when validating an image header. In this specific example, we will see reads of this variable very often and writes into it are the more interesting case, as it can show us an attempt to tamper with signature validation.

An interesting thing to notice about these commands in that they don’t just set a breakpoint, they actually return it as an object we can control, which has attributes like IsEnabledCondition (allowing us to set a condition), PassCount (telling us how many times this breakpoint has been hit) and more.

FileSystem

Under Debugger.Utility we have the FileSystem module, letting us query and control the file system on the host machine (not the machine we are debugging) from within the debugger:

dx -r1 Debugger.Utility.FileSystem
Debugger.Utility.FileSystem
CreateFile       [CreateFile(path, [disposition]) - Creates a file at the specified path and returns a file object.  'disposition' can be one of 'CreateAlways' or 'CreateNew']
CreateTempFile   [CreateTempFile() - Creates a temporary file in the %TEMP% folder and returns a file object]
CreateTextReader [CreateTextReader(file | path, [encoding]) - Creates a text reader over the specified file.  If a path is passed instead of a file, a file is opened at the specified path.  'encoding' can be 'Utf16', 'Utf8', or 'Ascii'.  'Ascii' is the default]
CreateTextWriter [CreateTextWriter(file | path, [encoding]) - Creates a text writer over the specified file.  If a path is passed instead of a file, a file is created at the specified path.  'encoding' can be 'Utf16', 'Utf8', or 'Ascii'.  'Ascii' is the default]
CurrentDirectory : C:\WINDOWS\system32
DeleteFile       [DeleteFile(path) - Deletes a file at the specified path]
FileExists       [FileExists(path) - Checks for the existance of a file at the specified path]
OpenFile         [OpenFile(path) - Opens a file read/write at the specified path]
TempDirectory    : C:\Users\yshafir\AppData\Local\Temp

We can create files, open them, write into them, delete them or check if a file exists in a certain path. To see a simple example, let’s dump the contents of our current directory — C:\Windows\System32:

dx -r1 Debugger.Utility.FileSystem.CurrentDirectory.Files
Debugger.Utility.FileSystem.CurrentDirectory.Files                
    [0x0]            : C:\WINDOWS\system32\07409496-a423-4a3e-b620-2cfb01a9318d_HyperV-ComputeNetwork.dll
    [0x1]            : C:\WINDOWS\system32\1
    [0x2]            : C:\WINDOWS\system32\103
    [0x3]            : C:\WINDOWS\system32\108
    [0x4]            : C:\WINDOWS\system32\11
    [0x5]            : C:\WINDOWS\system32\113
    ...
    [0x44]           : C:\WINDOWS\system32\93
    [0x45]           : C:\WINDOWS\system32\98
    [0x46]           : C:\WINDOWS\system32\@AppHelpToast.png
    [0x47]           : C:\WINDOWS\system32\@AudioToastIcon.png
    [0x48]           : C:\WINDOWS\system32\@BackgroundAccessToastIcon.png
    [0x49]           : C:\WINDOWS\system32\@bitlockertoastimage.png
    [0x4a]           : C:\WINDOWS\system32\@edptoastimage.png
    [0x4b]           : C:\WINDOWS\system32\@EnrollmentToastIcon.png
    [0x4c]           : C:\WINDOWS\system32\@language_notification_icon.png
    [0x4d]           : C:\WINDOWS\system32\@optionalfeatures.png
    [0x4e]           : C:\WINDOWS\system32\@VpnToastIcon.png
    [0x4f]           : C:\WINDOWS\system32\@WiFiNotificationIcon.png
    [0x50]           : C:\WINDOWS\system32\@windows-hello-V4.1.gif
    [0x51]           : C:\WINDOWS\system32\@WindowsHelloFaceToastIcon.png
    [0x52]           : C:\WINDOWS\system32\@WindowsUpdateToastIcon.contrast-black.png
    [0x53]           : C:\WINDOWS\system32\@WindowsUpdateToastIcon.contrast-white.png
    [0x54]           : C:\WINDOWS\system32\@WindowsUpdateToastIcon.png
    [0x55]           : C:\WINDOWS\system32\@WirelessDisplayToast.png
    [0x56]           : C:\WINDOWS\system32\@WwanNotificationIcon.png
    [0x57]           : C:\WINDOWS\system32\@WwanSimLockIcon.png
    [0x58]           : C:\WINDOWS\system32\aadauthhelper.dll
    [0x59]           : C:\WINDOWS\system32\aadcloudap.dll
    [0x5a]           : C:\WINDOWS\system32\aadjcsp.dll
    [0x5b]           : C:\WINDOWS\system32\aadtb.dll
    [0x5c]           : C:\WINDOWS\system32\aadWamExtension.dll
    [0x5d]           : C:\WINDOWS\system32\AboutSettingsHandlers.dll
    [0x5e]           : C:\WINDOWS\system32\AboveLockAppHost.dll
    [0x5f]           : C:\WINDOWS\system32\accessibilitycpl.dll
    [0x60]           : C:\WINDOWS\system32\accountaccessor.dll
    [0x61]           : C:\WINDOWS\system32\AccountsRt.dll
    [0x62]           : C:\WINDOWS\system32\AcGenral.dll
    ...

We can choose to delete one of these files:

dx -r1 Debugger.Utility.FileSystem.CurrentDirectory.Files[1].Delete()

Or delete it through DeleteFile:

dx Debugger.Utility.FileSystem.DeleteFile(“C:\\WINDOWS\\system32\\71”)

Notice that in this module paths have to have double backslash (“\\”), as they would if we had called the Win32 API ourselves.

As a last exercise we’ll put together a few of the things we learned here — we’re going to create a breakpoint on a kernel variable, get the symbol that accessed it from the stack and write the symbol the accessed it into a file on our host machine.

Let’s break it down into steps:

  • Open a file to write the results to.
  • Create a text writer, which we will use to write into the file.
  • Create a breakpoint for access into a variable. In this case we’ll choose nt!PsInitialSystemProcess and set a breakpoint for read access. We will use the old MASM syntax to run a dx command every time the breakpoint is hit and move on: ba r4 <address> "dx <command>; g"
    Our command will use @$curstack to get the address that accessed the variable, and then use the @$getsym helper function we wrote earlier to find the symbol for it. We’ll use our text writer to write the result into the file.
  • Finally, we will close the file.

Putting it all together:

dx -r0 @$getsym = (x => Debugger.Utility.Control.ExecuteCommand(".printf\"%y\", " + ((__int64)x).ToDisplayString("x"))[0])
dx @$tmpFile = Debugger.Utility.FileSystem.TempDirectory.OpenFile("log.txt")
dx @$txtWriter = Debugger.Utility.FileSystem.CreateTextWriter(@$tmpFile)
ba r4 nt!PsInitialSystemProcess "dx @$txtWriter.WriteLine(@$getsym(@$curstack.Frames[0].Attributes.InstructionOffset)); g"

We let the machine run for as long as we want, and when we want to stop the logging we can disable or clear the breakpoint and close the file with dx @$tmpFile.Close().

Now we can open our @$tmpFile and look at the results:

That’s it! What an amazingly easy way to log information about the debugger!

So that’s the end of our WinDbg series! All the scripts in this series will be uploaded to a github repo, as well as some new ones not included here. I suggest you investigate this data model further, because we didn’t even cover all the different methods it contains. Write cool tools of your own and share them with the world :)

And as long as this guide was, these are not even all the possible options in the new data model. And I didn’t even mention the new support for Javascript! You can get more information about using Javascript in WinDbg and the new and exciting support for TTD (time travel debugging) in this excellent post.