-
Notifications
You must be signed in to change notification settings - Fork 178
/
README.html
228 lines (225 loc) · 12.5 KB
/
README.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
<!DOCTYPE html>
<html>
<head>
<title>WinDBG Anti-RootKit extension</title>
</head>
<body>
<h1 id="windbg-anti-rootkit-extension">WinDBG Anti-RootKit extension</h1>
<p><a href="https://scan.coverity.com/projects/3610"><img src="https://scan.coverity.com/projects/3610/badge.svg" alt="Coverity Scan Build Status" /></a>
<a href="https://ci.appveyor.com/project/swwwolf/wdbgark"><img src="https://ci.appveyor.com/api/projects/status/opt8hoofoc2o9avt?svg=true" alt="Build status" /></a>
<a href="https://www.gnu.org/licenses/gpl-3.0"><img src="https://img.shields.io/badge/License-GPL%20v3-blue.svg" alt="License: GPL v3" /></a></p>
<ul>
<li><a href="#preface">Preface</a></li>
<li><a href="#requirements">Requirements</a></li>
<li><a href="#supported-commands">Supported commands</a></li>
<li><a href="#supported-targets">Supported targets</a></li>
<li><a href="#sources-and-build">Sources and build</a>
<ul>
<li><a href="#build-using-vs2017">Build using VS2017</a></li>
<li><a href="#build-using-build">Build using BUILD</a></li>
<li><a href="#build-using-cmd">Build using CMD</a></li>
</ul>
</li>
<li><a href="#using">Using</a></li>
<li><a href="#faq">FAQ</a></li>
<li><a href="#help">Help</a></li>
<li><a href="#used-code">Used code</a></li>
<li><a href="#whoami">Whoami</a></li>
<li><a href="#license">License</a></li>
</ul>
<h2 id="preface">Preface</h2>
<p><a href="https://github.com/swwwolf/wdbgark">WDBGARK</a> is an extension (dynamic library) for the
<a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/index">Microsoft Debugging Tools for Windows</a>.
It main purpose is to view and analyze anomalies in Windows kernel using kernel debugger. It is possible to view
various system callbacks, system tables, object types and so on. For more user-friendly view extension uses DML.
For the most of commands kernel-mode connection is required. Feel free to use extension with live kernel-mode debugging
or with kernel-mode crash dump analysis (some commands will not work). Public symbols are required, so use them, force
to reload them, ignore checksum problems, prepare them before analysis and you'll be happy.</p>
<h2 id="requirements">Requirements</h2>
<ul>
<li>Microsoft Visual Studio 2017</li>
<li>WDK and SDK for Windows 10, version 1709 (10.0.16299.0)</li>
<li>Visual C++ Redistributable for Visual Studio 2017</li>
</ul>
<h2 id="supported-commands">Supported commands</h2>
<ul>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_scan">!wa_scan</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_systemcb">!wa_systemcb</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_objtype">!wa_objtype</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_objtypeidx">!wa_objtypeidx</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_objtypecb">!wa_objtypecb</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_callouts">!wa_callouts</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_pnptable">!wa_pnptable</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_crashdmpcall">!wa_crashdmpcall</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_ssdt">!wa_ssdt</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_w32psdt">!wa_w32psdt</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_checkmsr">!wa_checkmsr</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_idt">!wa_idt</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_gdt">!wa_gdt</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_haltables">!wa_haltables</a></li>
<li><a href="https://github.com/swwwolf/wdbgark/wiki/!wa_colorize">!wa_colorize</a></li>
<li>!wa_chknirvana</li>
<li>!wa_eop</li>
<li>!wa_cicallbacks</li>
<li>!wa_ciinfo</li>
<li>!wa_drvmajor</li>
<li>!wa_lxsdt</li>
<li>!wa_psppico</li>
<li>!wa_systables</li>
<li>!wa_apiset</li>
<li>!wa_process_anomaly</li>
<li>!wa_w32psdt</li>
<li>!wa_w32psdtflt</li>
<li>!wdrce_copyfile</li>
<li>!wdrce_cpuid</li>
</ul>
<h2 id="supported-targets">Supported targets</h2>
<ul>
<li>Microsoft Windows XP (x86)</li>
<li>Microsoft Windows 2003 (x86/x64)</li>
<li>Microsoft Windows Vista (x86/x64)</li>
<li>Microsoft Windows 7 (x86/x64)</li>
<li>Microsoft Windows 8.x (x86/x64)</li>
<li>Microsoft Windows 10 (x86/x64)</li>
</ul>
<p>Multiple targets debugging is not supported!</p>
<p>Windows BETA/RC is supported by design, but read a few notes. First, i don't care about checked builds.
Second, i don't care if you don't have <a href="https://developer.microsoft.com/en-us/windows/hardware/download-symbols">symbols</a>
(public or private). IA64/ARM is unsupported (and will not).</p>
<h2 id="sources-and-build">Sources and build</h2>
<p>Sources are organized as a Visual Studio 2017 solution.</p>
<h3 id="build-using-vs2017">Build using VS2017</h3>
<ul>
<li>Download and install latest <a href="https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit">WDK</a></li>
<li>Select <strong>Build -> Batch Build</strong> from the menu and build dummypdb module (x86 and x64).
<img src="https://raw.githubusercontent.com/swwwolf/wdbgark/master/images/batch_build.png" alt="Batch Build" /></li>
<li>Choose solution configuration and platform for the main project.</li>
<li>Build.</li>
</ul>
<h4 id="note">NOTE!</h4>
<p>Post-build event is enabled for debug build. It automatically copies linked extension into WinDBG's plugins folder (e.g. x64 target:<br />
<code>"copy /B /Y "$(OutDir)$(TargetName)$(TargetExt)" "$(WindowsSdkDir)Debuggers\x64\winext\$(TargetName)$(TargetExt)"</code>).</p>
<h3 id="build-using-build">Build using BUILD</h3>
<p>Deprecated.</p>
<h3 id="build-using-cmd">Build using CMD</h3>
<p>Yeah, it's possible to build all the stuff using simple batch script.</p>
<ul>
<li>Make sure that you have already installed PowerShell at least version 3.0.
<ul>
<li>If not, then download and install <a href="http://www.microsoft.com/en-US/download/details.aspx?id=40855">Windows Management Framework</a>.</li>
</ul>
</li>
<li>Execute the <a href="release_build.cmd">release_build.cmd</a> with a single parameter - a version.</li>
<li>Voila! If there were no errors, the archive file will be created (e.g. wdbgark.X.Y.zip).
<ul>
<li>If something is wrong, check the path to the Visual Studio 2017 in the script and/or output log file (release_build.log).</li>
</ul>
</li>
</ul>
<h2 id="using">Using</h2>
<ul>
<li>Download and install <a href="https://developer.microsoft.com/en-us/windows/hardware/download-windbg">Debugging Tools</a>.</li>
<li><a href="#sources-and-build">Build</a> or <a href="https://github.com/swwwolf/wdbgark/releases">download</a> the extention.</li>
<li>Make sure that <a href="https://www.visualstudio.com/en-us/productinfo/2017-redistribution-vs">Visual C++ Redistributable for Visual Studio 2017</a> has already been installed.</li>
<li>Copy extension to the WDK debugger's directory (e.g. WDK 10):
<ul>
<li>x64: <code>C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\</code></li>
<li>x86: <code>C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\</code></li>
</ul>
</li>
<li>Start WinDBG.</li>
<li><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ee416588(v=vs.85).aspx">Setup</a> WinDBG to use Microsoft Symbol Server correctly or deal with them manually.</li>
<li>Load extension by <strong>.load wdbgark</strong> (you can see loaded extensions with a <strong>.chain</strong> command).</li>
<li>Execute <strong>!wdbgark.help</strong> for help or <strong>!wdbgark.wa_scan</strong> for a full system scan.</li>
<li>Have fun!</li>
</ul>
<pre><code>0: kd> .load wdbgark
0: kd> .chain
Extension DLL search Path:
<...>
Extension DLL chain:
wdbgark: image 2.5.0.0, API 2.5.0, built Fri Oct 20 17:54:03 2017
[path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\wdbgark.dll]
dbghelp: image 10.0.16299.15, API 10.0.6,
[path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll]
ext: image 10.0.16299.15, API 1.0.0,
[path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\ext.dll]
exts: image 10.0.16299.15, API 1.0.0,
[path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\WINXP\exts.dll]
kext: image 10.0.16299.15, API 1.0.0,
[path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\kext.dll]
kdexts: image 10.0.16299.15, API 1.0.0,
[path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\WINXP\kdexts.dll]
0: kd> !wdbgark.help
Commands for C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\wdbgark.dll:
!help - Displays information on available extension commands
!wa_apiset - Output user-mode and/or kernel-mode ApiSet map
!wa_callouts - Output kernel-mode win32k callouts
!wa_checkmsr - Output system MSRs (live debug only!)
!wa_chknirvana - Checks processes for Hooking Nirvana instrumentation
!wa_cicallbacks - Output kernel-mode nt!g_CiCallbacks or nt!SeCiCallbacks
!wa_ciinfo - Output Code Integrity information
!wa_colorize - Adjust WinDBG colors dynamically (prints info with no
parameters)
!wa_crashdmpcall - Output kernel-mode nt!CrashdmpCallTable
!wa_drvmajor - Output driver(s) major table
!wa_eop - Checks processes for Elevation of Privilege
!wa_gdt - Output processors GDT
!wa_haltables - Output kernel-mode HAL tables: nt!HalDispatchTable,
nt!HalPrivateDispatchTable, nt!HalIommuDispatchTable
!wa_idt - Output processors IDT
!wa_lxsdt - Output the Linux Subsystem Service Descriptor Table
!wa_objtype - Output kernel-mode object type(s)
!wa_objtypecb - Output kernel-mode callbacks registered with
ObRegisterCallbacks
!wa_objtypeidx - Output kernel-mode nt!ObTypeIndexTable
!wa_pnptable - Output kernel-mode nt!PlugPlayHandlerTable
!wa_process_anomaly - Checks processes for various anomalies
!wa_psppico - Output kernel-mode Pico tables
!wa_scan - Scan system (execute all commands)
!wa_ssdt - Output the System Service Descriptor Table
!wa_systables - Output various kernel-mode system tables
!wa_systemcb - Output kernel-mode registered callback(s)
!wa_ver - Shows extension version number
!wa_w32psdt - Output the Win32k Service Descriptor Table
!wa_w32psdtflt - Output the Win32k Service Descriptor Table Filter
!wdrce_copyfile - Copy file (live debug only!)
!wdrce_cpuid - Execute CPUID instruction (live debug only!)
!help <cmd> will give more information for a particular command
</code></pre>
<h2 id="faq">FAQ</h2>
<p>Q: What is the main purpose of the extension?<br />
A: Well, first is educational only. Second, for fun and profit.</p>
<p>Q: Do you know about PyKd? I can script the whole Anti-Rootkit using Python.<br />
A: Yeah, i know, but C++ is much better.</p>
<p>Q: Where is version 1.0?<br />
A: Lost in space of Google Code.</p>
<p>Q: When did the project start?<br />
A: February 2013 on Google Code.</p>
<p>Q: What version should i use?<br />
A: Please use x64 version only. In the era of x64 i dunno why the heck you may need to use x86 version. x64 WinDBG is
able to debug both x86 and x64. Host OS bitness is the only limitation.</p>
<p>Q: How can i help?<br />
A: Spread a word. Report issues and feature requests. I'm open for any suggestions. Thanks!</p>
<p>Q: What kind of memory dump is better to use with an extension?<br />
A: Complete memory dump.</p>
<p>Q: How to report an issue?<br />
A: Feel free to report an issue using GitHub or email to me directly, but please, attach complete memory crash dump file.</p>
<h2 id="help">Help</h2>
<p><a href="https://github.com/swwwolf/wdbgark/wiki">Wiki</a> can help.</p>
<h2 id="used-code">Used code</h2>
<ul>
<li><a href="https://github.com/dattanchu/bprinter">BPrinter</a>. BSD License.</li>
<li><a href="https://github.com/vmt/udis86">Udis86</a>. Simplified BSD License.</li>
<li><a href="https://github.com/leethomason/tinyxml2">TinyXML2</a>. Zlib license.</li>
</ul>
<h2 id="whoami">Whoami</h2>
<ul>
<li><a href="https://www.linkedin.com/in/vrusakov">LinkedIn profile</a></li>
<li><a href="https://sww-it.ru/">Blog</a></li>
</ul>
<h2 id="license">License</h2>
<p>This software is released under the GNU GPL v3 License. See the <a href="COPYING">COPYING file</a> for the full license text and
<a href="http://www.gnu.org/licenses/gpl-faq.en.html#GPLPluginsInNF">this</a> small addition.</p>
</body>
</html>