1. Find the notepad process object
kd> !process 0 0 notepad.exe
PROCESS 859c29b8 SessionId: 1 Cid: 0914 Peb: 7ffd4000 ParentCid: 0600
DirBase: 3ec4c420 ObjectTable: 921e3470 HandleCount: 57.
Image: notepad.exe
2. Switch to notepad process context
kd> .process /i 859c29b8
You need to continue execution (press 'g' ) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
826b9394 cc int 3
3. Disassemble the NtCreateFile
kd> uf ntdll!NtCreateFile
ntdll!NtCreateFile:
77234a10 b842000000 mov eax,42h
77234a15 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
77234a1a ff12 call dword ptr [edx]
77234a1c c22c00 ret 2Ch
4. Find the content at 7ffe0300
kd> dd 7ffe0300 L1
7ffe0300 772364f0
5. Disassemble the code at 7ffe0300
kd> uf 772364f0
ntdll!KiFastSystemCall:
772364f0 8bd4 mov edx,esp
772364f2 0f34 sysenter
772364f4 c3 ret
6. Find the address of KiServiceTable
kd> x nt!KiServiceTable
826bd6f0 nt!KiServiceTable =
7. Now display the function in System Service Table
kd> dps 0x826bd6f0+0x4*0x42 L1
826bd7f8 82898e82 nt!NtCreateFile
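The lookup the session performs by hand (read the service index out of the ntdll stub, index KiServiceTable by 4*index, read the handler) as an added Python example, not part of the original post. The stub bytes and table values are taken from the session above; the ntoskrnl image bounds used for the final sanity check are hypothetical.

```python
import struct

# Constructed from the "uf ntdll!NtCreateFile" output above (x86, 32-bit kernel):
#   b8 42 00 00 00   mov eax, 42h                        ; service index
#   ba 00 03 fe 7f   mov edx, SharedUserData!SystemCallStub
#   ff 12            call dword ptr [edx]                ; -> KiFastSystemCall -> sysenter
#   c2 2c 00         ret 2Ch                             ; 11 stack args * 4 bytes
NTCREATEFILE_STUB = bytes.fromhex("b842000000ba0003fe7fff12c22c00")

KI_SERVICE_TABLE = 0x826BD6F0   # from "x nt!KiServiceTable" in the session
POINTER_SIZE = 4                # 32-bit table of absolute function addresses

# Constructed stand-in for kernel memory: slot address -> value read by "dps".
SSDT_DUMP = {0x826BD7F8: 0x82898E82}   # nt!NtCreateFile

# Hypothetical ntoskrnl image range (not from the page); a real tool would take
# these from "lm m nt" in the debugger.
NT_IMAGE_BASE = 0x82600000
NT_IMAGE_END = 0x82A00000


def syscall_number(stub: bytes) -> int:
    """Return the imm32 of the leading 'mov eax, imm32' (opcode B8) in a stub."""
    if len(stub) < 5 or stub[0] != 0xB8:
        raise ValueError("stub does not start with 'mov eax, imm32'")
    return struct.unpack_from("<I", stub, 1)[0]


def ssdt_slot(table_base: int, index: int, ptr_size: int = POINTER_SIZE) -> int:
    """Address of the table entry for this index: base + index * pointer size."""
    return table_base + index * ptr_size


def resolve_handler(stub: bytes, memory: dict, table_base: int = KI_SERVICE_TABLE) -> int:
    """Walk stub -> index -> table slot -> handler, using a slot->value memory map."""
    slot = ssdt_slot(table_base, syscall_number(stub))
    if slot not in memory:
        raise KeyError(f"slot {slot:#x} not present in memory dump")
    return memory[slot]


def in_kernel_image(handler: int, base: int = NT_IMAGE_BASE, end: int = NT_IMAGE_END) -> bool:
    """Sanity check: a legitimate table entry should point inside ntoskrnl's image."""
    return base <= handler < end


if __name__ == "__main__":
    h = resolve_handler(NTCREATEFILE_STUB, SSDT_DUMP)
    print(f"index {syscall_number(NTCREATEFILE_STUB):#x} -> handler {h:#x}, "
          f"in nt image: {in_kernel_image(h)}")
```

The same walk applies to any ntdll Nt* stub of this shape; only the index and the table slot change.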