
Dumping GDT entries using WinDbg


Master Blaster

Sep 5, 2009, 12:33:55 PM
Hi everyone,
I just started experimenting with WinDbg and I have a couple of
questions regarding its ability to dissect GDT entries. My setup is as
follows: I'm using a virtual machine that runs Windows XP SP2. My host
OS is Windows XP SP3. I'm debugging the guest OS through a faked
serial port.

Now, when I want to dump a specific GDT entry I use the following
syntax:
db gdtr + 8 * <x> l 8
where <x> is the ordinal of the entry I wish to dump. What I'm looking
for is a more convenient way to do this, perhaps some command which
provides index-based access in a way which resembles C arrays,
something like:
gdt[0], gdt[1], gdt[x], etc...

Moreover, another useful feature that I'm looking for is the ability
to dissect an entry into its various bitwise fields. Is there anything
like it?

Thanks in advance.

Ivan Brugiolo [MSFT]

Sep 5, 2009, 2:46:46 PM
Something like this?

lkd> ??((ntkrnlpa!_KGDTENTRY *)0x8003f000)[5]
struct _KGDTENTRY
   +0x000 LimitLow         : 0x20ab
   +0x002 BaseLow          : 0x2000
   +0x004 HighWord         : __unnamed

lkd> ??((ntkrnlpa!_KGDTENTRY *)0x8003f000)[5].HighWord.Bits
struct __unnamed
   +0x000 BaseMid          : 0y00000100 (0x4)
   +0x000 Type             : 0y01011 (0xb)
   +0x000 Dpl              : 0y00
   +0x000 Pres             : 0y1
   +0x000 LimitHi          : 0y0000
   +0x000 Sys              : 0y0
   +0x000 Reserved_0       : 0y0
   +0x000 Default_Big      : 0y0
   +0x000 Granularity      : 0y0
   +0x000 BaseHi           : 0y10000000 (0x80)

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Master Blaster" <a.master...@gmail.com> wrote in message
news:2aec594e-9d3a-4b4c...@t2g2000yqn.googlegroups.com...
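The `??` cast above reads the entry through the kernel's type information (the `nt` module alias resolves to whichever kernel image is loaded, ntoskrnl or ntkrnlpa, and `@gdtr` can stand in for the hard-coded 0x8003f000). When all you have is the raw eight bytes from `db gdtr + 8 * <x> l 8`, or a memory image without symbols, the same fields can be decoded by hand. The C program below is an added example by the editor, not code from the thread or from Microsoft; it decodes a descriptor into the same fields WinDbg prints, maps the architectural names onto the `_KGDTENTRY` ones (WinDbg's 5-bit `Type` includes the S bit, its `Sys` is the architectural AVL bit, and `Reserved_0` is the L bit), and adds a sanity check the thread does not mention: flagging call gates callable from ring 3, which Windows itself does not install in the GDT. The sample byte arrays are constructed: the first reproduces the entry shown in the reply above, the second is a standard flat ring-0 code descriptor, the third is a made-up ring-3 call gate.

```c
/* gdt_decode.c: decode raw 8-byte x86 (32-bit) GDT descriptors into the
 * fields WinDbg shows for nt!_KGDTENTRY. Editor's added example, not code
 * from the thread. Build: cc -std=c99 -Wall -o gdt_decode gdt_decode.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t base;        /* BaseLow | BaseMid << 16 | BaseHi << 24 */
    uint32_t limit;       /* raw 20-bit limit: LimitLow | LimitHi << 16 */
    uint32_t limit_bytes; /* limit in bytes after applying Granularity */
    uint8_t  type;        /* architectural 4-bit type (low 4 bits of WinDbg's Type) */
    uint8_t  s;           /* S bit: 1 = code/data, 0 = system (bit 4 of WinDbg's Type) */
    uint8_t  dpl;         /* Dpl */
    uint8_t  present;     /* Pres */
    uint8_t  avl;         /* architectural AVL bit; WinDbg names it Sys */
    uint8_t  l;           /* 64-bit code flag; WinDbg names it Reserved_0 */
    uint8_t  db;          /* Default_Big */
    uint8_t  g;           /* Granularity */
} gdt_entry;

/* Constructed samples, laid out exactly as "db gdtr + 8 * <x> l 8" prints them. */
/* Entry 5 from the thread: LimitLow 0x20ab, BaseLow 0x2000, BaseMid 0x04,
 * Type 0y01011, Dpl 0, Pres 1, LimitHi 0, all flags 0, BaseHi 0x80. */
static const uint8_t GDT_SAMPLE_ENTRY5[8]    = { 0xab, 0x20, 0x00, 0x20, 0x04, 0x8b, 0x00, 0x80 };
/* Flat ring-0 code descriptor: base 0, limit 0xfffff with G=1 and D=1 (4 GiB). */
static const uint8_t GDT_SAMPLE_FLAT_CODE[8] = { 0xff, 0xff, 0x00, 0x00, 0x00, 0x9b, 0xcf, 0x00 };
/* Made-up 32-bit call gate with DPL 3 (present, S=0, type 0xc): byte 5 = 0xec. */
static const uint8_t GDT_SAMPLE_RING3_GATE[8] = { 0x00, 0x10, 0x08, 0x00, 0x00, 0xec, 0x00, 0x00 };

/* Byte offset of entry <x> from the GDT base: what "gdtr + 8 * <x>" computes. */
uint32_t gdt_entry_offset(uint32_t index) { return index * 8u; }

/* Index field of a selector: strip the RPL (bits 0-1) and TI (bit 2) bits. */
uint32_t selector_index(uint16_t selector) { return selector >> 3; }

/* Decode one little-endian descriptor. */
void gdt_decode(const uint8_t raw[8], gdt_entry *e)
{
    e->limit   = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 | (uint32_t)(raw[6] & 0x0f) << 16;
    e->base    = (uint32_t)raw[2] | (uint32_t)raw[3] << 8 | (uint32_t)raw[4] << 16 | (uint32_t)raw[7] << 24;
    e->type    = raw[5] & 0x0f;
    e->s       = (raw[5] >> 4) & 1;
    e->dpl     = (raw[5] >> 5) & 3;
    e->present = (raw[5] >> 7) & 1;
    e->avl     = (raw[6] >> 4) & 1;
    e->l       = (raw[6] >> 5) & 1;
    e->db      = (raw[6] >> 6) & 1;
    e->g       = (raw[6] >> 7) & 1;
    /* With G=1 the limit counts 4 KiB pages and the low 12 bits are all ones. */
    e->limit_bytes = e->g ? (e->limit << 12) | 0xfffu : e->limit;
}

/* Human-readable meaning of the S/type bits. */
const char *gdt_type_name(const gdt_entry *e)
{
    if (e->s) {
        if (e->type & 0x8)
            return (e->type & 0x2) ? "code, execute/read" : "code, execute-only";
        return (e->type & 0x2) ? "data, read/write" : "data, read-only";
    }
    switch (e->type) {
    case 0x1: return "16-bit TSS (available)";
    case 0x2: return "LDT";
    case 0x3: return "16-bit TSS (busy)";
    case 0x4: return "16-bit call gate";
    case 0x5: return "task gate";
    case 0x9: return "32-bit TSS (available)";
    case 0xb: return "32-bit TSS (busy)";
    case 0xc: return "32-bit call gate";
    case 0xe: return "32-bit interrupt gate";
    case 0xf: return "32-bit trap gate";
    default:  return "reserved/unused";
    }
}

/* Added sanity check: a present call gate with DPL 3 gives user mode a ring
 * transition the kernel did not intend; Windows does not use call gates, so
 * one in the GDT deserves an explanation. Gate descriptors keep the P/DPL/S/type
 * bits in the same byte as segment descriptors, so the decode above still applies. */
int gdt_is_ring3_call_gate(const gdt_entry *e)
{
    return e->present && !e->s && (e->type == 0x4 || e->type == 0xc) && e->dpl == 3;
}

int main(void)
{
    const uint8_t *samples[3] = { GDT_SAMPLE_ENTRY5, GDT_SAMPLE_FLAT_CODE, GDT_SAMPLE_RING3_GATE };
    for (int i = 0; i < 3; i++) {
        gdt_entry e;
        gdt_decode(samples[i], &e);
        printf("base=%08x limit=%05x (%08x bytes) dpl=%u P=%u G=%u D/B=%u %s%s\n",
               e.base, e.limit, e.limit_bytes, e.dpl, e.present, e.g, e.db,
               gdt_type_name(&e), gdt_is_ring3_call_gate(&e) ? "  <-- ring-3 call gate" : "");
    }
    return 0;
}
```

For the thread's entry 5 (selector 0x28 on XP) this yields base 0x80042000, limit 0x20ab and "32-bit TSS (busy)", matching the `_KGDTENTRY` dump above; the flat code descriptor decodes to a 0xffffffff byte limit because of the granularity bit.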

Master Blaster

Sep 5, 2009, 3:54:12 PM
On Sep 5, 11:46 am, "Ivan Brugiolo [MSFT]"

<ivanb...@online.microsoft.com> wrote:
> something like this ?
>
> lkd> ??((ntkrnlpa!_KGDTENTRY *)0x8003f000)[5]
> struct _KGDTENTRY
>    +0x000 LimitLow         : 0x20ab
>    +0x002 BaseLow          : 0x2000
>    +0x004 HighWord         : __unnamed
>
> lkd> ??((ntkrnlpa!_KGDTENTRY *)0x8003f000)[5].HighWord.Bits
> struct __unnamed
>    +0x000 BaseMid          : 0y00000100 (0x4)
>    +0x000 Type             : 0y01011 (0xb)
>    +0x000 Dpl              : 0y00
>    +0x000 Pres             : 0y1
>    +0x000 LimitHi          : 0y0000
>    +0x000 Sys              : 0y0
>    +0x000 Reserved_0       : 0y0
>    +0x000 Default_Big      : 0y0
>    +0x000 Granularity      : 0y0
>    +0x000 BaseHi           : 0y10000000 (0x80)

I had to use ntoskrnl instead of ntkrnlpa, but this is exactly what I
was hoping to find.
Thanks.
