Unable to read win32k.sys memory


Fanny Dwargee

Feb 1, 2016, 6:57:55 AM
to vmitools
Hi again,

I'm trying to read NtUserSetWindowsHookEx routine pertaining to the module win32k.sys of a Windows7 sp1 x64 VM on Xen 4.6.

According to rekall/volatility the routine lies exactly at the kernel address 0xf9600007e160, so I'm trying to read it this way:

[...]
addr_t win32k_routine = 0xf9600007e160;
addr_t phys_addr      = vmi_translate_kv2p( vmi, win32k_routine );

printf( "LIBVMI: from kernel[0x%lX]  to physical[0x%lX]\n", win32k_routine, phys_addr );
[...]

but unfortunately it always returns zero (an error, according to the LibVMI documentation).

I'm guessing this is because of the special case of the win32k.sys mapping; can someone shed some light on this?

Many thanks in advance,

Fanny



Tamas K Lengyel

Feb 1, 2016, 9:02:56 AM
to vmit...@googlegroups.com

Are you sure that is not just a relative virtual address? If it is, you need to add it to the base address of win32k.sys.

--
You received this message because you are subscribed to the Google Groups "vmitools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vmitools+u...@googlegroups.com.
To post to this group, send email to vmit...@googlegroups.com.
Visit this group at https://groups.google.com/group/vmitools.
For more options, visit https://groups.google.com/d/optout.

Fanny Dwargee

Feb 1, 2016, 9:42:00 AM
to vmitools
Hi Tamas,

According to the PsLoadedModuleList, the win32k.sys BaseAddress is 0xFFFFF96000000000, and according to the win32k.sys Rekall profile the NtUserSetWindowsHookEx symbol lies at relative address 0x7E160.

I'm afraid the issue relates to win32k.sys, aka the Shadow Table, being paged and so not accessible as usual... :?

Best regards,

Fanny

Tamas K Lengyel

Feb 1, 2016, 11:24:51 AM
to vmit...@googlegroups.com
You can check if it was paged by going through the pagetables. Use vmi_pagetable_lookup_extended to get a better look at what is going on.

Tamas

Fanny Dwargee

Feb 1, 2016, 12:01:41 PM
to vmitools
Thanks for the hint about vmi_pagetable_lookup_extended, I'll try it asap. Anyway, as you can see in the following text from a WinDbg session, win32k.sys is paged (even without swap configured), although you're allowed to set breakpoints on any of its routines (despite the warning messages the bp works ok):

0: kd> u win32k!NtUserSetWindowsHookEx
win32k!NtUserSetWindowsHookEx:
fffff960`0007e09c ??              ???
                                     ^ Memory access error in 'u win32k!NtUserSetWindowsHookEx
0: kd> bp win32k!NtUserSetWindowsHookEx
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.

By the way, that session was on a virtual machine with Win7 SP0 64-bit installed on my local computer, which is why the routine offset is different from the SP1 one, but I think this clarifies my thoughts.


Regards

Fanny Dwargee

Feb 1, 2016, 12:44:36 PM
to vmitools
OK, this is the return from the vmi_pagetable_lookup_extended call (info was zero-initialized prior to the call):

LIBVMI: vmi_pagetable_lookup_extended() for address 0xFFFFF9600007E160 with ret VMI_FAILURE:
              info.pte_location   : 0x0
              info.pte_value      : 0x0
              info.pgd_location   : 0x0
              info.pgd_value      : 0x0
              info.pdpte_location : 0x0
              info.pdpte_value    : 0x0
              info.pml4e_location : 0x187F90
              info.pml4e_value    : 0x0

The call returned VMI_FAILURE, but pml4e_location was set.

Regards

Tamas K Lengyel

Feb 1, 2016, 1:04:07 PM
to vmit...@googlegroups.com
What you pasted shows that the VA does not exist at all in the pagetable you are trying to translate it in. It's not paged out; it's not mapped into the process at all. What CR3 are you using? Is it the kernel? I would not be surprised if the kernel doesn't have it mapped.

Fanny Dwargee

Feb 2, 2016, 2:01:01 AM
to vmitools
Yes, pid 4

Tamas K Lengyel

Feb 2, 2016, 12:36:20 PM
to vmit...@googlegroups.com
Yeah, you are not going to find libraries loaded into the kernel; you can only find kernel modules in the kernel. You should use the pagetable for a process that has the library loaded.

Steven Maresca

Feb 2, 2016, 12:45:04 PM
to vmit...@googlegroups.com
For win32k, I would strongly recommend that you use the address space of csrss.

Steve

Fanny Dwargee

Feb 3, 2016, 3:44:16 AM
to vmitools
Got it!

csrss has the address mapped and the disassembly matches the routine code.

Both of you deserve the best

Thank you all!!
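An added illustration of the diagnosis in this thread (not part of the thread, and not LibVMI's own code): a Python model of the x86-64 four-level page walk that vmi_pagetable_lookup_extended() performs, run over a constructed physical-memory image in which only csrss's page table maps the session-space page holding win32k!NtUserSetWindowsHookEx. The field names follow the page_info_t output posted above. The System DTB of 0x187000 is an assumption consistent with the posted pml4e_location 0x187F90 (0x187000 plus PML4 index 0x1F2 times 8); the csrss DTB 0x3A2000 and the physical frame 0x2B7E000 are constructed values.

```python
# Added example, not LibVMI code: model of the x86-64 4-level page walk behind
# vmi_pagetable_lookup_extended(), over a constructed physical-memory image.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

PRESENT = 1 << 0            # bit 0 of every entry
WRITABLE = 1 << 1           # bit 1
PAGE_SIZE_BIT = 1 << 7      # PS bit in a PDPTE/PDE: large page, walk stops
PFN_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: next table or page frame

WIN32K_VA = 0xFFFFF9600007E160     # VA of NtUserSetWindowsHookEx from the thread
SYSTEM_DTB = 0x187000   # assumed: DTB implied by the posted pml4e_location 0x187F90
CSRSS_DTB = 0x3A2000    # constructed DTB for csrss
WIN32K_FRAME = 0x2B7E000  # constructed physical frame backing that session-space page


@dataclass
class PageInfo:
    """Same field names as LibVMI's page_info_t in the thread's output."""
    vaddr: int
    dtb: int
    pml4e_location: int = 0
    pml4e_value: int = 0
    pdpte_location: int = 0
    pdpte_value: int = 0
    pgd_location: int = 0
    pgd_value: int = 0
    pte_location: int = 0
    pte_value: int = 0
    paddr: Optional[int] = None   # None mirrors VMI_FAILURE
    size: int = 0


class PhysMem:
    """Constructed sparse physical memory; unbacked reads return 0 (zeroed table)."""
    def __init__(self) -> None:
        self.qwords: Dict[int, int] = {}

    def read64(self, paddr: int) -> int:
        return self.qwords.get(paddr, 0)

    def write64(self, paddr: int, value: int) -> None:
        self.qwords[paddr] = value


def table_index(vaddr: int, level: int) -> int:
    """9-bit index into the level-N table (4 = PML4 ... 1 = PT)."""
    return (vaddr >> (12 + 9 * (level - 1))) & 0x1FF


def pagetable_lookup_extended(mem: PhysMem, dtb: int, vaddr: int) -> PageInfo:
    """Walk PML4 -> PDPT -> PD -> PT, recording each entry's location and value."""
    info = PageInfo(vaddr=vaddr, dtb=dtb)
    info.pml4e_location = (dtb & PFN_MASK) + table_index(vaddr, 4) * 8
    info.pml4e_value = mem.read64(info.pml4e_location)
    if not info.pml4e_value & PRESENT:
        return info   # no PML4E: the VA does not exist in this address space at all
    info.pdpte_location = (info.pml4e_value & PFN_MASK) + table_index(vaddr, 3) * 8
    info.pdpte_value = mem.read64(info.pdpte_location)
    if not info.pdpte_value & PRESENT:
        return info
    if info.pdpte_value & PAGE_SIZE_BIT:   # 1 GiB page
        info.paddr = (info.pdpte_value & 0x000F_FFFF_C000_0000) | (vaddr & 0x3FFF_FFFF)
        info.size = 1 << 30
        return info
    info.pgd_location = (info.pdpte_value & PFN_MASK) + table_index(vaddr, 2) * 8
    info.pgd_value = mem.read64(info.pgd_location)
    if not info.pgd_value & PRESENT:
        return info
    if info.pgd_value & PAGE_SIZE_BIT:     # 2 MiB page
        info.paddr = (info.pgd_value & 0x000F_FFFF_FFE0_0000) | (vaddr & 0x1F_FFFF)
        info.size = 1 << 21
        return info
    info.pte_location = (info.pgd_value & PFN_MASK) + table_index(vaddr, 1) * 8
    info.pte_value = mem.read64(info.pte_location)
    if not info.pte_value & PRESENT:
        return info   # PTE exists but page not present: this is what "paged out" looks like
    info.paddr = (info.pte_value & PFN_MASK) | (vaddr & 0xFFF)
    info.size = 1 << 12
    return info


def frame_allocator(start: int) -> Callable[[], int]:
    """Hands out fresh 4 KiB frames for intermediate tables in the constructed image."""
    state = {"next": start}

    def alloc() -> int:
        frame = state["next"]
        state["next"] += 0x1000
        return frame
    return alloc


def map_4k(mem: PhysMem, dtb: int, vaddr: int, frame: int, alloc: Callable[[], int]) -> None:
    """Create PML4E/PDPTE/PDE as needed, then point the PTE at `frame`."""
    table = dtb & PFN_MASK
    for level in (4, 3, 2):
        loc = table + table_index(vaddr, level) * 8
        entry = mem.read64(loc)
        if not entry & PRESENT:
            entry = alloc() | PRESENT | WRITABLE
            mem.write64(loc, entry)
        table = entry & PFN_MASK
    mem.write64(table + table_index(vaddr, 1) * 8, frame | PRESENT | WRITABLE)


def build_sample_memory() -> PhysMem:
    """Only csrss's page table maps the session-space page; System's PML4 slot stays 0."""
    mem = PhysMem()
    map_4k(mem, CSRSS_DTB, WIN32K_VA, WIN32K_FRAME, frame_allocator(0x400000))
    return mem


def translate_in_first_mapping(mem: PhysMem, dtbs: Dict[str, int], vaddr: int) -> Tuple[Optional[str], Optional[PageInfo]]:
    """Try each candidate address space in order (e.g. System, then csrss)."""
    for name, dtb in dtbs.items():
        info = pagetable_lookup_extended(mem, dtb, vaddr)
        if info.paddr is not None:
            return name, info
    return None, None


if __name__ == "__main__":
    mem = build_sample_memory()
    for name, dtb in (("System", SYSTEM_DTB), ("csrss", CSRSS_DTB)):
        info = pagetable_lookup_extended(mem, dtb, WIN32K_VA)
        status = "VMI_FAILURE" if info.paddr is None else f"paddr 0x{info.paddr:X}"
        print(f"{name:6} dtb 0x{dtb:X}: pml4e_location 0x{info.pml4e_location:X} "
              f"pml4e_value 0x{info.pml4e_value:X} -> {status}")
```

Run stand-alone, the System walk stops at the PML4 level with pml4e_location 0x187F90 and pml4e_value 0, exactly the shape of the posted output: the entry was read (so a location is reported) but nothing is mapped there, which is different from a present PTE chain ending in a non-present page. The csrss walk reaches a PTE and yields a physical address, which is the case the final reply describes.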