debugging kernel driver and understanding i/o routing with various structures
Let’s debug a very simple driver from pavel’s latest book on kernel programming and understand different structures along with their relationship and overall...
parsing sysmon events using krabs etw
TL;DR
krabsetw is a C++ library that simplifies interacting with ETW. It allows for any number of traces and providers to be enabled and for client code to register for event notifications from these traces. krabsetw also provides code to simplify parsing generic event data into strongly typed data types.
The repo has sufficient docs and examples to go through. I was just playing with parsing sysmon events a while back for something.
Steps
Clone and build the project from krabsetw repo with code shared above.
- make sure sysmon is installed
- launch NativeExamples.exe
- watch the events fly by.
Code
sample output when the application is run with sysmon installed
Enjoy and Profit ;)
2021
memory tracking through nt!PoolHitTag
Let’s explore how nt!PoolHitTag can be useful for while tracking memory issues. Along with useful windbg command like !pool, !poolfind, !verifier etc.
virtual to physical address using windbg
In this post let’s explore the general mechanism of how we go for virtual to physical memory. Trying to understand what happens in between.
native api and undoc windows structure using pdbex
In the prev post we saw how to use phnt to access windows native api and undoc structures.
native api and undoc windows structure using process hacker’s phnt
Quite often on windows accessing native api and undoc structures is required.
understaning CVE-2014-4113 win32k vuln with windbg
TL;DR This is taken from the mwri labs doc in links below. The vulnerability is in the function win32k!xxxHandleMenuMessages. When it calls the functio...
Lost registers during kernel debugging Win7
When kernel debugging an old target like Windows 7 after a long time using windbg. I noticed not being able to see the registers in register pane. That was k...