Tuesday, August 17, 2010

Finding the Windows kernel base with GDB + QEMU

Goal: find the Windows kernel base address.

Environment and tools: Linux host, GDB, QEMU, Windows XP VM
Method:

1. Start the QEMU Windows VM, then press Ctrl+Alt+2 to switch to the QEMU monitor and type "gdbserver 1234".

2. On the Linux host, start gdb and type "target remote localhost:1234". The Windows VM is now being debugged by GDB.

3. In the QEMU monitor, type "info registers", then look at the fs segment and read its base address (the second number), as shown in figure 1. This is the address of the "kpcr"; it is 0xffdff000 on the test VM.

4. Then get the value of KdVersionBlock :
kdversionblock = Dword(kpcr+0x34). It is 0x8054c738 on the test VM.

5. Then get the "kernbase":
kernbase = Dword(kdversionblock + 16). It is 0x804d7000 on the test VM.

6. Verify that this is the correct address: the first bytes at kernbase should be 0x4d 0x5a 0x90, the "MZ" signature of a PE file.

(Steps 4, 5 and 6 are shown in figure 2.)
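The pointer walk in steps 3 to 6 (KPCR -> KdVersionBlock -> KernBase -> MZ check), written out as a Python script. This is an added example, not code from the original post; it goes slightly beyond the post by also following e_lfanew to the "PE\0\0" signature and by refusing a NULL KdVersionBlock or a non-page-aligned base. The memory image it runs against is constructed from the values the post reports (0xffdff000, 0x8054c738, 0x804d7000); the e_lfanew value 0xe8 is an assumed placeholder, and the gdb_reader helper is an assumed adapter for running the same walk inside gdb's Python.

```python
import struct

# Offsets used by the post: KPCR.KdVersionBlock on 32-bit Windows XP,
# and KernBase inside the DBGKD_GET_VERSION64 block it points to.
KPCR_KDVERSIONBLOCK = 0x34
KDVERSIONBLOCK_KERNBASE = 16


def read_dword(mem_read, addr):
    """Read a little-endian 32-bit value through an (addr, size) -> bytes reader."""
    return struct.unpack("<I", mem_read(addr, 4))[0]


def find_kernel_base(mem_read, kpcr):
    """Walk KPCR -> KdVersionBlock -> KernBase and validate the PE header.

    Returns the kernel base, or raises ValueError when a link in the chain
    is missing or does not point at a PE image.
    """
    kdversionblock = read_dword(mem_read, kpcr + KPCR_KDVERSIONBLOCK)
    if kdversionblock == 0:
        # A NULL pointer means the walk cannot continue from this KPCR.
        raise ValueError("KPCR.KdVersionBlock is NULL")
    # KernBase is a ULONG64 field; on 32-bit XP the low dword is the base.
    kernbase = read_dword(mem_read, kdversionblock + KDVERSIONBLOCK_KERNBASE)
    if kernbase & 0xFFF:
        raise ValueError("kernel base 0x%08x is not page aligned" % kernbase)
    # Step 6 of the post: the image must start with the MZ signature.
    if mem_read(kernbase, 2) != b"MZ":
        raise ValueError("no MZ signature at 0x%08x" % kernbase)
    # Extra check beyond the post: follow e_lfanew to the PE signature.
    e_lfanew = read_dword(mem_read, kernbase + 0x3C)
    if mem_read(kernbase + e_lfanew, 4) != b"PE\x00\x00":
        raise ValueError("no PE signature at 0x%08x" % (kernbase + e_lfanew))
    return kernbase


def gdb_reader(addr, size):
    """Assumed adapter for use inside gdb's Python (needs the gdb module)."""
    import gdb  # only importable when running under gdb
    return bytes(gdb.selected_inferior().read_memory(addr, size))


class FakeMemory:
    """Sparse constructed memory image used to exercise the walk offline."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, size):
        try:
            return bytes(self.cells[addr + i] for i in range(size))
        except KeyError:
            raise ValueError("unmapped read at 0x%08x" % addr)


def build_test_image():
    """Constructed image reproducing the values the post reports from its VM."""
    mem = FakeMemory()
    kpcr, kdvb, base = 0xFFDFF000, 0x8054C738, 0x804D7000
    mem.write(kpcr + KPCR_KDVERSIONBLOCK, struct.pack("<I", kdvb))
    mem.write(kdvb + KDVERSIONBLOCK_KERNBASE, struct.pack("<Q", base))
    mem.write(base, b"MZ\x90\x00")                      # 0x4d 0x5a 0x90
    mem.write(base + 0x3C, struct.pack("<I", 0xE8))     # assumed e_lfanew
    mem.write(base + 0xE8, b"PE\x00\x00")
    return mem, kpcr


if __name__ == "__main__":
    mem, kpcr = build_test_image()
    print("kernel base: 0x%08x" % find_kernel_base(mem.read, kpcr))
```

Under a live gdb session attached to the VM, the same call becomes find_kernel_base(gdb_reader, 0xffdff000), with the KPCR address taken from "info registers" as in step 3.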
