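$$ x86 Kernel Callback Finder for CreateProcess/LoadImage/CreateThread/Registry
$$ Frank Boldewin / www.reconstructer.org
$$
$$ Purpose: list the routines registered in the kernel's fixed-size callback
$$ arrays (process/thread creation, image load, registry) so that hooks
$$ installed by drivers or rootkits can be reviewed in a kernel debugger.
$$
$$ Layout assumed (x86 only -- dwo/*4/%08x are 32-bit specific, an x64 port
$$ needs qwo, *8 and the 64-bit structure offsets):
$$   slot  = 4-byte EX_FAST_REF; low 3 bits are a reference count (masked
$$           off with &-8), the rest points at an EX_CALLBACK_ROUTINE_BLOCK
$$   +4    = the callback routine pointer inside that block (offset 0 is
$$           the rundown reference)
$$
$$ A slot reads as 0 once its callback has been unregistered. Each section
$$ scans <Count> slots, so a hole inside that range means that a live entry
$$ sits *past* the scanned range; the section prints a note when it finds
$$ fewer live entries than the kernel's counter says. Empty slots are
$$ skipped instead of being dereferenced (poi(0+4) would abort the script).
$$
$$ Pseudo-register roles: @$t0 = slot index, @$t1 = live entries found,
$$ @$t2 = raw slot value (EX_FAST_REF).
aS Counter "@$t0";
aS Found "@$t1";
aS Slot "@$t2";

.printf "\nCreateProcess Callbacks:\n"
.printf "------------------------\n"
aS CPNAddr "nt!PspCreateProcessNotifyRoutine";
aS CPNCount "poi(nt!PspCreateProcessNotifyRoutineCount)";
.block
{
    r ${Found} = 0;
    .for (r ${Counter} = 0; ${Counter} < ${CPNCount}; r ${Counter} = ${Counter} + 1)
    {
        r ${Slot} = dwo(${CPNAddr} + ${Counter} * 4);
        .if (${Slot} != 0)
        {
            r ${Found} = ${Found} + 1;
            .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi((${Slot} & -8) + 4);
        }
        .else
        {
            .printf "Callback: %d - (empty slot)\n", ${Counter}+1;
        }
    }
    .if (${Found} < ${CPNCount})
    {
        .printf "Note: kernel reports %d callbacks but only %d live slots in the first %d; remaining entries lie in later slots\n", ${CPNCount}, ${Found}, ${CPNCount};
    }
}

.printf "\nLoadImage Callbacks:\n"
.printf "--------------------\n"
aS LINAddr "nt!PspLoadImageNotifyRoutine";
aS LINCount "poi(nt!PspLoadImageNotifyRoutineCount)";
.block
{
    r ${Found} = 0;
    .for (r ${Counter} = 0; ${Counter} < ${LINCount}; r ${Counter} = ${Counter} + 1)
    {
        r ${Slot} = dwo(${LINAddr} + ${Counter} * 4);
        .if (${Slot} != 0)
        {
            r ${Found} = ${Found} + 1;
            .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi((${Slot} & -8) + 4);
        }
        .else
        {
            .printf "Callback: %d - (empty slot)\n", ${Counter}+1;
        }
    }
    .if (${Found} < ${LINCount})
    {
        .printf "Note: kernel reports %d callbacks but only %d live slots in the first %d; remaining entries lie in later slots\n", ${LINCount}, ${Found}, ${LINCount};
    }
}

.printf "\nCreateThread Callbacks:\n"
.printf "-----------------------\n"
aS CTNAddr "nt!PspCreateThreadNotifyRoutine";
aS CTNCount "poi(nt!PspCreateThreadNotifyRoutineCount)";
.block
{
    r ${Found} = 0;
    .for (r ${Counter} = 0; ${Counter} < ${CTNCount}; r ${Counter} = ${Counter} + 1)
    {
        r ${Slot} = dwo(${CTNAddr} + ${Counter} * 4);
        .if (${Slot} != 0)
        {
            r ${Found} = ${Found} + 1;
            .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi((${Slot} & -8) + 4);
        }
        .else
        {
            .printf "Callback: %d - (empty slot)\n", ${Counter}+1;
        }
    }
    .if (${Found} < ${CTNCount})
    {
        .printf "Note: kernel reports %d callbacks but only %d live slots in the first %d; remaining entries lie in later slots\n", ${CTNCount}, ${Found}, ${CTNCount};
    }
}

.printf "\nRegistry (CMP) Callbacks:\n"
.printf "-------------------------\n"
$$ CmpCallBackVector is walked with the same EX_FAST_REF / +4 layout as the
$$ Psp arrays above; NOTE(review): this holds for the kernels this script
$$ was written against -- confirm on newer builds before trusting the output.
aS CMNAddr "nt!CmpCallBackVector";
aS CMNCount "poi(nt!CmpCallBackCount)";
.block
{
    r ${Found} = 0;
    .for (r ${Counter} = 0; ${Counter} < ${CMNCount}; r ${Counter} = ${Counter} + 1)
    {
        r ${Slot} = dwo(${CMNAddr} + ${Counter} * 4);
        .if (${Slot} != 0)
        {
            r ${Found} = ${Found} + 1;
            .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi((${Slot} & -8) + 4);
        }
        .else
        {
            .printf "Callback: %d - (empty slot)\n", ${Counter}+1;
        }
    }
    .if (${Found} < ${CMNCount})
    {
        .printf "Note: kernel reports %d callbacks but only %d live slots in the first %d; remaining entries lie in later slots\n", ${CMNCount}, ${Found}, ${CMNCount};
    }
}

$$ Drop every alias so a re-run (or another script) starts clean.
ad ${/v:CPNAddr};
ad ${/v:CPNCount};
ad ${/v:LINAddr};
ad ${/v:LINCount};
ad ${/v:CTNAddr};
ad ${/v:CTNCount};
ad ${/v:CMNAddr};
ad ${/v:CMNCount};
ad ${/v:Counter};
ad ${/v:Found};
ad ${/v:Slot};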
Wednesday, July 6, 2011
Windbg Script for Kernelcallbacks under x86 Architecture