Black.hat: debug

Wednesday, July 6, 2011

Windbg Script for Kernelcallbacks under x86 Architecture

$$ x86 Kernel Callback Finder for CreateProcess/LoadImage/CreateThread/Registry

$$ Frank Boldewin / www.reconstructer.org



.printf "\nCreateProcess Callbacks:\n"

.printf "------------------------\n"



aS CPNAddr  "nt!PspCreateProcessNotifyRoutine";

aS CPNCount "poi(nt!PspCreateProcessNotifyRoutineCount)";

aS Counter  "@$t0";



.block

{

  .for (r ${Counter} = 0; ${Counter} < ${CPNCount}; r ${Counter} = ${Counter} + 1)

  {

    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${CPNAddr} + ${Counter} *4))&-8)+4);

  }

}



.printf "\nLoadImage Callbacks:\n"

.printf "--------------------\n"



aS LINAddr  "nt!PspLoadImageNotifyRoutine";

aS LINCount "poi(nt!PspLoadImageNotifyRoutineCount)";



.block

{

  .for (r ${Counter} = 0; ${Counter} < ${LINCount}; r ${Counter} = ${Counter} + 1)

  {

    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${LINAddr} + ${Counter} *4))&-8)+4);

  }

}



.printf "\nCreateThread Callbacks:\n"

.printf "-----------------------\n"



aS CTNAddr  "nt!PspCreateThreadNotifyRoutine";

aS CTNCount "poi(nt!PspCreateThreadNotifyRoutineCount)";



.block

{

  .for (r ${Counter} = 0; ${Counter} < ${CTNCount}; r ${Counter} = ${Counter} + 1)

  {

    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${CTNAddr} + ${Counter} *4))&-8)+4);

  }

}



.printf "\nRegistry (CMP) Callbacks:\n"

.printf "-------------------------\n"



aS CMNAddr  "nt!CmpCallBackVector";

aS CMNCount "poi(nt!CmpCallBackCount)";



.block

{

  .for (r ${Counter} = 0; ${Counter} < ${CMNCount}; r ${Counter} = ${Counter} + 1)

  {

    .printf "Callback: %d - Address: 0x%08x\n", ${Counter}+1, poi(((dwo(${CMNAddr} + ${Counter} *4))&-8)+4);  

  }

}



ad ${/v:CPNAddr};

ad ${/v:CPNCount};

ad ${/v:LINAddr};

ad ${/v:LINCount};

ad ${/v:CTNAddr};

ad ${/v:CTNCount};

ad ${/v:CMNAddr};

ad ${/v:CMNCount};

ad ${/v:Counter};