[Programming] Finding the Windows kernel base with GDB + QEMU


Posted 2010-8-18 05:39:13
This post was last edited by DriverEntry on 2010-8-18 05:41

REF:
http://hexblog.com/2009/02/advanced_windows_kernel_debugg.html
http://www.hex-rays.com/idapro/debugger/gdb_vmware_winkernel.pdf

Goal: find the Windows kernel base address.

Environment and tools: Linux host, GDB, QEMU, Windows XP VM

Method:
1. Start the QEMU Windows VM, then press Ctrl+Alt+2 to switch to the QEMU monitor and enter: gdbserver 1234
2. On the Linux host, start gdb and type "target remote localhost:1234". GDB is now attached to the Windows VM.

3. In the QEMU monitor, type "info registers", look at the fs segment and find its base address (the second number), as shown in figure 1. This is the address of the KPCR; it is 0xffdff000 on the test VM.

4. Then get the value of KdVersionBlock:
kdversionblock = Dword(kpcr+0x34). It is 0x8054c738 on the test VM.

5. Then get the kernel base ("kernbase"):
kernbase = Dword(kdversionblock+16). It is 0x804d7000 on the test VM.

6. Verify that this is the correct address: the bytes there should begin with 0x4d 0x5a 0x90 ("MZ"), the signature of the PE file.

(Steps 4, 5 and 6 are shown in figure 2.)
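The walk in steps 3 to 6 as a small Python script, added here as an example and not taken from the original post. It encodes the post's two offsets (KPCR+0x34 and KdVersionBlock+0x10), runs offline against a constructed memory image that reproduces the post's test-VM values, and checks the "MZ" signature at the result. The gdb_read helper and the file name walk.py are assumptions for running the same code inside gdb's embedded Python after "target remote localhost:1234"; the 0x30 selector check is a caveat for step 3 taken from the public x86 Windows GDT layout (kernel-mode fs selects the KPCR; a VM stopped in user mode shows the TEB in fs instead).

```python
# Added example (not from the original post): the KPCR -> KdVersionBlock -> KernBase
# walk from steps 3-6 of the post, runnable offline against a constructed memory
# image, plus an optional reader for a live GDB session.
import struct
from typing import Callable

# Offsets quoted in the post (32-bit Windows XP).
KPCR_KDVERSIONBLOCK = 0x34      # KPCR + 0x34 -> pointer to KdVersionBlock
KDVERSIONBLOCK_KERNBASE = 0x10  # KdVersionBlock + 16 -> KernBase (low dword)
KGDT_R0_PCR = 0x30              # kernel-mode fs selector on x86 Windows (from public GDT layout, not the post)
MZ_SIGNATURE = b"MZ"            # 0x4d 0x5a at the start of every PE image

ReadBytes = Callable[[int, int], bytes]


def find_kernel_base(read: ReadBytes, fs_base: int) -> tuple[int, int]:
    """Steps 4 and 5: follow KPCR -> KdVersionBlock -> KernBase.

    read(addr, n) must return n bytes of guest memory; dwords are little-endian.
    """
    def dword(addr: int) -> int:
        return struct.unpack("<I", read(addr, 4))[0]

    kdversionblock = dword(fs_base + KPCR_KDVERSIONBLOCK)
    kernbase = dword(kdversionblock + KDVERSIONBLOCK_KERNBASE)
    return kdversionblock, kernbase


def verify_pe_signature(read: ReadBytes, kernbase: int) -> bool:
    """Step 6: the candidate base must start with the 'MZ' DOS header."""
    try:
        return read(kernbase, 2) == MZ_SIGNATURE
    except LookupError:  # unmapped address: certainly not the kernel image
        return False


def fs_points_to_kpcr(fs_selector: int) -> bool:
    """Caveat for step 3: if the VM was stopped while a user-mode thread ran,
    fs holds the TEB, not the KPCR. The kernel PCR selector is 0x30."""
    return fs_selector == KGDT_R0_PCR


class FakeMemory:
    """Sparse, byte-addressed stand-in for guest memory (constructed for the demo)."""
    def __init__(self) -> None:
        self._bytes: dict[int, int] = {}

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self._bytes[addr + i] = b

    def write_dword(self, addr: int, value: int) -> None:
        self.write(addr, struct.pack("<I", value))

    def read(self, addr: int, n: int) -> bytes:
        # Raises KeyError (a LookupError) on unmapped bytes, as a real debugger read would fail.
        return bytes(self._bytes[addr + i] for i in range(n))


def build_demo_memory() -> FakeMemory:
    """Constructed image reproducing the values the post reports for its test VM."""
    mem = FakeMemory()
    mem.write_dword(0xFFDFF000 + KPCR_KDVERSIONBLOCK, 0x8054C738)
    mem.write_dword(0x8054C738 + KDVERSIONBLOCK_KERNBASE, 0x804D7000)
    mem.write(0x804D7000, b"MZ\x90\x00")  # 0x4d 0x5a 0x90 as in step 6
    return mem


def demo() -> tuple[int, int, bool]:
    """Run the whole walk on the constructed image; returns (kdversionblock, kernbase, mz_ok)."""
    mem = build_demo_memory()
    kdversionblock, kernbase = find_kernel_base(mem.read, 0xFFDFF000)
    return kdversionblock, kernbase, verify_pe_signature(mem.read, kernbase)


def gdb_read(addr: int, n: int) -> bytes:
    """Reader for a live session: 'source walk.py' inside gdb (hypothetical file name)
    after 'target remote localhost:1234', then call find_kernel_base(gdb_read, fs_base)."""
    import gdb  # only available inside gdb's embedded Python
    return bytes(gdb.selected_inferior().read_memory(addr, n))


if __name__ == "__main__":
    kdvb, base, ok = demo()
    print(f"KdVersionBlock=0x{kdvb:08x} KernBase=0x{base:08x} MZ check={ok}")
```

The same three reads can be typed by hand at the gdb prompt: x/wx 0xffdff000+0x34 gives the KdVersionBlock pointer, x/wx <kdversionblock>+0x10 gives the base, and x/4xb <kernbase> shows the 4d 5a bytes. If the fs base in "info registers" is not 0xffdff000-like and the selector is not 0x30, the guest was stopped in user mode; stop it again from inside the kernel before reading.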
https://bbs.gter.net/thread-1140873-1-1.html