Posts

Virtual Functions and VTables

Virtual Functions are a fundamental part of OOP features such as polymorphism. Pointers to a class's virtual functions are stored in a dispatch table called a VTable or Virtual Method Table; the VTable is essentially an array of virtual function pointers, and every object of a polymorphic class carries a hidden pointer to its class's table. It is possible to find the VTable using WinDbg, and I will demonstrate this within this blog post. Virtual Functions and Virtual Function Table Pointers I've written a very simple program using C++ to demonstrate the syntax of Virtual Functions. As you can see, there are two classes called A and B. A is the base class from which Class B inherits its members and member functions. The virtual keyword on the function in Class A called Function specifies that it is a Virtual Function rather than a standard (statically bound) function. When Class B inherits from Class A, Function is redefined (overridden) within Class B, which can be seen on Line 14. Please note this is not function overloading, since the function still ret...
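The post's own program is not reproduced in this excerpt, so the following is an added example rather than the author's code. It uses the class names the post describes (A and B, with a virtual Function) and assumes an int return type. It shows what the debugger is looking at: the hidden vtable pointer at offset 0 of each object, that two objects of one class share one table while A and B have different tables, and that slot 0 of the table can be called by hand. That last step is the reason vtables matter to an exploit developer: once a use-after-free lets an attacker overwrite the vptr, the next virtual call dispatches wherever the fake table points. The slot layout assumed here is the Itanium (GCC/Clang) and MSVC x64 layout, where the first declared virtual function occupies slot 0 and `this` is passed as an ordinary first argument.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added example, not the code from the original post. Names follow the post's
// description (classes A and B, virtual Function); the int return is assumed.
struct A {
    virtual int Function() { return 1; }   // slot 0 of A's vtable
    virtual int Other()    { return 10; }  // slot 1
};

struct B : A {
    int Function() override { return 2; }  // B's vtable: slot 0 replaced, slot 1 inherited from A
};

// Normal dynamic dispatch: the compiler loads obj's vptr, then vtable[0], then calls it.
int call_function(A &obj) { return obj.Function(); }

// Read the hidden vtable pointer stored at offset 0 of a polymorphic object on the
// Itanium (GCC/Clang) and MSVC ABIs. In WinDbg this is the first pointer-sized
// value shown by dumping the object's memory.
std::uintptr_t vptr_of(const A &obj) {
    std::uintptr_t vptr;
    std::memcpy(&vptr, &obj, sizeof vptr);
    return vptr;
}

// Walk the table by hand. vptr points at the first function slot; slot 0 holds the
// most-derived Function(). Calling through it this way is what an attacker does
// after replacing vptr with a pointer to a controlled fake table. ABI-dependent:
// assumes `this` is passed like an ordinary first argument (x86-64 SysV and MSVC x64).
int call_slot(A *obj, unsigned slot) {
    using Thunk = int (*)(A *);
    auto *vtable = reinterpret_cast<Thunk *>(vptr_of(*obj));
    return vtable[slot](obj);
}

// Objects of the same dynamic type share one vtable, so their vptrs are equal.
bool share_vtable(const A &x, const A &y) { return vptr_of(x) == vptr_of(y); }

int main() {
    A a;
    B b, b2;
    std::printf("A::Function via virtual call: %d\n", call_function(a));
    std::printf("B::Function via virtual call: %d\n", call_function(b));
    std::printf("A vtable at %#llx, B vtable at %#llx\n",
                static_cast<unsigned long long>(vptr_of(a)),
                static_cast<unsigned long long>(vptr_of(b)));
    std::printf("B's table, slot 0: %d, slot 1: %d\n", call_slot(&b, 0), call_slot(&b, 1));
    std::printf("two B objects share one vtable: %s\n", share_vtable(b, b2) ? "yes" : "no");
    return 0;
}
```

`call_slot` is deliberately the same operation the compiler emits for `obj.Function()`, only spelled out; compare the two when stepping the virtual call in the debugger and the vtable lookup becomes visible in the disassembly.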

Debugging Stop 0x9F - Power IRPs and PnP Manager

You may or may not have noticed that with a few Stop 0x9F bugchecks the first parameter is 0x4, which indicates that a power IRP timed out waiting to synchronize with the PnP Manager. The PnP Manager is a subsystem of the I/O Manager, and allows devices to be added or removed with little interaction from the user. The best example to illustrate this point would be the insertion or removal of a USB flash drive or any other USB device. The user does not have to install additional drivers to use the device or configure any settings: the USB flash drive is almost instantaneously added to the file system and can be managed by the user. This is a result of the design of the PnP Manager and of the code within the driver. Driver routines cannot interact with the PnP Manager directly; instead the PnP Manager sends PnP IRPs to the driver. The PnP Manager is present in both Kernel-Mode and User-Mode, and the User-Mode version interacts with the Kernel-Mode version. The PnP Manager is also responsible for maintainin...

February: Blog Post List

This is hopefully going to be the list of upcoming blog posts for February:
VTables and Virtual Functions
Thread Storage Slots
I/O Completion Ports
IRP Queues
PE Header Sections
Registry Internals
URBs and USB Internals
I'm also going to explore the I/O Manager more, since I haven't written much about it, and to be honest haven't read anything properly which is related to I/O for a while.

Types of Page Faults

This blog post will expand upon the idea of Page Faults, which resolve problems with Virtual to Physical Address Translation, and take a look at the different kinds of Page Faults which can happen. Collided Page Faults Collided Page Faults are common on modern systems with multiple threads. A Collided Page Fault occurs when a thread, either in the same process or in a different process, faults on a page which is already being paged in by another thread; the second fault collides with the in-progress I/O and waits for it rather than starting a second read. Before reading the rest of this section, note that the concept of Transition here applies to the PFN Database and not to PTEs and Prototype PTEs. In terms of the PFN Database, Transition means that the page isn't in a working set list or present on any paging list, therefore the page is not owned by anyone, and it is in Transition while an I/O operation is being performed on it. I haven't been able to find the correct symbol...

Rootkits: Direct Kernel Object Manipulation and Processes

DKOM (Direct Kernel Object Manipulation) is one of the methods commonly used and implemented by rootkits in order to remain undetected, since that is the main purpose of a rootkit: to access Kernel-Mode code and data structures without detection by security programs or by the tools used by security analysts and researchers. Rootkits are probably less of a problem than they used to be, with most rootkit detection tools being able to find the known variations of a rootkit, unless of course new ones are produced. Rootkits are able to steal information and hide directories and files to remain undetected. Usually all objects are managed by the Object Manager; DKOM, however, modifies the kernel objects in memory directly and so completely bypasses the Object Manager and its access checks and auditing, making rootkits harder to detect. DKOM can also be used to modify the privilege level of a process or thread, hide processes and network ports, and hide device drivers. Rootkits will commonly check the operating system version to be able to adapt to the environment in which they are running....
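The classic DKOM process hide is an unlink from the EPROCESS list, and the classic counter is a cross-view check. The following is an added example, not code from the original post or from any rootkit: it models both in user mode so it can be run anywhere. The mock EPROCESS keeps only the fields the technique touches (UniqueProcessId, ImageFileName and the ActiveProcessLinks LIST_ENTRY that threads the process into PsActiveProcessHead); the real structure is far larger and its field offsets change between Windows versions, which is why rootkits check the OS version first. The "PID table" used as the second view is a stand-in for the kernel's own handle and CID tables, which the unlink does not touch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not code from the original post. LIST_ENTRY and the field names
// match the Windows structures; MockEprocess is a deliberately cut-down EPROCESS.
struct LIST_ENTRY {
    LIST_ENTRY *Flink;
    LIST_ENTRY *Blink;
};

struct MockEprocess {
    std::uint32_t UniqueProcessId;
    char          ImageFileName[16];
    LIST_ENTRY    ActiveProcessLinks;   // links this process into PsActiveProcessHead
};

// CONTAINING_RECORD: recover the EPROCESS from the embedded LIST_ENTRY.
static MockEprocess *process_from_links(LIST_ENTRY *e) {
    return reinterpret_cast<MockEprocess *>(
        reinterpret_cast<char *>(e) - offsetof(MockEprocess, ActiveProcessLinks));
}

void init_head(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

// Append at the tail, as the kernel does when a process is created.
void insert_tail(LIST_ENTRY *head, MockEprocess *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

// The DKOM unlink. The neighbours are patched to skip this entry, and the entry is
// pointed at itself so that the kernel's own RemoveEntryList on process exit
// rewrites only the entry's own pointers instead of corrupting the live list
// (a dangling Flink/Blink here is a common cause of a bugcheck once the hidden
// process terminates). Scheduling works on threads, not this list, so the
// process keeps running while every list-based enumeration no longer sees it.
void dkom_unlink(MockEprocess *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

// View 1: walk the active process list, which is what list-based tools see.
std::size_t count_listed(LIST_ENTRY *head) {
    std::size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) ++n;
    return n;
}

static bool is_listed(LIST_ENTRY *head, const MockEprocess *p) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (process_from_links(e) == p) return true;
    return false;
}

// View 2: a PID table that the unlink never touched. Anything present here but
// absent from the list is hidden. Returns the count and writes the PIDs to `out`
// (which must have room for `n` entries).
std::size_t find_hidden(LIST_ENTRY *head, MockEprocess *const *table, std::size_t n,
                        std::uint32_t *out) {
    std::size_t hidden = 0;
    for (std::size_t i = 0; i < n; ++i)
        if (!is_listed(head, table[i])) out[hidden++] = table[i]->UniqueProcessId;
    return hidden;
}

int main() {
    LIST_ENTRY head;
    init_head(&head);
    // Constructed sample processes; PIDs and names are illustrative only.
    MockEprocess sys{4, "System", {}}, expl{1234, "explorer.exe", {}}, bad{4321, "backdoor.exe", {}};
    MockEprocess *table[] = {&sys, &expl, &bad};
    insert_tail(&head, &sys);
    insert_tail(&head, &expl);
    insert_tail(&head, &bad);

    std::printf("listed before unlink: %zu\n", count_listed(&head));
    dkom_unlink(&bad);
    std::printf("listed after unlink:  %zu\n", count_listed(&head));

    std::uint32_t hidden[3];
    std::size_t n = find_hidden(&head, table, 3, hidden);
    for (std::size_t i = 0; i < n; ++i)
        std::printf("hidden process found by cross-view: PID %u\n", hidden[i]);
    return 0;
}
```

The same cross-view idea is what anti-rootkit tools apply against the real kernel: compare PsActiveProcessHead against the CID/handle tables, scheduler thread lists or a brute-force walk of process objects, and flag every process that appears in only one view.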

List of WHEA Data Structures

I've listed other WHEA data structures in my other blog posts, and therefore will not be listing the same ones here. The purpose of this blog post is to list the WHEA data structures available with WinDbg and Microsoft's Public Symbol Server. The information within the structures has more or less been explained in my other WHEA posts, but if in doubt please leave a comment or read the WDK documentation.
_WHEA_ERROR_STATUS
_WHEA_ERROR_RECORD_HEADER_FLAGS
_WHEA_ERROR_PACKET_V2
_WHEA_ERROR_PACKET_FLAGS
_WHEA_ERROR_TYPE
_WHEA_ERROR_SEVERITY
_WHEA_ERROR_SOURCE_TYPE
_WHEA_ERROR_PACKET_DATA_FORMAT
_WHEA_ERROR_RECORD
_WHEA_ERROR_RECORD_HEADER
_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR
_WHEA_REVISION
_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS
_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS

Understanding PCI Configuration Space

I noticed in a dump file I was debugging for a user on Sysnative Forums that within the call stack there were a few references to PCI Configuration Space. The PCI Configuration Space can be accessed by device drivers and by other programs which use a helper driver to gather additional hardware information. A possible cause was easy to find from the call stack in this example; however, the topic of this discussion will be explaining the PCI Configuration Space. The driver in question belongs to CPU-Z. PCI Configuration Space The PCI Configuration Space is a set of per-device registers. On PCI Express (PCIe) buses the space is extended from 256 bytes to 4096 bytes per function, and the region beyond the first 256 bytes is referred to as the Extended Configuration Space. These registers are not read like ordinary RAM: on conventional PCI they are reached indirectly through the CONFIG_ADDRESS and CONFIG_DATA registers in the CPU's I/O Address Space, while PCIe additionally maps the whole space into memory (the Enhanced Configuration Access Mechanism, ECAM). The conventional Configuration Space is 256 bytes, and can be accessed with Read/Write Configuration Cycles. The target device for the Configuration Space Access is selected with the Initialization Device Select (IDSEL) signal, whi...
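To make the register layout concrete, here is an added example (not code from the original post) that decodes a PCI type 0 configuration header from a raw 256-byte image and computes the two addresses a driver uses to reach it: the CONFIG_ADDRESS value written to I/O port 0xCF8 on conventional PCI, and the ECAM offset into the memory-mapped PCIe extended configuration space. The 256-byte image is constructed inline, with values modelled on an Intel e1000 network controller, so the example runs without touching real hardware; reading live configuration space from user mode needs a kernel driver, which is exactly why a CPU-Z driver appeared on the call stack above.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added example, not code from the original post. Offsets follow the PCI type 0
// (non-bridge) header layout; the sample image below is constructed.
struct PciBar {
    bool          is_io;         // bit 0 set: I/O space BAR, otherwise memory space
    bool          is_64bit;      // memory BARs only: bits 2:1 == 10b, consumes the next BAR too
    bool          prefetchable;  // memory BARs only: bit 3
    std::uint64_t base;          // decoded base address with the type bits masked off
};

struct PciHeader {
    std::uint16_t vendor_id, device_id, command, status;
    std::uint8_t  revision, prog_if, subclass, class_code, header_type, cap_ptr, irq_line, irq_pin;
    PciBar        bars[6];
    int           bar_count;     // decoded entries; a 64-bit BAR occupies two slots but yields one entry
};

// Configuration space is little-endian regardless of host byte order.
static std::uint16_t rd16(const std::uint8_t *cfg, unsigned off) {
    return static_cast<std::uint16_t>(cfg[off] | (cfg[off + 1] << 8));
}
static std::uint32_t rd32(const std::uint8_t *cfg, unsigned off) {
    return static_cast<std::uint32_t>(cfg[off]) | (static_cast<std::uint32_t>(cfg[off + 1]) << 8) |
           (static_cast<std::uint32_t>(cfg[off + 2]) << 16) | (static_cast<std::uint32_t>(cfg[off + 3]) << 24);
}
static void wr16(std::uint8_t *cfg, unsigned off, std::uint16_t v) {
    cfg[off] = static_cast<std::uint8_t>(v & 0xFF);
    cfg[off + 1] = static_cast<std::uint8_t>(v >> 8);
}
static void wr32(std::uint8_t *cfg, unsigned off, std::uint32_t v) {
    for (unsigned i = 0; i < 4; ++i) cfg[off + i] = static_cast<std::uint8_t>((v >> (8 * i)) & 0xFF);
}

// Legacy mechanism #1: value for port 0xCF8. Bit 31 enables the cycle; the
// register offset must be dword aligned (bits 1:0 are zero), so only 256 bytes
// are reachable this way.
std::uint32_t config_address(unsigned bus, unsigned dev, unsigned fn, unsigned off) {
    return 0x80000000u | ((bus & 0xFFu) << 16) | ((dev & 0x1Fu) << 11) | ((fn & 7u) << 8) | (off & 0xFCu);
}

// PCIe ECAM: byte offset from the ECAM base (published in the ACPI MCFG table)
// for bus/device/function; a 12-bit offset covers the full 4096-byte space.
std::uint64_t ecam_offset(unsigned bus, unsigned dev, unsigned fn, unsigned off) {
    return (static_cast<std::uint64_t>(bus & 0xFFu) << 20) | ((dev & 0x1Fu) << 15) |
           ((fn & 7u) << 12) | (off & 0xFFFu);
}

// Decode a type 0 header. Returns false if no device is present (reads of an
// absent function return all ones) or the header is not type 0.
bool parse_type0(const std::uint8_t *cfg, PciHeader *h) {
    std::memset(h, 0, sizeof *h);
    h->vendor_id = rd16(cfg, 0x00);
    if (h->vendor_id == 0xFFFF) return false;
    h->header_type = cfg[0x0E];
    if ((h->header_type & 0x7F) != 0) return false;   // type 1 (bridge) / 2 (CardBus) differ from 0x10 onward
    h->device_id  = rd16(cfg, 0x02);
    h->command    = rd16(cfg, 0x04);
    h->status     = rd16(cfg, 0x06);
    h->revision   = cfg[0x08];
    h->prog_if    = cfg[0x09];
    h->subclass   = cfg[0x0A];
    h->class_code = cfg[0x0B];
    h->cap_ptr    = (h->status & 0x0010) ? cfg[0x34] : 0;   // only valid when the Status bit 4 is set
    h->irq_line   = cfg[0x3C];
    h->irq_pin    = cfg[0x3D];
    for (int i = 0; i < 6; ++i) {
        std::uint32_t raw = rd32(cfg, 0x10 + 4 * i);
        PciBar &b = h->bars[h->bar_count++];
        if (raw & 1u) {
            b.is_io = true;
            b.base = raw & ~3u;
        } else {
            b.is_64bit = ((raw >> 1) & 3u) == 2u;
            b.prefetchable = (raw & 8u) != 0;
            b.base = raw & ~0xFu;
            if (b.is_64bit && i < 5) {                   // upper 32 bits live in the following BAR
                ++i;
                b.base |= static_cast<std::uint64_t>(rd32(cfg, 0x10 + 4 * i)) << 32;
            }
        }
    }
    return true;
}

// Constructed sample image (modelled on an Intel e1000 NIC); not a real dump.
void build_sample(std::uint8_t cfg[256]) {
    std::memset(cfg, 0, 256);
    wr16(cfg, 0x00, 0x8086);          // Vendor ID
    wr16(cfg, 0x02, 0x100E);          // Device ID
    wr16(cfg, 0x04, 0x0107);          // Command: I/O space, memory space, bus master, SERR enable
    wr16(cfg, 0x06, 0x0010);          // Status: capabilities list present
    cfg[0x08] = 0x03;                 // Revision ID
    cfg[0x0B] = 0x02; cfg[0x0A] = 0x00;  // Class 02h/00h: Ethernet controller
    cfg[0x0E] = 0x00;                 // Header type 0, single function
    wr32(cfg, 0x10, 0xFEBC0000u);     // BAR0: 32-bit non-prefetchable memory
    wr32(cfg, 0x14, 0x0000C001u);     // BAR1: I/O ports at 0xC000
    wr32(cfg, 0x18, 0xFE00000Cu);     // BAR2: 64-bit prefetchable memory, low dword
    wr32(cfg, 0x1C, 0x00000001u);     // BAR3: high dword of BAR2
    cfg[0x34] = 0xDC;                 // Capabilities pointer
    cfg[0x3C] = 11; cfg[0x3D] = 1;    // Interrupt line 11, pin INTA#
}

int main() {
    std::uint8_t cfg[256];
    build_sample(cfg);
    PciHeader h;
    if (!parse_type0(cfg, &h)) { std::puts("not a type 0 device"); return 1; }
    std::printf("%04x:%04x class %02x/%02x rev %u, caps at %#x, IRQ %u\n",
                h.vendor_id, h.device_id, h.class_code, h.subclass, h.revision, h.cap_ptr, h.irq_line);
    for (int i = 0; i < h.bar_count; ++i)
        std::printf("BAR entry %d: %s base %#llx%s%s\n", i, h.bars[i].is_io ? "I/O" : "MEM",
                    static_cast<unsigned long long>(h.bars[i].base),
                    h.bars[i].is_64bit ? " 64-bit" : "", h.bars[i].prefetchable ? " prefetchable" : "");
    std::printf("0xCF8 value for 00:03.0 BAR0: %#x, ECAM offset for ext reg 0x100: %#llx\n",
                config_address(0, 3, 0, 0x10), static_cast<unsigned long long>(ecam_offset(0, 3, 0, 0x100)));
    return 0;
}
```

The 0xFFFF vendor check is the one a bus scan relies on: an unpopulated slot returns all ones, and a parser that skips it will happily decode garbage BARs.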