There’s a strange thing on XP SP3 (x86):
I’m trying to set kd_IHVDRIVER_mask on a running system,
using the debugger. I do have correct symbols from the MS server.
So, patching nt!Kd_IHVDRIVER_Mask, windbg resolves this
to address 80555994:
80555994 nt!Kd_IHVDRIVER_Mask
But DbgPrintEx doesn’t seem to print.
Tracing through DbgPrintEx, it gets the mask address
as poi(nt!KdComponentTable + 4 * index)
Windbg resolves nt!KdComponentTable to address 8054d578
and DPFLTR_IHVDRIVER_ID equals 77 (0x4D).
So 8054d578 + 4 * 0x4D = 8054D6AC, poi(8054D6AC) = 8055598c
But from the symbols, 8055598c is not nt!Kd_IHVDRIVER_Mask,
it is nt!Kd_SR_Mask (DPFLTR_SR_ID = 75)
So the address I’ve patched is 8 bytes off.
Are my calculations wrong, or is there a “bug” in the XP SP3 public symbols?
Regards,
Update…
On Vista and Win7, these addresses match:
poi(nt!KdComponentTable + 4 * DPFLTR_IHVDRIVER_ID)
equals Kd_IHVDRIVER_Mask.
As for WinXP, in my DriverEntry I call
DbgSetDebugFilterState(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, TRUE);
instead of tampering with nt!Kd_IHVDRIVER_Mask, then
DbgPrintEx(DPFLTR_IHVDRIVER_ID…) seems to work fine (also in Vista+).
– pa
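A user-mode model of the lookup described above, added here as an example and not code from the thread or from Windows: it binds a small stand-in for nt!KdComponentTable to stand-in mask variables and shows why a write to the symbol nt!Kd_IHVDRIVER_Mask only matters when the table slot for DPFLTR_IHVDRIVER_ID actually points at that variable, whereas DbgSetDebugFilterState goes through the table. The table size, the mask globals and the rebind_slot helper are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Component ids and level from the DPFLTR_* values used in the post. */
#define DPFLTR_SR_ID        75
#define DPFLTR_IHVDRIVER_ID 77
#define DPFLTR_INFO_LEVEL   3
#define KD_COMPONENT_COUNT  (DPFLTR_IHVDRIVER_ID + 1)  /* constructed: only as many slots as needed */

/* Stand-ins for nt!Kd_SR_Mask and nt!Kd_IHVDRIVER_Mask (user-mode globals, not the kernel's). */
static uint32_t Kd_SR_Mask;
static uint32_t Kd_IHVDRIVER_Mask;

/* Stand-in for nt!KdComponentTable: slot i holds the address of component i's mask. */
static uint32_t *KdComponentTable[KD_COMPONENT_COUNT];

/* Bind each component slot to its own mask, the layout the poster saw on Vista/Win7. */
static void init_table(void) {
    for (size_t i = 0; i < KD_COMPONENT_COUNT; i++) KdComponentTable[i] = NULL;
    Kd_SR_Mask = 0;
    Kd_IHVDRIVER_Mask = 0;
    KdComponentTable[DPFLTR_SR_ID]        = &Kd_SR_Mask;
    KdComponentTable[DPFLTR_IHVDRIVER_ID] = &Kd_IHVDRIVER_Mask;
}

/* Constructed helper: repoint a slot, mirroring the XP observation that slot 0x4D resolved to Kd_SR_Mask. */
static void rebind_slot(uint32_t component, uint32_t *mask) {
    if (component < KD_COMPONENT_COUNT) KdComponentTable[component] = mask;
}

/* Documented DbgPrintEx rule: Level < 32 is a bit position, Level >= 32 is used as the mask itself. */
static uint32_t level_to_mask(uint32_t level) {
    return level < 32 ? (1u << level) : level;
}

/* Model of DbgSetDebugFilterState: set/clear the level bits through the table, not via the symbol. */
static bool set_filter_state(uint32_t component, uint32_t level, bool state) {
    if (component >= KD_COMPONENT_COUNT || KdComponentTable[component] == NULL) return false;
    if (state) *KdComponentTable[component] |=  level_to_mask(level);
    else       *KdComponentTable[component] &= ~level_to_mask(level);
    return true;
}

/* Model of the DbgPrintEx filter check (the system-wide default-mask fallback is not modeled). */
static bool would_print(uint32_t component, uint32_t level) {
    if (component >= KD_COMPONENT_COUNT || KdComponentTable[component] == NULL) return false;
    return (*KdComponentTable[component] & level_to_mask(level)) != 0;
}
```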