Hello,
my driver uses some hardcoded offsets to some attributes of internal system structures. I know this is definitely one of the worst solutions ever, but there is absolutely no way for me not to do so.
I get those offsets via the .dt command in WinDBG.
Now I want to get these offsets for some operating systems that I do not own. Unfortunately I cannot afford 4 operating systems just because I need to attach WinDBG to them for these few offsets. So, how can I force WinDBG to use the symbol file for a specific operating system without attaching WinDBG to that operating system?
The only possibility I can think of is a crash dump. I can simply load a crash dump for that operating system and then do my stuff?!
Is there any other (easier) possibility than loading crash dumps, or, if not, can someone provide simple 96K kernel (crash) dumps for the following operating systems?
Windows XP SP2 X86
Windows XP SP2 X64
Windows Vista SP0 X86
Windows Vista SP0 X64
-Patrick
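The procedure the question describes (open a kernel dump, let WinDbg pull the matching symbols, read the field offsets with dt) looks like this as a WinDbg session. This is an added example, not a command sequence from the thread; it assumes a kernel dump file for the target build and access to the Microsoft public symbol server, and the EPROCESS field names used are illustrative choices, not fields the original poster named. The vertarget and lm steps are the check a practitioner wants here: they tie the printed offsets to one exact kernel build, which is what makes hardcoded offsets fragile across hotfixes.

```windbg
$$ Open the kernel dump first: windbg -z <dump file>  (or File > Open Crash Dump).

$$ 1. Record which kernel build this dump came from. Every offset printed
$$    below is only valid for this build string / ntoskrnl timestamp.
vertarget
lm vm nt

$$ 2. Point the symbol path at the Microsoft public symbol server and force
$$    the nt symbols for this build to load (no live target needed).
.symfix
.reload /f nt

$$ 3. Print the offsets of the fields of interest. The "+0x..." column is the
$$    offset from the start of the structure, i.e. the value a driver would
$$    hardcode. Field names here are examples, not from the original post.
dt nt!_EPROCESS UniqueProcessId ImageFileName ActiveProcessLinks

$$ 4. Dump the whole structure (with its size) once per build and keep it next
$$    to the output of step 1, so a hotfix that shifts a field shows up as a
$$    diff between two dumps rather than as a crash in the field.
dt -v nt!_EPROCESS
```

The same sequence works for each of the builds listed above as long as a dump from that build is available; what changes is only the output of vertarget and the offsets, and that difference is exactly the point Don makes further down the thread.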
No. This won’t work. For XP, there’s the /3GB switch to worry about,
and for Vista there’s load address randomization that will kill this.
But none of that matters, because the implications of this plan are that
you are never going to debug your on any of these operating
systems, which is just a deal breaker.
Good luck,
mm
xxxxx@vansoftcorp.com wrote:
> Hello,
> my driver uses some hardcoded offsets to some attributes of internal system structures. I know this is definitely one of the worst solutions ever, but there is absolutely no way for me not to do so.
>
> I get those offsets via the .dt command in WinDBG.
>
> Now I want to get these offsets for some operating systems that I do not own. Unfortunately I cannot afford 4 operating systems just because I need to attach WinDBG to them for these few offsets. So, how can I force WinDBG to use the symbol file for a specific operating system without attaching WinDBG to that operating system?
>
> The only possibility I can think of is a crash dump. I can simply load a crash dump for that operating system and then do my stuff?!
>
> Is there any other (easier) possibility than loading crash dumps, or, if not, can someone provide simple 96K kernel (crash) dumps for the following operating systems?
>
> Windows XP SP2 X86
> Windows XP SP2 X64
> Windows Vista SP0 X86
> Windows Vista SP0 X64
>
> -Patrick
>
I do not use offsets to the internal structure instances. I use offsets from the beginning of such structures (e.g. EPROCESS) to one of their attributes.
Anyway, I’ll stick to crash dumps then.
Thank you
You are more than messed up, that structure has changed at times with
hotfixes so forget this crap you will never get it right. Whatever your
product is, basically it is MALWARE if you try this stuff.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
wrote in message news:xxxxx@windbg…
>I do not use offsets to the internal structure instances. I use offsets
>from the beginning of such structures (e.g. EPROCESS) to one of their
>attributes.
>
> Anyway, I’ll stick to crash dumps then.
>
> Thank you
>