Model Specific Registers

Experts,

Is there a constant location for the MSRs for a hardware? I have a
crash dump and it is pretty messed up; windbg isn't of much help, so I am
trying to manually find a few OS data structures to help me debug.

So I ask, given a full memory dump, can one find the location of
critical system registers like MSRs etc.? If so, how?

thanks

ami

MSRs aren’t defined to be stored by the processor in physical memory.

  • S

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

MSRs are not stored in a system dump, mostly because MSRs are not
“critical system registers”. The number of MSRs varies widely from
processor to processor – that’s a lot to keep track of.

Why isn’t windbg of much help? What problem do you think you have that
MSRs would help with?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

OK, I understand that MSRs won't help. How about the KPCR, is that there?
And is its location constant?

As I said before, this is a highly mangled dump, and it can't find
PsLoadedModuleList etc., so it is not debuggable, but it is important that I
debug it, so I am trying to manually find these variables…

Note that it is a machine-specific REGISTER, so unless there is some known
location where these are stored by the OS, they will not appear in the dump.
joe

KPCR is not a register; it's a Windows internal data structure. The location
of KPCR was constant till WinXP, but with ASLR in Vista and above, it is
also dynamically located.

- ab

But is there a way to locate it by manually scanning the dump? Or how
about locating the kernel from the dump? Is that possible?

For WinXP, both the kernel location and the critical data structures are
fixed.

To scan for KPCR you will need to identify the structure in memory. That
is possible, due to the fact that KPCR is self-referencing. That is,
there is a self pointer inside the structure which points to the base of the
structure. So an incremental scan is likely to locate it, assuming the
following:

  1. You can convert the base address to the virtual memory pointer that the
    internal self pointer points to.
  2. You know where to look for it in the dump.

#2 is simple, or brute-force scanning of the entire kernel space is possible
(you don't need the entire space either; these structs are located pretty low
in kernel space).
#1 is tough, because to get the virtual address conversion you will
need the CR3 register, which is stored in the TSS data structure, which again is
part of KPCR. Now, there can be cases (like in XP) where the KPCR is mapped
in the first 8MB of virtual address space (which means that physical and virtual
addresses are the same), so you can find out the virtual address, do the
corrections and load it, but in Vista and above I have seen the kernel
being loaded above the 8MB limit (probably due to ASLR) and so is KPCR. In
those cases you cannot directly find the VA; you will need to find the TSS
first and go on from there.

The kernel can be found, though, by scanning certain ranges of memory
and then verifying by actually dumping its export table. I am not sure how
that will help though, because to do what you want to do (from your posts)
you will need the PsLoadedModuleList or the PspCidTable, and those would
all need virtual addresses to locate and walk, so I would first find
CR3, KPCR, then the kernel to get the pieces of this puzzle…

Experts, please correct me if I am wrong; I am after all a noob compared to
many of you…

- ab
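The self-pointer scan that ab describes above, as an added example that is not from the thread or from any of its posters: a Python scanner that walks a raw physical-memory image looking for a 32-bit KPCR. The field offsets it relies on (SelfPcr at +0x1C, Prcb at +0x20, the embedded PrcbData at +0x120), the 0x80000000 kernel boundary and the sample "dump" are assumptions and constructed data, not anything the thread states. It goes one step beyond the post: because Prcb always points 0x120 bytes past the address in SelfPcr, that relation can be tested without knowing how physical pages map to virtual addresses, so the physical-to-virtual bias is derived from each hit instead of assumed, which is the "#1 is tough" case for a kernel moved by ASLR.

```python
"""Scan a raw physical-memory image for a 32-bit KPCR via its self pointers.

Assumed x86 KPCR layout (assumption, matches public symbol layouts):
  +0x01C SelfPcr  virtual address of this KPCR
  +0x020 Prcb     pointer to the KPRCB, which is embedded at +0x120
"""
import struct

SELFPCR_OFF = 0x1C
PRCB_OFF = 0x20
PRCBDATA_OFF = 0x120
KERNEL_VA_MIN = 0x80000000      # x86 kernel half without /3GB (assumption)
MIN_SIZE = PRCBDATA_OFF + 4     # bytes needed to evaluate both fields


def scan_kpcr(dump, step=4, expected_bias=None):
    """Return [(phys_offset, self_va, bias)] for each KPCR candidate.

    A candidate must satisfy Prcb == SelfPcr + 0x120 and have SelfPcr in the
    kernel half.  bias = SelfPcr - phys_offset is the physical-to-virtual
    conversion implied by the hit; pass expected_bias (e.g. 0x80000000 for an
    XP-style mapping) to keep only hits consistent with a known mapping.
    """
    hits = []
    for off in range(0, len(dump) - MIN_SIZE + 1, step):
        # SelfPcr and Prcb are adjacent DWORDs, read both at once
        self_va, prcb = struct.unpack_from("<II", dump, off + SELFPCR_OFF)
        if self_va < KERNEL_VA_MIN:
            continue
        if prcb != ((self_va + PRCBDATA_OFF) & 0xFFFFFFFF):
            continue                      # self pointer alone is not enough
        bias = (self_va - off) & 0xFFFFFFFF
        if expected_bias is not None and bias != expected_bias:
            continue
        hits.append((off, self_va, bias))
    return hits


def place_fake_kpcr(dump, phys, self_va, prcb_ok=True):
    """Write the two self-referencing fields of a constructed KPCR at phys."""
    prcb = (self_va + PRCBDATA_OFF) if prcb_ok else 0xDEADBEEF
    struct.pack_into("<II", dump, phys + SELFPCR_OFF,
                     self_va & 0xFFFFFFFF, prcb & 0xFFFFFFFF)


def build_sample_dump():
    """Constructed 2 MiB image (not a real dump) with three planted records:
    a consistent KPCR under an XP-style bias, a decoy whose SelfPcr is
    plausible but whose Prcb is wrong, and a consistent KPCR under a
    different bias, as a relocated kernel would produce."""
    dump = bytearray(0x200000)
    place_fake_kpcr(dump, 0x3F000, 0x8003F000)                 # bias 0x80000000
    place_fake_kpcr(dump, 0x7B000, 0x8007B000, prcb_ok=False)  # decoy
    place_fake_kpcr(dump, 0x120000, 0x82A20000)                # bias 0x82900000
    return dump


if __name__ == "__main__":
    image = build_sample_dump()
    for off, va, bias in scan_kpcr(image):
        print(f"KPCR candidate at phys {off:#x}: SelfPcr={va:#x} bias={bias:#x}")
```

The scanner expects raw physical bytes. A Windows .dmp file is not that: it starts with a dump header and a table of physical-memory runs, so file offsets must be translated through those runs before they can be treated as physical addresses. The derived bias is also the value to plug back into the virtual-to-physical conversion when walking PsLoadedModuleList from the same image, which is the reason for carrying it in each hit.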