Problem accessing memory region

Hello!

I am having a problem when I try to view some memory regions, specifically when I try to view the Win32p entry in the Service Descriptor Table Shadow. If I execute the following command: “dds poi(KeServideDescriptorTableShadow+10) L10” I get nothing, just ??.

If I change to a user thread with: “.thread /p /r xxx” the previous command works fine. Why is that happening?

Thank you!

I am not sure what you term as the Win32p entry, and Google doesn't return
anything with that keyword except for some viruses branded so.
Also, I assume it is service and not servide.

I go with win32k, and if it is so,
you would need to be in a process that has win32k loaded
for the service table entries to be loaded.

like !process 0 0 Explorer.exe
.process /p <_EPROCESS> of explorer.exe
dds poi(KeServiceDescriptorTableShadow+10) L10

If you are in a process context which loads win32k.sys and use
.reload /f win32k.sys
your command will provide the symbolic names too.

kd> lm m w*
start end module name
<---------------------no win32k.sys in module list
kd> dds poi(KeServiceDescriptorTableShadow+10) L10
bf999b80 ???
bf999b84 ???
bf999b88 ???
bf999b8c ???
bf999b90 ???
bf999b94 ???
bf999b98 ???
bf999b9c ???
bf999ba0 ???
bf999ba4 ???
bf999ba8 ???
bf999bac ???
bf999bb0 ???
bf999bb4 ???
bf999bb8 ???
bf999bbc ???
kd> !process 0 0 explorer.exe
PROCESS ffac9da0 SessionId: 0 Cid: 0560 Peb: 7ffdc000 ParentCid: 053c
DirBase: 008cd000 ObjectTable: e1d756e8 HandleCount: 417.
Image: explorer.exe

kd> .process /p ffac9da0
Implicit process is now ffac9da0
.cache forcedecodeuser done
kd> dds poi(KeServiceDescriptorTableShadow+10) L10
bf999b80 bf935f7e
bf999b84 bf947b29
bf999b88 bf88ca52
bf999b8c bf93f6f0
bf999b90 bf949140
bf999b94 bf936212
bf999b98 bf9362b7
bf999b9c bf83b4cd
bf999ba0 bf948a67
bf999ba4 bf934a17
bf999ba8 bf94905f
bf999bac bf90f2f4
bf999bb0 bf902318
bf999bb4 bf809fdf
bf999bb8 bf948f31
bf999bbc bf94a72d

kd> .reload /f win32k.sys

kd> dds poi(KeServiceDescriptorTableShadow+10) L10

bf999b80 bf935f7e win32k!NtGdiAbortDoc
bf999b84 bf947b29 win32k!NtGdiAbortPath
bf999b88 bf88ca52 win32k!NtGdiAddFontResourceW
bf999b8c bf93f6f0 win32k!NtGdiAddRemoteFontToDC
bf999b90 bf949140 win32k!NtGdiAddFontMemResourceEx
bf999b94 bf936212 win32k!NtGdiRemoveMergeFont
bf999b98 bf9362b7 win32k!NtGdiAddRemoteMMInstanceToDC
bf999b9c bf83b4cd win32k!NtGdiAlphaBlend
bf999ba0 bf948a67 win32k!NtGdiAngleArc
bf999ba4 bf934a17 win32k!NtGdiAnyLinkedFonts
bf999ba8 bf94905f win32k!NtGdiFontIsLinked
bf999bac bf90f2f4 win32k!NtGdiArcInternal
bf999bb0 bf902318 win32k!NtGdiBeginPath
bf999bb4 bf809fdf win32k!NtGdiBitBlt
bf999bb8 bf948f31 win32k!NtGdiCancelDC
bf999bbc bf94a72d win32k!NtGdiCheckBitmapBits

On 10/30/12, xxxxx@gmail.com wrote:
> Hello!
>
> I am having a problem when I try to view some memory regions, specifically
> when I try to view the Win32p entry in the Service Descriptor Table Shadow.
> If I execute the following command: “dds
> poi(KeServideDescriptorTableShadow+10) L10” I get nothing, just ??.
>
> If I change to a user thread with: “.thread /p /r xxx” the previous command
> works fine. Why is that happening?
>
> Thank you!
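The three dumps above differ only in whether each slot of the win32k table could be read and whether a symbol was attached. As an added example (not part of this thread or of WinDbg), here is a small Python parser for `dds` output, run over constructed sample lines modelled on the dumps above, that separates unreadable slots (the `???` case, i.e. win32k not mapped in the current process context) from slots that resolved without a symbol (symbols not yet loaded) and slots whose symbol belongs to a module other than the one expected.

```python
import re

# Constructed sample dumps modelled on the thread's kd> output (not copied from it).
# DDS_UNMAPPED: taken in a process context without win32k mapped (every slot reads ???).
# DDS_MAPPED: after .process /p <explorer EPROCESS>; the last slot has no symbol yet
# because .reload /f win32k.sys has not been run.
DDS_UNMAPPED = """\
bf999b80 ???
bf999b84 ???
"""

DDS_MAPPED = """\
bf999b80  bf935f7e win32k!NtGdiAbortDoc
bf999b84  bf947b29 win32k!NtGdiAbortPath
bf999b88  bf88ca52 win32k!NtGdiAddFontResourceW
bf999b8c  bf93f6f0
"""

# One dds line: <slot address> <target or ???> [<module!symbol>]
DDS_LINE = re.compile(r"^([0-9a-f]{8})\s+(\?\?\?|[0-9a-f]{8})(?:\s+(\S+))?$", re.I)


def parse_dds(text):
    """Turn dds output into dicts: slot (int), target (int or None), symbol (str or None)."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue  # skip prompts, blank lines and anything that is not a dds row
        slot, target, symbol = m.groups()
        entries.append({
            "slot": int(slot, 16),
            "target": None if target == "???" else int(target, 16),
            "symbol": symbol,
        })
    return entries


def classify(entries, expected_module="win32k"):
    """Sort slots by what the dump tells us about them."""
    report = {"unreadable": [], "no_symbol": [], "expected": [], "other_module": []}
    for e in entries:
        if e["target"] is None:
            report["unreadable"].append(e["slot"])      # page not mapped in this context
        elif e["symbol"] is None:
            report["no_symbol"].append(e["slot"])       # value read, symbols not loaded
        elif e["symbol"].split("!", 1)[0].lower() == expected_module:
            report["expected"].append(e["slot"])        # resolved inside the expected module
        else:
            report["other_module"].append(e["slot"])    # resolved elsewhere; worth a second look
    return report


def check_dump(text, expected_module="win32k"):
    return classify(parse_dds(text), expected_module)
```

Slots in the `unreadable` bucket mean the fix is a process context change, not a symbol reload; slots in `no_symbol` mean the reverse.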

Thank you very much for your time!

All you have said works perfectly, but I still wonder why I have to change to a user process which has win32k loaded. AFAIK the Service Descriptor Tables are stored in kernel memory, am I wrong?

Thank you!