script file syntax question

I was cranking a script to walk through the SSDT in lkd

.foreach (place {dd /c 1 poi nt!keServiceDescriptortable L11c}) {dd /c 1 place L1;ln place}

now a few questions: is it possible for me to somehow substitute L11c with

lkd> dd nt!KeServiceDescriptorTable + 0x8 L1
80559488 0000011c

without having to hardcode it?

also, is it somehow possible to get back only the exact match displayed
instead of all those that are near?

lkd> .foreach (place {dd /c 1 poi nt!keServiceDescriptortable L11c}) {dd /c 1 place L1;ln place}
804e26a8 805862de
(804e26a8) nt!KiServiceTable | (804e2b18) nt!KiCallUserMode
Exact matches:
nt!KiServiceTable =
805862de 00009c68
(805862de) nt!NtAcceptConnectPort | (80586732) nt!LpcpPrepareToWakeClient
Exact matches:
nt!NtAcceptConnectPort =
804e26ac 8056fded
(804e26a8) nt!KiServiceTable+0x4 | (804e2b18) nt!KiCallUserMode
8056fded 8b55ff8b
(8056fded) nt!NtAccessCheck | (8056fe1e) nt!MiDoPoolCopy
Exact matches:
nt!NtAccessCheck =
804e26b0 8058945b
(804e26a8) nt!KiServiceTable+0x8 | (804e2b18) nt!KiCallUserMode
8058945b 8b55ff8b
(8058945b) nt!NtAccessCheckAndAuditAlarm | (805894ad) nt!NtConnectPort
Exact matches:
nt!NtAccessCheckAndAuditAlarm =
804e26b4 80587080
(804e26a8) nt!KiServiceTable+0xc | (804e2b18) nt!KiCallUserMode
80587080 8b55ff8b
(80587080) nt!NtAccessCheckByType | (8058710a) nt!IopDeleteIoCompletion
Exact matches:
=======================================================

i mean, display if an exact match existed, and if not say "no exact match"?

the comp i was checking this on had a hook on NtConnectPort()

Exact matches:
nt!NtCompressKey =
804e2724 810eef20
(804e26a8) nt!KiServiceTable+0x7c | (804e2b18) nt!KiCallUserMode
810eef20 2024548b <-------------------------------
========================================
lkd> !address 810eef20
810be000 - 00200000
Usage KernelSpaceUsageNonPagedPool

uf
lkd> uf 810eef20
810eef20 8b542420 mov edx,dword ptr [esp+20h]
810eef24 52 push edx
810eef25 8b542420 mov edx,dword ptr [esp+20h]
810eef29 a16cef0e81 mov eax,dword ptr ds:[810EEF6Ch]
810eef2e 52 push edx
810eef2f 8b542420 mov edx,dword ptr [esp+20h]
810eef33 8b08 mov ecx,dword ptr [eax]
810eef35 52 push edx
810eef36 8b542420 mov edx,dword ptr [esp+20h]
810eef3a 52 push edx
810eef3b 8b542420 mov edx,dword ptr [esp+20h]
810eef3f 52 push edx
810eef40 8b542420 mov edx,dword ptr [esp+20h]
810eef44 52 push edx
810eef45 8b542420 mov edx,dword ptr [esp+20h]
810eef49 52 push edx
810eef4a 8b542420 mov edx,dword ptr [esp+20h]
810eef4e 52 push edx
810eef4f 50 push eax
810eef50 ff11 call dword ptr [ecx]
810eef52 83c424 add esp,24h
810eef55 c22000 ret 20h

so it is saving all the args that were passed to this and probably
scratching a cute kitten :)
Google doesn't seem to have any info, and it seems only nav is hooking this
according to some scattered information
========================================

804e2728 804e1ff2
(804e26a8) nt!KiServiceTable+0x80 | (804e2b18) nt!KiCallUserMode
804e1ff2 241d8b55
(804e1ff2) nt!NtContinue | (804e203a) nt!NtRaiseException
Exact matches:
nt!NtContinue =

also, while doing a dd, is it possible for me to get the pointer only and not
the address, so that i can pipe it to further commands?

in the help file i see for s (search memory) one can use -1 so that we can
pipe them to some .foreach commands. is there anything similar for these too?

hope the questions make sense, i wrote them as i was checking

The value after 'l' in a range is a full expression, so you can use
poi(nt!KeServiceDescriptorTable+8) there instead of hard-coded 11c.

You can use %y in .printf to do symbol resolution, so .printf "Table
entry %y\n", place would show the address and/or symbol for place.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Friday, July 28, 2006 12:21 PM
To: Kernel Debugging Interest List
Subject: [windbg] script file syntax question

--- You are currently subscribed to windbg as: xxxxx@winse.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

On 7/29/06, Drew Bliss wrote:
>
> The value after 'l' in a range is a full expression, so you can use
> poi(nt!KeServiceDescriptorTable+8) there instead of hard-coded 11c.
>

Thanks, it works fine if I substitute expressions

>
> You can use %y in .printf to do symbol resolution, so .printf "Table entry
> %y\n", place would show the address and/or symbol for place.
>

"%y\n",place doesn't seem to work

lkd> .foreach (place {dd /c 1 poi nt!KeServiceDescriptorTable L10}) {.printf "Table entry %y\n",place}
Table entry Couldn't resolve error at 'place'

if i do poi place instead of just place it works, but it can't read some memory.
i have the /debug switch enabled, still it can't read certain memory

lkd> .foreach (place {dd /c 1 poi nt!KeServiceDescriptorTable L10}) {.printf "Table entry %y\n",poi place}
Table entry nt!NtAcceptConnectPort (805862de)
Table entry 00009c68 <---------------------why two results ???
Table entry nt!NtAccessCheck (8056fded)
Table entry 8b55ff8b
Table entry nt!NtAccessCheckAndAuditAlarm (8058945b)
Table entry 8b55ff8b
Table entry nt!NtAccessCheckByType (80587080)
Table entry 8b55ff8b <------------ whats being repeated here it seems
Table entry nt!NtAccessCheckByTypeAndAuditAlarm (80592a37)
Table entry 8b55ff8b
Table entry nt!NtAccessCheckByTypeResultList (806364d0)
Table entry Memory access error at '806364d0' <------------

while doing a ln place seems to have no problems, except that it is too much
information

lkd> .foreach (place {dd /c 1 poi nt!KeServiceDescriptorTable L10}) {ln place}
(804e26a8) nt!KiServiceTable | (804e2b18) nt!KiCallUserMode
Exact matches:
nt!KiServiceTable =
(805862de) nt!NtAcceptConnectPort | (80586732) nt!LpcpPrepareToWakeClient
Exact matches:
nt!NtAcceptConnectPort =
(804e26a8) nt!KiServiceTable+0x4 | (804e2b18) nt!KiCallUserMode
(8056fded) nt!NtAccessCheck | (8056fe1e) nt!MiDoPoolCopy
Exact matches:
nt!NtAccessCheck =
(804e26a8) nt!KiServiceTable+0x8 | (804e2b18) nt!KiCallUserMode
(8058945b) nt!NtAccessCheckAndAuditAlarm | (805894ad) nt!NtConnectPort
Exact matches:
nt!NtAccessCheckAndAuditAlarm =
(804e26a8) nt!KiServiceTable+0xc | (804e2b18) nt!KiCallUserMode
(80587080) nt!NtAccessCheckByType | (8058710a) nt!IopDeleteIoCompletion
Exact matches:
nt!NtAccessCheckByType =
(804e26a8) nt!KiServiceTable+0x10 | (804e2b18) nt!KiCallUserMode
(80592a37) nt!NtAccessCheckByTypeAndAuditAlarm | (80592ac8) nt!NtQuerySystemTime
Exact matches:
nt!NtAccessCheckByTypeAndAuditAlarm =
(804e26a8) nt!KiServiceTable+0x14 | (804e2b18) nt!KiCallUserMode
(806364d0) nt!NtAccessCheckByTypeResultList | (80636530) nt!SeAssignSecurityEx
Exact matches:
nt!NtAccessCheckByTypeResultList =
(804e26a8) nt!KiServiceTable+0x18 | (804e2b18) nt!KiCallUserMode
(80638661) nt!NtAccessCheckByTypeResultListAndAuditAlarm | (806386aa) nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Exact matches:
nt!NtAccessCheckByTypeResultListAndAuditAlarm =
(804e26a8) nt!KiServiceTable+0x1c | (804e2b18) nt!KiCallUserMode
(806386aa) nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle | (80638701) nt!NtDeleteObjectAuditAlarm
Exact matches:
nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle = <no type information>
(804e26a8) nt!KiServiceTable+0x20 | (804e2b18) nt!KiCallUserMode
(8057559b) nt!NtAddAtom | (80575736) nt!NtSetInformationThread
Exact matches:
nt!NtAddAtom =
(804e26a8) nt!KiServiceTable+0x24 | (804e2b18) nt!KiCallUserMode
(80646ecf) nt!NtQueryBootOptions | (80646ee3) nt!NtTranslateFilePath
Exact matches:
nt!NtQueryBootEntryOrder =
nt!NtSetBootEntryOrder =
nt!NtQueryBootOptions =
nt!NtSetBootOptions =
nt!NtAddBootEntry =
nt!NtEnumerateBootEntries =
(804e26a8) nt!KiServiceTable+0x28 | (804e2b18) nt!KiCallUserMode
(80635c93) nt!NtAdjustGroupsToken | (80592466) nt!SepMakeTokenEffectiveOnly
Exact matches:
nt!NtAdjustGroupsToken =
(804e26a8) nt!KiServiceTable+0x2c | (804e2b18) nt!KiCallUserMode
(80591fbe) nt!NtAdjustPrivilegesToken | (80592198) nt!SeCaptureLuidAndAttributesArray
Exact matches:
nt!NtAdjustPrivilegesToken =
(804e26a8) nt!KiServiceTable+0x30 | (804e2b18) nt!KiCallUserMode
(8062ddd4) nt!NtAlertResumeThread | (8059bb36) nt!PspFoldProcessAccountingIntoJob
Exact matches:
nt!NtAlertResumeThread =
(804e26a8) nt!KiServiceTable+0x34 | (804e2b18) nt!KiCallUserMode
(80579bb8) nt!NtAlertThread | (80579c99) nt!ObpDestroySecurityDescriptorHeader
Exact matches:
nt!NtAlertThread =
(804e26a8) nt!KiServiceTable+0x38 | (804e2b18) nt!KiCallUserMode
(8058a6ca) nt!NtAllocateLocallyUniqueId | (8058a72f) nt!ObCheckCreateObjectAccess
Exact matches:
nt!NtAllocateLocallyUniqueId =
(804e26a8) nt!KiServiceTable+0x3c | (804e2b18) nt!KiCallUserMode
(80624efd) nt!NtAllocateUserPhysicalPages | (806252b2) nt!NtFreeUserPhysicalPages
Exact matches:
nt!NtAllocateUserPhysicalPages =

Alias names must either be surrounded by whitespace or contained within
${}. In the below, if you put a space between , and place the
alias will be replaced (or use ${place}).

dd displays the address and data values, so you’ll have two columns. If
you only want to process one you can use the /ps and /pS options to
.foreach to control which tokens it’ll look at. Alternately, you can
just use a plain .for to iterate over a set of addresses.

You are most likely getting invalid addresses when pulling random values
from memory.

________________________________

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Saturday, July 29, 2006 10:13 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] script file syntax question


not really related to this thread, but I recently found this command:
.shell . Awesome.

Lets you interact with the system shell or invoke your fav scripting language. I loved this feature in gdb and wasn't sure windbg had it too.

In response to the original question, if all that's desired is to dump
the service table, I find this to be easiest.

dps poi(nt!KeServiceDescriptorTableShadow) L poi(nt!KeServiceDescriptorTableShadow+8)
(or really it's the same as…)

kd> dps nt!KiServiceTable L poi nt!KiServiceLimit
80501030 8059849a nt!NtAcceptConnectPort
80501034 805e5666 nt!NtAccessCheck
80501038 805e8ec4 nt!NtAccessCheckAndAuditAlarm
8050103c 805e5698 nt!NtAccessCheckByType
80501040 805e8efe nt!NtAccessCheckByTypeAndAuditAlarm
80501044 805e56ce nt!NtAccessCheckByTypeResultList
80501048 805e8f42 nt!NtAccessCheckByTypeResultListAndAuditAlarm
8050104c 805e8f86 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
80501050 8060a5da nt!NtAddAtom

for the win32k table you need to flip to a non-System process context to get at win32k

kd> !process 0 0 winlogon.exe
PROCESS 816621a8 SessionId: 0 Cid: 025c Peb: 7ffde000 ParentCid: 016c
DirBase: 05d10060 ObjectTable: e1458620 HandleCount: 630.
Image: winlogon.exe

kd> .process /p 816621a8
Implicit process is now 816621a8
.cache forcedecodeuser done

dps poi(nt!KeServiceDescriptorTableShadow+10) L poi(nt!KeServiceDescriptorTableShadow+18)
(or)
kd> dps win32k!W32pServiceTable L poi win32k!W32pServiceLimit
bf997600 bf934ffe win32k!NtGdiAbortDoc
bf997604 bf946a92 win32k!NtGdiAbortPath
bf997608 bf8bf295 win32k!NtGdiAddFontResourceW
bf99760c bf93e718 win32k!NtGdiAddRemoteFontToDC
bf997610 bf9480a9 win32k!NtGdiAddFontMemResourceEx
bf997614 bf935262 win32k!NtGdiRemoveMergeFont
bf997618 bf935307 win32k!NtGdiAddRemoteMMInstanceToDC
bf99761c bf839cb5 win32k!NtGdiAlphaBlend
bf997620 bf9479d0 win32k!NtGdiAngleArc
bf997624 bf933a9d win32k!NtGdiAnyLinkedFonts

If you wanna get a little bit more fancy, as Drew suggested, use a .for
(sorry for the example, but I like to abuse pseudo-registers =P )

kd> r$t0 = nt!KiServiceTable
kd> r$t1 = poi(nt!KiServiceLimit)
kd> .for ( r$t9=0 ; @$t9 < @$t1 ; r$t9 = @$t9+1 ) { .printf "0x%03x : %y\n", @$t9, poi(@$t0); r$t0=@$t0+@$ptrsize }
0x000 : nt!NtAcceptConnectPort (8059849a)
0x001 : nt!NtAccessCheck (805e5666)
0x002 : nt!NtAccessCheckAndAuditAlarm (805e8ec4)
0x003 : nt!NtAccessCheckByType (805e5698)
0x004 : nt!NtAccessCheckByTypeAndAuditAlarm (805e8efe)
0x005 : nt!NtAccessCheckByTypeResultList (805e56ce)
0x006 : nt!NtAccessCheckByTypeResultListAndAuditAlarm (805e8f42)
0x007 : nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle (805e8f86)
0x008 : nt!NtAddAtom (8060a5da)
0x009 : nt!NtQueryBootOptions (8060b84e)
0x00a : nt!NtAdjustGroupsToken (805e0a08)
0x00b : nt!NtAdjustPrivilegesToken (805e0660)
0x00c : nt!NtAlertResumeThread (805c9684)


> Alias names must either be surrounded by whitespace or contained
> within ${}. In the below if you put a space between , and
> place the alias will be replaced (or use ${place}).

Thanks, I will remember that space now forever

in the meantime i did something like this to get the output

$$ +8 holds the entry count (0x11c here); the loop steps in bytes, so scale by the 4-byte entry size
r $t0 = poi(nt!keservicedescriptortable+8) * 4
r $t1 = 0

.while($t1<$t0)
{
$$ slot address, then the handler it points at, both through %y for symbol resolution
.printf "%y\t=\t",(poi(nt!keservicedescriptortable) + $t1)
.printf "%y\n",(poi(poi(nt!keservicedescriptortable) + $t1))
r $t1 = @$t1 + 4
}

resulting in this display

lkd> $$>< d:\borland\ssdt.txt
nt!KiServiceTable (804e26a8) = nt!NtAcceptConnectPort (805862de)
nt!KiServiceTable+0x4 (804e26ac) = nt!NtAccessCheck (8056fded)
nt!KiServiceTable+0x8 (804e26b0) = nt!NtAccessCheckAndAuditAlarm (8058945b)
nt!KiServiceTable+0xc (804e26b4) = nt!NtAccessCheckByType (80587080)
nt!KiServiceTable+0x10 (804e26b8) = nt!NtAccessCheckByTypeAndAuditAlarm (80592a37)
nt!KiServiceTable+0x14 (804e26bc) = nt!NtAccessCheckByTypeResultList (806364d0)
nt!KiServiceTable+0x18 (804e26c0) = nt!NtAccessCheckByTypeResultListAndAuditAlarm (8063866

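As an added example (not code from the thread), here is a Python post-processor for the lines that .while script prints. It applies the check the thread does by hand: every slot should resolve to an nt! symbol at a function start, so a bare hex target such as the 810eef20 that !address placed in NonPagedPool gets flagged. The sample lines are constructed from the thread's output, and the regexes and function names are this example's own assumptions.

```python
"""Flag SSDT slots whose handler does not resolve into the kernel image.

Post-processes output of the form printed by the .while script above:
    nt!KiServiceTable+0x7c (804e2724) = 810eef20
    nt!KiServiceTable (804e26a8) = nt!NtAcceptConnectPort (805862de)
A legitimate slot resolves to an nt!Nt* symbol with no +offset; a bare hex
target means %y found no symbol covering the address, which is exactly how
the hooked NtConnectPort slot showed up in the thread.
"""
import re

LINE_RE = re.compile(
    r"^nt!KiServiceTable(?:\+0x(?P<off>[0-9a-fA-F]+))?\s+"
    r"\((?P<slot>[0-9a-fA-F]+)\)\s*=\s*"
    r"(?P<target>\S+)(?:\s+\((?P<taddr>[0-9a-fA-F]+)\))?\s*$"
)
# module!symbol, optionally with the +0x offset %y appends when not at a function start
SYMBOL_RE = re.compile(r"^(?P<module>\w+)!(?P<name>[^\s+]+)(?:\+0x[0-9a-fA-F]+)?$")

# Constructed sample: the first three slots from the thread's listing plus the
# hooked slot at +0x7c (index 0x1f) whose target 810eef20 has no symbol.
SAMPLE_OUTPUT = """\
nt!KiServiceTable (804e26a8) = nt!NtAcceptConnectPort (805862de)
nt!KiServiceTable+0x4 (804e26ac) = nt!NtAccessCheck (8056fded)
nt!KiServiceTable+0x8 (804e26b0) = nt!NtAccessCheckAndAuditAlarm (8058945b)
nt!KiServiceTable+0x7c (804e2724) = 810eef20
""".splitlines()


def parse_entry(line, ptrsize=4):
    """Parse one output line; return a dict or None if the line is not an SSDT row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    off = int(m.group("off"), 16) if m.group("off") else 0
    target = m.group("target")
    sym = SYMBOL_RE.match(target)
    if sym:
        module, name = sym.group("module"), sym.group("name")
        addr = int(m.group("taddr"), 16) if m.group("taddr") else None
    else:
        # %y printed the raw value: no loaded module's symbols cover it.
        module, name = None, None
        try:
            addr = int(target, 16)
        except ValueError:
            addr = None
    return {
        "index": off // ptrsize,          # service number = byte offset / entry size
        "slot": int(m.group("slot"), 16),
        "target": target,
        "module": module,
        "symbol": name,
        "addr": addr,
    }


def find_suspicious(lines, expected_module="nt"):
    """Return entries that do not resolve cleanly to a function in expected_module."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e["module"] is None:
            e["reason"] = "no symbol: handler lies outside every loaded module"
        elif e["module"].lower() != expected_module:
            e["reason"] = f"handler resolves into {e['module']}, not {expected_module}"
        elif "+0x" in e["target"]:
            e["reason"] = "handler is symbol+offset, not a function start"
        else:
            continue
        findings.append(e)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_OUTPUT):
        print(f"index 0x{f['index']:03x} slot {f['slot']:08x} -> {f['target']}: {f['reason']}")
```

On the thread's machine this reports only index 0x01f, the slot whose handler sits at 810eef20; the remaining slots resolve to nt!Nt* functions and stay silent.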
Chris Carr,

Thanks a lot, nice explanations and examples, will come in handy