TextOutput& operator<<(TextOutput& to, const HexDump& val)
{
printHexData(0, val.buffer(), val.size(), val.bytesPerLine(),
val.singleLineCutoff(), val.alignment(), val.carrayStyle(),
textOutputPrinter, (void*)&to);
return to;
}
void setContextApiCallBack(DBGKD_MANIPULATE_STATE64* request){
uint8_t buffer[MAX_KDNET_PKTLEN];
memset(buffer, 0, MAX_KDNET_PKTLEN);
uint16_t pkt_size = 8+16+16+sizeof(DBGKD_SET_CONTEXT);
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)buffer;
tmp->PacketPadding = roundup16(pkt_size)-pkt_size;
KD_PACKET_HEADER* tmp_kdnet_pkt = (KD_PACKET_HEADER*)(buffer+sizeof(KDNET_POST_HEADER));
tmp_kdnet_pkt->Signature = 0x30303030;
tmp_kdnet_pkt->PacketType = 0x0002;
tmp_kdnet_pkt->DataSize = pkt_size-16-8; //-header(KDNET_POST_HEADER)-header(KD_PACKET_HEADER)
tmp_kdnet_pkt->PacketID = tmpID;
tmpID++;
tmpID++;
DBGKD_MANIPULATE_STATE64* tmp_manipulate_state = (DBGKD_MANIPULATE_STATE64*)&tmp_kdnet_pkt->PacketBody[0];
tmp_manipulate_state->ApiNumber = DbgKdReadControlSpaceApi;
tmp_manipulate_state->ProcessorLevel = request->ProcessorLevel;
tmp_manipulate_state->Processor = request->Processor;
tmp_manipulate_state->ReturnStatus = 0x0;
DBGKD_SET_CONTEXT* tmp_set_context = &tmp_manipulate_state->u.SetContext;
tmp_set_context->ContextFlags = 0x00000002;
//Compute checksum
tmp_kdnet_pkt->Checksum = checksumKD_PACKET(tmp_kdnet_pkt, pkt_size-8); //header(KD_PACKET_HEADER)+header(DBGKD_MANIPULATE_STATE64)+header(DBGKD_READ_MEMORY64)+count
printf("\n\n[!] Send Packet size %d!\n", roundup16(pkt_size));
printHexData((uint8_t*)tmp, roundup16(pkt_size));
printKD_PACKET(tmp_kdnet_pkt);
sendDataPkt((uint8_t*)tmp, roundup16(pkt_size)); //header(KDNET_POST_HEADER)+header(KD_PACKET_HEADER)+header(DBGKD_MANIPULATE_STATE64)+header(DBGKD_READ_MEMORY64)+count
}
//TODO: NO COPY !
void sendDataPkt(uint8_t *data, int dataLen){
#if DEBUG
printf("[!] sendDataPkt %d\n", pkt_number);
#endif
//Replace pkt number...
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)data;
tmp->PacketNumber = __builtin_bswap32(pkt_number++);
int i;
//Add header
KDNET_PACKET_HEADER finalPkt; //TODO: no static !
finalPkt.Signature = 0x4742444d;//TODO: define !
finalPkt.ProtocolVersion = 0x02;
finalPkt.Canal = 0x0; //TODO: define !
for(i=0; i<dataLen; i++){
finalPkt.CipheredData[i] = data[i];
}
#if DEBUG
printf("----------SENT CLEAR DATA WITHOUT HMAC---------\n");
printHexData((uint8_t*)&finalPkt, dataLen+6);
printf("-----------------------------------------------\n");
#endif
//Compute checksum whith hmachKey
uint8_t tmpHMACSHA256[32];
hmachSHA256((uint8_t*)&finalPkt, dataLen+6, hmacKey, tmpHMACSHA256);
#if DEBUG
printf("------------------HMAC-------------------------\n");
printHexData(tmpHMACSHA256, 32);
printf("-----------------------------------------------\n");
#endif
//Ciphered with KEY:dataW IV:tmpHMACSHA256
uint8_t* tmpData = cbc_encrypt(data, dataLen, dataW, tmpHMACSHA256);
//Replace to cleartext with the ciphertext
for(i=0; i<dataLen; i++){
finalPkt.CipheredData[i] = tmpData[i];
}
//Add IV/HMAC
for(i=0; i<16; i++){
finalPkt.CipheredData[dataLen+i] = tmpHMACSHA256[i];
}
//Send on socket !
sendto(socket_fd, &finalPkt, dataLen+6+16, MSG_DONTWAIT, (struct sockaddr *)&sa,sizeof(sa));
}
void readMemoryCallBack(DBGKD_MANIPULATE_STATE64* request){
uint64_t base = request->u.ReadMemory.TargetBaseAddress;
uint32_t count = request->u.ReadMemory.TransferCount;
uint8_t buffer[MAX_KDNET_PKTLEN];
memset(buffer, 0, MAX_KDNET_PKTLEN);
uint16_t pkt_size = 8+16+16+(sizeof(DBGKD_READ_MEMORY64)-1)+count;
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)buffer;
tmp->PacketPadding = roundup16(pkt_size)-pkt_size;
KD_PACKET_HEADER* tmp_kdnet_pkt = (KD_PACKET_HEADER*)(buffer+sizeof(KDNET_POST_HEADER));
tmp_kdnet_pkt->Signature = 0x30303030;
tmp_kdnet_pkt->PacketType = 0x0002;
tmp_kdnet_pkt->DataSize = pkt_size-16-8; //-header(KDNET_POST_HEADER)-header(KD_PACKET_HEADER)
tmp_kdnet_pkt->PacketID = tmpID;
tmpID++;
tmpID++;
DBGKD_MANIPULATE_STATE64* tmp_manipulate_state = (DBGKD_MANIPULATE_STATE64*)&tmp_kdnet_pkt->PacketBody[0];
tmp_manipulate_state->ApiNumber = DbgKdReadVirtualMemoryApi;
tmp_manipulate_state->ProcessorLevel = request->ProcessorLevel;
tmp_manipulate_state->Processor = request->Processor;
tmp_manipulate_state->ReturnStatus = 0x0;
tmp_manipulate_state->Padding = 0x0;
DBGKD_READ_MEMORY64* tmp_read_memory = &tmp_manipulate_state->u.ReadMemory;
tmp_read_memory->TargetBaseAddress = base;
tmp_read_memory->TransferCount = count;
tmp_read_memory->ActualBytesRead = count;
tmp_read_memory->Unknown1 = request->u.ReadMemory.Unknown1; //TODO: hu ?
tmp_read_memory->Unknown2 = request->u.ReadMemory.Unknown2; //TODO: hu ?
tmp_read_memory->Unknown3 = request->u.ReadMemory.Unknown3; //TODO: hu ?
tmp_read_memory->Unknown4 = request->u.ReadMemory.Unknown4; //TODO: hu ?
tmp_read_memory->Unknown5 = request->u.ReadMemory.Unknown5; //TODO: hu ?
tmp_read_memory->Unknown6 = request->u.ReadMemory.Unknown6; //TODO: hu ?
//TODO: callback !
readVirtualMemory(base, count, tmp_read_memory->Data);
//Compute checksum
tmp_kdnet_pkt->Checksum = checksumKD_PACKET(tmp_kdnet_pkt, pkt_size-8);
printf("\n\n[!] Send Packet !\n");
printHexData(buffer, roundup16(pkt_size));
printKD_PACKET(tmp_kdnet_pkt);
sendDataPkt(buffer, roundup16(pkt_size));
}
//TODO: request
void getRegisterCallBack(){
uint8_t buffer[MAX_KDNET_PKTLEN];
memset(buffer, 0, MAX_KDNET_PKTLEN);
uint16_t pkt_size = 8+16+16+sizeof(DBGKD_GET_REGISTER64);
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)buffer;
tmp->PacketPadding = roundup16(pkt_size)-pkt_size;
KD_PACKET_HEADER* tmp_kdnet_pkt = (KD_PACKET_HEADER*)(buffer+sizeof(KDNET_POST_HEADER));
tmp_kdnet_pkt->Signature = 0x30303030;
tmp_kdnet_pkt->PacketType = 0x0002;
tmp_kdnet_pkt->DataSize = pkt_size-16-8; //-header(KDNET_POST_HEADER)-header(KD_PACKET_HEADER)
tmp_kdnet_pkt->PacketID = tmpID;
tmpID++;
tmpID++;
DBGKD_MANIPULATE_STATE64* tmp_manipulate_state = (DBGKD_MANIPULATE_STATE64*)&tmp_kdnet_pkt->PacketBody[0];
tmp_manipulate_state->ApiNumber = DbgKdGetRegister;
tmp_manipulate_state->ProcessorLevel = 0x0; //TODO: Hu ? //TODO: request !
tmp_manipulate_state->Processor = 0x0; //TODO: Hu ?
tmp_manipulate_state->ReturnStatus = 0x0;
tmp_manipulate_state->Padding = 0x0;
DBGKD_GET_REGISTER64* tmp_get_registers = &tmp_manipulate_state->u.GetRegisters;
tmp_get_registers->rax = 0x0123456789ABCDEF;
tmp_get_registers->rbx = 0x0123456789ABCDEF;
tmp_get_registers->rcx = 0x0123456789ABCDEF;
tmp_get_registers->rdx = 0x0123456789ABCDEF;
tmp_get_registers->r8 = 0x0123456789ABCDEF;
tmp_get_registers->r9 = 0x0123456789ABCDEF;
tmp_get_registers->rip = 0x0123456789ABCDEF;
int i;
for(i=0; i<122; i++){
tmp_get_registers->UnknownRegisters[i] = 0x0123456789ABCDEF;
}
//Compute checksum
tmp_kdnet_pkt->Checksum = checksumKD_PACKET(tmp_kdnet_pkt, pkt_size-8); //header(KD_PACKET_HEADER)+header(DBGKD_MANIPULATE_STATE64)+header(DBGKD_READ_MEMORY64)+count
printf("\n\n[!] Send Packet size %d!\n", roundup16(pkt_size));
printHexData((uint8_t*)tmp, roundup16(pkt_size));
printKD_PACKET(tmp_kdnet_pkt);
sendDataPkt((uint8_t*)tmp, roundup16(pkt_size)); //header(KDNET_POST_HEADER)+header(KD_PACKET_HEADER)+header(DBGKD_MANIPULATE_STATE64)+header(DBGKD_READ_MEMORY64)+count
}
//TODO (DBGKD_MANIPULATE_STATE64* request){
void restoreBreakPointCallBack(DBGKD_RESTORE_BREAKPOINT* request){
uint8_t buffer[MAX_KDNET_PKTLEN];
memset(buffer, 0, MAX_KDNET_PKTLEN);
uint16_t pkt_size = 8+16+16+sizeof(DBGKD_RESTORE_BREAKPOINT);
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)buffer;
tmp->PacketPadding = roundup16(pkt_size)-pkt_size;
KD_PACKET_HEADER* tmp_kdnet_pkt = (KD_PACKET_HEADER*)(buffer+sizeof(KDNET_POST_HEADER));
tmp_kdnet_pkt->Signature = 0x30303030;
tmp_kdnet_pkt->PacketType = 0x0002;
tmp_kdnet_pkt->DataSize = pkt_size-16-8; //-header(KDNET_POST_HEADER)-header(KD_PACKET_HEADER)
tmp_kdnet_pkt->PacketID = tmpID;
tmpID++;
tmpID++;
DBGKD_MANIPULATE_STATE64* tmp_manipulate_state = (DBGKD_MANIPULATE_STATE64*)&tmp_kdnet_pkt->PacketBody[0];
tmp_manipulate_state->ApiNumber = DbgKdRestoreBreakPointApi;
tmp_manipulate_state->ProcessorLevel = 0xf802; //TODO: Hu ?
tmp_manipulate_state->Processor = 0xffff; //TODO: Hu ?
tmp_manipulate_state->ReturnStatus = 0xc0000001;
tmp_manipulate_state->Padding = 0x0;
DBGKD_RESTORE_BREAKPOINT* tmp_restore_breakpoint = &tmp_manipulate_state->u.RestoreBreakPoint;
tmp_restore_breakpoint->BreakPointHandle = request->BreakPointHandle;
int i;
for(i=0; i<32; i++){
tmp_restore_breakpoint->Unknown[i] = request->Unknown[i];
}
//Compute checksum
tmp_kdnet_pkt->Checksum = checksumKD_PACKET(tmp_kdnet_pkt, pkt_size-8); //header(KD_PACKET_HEADER)+header(DBGKD_MANIPULATE_STATE64)+header(DBGKD_READ_MEMORY64)+count
printf("\n\n[!] Send Packet size %d!\n", roundup16(pkt_size));
printHexData((uint8_t*)tmp, roundup16(pkt_size));
printKD_PACKET(tmp_kdnet_pkt);
sendDataPkt((uint8_t*)tmp, roundup16(pkt_size)); //header(KDNET_POST_HEADER)+header(KD_PACKET_HEADER)+header(DBGKD_MANIPULATE_STATE64)+header(DBGKD_READ_MEMORY64)+count
}
void GetVersionApiCallBack(DBGKD_MANIPULATE_STATE64* request){
uint8_t buffer[MAX_KDNET_PKTLEN];
memset(buffer, 0, MAX_KDNET_PKTLEN);
uint16_t pkt_size = 8+16+16+sizeof(DBGKD_GET_VERSION_API64);
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)buffer;
tmp->PacketPadding = roundup16(pkt_size)-pkt_size;
KD_PACKET_HEADER* tmp_kdnet_pkt = (KD_PACKET_HEADER*)(buffer+sizeof(KDNET_POST_HEADER));
tmp_kdnet_pkt->Signature = 0x30303030;
tmp_kdnet_pkt->PacketType = 0x0002;
tmp_kdnet_pkt->DataSize = pkt_size-16-8; //-header(KDNET_POST_HEADER)-header(KD_PACKET_HEADER)
tmp_kdnet_pkt->PacketID = tmpID;
tmpID++;
tmpID++;
DBGKD_MANIPULATE_STATE64* tmp_manipulate_state = (DBGKD_MANIPULATE_STATE64*)&tmp_kdnet_pkt->PacketBody[0];
tmp_manipulate_state->ApiNumber = DbgKdGetVersionApi;
tmp_manipulate_state->ProcessorLevel = request->ProcessorLevel;
tmp_manipulate_state->Processor = request->Processor;
tmp_manipulate_state->ReturnStatus = 0x0;
tmp_manipulate_state->Padding = 0x0;
DBGKD_GET_VERSION_API64* tmp_get_version = &tmp_manipulate_state->u.GetVersion;
tmp_get_version->Unknown1 = 0x000702062580000f;
tmp_get_version->Unknown2 = 0x00000031030c8664;
tmp_get_version->KernelImageBase = 0xfffff8026bc18000;
tmp_get_version->PsLoadedModuleList = 0xfffff8026bee22d0;
tmp_get_version->DebuggerDataList = 0xfffff8026bef91f0;
//Compute checksum
tmp_kdnet_pkt->Checksum = checksumKD_PACKET(tmp_kdnet_pkt, pkt_size-8);
printf("\n\n[!] Send Packet !\n");
printHexData(buffer, roundup16(pkt_size));
printKD_PACKET(tmp_kdnet_pkt);
sendDataPkt(buffer, roundup16(pkt_size));
}
//http://articles.sysprogs.org/kdvmware/kdcom.shtml
//http://j00ru.vexillium.org/?p=405
//http://visi.kenshoto.com/static/apidocs/vstruct.defs.kdcom-module.html
//https://code.google.com/p/reactos-mirror/source/browse/trunk/reactos/include/reactos/windbgkd.h
int main(int argc, char* argv[]){
//printKD_PACKET((KD_PACKET_HEADER*)(unciphered_go+8));
//exit(0);
//TODO: move this !
initCallBack();
int i;
#if DEBUG
printf("controlKey :\n");
for(i=0; i<32; i++){
printf("%02x ", controlKey[i]);
}
printf("\n");
#endif
//Expand controlKey
aes_key_setup(controlKey, controlW, 256);
#if DEBUG
printf("hmacKey :\n");
for(i=0; i<32; i++){
printf("%02x ", hmacKey[i]);
}
printf("\n");
#endif
//Generate hmacKey from controlKey
for(i=0; i<32; i++){
hmacKey[i] = controlKey[i]^0xFF;
}
if(argc == 2){
kd_server();
}
//
//
//All my tests !
//---------------------
printf("\nPoke :\n");
//KDNET_PACKET_HEADER* poke_pkt = (KDNET_PACKET_HEADER*)poke;
//printKDNET_PACKET(poke_pkt);
BYTE* tmp = cbc_decrypt(poke+6, 0x160, controlW, poke+sizeof(poke)-16);
uint8_t arf[2096];
memset(arf, 0, 2096);
for(i=0; i<6; i++){
arf[i] = poke[i];
};
for(i=0; i<0x160-16; i++){
arf[i+6] = tmp[i];
}
printf("\n\n");
for(i=0; i<0x166; i++){
printf("%02x ", arf[i]);
if(i%16 == 15){
printf("\n");
}
}
printf("\n");
BYTE tmpSHA[32];
hmacSHA256Context myHmacSHA256Context;
hmacSHA256Init(&myHmacSHA256Context, hmacKey, 32);
hmacSHA256Update(&myHmacSHA256Context, arf, 0x166);
hmacSHA256Final(&myHmacSHA256Context, tmpSHA);
printf("\nChecksum:\n");
for(i=0; i<16; i++){
printf("%02x ", tmpSHA[i]);
}
printf("\n\n");
printf("\nPoke response :\n");
BYTE* unciphered_poke_resp = cbc_decrypt(poke_resp+6, sizeof(poke_resp)-6-16, controlW, poke_resp+sizeof(poke_resp)-16);
BYTE dataKey[32];
SHA256Context mySHA256Context;
SHA256Init(&mySHA256Context);
SHA256Update(&mySHA256Context, controlKey, 32);
SHA256Update(&mySHA256Context, unciphered_poke_resp+8, 322);
SHA256Final(&mySHA256Context, dataKey);
aes_key_setup(dataKey, dataW, 256);
printf("\ndataKey :\n");
for(i=0; i<32; i++){
printf("%02x ", dataKey[i]);
}
printf("\n");
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE]; //not sure what to do with this, oh well
handle = pcap_open_offline("/home/arfarf/git/samples/debug_trace.pcap", errbuf); //call pcap library function
const u_char *packet; // The actual packet
struct pcap_pkthdr header; // The header that pcap gives us
int pkt_num = 1;
while ((packet = pcap_next(handle,&header))) {
u_char *debug_pkt = (u_char *)packet+42; //cast a pointer to the packet data
int debug_pkt_len = header.caplen-42;
if(debug_pkt[5] == 0){//Only Data Packet
BYTE *unciphered_debug_pkt = cbc_decrypt(debug_pkt+6, debug_pkt_len-6-16, dataW, debug_pkt+debug_pkt_len-16);
KD_PACKET_HEADER* tmp = (KD_PACKET_HEADER*)(unciphered_debug_pkt+8);
//if(tmp->ApiNumber == DbgKdContinueApi2){
if(pkt_num == 680 || pkt_num == 681){
printf("%d.\n", pkt_num);
printHexData(unciphered_debug_pkt, debug_pkt_len-6-16);
printKD_PACKET(tmp);
printf("\n");
}
}
pkt_num++;
}
exit(0);
printf("\nConnection Check :\n");
cbc_decrypt(conncheck+6, sizeof(conncheck)-6-16, dataW, conncheck+sizeof(conncheck)-16);
printf("\nConnection Check response:\n");
cbc_decrypt(conncheck_resp+6, sizeof(conncheck_resp)-6-16, dataW, conncheck_resp+sizeof(conncheck_resp)-16);
//...
printf("\nPOKE (repeat):\n");
cbc_decrypt(poke_repeat+6, 0x160, controlW, poke_repeat+sizeof(poke_repeat)-16);
//...
printf("\n[!] Break :\n");
BYTE *unciphered_break = cbc_decrypt(break_data+6, sizeof(break_data)-6-16, dataW, break_data+sizeof(break_data)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_break+8));
printf("\n[!] Wait State :\n");
BYTE *unciphered_wait_state = cbc_decrypt(wait_state+6, sizeof(wait_state)-6-16, dataW, wait_state+sizeof(wait_state)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_wait_state+8));
printf("\n[!] Reset:\n");
BYTE *unciphered_reset = cbc_decrypt(reset+6, sizeof(reset)-6-16, dataW, reset+sizeof(reset)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_reset+8));
printf("\n[!] Reset ACK:\n");
BYTE *unciphered_reset_ack = cbc_decrypt(reset_ack+6, sizeof(reset_ack)-6-16, dataW, reset_ack+sizeof(reset_ack)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_reset_ack+8));
printf("\n[!] Wait State 2:\n");
BYTE *unciphered_wait_state2 = cbc_decrypt(wait_state2+6, sizeof(wait_state2)-6-16, dataW, wait_state2+sizeof(wait_state2)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_wait_state2+8));
printf("\n[!] Get Version API REQ :\n");
BYTE *unciphered_get_version_api_req = cbc_decrypt(get_version_api_req+6, sizeof(get_version_api_req)-6-16, dataW, get_version_api_req+sizeof(get_version_api_req)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_get_version_api_req+8));
printf("\n[!] Get Version API RESP :\n");
BYTE *unciphered_get_version_api_resp = cbc_decrypt(get_version_api_resp+6, sizeof(get_version_api_resp)-6-16, dataW, get_version_api_resp+sizeof(get_version_api_resp)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_get_version_api_resp+8));
exit(0);
printf("\n[!] Read Virtual Memory API REQ\n");
BYTE *unciphered_read_virtual_memory_api_req = cbc_decrypt(read_virtual_memory_api_req+6, sizeof(read_virtual_memory_api_req)-6-16, dataW, read_virtual_memory_api_req+sizeof(read_virtual_memory_api_req)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_req+8));
printf("\n[!] Read Virtual Memory API REQ ACK\n");
BYTE *unciphered_read_virtual_memory_api_req_ack = cbc_decrypt(read_virtual_memory_api_req_ack+6, sizeof(read_virtual_memory_api_req_ack)-6-16, dataW, read_virtual_memory_api_req_ack+sizeof(read_virtual_memory_api_req_ack)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_req_ack+8));
printf("\n[!] Read Virtual Memory API RESP\n");
BYTE *unciphered_read_virtual_memory_api_resp = cbc_decrypt(read_virtual_memory_api_resp+6, sizeof(read_virtual_memory_api_resp)-6-16, dataW, read_virtual_memory_api_resp+sizeof(read_virtual_memory_api_resp)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_resp+8));
uint32_t tmp_checksum = checksumKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_resp+8), sizeof(read_virtual_memory_api_resp)-6-16);
printf("Checksum test : 00001ce3 %08x\n", tmp_checksum);
printf("\n[!] Read Virtual Memory API RESP ACK\n");
BYTE *unciphered_read_virtual_memory_api_resp_ack = cbc_decrypt(read_virtual_memory_api_resp_ack+6, sizeof(read_virtual_memory_api_resp_ack)-6-16, dataW, read_virtual_memory_api_resp_ack+sizeof(read_virtual_memory_api_resp_ack)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_read_virtual_memory_api_resp_ack+8));
printf("\n[!] Next\n");
BYTE *unciphered_next = cbc_decrypt(next+6, sizeof(next)-6-16, dataW, next+sizeof(next)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_next+8));
exit(0);
printf("Get Register RESP\n");
BYTE* unciphered_get_register_resp = cbc_decrypt(get_register_resp+6, sizeof(get_register_resp)-6-16, dataW, get_register_resp+sizeof(get_register_resp)-16);
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_get_register_resp+8));
//unciphered_break_ack = cbc_decrypt(cmd_data+6, sizeof(cmd_data)-6-16, dataW, cmd_data+sizeof(cmd_data)-16);
//printKD_PACKET((KD_PACKET_HEADER*)(unciphered_break_ack+8));
return 0;
}
/**
*
* Main KDNET server main
*
*/
void kd_server(){
//struct sockaddr_in Debuggee_sa;
socket_fd = socket(PF_INET, SOCK_DGRAM, 0);
if(socket_fd < 0){
printf("socket call failed");
exit(0);
}
memset(&sa, 0, sizeof(struct sockaddr_in));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("192.168.0.11");
sa.sin_port = htons(50000);
//TODO: create poke from scratch !
//Send POKE
pkt_number++;
sendto(socket_fd, poke, sizeof(poke), 0, (struct sockaddr *)&sa,sizeof(sa));
//Receive POKE_RESP
uint8_t buffer[2048];
int n=recvfrom(socket_fd, buffer, sizeof(buffer), 0, NULL, NULL);
BYTE *unciphered_poke_resp = cbc_decrypt(buffer+6, n-6-16, controlW, buffer+n-16);
//Compute the data canal key with POKE_RESP
BYTE dataKey[32];
SHA256Context mySHA256Context;
SHA256Init(&mySHA256Context);
SHA256Update(&mySHA256Context, controlKey, 32);
SHA256Update(&mySHA256Context, unciphered_poke_resp+8, 322);
SHA256Final(&mySHA256Context, dataKey);
aes_key_setup(dataKey, dataW, 256);
//TODO: create conn_check from scratch !
uint8_t connection_check[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0b, 0x00, 0xa8, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
sendDataPkt(connection_check, sizeof(connection_check));
//Get CONN_RESP_PACKET !
n=recvfrom(socket_fd, buffer, sizeof(buffer), 0, NULL, NULL);
printf("Packet received : %d bytes \n", n);
//Here the connection is established !
//Get next_packet !
while(1){
n=recvfrom(socket_fd, buffer, sizeof(buffer), 0, NULL, NULL);
printf("\n\n[!] Packet received : %d bytes >>>>>>\n", n);
BYTE *unciphered_pkt = cbc_decrypt(buffer+6, n-6-16, dataW, buffer+n-16);
printHexData(unciphered_pkt, n-6-16);
printf("<<<<\n");
printKD_PACKET((KD_PACKET_HEADER*)(unciphered_pkt+8));
handleKD_PACKET((KD_PACKET_HEADER*)(unciphered_pkt+8));
}
exit(0);
}
void printKD_PACKET(KD_PACKET_HEADER* pkt){
printf("Leader: %08x\n", pkt->Signature);
printf("PacketType: %04x\n", pkt->PacketType);
printf("DataSize: %d\n", pkt->DataSize);
printf("PacketID: %08x\n", pkt->PacketID);
printf("Checksum: %08x\n", pkt->Checksum);
if(pkt->Signature == 0x00000000){
printf("POKE\n");
return;
}
if(pkt->Signature == 0x00000062){
printf("BREAKIN\n");
return;
}
if(pkt->Signature == 0x69696969){
if(pkt->PacketType == 0x0005){
//TODO: !!
printf("TODO\n");
return;
} else if(pkt->PacketType == 0x0006){
printf("RESET\n");
return;
}else if(pkt->PacketType == 0x0004){
printf("ACK\n");
return;
}
}
printf("ApiNumber: %08x\n", pkt->ApiNumber);
printHexData(pkt->PacketBody, pkt->DataSize);
switch(pkt->ApiNumber){
case DbgKdExceptionStateChange:
{
DBGKD_WAIT_STATE_CHANGE64* tmp = (DBGKD_WAIT_STATE_CHANGE64*)&pkt->PacketBody[4];
printf("NewState %08x\n", tmp->NewState);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("NumberProcessors %08x\n", tmp->NumberProcessors);
printf("Thread %16lx\n", tmp->Thread);
printf("ProgramCounter %16lx\n", tmp->ProgramCounter);
//TODO: printExceptionRecord
printf("FirstChance %08x\n", tmp->u.Exception.FirstChance);
printf("ExceptionCode %08x\n", tmp->u.Exception.ExceptionRecord.ExceptionCode);
printf("ExceptionFlags %08x\n", tmp->u.Exception.ExceptionRecord.ExceptionFlags);
printf("ExceptionRecord %016lx\n", tmp->u.Exception.ExceptionRecord.ExceptionRecord);
printf("ExceptionAddress %016lx\n", tmp->u.Exception.ExceptionRecord.ExceptionAddress);
printf("NumberParameters %08x\n", tmp->u.Exception.ExceptionRecord.NumberParameters);
int i;
for(i=0; i<15; i++){
printf("ExceptionInformation[%d] %016lx\n", i, tmp->u.Exception.ExceptionRecord.ExceptionInformation[i]);
}
printf("DR6 %016lx\n", tmp->ControlReport.Dr6);
printf("DR7 %016lx\n", tmp->ControlReport.Dr7);
printf("EFlags %08x\n", tmp->ControlReport.EFlags);
printf("InstructionCount %04x\n", tmp->ControlReport.InstructionCount);
printf("ReportFlags %04x\n", tmp->ControlReport.ReportFlags);
for(i=0; i<DBGKD_MAXSTREAM; i++){
printf("InstructionStream[%d] %02x\n", i, tmp->ControlReport.InstructionStream[i]);
}
printf("SegCs %04x\n", tmp->ControlReport.SegCs);
printf("SegDs %04x\n", tmp->ControlReport.SegDs);
printf("SegEs %04x\n", tmp->ControlReport.SegEs);
printf("SegFs %04x\n", tmp->ControlReport.SegFs);
break;
}
case DbgKdReadControlSpaceApi:
//http://svn.reactos.org/svn/reactos/branches/ros-amd64-bringup/reactos/ntoskrnl/kd64/kdapi.c?view=diff&r1=39004&r2=39005&pathrev=39005
case DbgKdReadVirtualMemoryApi:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("ApiNumber %08x\n", tmp->ApiNumber);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("ReturnStatus %08x\n", tmp->ReturnStatus);
//printf("Unknown %08x\n", tmp->Unknown);
printf("TargetBaseAddress %016lx\n", tmp->u.ReadMemory.TargetBaseAddress);
printf("TransferCount %08x\n", tmp->u.ReadMemory.TransferCount);
printf("ActualBytesRead %08x\n", tmp->u.ReadMemory.ActualBytesRead);
printf("Unknown1 %08x\n", tmp->u.ReadMemory.Unknown1);
printf("Unknown2 %08x\n", tmp->u.ReadMemory.Unknown2);
printf("Unknown3 %08x\n", tmp->u.ReadMemory.Unknown3);
printf("Unknown4 %08x\n", tmp->u.ReadMemory.Unknown4);
printf("Unknown5 %08x\n", tmp->u.ReadMemory.Unknown5);
printf("Unknown6 %08x\n", tmp->u.ReadMemory.Unknown6);
//printf("Data[]:\n");
//printHexData(tmp->u.ReadMemory.Data,
break;
}
case DbgKdGetRegister:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("ApiNumber %08x\n", tmp->ApiNumber);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("ReturnStatus %08x\n", tmp->ReturnStatus);
if(pkt->DataSize < 1288){
return;
}
printf("RAX %016lx\n", tmp->u.GetRegisters.rax);
printf("RBX %016lx\n", tmp->u.GetRegisters.rbx);
printf("RCX %016lx\n", tmp->u.GetRegisters.rcx);
printf("RDX %016lx\n", tmp->u.GetRegisters.rdx);
printf("RSP %016lx\n", tmp->u.GetRegisters.rsp);
printf("RBP %016lx\n", tmp->u.GetRegisters.rbp);
printf("R8 %016lx\n", tmp->u.GetRegisters.r8);
printf("R9 %016lx\n", tmp->u.GetRegisters.r9);
printf("R10 %016lx\n", tmp->u.GetRegisters.r10);
printf("R11 %016lx\n", tmp->u.GetRegisters.r11);
printf("R12 %016lx\n", tmp->u.GetRegisters.r12);
printf("R13 %016lx\n", tmp->u.GetRegisters.r13);
printf("R14 %016lx\n", tmp->u.GetRegisters.r14);
printf("R15 %016lx\n", tmp->u.GetRegisters.r15);
int i;
for(i=0; i<122; i++){
printf("UnknownRegisters[%d] %016lx\n", i, tmp->u.GetRegisters.UnknownRegisters[i]);
}
break;
}
case DbgKdGetVersionApi:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("Unknown1 0x%016lx\n", tmp->u.GetVersion.Unknown1);
printf("Unknown2 0x%016lx\n", tmp->u.GetVersion.Unknown2);
printf("KernelImageBase 0x%016lx\n", tmp->u.GetVersion.KernelImageBase);
printf("PsLoadedModuleList 0x%016lx\n", tmp->u.GetVersion.PsLoadedModuleList);
printf("DebuggerDataList 0x%016lx\n", tmp->u.GetVersion.DebuggerDataList);
break;
}
case DbgKdRestoreBreakPointApi:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("ApiNumber %08x\n", tmp->ApiNumber);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("ReturnStatus %08x\n", tmp->ReturnStatus);
//printf("Unknown %08x\n", tmp->Unknown);
printf("BreakPointHandle %08x\n", tmp->u.RestoreBreakPoint.BreakPointHandle);
break;
}
case DbgKdClearAllInternalBreakpointsApi:
{
printf("DbgKdClearAllInternalBreakpointsApi\n");
break;
}
case DbgKdSetContextApi:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("ApiNumber %08x\n", tmp->ApiNumber);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("ReturnStatus %08x\n", tmp->ReturnStatus);
printf("ContextFlags %08x\n", tmp->u.SetContext.ContextFlags);
break;
}
case DbgKdContinueApi2:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("ApiNumber %08x\n", tmp->ApiNumber);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("ReturnStatus %08x\n", tmp->ReturnStatus);
printf("ContinueStatus %08x\n", tmp->u.Continue2.ContinueStatus);
printf("TraceFlag %08x\n", tmp->u.Continue2.ControlSet.TraceFlag);
printf("Dr7 0x%016lx\n", tmp->u.Continue2.ControlSet.Dr7);
printf("CurrentSymbolStart 0x%016lx\n", tmp->u.Continue2.ControlSet.CurrentSymbolStart);
printf("CurrentSymbolEnd 0x%016lx\n", tmp->u.Continue2.ControlSet.CurrentSymbolEnd);
break;
}
case DbgKdQueryMemoryApi:
{
DBGKD_MANIPULATE_STATE64* tmp = (DBGKD_MANIPULATE_STATE64*)&pkt->PacketBody[0];
printf("ApiNumber %08x\n", tmp->ApiNumber);
printf("ProcessorLevel %04x\n", tmp->ProcessorLevel);
printf("Processor %04x\n", tmp->Processor);
printf("ReturnStatus %08x\n", tmp->ReturnStatus);
printf("Address 0x%016lx\n", tmp->u.QueryMemory.Address);
printf("Reserved 0x%016lx\n", tmp->u.QueryMemory.Reserved);
printf("AddressSpace %08x\n", tmp->u.QueryMemory.AddressSpace);
printf("Flags %08x\n", tmp->u.QueryMemory.Flags);
}
default:
{
printf("Unknown packet\n");
//exit(0);
break;
}
}
}
void readControlSpaceCallBack(DBGKD_MANIPULATE_STATE64* request){
uint64_t base = request->u.ReadMemory.TargetBaseAddress;
uint32_t count = request->u.ReadMemory.TransferCount;
uint8_t read_memory_resp[MAX_KDNET_PKTLEN];
memset(read_memory_resp, 0, MAX_KDNET_PKTLEN);
uint16_t pkt_size = 8+16+16+(sizeof(DBGKD_READ_MEMORY64)-1)+count;
KDNET_POST_HEADER* tmp = (KDNET_POST_HEADER*)read_memory_resp;
tmp->PacketPadding = roundup16(pkt_size)-pkt_size;
KD_PACKET_HEADER* tmp_kdnet_pkt = (KD_PACKET_HEADER*)(read_memory_resp+sizeof(KDNET_POST_HEADER));
tmp_kdnet_pkt->Signature = 0x30303030;
tmp_kdnet_pkt->PacketType = 0x0002;
tmp_kdnet_pkt->DataSize = pkt_size-16-8; //-header(KDNET_POST_HEADER)-header(KD_PACKET_HEADER)
printf("PLOP %d %d\n", pkt_size, tmp_kdnet_pkt->DataSize);
tmp_kdnet_pkt->PacketID = tmpID;
tmpID++;
tmpID++;
DBGKD_MANIPULATE_STATE64* tmp_manipulate_state = (DBGKD_MANIPULATE_STATE64*)&tmp_kdnet_pkt->PacketBody[0];
tmp_manipulate_state->ApiNumber = DbgKdReadControlSpaceApi;
tmp_manipulate_state->ProcessorLevel = request->ProcessorLevel;
tmp_manipulate_state->Processor = request->Processor;
tmp_manipulate_state->ReturnStatus = 0x0;
DBGKD_READ_MEMORY64* tmp_read_memory = &tmp_manipulate_state->u.ReadMemory;
tmp_read_memory->TargetBaseAddress = base;
tmp_read_memory->TransferCount = count;
tmp_read_memory->ActualBytesRead = count;
tmp_read_memory->Unknown1 = request->u.ReadMemory.Unknown1; //TODO: hu ?
tmp_read_memory->Unknown2 = request->u.ReadMemory.Unknown2; //TODO: hu ?
tmp_read_memory->Unknown3 = request->u.ReadMemory.Unknown3; //TODO: hu ?
tmp_read_memory->Unknown4 = request->u.ReadMemory.Unknown4; //TODO: hu ?
tmp_read_memory->Unknown5 = request->u.ReadMemory.Unknown5; //TODO: hu ?
tmp_read_memory->Unknown6 = request->u.ReadMemory.Unknown6; //TODO: hu ?
//TODO: callback !
//readVirtualMemory(base, count, tmp_read_memory->Data);
if(base == 1){ //&Prcb
printf("TODO: GetPrcb\n"); //TODO:
tmp_read_memory->Data[0] = 0x80;
tmp_read_memory->Data[1] = 0xe1;
tmp_read_memory->Data[2] = 0xef;
tmp_read_memory->Data[3] = 0x6b;
tmp_read_memory->Data[4] = 0x02;
tmp_read_memory->Data[5] = 0xf8;
tmp_read_memory->Data[6] = 0xff;
tmp_read_memory->Data[7] = 0xff; //XXX: 0xfffff8026befe180 in my tests
}else if(base == 2){ //TODO: &KiProcessorBlock[State->Processor]->ProcessorState.SpecialRegisters;
uint8_t mySpecialRegisters[] = {
0x00, 0x00, 0x00, 0x31, 0x00, 0x05, 0x80, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x6d, 0x40, 0x01, 0xf9, 0xff, 0xff, 0x00, 0x70, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x50, 0x6e, 0x6d, 0x02, 0xf8, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x0f, 0x80, 0x50, 0x6e, 0x6d, 0x02, 0xf8, 0xff, 0xff, 0x40, 0x00, 0x00, 0x00, 0x80, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
int i;
for(i=0; i<sizeof(mySpecialRegisters); i++){
tmp_read_memory->Data[i] = mySpecialRegisters[i];
}
}else{
printf("WTF !\n");
exit(0);
}
//Compute checksum
tmp_kdnet_pkt->Checksum = checksumKD_PACKET(tmp_kdnet_pkt, pkt_size-8);
printf("\n\n[!] Send Packet !\n");
printHexData((uint8_t*)tmp, roundup16(pkt_size));
printKD_PACKET(tmp_kdnet_pkt);
sendDataPkt((uint8_t*)tmp, roundup16(pkt_size));
}
bool ParseKDPkt(KD_PACKET_T* pkt)
{
printf("------------RAW--------------\n");
dumpHexData((char*)pkt, pkt->Length + 16);
printf("-----------------------------\n");
printf("---------KD_HEADER-----------\n");
printf("Leader: %08x\n", pkt->Leader);
printf("PacketType: %04x\n", pkt->Type);
printf("DataSize: %d\n", pkt->Length);
printf("PacketID: %08x\n", pkt->Id);
printf("Checksum: %08x\n", pkt->Checksum);
printf("Checksum(check): %08x\n", ChecksumKD(pkt));
if (pkt->Length > 0){
printf("\t---------KD_CONTENT-----------\n");
printf("\tApiNumber %08x\n", pkt->ApiNumber);
if (pkt->Type == KD_PACKET_TYPE_MANIP){
printf("\t\t---------KD_MANIP-----------\n");
printf("\t\tProcessorLevel: %04x\n", pkt->ManipulateState64.ProcessorLevel);
printf("\t\tProcessor: %04x\n", pkt->ManipulateState64.Processor);
printf("\t\tProcessor: %04x\n", pkt->ManipulateState64.Processor);
printf("\t\tReturnStatus: %08x\n", pkt->ManipulateState64.ReturnStatus);
dumpHexData((char*)pkt->ManipulateState64.data, pkt->Length - 12);
printf("\t\t----------------------------\n");
}
switch (pkt->ApiNumber){
case DbgKdGetVersionApi:
printf("\t[DbgKdGetVersionApi]\n");
printf("\tMajorVersion %04x\n", pkt->ManipulateState64.DbgGetVersion.MajorVersion);
printf("\tMinorVersion %04x\n", pkt->ManipulateState64.DbgGetVersion.MinorVersion);
printf("\tProtocolVersion %04x\n", pkt->ManipulateState64.DbgGetVersion.ProtocolVersion);
printf("\tFlags %04x\n", pkt->ManipulateState64.DbgGetVersion.Flags);
printf("\tMachineType %04x\n", pkt->ManipulateState64.DbgGetVersion.MachineType);
printf("\tMaxPacketType %02x\n", pkt->ManipulateState64.DbgGetVersion.MaxPacketType);
printf("\tMaxStateChange %02x\n", pkt->ManipulateState64.DbgGetVersion.MaxStateChange);
printf("\tMaxManipulate %02x\n", pkt->ManipulateState64.DbgGetVersion.MaxManipulate);
printf("\tSimulation %02x\n", pkt->ManipulateState64.DbgGetVersion.Simulation);
printf("\tUnknown1 %04x\n", pkt->ManipulateState64.DbgGetVersion.Unknown1);
printf("\tKernelImageBase %llx\n", pkt->ManipulateState64.DbgGetVersion.KernelImageBase);
printf("\tPsLoadedModuleList %llx\n", pkt->ManipulateState64.DbgGetVersion.PsLoadedModuleList);
printf("\tDebuggerDataList %llx\n", pkt->ManipulateState64.DbgGetVersion.DebuggerDataList);
printf("\tUnknown2 %llx\n", pkt->ManipulateState64.DbgGetVersion.Unknown2);
printf("\tUnknown3 %llx\n", pkt->ManipulateState64.DbgGetVersion.Unknown3);
break;
case DbgKdReadVirtualMemoryApi:
printf("\t[DbgKdReadVirtualMemoryApi]\n");
printf("\tTargetBaseAddress %llx\n", pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
//printf("\tUnknown1 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown1);
//printf("\tUnknown2 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown2);
//printf("\tUnknown3 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown3);
if (pkt->Length > 56){
printHexData((char*)pkt->ManipulateState64.ReadMemory.Data, pkt->ManipulateState64.ReadMemory.TransferCount);
}
break;
case DbgKdWriteVirtualMemoryApi:
printf("\t[DbgKdWriteVirtualMemoryApi]\n");
printf("\tTargetBaseAddress %llx\n", pkt->ManipulateState64.WriteMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.WriteMemory.TransferCount);
printf("\tActualBytesWritten %08x\n", pkt->ManipulateState64.WriteMemory.ActualBytesWritten);
//printf("\tUnknown1 %llx\n", pkt->ManipulateState64.WriteMemory.Unknown1);
//printf("\tUnknown2 %llx\n", pkt->ManipulateState64.WriteMemory.Unknown2);
//printf("\tUnknown3 %llx\n", pkt->ManipulateState64.WriteMemory.Unknown3);
if (pkt->Length > 56){
printHexData((char*)pkt->ManipulateState64.WriteMemory.Data, pkt->ManipulateState64.WriteMemory.TransferCount);
}
break;
case DbgKdReadPhysicalMemoryApi:
printf("\t[DbgKdReadPhysicalMemoryApi]\n");
printf("\tTargetBaseAddress %llx\n", pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
//printf("\tUnknown1 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown1);
//printf("\tUnknown2 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown2);
//printf("\tUnknown3 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown3);
if (pkt->Length > 56){
printHexData((char*)pkt->ManipulateState64.ReadMemory.Data, pkt->ManipulateState64.ReadMemory.TransferCount);
}
break;
case DbgKdWritePhysicalMemoryApi:
printf("\t[DbgKdWritePhysicalMemoryApi]\n");
printf("\tTargetBaseAddress %llx\n", pkt->ManipulateState64.WriteMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.WriteMemory.TransferCount);
printf("\tActualBytesWritten %08x\n", pkt->ManipulateState64.WriteMemory.ActualBytesWritten);
//printf("\tUnknown1 %llx\n", pkt->ManipulateState64.WriteMemory.Unknown1);
//printf("\tUnknown2 %llx\n", pkt->ManipulateState64.WriteMemory.Unknown2);
//printf("\tUnknown3 %llx\n", pkt->ManipulateState64.WriteMemory.Unknown3);
if (pkt->Length > 56){
printHexData((char*)pkt->ManipulateState64.WriteMemory.Data, pkt->ManipulateState64.WriteMemory.TransferCount);
}
break;
case DbgKdReadControlSpaceApi:
printf("\t[DbgKdReadControlSpaceApi]\n");
//TODO: 0 @KPCR, 1 @KPRCB, 2 @SpecialReagister, 3 @KTHREAD
printf("\tTargetBaseAddress(index) %llx\n", pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
//printf("\tUnknown1 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown1);
//printf("\tUnknown2 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown2);
//printf("\tUnknown3 %llx\n", pkt->ManipulateState64.ReadMemory.Unknown3);
if (pkt->Length > 56){
switch (pkt->ManipulateState64.ReadMemory.TargetBaseAddress){
case 0: //@v_KPCR
break;
case 1: //@v_KPRCB
break;
case 2:{ //@SpecialRegisters
KSPECIAL_REGISTERS64_T *tmpSpecialRegisters = (KSPECIAL_REGISTERS64_T*)pkt->ManipulateState64.WriteMemory.Data;
printf("\tKernelDr0 : 0x%llx\n", tmpSpecialRegisters->KernelDr0);
printf("\tKernelDr1 : 0x%llx\n", tmpSpecialRegisters->KernelDr1);
printf("\tKernelDr2 : 0x%llx\n", tmpSpecialRegisters->KernelDr2);
printf("\tKernelDr3 : 0x%llx\n", tmpSpecialRegisters->KernelDr3);
printf("\tKernelDr6 : 0x%llx\n", tmpSpecialRegisters->KernelDr6);
printf("\tKernelDr7 : 0x%llx\n", tmpSpecialRegisters->KernelDr7);
printf("\tGdtr.Limit : 0x%04x\n", tmpSpecialRegisters->Gdtr.Limit);
printf("\tGdtr.Base : 0x%llx\n", tmpSpecialRegisters->Gdtr.Base);
printf("\tIdtr.Limit : 0x%04x\n", tmpSpecialRegisters->Idtr.Limit);
printf("\tIdtr.Base : 0x%llx\n", tmpSpecialRegisters->Idtr.Base);
printf("\tTr : 0x%04x\n", tmpSpecialRegisters->Tr);
printf("\tLdtr : 0x%04x\n", tmpSpecialRegisters->Ldtr);
printf("\tMxCsr : 0x%08x\n", tmpSpecialRegisters->MxCsr);
printf("\tDebugControl : 0x%llx\n", tmpSpecialRegisters->DebugControl);
printf("\tLastBranchToRip : 0x%llx\n", tmpSpecialRegisters->LastBranchToRip);
printf("\tLastBranchFromRip : 0x%llx\n", tmpSpecialRegisters->LastBranchFromRip);
printf("\tLastExceptionToRip : 0x%llx\n", tmpSpecialRegisters->LastExceptionToRip);
printf("\tLastExceptionFromRip : 0x%llx\n", tmpSpecialRegisters->LastExceptionFromRip);
printf("\tCr8 : 0x%llx\n", tmpSpecialRegisters->Cr8);
printf("\tMsrGsBase : 0x%llx\n", tmpSpecialRegisters->MsrGsBase);
printf("\tMsrGsSwap : 0x%llx\n", tmpSpecialRegisters->MsrGsSwap);
printf("\tMsrStar : 0x%llx\n", tmpSpecialRegisters->MsrStar);
printf("\tMsrLStar : 0x%llx\n", tmpSpecialRegisters->MsrLStar);
printf("\tMsrCStar : 0x%llx\n", tmpSpecialRegisters->MsrCStar);
printf("\tMsrSyscallMask : 0x%llx\n", tmpSpecialRegisters->MsrSyscallMask);
printf("\tXcr0 : 0x%llx\n", tmpSpecialRegisters->Xcr0);
break;
}
case 3: //@v_KTHREAD
break;
default:
break;
};
}
break;
case DbgKdWriteControlSpaceApi:
printf("\t[DbgKdWriteControlSpaceApi]\n");
printf("\tTargetBaseAddress(index) %llx\n", pkt->ManipulateState64.WriteMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.WriteMemory.TransferCount);
printf("\tActualBytesWritten %08x\n", pkt->ManipulateState64.WriteMemory.ActualBytesWritten);
switch (pkt->ManipulateState64.ReadMemory.TargetBaseAddress){
case 0: //@v_KPCR
break;
case 1: //@v_KPRCB
break;
case 2:{ //@SpecialRegisters
KSPECIAL_REGISTERS64_T *tmpSpecialRegisters = (KSPECIAL_REGISTERS64_T*)pkt->ManipulateState64.WriteMemory.Data;
printf("\tKernelDr0 : 0x%llx\n", tmpSpecialRegisters->KernelDr0);
printf("\tKernelDr1 : 0x%llx\n", tmpSpecialRegisters->KernelDr1);
printf("\tKernelDr2 : 0x%llx\n", tmpSpecialRegisters->KernelDr2);
printf("\tKernelDr3 : 0x%llx\n", tmpSpecialRegisters->KernelDr3);
printf("\tKernelDr6 : 0x%llx\n", tmpSpecialRegisters->KernelDr6);
printf("\tKernelDr7 : 0x%llx\n", tmpSpecialRegisters->KernelDr7);
printf("\tGdtr.Limit : 0x%04x\n", tmpSpecialRegisters->Gdtr.Limit);
printf("\tGdtr.Base : 0x%llx\n", tmpSpecialRegisters->Gdtr.Base);
printf("\tIdtr.Limit : 0x%04x\n", tmpSpecialRegisters->Idtr.Limit);
printf("\tIdtr.Base : 0x%llx\n", tmpSpecialRegisters->Idtr.Base);
printf("\tTr : 0x%04x\n", tmpSpecialRegisters->Tr);
printf("\tLdtr : 0x%04x\n", tmpSpecialRegisters->Ldtr);
printf("\tMxCsr : 0x%08x\n", tmpSpecialRegisters->MxCsr);
printf("\tDebugControl : 0x%llx\n", tmpSpecialRegisters->DebugControl);
printf("\tLastBranchToRip : 0x%llx\n", tmpSpecialRegisters->LastBranchToRip);
printf("\tLastBranchFromRip : 0x%llx\n", tmpSpecialRegisters->LastBranchFromRip);
printf("\tLastExceptionToRip : 0x%llx\n", tmpSpecialRegisters->LastExceptionToRip);
printf("\tLastExceptionFromRip : 0x%llx\n", tmpSpecialRegisters->LastExceptionFromRip);
printf("\tCr8 : 0x%llx\n", tmpSpecialRegisters->Cr8);
printf("\tMsrGsBase : 0x%llx\n", tmpSpecialRegisters->MsrGsBase);
printf("\tMsrGsSwap : 0x%llx\n", tmpSpecialRegisters->MsrGsSwap);
printf("\tMsrStar : 0x%llx\n", tmpSpecialRegisters->MsrStar);
printf("\tMsrLStar : 0x%llx\n", tmpSpecialRegisters->MsrLStar);
printf("\tMsrCStar : 0x%llx\n", tmpSpecialRegisters->MsrCStar);
printf("\tMsrSyscallMask : 0x%llx\n", tmpSpecialRegisters->MsrSyscallMask);
printf("\tXcr0 : 0x%llx\n", tmpSpecialRegisters->Xcr0);
}
case 3: //@v_KTHREAD
break;
default:
break;
};
break;
case DbgKdRestoreBreakPointApi:
printf("\t[DbgKdRestoreBreakPointApi]\n");
printf("\tBreakPointHandle %08x\n", pkt->ManipulateState64.RestoreBreakPoint.BreakPointHandle);
break;
case DbgKdClearAllInternalBreakpointsApi:
printf("\t[DbgKdClearAllInternalBreakpointsApi]\n");
break;
case DbgKdWriteBreakPointApi:
printf("\t[DbgKdWriteBreakPointApi]\n");
printf("\tBreakPointAddress %llx\n", pkt->ManipulateState64.WriteBreakPoint.BreakPointAddress);
printf("\tBreakPointHandle %08x\n", pkt->ManipulateState64.WriteBreakPoint.BreakPointHandle);
break;
case DbgKdGetRegisterApi:
printf("\t[DbgKdGetRegister]\n");
for (int i = 0; i < 12; i++){
printf("pkt->ManipulateState64.GetRegisters.u[%d] = 0x%llx;\n", i, pkt->ManipulateState64.GetRegisters.u[i]);
}
if (pkt->Length > 56){
printf("SegCs %04x\n", pkt->ManipulateState64.GetRegisters.SegCs);
printf("SegDs %04x\n", pkt->ManipulateState64.GetRegisters.SegDs);
printf("SegEs %04x\n", pkt->ManipulateState64.GetRegisters.SegEs);
printf("SegFs %04x\n", pkt->ManipulateState64.GetRegisters.SegFs);
printf("SegGs %04x\n", pkt->ManipulateState64.GetRegisters.SegGs);
printf("SegSs %04x\n", pkt->ManipulateState64.GetRegisters.SegSs);
printf("EFlags %08x\n", pkt->ManipulateState64.GetRegisters.EFlags);
printf("Dr0 %llx\n", pkt->ManipulateState64.GetRegisters.Dr0);
printf("Dr1 %llx\n", pkt->ManipulateState64.GetRegisters.Dr1);
printf("Dr2 %llx\n", pkt->ManipulateState64.GetRegisters.Dr2);
printf("Dr3 %llx\n", pkt->ManipulateState64.GetRegisters.Dr3);
printf("Dr6 %llx\n", pkt->ManipulateState64.GetRegisters.Dr6);
printf("Dr7 %llx\n", pkt->ManipulateState64.GetRegisters.Dr7);
printf("Rax %llx\n", pkt->ManipulateState64.GetRegisters.Rax);
printf("Rcx %llx\n", pkt->ManipulateState64.GetRegisters.Rcx);
printf("Rdx %llx\n", pkt->ManipulateState64.GetRegisters.Rdx);
printf("Rbx %llx\n", pkt->ManipulateState64.GetRegisters.Rbx);
printf("Rsp %llx\n", pkt->ManipulateState64.GetRegisters.Rsp);
printf("Rbp %llx\n", pkt->ManipulateState64.GetRegisters.Rbp);
printf("Rsi %llx\n", pkt->ManipulateState64.GetRegisters.Rsi);
printf("Rdi %llx\n", pkt->ManipulateState64.GetRegisters.Rdi);
printf("R8 %llx\n", pkt->ManipulateState64.GetRegisters.R8);
printf("R9 %llx\n", pkt->ManipulateState64.GetRegisters.R9);
printf("R10 %llx\n", pkt->ManipulateState64.GetRegisters.R10);
printf("R11 %llx\n", pkt->ManipulateState64.GetRegisters.R11);
printf("R12 %llx\n", pkt->ManipulateState64.GetRegisters.R12);
printf("R13 %llx\n", pkt->ManipulateState64.GetRegisters.R13);
printf("R14 %llx\n", pkt->ManipulateState64.GetRegisters.R14);
printf("R15 %llx\n", pkt->ManipulateState64.GetRegisters.R15);
printf("Rip %llx\n", pkt->ManipulateState64.GetRegisters.Rip);
for (int i = 0; i < 122; i++){
//printf("tmpKDRespPkt->ManipulateState64.GetRegisters.fpu.DATA[%d] = 0x%llx;\n", i, pkt->ManipulateState64.GetRegisters.fpu.DATA[i]);
}
}
break;
case DbgKdGetContextApi:
printf("\t[DbgKdGetContextApi]\n");
printf("CS %04x\n", pkt->ManipulateState64.GetContext.Context.SegCs);
printf("DS %04x\n", pkt->ManipulateState64.GetContext.Context.SegDs);
printf("ES %04x\n", pkt->ManipulateState64.GetContext.Context.SegEs);
printf("FS %04x\n", pkt->ManipulateState64.GetContext.Context.SegFs);
printf("Gs %04x\n", pkt->ManipulateState64.GetContext.Context.SegGs);
printf("Ss %04x\n", pkt->ManipulateState64.GetContext.Context.SegSs);
printf("Rip %llx\n", pkt->ManipulateState64.GetContext.Context.Rip);
printf("Rbp %llx\n", pkt->ManipulateState64.GetContext.Context.Rbp);
printf("Rsp %llx\n", pkt->ManipulateState64.GetContext.Context.Rsp);
printf("Rax %llx\n", pkt->ManipulateState64.GetContext.Context.Rax);
printf("Rbx %llx\n", pkt->ManipulateState64.GetContext.Context.Rbx);
printf("Rcx %llx\n", pkt->ManipulateState64.GetContext.Context.Rcx);
printf("Rdx %llx\n", pkt->ManipulateState64.GetContext.Context.Rdx);
printf("Rsi %llx\n", pkt->ManipulateState64.GetContext.Context.Rsi);
printf("Rdi %llx\n", pkt->ManipulateState64.GetContext.Context.Rdi);
printf("R8 %llx\n", pkt->ManipulateState64.GetContext.Context.R8);
printf("R9 %llx\n", pkt->ManipulateState64.GetContext.Context.R9);
printf("R10 %llx\n", pkt->ManipulateState64.GetContext.Context.R10);
printf("R11 %llx\n", pkt->ManipulateState64.GetContext.Context.R11);
printf("R12 %llx\n", pkt->ManipulateState64.GetContext.Context.R12);
printf("R13 %llx\n", pkt->ManipulateState64.GetContext.Context.R13);
printf("R14 %llx\n", pkt->ManipulateState64.GetContext.Context.R14);
printf("R15 %llx\n", pkt->ManipulateState64.GetContext.Context.R15);
printf("EFlags %08x\n", pkt->ManipulateState64.GetContext.Context.EFlags);
printf("Dr0 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr0);
printf("Dr1 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr1);
printf("Dr2 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr2);
printf("Dr3 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr3);
printf("Dr6 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr6);
printf("Dr7 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr7);
break;
case DbgKdSetContextApi:
printf("\t[DbgKdSetContextApi]\n");
printf("CS %04x\n", pkt->ManipulateState64.GetContext.Context.SegCs);
printf("DS %04x\n", pkt->ManipulateState64.GetContext.Context.SegDs);
printf("ES %04x\n", pkt->ManipulateState64.GetContext.Context.SegEs);
printf("FS %04x\n", pkt->ManipulateState64.GetContext.Context.SegFs);
printf("Gs %04x\n", pkt->ManipulateState64.GetContext.Context.SegGs);
printf("Ss %04x\n", pkt->ManipulateState64.GetContext.Context.SegSs);
printf("Rip %llx\n", pkt->ManipulateState64.GetContext.Context.Rip);
printf("Rbp %llx\n", pkt->ManipulateState64.GetContext.Context.Rbp);
printf("Rsp %llx\n", pkt->ManipulateState64.GetContext.Context.Rsp);
printf("Rax %llx\n", pkt->ManipulateState64.GetContext.Context.Rax);
printf("Rbx %llx\n", pkt->ManipulateState64.GetContext.Context.Rbx);
printf("Rcx %llx\n", pkt->ManipulateState64.GetContext.Context.Rcx);
printf("Rdx %llx\n", pkt->ManipulateState64.GetContext.Context.Rdx);
printf("Rsi %llx\n", pkt->ManipulateState64.GetContext.Context.Rsi);
printf("Rdi %llx\n", pkt->ManipulateState64.GetContext.Context.Rdi);
printf("R8 %llx\n", pkt->ManipulateState64.GetContext.Context.R8);
printf("R9 %llx\n", pkt->ManipulateState64.GetContext.Context.R9);
printf("R10 %llx\n", pkt->ManipulateState64.GetContext.Context.R10);
printf("R11 %llx\n", pkt->ManipulateState64.GetContext.Context.R11);
printf("R12 %llx\n", pkt->ManipulateState64.GetContext.Context.R12);
printf("R13 %llx\n", pkt->ManipulateState64.GetContext.Context.R13);
printf("R14 %llx\n", pkt->ManipulateState64.GetContext.Context.R14);
printf("R15 %llx\n", pkt->ManipulateState64.GetContext.Context.R15);
printf("EFlags %08x\n", pkt->ManipulateState64.GetContext.Context.EFlags);
printf("Dr0 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr0);
printf("Dr1 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr1);
printf("Dr2 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr2);
printf("Dr3 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr3);
printf("Dr6 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr6);
printf("Dr7 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr7);
break;
case DbgKdContinueApi:
printf("\t[DbgKdContinueApi]\n");
break;
case DbgKdContinueApi2: //Go !
printf("\t[DbgKdContinueApi2]\n");
printf("\tContinueStatus %08x\n", pkt->ManipulateState64.Continue2.ContinueStatus);
printf("\tTraceFlag %08x\n", pkt->ManipulateState64.Continue2.TraceFlag);
printf("\tDr7 %llx\n", pkt->ManipulateState64.Continue2.Dr7);
printf("\tCurrentSymbolStart %llx\n", pkt->ManipulateState64.Continue2.CurrentSymbolStart);
printf("\tCurrentSymbolEnd %llx\n", pkt->ManipulateState64.Continue2.CurrentSymbolEnd);
break;
//VM->Windbg
case DbgKdExceptionStateChange:
printf("\t[DbgKdExceptionStateChange]\n");
printf("\tNewState %08x\n", pkt->StateChange.NewState);
printf("\tProcessorLevel %04x\n", pkt->StateChange.ProcessorLevel);
printf("\tProcessor %04x\n", pkt->StateChange.Processor);
printf("\tNumberProcessors %08x\n", pkt->StateChange.NumberProcessors);
printf("\tThread %llx\n", pkt->StateChange.Thread);
printf("\tProgramCounter %llx\n", pkt->StateChange.ProgramCounter);
//TODO: printExceptionRecord
printf("ExceptionCode %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionCode);
printf("ExceptionFlags %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionFlags);
printf("ExceptionRecord %llx\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionRecord);
printf("ExceptionAddress %llx\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionAddress);
printf("NumberParameters %08x\n", pkt->StateChange.Exception.ExceptionRecord.NumberParameters);
printf("u1 %08x\n", pkt->StateChange.Exception.ExceptionRecord.u1);
for (int i = 0; i<EXCEPTION_MAXIMUM_PARAMETERS; i++){
printf("ExceptionInformation[%d] %llx\n", i, pkt->StateChange.Exception.ExceptionRecord.ExceptionInformation[i]);
}
printf("FirstChance %08x\n", pkt->StateChange.Exception.FirstChance);
printf("\tDR6 %llx\n", pkt->StateChange.ControlReport.Dr6);
printf("\tDR7 %llx\n", pkt->StateChange.ControlReport.Dr7);
printf("\tEFlags %08x\n", pkt->StateChange.ControlReport.EFlags);
printf("\tInstructionCount %04x\n", pkt->StateChange.ControlReport.InstructionCount);
printf("\tReportFlags %04x\n", pkt->StateChange.ControlReport.ReportFlags);
for (int i = 0; i<min(DBGKD_MAXSTREAM, pkt->StateChange.ControlReport.InstructionCount); i++){
printf("\tInstructionStream[%d] %02x\n", i, pkt->StateChange.ControlReport.InstructionStream[i]);
}
printf("\tSegCs %04x\n", pkt->StateChange.ControlReport.SegCs);
printf("\tSegDs %04x\n", pkt->StateChange.ControlReport.SegDs);
printf("\tSegEs %04x\n", pkt->StateChange.ControlReport.SegEs);
printf("\tSegFs %04x\n", pkt->StateChange.ControlReport.SegFs);
printf("\tSegSs %04x\n", pkt->StateChange.ControlReport.SegSs);
break;
case DbgKdLoadSymbolsStateChange:
printf("\t[DbgKdLoadSymbolsStateChange]\n");
//THE F**K ?
break;
case DbgKdSwitchProcessor:
printf("\t[DbgKdSwitchProcessor]\n");
break;
case DbgKdQueryMemoryApi:
printf("\t[DbgKdQueryMemoryApi]\n");
printf("\tAddress 0x%llx\n", pkt->ManipulateState64.QueryMemory.Address);
printf("\tReserved 0x%llx\n", pkt->ManipulateState64.QueryMemory.Reserved);
printf("\tAddressSpace 0x%08X\n", pkt->ManipulateState64.QueryMemory.AddressSpace);
printf("\tFlags 0x%08X\n", pkt->ManipulateState64.QueryMemory.Flags);
break;
case DbgKdSearchMemoryApi:
printf("\t[DbgKdSearchMemoryApi]\n");
printf("\tSearchAddress 0x%llx\n", pkt->ManipulateState64.SearchMemory.SearchAddress);
printf("\tSearchLength 0x%llx\n", pkt->ManipulateState64.SearchMemory.SearchLength);
printf("\tPatternLength 0x%08x\n", pkt->ManipulateState64.SearchMemory.PatternLength);
if (pkt->Length > 56){
printf("\tData :\n");
printHexData((char*)pkt->ManipulateState64.SearchMemory.Data, pkt->ManipulateState64.SearchMemory.PatternLength);
}
break;
case DbgKdReadMachineSpecificRegister:
printf("\t[DbgKdReadMachineSpecificRegister]\n");
printf("\tMsr %08x\n", pkt->ManipulateState64.ReadWriteMsr.Msr);
printf("\tDataValueHigh %08x\n", pkt->ManipulateState64.ReadWriteMsr.DataValueHigh);
printf("\tDataValueLow %08x\n", pkt->ManipulateState64.ReadWriteMsr.DataValueLow);
break;
default: //Stop ALL !
printf("\t[UNKNOWN]\n");
//stopKDServer();
//printHexData((char*)pkt->data, pkt->Length);
//system("pause");
}
printf("\t---------KD_CONTENT-----------\n");
}
printf("---------KD_HEADER-----------\n");
printf("\n\n");
return true;
}
bool ParseKDPkt(kd_packet_t* pkt){
printf("------------RAW--------------\n");
dumpHexData((char*)pkt, pkt->length + 16);
printf("-----------------------------\n");
printf("---------KD_HEADER-----------\n");
printf("Leader: %08x\n", pkt->leader);
printf("PacketType: %04x\n", pkt->type);
printf("DataSize: %d\n", pkt->length);
printf("PacketID: %08x\n", pkt->id);
printf("Checksum: %08x\n", pkt->checksum);
printf("Checksum(check): %08x\n", ChecksumKD(pkt));
if (pkt->length > 0){
printf("\t---------KD_CONTENT-----------\n");
printf("\tApiNumber %08x\n", pkt->ApiNumber);
if (pkt->type == KD_PACKET_TYPE_MANIP){
printf("\t\t---------KD_MANIP-----------\n");
printf("\t\tProcessorLevel: %04x\n", pkt->ManipulateState64.ProcessorLevel);
printf("\t\tProcessor: %04x\n", pkt->ManipulateState64.Processor);
printf("\t\tReturnStatus: %08x\n", pkt->ManipulateState64.ReturnStatus);
dumpHexData((char*)pkt->ManipulateState64.data, pkt->length - 12);
printf("\t\t----------------------------\n");
}
switch (pkt->ApiNumber){
case DbgKdGetVersionApi:
printf("\t[DbgKdGetVersionApi]\n");
printf("\tMajorVersion %04x\n", pkt->ManipulateState64.GetVersion.MajorVersion);
printf("\tMinorVersion %04x\n", pkt->ManipulateState64.GetVersion.MinorVersion);
printf("\tProtocolVersion %04x\n", pkt->ManipulateState64.GetVersion.ProtocolVersion);
printf("\tFlags %04x\n", pkt->ManipulateState64.GetVersion.Flags);
printf("\tMachineType %04x\n", pkt->ManipulateState64.GetVersion.MachineType);
printf("\tMaxPacketType %02x\n", pkt->ManipulateState64.GetVersion.MaxPacketType);
printf("\tMaxStateChange %02x\n", pkt->ManipulateState64.GetVersion.MaxStateChange);
printf("\tMaxManipulate %02x\n", pkt->ManipulateState64.GetVersion.MaxManipulate);
printf("\tSimulation %02x\n", pkt->ManipulateState64.GetVersion.Simulation);
printf("\tUnknown1 %04x\n", pkt->ManipulateState64.GetVersion.Unknown1);
printf("\tKernelImageBase %p\n", pkt->ManipulateState64.GetVersion.KernelImageBase);
printf("\tPsLoadedModuleList %p\n", pkt->ManipulateState64.GetVersion.PsLoadedModuleList);
printf("\tDebuggerDataList %p\n", pkt->ManipulateState64.GetVersion.DebuggerDataList);
printf("\tUnknown2 %p\n", pkt->ManipulateState64.GetVersion.Unknown2);
printf("\tUnknown3 %p\n", pkt->ManipulateState64.GetVersion.Unknown3);
break;
case DbgKdReadVirtualMemoryApi:
printf("\t[DbgKdReadVirtualMemoryApi]\n");
printf("\tTargetBaseAddress %p\n", pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
//printf("\tUnknown1 %p\n", pkt->ManipulateState64.ReadMemory.Unknown1);
//printf("\tUnknown2 %p\n", pkt->ManipulateState64.ReadMemory.Unknown2);
//printf("\tUnknown3 %p\n", pkt->ManipulateState64.ReadMemory.Unknown3);
if (pkt->length > 56){
printHexData((char*)pkt->ManipulateState64.ReadMemory.Data, pkt->ManipulateState64.ReadMemory.TransferCount);
}
break;
case DbgKdReadPhysicalMemoryApi:
printf("\t[DbgKdReadPhysicalMemoryApi]\n");
printf("\tTargetBaseAddress %p\n", pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
//printf("\tUnknown1 %p\n", pkt->ManipulateState64.ReadMemory.Unknown1);
//printf("\tUnknown2 %p\n", pkt->ManipulateState64.ReadMemory.Unknown2);
//printf("\tUnknown3 %p\n", pkt->ManipulateState64.ReadMemory.Unknown3);
if (pkt->length > 56){
printHexData((char*)pkt->ManipulateState64.ReadMemory.Data, pkt->ManipulateState64.ReadMemory.TransferCount);
}
break;
case DbgKdReadControlSpaceApi:
printf("\t[DbgKdReadControlSpaceApi]\n");
//TODO: 0 @KPCR, 1 @KPRCB, 2 @SpecialReagister, 3 @KTHREAD
printf("\tTargetBaseAddress(index) %p\n", pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
//printf("\tUnknown1 %p\n", pkt->ManipulateState64.ReadMemory.Unknown1);
//printf("\tUnknown2 %p\n", pkt->ManipulateState64.ReadMemory.Unknown2);
//printf("\tUnknown3 %p\n", pkt->ManipulateState64.ReadMemory.Unknown3);
if (pkt->length > 56){
printHexData((char*)pkt->ManipulateState64.ReadMemory.Data, pkt->ManipulateState64.ReadMemory.TransferCount);
}
break;
case DbgKdWriteControlSpaceApi:
printf("\t[DbgKdWriteControlSpaceApi]\n");
printf("\tTargetBaseAddress(index) %p\n", pkt->ManipulateState64.WriteMemory.TargetBaseAddress);
printf("\tTransferCount %08x\n", pkt->ManipulateState64.WriteMemory.TransferCount);
printf("\tActualBytesWritten %08x\n", pkt->ManipulateState64.WriteMemory.ActualBytesWritten);
switch (pkt->ManipulateState64.ReadMemory.TargetBaseAddress){
case 0: //@v_KPCR
break;
case 1: //@v_KPRCB
break;
case 2:{ //@SpecialRegisters
KSPECIAL_REGISTERS64 *tmpSpecialRegisters = (KSPECIAL_REGISTERS64*)pkt->ManipulateState64.WriteMemory.Data;
printf("\tKernelDr0 : 0x%p\n", tmpSpecialRegisters->KernelDr0);
printf("\tKernelDr1 : 0x%p\n", tmpSpecialRegisters->KernelDr1);
printf("\tKernelDr2 : 0x%p\n", tmpSpecialRegisters->KernelDr2);
printf("\tKernelDr3 : 0x%p\n", tmpSpecialRegisters->KernelDr3);
printf("\tKernelDr6 : 0x%p\n", tmpSpecialRegisters->KernelDr6);
printf("\tKernelDr7 : 0x%p\n", tmpSpecialRegisters->KernelDr7);
break;
}
case 3: //@v_KTHREAD
break;
default:
break;
};
break;
case DbgKdRestoreBreakPointApi:
printf("\t[DbgKdRestoreBreakPointApi]\n");
printf("\tBreakPointHandle %08x\n", pkt->ManipulateState64.RestoreBreakPoint.BreakPointHandle);
break;
case DbgKdClearAllInternalBreakpointsApi:
printf("\t[DbgKdClearAllInternalBreakpointsApi]\n");
break;
case DbgKdGetRegister:
printf("\t[DbgKdGetRegister]\n");
for (int i = 0; i < 12; i++){
printf("pkt->ManipulateState64.GetRegisters.u[%d] = 0x%p;\n", i, pkt->ManipulateState64.GetRegisters.u[i]);
}
if (pkt->length > 56){
printf("SegCs %04x\n", pkt->ManipulateState64.GetRegisters.SegCs);
printf("SegDs %04x\n", pkt->ManipulateState64.GetRegisters.SegDs);
printf("SegEs %04x\n", pkt->ManipulateState64.GetRegisters.SegEs);
printf("SegFs %04x\n", pkt->ManipulateState64.GetRegisters.SegFs);
printf("SegGs %04x\n", pkt->ManipulateState64.GetRegisters.SegGs);
printf("SegSs %04x\n", pkt->ManipulateState64.GetRegisters.SegSs);
printf("EFlags %08x\n", pkt->ManipulateState64.GetRegisters.EFlags);
printf("Dr0 %p\n", pkt->ManipulateState64.GetRegisters.Dr0);
printf("Dr1 %p\n", pkt->ManipulateState64.GetRegisters.Dr1);
printf("Dr2 %p\n", pkt->ManipulateState64.GetRegisters.Dr2);
printf("Dr3 %p\n", pkt->ManipulateState64.GetRegisters.Dr3);
printf("Dr6 %p\n", pkt->ManipulateState64.GetRegisters.Dr6);
printf("Dr7 %p\n", pkt->ManipulateState64.GetRegisters.Dr7);
printf("Rax %p\n", pkt->ManipulateState64.GetRegisters.Rax);
printf("Rcx %p\n", pkt->ManipulateState64.GetRegisters.Rcx);
printf("Rdx %p\n", pkt->ManipulateState64.GetRegisters.Rdx);
printf("Rbx %p\n", pkt->ManipulateState64.GetRegisters.Rbx);
printf("Rsp %p\n", pkt->ManipulateState64.GetRegisters.Rsp);
printf("Rbp %p\n", pkt->ManipulateState64.GetRegisters.Rbp);
printf("Rsi %p\n", pkt->ManipulateState64.GetRegisters.Rsi);
printf("Rdi %p\n", pkt->ManipulateState64.GetRegisters.Rdi);
printf("R8 %p\n", pkt->ManipulateState64.GetRegisters.R8);
printf("R9 %p\n", pkt->ManipulateState64.GetRegisters.R9);
printf("R10 %p\n", pkt->ManipulateState64.GetRegisters.R10);
printf("R11 %p\n", pkt->ManipulateState64.GetRegisters.R11);
printf("R12 %p\n", pkt->ManipulateState64.GetRegisters.R12);
printf("R13 %p\n", pkt->ManipulateState64.GetRegisters.R13);
printf("R14 %p\n", pkt->ManipulateState64.GetRegisters.R14);
printf("R15 %p\n", pkt->ManipulateState64.GetRegisters.R15);
printf("Rip %p\n", pkt->ManipulateState64.GetRegisters.Rip);
for (int i = 0; i < 122; i++){
printf("tmpKDRespPkt->ManipulateState64.GetRegisters.DATA[%d] = 0x%p;\n", i, pkt->ManipulateState64.GetRegisters.DATA[i]);
}
}
break;
case DbgKdSetContextApi: //Go !
printf("\t[DbgKdSetContextApi]\n");
//TODO !! Copy KiProcessorBlock[State->Processor]->ProcessorState.ContextFrame;
break;
case DbgKdContinueApi:
printf("\t[DbgKdContinueApi]\n");
break;
case DbgKdContinueApi2: //Go !
printf("\t[DbgKdContinueApi2]\n");
//TODO
printf("\tNTSTATUS %08\n", pkt->ManipulateState64.Continue2.ContinueStatus);
printf("\tTraceFlag %08\n", pkt->ManipulateState64.Continue2.ControlSet.TraceFlag);
printf("\tDr7 %p\n", pkt->ManipulateState64.Continue2.ControlSet.Dr7);
printf("\tCurrentSymbolStart %p\n", pkt->ManipulateState64.Continue2.ControlSet.CurrentSymbolStart);
printf("\tCurrentSymbolEnd %p\n", pkt->ManipulateState64.Continue2.ControlSet.CurrentSymbolEnd);
break;
//VM->Windbg
case DbgKdExceptionStateChange:
printf("\t[DbgKdExceptionStateChange]\n");
printf("\tNewState %08x\n", pkt->StateChange.NewState);
printf("\tProcessorLevel %04x\n", pkt->StateChange.ProcessorLevel);
printf("\tProcessor %04x\n", pkt->StateChange.Processor);
printf("\tNumberProcessors %08x\n", pkt->StateChange.NumberProcessors);
printf("\tThread %p\n", pkt->StateChange.Thread);
printf("\tProgramCounter %p\n", pkt->StateChange.ProgramCounter);
//TODO: printExceptionRecord
printf("ExceptionCode %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionCode);
printf("ExceptionFlags %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionFlags);
printf("ExceptionRecord %016lx\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionRecord);
printf("ExceptionAddress %016lx\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionAddress);
printf("NumberParameters %08x\n", pkt->StateChange.Exception.ExceptionRecord.NumberParameters);
printf("u1 %08x\n", pkt->StateChange.Exception.ExceptionRecord.u1);
for (int i = 0; i<EXCEPTION_MAXIMUM_PARAMETERS; i++){
printf("ExceptionInformation[%d] %016lx\n", i, pkt->StateChange.Exception.ExceptionRecord.ExceptionInformation[i]);
}
printf("FirstChance %08x\n", pkt->StateChange.Exception.FirstChance);
printf("\tDR6 %016lx\n", pkt->StateChange.ControlReport.Dr6);
printf("\tDR7 %016lx\n", pkt->StateChange.ControlReport.Dr7);
printf("\tEFlags %08x\n", pkt->StateChange.ControlReport.EFlags);
printf("\tInstructionCount %04x\n", pkt->StateChange.ControlReport.InstructionCount);
printf("\tReportFlags %04x\n", pkt->StateChange.ControlReport.ReportFlags);
for (int i = 0; i<min(DBGKD_MAXSTREAM, pkt->StateChange.ControlReport.InstructionCount); i++){
printf("\tInstructionStream[%d] %02x\n", i, pkt->StateChange.ControlReport.InstructionStream[i]);
}
printf("\tSegCs %04x\n", pkt->StateChange.ControlReport.SegCs);
printf("\tSegDs %04x\n", pkt->StateChange.ControlReport.SegDs);
printf("\tSegEs %04x\n", pkt->StateChange.ControlReport.SegEs);
printf("\tSegFs %04x\n", pkt->StateChange.ControlReport.SegFs);
break;
case DbgKdLoadSymbolsStateChange:
printf("\t[DbgKdLoadSymbolsStateChange]\n");
//THE F**K ?
break;
case DbgKdSwitchProcessor:
printf("\t[DbgKdSwitchProcessor]\n");
break;
case DbgKdQueryMemoryApi:
printf("\t[DbgKdQueryMemoryApi]\n");
printf("\tAddress 0x%p\n", pkt->ManipulateState64.QueryMemory.Address);
printf("\tReserved 0x%p\n", pkt->ManipulateState64.QueryMemory.Reserved);
printf("\tAddressSpace 0x%08X\n", pkt->ManipulateState64.QueryMemory.AddressSpace);
printf("\tFlags 0x%08X\n", pkt->ManipulateState64.QueryMemory.Flags);
break;
default: //Stop ALL !
printf("\t[UNKNOWN]\n");
//stopKDServer();
//printHexData((char*)pkt->data, pkt->length);
//system("pause");
}
printf("\t---------KD_CONTENT-----------\n");
}
printf("---------KD_HEADER-----------\n");
printf("\n\n");
return true;
}