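/* Bytes in front of the payload (Leader, Type, Length, Id, Checksum).
 * pkt->Length counts payload bytes only, so a raw dump of the whole packet
 * covers Length + this. */
enum { KDDUMP_HEADER_LEN = 16 };

/* Payload length of a manipulate-state packet whose body carries no trailing
 * bytes: ApiNumber, ProcessorLevel/Processor/ReturnStatus and the fixed-size
 * union body.  Only packets longer than this have anything in a body's
 * Data[] member (or a CONTEXT after the fixed fields). */
enum { KDDUMP_MANIP_FIXED_LEN = 56 };

/* Upper bound on the raw 64-bit words of GetRegisters.u[] that are echoed. */
enum { KDDUMP_MAX_RAW_WORDS = 12 };

/*
 * Number of payload bytes the packet actually carries from `at` onward.
 * `at` must point into the payload, which starts at pkt->ApiNumber (the first
 * field after the header).  Returns 0 when `at` lies before or at/after the
 * end of the payload, so the result can be used directly as a clamp.
 */
static size_t KdBytesFrom(const KD_PACKET_T *pkt, const void *at)
{
    const char *payload = (const char *)&pkt->ApiNumber;
    const char *p = (const char *)at;
    size_t length = (size_t)pkt->Length;

    if (p < payload) {
        return 0;
    }
    size_t used = (size_t)(p - payload);
    return used < length ? length - used : 0;
}

/*
 * Clamp a byte count taken from the packet body (TransferCount,
 * PatternLength, ...) to the bytes the packet really holds at `at`.  Those
 * counts come off the wire and are attacker controlled; honouring them
 * blindly makes the hex dump read past the payload.  A clipped count is
 * reported so the truncation is visible in the output.
 */
static size_t KdClampCount(const KD_PACKET_T *pkt, const void *at, unsigned long long wanted)
{
    size_t avail = KdBytesFrom(pkt, at);

    if (wanted <= avail) {
        return (size_t)wanted;
    }
    printf("\t(!) count %llu exceeds payload, clipping to %lu bytes\n",
           wanted, (unsigned long)avail);
    return avail;
}

/* DbgKdGetVersionApi body. */
static void KdPrintGetVersion(const KD_PACKET_T *pkt)
{
    printf("\t[DbgKdGetVersionApi]\n");
    printf("\tMajorVersion %04x\n", pkt->ManipulateState64.DbgGetVersion.MajorVersion);
    printf("\tMinorVersion %04x\n", pkt->ManipulateState64.DbgGetVersion.MinorVersion);
    printf("\tProtocolVersion %04x\n", pkt->ManipulateState64.DbgGetVersion.ProtocolVersion);
    printf("\tFlags %04x\n", pkt->ManipulateState64.DbgGetVersion.Flags);
    printf("\tMachineType %04x\n", pkt->ManipulateState64.DbgGetVersion.MachineType);
    printf("\tMaxPacketType %02x\n", pkt->ManipulateState64.DbgGetVersion.MaxPacketType);
    printf("\tMaxStateChange %02x\n", pkt->ManipulateState64.DbgGetVersion.MaxStateChange);
    printf("\tMaxManipulate %02x\n", pkt->ManipulateState64.DbgGetVersion.MaxManipulate);
    printf("\tSimulation %02x\n", pkt->ManipulateState64.DbgGetVersion.Simulation);
    printf("\tUnknown1 %04x\n", pkt->ManipulateState64.DbgGetVersion.Unknown1);
    printf("\tKernelImageBase %llx\n", pkt->ManipulateState64.DbgGetVersion.KernelImageBase);
    printf("\tPsLoadedModuleList %llx\n", pkt->ManipulateState64.DbgGetVersion.PsLoadedModuleList);
    printf("\tDebuggerDataList %llx\n", pkt->ManipulateState64.DbgGetVersion.DebuggerDataList);
    printf("\tUnknown2 %llx\n", pkt->ManipulateState64.DbgGetVersion.Unknown2);
    printf("\tUnknown3 %llx\n", pkt->ManipulateState64.DbgGetVersion.Unknown3);
}

/* Fixed part of a Read*Memory body (`addrLabel` names TargetBaseAddress,
 * which is an index rather than an address for control space).  The three
 * Unknown fields after ActualBytesRead are not printed. */
static void KdPrintReadMemoryHeader(const KD_PACKET_T *pkt, const char *api, const char *addrLabel)
{
    printf("\t[%s]\n", api);
    printf("\t%s %llx\n", addrLabel, pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
    printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
    printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
}

/* Fixed part of a Write*Memory body; see KdPrintReadMemoryHeader. */
static void KdPrintWriteMemoryHeader(const KD_PACKET_T *pkt, const char *api, const char *addrLabel)
{
    printf("\t[%s]\n", api);
    printf("\t%s %llx\n", addrLabel, pkt->ManipulateState64.WriteMemory.TargetBaseAddress);
    printf("\tTransferCount %08x\n", pkt->ManipulateState64.WriteMemory.TransferCount);
    printf("\tActualBytesWritten %08x\n", pkt->ManipulateState64.WriteMemory.ActualBytesWritten);
}

/* Bytes carried in ReadMemory.Data, if the packet has any; TransferCount is
 * clipped to what is really present. */
static void KdPrintReadMemoryData(const KD_PACKET_T *pkt)
{
    const void *data = pkt->ManipulateState64.ReadMemory.Data;

    if (KdBytesFrom(pkt, data) == 0) {
        return;
    }
    size_t n = KdClampCount(pkt, data, pkt->ManipulateState64.ReadMemory.TransferCount);
    printHexData((char *)pkt->ManipulateState64.ReadMemory.Data, n);
}

/* Bytes carried in WriteMemory.Data, if the packet has any; see
 * KdPrintReadMemoryData. */
static void KdPrintWriteMemoryData(const KD_PACKET_T *pkt)
{
    const void *data = pkt->ManipulateState64.WriteMemory.Data;

    if (KdBytesFrom(pkt, data) == 0) {
        return;
    }
    size_t n = KdClampCount(pkt, data, pkt->ManipulateState64.WriteMemory.TransferCount);
    printHexData((char *)pkt->ManipulateState64.WriteMemory.Data, n);
}

/*
 * Decode the KSPECIAL_REGISTERS64 that control-space index 2 transfers.
 * `data` is the body's Data[] member and `avail` the bytes the packet holds
 * there; the structure is printed only when all of it is present, otherwise
 * the truncation is reported instead of reading beyond the payload.
 */
static void KdPrintSpecialRegisters(const void *data, size_t avail)
{
    if (avail < sizeof(KSPECIAL_REGISTERS64_T)) {
        printf("\t(!) KSPECIAL_REGISTERS64 truncated: %lu of %lu bytes present\n",
               (unsigned long)avail, (unsigned long)sizeof(KSPECIAL_REGISTERS64_T));
        return;
    }
    const KSPECIAL_REGISTERS64_T *r = (const KSPECIAL_REGISTERS64_T *)data;
    printf("\tKernelDr0 : 0x%llx\n", r->KernelDr0);
    printf("\tKernelDr1 : 0x%llx\n", r->KernelDr1);
    printf("\tKernelDr2 : 0x%llx\n", r->KernelDr2);
    printf("\tKernelDr3 : 0x%llx\n", r->KernelDr3);
    printf("\tKernelDr6 : 0x%llx\n", r->KernelDr6);
    printf("\tKernelDr7 : 0x%llx\n", r->KernelDr7);
    printf("\tGdtr.Limit : 0x%04x\n", r->Gdtr.Limit);
    printf("\tGdtr.Base : 0x%llx\n", r->Gdtr.Base);
    printf("\tIdtr.Limit : 0x%04x\n", r->Idtr.Limit);
    printf("\tIdtr.Base : 0x%llx\n", r->Idtr.Base);
    printf("\tTr : 0x%04x\n", r->Tr);
    printf("\tLdtr : 0x%04x\n", r->Ldtr);
    printf("\tMxCsr : 0x%08x\n", r->MxCsr);
    printf("\tDebugControl : 0x%llx\n", r->DebugControl);
    printf("\tLastBranchToRip : 0x%llx\n", r->LastBranchToRip);
    printf("\tLastBranchFromRip : 0x%llx\n", r->LastBranchFromRip);
    printf("\tLastExceptionToRip : 0x%llx\n", r->LastExceptionToRip);
    printf("\tLastExceptionFromRip : 0x%llx\n", r->LastExceptionFromRip);
    printf("\tCr8 : 0x%llx\n", r->Cr8);
    printf("\tMsrGsBase : 0x%llx\n", r->MsrGsBase);
    printf("\tMsrGsSwap : 0x%llx\n", r->MsrGsSwap);
    printf("\tMsrStar : 0x%llx\n", r->MsrStar);
    printf("\tMsrLStar : 0x%llx\n", r->MsrLStar);
    printf("\tMsrCStar : 0x%llx\n", r->MsrCStar);
    printf("\tMsrSyscallMask : 0x%llx\n", r->MsrSyscallMask);
    printf("\tXcr0 : 0x%llx\n", r->Xcr0);
}

/*
 * Data part of a (Read|Write)ControlSpace body.  `index` is the
 * TargetBaseAddress, which selects what is transferred (0 KPCR, 1 KPRCB,
 * 2 special registers, 3 KTHREAD); only index 2 is decoded.  `data`/`avail`
 * are the body's Data[] member and the bytes the packet holds there; nothing
 * is printed when the packet carries no data at all.
 */
static void KdPrintControlSpace(unsigned long long index, const void *data, size_t avail)
{
    if (avail == 0) {
        return;
    }
    switch (index) {
    case 2:
        KdPrintSpecialRegisters(data, avail);
        break;
    case 0: /* KPCR */
    case 1: /* KPRCB */
    case 3: /* KTHREAD */
    default:
        /* Not decoded; the KD_MANIP raw dump shows the bytes. */
        break;
    }
}

/* Register fields of a DbgKdGetRegisterApi body that carries data. */
static void KdPrintGetRegisters(const KD_PACKET_T *pkt)
{
    printf("SegCs %04x\n", pkt->ManipulateState64.GetRegisters.SegCs);
    printf("SegDs %04x\n", pkt->ManipulateState64.GetRegisters.SegDs);
    printf("SegEs %04x\n", pkt->ManipulateState64.GetRegisters.SegEs);
    printf("SegFs %04x\n", pkt->ManipulateState64.GetRegisters.SegFs);
    printf("SegGs %04x\n", pkt->ManipulateState64.GetRegisters.SegGs);
    printf("SegSs %04x\n", pkt->ManipulateState64.GetRegisters.SegSs);
    printf("EFlags %08x\n", pkt->ManipulateState64.GetRegisters.EFlags);

    printf("Dr0 %llx\n", pkt->ManipulateState64.GetRegisters.Dr0);
    printf("Dr1 %llx\n", pkt->ManipulateState64.GetRegisters.Dr1);
    printf("Dr2 %llx\n", pkt->ManipulateState64.GetRegisters.Dr2);
    printf("Dr3 %llx\n", pkt->ManipulateState64.GetRegisters.Dr3);
    printf("Dr6 %llx\n", pkt->ManipulateState64.GetRegisters.Dr6);
    printf("Dr7 %llx\n", pkt->ManipulateState64.GetRegisters.Dr7);

    printf("Rax %llx\n", pkt->ManipulateState64.GetRegisters.Rax);
    printf("Rcx %llx\n", pkt->ManipulateState64.GetRegisters.Rcx);
    printf("Rdx %llx\n", pkt->ManipulateState64.GetRegisters.Rdx);
    printf("Rbx %llx\n", pkt->ManipulateState64.GetRegisters.Rbx);
    printf("Rsp %llx\n", pkt->ManipulateState64.GetRegisters.Rsp);
    printf("Rbp %llx\n", pkt->ManipulateState64.GetRegisters.Rbp);
    printf("Rsi %llx\n", pkt->ManipulateState64.GetRegisters.Rsi);
    printf("Rdi %llx\n", pkt->ManipulateState64.GetRegisters.Rdi);
    printf("R8 %llx\n", pkt->ManipulateState64.GetRegisters.R8);
    printf("R9 %llx\n", pkt->ManipulateState64.GetRegisters.R9);
    printf("R10 %llx\n", pkt->ManipulateState64.GetRegisters.R10);
    printf("R11 %llx\n", pkt->ManipulateState64.GetRegisters.R11);
    printf("R12 %llx\n", pkt->ManipulateState64.GetRegisters.R12);
    printf("R13 %llx\n", pkt->ManipulateState64.GetRegisters.R13);
    printf("R14 %llx\n", pkt->ManipulateState64.GetRegisters.R14);
    printf("R15 %llx\n", pkt->ManipulateState64.GetRegisters.R15);

    printf("Rip %llx\n", pkt->ManipulateState64.GetRegisters.Rip);
    /* The fpu.DATA[] block that follows is not printed. */
}

/*
 * The CONTEXT carried by DbgKdGetContextApi / DbgKdSetContextApi.  Both are
 * decoded through the GetContext.Context view (assumes SetContext uses the
 * same layout — TODO confirm against the struct definition).  A packet that
 * carries no data past the fixed fields prints only the API name; one that
 * carries too little for a whole CONTEXT reports the truncation rather than
 * printing whatever sits in the receive buffer.
 */
static void KdPrintContext(const KD_PACKET_T *pkt, const char *api)
{
    printf("\t[%s]\n", api);
    if (pkt->Length <= KDDUMP_MANIP_FIXED_LEN) {
        return;
    }
    size_t avail = KdBytesFrom(pkt, &pkt->ManipulateState64.GetContext.Context);
    if (avail < sizeof(pkt->ManipulateState64.GetContext.Context)) {
        printf("\t(!) CONTEXT truncated: %lu of %lu bytes present\n",
               (unsigned long)avail,
               (unsigned long)sizeof(pkt->ManipulateState64.GetContext.Context));
        return;
    }
    printf("CS %04x\n", pkt->ManipulateState64.GetContext.Context.SegCs);
    printf("DS %04x\n", pkt->ManipulateState64.GetContext.Context.SegDs);
    printf("ES %04x\n", pkt->ManipulateState64.GetContext.Context.SegEs);
    printf("FS %04x\n", pkt->ManipulateState64.GetContext.Context.SegFs);
    printf("Gs %04x\n", pkt->ManipulateState64.GetContext.Context.SegGs);
    printf("Ss %04x\n", pkt->ManipulateState64.GetContext.Context.SegSs);
    printf("Rip %llx\n", pkt->ManipulateState64.GetContext.Context.Rip);
    printf("Rbp %llx\n", pkt->ManipulateState64.GetContext.Context.Rbp);
    printf("Rsp %llx\n", pkt->ManipulateState64.GetContext.Context.Rsp);
    printf("Rax %llx\n", pkt->ManipulateState64.GetContext.Context.Rax);
    printf("Rbx %llx\n", pkt->ManipulateState64.GetContext.Context.Rbx);
    printf("Rcx %llx\n", pkt->ManipulateState64.GetContext.Context.Rcx);
    printf("Rdx %llx\n", pkt->ManipulateState64.GetContext.Context.Rdx);
    printf("Rsi %llx\n", pkt->ManipulateState64.GetContext.Context.Rsi);
    printf("Rdi %llx\n", pkt->ManipulateState64.GetContext.Context.Rdi);
    printf("R8 %llx\n", pkt->ManipulateState64.GetContext.Context.R8);
    printf("R9 %llx\n", pkt->ManipulateState64.GetContext.Context.R9);
    printf("R10 %llx\n", pkt->ManipulateState64.GetContext.Context.R10);
    printf("R11 %llx\n", pkt->ManipulateState64.GetContext.Context.R11);
    printf("R12 %llx\n", pkt->ManipulateState64.GetContext.Context.R12);
    printf("R13 %llx\n", pkt->ManipulateState64.GetContext.Context.R13);
    printf("R14 %llx\n", pkt->ManipulateState64.GetContext.Context.R14);
    printf("R15 %llx\n", pkt->ManipulateState64.GetContext.Context.R15);
    printf("EFlags %08x\n", pkt->ManipulateState64.GetContext.Context.EFlags);
    printf("Dr0 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr0);
    printf("Dr1 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr1);
    printf("Dr2 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr2);
    printf("Dr3 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr3);
    printf("Dr6 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr6);
    printf("Dr7 %llx\n", pkt->ManipulateState64.GetContext.Context.Dr7);
}

/* DbgKdExceptionStateChange (target -> debugger): state header, exception
 * record and control report.  InstructionStream is bounded by DBGKD_MAXSTREAM
 * because InstructionCount is a wire value. */
static void KdPrintExceptionStateChange(const KD_PACKET_T *pkt)
{
    printf("\t[DbgKdExceptionStateChange]\n");
    printf("\tNewState %08x\n", pkt->StateChange.NewState);
    printf("\tProcessorLevel %04x\n", pkt->StateChange.ProcessorLevel);
    printf("\tProcessor %04x\n", pkt->StateChange.Processor);
    printf("\tNumberProcessors %08x\n", pkt->StateChange.NumberProcessors);
    printf("\tThread %llx\n", pkt->StateChange.Thread);
    printf("\tProgramCounter %llx\n", pkt->StateChange.ProgramCounter);

    printf("ExceptionCode %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionCode);
    printf("ExceptionFlags %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionFlags);
    printf("ExceptionRecord %llx\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionRecord);
    printf("ExceptionAddress %llx\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionAddress);
    printf("NumberParameters %08x\n", pkt->StateChange.Exception.ExceptionRecord.NumberParameters);
    printf("u1 %08x\n", pkt->StateChange.Exception.ExceptionRecord.u1);
    for (int i = 0; i < EXCEPTION_MAXIMUM_PARAMETERS; i++) {
        printf("ExceptionInformation[%d] %llx\n", i, pkt->StateChange.Exception.ExceptionRecord.ExceptionInformation[i]);
    }
    printf("FirstChance %08x\n", pkt->StateChange.Exception.FirstChance);

    printf("\tDR6 %llx\n", pkt->StateChange.ControlReport.Dr6);
    printf("\tDR7 %llx\n", pkt->StateChange.ControlReport.Dr7);
    printf("\tEFlags %08x\n", pkt->StateChange.ControlReport.EFlags);
    printf("\tInstructionCount %04x\n", pkt->StateChange.ControlReport.InstructionCount);
    printf("\tReportFlags %04x\n", pkt->StateChange.ControlReport.ReportFlags);
    for (int i = 0; i < min(DBGKD_MAXSTREAM, pkt->StateChange.ControlReport.InstructionCount); i++) {
        printf("\tInstructionStream[%d] %02x\n", i, pkt->StateChange.ControlReport.InstructionStream[i]);
    }
    printf("\tSegCs %04x\n", pkt->StateChange.ControlReport.SegCs);
    printf("\tSegDs %04x\n", pkt->StateChange.ControlReport.SegDs);
    printf("\tSegEs %04x\n", pkt->StateChange.ControlReport.SegEs);
    printf("\tSegFs %04x\n", pkt->StateChange.ControlReport.SegFs);
    printf("\tSegSs %04x\n", pkt->StateChange.ControlReport.SegSs);
}

/* DbgKdSearchMemoryApi body; the pattern bytes are clipped to the payload
 * because PatternLength is a wire value. */
static void KdPrintSearchMemory(const KD_PACKET_T *pkt)
{
    const void *data = pkt->ManipulateState64.SearchMemory.Data;

    printf("\t[DbgKdSearchMemoryApi]\n");
    printf("\tSearchAddress 0x%llx\n", pkt->ManipulateState64.SearchMemory.SearchAddress);
    printf("\tSearchLength 0x%llx\n", pkt->ManipulateState64.SearchMemory.SearchLength);
    printf("\tPatternLength 0x%08x\n", pkt->ManipulateState64.SearchMemory.PatternLength);
    if (KdBytesFrom(pkt, data) == 0) {
        return;
    }
    size_t n = KdClampCount(pkt, data, pkt->ManipulateState64.SearchMemory.PatternLength);
    printf("\tData :\n");
    printHexData((char *)pkt->ManipulateState64.SearchMemory.Data, n);
}

/*
 * Dump one kernel-debugger (KD) packet to stdout: the raw bytes, the packet
 * header, and — when pkt->Length > 0 — the API-specific body selected by
 * ApiNumber.
 *
 * Every field of *pkt, including the counts inside the body (TransferCount,
 * PatternLength, InstructionCount, ...), comes off the wire and must be
 * treated as hostile.  Nothing is trusted beyond pkt->Length: each
 * variable-length dump is clipped to the bytes the packet really carries and
 * fixed-size structures are decoded only when fully present.  The caller
 * must supply a buffer of at least pkt->Length + KDDUMP_HEADER_LEN bytes
 * (the raw dump already relies on that).
 *
 * A checksum mismatch is reported in the output; the packet is still
 * decoded because this is a diagnostic printer.  Always returns true, which
 * callers may rely on.
 */
bool ParseKDPkt(KD_PACKET_T* pkt)
{
    printf("------------RAW--------------\n");
    dumpHexData((char*)pkt, pkt->Length + KDDUMP_HEADER_LEN);
    printf("-----------------------------\n");
    printf("---------KD_HEADER-----------\n");
    printf("Leader: %08x\n", pkt->Leader);
    printf("PacketType: %04x\n", pkt->Type);
    printf("DataSize: %d\n", pkt->Length);
    printf("PacketID: %08x\n", pkt->Id);
    printf("Checksum: %08x\n", pkt->Checksum);
    unsigned int computed = ChecksumKD(pkt);
    printf("Checksum(check): %08x\n", computed);
    if (computed != pkt->Checksum) {
        printf("(!) checksum mismatch\n");
    }

    if (pkt->Length > 0) {
        printf("\t---------KD_CONTENT-----------\n");
        printf("\tApiNumber %08x\n", pkt->ApiNumber);
        if (pkt->Type == KD_PACKET_TYPE_MANIP) {
            printf("\t\t---------KD_MANIP-----------\n");
            printf("\t\tProcessorLevel: %04x\n", pkt->ManipulateState64.ProcessorLevel);
            printf("\t\tProcessor: %04x\n", pkt->ManipulateState64.Processor);
            printf("\t\tReturnStatus: %08x\n", pkt->ManipulateState64.ReturnStatus);
            /* Everything after the fixed fields, bounded by the payload: a
             * packet shorter than the fixed fields dumps nothing rather than
             * a negative length. */
            dumpHexData((char*)pkt->ManipulateState64.data,
                        KdBytesFrom(pkt, pkt->ManipulateState64.data));
            printf("\t\t----------------------------\n");
        }

        switch (pkt->ApiNumber) {
        case DbgKdGetVersionApi:
            KdPrintGetVersion(pkt);
            break;
        case DbgKdReadVirtualMemoryApi:
            KdPrintReadMemoryHeader(pkt, "DbgKdReadVirtualMemoryApi", "TargetBaseAddress");
            KdPrintReadMemoryData(pkt);
            break;
        case DbgKdWriteVirtualMemoryApi:
            KdPrintWriteMemoryHeader(pkt, "DbgKdWriteVirtualMemoryApi", "TargetBaseAddress");
            KdPrintWriteMemoryData(pkt);
            break;
        case DbgKdReadPhysicalMemoryApi:
            KdPrintReadMemoryHeader(pkt, "DbgKdReadPhysicalMemoryApi", "TargetBaseAddress");
            KdPrintReadMemoryData(pkt);
            break;
        case DbgKdWritePhysicalMemoryApi:
            KdPrintWriteMemoryHeader(pkt, "DbgKdWritePhysicalMemoryApi", "TargetBaseAddress");
            KdPrintWriteMemoryData(pkt);
            break;
        case DbgKdReadControlSpaceApi:
            /* Each API is read through its own union view; ReadMemory and
             * WriteMemory members are no longer mixed within one case. */
            KdPrintReadMemoryHeader(pkt, "DbgKdReadControlSpaceApi", "TargetBaseAddress(index)");
            KdPrintControlSpace(pkt->ManipulateState64.ReadMemory.TargetBaseAddress,
                                pkt->ManipulateState64.ReadMemory.Data,
                                KdBytesFrom(pkt, pkt->ManipulateState64.ReadMemory.Data));
            break;
        case DbgKdWriteControlSpaceApi:
            KdPrintWriteMemoryHeader(pkt, "DbgKdWriteControlSpaceApi", "TargetBaseAddress(index)");
            KdPrintControlSpace(pkt->ManipulateState64.WriteMemory.TargetBaseAddress,
                                pkt->ManipulateState64.WriteMemory.Data,
                                KdBytesFrom(pkt, pkt->ManipulateState64.WriteMemory.Data));
            break;
        case DbgKdRestoreBreakPointApi:
            printf("\t[DbgKdRestoreBreakPointApi]\n");
            printf("\tBreakPointHandle %08x\n", pkt->ManipulateState64.RestoreBreakPoint.BreakPointHandle);
            break;
        case DbgKdClearAllInternalBreakpointsApi:
            printf("\t[DbgKdClearAllInternalBreakpointsApi]\n");
            break;
        case DbgKdWriteBreakPointApi:
            printf("\t[DbgKdWriteBreakPointApi]\n");
            printf("\tBreakPointAddress %llx\n", pkt->ManipulateState64.WriteBreakPoint.BreakPointAddress);
            printf("\tBreakPointHandle %08x\n", pkt->ManipulateState64.WriteBreakPoint.BreakPointHandle);
            break;
        case DbgKdGetRegisterApi: {
            printf("\t[DbgKdGetRegister]\n");
            /* Raw 64-bit words of the body, printed as C assignments; only
             * words the packet actually carries are shown. */
            size_t words = KdBytesFrom(pkt, pkt->ManipulateState64.GetRegisters.u)
                           / sizeof(pkt->ManipulateState64.GetRegisters.u[0]);
            if (words > KDDUMP_MAX_RAW_WORDS) {
                words = KDDUMP_MAX_RAW_WORDS;
            }
            for (size_t i = 0; i < words; i++) {
                printf("pkt->ManipulateState64.GetRegisters.u[%d] = 0x%llx;\n",
                       (int)i, pkt->ManipulateState64.GetRegisters.u[i]);
            }
            if (pkt->Length > KDDUMP_MANIP_FIXED_LEN) {
                KdPrintGetRegisters(pkt);
            }
            break;
        }
        case DbgKdGetContextApi:
            KdPrintContext(pkt, "DbgKdGetContextApi");
            break;
        case DbgKdSetContextApi:
            KdPrintContext(pkt, "DbgKdSetContextApi");
            break;
        case DbgKdContinueApi:
            printf("\t[DbgKdContinueApi]\n");
            break;
        case DbgKdContinueApi2:
            printf("\t[DbgKdContinueApi2]\n");
            printf("\tContinueStatus %08x\n", pkt->ManipulateState64.Continue2.ContinueStatus);
            printf("\tTraceFlag %08x\n", pkt->ManipulateState64.Continue2.TraceFlag);
            printf("\tDr7 %llx\n", pkt->ManipulateState64.Continue2.Dr7);
            printf("\tCurrentSymbolStart %llx\n", pkt->ManipulateState64.Continue2.CurrentSymbolStart);
            printf("\tCurrentSymbolEnd %llx\n", pkt->ManipulateState64.Continue2.CurrentSymbolEnd);
            break;
        /* Target -> debugger state changes. */
        case DbgKdExceptionStateChange:
            KdPrintExceptionStateChange(pkt);
            break;
        case DbgKdLoadSymbolsStateChange:
            printf("\t[DbgKdLoadSymbolsStateChange]\n");
            /* Body not decoded. */
            break;
        case DbgKdSwitchProcessor:
            printf("\t[DbgKdSwitchProcessor]\n");
            break;
        case DbgKdQueryMemoryApi:
            printf("\t[DbgKdQueryMemoryApi]\n");
            printf("\tAddress 0x%llx\n", pkt->ManipulateState64.QueryMemory.Address);
            printf("\tReserved 0x%llx\n", pkt->ManipulateState64.QueryMemory.Reserved);
            printf("\tAddressSpace 0x%08X\n", pkt->ManipulateState64.QueryMemory.AddressSpace);
            printf("\tFlags 0x%08X\n", pkt->ManipulateState64.QueryMemory.Flags);
            break;
        case DbgKdSearchMemoryApi:
            KdPrintSearchMemory(pkt);
            break;
        case DbgKdReadMachineSpecificRegister:
            printf("\t[DbgKdReadMachineSpecificRegister]\n");
            printf("\tMsr %08x\n", pkt->ManipulateState64.ReadWriteMsr.Msr);
            printf("\tDataValueHigh %08x\n", pkt->ManipulateState64.ReadWriteMsr.DataValueHigh);
            printf("\tDataValueLow %08x\n", pkt->ManipulateState64.ReadWriteMsr.DataValueLow);
            break;
        default:
            /* Unknown ApiNumber: the KD_MANIP raw dump above (if any) is all
             * that is shown. */
            printf("\t[UNKNOWN]\n");
            break;
        }
        printf("\t---------KD_CONTENT-----------\n");
    }
    printf("---------KD_HEADER-----------\n");
    printf("\n\n");
    return true;
}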
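/*
 * Bytes of packet payload that lie at or after `field`.
 *
 * The packet occupies `length + 16` bytes in memory (16 is the header size the
 * raw dump in ParseKDPkt already relies on), so the bytes available from a
 * member to the end of the packet are `length + 16 - offset(member)`.
 * Returns 0 when `length` is non-positive or `field` lies at or past the end.
 * Used to clamp peer-supplied byte counts (TransferCount, embedded structs)
 * to what was actually received, so a short or malformed packet cannot make
 * the dumper read past its buffer.
 *
 * Assumes `field` is a member of *pkt (an inline trailing array, not a
 * pointer stored in the packet) — true for every caller below; confirm if
 * new callers are added.
 */
static size_t kd_avail(const kd_packet_t *pkt, const void *field)
{
	const char *base = (const char *)pkt;
	const char *p = (const char *)field;
	size_t total, off;

	if (pkt->length <= 0)
		return 0;
	total = (size_t)pkt->length + 16;
	off = (size_t)(p - base);
	return off < total ? total - off : 0;
}

/*
 * printHexData() wrapper: dumps at most the bytes really present in the
 * packet, however large the declared count is, and says when it clamped.
 */
static void kd_print_data(const kd_packet_t *pkt, const void *data, size_t declared)
{
	size_t avail = kd_avail(pkt, data);
	size_t n = declared < avail ? declared : avail;

	if (n < declared)
		printf("\t(%lu of %lu declared bytes present in packet)\n",
		       (unsigned long)n, (unsigned long)declared);
	printHexData((char *)data, n);
}

/* DbgKdGetVersionApi reply: version words and kernel image/list pointers. */
static void kd_print_get_version(const kd_packet_t *pkt)
{
	printf("\t[DbgKdGetVersionApi]\n");
	printf("\tMajorVersion %04x\n", pkt->ManipulateState64.GetVersion.MajorVersion);
	printf("\tMinorVersion %04x\n", pkt->ManipulateState64.GetVersion.MinorVersion);
	printf("\tProtocolVersion %04x\n", pkt->ManipulateState64.GetVersion.ProtocolVersion);
	printf("\tFlags %04x\n", pkt->ManipulateState64.GetVersion.Flags);
	printf("\tMachineType %04x\n", pkt->ManipulateState64.GetVersion.MachineType);
	printf("\tMaxPacketType %02x\n", pkt->ManipulateState64.GetVersion.MaxPacketType);
	printf("\tMaxStateChange %02x\n", pkt->ManipulateState64.GetVersion.MaxStateChange);
	printf("\tMaxManipulate %02x\n", pkt->ManipulateState64.GetVersion.MaxManipulate);
	printf("\tSimulation %02x\n", pkt->ManipulateState64.GetVersion.Simulation);
	printf("\tUnknown1 %04x\n", pkt->ManipulateState64.GetVersion.Unknown1);
	printf("\tKernelImageBase %p\n", pkt->ManipulateState64.GetVersion.KernelImageBase);
	printf("\tPsLoadedModuleList %p\n", pkt->ManipulateState64.GetVersion.PsLoadedModuleList);
	printf("\tDebuggerDataList %p\n", pkt->ManipulateState64.GetVersion.DebuggerDataList);
	printf("\tUnknown2 %p\n", pkt->ManipulateState64.GetVersion.Unknown2);
	printf("\tUnknown3 %p\n", pkt->ManipulateState64.GetVersion.Unknown3);
}

/*
 * Shared body of the three ReadMemory-shaped APIs (virtual, physical and
 * control space). `api` is the bracketed name printed first; `addr_label` is
 * the caption of the address line, because the control-space variant carries
 * an index rather than an address. Data is dumped only when the packet
 * extends past the fixed 56-byte manipulate-state block (the original
 * check), and never past the end of the packet.
 */
static void kd_print_read_memory(const kd_packet_t *pkt, const char *api, const char *addr_label)
{
	printf("\t[%s]\n", api);
	printf("\t%s %p\n", addr_label, pkt->ManipulateState64.ReadMemory.TargetBaseAddress);
	printf("\tTransferCount %08x\n", pkt->ManipulateState64.ReadMemory.TransferCount);
	printf("\tActualBytesRead %08x\n", pkt->ManipulateState64.ReadMemory.ActualBytesRead);
	if (pkt->length > 56){
		kd_print_data(pkt, pkt->ManipulateState64.ReadMemory.Data,
			      pkt->ManipulateState64.ReadMemory.TransferCount);
	}
}

/*
 * DbgKdWriteControlSpaceApi: TargetBaseAddress selects which per-processor
 * block is written (0 KPCR, 1 KPRCB, 2 special registers, 3 KTHREAD, per the
 * author's notes); only the special-register payload is decoded.
 * The original switched on the ReadMemory view of the union while printing
 * the WriteMemory view; both are now WriteMemory.
 */
static void kd_print_write_control_space(const kd_packet_t *pkt)
{
	printf("\t[DbgKdWriteControlSpaceApi]\n");
	printf("\tTargetBaseAddress(index) %p\n", pkt->ManipulateState64.WriteMemory.TargetBaseAddress);
	printf("\tTransferCount %08x\n", pkt->ManipulateState64.WriteMemory.TransferCount);
	printf("\tActualBytesWritten %08x\n", pkt->ManipulateState64.WriteMemory.ActualBytesWritten);

	switch (pkt->ManipulateState64.WriteMemory.TargetBaseAddress){
	case 0: //@v_KPCR
		break;
	case 1: //@v_KPRCB
		break;
	case 2:{ //@SpecialRegisters
		const void *data = pkt->ManipulateState64.WriteMemory.Data;
		const KSPECIAL_REGISTERS64 *sr = (const KSPECIAL_REGISTERS64 *)data;

		/* The struct is read straight out of the payload: make sure all of it arrived. */
		if (kd_avail(pkt, data) < sizeof *sr){
			printf("\t(packet too short for KSPECIAL_REGISTERS64)\n");
			break;
		}
		printf("\tKernelDr0 : 0x%p\n", sr->KernelDr0);
		printf("\tKernelDr1 : 0x%p\n", sr->KernelDr1);
		printf("\tKernelDr2 : 0x%p\n", sr->KernelDr2);
		printf("\tKernelDr3 : 0x%p\n", sr->KernelDr3);
		printf("\tKernelDr6 : 0x%p\n", sr->KernelDr6);
		printf("\tKernelDr7 : 0x%p\n", sr->KernelDr7);
		break;
	}
	case 3: //@v_KTHREAD
		break;
	default:
		break;
	}
}

/*
 * DbgKdGetRegister: 12 leading words, then — when the packet extends past the
 * fixed 56-byte block — the x64 context and a trailing DATA[] array. The
 * DATA loop is clamped to the entries actually present in the packet.
 * Lines are printed as C assignments (naming tmpKDRespPkt), presumably so
 * they can be pasted into a reply builder.
 */
static void kd_print_get_registers(const kd_packet_t *pkt)
{
	printf("\t[DbgKdGetRegister]\n");

	for (int i = 0; i < 12; i++){
		printf("pkt->ManipulateState64.GetRegisters.u[%d] = 0x%p;\n", i, pkt->ManipulateState64.GetRegisters.u[i]);
	}
	if (pkt->length > 56){
		size_t ndata = kd_avail(pkt, pkt->ManipulateState64.GetRegisters.DATA)
			       / sizeof pkt->ManipulateState64.GetRegisters.DATA[0];

		printf("SegCs %04x\n", pkt->ManipulateState64.GetRegisters.SegCs);
		printf("SegDs %04x\n", pkt->ManipulateState64.GetRegisters.SegDs);
		printf("SegEs %04x\n", pkt->ManipulateState64.GetRegisters.SegEs);
		printf("SegFs %04x\n", pkt->ManipulateState64.GetRegisters.SegFs);
		printf("SegGs %04x\n", pkt->ManipulateState64.GetRegisters.SegGs);
		printf("SegSs %04x\n", pkt->ManipulateState64.GetRegisters.SegSs);
		printf("EFlags %08x\n", pkt->ManipulateState64.GetRegisters.EFlags);

		printf("Dr0 %p\n", pkt->ManipulateState64.GetRegisters.Dr0);
		printf("Dr1 %p\n", pkt->ManipulateState64.GetRegisters.Dr1);
		printf("Dr2 %p\n", pkt->ManipulateState64.GetRegisters.Dr2);
		printf("Dr3 %p\n", pkt->ManipulateState64.GetRegisters.Dr3);
		printf("Dr6 %p\n", pkt->ManipulateState64.GetRegisters.Dr6);
		printf("Dr7 %p\n", pkt->ManipulateState64.GetRegisters.Dr7);

		printf("Rax %p\n", pkt->ManipulateState64.GetRegisters.Rax);
		printf("Rcx %p\n", pkt->ManipulateState64.GetRegisters.Rcx);
		printf("Rdx %p\n", pkt->ManipulateState64.GetRegisters.Rdx);
		printf("Rbx %p\n", pkt->ManipulateState64.GetRegisters.Rbx);
		printf("Rsp %p\n", pkt->ManipulateState64.GetRegisters.Rsp);
		printf("Rbp %p\n", pkt->ManipulateState64.GetRegisters.Rbp);
		printf("Rsi %p\n", pkt->ManipulateState64.GetRegisters.Rsi);
		printf("Rdi %p\n", pkt->ManipulateState64.GetRegisters.Rdi);
		printf("R8 %p\n", pkt->ManipulateState64.GetRegisters.R8);
		printf("R9 %p\n", pkt->ManipulateState64.GetRegisters.R9);
		printf("R10 %p\n", pkt->ManipulateState64.GetRegisters.R10);
		printf("R11 %p\n", pkt->ManipulateState64.GetRegisters.R11);
		printf("R12 %p\n", pkt->ManipulateState64.GetRegisters.R12);
		printf("R13 %p\n", pkt->ManipulateState64.GetRegisters.R13);
		printf("R14 %p\n", pkt->ManipulateState64.GetRegisters.R14);
		printf("R15 %p\n", pkt->ManipulateState64.GetRegisters.R15);

		printf("Rip %p\n", pkt->ManipulateState64.GetRegisters.Rip);

		/* 122 entries in the original; never read more than the packet holds. */
		if (ndata > 122)
			ndata = 122;
		for (size_t i = 0; i < ndata; i++){
			printf("tmpKDRespPkt->ManipulateState64.GetRegisters.DATA[%d] = 0x%p;\n", (int)i, pkt->ManipulateState64.GetRegisters.DATA[i]);
		}
	}
}

/*
 * DbgKdContinueApi2: resume with a control set. The original printed the two
 * status words with "%08" — no conversion character, which is undefined
 * behaviour in printf. Status values are printed as 32-bit "%08x" elsewhere
 * in this file, so the same is used here.
 */
static void kd_print_continue2(const kd_packet_t *pkt)
{
	printf("\t[DbgKdContinueApi2]\n");
	//TODO
	printf("\tNTSTATUS %08x\n", pkt->ManipulateState64.Continue2.ContinueStatus);
	printf("\tTraceFlag %08x\n", pkt->ManipulateState64.Continue2.ControlSet.TraceFlag);
	printf("\tDr7 %p\n", pkt->ManipulateState64.Continue2.ControlSet.Dr7);
	printf("\tCurrentSymbolStart %p\n", pkt->ManipulateState64.Continue2.ControlSet.CurrentSymbolStart);
	printf("\tCurrentSymbolEnd %p\n", pkt->ManipulateState64.Continue2.ControlSet.CurrentSymbolEnd);
}

/*
 * DbgKdExceptionStateChange (target -> debugger): the break-in report with
 * its exception record and control report. The 64-bit fields were printed
 * with "%016lx"; on Windows `long` is 32 bits, so the arguments are now cast
 * to unsigned long long and printed with "%016llx", which is correct whatever
 * integer width the project's headers give those fields.
 */
static void kd_print_exception_state_change(const kd_packet_t *pkt)
{
	printf("\t[DbgKdExceptionStateChange]\n");
	printf("\tNewState %08x\n", pkt->StateChange.NewState);
	printf("\tProcessorLevel %04x\n", pkt->StateChange.ProcessorLevel);
	printf("\tProcessor %04x\n", pkt->StateChange.Processor);
	printf("\tNumberProcessors %08x\n", pkt->StateChange.NumberProcessors);
	printf("\tThread %p\n", pkt->StateChange.Thread);
	printf("\tProgramCounter %p\n", pkt->StateChange.ProgramCounter);

	//TODO: printExceptionRecord
	printf("ExceptionCode %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionCode);
	printf("ExceptionFlags %08x\n", pkt->StateChange.Exception.ExceptionRecord.ExceptionFlags);
	printf("ExceptionRecord %016llx\n", (unsigned long long)pkt->StateChange.Exception.ExceptionRecord.ExceptionRecord);
	printf("ExceptionAddress %016llx\n", (unsigned long long)pkt->StateChange.Exception.ExceptionRecord.ExceptionAddress);
	printf("NumberParameters %08x\n", pkt->StateChange.Exception.ExceptionRecord.NumberParameters);
	printf("u1 %08x\n", pkt->StateChange.Exception.ExceptionRecord.u1);
	for (int i = 0; i < EXCEPTION_MAXIMUM_PARAMETERS; i++){
		printf("ExceptionInformation[%d] %016llx\n", i, (unsigned long long)pkt->StateChange.Exception.ExceptionRecord.ExceptionInformation[i]);
	}
	printf("FirstChance %08x\n", pkt->StateChange.Exception.FirstChance);

	printf("\tDR6 %016llx\n", (unsigned long long)pkt->StateChange.ControlReport.Dr6);
	printf("\tDR7 %016llx\n", (unsigned long long)pkt->StateChange.ControlReport.Dr7);
	printf("\tEFlags %08x\n", pkt->StateChange.ControlReport.EFlags);
	printf("\tInstructionCount %04x\n", pkt->StateChange.ControlReport.InstructionCount);
	printf("\tReportFlags %04x\n", pkt->StateChange.ControlReport.ReportFlags);
	/* InstructionStream holds at most DBGKD_MAXSTREAM bytes; InstructionCount is peer-supplied. */
	for (int i = 0; i < min(DBGKD_MAXSTREAM, pkt->StateChange.ControlReport.InstructionCount); i++){
		printf("\tInstructionStream[%d] %02x\n", i, pkt->StateChange.ControlReport.InstructionStream[i]);
	}
	printf("\tSegCs %04x\n", pkt->StateChange.ControlReport.SegCs);
	printf("\tSegDs %04x\n", pkt->StateChange.ControlReport.SegDs);
	printf("\tSegEs %04x\n", pkt->StateChange.ControlReport.SegEs);
	printf("\tSegFs %04x\n", pkt->StateChange.ControlReport.SegFs);
}

/* DbgKdQueryMemoryApi: address, address space and flags being queried. */
static void kd_print_query_memory(const kd_packet_t *pkt)
{
	printf("\t[DbgKdQueryMemoryApi]\n");
	printf("\tAddress 0x%p\n", pkt->ManipulateState64.QueryMemory.Address);
	printf("\tReserved 0x%p\n", pkt->ManipulateState64.QueryMemory.Reserved);
	printf("\tAddressSpace 0x%08X\n", pkt->ManipulateState64.QueryMemory.AddressSpace);
	printf("\tFlags 0x%08X\n", pkt->ManipulateState64.QueryMemory.Flags);
}

/*
 * Dump one KD packet to stdout: the raw bytes, the 16-byte header, then the
 * payload decoded according to ApiNumber (only the APIs listed in the switch
 * are decoded; anything else prints [UNKNOWN] and continues).
 *
 * pkt must point at a buffer holding the whole packet — header plus
 * pkt->length payload bytes — because the raw dump reads exactly that much.
 * Peer-supplied byte counts inside the payload (TransferCount, embedded
 * structs, the DATA[] array) are clamped to the bytes actually received
 * before being dumped, so a malformed or truncated packet cannot make the
 * dumper read past the buffer. The checksum is recomputed and flagged when
 * it does not match the one in the header.
 * Always returns true; the value carries no information today.
 */
bool ParseKDPkt(kd_packet_t* pkt){
	unsigned int computed = ChecksumKD(pkt);

	printf("------------RAW--------------\n");
	dumpHexData((char*)pkt, pkt->length + 16);
	printf("-----------------------------\n");
	printf("---------KD_HEADER-----------\n");
	printf("Leader: %08x\n", pkt->leader);
	printf("PacketType: %04x\n", pkt->type);
	printf("DataSize: %d\n", pkt->length);
	printf("PacketID: %08x\n", pkt->id);
	printf("Checksum: %08x\n", pkt->checksum);
	printf("Checksum(check): %08x%s\n", computed, computed == pkt->checksum ? "" : "  <-- MISMATCH");
	if (pkt->length > 0){
		printf("\t---------KD_CONTENT-----------\n");
		printf("\tApiNumber %08x\n", pkt->ApiNumber);
		if (pkt->type == KD_PACKET_TYPE_MANIP){
			/* Original dumped length-12 bytes; keep that count but never go past the packet. */
			size_t body = pkt->length > 12 ? (size_t)(pkt->length - 12) : 0;
			size_t avail = kd_avail(pkt, pkt->ManipulateState64.data);

			printf("\t\t---------KD_MANIP-----------\n");
			printf("\t\tProcessorLevel: %04x\n", pkt->ManipulateState64.ProcessorLevel);
			printf("\t\tProcessor: %04x\n", pkt->ManipulateState64.Processor);
			printf("\t\tReturnStatus: %08x\n", pkt->ManipulateState64.ReturnStatus);
			dumpHexData((char*)pkt->ManipulateState64.data, body < avail ? body : avail);
			printf("\t\t----------------------------\n");
		}
		switch (pkt->ApiNumber){
		case DbgKdGetVersionApi:
			kd_print_get_version(pkt);
			break;
		case DbgKdReadVirtualMemoryApi:
			kd_print_read_memory(pkt, "DbgKdReadVirtualMemoryApi", "TargetBaseAddress");
			break;
		case DbgKdReadPhysicalMemoryApi:
			kd_print_read_memory(pkt, "DbgKdReadPhysicalMemoryApi", "TargetBaseAddress");
			break;
		case DbgKdReadControlSpaceApi:
			//TODO: 0 @KPCR, 1 @KPRCB, 2 @SpecialReagister, 3 @KTHREAD
			kd_print_read_memory(pkt, "DbgKdReadControlSpaceApi", "TargetBaseAddress(index)");
			break;
		case DbgKdWriteControlSpaceApi:
			kd_print_write_control_space(pkt);
			break;
		case DbgKdRestoreBreakPointApi:
			printf("\t[DbgKdRestoreBreakPointApi]\n");
			printf("\tBreakPointHandle %08x\n", pkt->ManipulateState64.RestoreBreakPoint.BreakPointHandle);
			break;
		case DbgKdClearAllInternalBreakpointsApi:
			printf("\t[DbgKdClearAllInternalBreakpointsApi]\n");
			break;
		case DbgKdGetRegister:
			kd_print_get_registers(pkt);
			break;
		case DbgKdSetContextApi: //Go !
			printf("\t[DbgKdSetContextApi]\n");
			//TODO !! Copy KiProcessorBlock[State->Processor]->ProcessorState.ContextFrame;
			break;
		case DbgKdContinueApi:
			printf("\t[DbgKdContinueApi]\n");
			break;
		case DbgKdContinueApi2: //Go !
			kd_print_continue2(pkt);
			break;

			//VM->Windbg
		case DbgKdExceptionStateChange:
			kd_print_exception_state_change(pkt);
			break;
		case DbgKdLoadSymbolsStateChange:
			printf("\t[DbgKdLoadSymbolsStateChange]\n");
			//TODO: decode the payload
			break;
		case DbgKdSwitchProcessor:
			printf("\t[DbgKdSwitchProcessor]\n");
			break;
		case DbgKdQueryMemoryApi:
			kd_print_query_memory(pkt);
			break;
		default:
			/* Unknown ApiNumber: report and keep going; the raw dump above already shows the bytes. */
			printf("\t[UNKNOWN]\n");
			break;
		}
		printf("\t---------KD_CONTENT-----------\n");
	}
	printf("---------KD_HEADER-----------\n");
	printf("\n\n");
	return true;
}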