среда, 25 мая 2016 г.

KiServiceTable from w10 build 14342 x64

In a normal Windows build (for example w10 build 14332) KiServiceTable looks like this:
.rdata:00000001402DE4C0 KiServiceTable  dq offset NtAccessCheck ; DATA XREF: KiInitializeKernel+5EF o
.rdata:00000001402DE4C8        dq offset NtWorkerFactoryWorkerReady
.rdata:00000001402DE4D0        dq offset NtAcceptConnectPort
.rdata:00000001402DE4D8        dq offset NtMapUserPhysicalPagesScatter


And in w10 build 14342 it looks like this:
.rdata:00000001402E1380 KiServiceTable  dd 0DECCCh              ; DATA XREF: KiInitializeKernel+600 o
.rdata:00000001402E1384        dd 0E44ECh
.rdata:00000001402E1388        dd 4E3470h
.rdata:00000001402E138C        db  20h
.rdata:00000001402E138D        db 0AFh ; ï
.rdata:00000001402E138E        db  64h ; d
.rdata:00000001402E138F        db    0


so I had to write an IDC script to convert these offsets back to a normal view:
#include <idc.idc>

// Returns the address used as the PE image base for resolving the 32-bit
// table entries. When the loader created a "HEADER" segment, the lowest
// address in the database is the image base itself; otherwise assume one
// page of headers precedes the first section (a guess, not a value read
// from the PE header).
static get_pe_base()
{
  auto min_ea;
  min_ea = GetLongPrm(INF_MIN_EA);
  if ( SegByName("HEADER") == BADADDR )
  {
    // dirty hack: no header segment, so back up one page
    return min_ea - 0x1000;
  }
  return min_ea;
}

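// Walks KiServiceTable, treating every 4-byte entry as an image-relative
// offset of a system-service routine (entry + image base), and annotates it:
// each entry is turned into a dword, gets a comment with the resolved
// address and its symbol name, and receives a data xref to that address.
// Entries whose resolved address is not loaded in the database are only
// commented and reported, so no xrefs into unmapped memory are created.
// The entry count is read from KiServiceLimit.
static main(void)
{
  auto base, limit, cnt, tab, i, rva, target;
  base = get_pe_base();

  limit = LocByName("KiServiceLimit");
  if ( limit == BADADDR )
  {
    Warn("Cannot find KiServiceLimit");
    return;
  }
  // KiServiceLimit holds the number of entries in KiServiceTable.
  cnt = Dword(limit);
  if ( cnt == 0 || cnt == 0xFFFFFFFF )
  {
    // 0 or an unloaded dword means the symbol does not point at a real limit.
    Warn(sprintf("KiServiceLimit has an unexpected value: %x", cnt));
    return;
  }

  tab = LocByName("KiServiceTable");
  if ( tab == BADADDR )
  {
    Warn("Cannot find KiServiceTable");
    return;
  }

  for ( i = 0; i < cnt; i++, tab = tab + 4 )
  {
    MakeDword(tab);
    rva = Dword(tab);
    target = rva + base;
    if ( !isLoaded(target) )
    {
      // Do not add an xref to an address with no bytes behind it; flag it instead.
      Message("entry %d at %x: target %x is not loaded\n", i, tab, target);
      MakeComm(tab, sprintf("%x (not loaded)", target));
      continue;
    }
    // Name() is empty when the target has no symbol; the address is still shown.
    MakeComm(tab, sprintf("%x %s", target, Name(target)));
    add_dref(tab, target, dr_O);
  }
}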

KiServiceLimit equals 0x1c2 (450 entries)