Thursday, 14 January 2021

using auto-derived state machines

Let's see what we can do with our auto-derived state machines. All source code is in my GitHub repo.

Simple case: KdLocalDebugEnabled

Assume that we want to find the address of KdLocalDebugEnabled. On kernel 18345 its RVA is 37CC18 and it is located in section .data. Run
ldr.exe -se -t 8 -der D:\work\kernel\w10\18346\arm\ntoskrnl.exe 37CC18
to build rules. Option -t sets the number of threads. Results:

found at 0076D850 - KdSystemDebugControl
 ldrb exorted KdDebuggerEnabled
 ldrb
apply return 37CC18, must_be 37CC18

This rule says that we must find the exported function KdSystemDebugControl, wait for the load of the exported symbol KdDebuggerEnabled, and the next load operation will give us the address of KdLocalDebugEnabled.
Now apply this rule to kernel RTM 2004 (with option -T you can specify the files on which to test the rules):
ldr.exe -se -t 8 -der D:\work\kernel\w10\18346\arm\ntoskrnl.exe 37CC18 -T d:\work\kernel\w10\rtm\2004\arm\ntoskrnl.exe
 ldrb exorted KdDebuggerEnabled
 ldrb
Test[0]: C3F639

Let's check this address:
// pubsym <rva 0xc3f639> KdLocalDebugEnabled

Second case: CmpTraceRoutine

IDA Pro shows 106 xrefs in kernel 18345; the RVA is 8A8008. Let's see if a rule for finding this address can be derived automatically:
Run
ldr.exe -se -t 8 -der D:\work\kernel\w10\18346\arm\ntoskrnl.exe 8A8008

Results:
found at 004E4800 - NtClose
 load exported PsInitialSystemProcess
 call_exp RtlMapGenericMask
 load
apply return 8A8008, must_be 8A8008

found at 005F8BE0 in section PAGE
 call_exp memset
 load exported CmKeyObjectType
 const 2001F count 38
 call_exp ObOpenObjectByName
 load exported CmKeyObjectType
 call_exp ObReferenceObjectByHandle
 call_exp ZwClose
 const 70684D43 count 1
 call_exp ExAllocatePoolWithTag
 load
apply return 8A8008, must_be 8A8008

This time we have two rules: one for the exported function NtClose and a second for a non-exported function at RVA 5F8BE0, which is CmpLinkHiveToMaster (I think it was chosen because it contains the unique constant 0x70684D43). Apply all these rules to kernel RTM 2004:

ldr.exe -se -t 8 -der D:\work\kernel\w10\18346\arm\ntoskrnl.exe 8A8008 -T d:\work\kernel\w10\rtm\2004\arm\ntoskrnl.exe

found at 005F8BE0 in section PAGE
 call_exp memset
 load exported CmKeyObjectType
 const 2001F count 38
 call_exp ObOpenObjectByName
 load exported CmKeyObjectType
 call_exp ObReferenceObjectByHandle
 call_exp ZwClose
 const 70684D43 count 1
 call_exp ExAllocatePoolWithTag
 load
Test[0]: 1030008

The second rule worked; check in pdbdump:
// pubsym <rva 0x1030008> CmpTraceRoutine
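To make the rule format from both cases concrete, here is an added example (my own Python, not the author's ldr.exe code) that parses rules exactly as the tool prints them and drives them as a state machine over a constructed, simplified per-function event stream. The event model and the reading of `count` as an occurrence fingerprint of the function are my assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str          # "load", "call" or "const"
    name: str = ""     # exported symbol for load/call; "" for an unnamed load
    value: int = 0     # immediate for "const"; RVA the load resolves to for "load"

def parse_rule(text):
    """Turn the rule lines printed by the tool into (op, arg, count) steps;
    the word after load/ldrb ("exported", or "exorted" as printed) is skipped."""
    steps = []
    for line in text.strip().splitlines():
        p = line.split()
        if p[0] in ("load", "ldrb"):
            steps.append(("load", p[2] if len(p) > 2 else "", 1))
        elif p[0] == "call_exp":
            steps.append(("call", p[1], 1))
        elif p[0] == "const":
            steps.append(("const", int(p[1], 16), int(p[3])))
        else:
            raise ValueError("unknown rule op: " + p[0])
    return steps

def apply_rule(steps, events):
    """Drive the state machine over one function's event stream; return the RVA
    of the unnamed load reached after all earlier steps matched in order, else None."""
    consts = Counter(e.value for e in events if e.kind == "const")
    if any(op == "const" and consts[arg] != n for op, arg, n in steps):
        return None  # assumption: 'count' fingerprints how often the immediate occurs
    i = 0
    for ev in events:
        if i == len(steps):      # rule without a terminal load: nothing to return
            break
        op, arg, _ = steps[i]
        if op == "load" and ev.kind == "load":
            if not arg:          # terminal step: this load is the answer
                return ev.value
            i += int(ev.name == arg)
        elif op == "call" and ev.kind == "call" and ev.name == arg:
            i += 1
        elif op == "const" and ev.kind == "const" and ev.value == arg:
            i += 1
    return None

# Constructed stand-in for KdSystemDebugControl (RVAs made up): the unrelated load before the anchor is skipped.
KD_RULE = "ldrb exorted KdDebuggerEnabled\nldrb"
KD_EVENTS = [Event("load", "", 0x100000), Event("load", "KdDebuggerEnabled", 0x37CC00),
             Event("load", "", 0x37CC18)]
```

`apply_rule(parse_rule(KD_RULE), KD_EVENTS)` returns 0x37CC18; a stream that ends before the second load returns None.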
