Crash dumps and KeCapturePersistentThreadState

    Here is a very interesting undocumented function exported by the kernel. It is not referenced anywhere inside the kernel itself, but it does a very interesting thing: it writes a complete minidump of the current moment into the piece of memory you pass it.
    Very useful, given that the dump contains the addresses of non-exported structures such as PsLoadedModuleList, which can come in handy.
    Thanks to Freeman for the help)
    Input parameters:
    Context - the current context (it can be arbitrary, you only need to fill in EIP & ESP).
    Thread - the current thread. You can pass NULL, in which case the function takes the current thread itself.
    BugCheckCode, BugCheckParameterX - the bug check code and its arguments, which the function writes into the dump.

    ULONG
    NTAPI
    KeCapturePersistentThreadState(
        PCONTEXT Context,            // context to record; only EIP & ESP need to be filled in
        PKTHREAD Thread,             // thread to record; NULL means the current thread
        ULONG    BugCheckCode,       // stored in the dump header as the bug check code
        ULONG    BugCheckParameter1, // stored in the dump header
        ULONG    BugCheckParameter2,
        ULONG    BugCheckParameter3,
        ULONG    BugCheckParameter4,
        PVOID    VirtualAddress      // caller-allocated buffer, 16 pages (64 KB)
        );

    VirtualAddress - the address of a buffer of 16 allocated pages (64 KB) into which the function writes the neatly prepared crash dump.

    Example:

    Using the function: www.everfall.com/paste/id.php?mkgmkfg1a057
    The code obtains a dump, prints the addresses of MmPfnDatabase, PsActiveProcessHead and PsLoadedModuleList, and writes the dump to disk. You can safely load the dump into WinDbg and study it. All in all, a very interesting thing... I will have to rewrite my gr8lkd (http://gr8lkd.googlecode.com/) using this function.

    Dump header:
    typedef struct _DUMP_HEADER {
    /* 00 */ ULONG       Signature;
    /* 04 */ ULONG       ValidDump;
    /* 08 */ ULONG       MajorVersion;
    /* 0c */ ULONG       MinorVersion;
    /* 10 */ ULONG       DirectoryTableBase;
    /* 14 */ PULONG      PfnDataBase;
    /* 18 */ PLIST_ENTRY PsLoadedModuleList;
    /* 1c */ PLIST_ENTRY PsActiveProcessHead;
    /* 20 */ ULONG       MachineImageType;
    /* 24 */ ULONG       NumberProcessors;
    /* 28 */ ULONG       BugCheckCode;
    /* 2c */ ULONG       BugCheckParameter1;
    /* 30 */ ULONG       BugCheckParameter2;
    /* 34 */ ULONG       BugCheckParameter3;
    /* 38 */ ULONG       BugCheckParameter4;
    /* 3c */ CHAR        VersionUser[32];
    /* 5c */ UCHAR       PaeEnabled;
    /* 5d */ UCHAR       NotUsed[3];
    /* 60 */ PVOID       KdDebuggerDataBlock;
    } DUMP_HEADER, *PDUMP_HEADER;
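The struct above is the 32-bit (x86) layout, so the offsets only hold when every pointer is 4 bytes wide. Below is an added example, not code from the original post or from gr8lkd: a user-mode parser that reads such a header out of a raw buffer (the 64 KB region passed as VirtualAddress, or the first 0x64 bytes of a dump file), checks the standard "PAGE"/"DUMP" magic of a 32-bit crash dump header before trusting anything else, and pulls out the PsLoadedModuleList, PsActiveProcessHead, MmPfnDatabase and KdDebuggerDataBlock pointers the way a forensic or live-kernel-debugger tool would. The field types are fixed to uint32_t so the struct keeps the listed offsets even when compiled on a 64-bit host. The sample header it builds is constructed for this example; its addresses are made up, not taken from a real machine.

```c
/* Added example (not from the original post): parse the 32-bit DUMP_HEADER
 * layout from a raw buffer and validate its magic before using its pointers.
 * All field widths are fixed to the x86 layout (4-byte pointers), so the
 * struct matches the listed offsets on any host. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard magic of a 32-bit crash dump header, read as little-endian. */
#define DUMP_SIGNATURE_32 0x45474150u /* "PAGE" */
#define DUMP_VALIDDUMP_32 0x504D5544u /* "DUMP" */

typedef struct dump_header32 {
    uint32_t Signature;           /* 00 */
    uint32_t ValidDump;           /* 04 */
    uint32_t MajorVersion;        /* 08 */
    uint32_t MinorVersion;        /* 0c */
    uint32_t DirectoryTableBase;  /* 10 */
    uint32_t PfnDataBase;         /* 14  PULONG on x86 */
    uint32_t PsLoadedModuleList;  /* 18  PLIST_ENTRY on x86 */
    uint32_t PsActiveProcessHead; /* 1c  PLIST_ENTRY on x86 */
    uint32_t MachineImageType;    /* 20 */
    uint32_t NumberProcessors;    /* 24 */
    uint32_t BugCheckCode;        /* 28 */
    uint32_t BugCheckParameter1;  /* 2c */
    uint32_t BugCheckParameter2;  /* 30 */
    uint32_t BugCheckParameter3;  /* 34 */
    uint32_t BugCheckParameter4;  /* 38 */
    char     VersionUser[32];     /* 3c */
    uint8_t  PaeEnabled;          /* 5c */
    uint8_t  NotUsed[3];          /* 5d */
    uint32_t KdDebuggerDataBlock; /* 60 */
} dump_header32;                  /* sizeof == 0x64, no padding */

/* Returns 0 on success, -1 if the buffer is too short, -2 on bad magic.
 * memcpy avoids making alignment assumptions about the source buffer. */
int parse_dump_header32(const uint8_t *buf, size_t len, dump_header32 *out)
{
    if (buf == NULL || out == NULL || len < sizeof(*out))
        return -1;
    memcpy(out, buf, sizeof(*out));
    if (out->Signature != DUMP_SIGNATURE_32 || out->ValidDump != DUMP_VALIDDUMP_32)
        return -2;
    return 0;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a constructed sample header byte by byte (little-endian), so the
 * input does not depend on the host's own struct layout. Returns bytes written. */
size_t build_sample_header(uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 0x64) return 0;
    memset(buf, 0, 0x64);
    put32(buf + 0x00, DUMP_SIGNATURE_32);
    put32(buf + 0x04, DUMP_VALIDDUMP_32);
    put32(buf + 0x08, 0xF);        /* MajorVersion: free build */
    put32(buf + 0x0c, 2600);       /* MinorVersion: build number */
    put32(buf + 0x10, 0x00039000); /* DirectoryTableBase (constructed) */
    put32(buf + 0x14, 0x80C00000); /* PfnDataBase (constructed) */
    put32(buf + 0x18, 0x8055A420); /* PsLoadedModuleList (constructed) */
    put32(buf + 0x1c, 0x8055A158); /* PsActiveProcessHead (constructed) */
    put32(buf + 0x20, 0x14c);      /* IMAGE_FILE_MACHINE_I386 */
    put32(buf + 0x24, 1);          /* NumberProcessors */
    put32(buf + 0x28, 0xDEADDEAD); /* BugCheckCode: MANUALLY_INITIATED_CRASH1 */
    memcpy(buf + 0x3c, "example-dump", 12);
    buf[0x5c] = 1;                 /* PaeEnabled */
    put32(buf + 0x60, 0x8054C2E0); /* KdDebuggerDataBlock (constructed) */
    return 0x64;
}

/* Round trip plus the two failure paths; returns 1 if everything behaves. */
int self_check(void)
{
    uint8_t buf[0x64];
    dump_header32 h;
    if (build_sample_header(buf, sizeof buf) != 0x64) return 0;
    if (parse_dump_header32(buf, sizeof buf, &h) != 0) return 0;
    if (h.PsLoadedModuleList != 0x8055A420u || h.PsActiveProcessHead != 0x8055A158u) return 0;
    if (h.PfnDataBase != 0x80C00000u || h.KdDebuggerDataBlock != 0x8054C2E0u) return 0;
    if (h.BugCheckCode != 0xDEADDEADu || h.PaeEnabled != 1 || h.MachineImageType != 0x14c) return 0;
    if (parse_dump_header32(buf, 0x10, &h) != -1) return 0;  /* truncated buffer */
    buf[4] ^= 0xFF;                                           /* corrupt ValidDump */
    if (parse_dump_header32(buf, sizeof buf, &h) != -2) return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[0x64];
    dump_header32 h;
    build_sample_header(buf, sizeof buf);
    if (parse_dump_header32(buf, sizeof buf, &h) != 0) {
        fprintf(stderr, "not a 32-bit dump header\n");
        return 1;
    }
    printf("PsLoadedModuleList  = 0x%08" PRIX32 "\n", h.PsLoadedModuleList);
    printf("PsActiveProcessHead = 0x%08" PRIX32 "\n", h.PsActiveProcessHead);
    printf("MmPfnDatabase       = 0x%08" PRIX32 "\n", h.PfnDataBase);
    printf("KdDebuggerDataBlock = 0x%08" PRIX32 "\n", h.KdDebuggerDataBlock);
    printf("BugCheckCode        = 0x%08" PRIX32 " (%s)\n", h.BugCheckCode, h.VersionUser);
    return self_check() ? 0 : 1;
}
```

The magic check matters in practice: a buffer that was never filled, or a 64-bit dump (whose header starts with "PAGEDU64" and uses 8-byte pointers at different offsets), would otherwise yield garbage addresses that a tool might then dereference.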
