Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure. Useful while working on Kernel-Mode SEH-based exploitation.
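$$
$$ kernel_dump_seh.wds
$$ Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure.
$$ Useful while working on Kernel-Mode SEH-based exploitation (e.g. during GS cookies bypass).
$$
$$ Usage:
$$ $$><C:\kernel_dump_seh.wds
$$
$$ Mariusz B., '17
$$
$$ Assumptions: a 32-bit (x86) kernel target where FS addresses the KPCR, i.e.
$$ selector 0x30, 32-bit GDT descriptor layout, 4-byte pointers and the
$$ 0xffffffff chain terminator. Aliases created with aS stay defined in the
$$ debugger session after the script finishes (remove them with ad if needed).
$$ Output: one line per record (index, Next, Handler), then either the
$$ end-of-list marker or a note that the chain became unreadable.
.block
{
    $$ Friendly names for the pseudo-registers used below.
    aS FS @$t0;
    aS GDT_FS @$t1;
    aS KPCR @$t5;
    aS NextPtr @$t6;
    aS cnt @$t7;
    $$ FS register's selector (KGDT_R0_PCR on x86 kernels).
    r ${FS} = 0x30;
    $$ @gdtr is the GDT base, so this is the address of the 8-byte FS descriptor.
    r ${GDT_FS} = (@gdtr + ${FS});
    $$ Getting FS register's base bytes out from GDT.
    $$ Descriptor layout: bytes 2-3 = base[15:0], byte 4 = base[23:16], byte 7 = base[31:24].
    r $t2 = wo(${GDT_FS} + 2);
    r $t3 = by(${GDT_FS} + 4);
    r $t4 = by(${GDT_FS} + 7);
    $$ Construct full FS selector's base address.
    $$ /x stores the hex value of the expression, so KPCR is usable as a constant below.
    aS /x KPCR @@c++((@$t2) | (@$t3 << 16) | (@$t4 << 24));
    $$ KPCR starts with NtTib, whose first DWORD is the ExceptionList head.
    r? ${NextPtr} = (nt!_EXCEPTION_REGISTRATION_RECORD*)(*(unsigned long*)(${KPCR}));
    .printf "KPCR. = 0x%p\n", ${KPCR};
    .printf "KPCR.NtTib.ExceptionList = 0x%p\n\n", ${NextPtr};
    r ${cnt} = 0;
    $$ Hard cap of 30 records bounds the walk so a cyclic or corrupted chain cannot loop forever.
    .while (${cnt} < 30)
    {
        $$ Stop when the record (Next + Handler = 8 bytes) is not readable memory.
        .if ($vvalid(${NextPtr}, 8) != 1)
        {
            .printf "\t^-- Broken Handler.\n";
            .break;
        }
        $$ 0xffffffff (EXCEPTION_CHAIN_END) terminates the chain.
        .if (@@c++(${NextPtr}->Next) == 0xffffffff)
        {
            .printf "%02d. Reached end of SEH list.\n", ${cnt};
            .break;
        }
        $$ Print the current record, then advance to the next one.
        .printf "SEH[%02d]: Next: 0x%p, Handler: 0x%p\n", ${cnt}, @@c++(${NextPtr}->Next), @@c++(${NextPtr}->Handler);
        r ${cnt} = ${cnt} + 1;
        r? ${NextPtr} = @@c++(${NextPtr}->Next);
    }
}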