mgeeky/kernel_dump_seh.wds

## kernel_dump_seh.wds
$$
$$ kernel_dump_seh.wds
$$    Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure.
$$    Useful while working on Kernel-Mode SEH-based exploitation (e.g. during GS cookies bypass).
$$
$$ Usage:
$$    $$><C:\kernel_dump_seh.wds
$$
$$ Mariusz B., '17
$$

.block
{
	aS FS 		@$t0;
	aS GDT_FS 	@$t1;
	aS KPCR 	@$t5;
	aS NextPtr 	@$t6;
	aS cnt 		@$t7;

	$$ FS register's selector.
	r ${FS} = 0x30;
	r ${GDT_FS} = (@gdtr + ${FS});

	$$ Getting FS register's base bytes out from GDT
	r $t2 = wo(${GDT_FS} + 2);
	r $t3 = by(${GDT_FS} + 4);
	r $t4 = by(${GDT_FS} + 7);

	$$ Construct full FS selector's base address
	aS /x KPCR @@c++((@$t2) | (@$t3 << 16) | (@$t4 << 24));

	r? ${NextPtr} = (nt!_EXCEPTION_REGISTRATION_RECORD*)(*(unsigned long*)(${KPCR}));

	.printf "KPCR. = 0x%p\n", ${KPCR};
	.printf "KPCR.NtTib.ExceptionList = 0x%p\n\n", ${NextPtr};

	r ${cnt} = 0;

	.while (${cnt} < 30)
	{
		.if ($vvalid(${NextPtr}, 8) != 1)
		{
			.printf "\t^-- Broken Handler.\n"
			.break;
		}

		.if (@@c++(${NextPtr}->Next) == 0xffffffff)
		{
			.printf "%02d. Reached end of SEH list.", ${cnt};
			.break;
		}

		.printf "SEH[%02d]: Next: 0x%p, Handler: 0x%p\n", ${cnt}, @@c++(${NextPtr}->Next), @@c++(${NextPtr}->Handler);

		r ${cnt} = ${cnt} + 1;
		r? ${NextPtr} = @@c++(${NextPtr}->Next);
	}
}
	$$
	$$ kernel_dump_seh.wds
	$$ Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure.
	$$ Useful while working on Kernel-Mode SEH-based exploitation (e.g. during GS cookies bypass).
	$$
	$$ Usage:
	$$ $$><C:\kernel_dump_seh.wds
	$$
	$$ Mariusz B., '17
	$$

	.block
	{
	aS FS @$t0;
	aS GDT_FS @$t1;
	aS KPCR @$t5;
	aS NextPtr @$t6;
	aS cnt @$t7;

	$$ FS register's selector.
	r ${FS} = 0x30;
	r ${GDT_FS} = (@gdtr + ${FS});

	$$ Getting FS register's base bytes out from GDT
	r $t2 = wo(${GDT_FS} + 2);
	r $t3 = by(${GDT_FS} + 4);
	r $t4 = by(${GDT_FS} + 7);

	$$ Construct full FS selector's base address
	aS /x KPCR @@c++((@$t2) \| (@$t3 << 16) \| (@$t4 << 24));

	r? ${NextPtr} = (nt!_EXCEPTION_REGISTRATION_RECORD)((unsigned long*)(${KPCR}));

	.printf "KPCR. = 0x%p\n", ${KPCR};
	.printf "KPCR.NtTib.ExceptionList = 0x%p\n\n", ${NextPtr};

	r ${cnt} = 0;

	.while (${cnt} < 30)
	{
	.if ($vvalid(${NextPtr}, 8) != 1)
	{
	.printf "\t^-- Broken Handler.\n"
	.break;
	}

	.if (@@c++(${NextPtr}->Next) == 0xffffffff)
	{
	.printf "%02d. Reached end of SEH list.", ${cnt};
	.break;
	}

	.printf "SEH[%02d]: Next: 0x%p, Handler: 0x%p\n", ${cnt}, @@c++(${NextPtr}->Next), @@c++(${NextPtr}->Handler);

	r ${cnt} = ${cnt} + 1;
	r? ${NextPtr} = @@c++(${NextPtr}->Next);
	}
	}