Add highlighting for a modified table entry

AndreyBazhan · Jun 27, 2015 · daf85a4 · daf85a4
1 parent a5ac67d
commit daf85a4
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 7 deletions.
diff --git a/KD/dllmain.cpp b/KD/dllmain.cpp
@@ -9,7 +9,7 @@ Copyright (c) Andrey Bazhan
 
 PDEBUG_CONTROL DebugControl;
 PDEBUG_SYMBOLS DebugSymbols;
-PDEBUG_DATA_SPACES DebugDataSpaces;
+PDEBUG_DATA_SPACES4 DebugDataSpaces;
 PDEBUG_REGISTERS DebugRegisters;
 
 

diff --git a/KD/dllmain.h b/KD/dllmain.h
@@ -5,7 +5,7 @@
 
 extern PDEBUG_CONTROL DebugControl;
 extern PDEBUG_SYMBOLS DebugSymbols;
-extern PDEBUG_DATA_SPACES DebugDataSpaces;
+extern PDEBUG_DATA_SPACES4 DebugDataSpaces;
 extern PDEBUG_REGISTERS DebugRegisters;
 
 

diff --git a/KD/st.cpp b/KD/st.cpp
@@ -41,13 +41,17 @@ Return Value:
  ULONG64 KeServiceDescriptorTable;
  ULONG64 KiServiceLimit;
  ULONG64 ServiceTableBase;
- ULONG Limit;
  ULONG64 Address;
  ULONG64 ServiceAddress;
+ ULONG64 PsNtosImageBase;
+ ULONG64 NtosImageBase;
+ ULONG64 NtosImageEnd;
+ ULONG Limit;
  ULONG i;
  LONG Offset;
  ULONG BytesRead;
  CHAR ServiceName[MAX_PATH];
+ IMAGE_NT_HEADERS64 ImageNtHeaders;
 
  UNREFERENCED_PARAMETER(args);
 
@@ -72,13 +76,13 @@ Return Value:
 
  if ((Status = DebugSymbols->GetOffsetByName("nt!KeServiceDescriptorTable", &KeServiceDescriptorTable)) != S_OK) {
 
- DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read nt!KeServiceDescriptorTable.\n");
+ DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read offset of the nt!KeServiceDescriptorTable.\n");
  __leave;
  }
 
  if ((Status = DebugSymbols->GetOffsetByName("nt!KiServiceLimit", &KiServiceLimit)) != S_OK) {
 
- DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read nt!KiServiceLimit.\n");
+ DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read offset of the nt!KiServiceLimit.\n");
  __leave;
  }
 
@@ -94,6 +98,26 @@ Return Value:
  __leave;
  }
 
+ if ((Status = DebugSymbols->GetOffsetByName("nt!PsNtosImageBase", &PsNtosImageBase)) != S_OK) {
+
+ DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read offset of the nt!PsNtosImageBase.\n");
+ __leave;
+ }
+
+ if (DebugDataSpaces->ReadPointersVirtual(1, PsNtosImageBase, &NtosImageBase) != S_OK) {
+
+ DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read nt!PsNtosImageBase.\n");
+ __leave;
+ }
+
+ if (DebugDataSpaces->ReadImageNtHeaders(NtosImageBase, &ImageNtHeaders) != S_OK) {
+
+ DebugControl->Output(DEBUG_OUTPUT_NORMAL, "Couldn't read nt image headers.\n");
+ __leave;
+ }
+
+ NtosImageEnd = NtosImageBase + ImageNtHeaders.OptionalHeader.SizeOfImage;
+
  Address = ServiceTableBase;
 
  DebugControl->Output(DEBUG_OUTPUT_NORMAL, "\n");
@@ -112,7 +136,12 @@ Return Value:
 
  DebugSymbols->GetNameByOffset(ServiceAddress, (PSTR)ServiceName, _countof(ServiceName), &BytesRead, NULL);
 
- DebugControl->Output(DEBUG_OUTPUT_NORMAL, "%03lx:\t%p\t%s\n", i, ServiceAddress, ServiceName);
+ DebugControl->ControlledOutput(DEBUG_OUTCTL_DML,
+ DEBUG_OUTPUT_NORMAL,
+ (ServiceAddress >= NtosImageBase && ServiceAddress < NtosImageEnd) ? "%03lx:\t%p\t%s\n" : "%03lx:<col fg=\"changed\">\t%p\t%s</col>\n",
+ i,
+ ServiceAddress,
+ ServiceName);
  }
  }
  else if (IMAGE_FILE_MACHINE_AMD64 == ProcessorType) {
@@ -140,7 +169,12 @@ Return Value:
 
  DebugSymbols->GetNameByOffset(ServiceAddress, (PSTR)ServiceName, _countof(ServiceName), &BytesRead, NULL);
 
- DebugControl->Output(DEBUG_OUTPUT_NORMAL, "%03lx:\t%p\t%s\n", i, ServiceAddress, ServiceName);
+ DebugControl->ControlledOutput(DEBUG_OUTCTL_DML,
+ DEBUG_OUTPUT_NORMAL,
+ (ServiceAddress >= NtosImageBase && ServiceAddress < NtosImageEnd) ? "%03lx:\t%p\t%s\n" : "%03lx:<col fg=\"changed\">\t%p\t%s</col>\n",
+ i,
+ ServiceAddress,
+ ServiceName);
  }
  }