Posts published in “Kernel Mode”

Inside Windows Page Frame Number (PFN) – Part 2

Sinaei 0

Hey there, in the previous part I explained the Page Frame Number and its importance in OS architecture. In this part, I'll trace the PFN more practically. I strongly recommend reading the first part to make sure you haven't missed any of the basic concepts. As I described in the previous part, the PFN database is located at nt!MmPFNDatabase; in previous versions of Windows (<Windows 10) it was statically located at 0xFFFFFA8000000000, but in Windows 10 it's subject to ASLR.…

Inside Windows Page Frame Number (PFN) – Part 1

Sinaei 0

Introduction (Page Frame Number) Windows and almost all OSs use a Page Frame Number database to keep track of virtually allocated pages: which page must be freed or evicted, whether a page needs to be cached, and so on. All of this is managed through a list called the Page Frame Number (PFN) database, a long list describing the state of every physically and virtually allocated page and its corresponding attributes. In the rest…

PyKD Tutorial – part 2

Sinaei 0

The content of this post is the second part of the PyKD Tutorials, so make sure to read the first part before continuing with this one. Breakpoints Breakpoints are very useful and, with PyKD, let you analyze programs in a better and easier way. In the API Reference, the setBp function is introduced in the following way. As you can see, setBp takes a pointer as its first argument and a Python function as the second…

PyKD Tutorial – part 1

Sinaei 0

Using WinDbg script syntax is so annoying that almost all reverse engineers have problems dealing with it, but automating debugging gives a power that can't be easily ignored. A good solution to this problem is to combine the power and simplicity of Python with WinDbg. As you may know, WinDbg also supports C-like binaries as extensions, so there is a praiseworthy tool called PyKD which does the hard work and connects Python and WinDbg together in a straight and usable…

A partial survey among non-general purpose registers

Sinaei 0

Hi guys, in the past few days I was searching about non-general purpose registers, then I saw the following pictures, which gave me the idea of posting about non-general purpose registers. These pieces of information might have some faults because of my misunderstanding of some of them; if you see any fault, please tell me in the comments! You can also download the PDF version of the above picture here! I don't know if there are other…