Press "Enter" to skip to content

Posts published in “Kernel Mode”

Inside Windows Page Frame Number (PFN) – Part 1

Sinaei 0

Introduction (Page Frame Number) Windows and almost all the OSs use Page Frame Number Database in order to have a track of virtually allocated pages to know which page must be freed or evicted or if a page needs to be cached and etc. All of these kinds of stuff manages through a list, called Page Frame Number (PFN). A long list of explanation about the states of every physically and virtually allocated pages and its corresponding attributes. In the rest…

PyKD Tutorial – part 2

Sinaei 0

The content of this post is the second part of PyKD Tutorials, so make sure to read this topic first, then continue reading this topic. Breakpoints Breakpoints are such useful things and can give you the power of analyzing programs in a better and easier way by using PyKD. In the API Reference they introduce setBp function in the following way : [crayon-5c99feda4eb1e523426250/] As you can see, setBp can give a pointer as its first argument and a python function as the second…

PyKD Tutorial – part 1

Sinaei 0

Using windbg script syntax is such annoying thing that almost all reverse engineers have problems dealing with it but automating debugging gives such a power that can’t be easily ignored. A good solution to solve this problem is using the power and simplicity of Python and Windbg together. If you aware, Windbg also supports c-like binaries as extensions so there is a praiseworthy tool called PyKD which does the hard thing and connects Python and Windbg together in a straight and usable…

A partial survey among non-general purpose registers

Sinaei 0

Hi guys, In the past few days, I was searching about non-general purpose register then I saw the following pictures that give me a new idea of posting about the non-general purpose registers. These pieces of information might have some fault because of my misunderstandings about some of them, if you see any fault then please tell me in the comments! You can also download the PDF version of the above picture here! I don’t know if there are other…

Assembly Challenge : Jump to a non-relative address without using registers

Sinaei 0

During developing a dispatch table for some instructions in binaries, one of the challenging problem which I faced, was changing the registers state in a way that doesn’t affect the program flow! So it might seem simple at first glance but what makes it complex is that I can’t use relative jumps or relative calls because, in some situation, I might be far away from .text segment of my binary. It causes me to explore the solutions about far jumps…