Driver: fixed debugger block initialization

DarthTon · DarthTon · commit f0b9bc97b153 · 2019-03-06T02:16:13.000+02:00
diff --git a/src/BlackBoneDrv/BlackBoneDrv.c b/src/BlackBoneDrv/BlackBoneDrv.c
@@ -453,16 +453,22 @@ NTSTATUS BBInitDynamicData( IN OUT PDYNAMIC_DATA pData )
         if (pData->ExRemoveTable != 0)
             pData->correctBuild = TRUE;
 
-        DPRINT( "BlackBone: Dynamic search status: SSDT - %s, ExRemoveTable - %s\n",
+        DPRINT( 
+            "BlackBone: Dynamic search status: SSDT - %s, ExRemoveTable - %s\n",
             GetSSDTBase() != NULL ? "SUCCESS" : "FAIL",
             pData->ExRemoveTable != 0 ? "SUCCESS" : "FAIL" 
             );
 
         if (pData->ver >= WINVER_10_RS1)
         {
+            DPRINT( 
+                "BlackBone: %s: g_KdBlock->KernBase: %p, GetKernelBase() = 0x%p \n", 
+                __FUNCTION__, g_KdBlock.KernBase, GetKernelBase( NULL ) 
+                );
+
             ULONGLONG mask = (1ll << (PHYSICAL_ADDRESS_BITS - 1)) - 1;
-            dynData.DYN_PTE_BASE = (ULONG_PTR)g_KdBlock->PteBase;
-            dynData.DYN_PDE_BASE = (ULONG_PTR)((g_KdBlock->PteBase & ~mask) | ((g_KdBlock->PteBase >> 9) & mask));
+            dynData.DYN_PTE_BASE = (ULONG_PTR)g_KdBlock.PteBase;
+            dynData.DYN_PDE_BASE = (ULONG_PTR)((g_KdBlock.PteBase & ~mask) | ((g_KdBlock.PteBase >> 9) & mask));
         }
 
         DPRINT( "BlackBone: PDE_BASE: %p, PTE_BASE: %p\n", pData->DYN_PDE_BASE, pData->DYN_PTE_BASE );
diff --git a/src/BlackBoneDrv/NativeStructs.h b/src/BlackBoneDrv/NativeStructs.h
@@ -962,4 +962,4 @@ C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter3 ) == 0x50 );
 C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter4 ) == 0x58 );
 C_ASSERT( FIELD_OFFSET( DUMP_HEADER, KdDebuggerDataBlock ) == 0x80 );
 
-extern PKDDEBUGGER_DATA64 g_KdBlock;
+extern KDDEBUGGER_DATA64 g_KdBlock;
diff --git a/src/BlackBoneDrv/Private.c b/src/BlackBoneDrv/Private.c
@@ -17,7 +17,7 @@ extern DYNAMIC_DATA dynData;
 PVOID g_KernelBase = NULL;
 ULONG g_KernelSize = 0;
 PSYSTEM_SERVICE_DESCRIPTOR_TABLE g_SSDT = NULL;
-PKDDEBUGGER_DATA64 g_KdBlock = NULL;
+KDDEBUGGER_DATA64 g_KdBlock = {0};
 
 MMPTE ValidKernelPte =
 {
@@ -32,20 +32,19 @@ MMPTE ValidKernelPte =
 /// Initialize debugger block g_KdBlock
 /// </summary>
 VOID InitializeDebuggerBlock()
-{   
+{
     CONTEXT context = { 0 };
     context.ContextFlags = CONTEXT_FULL;
     RtlCaptureContext( &context );
-
-    PDUMP_HEADER pHeader = ExAllocatePool( NonPagedPool, DUMP_BLOCK_SIZE );
-    if (pHeader)
+    
+    PDUMP_HEADER dumpHeader = ExAllocatePool( NonPagedPool, DUMP_BLOCK_SIZE );
+    if (dumpHeader)
     {
-        KeCapturePersistentThreadState( &context, NULL, 0, 0, 0, 0, 0, pHeader );
-        g_KdBlock = pHeader->KdDebuggerDataBlock;
-        ExFreePool( pHeader );
-    }
+        KeCapturePersistentThreadState( &context, NULL, 0, 0, 0, 0, 0, dumpHeader );
+        RtlCopyMemory( &g_KdBlock, (PUCHAR)dumpHeader + KDDEBUGGER_DATA_OFFSET, sizeof( g_KdBlock ) );
 
-    DPRINT( "BlackBone: %s: g_KdBlock = 0x%p\n", __FUNCTION__, g_KdBlock );
+        ExFreePool( dumpHeader );
+    }
 }
 
 /// <summary>
diff --git a/src/BlackBoneDrv/Private.h b/src/BlackBoneDrv/Private.h
@@ -85,6 +85,11 @@
 #define PTE_BASE    0xFFFFF68000000000UI64
 #endif
 
+#ifndef _WIN64
+#define KDDEBUGGER_DATA_OFFSET 0x1068
+#else
+#define KDDEBUGGER_DATA_OFFSET 0x2080
+#endif
 
 #ifndef _WIN64
 #define DUMP_BLOCK_SIZE 0x20000
