MagnetForensics / SwishDbgExt

Incident Response & Digital Forensics Debugging Extension
https://www.comae.com
GNU General Public License v3.0

how different ms_callbacks command compare with k* ? #13

Closed matakk closed 4 years ago

matakk commented 4 years ago

Can this ms_callbacks display more information?

thanks!

msuiche commented 4 years ago

Compared to what? I need more information.

But you can check by yourself here the functions it covers: https://github.com/comaeio/SwishDbgExt/blob/master/SwishDbgExt/SwishDbgExt.cpp#L629

matakk commented 4 years ago

here is my usage:

0:000> kv

ChildEBP RetAddr  Args to Child
00 0034c104 76f4c585 000003d0 000003d0 0034c124 ntdll!ZwGetContextThread+0x12 (FPO: [2,0,0])
01 0034c114 74d91408 000003d0 00000000 0034c2bc KERNELBASE!CloseHandle+0x2d (FPO: [Non-Fpo])
02 0034c124 7194c127 000003d0 07b6c348 0034c940 kernel32!CloseHandleImplementation+0x3f (FPO: [Non-Fpo])
03 0034c2bc 06ed0000 07b6c348 0034c940 0034c424 dbghelp!Win32LiveSystemProvider::OpenMapping+0x1fe (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
04 0034c30c 77463011 098f0138 77462fed 77aa39fe 0x6ed0000
05 0034c3fc 77462be5 00000000 098f0a00 098f0904 ntdll!RtlpFreeHeap+0xbb1 (FPO: [SEH])
06 0034c418 76f4c585 000003f0 000003f0 0034c438 ntdll!RtlFreeHeap+0x142 (FPO: [Non-Fpo])
07 7744fa02 0db80004 33000000 24548dc9 15ff6404 KERNELBASE!CloseHandle+0x2d (FPO: [Non-Fpo])
08 7744fa0a 24548dc9 15ff6404 000000c0 c204c483 0xdb80004
09 7744fa0e 15ff6404 000000c0 c204c483 0eb80014 0x24548dc9
0a 7744fa12 00000000 c204c483 0eb80014 33000000 0x15ff6404
0:000> !ms_callbacks

The command "!ms_callbacks" outputs nothing.

msuiche commented 4 years ago

kv just shows the stack, not the callbacks. They have nothing to do with each other.


0: kd> !load SwishDbgExt.dll
       SwishDbgExt 3.0.20181226.2 - Incident Response & Digital Forensics Debugging Extension
       SwishDbgExt Copyright (C) 2018 Comae Technologies DMCC - www.comae.com
       SwishDbgExt Copyright (C) 2014-2018 Matthieu Suiche (@msuiche)

       This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
       This is free software, and you are welcome to redistribute it
       under certain conditions; type `show c' for details.
0: kd> !ms_callbacks

[*] IopFsNotifyChangeQueueHead:
     Object: 0xFFFFE68DB6D169B0 Driver Object: 0xFFFFB80D3F385D20 Procedure: 0xFFFFF80635118CF0 (FLTMGR!FltpFsNotification) 

[*] PnpProfileNotifyList:
     Object: 0xFFFFE68DB8265D10 Driver Object: 0xFFFFB80D3F6F2DC0 Session: 0x0 Procedure: 0xFFFFF804406A5740 (dxgkrnl!DpiAcpiDockEventCallback) 
     Object: 0xFFFFE68DE8366F10 Driver Object: 0xFFFFB80D456689F0 Session: 0x0 Procedure: 0xFFFFF80486D07AC0 (HDAudBus!HdAudBusProfileChangeCallback) 
     Object: 0xFFFFE68DDA59A4B0 Driver Object: 0xFFFFB80D456689F0 Session: 0x0 Procedure: 0xFFFFF80486D07AC0 (HDAudBus!HdAudBusProfileChangeCallback) 

[*] PspCreateProcessNotifyRoutine:
     Procedure: 0xFFFFF80437F338F0 (nt!ViCreateProcessCallback) 
     Procedure: 0xFFFFF8063536D830 (cng!CngCreateProcessNotifyRoutine) 
     Procedure: 0xFFFFF8043F8E9F40 (WdFilter+0x39f40) 
     Procedure: 0xFFFFF8063579C410 (ksecdd!KsecCreateProcessNotifyRoutine) 
     Procedure: 0xFFFFF80440BD9170 (tcpip!CreateProcessNotifyRoutineEx) 
     Procedure: 0xFFFFF804401FC910 (iorate!IoRateProcessCreateNotify) 
     Procedure: 0xFFFFF806352DEDF0 (CI!I_PEProcessNotify) 
     Procedure: 0xFFFFF8044043A3A0 (dxgkrnl!DxgkProcessNotify) 
     Procedure: 0xFFFFF80443F19B40 (atikmdag+0x89b40) 
     Procedure: 0xFFFFF80441043C90 (peauth+0x43c90) 

[*] PspLoadImageNotifyRoutine:
     Procedure: 0xFFFFF8043F8EA680 (WdFilter+0x3a680) 
     Procedure: 0xFFFFF804397AE980 (ahcache!CitmpLoadImageCallback) 
     Procedure: 0xFFFFF804864D1130 (fortmap+0x1130) 

[*] PspCreateThreadNotifyRoutine:
     Procedure: 0xFFFFF8043F8EAED0 (WdFilter+0x3aed0) 
     Procedure: 0xFFFFF804420E1010 (mmcss!CiThreadNotification) 

[*] CallbackListHead:
     Procedure: 0xFFFFF8043F8DD8F0 (WdFilter+0x2d8f0) 
     Procedure: 0xFFFFF804386A9D60 (nt!VrpRegistryCallback) 

[*] KeBugCheckCallbackListHead:
     Procedure: 0xFFFFF8043FC152B0 (ndis!ndisBugcheckHandler) 
     Procedure: 0xFFFFF8044000B3E0 (fvevol!FveBugcheckHandler) 
     Procedure: 0xFFFFF80437E0F600 (hal!HalpMiscBugCheckCallback) 

[*] KiNmiCallbackListHead:
     Procedure: 0xFFFFF80438117580 (nt!HvlSkCrashdumpCallbackRoutine) 

[*] AlpcpLogCallbackListHead:

[*] EmpCallbackListHead:
     GUID: {BF67CD9D-B8D1-4BED-BFDA-1DEE5963BE6B} Procedure: 0xFFFFF8043817BD60 (nt!PopEmUpdateDeviceConstraintCallback) 
     GUID: {84D99F45-0B07-46CF-BABD-1981C86E3025} Procedure: 0xFFFFF804381865F0 (nt!PopEmModuleAddressMatchCallback) 
     GUID: {13925944-2A6A-4E3C-AC97-37735C19393D} Procedure: 0x0000000000000000 () 
     GUID: {C31600A9-8AED-442C-8013-8903D6E89BF8} Procedure: 0xFFFFF80635634270 (ACPI!ACPIDeviceIdMutiStringMatchCallback) 
     GUID: {33204598-9949-4AD1-B41E-A4A0F705DC12} Procedure: 0xFFFFF80635608E00 (ACPI!ACPIDeviceMatchCallback) 
     GUID: {C2569BEF-5980-4120-8582-9D0774DCF86D} Procedure: 0xFFFFF806355E1F70 (ACPI!ACPINsObjMatchCallback) 
     GUID: {1E66F3D7-0FC9-4829-AA45-C430EA96A434} Procedure: 0xFFFFF8043FEEC330 (pci!PciQueryRuleCallback) 
     GUID: {B9EB207B-E0C8-4C01-A575-49DD7D510B46} Procedure: 0xFFFFF8043FEEC430 (pci!PciSetMpsSizeCallback) 
     GUID: {898A8E39-096C-4A25-87E5-5BB0ED1D6704} Procedure: 0xFFFFF8043FEEC3B0 (pci!PciSetD0DelayCallback) 
     GUID: {F79DE8DC-F3D1-4802-9C4B-6BF742D65FBD} Procedure: 0xFFFFF8043FEEC3F0 (pci!PciSetHackflagsCallback) 
     GUID: {DFBFD6FE-435A-419E-8F2C-9B13A3C04C9E} Procedure: 0xFFFFF8043FED56D0 (pci!PciDeviceMatchCallback) 
     GUID: {D2E7862C-B8FA-4274-9BD1-59BA8DA0A7C2} Procedure: 0xFFFFF804385D4680 (nt!EmCpuMatchCallback) 
     GUID: {59229CA6-17A7-4E11-9EDA-DF0E93D7AF3A} Procedure: 0xFFFFF804386B5990 (nt!EmRemoveBadS3PagesCallback) 
     GUID: {24453286-BDE8-46BC-85D1-1982EDF3E212} Procedure: 0xFFFFF804386B5A00 (nt!EmSystemArchitectureCallback) 
     GUID: {9D991181-C86A-4517-9FE7-32290377B564} Procedure: 0xFFFFF80438510FC0 (nt!ArbPreprocessEntry) 
     GUID: {8026FF68-3BD0-4BA4-A1D4-DE724F781B78} Procedure: 0xFFFFF80438559D50 (nt!EmTrueCallback) 
     GUID: {A380467C-D907-4716-8B9B-17584E34256C} Procedure: 0x0000000000000000 () 
     GUID: {182A2B31-D5B8-45EF-BB6D-646EBAEDD8F1} Procedure: 0xFFFFF804386B5910 (nt!EmMatchDate) 
     GUID: {6F8D0C6D-B6FB-4584-8B34-F39422CFA61A} Procedure: 0x0000000000000000 () 
     GUID: {78BC9E89-552A-4AB8-9231-132E09E235B2} Procedure: 0x0000000000000000 () 
     GUID: {7CD2B230-6CEA-4957-B5D7-CFA977C22B18} Procedure: 0xFFFFF80437E20630 (hal!HalMatchAcpiFADTBootArch) 
     GUID: {BF51DEF4-AC9C-44F3-ADE7-26DD13E756D3} Procedure: 0xFFFFF80437E2D320 (hal!HalMatchAcpiRevision) 
     GUID: {BEAE4D5F-2203-4856-94BB-C772A2C7624A} Procedure: 0xFFFFF80437E2D220 (hal!HalMatchAcpiCreatorRevision) 
     GUID: {7E8FAE0F-7591-4EB6-9554-1D0699873111} Procedure: 0xFFFFF80437E2D2A0 (hal!HalMatchAcpiOemRevision) 
     GUID: {E0E45284-F266-4048-9A5E-7D4007C9C5AB} Procedure: 0xFFFFF80437E21BD0 (hal!HalMatchAcpiOemTableId) 
     GUID: {2960716F-B0D8-41C9-9BB4-EE8BA248F86E} Procedure: 0xFFFFF80437E20200 (hal!HalMatchAcpiOemId) 

[*] Tcpip driver IOCTL dispatch table:
   | IPSEC |  DevObj: 0xFFFFB80D3F77AA70 | IoctlDispatch: 0xFFFFF80440DB58C0 | tcpip!IPSecDispatchDevCtl |  
   |   KFD |  DevObj: 0xFFFFB80D3F77ACA0 | IoctlDispatch: 0xFFFFF80440BEA8C0 | tcpip!KfdDispatchDevCtl |  
   |   ALE |  DevObj: 0xFFFFB80D3F688930 | IoctlDispatch: 0xFFFFF80440C3F160 | tcpip!WfpAleDispatchControl |  
   |  EQOS |  DevObj: 0xFFFFB80D3F688D90 | IoctlDispatch: 0xFFFFF80440DAE8D0 | tcpip!EQoSDispatchControl |  
   |   IDP |  DevObj: 0xFFFFB80D3F688B60 | IoctlDispatch: 0xFFFFF80440DD4270 | tcpip!IdpDispatchIoctl |  
ObjectType @ 0xFFFFB80D3C6AF400 Entry = 0xFFFFE68DB83E0480 Type: Desktop

[*] Desktop (ANSI: Desktop) Object Callbacks:
PreCallback Procedure: 0xFFFFF8043F8E7EF0 (WdFilter+0x37ef0) 
ObjectType @ 0xFFFFB80D3C6AB220 Entry = 0xFFFFE68DB83E0440 Type: Process

[*] Process (ANSI: Process) Object Callbacks:
PreCallback Procedure: 0xFFFFF8043F8E7EF0 (WdFilter+0x37ef0) 

[*] PspSiloMonitorList Callbacks:
     [0x0003] CreateCallback  Procedure: 0xFFFFF806352CACA0 (CI!CiCreateSiloNotification) 
     [0x0005] CreateCallback  Procedure: 0xFFFFF8043FD947A0 (NETIO!NsiContainerCreateCallback) 
     [0x0005] DestroyCallback Procedure: 0xFFFFF8043FD94890 (NETIO!NsiContainerTerminateCallback) 
     [0x0006] CreateCallback  Procedure: 0xFFFFF8043FE67110 (pcw!PcwiSiloCreateNotify) 
     [0x0006] DestroyCallback Procedure: 0xFFFFF8043FE671B0 (pcw!PcwiSiloTerminateNotify) 
     [0x0008] CreateCallback  Procedure: 0xFFFFF8063579F570 (ksecdd!KsecdCreateSiloNotification) 
     [0x0008] DestroyCallback Procedure: 0xFFFFF806357A2BF0 (ksecdd!KsecdTerminateSiloNotification) 
     [0x0009] CreateCallback  Procedure: 0xFFFFF804401DAC30 (mup!MupiContainerCreateNotify) 
     [0x0009] DestroyCallback Procedure: 0xFFFFF804401DAE50 (mup!MupiContainerTerminateNotify) 
     [0x000b] CreateCallback  Procedure: 0xFFFFF804408196A0 (Msfs!MsSiloCreateNotify) 
     [0x000b] DestroyCallback Procedure: 0xFFFFF80440819740 (Msfs!MsSiloTerminateNotify) 
     [0x000c] CreateCallback  Procedure: 0xFFFFF804409277F0 (afd!AfdPodSiloCreateCallback) 
     [0x000c] DestroyCallback Procedure: 0xFFFFF80440930760 (afd!AfdPodSiloTerminateCallback) 
     [0x000d] CreateCallback  Procedure: 0xFFFFF80440F6FC90 (rdbss!RxpSiloCreateNotification) 
     [0x000d] DestroyCallback Procedure: 0xFFFFF80440F70080 (rdbss!RxpSiloTerminateNotification) 
     [0x000e] CreateCallback  Procedure: 0xFFFFF804396D6360 (dfsc!DfscpContainerCreateNotify) 
     [0x000e] DestroyCallback Procedure: 0xFFFFF804396D67C0 (dfsc!DfscpContainerTerminateNotify) 
     [0x0010] CreateCallback  Procedure: 0xFFFFF80438A56A70 (hvsocket!VmbusTlSiloCreateCallback) 
     [0x0010] DestroyCallback Procedure: 0xFFFFF80438A56B10 (hvsocket!VmbusTlSiloTerminateCallback) 
     [0x0012] CreateCallback  Procedure: 0xFFFFF80442026FB0 (HTTP!UxPodSiloCreateCallback) 
     [0x0012] DestroyCallback Procedure: 0xFFFFF80442061230 (HTTP!UxPodSiloTerminateCallback)
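Two practical notes on the output above, followed by an added example that is not part of SwishDbgExt or of this thread. First, every list `!ms_callbacks` walks (PspCreateProcessNotifyRoutine, PspLoadImageNotifyRoutine, CallbackListHead, the object callbacks, and so on) lives in kernel memory, which is why the reply shows a `0: kd>` prompt: the command needs a kernel target (live kernel debugging or a kernel/complete memory dump), not the user-mode `0:000>` session in the question. Second, once you have the output, the interesting entries are the ones the symbol resolver could not fully name: `module+0xoffset` means the driver was found but has no symbols (normal for third-party drivers such as `peauth`, `fortmap` or `atikmdag` above, but worth checking), and a non-zero `Procedure` with an empty `()` means the pointer is not inside any loaded module at all, which is the classic signature of an orphaned or injected callback. The Python script below is my own triage helper: it parses output in the `[*] Section:` / `Procedure: 0x... (symbol)` shape printed above, classifies each entry, and diffs the result against a known-good baseline by symbol rather than by address, because kernel ASLR moves every address on each boot. The `SAMPLE` text, the `BASELINE` set and the unresolved `0xFFFFE68DC0FF1000` entry are constructed for the example; the lines with a `|` table layout (the tcpip IOCTL dispatch table) are deliberately ignored.

```python
"""Triage helper for SwishDbgExt !ms_callbacks output.

Added example: not part of SwishDbgExt and not posted in the thread. Only the
output shape ("[*] Name:" headers followed by "Procedure: 0x... (symbol)" lines)
is taken from the extension; SAMPLE, BASELINE and the classification rules are
this script's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format !ms_callbacks prints (a subset of the lists).
# The 0xFFFFE68DC0FF1000 entry is made up: a non-zero pointer with no module,
# the pattern a detached or injected callback leaves behind.
SAMPLE = """\
[*] PspCreateProcessNotifyRoutine:
     Procedure: 0xFFFFF80437F338F0 (nt!ViCreateProcessCallback)
     Procedure: 0xFFFFF8043F8E9F40 (WdFilter+0x39f40)
     Procedure: 0xFFFFF80441043C90 (peauth+0x43c90)

[*] PspLoadImageNotifyRoutine:
     Procedure: 0xFFFFF804397AE980 (ahcache!CitmpLoadImageCallback)
     Procedure: 0xFFFFF804864D1130 (fortmap+0x1130)
     Procedure: 0xFFFFE68DC0FF1000 ()

[*] EmpCallbackListHead:
     GUID: {13925944-2A6A-4E3C-AC97-37735C19393D} Procedure: 0x0000000000000000 ()
     GUID: {8026FF68-3BD0-4BA4-A1D4-DE724F781B78} Procedure: 0xFFFFF80438559D50 (nt!EmTrueCallback)
"""

SECTION_RE = re.compile(r"^\[\*\]\s+(.+?):\s*$")
PROC_RE = re.compile(r"Procedure:\s+0x([0-9A-Fa-f]+)\s+\(([^)]*)\)")


@dataclass(frozen=True)
class Callback:
    section: str
    address: int
    symbol: str  # "mod!func", "mod+0xoff", or "" when nothing resolved

    @property
    def module(self) -> str:
        return re.split(r"[!+]", self.symbol, maxsplit=1)[0] if self.symbol else ""

    @property
    def kind(self) -> str:
        if self.address == 0:
            return "null"          # empty slot, nothing will ever be called
        if not self.symbol:
            return "unresolved"    # non-zero pointer outside every loaded module
        if "!" in self.symbol:
            return "symbol"        # module and function both resolved
        return "module-offset"     # module known, no symbols for it


def parse_callbacks(text: str) -> list[Callback]:
    """Walk the output line by line, remembering the current [*] section."""
    section, found = "", []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group(1)
            continue
        m = PROC_RE.search(line)
        if m and section:
            found.append(Callback(section, int(m.group(1), 16), m.group(2).strip()))
    return found


def findings(callbacks: list[Callback], baseline: set) -> list[tuple[Callback, str]]:
    """Return (callback, reason) pairs worth a closer look.

    baseline holds (section, symbol) pairs from a known-good capture of the same
    OS build. Matching is by symbol, never by address: kernel ASLR relocates the
    modules on every boot, so raw pointers do not survive between two captures.
    """
    out = []
    for cb in callbacks:
        if cb.kind == "null":
            continue
        if cb.kind == "unresolved":
            out.append((cb, "pointer not inside any loaded module"))
        elif (cb.section, cb.symbol) not in baseline:
            out.append((cb, f"not in baseline ({cb.kind})"))
    return out


# Constructed baseline: what a clean capture of the same build registered.
BASELINE = {
    ("PspCreateProcessNotifyRoutine", "nt!ViCreateProcessCallback"),
    ("PspCreateProcessNotifyRoutine", "WdFilter+0x39f40"),
    ("PspLoadImageNotifyRoutine", "ahcache!CitmpLoadImageCallback"),
    ("EmpCallbackListHead", "nt!EmTrueCallback"),
}

if __name__ == "__main__":
    for cb, reason in findings(parse_callbacks(SAMPLE), BASELINE):
        print(f"{cb.section:32} {cb.address:#018x} {cb.symbol or '<none>':32} {reason}")
```

In a real investigation, feed the script the saved `!ms_callbacks` output of the suspect machine and a baseline captured from a clean machine with the same OS build and driver set; anything reported as "not inside any loaded module" should be dumped and disassembled (`u` on the address in kd) before you trust the box.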