WinDBG Anti-RootKit Extension
WDBGARK is an extension (dynamic library) for the Microsoft Debugging Tools for Windows. Its main purpose is to view and analyze anomalies in the Windows kernel using the kernel debugger: various system callbacks, system tables, object types and so on. For a more user-friendly view the extension uses DML. Most commands require a kernel-mode connection. Feel free to use the extension with live kernel-mode debugging or with kernel-mode crash dump analysis (some commands will not work on a dump). Public symbols are required, so use them, force a reload of them, ignore checksum problems, prepare them before the analysis, and you'll be happy.
Multiple targets debugging is not supported!
Windows BETA/RC builds are supported by design, but read a few notes. First, I don't care about checked builds. Second, I don't care if you don't have symbols (public or private). IA64/ARM is unsupported (and will not be).
Sources are organized as a Visual Studio 2017 solution.
A post-build event is enabled for the debug build. It automatically copies the linked extension into WinDBG's plugins folder, e.g. for the x64 target:
copy /B /Y "$(OutDir)$(TargetName)$(TargetExt)" "$(WindowsSdkDir)Debuggers\x64\winext\$(TargetName)$(TargetExt)"
Yeah, it's possible to build all the stuff using a simple batch script.
The extension DLL belongs in the winext folder of the matching WinDBG:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\
0: kd> .load wdbgark
0: kd> .chain
Extension DLL search Path:
    <...>
Extension DLL chain:
    wdbgark: image 18.104.22.168, API 2.5.0, built Fri Oct 20 17:54:03 2017
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\wdbgark.dll]
    dbghelp: image 10.0.16299.15, API 10.0.6,
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll]
    ext: image 10.0.16299.15, API 1.0.0,
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\ext.dll]
    exts: image 10.0.16299.15, API 1.0.0,
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\WINXP\exts.dll]
    kext: image 10.0.16299.15, API 1.0.0,
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\kext.dll]
    kdexts: image 10.0.16299.15, API 1.0.0,
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\WINXP\kdexts.dll]
0: kd> !wdbgark.help
Commands for C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\wdbgark.dll:
  !help               - Displays information on available extension commands
  !wa_apiset          - Output user-mode and/or kernel-mode ApiSet map
  !wa_callouts        - Output kernel-mode win32k callouts
  !wa_checkmsr        - Output system MSRs (live debug only!)
  !wa_chknirvana      - Checks processes for Hooking Nirvana instrumentation
  !wa_cicallbacks     - Output kernel-mode nt!g_CiCallbacks or nt!SeCiCallbacks
  !wa_ciinfo          - Output Code Integrity information
  !wa_colorize        - Adjust WinDBG colors dynamically (prints info with no parameters)
  !wa_crashdmpcall    - Output kernel-mode nt!CrashdmpCallTable
  !wa_drvmajor        - Output driver(s) major table
  !wa_eop             - Checks processes for Elevation of Privilege
  !wa_gdt             - Output processors GDT
  !wa_haltables       - Output kernel-mode HAL tables: nt!HalDispatchTable, nt!HalPrivateDispatchTable, nt!HalIommuDispatchTable
  !wa_idt             - Output processors IDT
  !wa_lxsdt           - Output the Linux Subsystem Service Descriptor Table
  !wa_objtype         - Output kernel-mode object type(s)
  !wa_objtypecb       - Output kernel-mode callbacks registered with ObRegisterCallbacks
  !wa_objtypeidx      - Output kernel-mode nt!ObTypeIndexTable
  !wa_pnptable        - Output kernel-mode nt!PlugPlayHandlerTable
  !wa_process_anomaly - Checks processes for various anomalies
  !wa_psppico         - Output kernel-mode Pico tables
  !wa_scan            - Scan system (execute all commands)
  !wa_ssdt            - Output the System Service Descriptor Table
  !wa_systables       - Output various kernel-mode system tables
  !wa_systemcb        - Output kernel-mode registered callback(s)
  !wa_ver             - Shows extension version number
  !wa_w32psdt         - Output the Win32k Service Descriptor Table
  !wa_w32psdtflt      - Output the Win32k Service Descriptor Table Filter
  !wdrce_copyfile     - Copy file (live debug only!)
  !wdrce_cpuid        - Execute CPUID instruction (live debug only!)
!help <command> will give more information for a particular command
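A worked session that puts the symbol advice from the introduction into practice before running the checks. This is an added example, not a script shipped with WDBGARK: it is a WinDBG command script that points the debugger at the public symbol server, relaxes symbol matching so a checksum mismatch does not block loading, forces a reload, loads the extension, records its version and runs the full scan into a log file. The script name, the symbol cache folder and the log path are assumptions; adjust them to your box.

```text
$$ wdbgark-scan.txt - added example, not part of WDBGARK.
$$ Run from the kd prompt with:  $$< C:\scripts\wdbgark-scan.txt   (assumed path)

$$ Public Microsoft symbol server, cached locally in C:\Symbols (assumed path)
.sympath srv*C:\Symbols*https://msdl.microsoft.com/download/symbols

$$ SYMOPT_LOAD_ANYTHING (0x40): accept a symbol file even if its checksum/timestamp
$$ does not match the image, which is the "ignore checksum problems" advice above
.symopt+ 0x40

$$ Make the symbol loader verbose so a missing nt/win32k PDB shows up instead of
$$ silently producing empty tables later
!sym noisy

$$ Force a reload of every module against the new path and options
.reload /f

$$ Everything from here on goes to a timestamped log (assumed path) for offline review
.logopen /t C:\logs\wdbgark.log

$$ Load the extension and confirm it is in the chain
.load wdbgark
.chain
!wa_ver

$$ Execute all checks at once. On a crash dump the live-only commands
$$ (!wa_checkmsr, !wdrce_copyfile, !wdrce_cpuid) will fail; that is expected there.
!wa_scan

.logclose
!sym quiet
```

Run it with `$$<` rather than pasting the commands one by one: each line is executed as its own debugger command, the `$$` lines are comments, and the log captures the complete `!wa_scan` output, which is usually far longer than the WinDBG scrollback.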
Q: What is the main purpose of the extension?
A: Well, first, it is educational only. Second, for fun and profit.
Q: Do you know about PyKd? I can script the whole Anti-Rootkit using Python.
A: Yeah, I know, but C++ is much better.
Q: Where is version 1.0?
A: Lost in space of Google Code.
Q: When did the project start?
A: February 2013 on Google Code.
Q: What version should i use?
A: Please use the x64 version only. In the era of x64 I don't know why the heck you may need to use the x86 version. x64 WinDBG is able to debug both x86 and x64 targets. Host OS bitness is the only limitation.
Q: How can i help?
A: Spread the word. Report issues and feature requests. I'm open to any suggestions. Thanks!
Q: What kind of memory dump is better to use with an extension?
A: Complete memory dump.
Q: How to report an issue?
A: Feel free to report an issue using GitHub or email me directly, but please attach the complete memory crash dump file.
The wiki can help.