It’s commonly known that the Windows Kernel uses two standard function prefixes to differentiate externally callable functions (Ke) from private, or internal, functions (Ki). There is, however, a third prefix used in the Kernel that isn’t quite as common: Kx. This prefix is used for internal functions that are processor architecture specific. For example, KxFlushEntireTb […]
Turning a Breakpoint into a Busypoint
During dynamic analysis, I often want to prevent a code path from continuing to execute beyond a certain point. For example, maybe I suspect a race between the read and write paths in a driver. In this case, I may want to allow the write path to proceed up to a point before executing the […]
Using WinDbg to hunt for strings
Oftentimes it’s useful to search images for strings; they can provide clues as to where a module came from or what exactly was running on a machine. However, doing this typically requires extracting an image from a memory dump and running a standalone application. If you want to save yourself some time, you can instead […]
Spice Up Your Debug Output With DML
If you’ve been using WinDbg for any amount of time, you’ve surely come across the Debugger Markup Language (DML). DML is what provides the ability to create hyperlinks in the debugger’s output window. For example, this support is used beautifully within the NDIS debugging extensions. Try running !ndiskd.help and clicking around a bit, even if you’re not […]