Monthly Archives: January 2009

Windows 7 and Windows Server 2008 R2 djoin (Offline Domain Join) utility.


Offline domain join is a new process that joins computers running Windows 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS) without any network connectivity. It comes with a new command-line tool, Djoin.exe, which you use to complete an offline domain join.

Run Djoin.exe on a domain-connected computer to provision the computer account metadata (djoin /provision). When you run the provisioning command, the computer account metadata is written to a .txt file that you specify as part of the command. After that, you can either run Djoin.exe again on the destination computer (djoin /requestODJ) to read the computer account metadata and insert it into that computer's Windows directory, or supply the same data through an unattended setup answer file.

The following section covers the content of these computer account metadata files.

Here is what we see when we open the output file in a hex editor.

The first two bytes are a UTF-16 byte-order mark and are skipped; the rest of the file is a base64 string stored as Unicode (UTF-16LE) text.

The decoded base64 string is a DATA_BLOB produced and consumed by the NetpEncodeProvisioningBlob / NetpDecodeProvisioningBlob private APIs of netjoin.dll, a DLL new to Windows 7/Windows Server 2008 R2. Both functions call NdrMesTypeEncode2 / NdrMesTypeDecode2 from RPCRT4.dll, i.e. the blob is RPC NDR type serialization (a marshaled structure), not an encrypted one: anything in it, the machine account password included, is recoverable by simply unmarshaling it.
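As an added example (not code from the original post or from the dinfo tool), here is a small Python script that performs the unwrapping described above: skip the two-byte UTF-16 byte-order mark, decode the UTF-16LE text, base64-decode it, and check the [MS-RPCE] type-serialization headers that NdrMesTypeEncode2 places in front of the structure before handing back the serialized object buffer. The sample file is constructed inside the script with placeholder payload bytes; a real payload is the provisioning structure described below, machine account password included, which is why an ODJ file should be handled like a credential.

```python
"""Added example (not from the original post or the dinfo tool): unwrap a
djoin.exe provisioning file down to the NDR-serialized blob it carries."""
import base64
import struct

UTF16LE_BOM = b"\xff\xfe"


def unwrap_odj_file(data: bytes) -> bytes:
    """djoin writes UTF-16LE text behind a byte-order mark (the two bytes
    skipped in the post); the text is a single base64 string."""
    if not data.startswith(UTF16LE_BOM):
        raise ValueError("expected a UTF-16LE BOM at the start of the ODJ file")
    text = "".join(data[len(UTF16LE_BOM):].decode("utf-16-le").split())
    return base64.b64decode(text, validate=True)


def parse_ndr_headers(blob: bytes) -> bytes:
    """The decoded blob is NDR type serialization (what NdrMesTypeEncode2 /
    NdrMesTypeDecode2 produce and consume), so it starts with the 8-byte
    common header and the 8-byte private header of [MS-RPCE] type
    serialization version 1. Returns the object buffer that follows them."""
    if len(blob) < 16:
        raise ValueError("blob too short for NDR type-serialization headers")
    version, endianness, header_len, filler = struct.unpack_from("<BBHI", blob, 0)
    if (version, endianness, header_len, filler) != (1, 0x10, 8, 0xCCCCCCCC):
        raise ValueError("not a little-endian NDR type-serialization blob")
    object_len, filler2 = struct.unpack_from("<II", blob, 8)
    if filler2 != 0 or len(blob) < 16 + object_len:
        raise ValueError("bad private header or truncated object buffer")
    return blob[16:16 + object_len]


def extract_provision_blob(data: bytes) -> bytes:
    """File bytes in, serialized provisioning structure (object buffer) out."""
    return parse_ndr_headers(unwrap_odj_file(data))


def make_odj_file(payload: bytes) -> bytes:
    """Constructed sample for testing: wrap arbitrary payload bytes the way
    djoin does. A real payload is the provisioning structure (domain DNS
    policy, domain controller, machine name and machine password), not
    these placeholder bytes."""
    common = struct.pack("<BBHI", 1, 0x10, 8, 0xCCCCCCCC)
    private = struct.pack("<II", len(payload), 0)
    b64 = base64.b64encode(common + private + payload)
    return UTF16LE_BOM + b64.decode("ascii").encode("utf-16-le")


# Constructed placeholder payload (not real provisioning data).
SAMPLE_PAYLOAD = bytes(range(0x20))

if __name__ == "__main__":
    sample = make_odj_file(SAMPLE_PAYLOAD)
    print("file starts with :", sample[:12].hex(), "...")
    print("object buffer    :", extract_provision_blob(sample).hex())
```

To use it on a real file, read the djoin output with open(path, "rb") and pass the bytes to extract_provision_blob; the returned buffer is the serialized structure whose layout the rest of this post describes.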

This DLL is also interesting for its NetpLogPrintHelper() calls, e.g. this one in the NetpDumpBlobToLog() function, which logs the machine password field as:

    "\tlpMachinePassword: %s\n", "omitted from log");

As you can see, sensitive fields are kept out of the debug log (netsetup.log) even though the blob itself carries them.

The decoded blob contains a structure I call "PROVISION_DATA", which holds the domain DNS policy, the domain controller, miscellaneous information about the machine, and so on.

#define NETSETUP_PROVISION_DOWNLEVEL_PRIV_SUPPORT 0x1
#define NETSETUP_PROVISION_REUSE_ACCOUNT          0x2
#define NETSETUP_PROVISION_USE_DEFAULT_PASSWORD   0x4
#define NETSETUP_PROVISION_SKIP_ACCOUNT_SEARCH    0x8
#define NETSETUP_PROVISION_ONLINE_CALLER          0x40000000
#define NETSETUP_PROVISION_CHECK_PWD_ONLY         0x80000000

// sizeof = 0x2C
// 0x000
// 0x008
// 0x010
// 0x018
    PSID Sid; // 0x028

// sizeof = 0x30
// 0x000
// 0x004
// 0x008
// 0x00C
// 0x01C
// 0x020
// 0x024
// 0x028
// 0x02C

    //
    // Global Information
    //
// 0x008
// 0x00C
// 0x010

    //
    // Domain Policy
    //
// 0x014

    //
    // Domain Controller
    //
// 0x048

    //
    // Options - NETSETUP_PROVISION
    //
// 0x078

    //
    // ODJ Blob
    //
// 0x000
// 0x004

I wrote a tool called "dinfo" (for "Domain Information") to read these files. It needs only standard user rights, but it runs only on Windows 7 and Windows Server 2008 R2 because it depends on netjoin.dll.

Now it’s time to introduce dinfo.exe! Here is a screenshot of the tool in action.



PS1. The encoded data blob can also be retrieved from the registry, under the following magic key: "Software\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Microsoft-Windows-UnattendedJoin\Identification". It is the same blob, machine password included, so that registry value deserves the same protection as the provisioning file.

PS2. Thomas likes noodles.


Download dinfo version 1.0.20090128

KPRCB structure modified in Windows 7. Another thing to fix in win32dd.


If you generate a Microsoft crash dump file under Windows 7, you may have noticed that the DirectoryTableBase field in the crash dump header is set to zero. The reason is that the current version of win32dd chose to retrieve the cr3 register through the PROCESSOR_STATE structure stored in the KPRCB. But since the KPRCB was changed in Windows 7, the ugly piece of code win32dd used for that no longer returns a correct cr3 value.


If you compare the two structures, you can see that the 32-bit ULONG SetMember has been removed. Don't worry, the value is still present in the KPCR structure; I guess the Microsoft kernel developers removed it from the KPRCB to clean up the structure and avoid a duplicated field.
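As an added example (not win32dd's code), here is a Python sketch of how a memory-forensics tool could pull cr3 out of a raw x86 KPRCB image for either layout, and sanity-check the value before writing it into a crash dump header as DirectoryTableBase. The ProcessorState offsets (0x1C on Vista, 0x18 on Windows 7) come from the two structure dumps below; the inner layout of KPROCESSOR_STATE (a 0x2CC-byte CONTEXT followed by KSPECIAL_REGISTERS, whose first four ULONGs are Cr0, Cr2, Cr3, Cr4) is not on this page and is assumed here, although it matches the 0x320-byte size of the field in both dumps. The KPRCB images the script reads are constructed, not captured from a live system.

```python
"""Added example (not win32dd code): locate cr3 inside a raw x86 KPRCB
image for the Vista and Windows 7 layouts dumped on this page."""
import struct

# KPRCB offset of ProcessorState, from the two structure dumps.
# Windows 7 dropped the 4-byte SetMember at 0x014, so everything after it
# moved up by four bytes.
PROCESSOR_STATE_OFFSET = {"vista": 0x1C, "win7": 0x18}

# Assumed x86 KPROCESSOR_STATE layout (not shown on the page, but it
# matches the 0x320-byte size of the field in both dumps):
#   +0x000 CONTEXT ContextFrame          (0x2CC bytes)
#   +0x2CC KSPECIAL_REGISTERS {Cr0, Cr2, Cr3, Cr4, KernelDr0, ...}
CONTEXT_SIZE = 0x2CC
CONTROL_REGISTER_INDEX = {"cr0": 0, "cr2": 1, "cr3": 2, "cr4": 3}


def control_register_offset(layout: str, reg: str) -> int:
    """Byte offset of a saved control register inside the KPRCB."""
    return PROCESSOR_STATE_OFFSET[layout] + CONTEXT_SIZE + 4 * CONTROL_REGISTER_INDEX[reg]


def read_cr3(prcb: bytes, layout: str) -> int:
    """Read the saved cr3 (page directory base) from a KPRCB image."""
    return struct.unpack_from("<I", prcb, control_register_offset(layout, "cr3"))[0]


def cr3_plausible(cr3: int) -> bool:
    """Reject values that cannot be a page directory base before putting them
    in the dump header: never zero, and bits 4:0 always clear (the PDPT is
    32-byte aligned under PAE, the page directory page-aligned without it)."""
    return cr3 != 0 and cr3 & 0x1F == 0


def build_prcb_image(layout: str, cr3: int, cr4: int, size: int = 0x400) -> bytes:
    """Constructed KPRCB image: zeros except for planted Cr3 and Cr4 values,
    placed where the requested layout expects them."""
    image = bytearray(size)
    struct.pack_into("<I", image, control_register_offset(layout, "cr3"), cr3)
    struct.pack_into("<I", image, control_register_offset(layout, "cr4"), cr4)
    return bytes(image)


def demo_read(built_as: str, read_as: str) -> int:
    """Build an image in one layout and read cr3 assuming another one."""
    image = build_prcb_image(built_as, cr3=0x00185000, cr4=0x000006F8)
    return read_cr3(image, read_as)


if __name__ == "__main__":
    for built_as, read_as in (("win7", "win7"), ("win7", "vista"), ("vista", "win7")):
        value = demo_read(built_as, read_as)
        print(f"{built_as} PRCB read with {read_as} offsets: "
              f"{value:#010x} plausible={cr3_plausible(value)}")
```

Reading a Windows 7 PRCB with the Vista offsets lands on the saved Cr4 (both sit at 0x2F0), a value the alignment check rejects; reading a Vista PRCB with the Windows 7 offsets lands on Cr2 instead. Either way the check fails before a bogus DirectoryTableBase reaches the dump header.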

Anyway, I’ll publish an update soon for win32dd. :-)

For people interested in the technical details of these structures, here is the KPRCB structure under Windows Vista and Windows 7.

This is how the KPRCB structure looks under Windows Vista:

typedef struct _KPRCB      // 129 elements, 0xEC0 bytes (sizeof) 
{    
/*0x000*/     UINT16       MinorVersion;
/*0x002*/     UINT16       MajorVersion;
/*0x004*/     struct _KTHREAD* CurrentThread;
/*0x008*/     struct _KTHREAD* NextThread;
/*0x00C*/     struct _KTHREAD* IdleThread;
/*0x010*/     CHAR         Number;
/*0x011*/     CHAR         Reserved;
/*0x012*/     UINT16       BuildType;
/*0x014*/     ULONG32      SetMember; 
/*0x018*/     CHAR         CpuType;
/*0x019*/     CHAR         CpuID;
/*0x01A*/     UINT16       CpuStep;
/*0x01C*/     struct _KPROCESSOR_STATE ProcessorState;  
/*0x33C*/     ULONG32      KernelReserved[16];
/*0x37C*/     ULONG32      HalReserved[16];
/*0x3BC*/     UINT8        PrcbPad0[92];
/*0x418*/     struct _KSPIN_LOCK_QUEUE LockQueue[33];
/*0x520*/     struct _KTHREAD* NpxThread;
/*0x524*/     ULONG32      InterruptCount;
/*0x528*/     ULONG32      KernelTime;
/*0x52C*/     ULONG32      UserTime;
/*0x530*/     ULONG32      DpcTime;
/*0x534*/     ULONG32      DebugDpcTime;
/*0x538*/     ULONG32      InterruptTime;
/*0x53C*/     ULONG32      AdjustDpcThreshold;
/*0x540*/     ULONG32      PageColor;
/*0x544*/     UINT8        SkipTick;
/*0x545*/     UINT8        DebuggerSavedIRQL;
/*0x546*/     UINT8        NodeColor;
/*0x547*/     UINT8        Spare1;
/*0x548*/     ULONG32      NodeShiftedColor;
/*0x54C*/     struct _KNODE* ParentNode;
/*0x550*/     ULONG32      MultiThreadProcessorSet;
/*0x554*/     struct _KPRCB* MultiThreadSetMaster;
/*0x558*/     ULONG32      SecondaryColorMask;
/*0x55C*/     LONG32       Sleeping;
/*0x560*/     ULONG32      CcFastReadNoWait;
/*0x564*/     ULONG32      CcFastReadWait;
/*0x568*/     ULONG32      CcFastReadNotPossible;
/*0x56C*/     ULONG32      CcCopyReadNoWait;
/*0x570*/     ULONG32      CcCopyReadWait;
/*0x574*/     ULONG32      CcCopyReadNoWaitMiss;
/*0x578*/     ULONG32      KeAlignmentFixupCount;
/*0x57C*/     ULONG32      SpareCounter0;
/*0x580*/     ULONG32      KeDcacheFlushCount;
/*0x584*/     ULONG32      KeExceptionDispatchCount;
/*0x588*/     ULONG32      KeFirstLevelTbFills;
/*0x58C*/     ULONG32      KeFloatingEmulationCount;
/*0x590*/     ULONG32      KeIcacheFlushCount;
/*0x594*/     ULONG32      KeSecondLevelTbFills;
/*0x598*/     ULONG32      KeSystemCalls;
/*0x59C*/     LONG32       IoReadOperationCount;
/*0x5A0*/     LONG32       IoWriteOperationCount;
/*0x5A4*/     LONG32       IoOtherOperationCount;
/*0x5A8*/     union _LARGE_INTEGER IoReadTransferCount;    
/*0x5B0*/     union _LARGE_INTEGER IoWriteTransferCount;     
/*0x5B8*/     union _LARGE_INTEGER IoOtherTransferCount;     
/*0x5C0*/     ULONG32      SpareCounter1[8];
/*0x5E0*/     struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x660*/     struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[32];
/*0x760*/     struct _PP_LOOKASIDE_LIST PPPagedLookasideList[32];
/*0x860*/     ULONG32      PacketBarrier;
/*0x864*/     ULONG32      ReverseStall;
/*0x868*/     VOID*        IpiFrame;
/*0x86C*/     UINT8        PrcbPad2[52];
/*0x8A0*/     VOID*        CurrentPacket[3];
/*0x8AC*/     ULONG32      TargetSet;
/*0x8B0*/     FUNCT_014C_02D2_WorkerRoutine* WorkerRoutine;
/*0x8B4*/     ULONG32      IpiFrozen;
/*0x8B8*/     UINT8        PrcbPad3[40];
/*0x8E0*/     ULONG32      RequestSummary;
/*0x8E4*/     struct _KPRCB* SignalDone;
/*0x8E8*/     UINT8        PrcbPad4[56];
/*0x920*/     struct _KDPC_DATA DpcData[2];
/*0x948*/     VOID*        DpcStack;
/*0x94C*/     ULONG32      MaximumDpcQueueDepth;
/*0x950*/     ULONG32      DpcRequestRate;
/*0x954*/     ULONG32      MinimumDpcRate;
/*0x958*/     UINT8        DpcInterruptRequested;
/*0x959*/     UINT8        DpcThreadRequested;
/*0x95A*/     UINT8        DpcRoutineActive;
/*0x95B*/     UINT8        DpcThreadActive;
/*0x95C*/     ULONG32      PrcbLock;
/*0x960*/     ULONG32      DpcLastCount;
/*0x964*/     ULONG32      TimerHand;
/*0x968*/     ULONG32      TimerRequest;
/*0x96C*/     VOID*        DpcThread;
/*0x970*/     struct _KEVENT DpcEvent;    
/*0x980*/     UINT8        ThreadDpcEnable;
/*0x981*/     UINT8        QuantumEnd;
/*0x982*/     UINT8        PrcbPad50;
/*0x983*/     UINT8        IdleSchedule;
/*0x984*/     LONG32       DpcSetEventRequest;
/*0x988*/     UINT8        PrcbPad5[18];
/*0x99A*/     UINT8        _PADDING0_[0x2];
/*0x99C*/     LONG32       TickOffset;
/*0x9A0*/     struct _KDPC CallDpc;   
/*0x9C0*/     ULONG32      PrcbPad7[8];
/*0x9E0*/     struct _LIST_ENTRY WaitListHead;      
/*0x9E8*/     ULONG32      ReadySummary;
/*0x9EC*/     ULONG32      QueueIndex;
/*0x9F0*/     struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0xAF0*/     struct _SINGLE_LIST_ENTRY DeferredReadyListHead;
/*0xAF4*/     ULONG32      PrcbPad72[11];
/*0xB20*/     VOID*        ChainedInterruptList;
/*0xB24*/     LONG32       LookasideIrpFloat;
/*0xB28*/     LONG32       MmPageFaultCount;
/*0xB2C*/     LONG32       MmCopyOnWriteCount;
/*0xB30*/     LONG32       MmTransitionCount;
/*0xB34*/     LONG32       MmCacheTransitionCount;
/*0xB38*/     LONG32       MmDemandZeroCount;
/*0xB3C*/     LONG32       MmPageReadCount;
/*0xB40*/     LONG32       MmPageReadIoCount;
/*0xB44*/     LONG32       MmCacheReadCount;
/*0xB48*/     LONG32       MmCacheIoCount;
/*0xB4C*/     LONG32       MmDirtyPagesWriteCount;
/*0xB50*/     LONG32       MmDirtyWriteIoCount;
/*0xB54*/     LONG32       MmMappedPagesWriteCount;
/*0xB58*/     LONG32       MmMappedWriteIoCount;
/*0xB5C*/     ULONG32      SpareFields0[1];
/*0xB60*/     UINT8        VendorString[13];
/*0xB6D*/     UINT8        InitialApicId;
/*0xB6E*/     UINT8        LogicalProcessorsPerPhysicalProcessor;
/*0xB6F*/     UINT8        _PADDING1_[0x1];
/*0xB70*/     ULONG32      MHz;
/*0xB74*/     ULONG32      FeatureBits;
/*0xB78*/     union _LARGE_INTEGER UpdateSignature;     
/*0xB80*/     UINT64       IsrTime;
/*0xB88*/     UINT64       SpareField1;
/*0xB90*/     struct _FX_SAVE_AREA NpxSaveArea;   
/*0xDA0*/     struct _PROCESSOR_POWER_STATE PowerState; 
}KPRCB, *PKPRCB;

And under Windows 7:

typedef struct _KPRCB // 244 elements, 0x1EE8 bytes (sizeof)
{     
/*0x000*/      UINT16       MinorVersion;
/*0x002*/      UINT16       MajorVersion;
/*0x004*/      struct _KTHREAD* CurrentThread;
/*0x008*/      struct _KTHREAD* NextThread;
/*0x00C*/      struct _KTHREAD* IdleThread;
/*0x010*/      UINT8        LegacyNumber;
/*0x011*/      UINT8        NestingLevel;
/*0x012*/      UINT16       BuildType;
/*0x014*/      CHAR         CpuType;
/*0x015*/      CHAR         CpuID;
/*0x016*/      UINT16       CpuStep;
/*0x018*/      struct _KPROCESSOR_STATE ProcessorState;   
/*0x338*/      ULONG32      KernelReserved[16];
/*0x378*/      ULONG32      HalReserved[16];
/*0x3B8*/      ULONG32      CFlushSize;
/*0x3BC*/      UINT8        CoresPerPhysicalProcessor;
/*0x3BD*/      UINT8        LogicalProcessorsPerCore;
/*0x3BE*/      UINT8        PrcbPad0[2];
/*0x3C0*/      ULONG32      MHz;
/*0x3C4*/      UINT8        CpuVendor;
/*0x3C5*/      UINT8        GroupIndex;
/*0x3C6*/      UINT16       Group;
/*0x3C8*/      ULONG32      GroupSetMember;
/*0x3CC*/      ULONG32      Number;
/*0x3D0*/      UINT8        PrcbPad1[72];
/*0x418*/      struct _KSPIN_LOCK_QUEUE LockQueue[49];
/*0x5A0*/      struct _KTHREAD* NpxThread;
/*0x5A4*/      ULONG32      InterruptCount;
/*0x5A8*/      ULONG32      KernelTime;
/*0x5AC*/      ULONG32      UserTime;
/*0x5B0*/      ULONG32      DpcTime;
/*0x5B4*/      ULONG32      DpcTimeCount;
/*0x5B8*/      ULONG32      InterruptTime;
/*0x5BC*/      ULONG32      AdjustDpcThreshold;
/*0x5C0*/      ULONG32      PageColor;
/*0x5C4*/      UINT8        DebuggerSavedIRQL;
/*0x5C5*/      UINT8        NodeColor;
/*0x5C6*/      UINT8        PrcbPad20[2];
/*0x5C8*/      ULONG32      NodeShiftedColor;
/*0x5CC*/      struct _KNODE* ParentNode;
/*0x5D0*/      ULONG32      SecondaryColorMask;
/*0x5D4*/      ULONG32      DpcTimeLimit;
/*0x5D8*/      ULONG32      PrcbPad21[2];
/*0x5E0*/      ULONG32      CcFastReadNoWait;
/*0x5E4*/      ULONG32      CcFastReadWait;
/*0x5E8*/      ULONG32      CcFastReadNotPossible;
/*0x5EC*/      ULONG32      CcCopyReadNoWait;
/*0x5F0*/      ULONG32      CcCopyReadWait;
/*0x5F4*/      ULONG32      CcCopyReadNoWaitMiss;
/*0x5F8*/      LONG32       MmSpinLockOrdering;
/*0x5FC*/      LONG32       IoReadOperationCount;
/*0x600*/      LONG32       IoWriteOperationCount;
/*0x604*/      LONG32       IoOtherOperationCount;
/*0x608*/      union _LARGE_INTEGER IoReadTransferCount;      
/*0x610*/      union _LARGE_INTEGER IoWriteTransferCount;     
/*0x618*/      union _LARGE_INTEGER IoOtherTransferCount;      
/*0x620*/      ULONG32      CcFastMdlReadNoWait;
/*0x624*/      ULONG32      CcFastMdlReadWait;
/*0x628*/      ULONG32      CcFastMdlReadNotPossible;
/*0x62C*/      ULONG32      CcMapDataNoWait;
/*0x630*/      ULONG32      CcMapDataWait;
/*0x634*/      ULONG32      CcPinMappedDataCount;
/*0x638*/      ULONG32      CcPinReadNoWait;
/*0x63C*/      ULONG32      CcPinReadWait;
/*0x640*/      ULONG32      CcMdlReadNoWait;
/*0x644*/      ULONG32      CcMdlReadWait;
/*0x648*/      ULONG32      CcLazyWriteHotSpots;
/*0x64C*/      ULONG32      CcLazyWriteIos;
/*0x650*/      ULONG32      CcLazyWritePages;
/*0x654*/      ULONG32      CcDataFlushes;
/*0x658*/      ULONG32      CcDataPages;
/*0x65C*/      ULONG32      CcLostDelayedWrites;
/*0x660*/      ULONG32      CcFastReadResourceMiss;
/*0x664*/      ULONG32      CcCopyReadWaitMiss;
/*0x668*/      ULONG32      CcFastMdlReadResourceMiss;
/*0x66C*/      ULONG32      CcMapDataNoWaitMiss;
/*0x670*/      ULONG32      CcMapDataWaitMiss;
/*0x674*/      ULONG32      CcPinReadNoWaitMiss;
/*0x678*/      ULONG32      CcPinReadWaitMiss;
/*0x67C*/      ULONG32      CcMdlReadNoWaitMiss;
/*0x680*/      ULONG32      CcMdlReadWaitMiss;
/*0x684*/      ULONG32      CcReadAheadIos;
/*0x688*/      ULONG32      KeAlignmentFixupCount;
/*0x68C*/      ULONG32      KeExceptionDispatchCount;
/*0x690*/      ULONG32      KeSystemCalls;
/*0x694*/      ULONG32      AvailableTime;
/*0x698*/      ULONG32      PrcbPad22[2];
/*0x6A0*/      struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x720*/      struct _GENERAL_LOOKASIDE_POOL PPNPagedLookasideList[32];
/*0x1020*/     struct _GENERAL_LOOKASIDE_POOL PPPagedLookasideList[32];
/*0x1920*/     ULONG32      PacketBarrier;
/*0x1924*/     LONG32       ReverseStall;
/*0x1928*/     VOID*        IpiFrame;
/*0x192C*/     UINT8        PrcbPad3[52];
/*0x1960*/     VOID*        CurrentPacket[3];
/*0x196C*/     ULONG32      TargetSet;
/*0x1970*/     FUNCT_009A_0657_WorkerRoutine* WorkerRoutine;
/*0x1974*/     ULONG32      IpiFrozen;
/*0x1978*/     UINT8        PrcbPad4[40];
/*0x19A0*/     ULONG32      RequestSummary;
/*0x19A4*/     struct _KPRCB* SignalDone;
/*0x19A8*/     UINT8        PrcbPad50[56];
/*0x19E0*/     struct _KDPC_DATA DpcData[2];
/*0x1A08*/     VOID*        DpcStack;
/*0x1A0C*/     LONG32       MaximumDpcQueueDepth;
/*0x1A10*/     ULONG32      DpcRequestRate;
/*0x1A14*/     ULONG32      MinimumDpcRate;
/*0x1A18*/     ULONG32      PrcbPad41;
/*0x1A1C*/     ULONG32      PrcbLock;
/*0x1A20*/     ULONG32      DpcLastCount;
/*0x1A24*/     ULONG32      TimerHand;
/*0x1A28*/     ULONG32      TimerRequest;
/*0x1A2C*/     struct _KTIMER** TimerExpiry;
/*0x1A30*/     struct _KGATE DpcGate;     
/*0x1A40*/     UINT8        ThreadDpcEnable;
/*0x1A41*/     UINT8        QuantumEnd;
/*0x1A42*/     UINT8        DpcRoutineActive;
/*0x1A43*/     UINT8        IdleSchedule;
               union   // 3 elements, 0x4 bytes (sizeof)
               {
/*0x1A44*/         LONG32       DpcRequestSummary;
/*0x1A44*/         INT16        DpcRequestSlot[2];
                   struct  // 2 elements, 0x4 bytes (sizeof)
                   {
/*0x1A44*/             INT16        NormalDpcState;
                       union   // 2 elements, 0x2 bytes (sizeof)
                       {
/*0x1A46*/                 UINT16       DpcThreadActive : 1; // 0 BitPosition
/*0x1A46*/                 INT16        ThreadDpcState;
                       };
                   };
               };
/*0x1A48*/     ULONG32      PrcbPad42;
/*0x1A4C*/     ULONG32      PeriodicCount;
/*0x1A50*/     ULONG32      PeriodicBias;
/*0x1A54*/     UINT8        _PADDING0_[0x4];
/*0x1A58*/     UINT64       TickOffset;
/*0x1A60*/     struct _KDPC CallDpc; // 9 elements, 0x20 bytes (sizeof)     
/*0x1A80*/     LONG32       ClockKeepAlive;
/*0x1A84*/     UINT8        ClockCheckSlot;
/*0x1A85*/     UINT8        ClockPollCycle;
/*0x1A86*/     UINT8        PrcbPad6[2];
/*0x1A88*/     LONG32       DpcWatchdogPeriod;
/*0x1A8C*/     LONG32       DpcWatchdogCount;
/*0x1A90*/     LONG32       ThreadWatchdogPeriod;
/*0x1A94*/     LONG32       ThreadWatchdogCount;
/*0x1A98*/     LONG32       KeSpinLockOrdering;
/*0x1A9C*/     ULONG32      PrcbPad70[1];
/*0x1AA0*/     struct _LIST_ENTRY WaitListHead;      
/*0x1AA8*/     ULONG32      WaitLock;
/*0x1AAC*/     ULONG32      ReadySummary;
/*0x1AB0*/     ULONG32      QueueIndex;
/*0x1AB4*/     struct _SINGLE_LIST_ENTRY DeferredReadyListHead; 
/*0x1AB8*/     UINT64       StartCycles;
/*0x1AC0*/     UINT64       CycleTime;
/*0x1AC8*/     ULONG32      HighCycleTime;
/*0x1ACC*/     ULONG32      PrcbPad71;
/*0x1AD0*/     UINT64       PrcbPad72[2];
/*0x1AE0*/     struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0x1BE0*/     VOID*        ChainedInterruptList;
/*0x1BE4*/     LONG32       LookasideIrpFloat;
/*0x1BE8*/     LONG32       MmPageFaultCount;
/*0x1BEC*/     LONG32       MmCopyOnWriteCount;
/*0x1BF0*/     LONG32       MmTransitionCount;
/*0x1BF4*/     LONG32       MmCacheTransitionCount;
/*0x1BF8*/     LONG32       MmDemandZeroCount;
/*0x1BFC*/     LONG32       MmPageReadCount;
/*0x1C00*/     LONG32       MmPageReadIoCount;
/*0x1C04*/     LONG32       MmCacheReadCount;
/*0x1C08*/     LONG32       MmCacheIoCount;
/*0x1C0C*/     LONG32       MmDirtyPagesWriteCount;
/*0x1C10*/     LONG32       MmDirtyWriteIoCount;
/*0x1C14*/     LONG32       MmMappedPagesWriteCount;
/*0x1C18*/     LONG32       MmMappedWriteIoCount;
/*0x1C1C*/     ULONG32      CachedCommit;
/*0x1C20*/     ULONG32      CachedResidentAvailable;
/*0x1C24*/     VOID*        HyperPte;
/*0x1C28*/     UINT8        PrcbPad8[4];
/*0x1C2C*/     UINT8        VendorString[13];
/*0x1C39*/     UINT8        InitialApicId;
/*0x1C3A*/     UINT8        LogicalProcessorsPerPhysicalProcessor;
/*0x1C3B*/     UINT8        PrcbPad9[5];
/*0x1C40*/     ULONG32      FeatureBits;
/*0x1C44*/     UINT8        _PADDING1_[0x4];
/*0x1C48*/     union _LARGE_INTEGER UpdateSignature;   
/*0x1C50*/     UINT64       IsrTime;
/*0x1C58*/     UINT64       RuntimeAccumulation;
/*0x1C60*/     struct _PROCESSOR_POWER_STATE PowerState; 
/*0x1D30*/     struct _KDPC DpcWatchdogDpc;     
/*0x1D50*/     struct _KTIMER DpcWatchdogTimer;   
/*0x1D78*/     VOID*        WheaInfo;
/*0x1D7C*/     VOID*        EtwSupport;
/*0x1D80*/     union _SLIST_HEADER InterruptObjectPool;     
/*0x1D88*/     union _SLIST_HEADER HypercallPageList;     
/*0x1D90*/     VOID*        HypercallPageVirtual;
/*0x1D94*/     VOID*        VirtualApicAssist;
/*0x1D98*/     UINT64*      StatisticsPage;
/*0x1D9C*/     VOID*        RateControl;
/*0x1DA0*/     struct _CACHE_DESCRIPTOR Cache[5];
/*0x1DDC*/     ULONG32      CacheCount;
/*0x1DE0*/     ULONG32      CacheProcessorMask[5];
/*0x1DF4*/     ULONG32      PackageProcessorSet;
/*0x1DF8*/     ULONG32      CoreProcessorSet;
/*0x1DFC*/     UINT8        PrcbPad10[36];
/*0x1E20*/     ULONG32      SpinLockAcquireCount;
/*0x1E24*/     ULONG32      SpinLockContentionCount;
/*0x1E28*/     ULONG32      SpinLockSpinCount;
/*0x1E2C*/     ULONG32      IpiSendRequestBroadcastCount;
/*0x1E30*/     ULONG32      IpiSendRequestRoutineCount;
/*0x1E34*/     ULONG32      IpiSendSoftwareInterruptCount;
/*0x1E38*/     ULONG32      ExInitializeResourceCount;
/*0x1E3C*/     ULONG32      ExReInitializeResourceCount;
/*0x1E40*/     ULONG32      ExDeleteResourceCount;
/*0x1E44*/     ULONG32      ExecutiveResourceAcquiresCount;
/*0x1E48*/     ULONG32      ExecutiveResourceContentionsCount;
/*0x1E4C*/     ULONG32      ExecutiveResourceReleaseExclusiveCount;
/*0x1E50*/     ULONG32      ExecutiveResourceReleaseSharedCount;
/*0x1E54*/     ULONG32      ExecutiveResourceConvertsCount;
/*0x1E58*/     ULONG32      ExAcqResExclusiveAttempts;
/*0x1E5C*/     ULONG32      ExAcqResExclusiveAcquiresExclusive;
/*0x1E60*/     ULONG32      ExAcqResExclusiveAcquiresExclusiveRecursive;
/*0x1E64*/     ULONG32      ExAcqResExclusiveWaits;
/*0x1E68*/     ULONG32      ExAcqResExclusiveNotAcquires;
/*0x1E6C*/     ULONG32      ExAcqResSharedAttempts;
/*0x1E70*/     ULONG32      ExAcqResSharedAcquiresExclusive;
/*0x1E74*/     ULONG32      ExAcqResSharedAcquiresShared;
/*0x1E78*/     ULONG32      ExAcqResSharedAcquiresSharedRecursive;
/*0x1E7C*/     ULONG32      ExAcqResSharedWaits;
/*0x1E80*/     ULONG32      ExAcqResSharedNotAcquires;
/*0x1E84*/     ULONG32      ExAcqResSharedStarveExclusiveAttempts;
/*0x1E88*/     ULONG32      ExAcqResSharedStarveExclusiveAcquiresExclusive;
/*0x1E8C*/     ULONG32      ExAcqResSharedStarveExclusiveAcquiresShared;
/*0x1E90*/     ULONG32      ExAcqResSharedStarveExclusiveAcquiresSharedRecursive;
/*0x1E94*/     ULONG32      ExAcqResSharedStarveExclusiveWaits;
/*0x1E98*/     ULONG32      ExAcqResSharedStarveExclusiveNotAcquires;
/*0x1E9C*/     ULONG32      ExAcqResSharedWaitForExclusiveAttempts;
/*0x1EA0*/     ULONG32      ExAcqResSharedWaitForExclusiveAcquiresExclusive;
/*0x1EA4*/     ULONG32      ExAcqResSharedWaitForExclusiveAcquiresShared;
/*0x1EA8*/     ULONG32      ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive;
/*0x1EAC*/     ULONG32      ExAcqResSharedWaitForExclusiveWaits;
/*0x1EB0*/     ULONG32      ExAcqResSharedWaitForExclusiveNotAcquires;
/*0x1EB4*/     ULONG32      ExSetResOwnerPointerExclusive;
/*0x1EB8*/     ULONG32      ExSetResOwnerPointerSharedNew;
/*0x1EBC*/     ULONG32      ExSetResOwnerPointerSharedOld;
/*0x1EC0*/     ULONG32      ExTryToAcqExclusiveAttempts;
/*0x1EC4*/     ULONG32      ExTryToAcqExclusiveAcquires;
/*0x1EC8*/     ULONG32      ExBoostExclusiveOwner;
/*0x1ECC*/     ULONG32      ExBoostSharedOwners;
/*0x1ED0*/     ULONG32      ExEtwSynchTrackingNotificationsCount;
/*0x1ED4*/     ULONG32      ExEtwSynchTrackingNotificationsAccountedCount;
/*0x1ED8*/     struct _CONTEXT* Context;
/*0x1EDC*/     ULONG32      ContextFlags;
/*0x1EE0*/     struct _XSAVE_AREA* ExtendedState;
/*0x1EE4*/     UINT8        _PADDING2_[0x4];
} KPRCB, *PKPRCB;

Update: win32dd 1.2.1

First of all, the problem reported and explained in my previous blog post regarding multi-processor computers and Microsoft crash dump generation is fixed. The limit has been raised from 1 to 32 processors.

The KeQueryActiveProcessorCount() API only exists in Vista and later versions of Windows; that is why I wrote xxxKeQueryActiveProcessorCount in driver/private/ke.c, because compatibility matters. By the way, speaking of compatibility, win32dd is compatible with Microsoft operating systems from Windows 2000 to Windows Seven. :-) Check the screenshot below of win32dd in action under Windows 7.

Download win32dd v1.2.20090106 now!

By the way, if you are still wondering about the efficiency and usefulness of win32dd's crash dump generation mode, I suggest you read this article: Microsoft Help and Support: Complete memory dumps are not available on computers that have 2 or more gigabytes of RAM

Thank you all for using win32dd and for your feedback!

Multi-Processors and KdVersionBlock

Tomorrow, I'll publish a bugfix for win32dd for the following problem: on multi-processor computers a BSOD occurs when the user tries to generate a Microsoft crash dump file through the -d option.

The problem is located inside the KdGetDebuggerDataBlock function: when it tries to read the KdVersionBlock field, an invalid pointer is returned because this field is only valid in the first processor's KPCR. Compare the two dumps below: on processor 0 (Number 0) KdVersionBlock is set, while on processor 1 it is (null).

lkd> dt nt!_KPCR ffdff000
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : 0xffdff000 _KPCR
   +0x020 Prcb             : 0xffdff120 _KPRCB
   +0x024 Irql             : 0 ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : 0x805562b8 
   +0x038 IDT              : 0x8003f400 _KIDTENTRY
   +0x03c GDT              : 0x8003f000 _KGDTENTRY
   +0x040 TSS              : 0x80042000 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 1
   +0x04c StallScaleFactor : 0x6bb
   +0x050 DebugActive      : 0 ''
   +0x051 Number           : 0 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0x10 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0x80000
   +0x094 HalReserved      : [16] 0
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB
lkd> dt nt!_KPCR f9c2c000
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : 0xf9c2c000 _KPCR
   +0x020 Prcb             : 0xf9c2c120 _KPRCB
   +0x024 Irql             : 0 ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : (null)
   +0x038 IDT              : 0xf9c30590 _KIDTENTRY
   +0x03c GDT              : 0xf9c30190 _KGDTENTRY
   +0x040 TSS              : 0xf9c2cd70 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 2
   +0x04c StallScaleFactor : 0x650
   +0x050 DebugActive      : 0 ''
   +0x051 Number           : 0x1 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0x10 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0x80000
   +0x094 HalReserved      : [16] 1
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB

This piece of code is your friend if you are also experiencing this problem.

    PVOID KdVersionBlock = NULL;   // receives KPCR.KdVersionBlock (+0x34)

    //
    // Multi Processors (MP)
    // Pin the current thread to processor 0 (affinity mask bit 0):
    // KdVersionBlock is only filled in on the first processor's KPCR.
    //
    KeSetSystemAffinityThread(1);
    _asm {
        mov eax, fs:[0x1C]      // KPCR.SelfPcr
        mov eax, [eax + 0x34]   // KPCR.KdVersionBlock
        mov KdVersionBlock, eax
    }
    //
    // Go back to default affinity.
    //
    KeRevertToUserAffinityThread();
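As an added example (not win32dd's own driver/private/ke.c code), here is a user-mode model of the two affinity-mask operations these fixes rely on: counting active processors from the KAFFINITY bitmask that KeQueryActiveProcessors() returns on Windows 2000 and later (one way a compatibility xxxKeQueryActiveProcessorCount can work; that ke.c does exactly this is my assumption), and forming the mask that pins a thread to a given processor, which for processor 0 is the value 1 passed to KeSetSystemAffinityThread() above. The typedefs stand in for ntddk.h so it compiles outside a driver, and the 4-processor mask is constructed.

```c
/* Added example, not code from win32dd. Models the affinity-mask logic
 * behind the multi-processor fixes; the typedefs replace ntddk.h. */
#include <stdio.h>
#include <stdint.h>

typedef uintptr_t KAFFINITY;   /* 32 bits on x86 (hence the 32-CPU limit), 64 on x64 */
typedef unsigned long ULONG;

/* One active processor per set bit. This is the kind of popcount a
 * pre-Vista replacement for KeQueryActiveProcessorCount() can apply to
 * the mask returned by KeQueryActiveProcessors() (assumption: ke.c may differ). */
ULONG CountActiveProcessors(KAFFINITY ActiveMask)
{
    ULONG count = 0;
    while (ActiveMask) {
        ActiveMask &= ActiveMask - 1;   /* clear the lowest set bit */
        count++;
    }
    return count;
}

/* Affinity mask that pins a thread to processor `Number` (the KPCR.Number
 * field). Processor 0 gives mask 1, the argument used with
 * KeSetSystemAffinityThread() above. Returns 0 when the processor number
 * does not fit in the mask or the processor is not active, so a caller
 * never pins to a CPU that does not exist. */
KAFFINITY AffinityForProcessor(ULONG Number, KAFFINITY ActiveMask)
{
    if (Number >= sizeof(KAFFINITY) * 8)
        return 0;
    KAFFINITY mask = (KAFFINITY)1 << Number;
    return (mask & ActiveMask) ? mask : 0;
}

int main(void)
{
    KAFFINITY active = 0x0F;   /* constructed: a 4-processor machine */
    printf("%lu active processors\n", CountActiveProcessors(active));
    printf("affinity for CPU 0: 0x%lx\n", (unsigned long)AffinityForProcessor(0, active));
    printf("affinity for CPU 5: 0x%lx\n", (unsigned long)AffinityForProcessor(5, active));
    return 0;
}
```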

The MSDN documentation suggests that developers targeting Windows Vista and later use KeSetSystemAffinityThreadEx instead of KeSetSystemAffinityThread, and KeRevertToUserAffinityThreadEx instead of KeRevertToUserAffinityThread.

Even though there is no MSDN entry for KeRevertToUserAffinityThread, a post on the Windows Driver Kit (WDK) Documentation Blog about Windows Kernel Routine Name Conventions says:

Suffix – Ex – indicates that this is a new version of KeRevertToUserAffinityThread. “Ex” is an abbreviation for extension. It is a common Windows naming convention for new versions of a routine.

Thanks to Sebastien and Martim for reporting the bug.

Hey people! Happy new year from a lazy man 2.0 :-)

I was looking for the shortest way to wish the people I know a happy new year for 2009.

Here is a flowchart explaining what happens just after I press the WordPress "Publish" button.

As you can see I use WordPress, Twitter, and Facebook technology — that’s pretty useless but that’s funny :-)

Updates will be shown as “Blog [new]: #title# ( http://tinyurl.com/xxxxxx )”. That leaves me 98 (140 – 42) free characters to wish you a happy new year!

* Tools/Plugins:
Twitter updater plugin for WordPress
Facebook application to update facebook status from Twitter

PS. I'm not dead, and I'll soon publish an update (1.2.1) for win32dd to fix a bug with multi-core computers and Microsoft crash dump file generation.