how to find a function in windbg

Time:08-11

I'm using WinDbg to debug Windows kernel files. The problem is that I know which function to set a breakpoint on, but I don't know which module the function belongs to. I use Windows Server 2019, and the module should be ntoskrnl according to the import in IDA. Somehow I didn't find that module in WinDbg (maybe there is an alias). How do I know which module imports the function, or the address of the function? The loaded modules are as follows:

start             end                 module name
ffffaa98`27400000 ffffaa98`2778b000   win32kfull   (pdb symbols)          C:\ProgramData\Dbg\sym\win32kfull.pdb\BD15EC0EDD344DABCC32F9C2E347B97B1\win32kfull.pdb
ffffaa98`27790000 ffffaa98`279ec000   win32kbase   (deferred)             
ffffaa98`279f0000 ffffaa98`27a38000   cdd        (deferred)             
ffffaa98`28300000 ffffaa98`2838b000   win32k     (deferred)             
fffff801`19c0e000 fffff801`19cab000   hal        (deferred)             
fffff801`19cac000 fffff801`1a71c000   nt         (pdb symbols)          C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\45C12C294F739481AC5E8E014C068FB61\ntkrnlmp.pdb
fffff801`1a800000 fffff801`1a80e000   kdcom      (deferred)             
fffff80f`e7c00000 fffff80f`e7c70000   FLTMGR     (deferred)             
fffff80f`e7c80000 fffff80f`e7d8a000   clipsp     (deferred)             
fffff80f`e7d90000 fffff80f`e7d9e000   cmimcext   (deferred)             
fffff80f`e7da0000 fffff80f`e7dac000   ntosext    (deferred)             
fffff80f`e7db0000 fffff80f`e7e83000   CI         (deferred)             
fffff80f`e7e90000 fffff80f`e7f48000   cng        (deferred)             
fffff80f`e7f50000 fffff80f`e8021000   Wdf01000   (deferred)             
fffff80f`e8030000 fffff80f`e8043000   WDFLDR     (deferred)             
fffff80f`e8050000 fffff80f`e8060000   WppRecorder   (deferred)             
fffff80f`e8070000 fffff80f`e807f000   SleepStudyHelper   (deferred)             
fffff80f`e8080000 fffff80f`e80a4000   acpiex     (deferred)             
fffff80f`e80b0000 fffff80f`e8101000   mssecflt   (deferred)             
fffff80f`e8110000 fffff80f`e812a000   SgrmAgent   (deferred)             
fffff80f`e8130000 fffff80f`e81f8000   ACPI       (deferred)             
fffff80f`e8200000 fffff80f`e8220000   mcupdate_AuthenticAMD   (deferred)             
fffff80f`e8230000 fffff80f`e8292000   msrpc      (deferred)             
fffff80f`e82a0000 fffff80f`e82cb000   ksecdd     (deferred)             
fffff80f`e82d0000 fffff80f`e82e1000   werkernel   (deferred)             
fffff80f`e82f0000 fffff80f`e835a000   CLFS       (deferred)             
fffff80f`e8360000 fffff80f`e8387000   tm         (deferred)             
fffff80f`e8390000 fffff80f`e83a8000   PSHED      (deferred)             
fffff80f`e83b0000 fffff80f`e83bb000   BOOTVID    (deferred)             
fffff80f`e83c0000 fffff80f`e83cc000   WMILIB     (deferred)             
fffff80f`e8400000 fffff80f`e8443000   intelpep   (deferred)             
fffff80f`e8450000 fffff80f`e845b000   WindowsTrustedRTProxy   (deferred)             
fffff80f`e8460000 fffff80f`e8474000   pcw        (deferred)             
fffff80f`e84a0000 fffff80f`e85f3000   NDIS       (deferred)             
fffff80f`e8600000 fffff80f`e8695000   NETIO      (pdb symbols)          C:\ProgramData\Dbg\sym\netio.pdb\C34301C2DC7F81959A5EF6C03D4BA3871\netio.pdb
fffff80f`e86a0000 fffff80f`e86ab000   msisadrv   (deferred)             
fffff80f`e86b0000 fffff80f`e86c2000   vdrvroot   (deferred)             
fffff80f`e86d0000 fffff80f`e873b000   pci        (deferred)             
fffff80f`e8740000 fffff80f`e876e000   pdc        (deferred)             
fffff80f`e8770000 fffff80f`e8789000   CEA        (deferred)             
fffff80f`e8790000 fffff80f`e87bf000   partmgr    (deferred)             
fffff80f`e87c0000 fffff80f`e87cb000   intelide   (deferred)             
fffff80f`e87d0000 fffff80f`e87e3000   PCIIDEX    (deferred)             
fffff80f`e87f0000 fffff80f`e8894000   spaceport   (deferred)             
fffff80f`e88a0000 fffff80f`e88b9000   volmgr     (deferred)             
fffff80f`e88c0000 fffff80f`e8923000   volmgrx    (deferred)             
fffff80f`e8930000 fffff80f`e894f000   mountmgr   (deferred)             
fffff80f`e8950000 fffff80f`e895d000   atapi      (deferred)             
fffff80f`e8960000 fffff80f`e8996000   ataport    (deferred)             
fffff80f`e89a0000 fffff80f`e89bc000   EhStorClass   (deferred)             
fffff80f`e89c0000 fffff80f`e89fe000   Wof        (deferred)             
fffff80f`e8a00000 fffff80f`e8a15000   dfsrro     (deferred)             
fffff80f`e8a20000 fffff80f`e8a92000   WdFilter   (deferred)             
fffff80f`e8aa0000 fffff80f`e8b0d000   volsnap    (deferred)             
fffff80f`e8b10000 fffff80f`e8b7f000   CLASSPNP   (deferred)             
fffff80f`e8b80000 fffff80f`e8b95000   filecrypt   (deferred)             
fffff80f`e8ba0000 fffff80f`e8bb6000   WindowsTrustedRT   (deferred)             
fffff80f`e8bc0000 fffff80f`e8bd4000   dfs        (deferred)             
fffff80f`e8be0000 fffff80f`e8bea000   Null       (deferred)             
fffff80f`e8c20000 fffff80f`e8c4e000   cdrom      (deferred)             
fffff80f`e8c50000 fffff80f`e8c5e000   tbs        (deferred)             
fffff80f`e8c60000 fffff80f`e8eed000   Ntfs       (deferred)             
fffff80f`e8ef0000 fffff80f`e8f48000   VBoxGuest   (deferred)             
fffff80f`e8f50000 fffff80f`e8f5d000   Fs_Rec     (deferred)             
fffff80f`e8f60000 fffff80f`e8f92000   ksecpkg    (deferred)             
fffff80f`e8fa0000 fffff80f`e8fbc000   disk       (deferred)             
fffff80f`e8fc0000 fffff80f`e8fdc000   crashdmp   (deferred)             
fffff80f`e9000000 fffff80f`e9078000   fwpkclnt   (deferred)             
fffff80f`e9080000 fffff80f`e90b0000   wfplwfs    (deferred)             
fffff80f`e90c0000 fffff80f`e90cb000   volume     (deferred)             
fffff80f`e90d0000 fffff80f`e90f5000   mup        (deferred)             
fffff80f`e9120000 fffff80f`e93fa000   tcpip      (deferred)             
fffff80f`e9a00000 fffff80f`e9a51000   netbt      (deferred)             
fffff80f`e9a60000 fffff80f`e9a73000   afunix     (deferred)             
fffff80f`e9a80000 fffff80f`e9b26000   afd        (deferred)             
fffff80f`e9b30000 fffff80f`e9b5b000   pacer      (deferred)             
fffff80f`e9b60000 fffff80f`e9b74000   netbios    (deferred)             
fffff80f`e9bc0000 fffff80f`e9efb000   dxgkrnl    (deferred)             
fffff80f`e9f00000 fffff80f`e9f16000   watchdog   (deferred)             
fffff80f`e9f20000 fffff80f`e9f36000   BasicDisplay   (deferred)             
fffff80f`e9f40000 fffff80f`e9f51000   BasicRender   (deferred)             
fffff80f`e9f60000 fffff80f`e9f7c000   Npfs       (deferred)             
fffff80f`e9f80000 fffff80f`e9f91000   Msfs       (deferred)             
fffff80f`e9fa0000 fffff80f`e9fc7000   tdx        (deferred)             
fffff80f`e9fd0000 fffff80f`e9fe0000   TDI        (deferred)             
fffff80f`ea000000 fffff80f`ea04e000   ahcache    (deferred)             
fffff80f`ea050000 fffff80f`ea061000   CompositeBus   (deferred)             
fffff80f`ea070000 fffff80f`ea07d000   kdnic      (deferred)             
fffff80f`ea080000 fffff80f`ea095000   umbus      (deferred)             
fffff80f`ea0a0000 fffff80f`ea0c1000   i8042prt   (deferred)             
fffff80f`ea0d0000 fffff80f`ea0e3000   kbdclass   (deferred)             
fffff80f`ea0f0000 fffff80f`ea13a000   VBoxMouse   (deferred)             
fffff80f`ea140000 fffff80f`ea153000   mouclass   (deferred)             
fffff80f`ea160000 fffff80f`ea1d6000   VBoxWddm   (deferred)             
fffff80f`ea1e0000 fffff80f`ea204080   E1G6032E   (deferred)             
fffff80f`ea210000 fffff80f`ea21f000   usbohci    (deferred)             
fffff80f`ea220000 fffff80f`ea29b000   USBPORT    (deferred)             
fffff80f`ea2a0000 fffff80f`ea2af000   CmBatt     (deferred)             
fffff80f`ea2b0000 fffff80f`ea2c0000   BATTC      (deferred)             
fffff80f`ea2d0000 fffff80f`ea30a000   amdppm     (deferred)             
fffff80f`ea310000 fffff80f`ea31d000   NdisVirtualBus   (deferred)             
fffff80f`ea320000 fffff80f`ea32c000   swenum     (deferred)             
fffff80f`ea330000 fffff80f`ea3a5000   ks         (deferred)             
fffff80f`ea3b0000 fffff80f`ea3be000   rdpbus     (deferred)             
fffff80f`ea3c0000 fffff80f`ea448000   usbhub     (deferred)             
fffff80f`ea450000 fffff80f`ea45e000   USBD       (deferred)             
fffff80f`ea460000 fffff80f`ea47f000   cdfs       (deferred)             
fffff80f`ea490000 fffff80f`ea49f000   dump_dumpata   (deferred)             
fffff80f`ea4b0000 fffff80f`ea4bd000   dump_atapi   (deferred)             
fffff80f`ea4c0000 fffff80f`ea4d2000   hidusb     (deferred)             
fffff80f`ea4e0000 fffff80f`ea51b000   HIDCLASS   (deferred)             
fffff80f`ea520000 fffff80f`ea533000   HIDPARSE   (deferred)             
fffff80f`ea540000 fffff80f`ea5c9000   mrxsmb     (deferred)             
fffff80f`ea5d0000 fffff80f`ea616000   mrxsmb20   (deferred)             
fffff80f`ea620000 fffff80f`ea66f000   srvnet     (deferred)             
fffff80f`ea670000 fffff80f`ea735000   srv2       (deferred)             
fffff80f`ea740000 fffff80f`ea76b000   winquic    (deferred)             
fffff80f`ea770000 fffff80f`ea8aa000   HTTP       (deferred)             
fffff80f`ea8b0000 fffff80f`ea986000   peauth     (deferred)             
fffff80f`ea990000 fffff80f`ea9a4000   tcpipreg   (deferred)             
fffff80f`ea9b0000 fffff80f`ea9cc000   rassstp    (deferred)             
fffff80f`ea9d0000 fffff80f`ea9e8000   NDProxy    (deferred)             
fffff80f`ea9f0000 fffff80f`eaa17000   AgileVpn   (deferred)             
fffff80f`eaa20000 fffff80f`eaa41000   rasl2tp    (deferred)             
fffff80f`eaa50000 fffff80f`eaa70000   raspptp    (deferred)             
fffff80f`eaa80000 fffff80f`eaa9c000   raspppoe   (deferred)             
fffff80f`eaaa0000 fffff80f`eaab5000   rasgre     (deferred)             
fffff80f`eaac0000 fffff80f`eaacf000   ndistapi   (deferred)             
fffff80f`eaad0000 fffff80f`eab0b000   ndiswan    (deferred)             
fffff80f`eab10000 fffff80f`eab23000   condrv     (deferred)             
fffff80f`eab30000 fffff80f`eab3f000   mouhid     (deferred)             
fffff80f`eab40000 fffff80f`eab56000   monitor    (deferred)             
fffff80f`eab60000 fffff80f`eac38000   dxgmms2    (deferred)             
fffff80f`eac40000 fffff80f`eac69000   luafv      (deferred)             
fffff80f`eac70000 fffff80f`eac9d000   wcifs      (deferred)             
fffff80f`eaca0000 fffff80f`ead16000   cldflt     (deferred)             
fffff80f`ead20000 fffff80f`ead3b000   storqosflt   (deferred)             
fffff80f`ead40000 fffff80f`ead58000   lltdio     (deferred)             
fffff80f`ead60000 fffff80f`ead7a000   mslldp     (deferred)             
fffff80f`ead80000 fffff80f`ead9b000   rspndr     (deferred)             
fffff80f`eada0000 fffff80f`eadbc000   wanarp     (deferred)             
fffff80f`eadc0000 fffff80f`eade5000   bowser     (deferred)             
fffff80f`eae00000 fffff80f`eae7a000   VBoxSF     (deferred)             
fffff80f`eae80000 fffff80f`eaefa000   rdbss      (deferred)             
fffff80f`eaf00000 fffff80f`eaf12000   nsiproxy   (deferred)             
fffff80f`eaf20000 fffff80f`eaf2d000   npsvctrig   (deferred)             
fffff80f`eaf30000 fffff80f`eaf40000   mssmbios   (deferred)             
fffff80f`eaf50000 fffff80f`eaf7c000   dfsc       (deferred)             
fffff80f`eaf80000 fffff80f`eaf9a000   mpsdrv     (deferred)             
fffff80f`eafa0000 fffff80f`eafb4000   bam        (deferred)             
fffff80f`eafc0000 fffff80f`eafdb000   WdNisDrv   (deferred)

CodePudding user response:

I use Windows Server 2019, and the module should be ntoskrnl according to the import in IDA. Somehow I didn't find that module in WinDbg (maybe there is an alias).

That's the Windows kernel binary; its symbolic name is nt.

How do I know which module imports the function, or the address of the function?

There are multiple ways of doing this, but I think the easiest is probably:

  1. Reload all modules' symbolic information.

For this you can use the .reload command, especially its /f and /s switches. Be wary that it can take some time.

Side Note: When you list all modules (using lm) you can see that they are marked as being "deferred":

0: kd> lm
start             end                 module name
ffffea92`71600000 ffffea92`718d3000   win32kbase   (deferred)
ffffea92`718e0000 ffffea92`71c95000   win32kfull   (deferred)
ffffea92`71ca0000 ffffea92`71ce9000   cdd        (deferred)
ffffea92`72200000 ffffea92`7229a000   win32k     (deferred)
fffff806`06200000 fffff806`06236000   wcifs      (deferred)
fffff806`06240000 fffff806`06254000   mmcss      (deferred)
fffff806`06260000 fffff806`062b6000   WUDFRd     (deferred)
fffff806`062c0000 fffff806`06341000   cldflt     (deferred)
...

This means the symbolic information is loaded only when needed ("lazy symbol loading"; e.g. when setting a breakpoint). If we want to find a symbol, we really need that information to be loaded, thus we need .reload /f /s (or just .reload /f).

  2. Search for the symbol.

Using the "examine symbol" command x. Notice you can use wildcards.

Example

Let's say you have the NtCreateFile API and you want to know which module implements it:

0: kd> .reload /f
Loading Kernel Symbols
...............................................................
................................................................
......

0: kd> x *!NtCreateFile
fffff806`08e99260 nt!NtCreateFile (NtCreateFile)

0: kd> lmDvm nt
Browse full module list
start             end                 module name
fffff806`08800000 fffff806`09846000   nt         (pdb symbols)          g:\symbols\ntkrnlmp.pdb\5D6312DA6921E3A4E7F938B88330B0771\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        73F1C0C4 (This is a reproducible build file hash, not a timestamp)
    CheckSum:         00A65799
    ImageSize:        01046000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

It's in the nt module (the kernel).

About .reload

Most of the time, you won't need to reload the symbols for the whole kernel space, since theoretically only the kernel binary (nt) provides the APIs that will be called. You should just do x and then, if you don't have a proper answer, try to reload the other modules' symbolic information with .reload /f.
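The answer resolves the symbol with x and then confirms the module with lmDvm. The reverse lookup, mapping an address back to the module whose range contains it, is the other half of the original question ("or the address of the function"). The script below is an added example, not part of the answer or of WinDbg: it parses the lm and x output quoted above (the same session; the symbol-path column is shortened), converts WinDbg's backtick-separated 64-bit addresses, finds the module whose start/end range contains the address, lists the modules still marked (deferred) (whose symbols x cannot see until .reload /f), and cross-checks that the mod!symbol prefix printed by x agrees with the range from lm. Function names and the Module type are this example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Module(NamedTuple):
    start: int    # first address of the image
    end: int      # one past the last address of the image
    name: str     # short name WinDbg uses as the symbol prefix, e.g. "nt"
    symbols: str  # text inside the parentheses: "deferred", "pdb symbols", ...


# `lm` and `x` output as quoted in the answer above (symbol path column shortened).
# The header line is part of real `lm` output and must be skipped by the parser.
LM_OUTPUT = r"""start             end                 module name
fffff806`06200000 fffff806`06236000   wcifs      (deferred)
fffff806`06240000 fffff806`06254000   mmcss      (deferred)
fffff806`06260000 fffff806`062b6000   WUDFRd     (deferred)
fffff806`062c0000 fffff806`06341000   cldflt     (deferred)
fffff806`08800000 fffff806`09846000   nt         (pdb symbols)          g:\symbols\ntkrnlmp.pdb\5D6312DA6921E3A4E7F938B88330B0771\ntkrnlmp.pdb
"""
X_OUTPUT = "fffff806`08e99260 nt!NtCreateFile (NtCreateFile)"

_HEX64 = r"([0-9a-fA-F]{8}`[0-9a-fA-F]{8})"
_LM_LINE = re.compile(
    r"^" + _HEX64 + r"\s+" + _HEX64 + r"\s+"  # start and end addresses
    r"(\S+)\s+"                               # module name
    r"\(([^)]*)\)"                            # symbol state in parentheses
)
_X_LINE = re.compile(r"^" + _HEX64 + r"\s+(\S+)")


def parse_address(text: str) -> int:
    """Convert a WinDbg 64-bit address such as fffff806`08e99260 to an int.
    The backtick only separates the two 32-bit halves and carries no value."""
    return int(text.replace("`", ""), 16)


def parse_lm(text: str) -> List[Module]:
    """Parse `lm` output into Module records; header and blank lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = _LM_LINE.match(line.strip())
        if m:
            modules.append(Module(parse_address(m.group(1)), parse_address(m.group(2)),
                                  m.group(3), m.group(4)))
    return modules


def module_for_address(modules: List[Module], addr: int) -> Optional[str]:
    """Name of the module whose [start, end) range contains addr, or None."""
    for mod in modules:
        if mod.start <= addr < mod.end:
            return mod.name
    return None


def deferred_modules(modules: List[Module]) -> List[str]:
    """Modules whose symbols are not loaded yet; `x *!Name` will not find
    anything in them until `.reload /f` (or `.reload /f /s`) has run."""
    return [m.name for m in modules if m.symbols == "deferred"]


def parse_x_line(line: str) -> Tuple[int, str]:
    """Split one `x` result line into (address, 'module!symbol')."""
    m = _X_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an `x` result line: {line!r}")
    return parse_address(m.group(1)), m.group(2)


def locate(x_line: str, lm_text: str) -> Tuple[Optional[str], bool]:
    """Return (module containing the address reported by `x`, whether that
    agrees with the module prefix `x` printed). A mismatch means the symbol
    information and the loaded module list are out of sync (stale symbols)."""
    addr, symbol = parse_x_line(x_line)
    module = module_for_address(parse_lm(lm_text), addr)
    prefix = symbol.split("!", 1)[0]
    return module, module == prefix


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    print("symbols still deferred:", deferred_modules(mods))
    print("NtCreateFile lives in:", locate(X_OUTPUT, LM_OUTPUT))
```

Paste a full lm listing (such as the one in the question) into LM_OUTPUT to get the complete deferred list; every module in that list is one that x will silently miss until .reload /f has been run.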
