Quick Navigation and Some New Windows
Since I have already told you that Wilderland.EXE was written in C#, the above should come as no surprise. After returning to the main execution path by stepping through the jump statement, scroll the display down a little until you find the call to LdrpInitializeProcess (note that the default color for call statements is blue, but this can be changed to suit your preference in Tools/Configure/Disassembly). Select this line and, from the popup menu, choose Run to Selection. We will now Debug/Step Into (or F11) this routine and trace the initialization of the process a bit further. Carefully watching the activity in the next several hundred instructions or so will teach you a lot about how a Windows executable (even a managed one) begins life. I want to skip instead to another feature of PEBrowse Interactive: with the disassembly window active, select Edit/Find, enter "ZwOpenDirectoryObject", and press the Enter key. A call statement should now be highlighted; this is where we want execution to halt, so using the popup menu select Run to Selection. From the main menu, select View/Process Information (or find the toolbar button with the popup text "View process information" and press it). A new window with several tab sheets has been created (see Figure 5)
Figure 5
with the caption "Process Information: Threads." There is a lot of good stuff here, but for now select the Kernel Objects tab sheet. Depending on the version of the operating system you have, you may already see something in the display. In any case, single-step (F10) over the ZwOpenDirectoryObject call, reactivate the process information display and, if necessary, select Edit/Refresh. (Note: there is a Refresh tab sheet in Tools/Configure that specifies what one wants refreshed after each statement executes.) A new item now appears in the display! Continue on to the ZwOpenSymbolicLinkObject call; after stepping over this statement and refreshing the kernel object display again, the same thing happens, only this time the newly minted object is a SymbolicLink. Another dozen or so statements should bring the code to a ZwClose statement; stepping over it makes the SymbolicLink item disappear from the list. With PEBrowse Interactive you have a mechanism to track the creation and destruction of kernel objects and a fighting chance at detecting a nasty type of resource leak.
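The leak check that the Kernel Objects view gives you by hand can be written down as a small tracker. What follows is an added example, not code from this page or from PEBrowse Interactive: it replays a constructed trace of ZwOpen*/ZwClose events (the handle values and the sequence are invented for illustration, loosely modelled on the steps above) and reports which objects are still open at the end. As an extra check it also counts a ZwClose on a handle it never saw opened, which is the double-close case a debugger view would show as an item that is already gone.

```c
/* Added example (not PEBrowse Interactive code): replay a trace of object
 * open/close events, as you would observe them stepping over ZwOpen* and
 * ZwClose calls, and report what is still open at the end. The trace and
 * its handle values are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_OBJECTS 32

typedef enum { EV_OPEN, EV_CLOSE } EventKind;

typedef struct {
    EventKind kind;
    const char *routine;  /* routine stepped over, e.g. "ZwOpenDirectoryObject" */
    const char *type;     /* object type as the Kernel Objects view shows it */
    unsigned long handle; /* handle value returned (open) or passed (close) */
} Event;

typedef struct {
    unsigned long handle;
    const char *type;
    const char *opened_by;
    int live;             /* 1 while the handle has not been closed */
} TrackedObject;

typedef struct {
    TrackedObject objects[MAX_OBJECTS];
    size_t count;
    int stale_closes;     /* ZwClose on a handle never opened, or closed twice */
} Tracker;

static TrackedObject *find_live(Tracker *t, unsigned long handle)
{
    for (size_t i = 0; i < t->count; i++)
        if (t->objects[i].live && t->objects[i].handle == handle)
            return &t->objects[i];
    return NULL;
}

/* Apply one event. Returns 0 on success, -1 for a stale close or a full table. */
int tracker_apply(Tracker *t, const Event *e)
{
    if (e->kind == EV_OPEN) {
        if (t->count >= MAX_OBJECTS)
            return -1;
        TrackedObject *o = &t->objects[t->count++];
        o->handle = e->handle;
        o->type = e->type;
        o->opened_by = e->routine;
        o->live = 1;      /* a new item appears in the display */
        return 0;
    }
    TrackedObject *o = find_live(t, e->handle);
    if (o == NULL) {      /* closing something we never saw open: suspicious */
        t->stale_closes++;
        return -1;
    }
    o->live = 0;          /* the item disappears from the display */
    return 0;
}

/* Objects still open after the trace: the leak candidates. */
size_t tracker_live_count(const Tracker *t)
{
    size_t n = 0;
    for (size_t i = 0; i < t->count; i++)
        n += (size_t)t->objects[i].live;
    return n;
}

/* Constructed trace: a Directory is opened and never closed, a SymbolicLink
 * is opened and closed, then a second SymbolicLink is closed twice (the
 * second ZwClose is stale). Returns the number of still-open objects. */
size_t replay_sample_trace(Tracker *t)
{
    static const Event trace[] = {
        { EV_OPEN,  "ZwOpenDirectoryObject",    "Directory",    0x44 },
        { EV_OPEN,  "ZwOpenSymbolicLinkObject", "SymbolicLink", 0x48 },
        { EV_CLOSE, "ZwClose",                  NULL,           0x48 },
        { EV_OPEN,  "ZwOpenSymbolicLinkObject", "SymbolicLink", 0x4c },
        { EV_CLOSE, "ZwClose",                  NULL,           0x4c },
        { EV_CLOSE, "ZwClose",                  NULL,           0x4c },
    };
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        tracker_apply(t, &trace[i]);
    return tracker_live_count(t);
}

int main(void)
{
    Tracker t;
    size_t leaked = replay_sample_trace(&t);
    printf("%zu object(s) still open, %d stale close(s)\n", leaked, t.stale_closes);
    for (size_t i = 0; i < t.count; i++)
        if (t.objects[i].live)
            printf("  handle 0x%lx %s (opened by %s)\n",
                   t.objects[i].handle, t.objects[i].type, t.objects[i].opened_by);
    return 0;
}
```

Run it and the Directory object is the one reported as still open, with one stale close counted for the doubled ZwClose. Whether a surviving handle is a genuine leak is a judgement call (a process may legitimately keep some handles for its whole lifetime), which is why the tracker reports candidates rather than verdicts.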
The next events we will examine in the birth of a Windows program are the creation of the module load and initialization lists, which can be found by using the PEB as a starting point. Once again from the disassembly window, access Edit/Find, enter the search string "LdrpAllocateDataTableEntry", and press the Enter key. Allow the program to run to the call and then double-click the instruction in the disassembly window. You will see the window change to contain the statements comprising this routine. Press the Back key or, from the popup menu, "Back to LdrpInitializeProcess@20", and you will return to where you started. You have now seen what the target of the call statement contains. If the popup item "Jump/Call Target Popups" is selected, you will also see these statements in a "bubble" display while the call statement is selected.
Now, step over this call instruction and note the contents of the EAX register. We have already seen that double-clicking on the EAX item will bring up a memory dump window. But would it not be nice to have some structure overlay the display and add some context to this piece of memory? From the File menu, select Open UDS File; UDS is an acronym for User-Defined Structures. Navigate through the open file dialog box to find and open the "Templates.TXT" file located in the same directory where you installed my debugger. Directions for adding to and modifying structures are contained inside the templates file. For now, activate the registers window, select the EAX line, and with the popup menu select Structure. You are now prompted to select the structure you wish to apply at the address contained in EAX (see Figure 6);
Figure 6
select "ModuleItem" and a new display appears. Some of the fields in the structure have already been filled in by the call to LdrpAllocateDataTableEntry. Bring up the configuration display and under the Refresh tab sheet make certain that the "Structure" checkbox is checked. As you step through the next two dozen or so instructions you will see the remainder of the fields being filled in and the structure for the Wilderland.EXE module item added to the module lists. A little further on you will see the process being repeated for NTDLL. If what is going on here is not yet clear to you, repeat the above and see for yourself.
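To make concrete what the "ModuleItem" overlay is showing you, here is an added example, not code from this page, from PEBrowse Interactive or from NTDLL: a stand-alone C model of the loader lists that hang off the PEB. The struct field names follow the publicly documented PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY layouts, but the structs are a simplified subset assumed for illustration, not the real NTDLL layout, and the module paths and base addresses are constructed sample values. It fills in an entry the way the code after LdrpAllocateDataTableEntry does, links it into the lists, and then walks the lists back; the point to notice is that the same entry is threaded through three lists at three different offsets, so each walker has to subtract the offset of the link it is following (which is what Windows' CONTAINING_RECORD macro does).

```c
/* Added example (not PEBrowse Interactive or NTDLL code): a simplified model
 * of the loader lists reached from the PEB. Field names follow the public
 * PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY layouts, but these structs are a
 * subset assumed for illustration. Names and addresses are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {
    unsigned short Length;        /* bytes, not counting the terminator */
    unsigned short MaximumLength;
    const wchar_t *Buffer;        /* wchar_t is 2 bytes on Windows, 4 on most Unix */
} UNICODE_STRING;

/* The three list heads in PEB_LDR_DATA (model) */
typedef struct {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA_MODEL;

/* One module entry: what the "ModuleItem" template overlays (model) */
typedef struct {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase;
    void *EntryPoint;
    unsigned long SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY_MODEL;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

static void set_unicode(UNICODE_STRING *u, const wchar_t *s)
{
    u->Buffer = s;
    u->Length = (unsigned short)(wcslen(s) * sizeof(wchar_t));
    u->MaximumLength = (unsigned short)(u->Length + sizeof(wchar_t));
}

void ldr_init(PEB_LDR_DATA_MODEL *ldr)
{
    list_init(&ldr->InLoadOrderModuleList);
    list_init(&ldr->InMemoryOrderModuleList);
    list_init(&ldr->InInitializationOrderModuleList);
}

/* Fill a freshly allocated entry and link it: the work you watch after
 * LdrpAllocateDataTableEntry returns. The EXE image goes on the load- and
 * memory-order lists only; DLLs also join the initialization-order list. */
void ldr_add_module(PEB_LDR_DATA_MODEL *ldr, LDR_DATA_TABLE_ENTRY_MODEL *m,
                    const wchar_t *full, const wchar_t *base,
                    void *dll_base, unsigned long size, int is_dll)
{
    memset(m, 0, sizeof *m);
    m->DllBase = dll_base;
    m->SizeOfImage = size;
    set_unicode(&m->FullDllName, full);
    set_unicode(&m->BaseDllName, base);
    list_insert_tail(&ldr->InLoadOrderModuleList, &m->InLoadOrderLinks);
    list_insert_tail(&ldr->InMemoryOrderModuleList, &m->InMemoryOrderLinks);
    if (is_dll)
        list_insert_tail(&ldr->InInitializationOrderModuleList,
                         &m->InInitializationOrderLinks);
}

/* Walk one list, recovering each entry by subtracting the offset of the link
 * field being followed (the CONTAINING_RECORD idea). Returns the entry count. */
static size_t walk(const LIST_ENTRY *head, size_t link_offset,
                   const wchar_t **names, size_t max)
{
    size_t n = 0;
    for (const LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        const LDR_DATA_TABLE_ENTRY_MODEL *m =
            (const LDR_DATA_TABLE_ENTRY_MODEL *)((const char *)p - link_offset);
        if (n < max)
            names[n] = m->BaseDllName.Buffer;
        n++;
    }
    return n;
}

size_t ldr_walk_load_order(const PEB_LDR_DATA_MODEL *ldr, const wchar_t **names, size_t max)
{
    return walk(&ldr->InLoadOrderModuleList,
                offsetof(LDR_DATA_TABLE_ENTRY_MODEL, InLoadOrderLinks), names, max);
}

size_t ldr_walk_init_order(const PEB_LDR_DATA_MODEL *ldr, const wchar_t **names, size_t max)
{
    return walk(&ldr->InInitializationOrderModuleList,
                offsetof(LDR_DATA_TABLE_ENTRY_MODEL, InInitializationOrderLinks), names, max);
}

/* Constructed sample: the EXE first, then NTDLL, as the text describes. */
void build_sample(PEB_LDR_DATA_MODEL *ldr, LDR_DATA_TABLE_ENTRY_MODEL entries[2])
{
    ldr_init(ldr);
    ldr_add_module(ldr, &entries[0], L"C:\\sample\\Wilderland.EXE", L"Wilderland.EXE",
                   (void *)0x00400000UL, 0x6000, 0);
    ldr_add_module(ldr, &entries[1], L"C:\\WINDOWS\\system32\\NTDLL.DLL", L"NTDLL.DLL",
                   (void *)0x77F00000UL, 0x80000, 1);
}

int main(void)
{
    PEB_LDR_DATA_MODEL ldr;
    LDR_DATA_TABLE_ENTRY_MODEL entries[2];
    const wchar_t *names[4];
    build_sample(&ldr, entries);
    size_t n = ldr_walk_load_order(&ldr, names, 4);
    for (size_t i = 0; i < n; i++) printf("load order:  %ls\n", names[i]);
    n = ldr_walk_init_order(&ldr, names, 4);
    for (size_t i = 0; i < n; i++) printf("init order:  %ls\n", names[i]);
    return 0;
}
```

Walking the load-order list yields Wilderland.EXE then NTDLL.DLL, while the initialization-order list yields only NTDLL.DLL, because the executable image itself is never placed on that list. If a walker used the wrong link offset it would still traverse the ring but would read garbage fields, which is exactly the kind of mistake the structure overlay in the debugger lets you catch by eye.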