
windbg help missing kernel32 function


I am trying to follow this tutorial here https://www.microsoftpressstore.com/articles/article.aspx?p=2201303, specifically the part where it mentions x kernel32!writeprocessmemory.

I am unable to find the method kernel32!WriteProcessMemory, even though the documentation mentions it, but I can find kernel32!_imp__WriteProcessMemory and kernel32!WriteProcessMemoryStub. I am new to windbg and trying to follow the tutorial, so I am not sure if this method has been deprecated and, if so, what its substitute is and how we achieve similar functionality.

Thanks


Solution

  • The exported WriteProcessMemory function in fact points to the kernel32!WriteProcessMemoryStub stub, which itself jumps to kernel32!__imp_WriteProcessMemory, which redirects to the kernelbase DLL, the "real" location for this function.

    Let's check with a link dump:

    C:>link /dump /exports c:\windows\system32\kernel32.dll | findstr /I WriteProcess
           1579  62A 00036C50 WriteProcessMemory
    

    0x36C50 is the RVA where the function "WriteProcessMemory" resides in kernel32 (as given by the export table). Now in windbg:

    0:007> ln kernel32 + 0x36c50
    Browse module
    Set bu breakpoint
    
    (00007ff9`4a6e6c50)   KERNEL32!WriteProcessMemoryStub   |  (00007ff9`4a6e6c60)   KERNEL32!ZombifyActCtxStub
    

    We have an exact match which is in fact the KERNEL32!WriteProcessMemoryStub function. If we look at it:

    0:007> u KERNEL32!WriteProcessMemoryStub
    KERNEL32!WriteProcessMemoryStub:
    00007ff9`4a6e6c50 48ff2599150400  jmp     qword ptr [KERNEL32!_imp_WriteProcessMemory (00007ff9`4a7281f0)]
    00007ff9`4a6e6c57 cc              int     3
    

    We can see it's just a jump to KERNEL32!_imp_WriteProcessMemory (located somewhere in the .idata section of kernel32).

    Now if we look at what is contained at this location, we have a pointer:

    0:007> dp KERNEL32!_imp_WriteProcessMemory L1
    00007ff9`4a7281f0  00007ff9`496f0ca0
    

    If we ask windbg what is this pointer:

    0:007> ln 00007ff9`496f0ca0
    Browse module
    Set bu breakpoint
    
    (00007ff9`496f0ca0)   KERNELBASE!WriteProcessMemory   |  (00007ff9`496f0dc4)   KERNELBASE!OpenWow64CrossProcessWorkConnection
    Exact matches:
        KERNELBASE!WriteProcessMemory (void)
    

    We can see that the "real" location for WriteProcessMemory is in fact in kernelbase.dll.


    Note: you can actually do the last two commands in one with dps:

    0:007> dps KERNEL32!_imp_WriteProcessMemory L1
    00007ff9`4a7281f0  00007ff9`496f0ca0 KERNELBASE!WriteProcessMemory
    

    Windbg command used:
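The chain the answer walks by hand (stub, import slot, real implementation) can be reproduced offline by decoding the stub's `jmp qword ptr [rip+disp32]` and following the pointer. This is an added example, not code from the answer or from WinDbg; the stub bytes and addresses are the ones printed in the session above, while the memory contents and symbol names are constructed stand-ins for what `dp` and `ln` returned.

```python
import struct

# Constructed sample: the stub bytes and addresses shown in the WinDbg session.
STUB_ADDR = 0x00007FF94A6E6C50                    # KERNEL32!WriteProcessMemoryStub
STUB_BYTES = bytes.fromhex("48ff2599150400cc")    # jmp qword ptr [rip+0x41599]; int 3

# Constructed "memory": the import slot holds the pointer that `dp ... L1` printed.
MEMORY = {0x00007FF94A7281F0: 0x00007FF9496F0CA0}

# Constructed symbol table standing in for what `ln` reported at each address.
SYMBOLS = {
    0x00007FF94A6E6C50: "KERNEL32!WriteProcessMemoryStub",
    0x00007FF94A7281F0: "KERNEL32!_imp_WriteProcessMemory",
    0x00007FF9496F0CA0: "KERNELBASE!WriteProcessMemory",
}


def decode_indirect_jmp(code: bytes, addr: int) -> int:
    """Decode an x64 `jmp qword ptr [rip+disp32]` (FF 25 disp32, with an
    optional REX prefix) located at `addr` and return the pointer slot it reads."""
    i = 0
    if 0x40 <= code[0] <= 0x4F:      # REX prefix; the kernel32 stubs carry 0x48
        i = 1
    if code[i] != 0xFF or code[i + 1] != 0x25:
        raise ValueError("not an rip-relative indirect jmp")
    disp = struct.unpack_from("<i", code, i + 2)[0]
    next_ip = addr + i + 6           # disp32 is relative to the end of the instruction
    return (next_ip + disp) & 0xFFFFFFFFFFFFFFFF


def resolve_export(stub_addr: int, stub_bytes: bytes, memory: dict, symbols: dict) -> list:
    """Follow stub -> import slot -> implementation and name each hop, which is
    what `ln`, `dp` and `ln` showed one step at a time (or `dps` in one go)."""
    slot = decode_indirect_jmp(stub_bytes, stub_addr)
    target = memory[slot]
    return [symbols.get(a, f"{a:#018x}") for a in (stub_addr, slot, target)]


if __name__ == "__main__":
    for hop in resolve_export(STUB_ADDR, STUB_BYTES, MEMORY, SYMBOLS):
        print(hop)
```

Resolving the slot this way is also a quick sanity check when an API does not behave as expected: the pointer in the import slot should land inside kernelbase.dll, and a value that resolves elsewhere is worth investigating.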