The book "Rootkit Arsenal", page 84 (Chapter 3), mentions:

..., we can view the contents of the target machine's descriptor registers using the command with the 0x100 mask: kd> rM 0x100

and a paragraph below:

Note that the same task can be accomplished by specifying the GDTR components explicitly: kd> r gdtr ....

I run WinDbg on my Windows XP (inside VMware) and choose Kernel Debug -> Local. My problem is that, for the first command, WinDbg errors with:

    lkd> rM 0x100
         ^ Operation not supported in current debug session 'rM 0x100'

and in the second command:

    lkd> r gdtr
         ^ Bad register error in 'r gdtr'

Can anyone guide me?

Mehdi Asgari
  • Please view the following stackoverflow article http://stackoverflow.com/questions/28263624/can-i-print-the-gdtr-and-gdt-descriptor-under-gdb – qstack Feb 25 '16 at 03:26

2 Answers


Right, you can't look at registers in a local kernel debug session. LiveKD works, and you can also get the address indirectly through the PCR (!pcr).

-scott

snoone
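Once !pcr (or, in a two-machine session, r gdtr / r gdtl) has given you the GDT base and limit, the next step is dq <base> L<n> to dump the raw 8-byte descriptors, which WinDbg does not decode for you. The following is an added example, not code from the original post or from Rootkit Arsenal: a small C decoder for those 64-bit values, plus the selector-to-entry lookup the CPU performs and, on x86 builds, an SGDT read as the programmatic stand-in for rM 0x100. The sample_gdt array is constructed to resemble a 32-bit Windows GDT (ring 0/3 code and data, a busy TSS, an FS segment pointing at a KPCR-style page); it was not dumped from any real machine, and the addresses in it are assumptions.

```c
/* Added example (not from the original post or from Rootkit Arsenal): decode raw
 * x86 GDT entries once the table's base is known. !pcr in a local session, or
 * "r gdtr" / "r gdtl" in a two-machine session, gives base and limit; "dq <base>"
 * dumps the 8-byte descriptors and this program turns them into fields.
 * sample_gdt is constructed to resemble a 32-bit Windows GDT, not a real dump. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct gdt_entry {
    uint32_t base;    /* 32-bit linear base address */
    uint32_t limit;   /* limit in bytes, granularity already applied */
    uint8_t  type;    /* 4-bit type field */
    bool     s;       /* 1 = code/data segment, 0 = system (TSS, LDT, gate) */
    uint8_t  dpl;     /* descriptor privilege level */
    bool     present; /* P bit */
    bool     db;      /* D/B: 32-bit default operand size / big stack */
    bool     g;       /* G: limit counts 4 KiB pages, not bytes */
};

/* Descriptor layout (Intel SDM vol. 3, "Segment Descriptors"):
 *   bits 0-15 limit[15:0]  bits 16-39 base[23:0]  bits 40-43 type  bit 44 S
 *   bits 45-46 DPL  bit 47 P  bits 48-51 limit[19:16]  bit 52 AVL  bit 53 L
 *   bit 54 D/B  bit 55 G  bits 56-63 base[31:24] */
struct gdt_entry decode_descriptor(uint64_t raw)
{
    struct gdt_entry e;
    uint32_t limit = (uint32_t)(raw & 0xffff) | (uint32_t)((raw >> 48) & 0xf) << 16;

    e.base    = (uint32_t)((raw >> 16) & 0xffffff) | (uint32_t)((raw >> 56) & 0xff) << 24;
    e.type    = (uint8_t)((raw >> 40) & 0xf);
    e.s       = (raw >> 44) & 1;
    e.dpl     = (uint8_t)((raw >> 45) & 3);
    e.present = (raw >> 47) & 1;
    e.db      = (raw >> 54) & 1;
    e.g       = (raw >> 55) & 1;
    /* With G set the limit is in pages and the low 12 bits are implicitly 1. */
    e.limit   = e.g ? (limit << 12) | 0xfff : limit;
    return e;
}

/* Coarse class of the descriptor; the full system-type table is in the SDM. */
const char *describe_type(const struct gdt_entry *e)
{
    if (e->s) return (e->type & 0x8) ? "code" : "data";
    return (e->type == 0x9 || e->type == 0xb) ? "32-bit TSS" : "system";
}

/* Resolve a selector the way the CPU does: index = sel >> 3, TI (bit 2) must be
 * clear for a GDT lookup, and an index past the table would #GP, so it is
 * reported as a failed lookup rather than read out of bounds. */
bool lookup_selector(const uint64_t *gdt, size_t count, uint16_t sel,
                     struct gdt_entry *out)
{
    size_t index = sel >> 3;
    if ((sel & 0x4) || index >= count)
        return false;
    *out = decode_descriptor(gdt[index]);
    return true;
}

/* Constructed sample laid out like a 32-bit Windows GDT (addresses assumed). */
const uint64_t sample_gdt[] = {
    0x0000000000000000ULL, /* 0x00: null descriptor */
    0x00cf9b000000ffffULL, /* 0x08: ring 0 code, base 0, limit 4 GiB */
    0x00cf93000000ffffULL, /* 0x10: ring 0 data */
    0x00cffb000000ffffULL, /* 0x18: ring 3 code */
    0x00cff3000000ffffULL, /* 0x20: ring 3 data */
    0x80008b04200020abULL, /* 0x28: busy 32-bit TSS, base 0x80042000, limit 0x20ab */
    0xff4093dff0001fffULL, /* 0x30: FS-style data segment, base 0xffdff000, limit 0x1fff */
};
const size_t sample_gdt_count = sizeof sample_gdt / sizeof sample_gdt[0];

#if defined(__i386__) || defined(__x86_64__)
/* Programmatic stand-in for "rM 0x100": SGDT stores the 16-bit limit then the
 * base and is unprivileged on classic x86. Hosts with UMIP enabled trap it and
 * may hand back a placeholder, so treat the value as informational only.
 * GCC/Clang inline assembly; MSVC would use __asm. */
struct gdtr_value { uint16_t limit; uintptr_t base; } __attribute__((packed));

struct gdtr_value read_gdtr(void)
{
    struct gdtr_value r;
    __asm__ __volatile__ ("sgdt %0" : "=m" (r));
    return r;
}
#endif

int main(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct gdtr_value r = read_gdtr();
    printf("sgdt on this host: base=%p limit=%04x\n", (void *)r.base, r.limit);
#endif
    for (size_t i = 0; i < sample_gdt_count; i++) {
        struct gdt_entry e = decode_descriptor(sample_gdt[i]);
        printf("%04zx base=%08x limit=%08x dpl=%u %s %s%s\n", i << 3, e.base, e.limit,
               (unsigned)e.dpl, e.present ? "P" : "NP", e.g ? "G " : "", describe_type(&e));
    }
    return 0;
}
```

Feed it the quadwords that dq prints at the GDT base and the output reads like the r gdtr / dg listing a two-machine session would give. The lookup mirrors the selector decoding the CPU does (index, TI, RPL), which is why a selector with TI set or an index past the limit is refused rather than indexed blindly.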

I think I've found the solution: use two computers for kernel debugging instead of Local Kernel Debug. (I used VMware and am debugging through the COM port/named pipe.) I am wondering why this facility/feature (Local Kernel Debugging) is there if it's not complete?

Mehdi Asgari
    I found a solution for Local Kernel Debugging that actually WORKS: LiveKd from Mark Russinovich: http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx – Mehdi Asgari May 05 '10 at 12:01
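The two-machine setup the answer describes, written out as an added example rather than the author's own configuration: the guest's virtual COM1 is backed by a VMware named pipe, the guest boots with the kernel debugger enabled on that port, and WinDbg on the host attaches to the other end of the pipe. The pipe name com_1, the boot-entry text and the partition path are assumptions; adjust them to the VM.

```ini
; Added example, not from the original post: VMware + WinDbg named-pipe kernel
; debugging. The pipe name (com_1) and boot-entry text are assumptions.

; --- guest .vmx (VMware Workstation): expose COM1 as a named pipe on the host ---
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_1"
serial0.pipe.endPoint = "server"
serial0.tryNoRxLoss = "TRUE"

; --- guest C:\boot.ini (Windows XP): add a second, debug-enabled boot entry ---
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (kernel debug)" /fastdetect /debug /debugport=com1 /baudrate=115200

; --- host: start WinDbg on the client end of the pipe before booting the guest ---
; windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect
```

Once the guest boots the debug entry and WinDbg reports the connection, break in (Ctrl+Break) and the commands from the book behave as printed: rM 0x100 and r gdtr both work, because the host-side debugger holds the target stopped and has access to its full register state, which a local session never does.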