huntpig / gdiobjdump Goto Github PK

GDIObjDump is a debugger extension (WinDbg/Kd) to aid in the process 
of exploiting SessionPool overflows. It can extract information for 
all GDI Objects listed in either PEB.GdiSharedHandleTable or WIN32K!gpentHmgr.

GDIObjDump can output information in either text (console/logfile) 
or binary format (GDIObjView).

GDIObjView is a stand alone application that displays binary output 
from GDIObjDump in a graphical way. Instead of having to dig through 
thousands of lines of text, it displays the gdi table visually as a 
grid of cells, each cell representing a GDI object.

It also allows the user to filter and/or sort the grid by object address, 
type, handle or pid.

To "install", copy gdiobjdump.dll to the winext folder for x64 WinDbg/Kd. 
The path to the winext folder usually looks something like 
"<Program Files>Debugging Tools for Windows (x64)\winext"

After that, you can issue "!load gdiobjdump" to load the extension into 
WinDbg/Kd. 

NOTE: Only x64 Windbg/Kd is supported. Use the x64 debugger versions even 
for x86 targets.

!gdiobjdump -[uk] -[ab][filename] -filter

-u dumps PEB.GdiSharedHandleTable (default)
-k dumps WIN32K!gpentHmgr
-a [filename] - text output
-b [filename] - binary output

Filter options (matches only):
    -h <hex> specific handle
    -p <hex> specific pid
    -t <hex> specific type

If neither -b or -a switches are used, default output is printed on to debugger console.
If -a switch is used, a filename is required and text output is written there.
If -b switch is used, a filename is required and binary output is written there.

!gdiobjdump -u

!gdiobjdump -k -b c:\temp\out.gdidump                   

!gdiobjdump -a c:\temp\out.log -p 644 -t a -h 150a02dc