Reverse Engineering Citrix ThinWire

Crash dump 불펌스페샬 2007. 5. 13. 23:32 posted by CecilDeSK
반응형

Reverse Engineering Citrix ThinWire

Crash dumps (and live debugging) can be very usefulfor reverse engineering component dependencies. Let’s look at MS Video Driver Architecture UML component diagram (synthesized after reading various articles from OSRand DDK):

Coupled with this understanding and armed with Citrix symbol files (which are freely downloadable from Citrix supportand you don’t really need them tosee component dependencies)Iwas able totransform this thread stack below and other similar stacks into the following UML component diagram (some functions are shown as module!xxx and offsets are removed for clarity):

nt!KiSwapContext
nt!KiSwapThread
nt!KeWaitForSingleObject
tcpip!xxx
tcpip!TCPDispatch
nt!IofCallDriver
nt!xxx
nt!xxx
TDTCP!xxx
TDTCP!xxx
TDTCP!TdIoctl
termdd!_IcaCallSd
termdd!IcaCallNextDriver
pdrframe!xxx
pdrframe!PdIoctl
termdd!_IcaCallSd
termdd!IcaCallNextDriver
pdcrypt1!xxx
pdcrypt1!PdIoctl
termdd!_IcaCallSd
termdd!IcaCallNextDriver
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!WdIoctl
termdd!IcaCallStack
termdd!IcaCallDriver
termdd!IcaDeviceControlChannel
termdd!IcaDeviceControl
termdd!IcaDispatch
win32k!GreDeviceIoControl
win32k!EngDeviceIoControl
vdtw30!xxx
vdtw30!xxx
win32k!vMovePointer
win32k!GreMovePointer
win32k!xxxMoveEventAbsolute
win32k!ProcessMouseInput
win32k!InputApc
nt!KiDeliverApc
nt!KiSwapThread
nt!KeWaitForMultipleObjects
win32k!xxxMsgWaitForMultipleObjects
win32k!xxxDesktopThread
win32k!xxxCreateSystemThreads
win32k!NtUserCallOneParam
nt!KiSystemServiceCopyEnd
nt!KiSwapThread
nt!KeWaitForSingleObject
win32k!EngWaitForSingleObject
vdtw30!xxx
vdtw30!xxx
vdtw30!xxx
vdtw30!DrvTw2SaveScreenBits
win32k!GreSaveScreenBits
win32k!CreateSpb
win32k!zzzChangeStates
win32k!zzzBltValidBits
win32k!xxxEndDeferWindowPosEx
win32k!xxxSetWindowPos
win32k!xxxShowWindow
win32k!NtUserShowWindow
nt!KiSystemService
USER32!NtUserShowWindow
USER32!InternalDialogBox
USER32!DialogBoxIndirectParamAorW
USER32!DialogBoxParamW

We replace MS components with Citrix ones:

  • Video Displaywith vdtw30.dll
  • Video Miniportwith icacdd.sys
  • Hardware andHALwithTerminal Services stack components (MS termdd.sys, Citrix wdica.sys, etc)

twarchitecture.JPG

- Dmitry Vostokov -

This entry was posted on Tuesday, October 24th, 2006 at 5:43 am and is filed under Crash Dump Analysis, Software Architecture, Kernel Development. You can follow any responses to this entry through the RSS 2.0feed. You can leave a response, or trackbackfrom your own site.

4 Responses to “Reverse Engineering Citrix ThinWire”

  1. Toby Opferman Says:
    November 5th, 2006 at 11:00 am

    The diagram is slightly inaccurate. The video driver only ever directly links against WIN32K and would not call VideoPort.Sys directly without going through WIN32K. There is also another Citrix related path missing which I would not be able to mention in a public forum.

  2. Dmitry Vostokov Says:
    November 5th, 2006 at 2:45 pm

    Thanks for pointing this out! This was adopted from the picture in OSR article:

    “From Andy’s Bookshelf: So you Wanna Write a Video Driver”
    Figure 2 - DDI and Miniport Drivers

    http://www.osronline.com/article.cfm?id=66

    I’ll add a label to that link: “via win32k!EngDeviceIoControl” similar I’ve done for vdtw30.dll and termdd.sys interaction

    Thanks,
    Dmitry

반응형

'Crash dump 불펌스페샬' 카테고리의 다른 글

Using scripts to process hundreds of user dumps  (0) 2007.05.13
Automated Crash Dump Analysis Part1  (0) 2007.05.13
New SystemDump tool  (2) 2007.05.13
UML and Device drivers  (3) 2007.05.13
IRQL_NOT_LESS_OR_EQUAL  (1) 2007.05.13
,

티스토리툴바