The problem: we want to step out of a kernel driver that we don't have symbols for. What's the best way to break on calls out of that driver?
If you used pc (step until the next call instruction), you would also stop on calls that stay inside that driver.
Here's another approach (using an example from Pavel Lebedynskiy): single-step until the instruction pointer moves outside that module's address range:
.while (@eip > fee50000 & @eip < feef1000) { t; reip }
If you want to skip the output, you can instead set the instruction pointer, like we did in the last post using a .while trick.
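The same trick written as a small WinDbg script, added here as an example and not part of the original post: the module bounds are constructed values you would take from lm for the driver in question, and @$ip is used instead of @eip so the loop also works on x64.

```windbg
$$ Constructed example: assumed load range of the symbol-less driver (start, end) as reported by lm
r @$t0 = fee50000
r @$t1 = feef1000
$$ @$ip is the architecture-neutral instruction pointer (eip on x86, rip on x64).
$$ Trace one instruction at a time while execution stays inside the driver's range.
.while ((@$ip >= @$t0) & (@$ip < @$t1)) { t }
$$ The loop ends on the first instruction that executes outside the driver,
$$ i.e. the target of a call (or jump/return) that left the module.
r @$ip
$$ ln shows the nearest symbol and owning module when the destination has symbols
ln @$ip
```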
All postings are provided "AS IS" with no warranties, and confer no rights. Use of included script samples is subject to the terms specified at https://www.microsoft.com/info/cpyright.htm