findpg

This is a WinDbg extension that finds kernel pages allocated by PatchGuard. It shows how many PatchGuard contexts are running on a target system and is intended to help security researchers who want to analyze PatchGuard on their own.

Installation

  1. Make sure that Visual C++ Redistributable Packages for Visual Studio 2013 has already been installed.

  2. Start WinDbg (only the x64 version of WinDbg is supported).

  3. Either attach to a target kernel, open a crash dump file, or start a local kernel debugging session using livekd.

  4. Load the extension with the following command:

    .load <fullpath_to_the_DLL_file>

    If you copied findpg.dll into the <WINDBG_DIR>/winext folder, you can omit the path:

    .load findpg

  5. Use !findpg to display the base addresses of pages allocated for PatchGuard, or !help to display the usage of this extension.

    !findpg
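
The five steps above can be scripted. The following PowerShell script is an added example and is not part of the findpg project: it checks that the Visual C++ 2013 runtime DLLs are present, verifies that the chosen windbg.exe is an x64 image by reading its PE header, copies findpg.dll into the debugger's winext folder, and then launches WinDbg against either a crash dump (-z) or the local kernel (-kl) with `.load findpg; !findpg` as the initial command (-c). The DLL location and the WinDbg directory are assumptions passed as parameters; adjust them for your machine. Local kernel debugging with -kl requires the machine to have been booted with kernel debugging enabled, which is why the README also mentions livekd.

```powershell
# Added example (not part of the findpg project): stage findpg.dll and run !findpg.
param(
    [string]$FindpgDll = "$PSScriptRoot\findpg.dll",                              # assumed: where the built DLL was placed
    [string]$WinDbgDir = "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64",  # assumed: x64 WinDbg install directory
    [string]$CrashDump = ""                                                         # optional: analyze a dump instead of the live kernel
)

$ErrorActionPreference = 'Stop'

# Returns $true when the PE file at $Path targets AMD64 (IMAGE_FILE_MACHINE_AMD64 = 0x8664).
function Test-IsX64Image([string]$Path) {
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # IMAGE_DOS_HEADER.e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {  # "PE\0\0"
        throw "$Path is not a PE image"
    }
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)      # IMAGE_FILE_HEADER.Machine
    return ($machine -eq 0x8664)
}

# Step 1: the extension needs the Visual C++ 2013 (v120) runtime, whose DLLs
# are installed into System32 by the redistributable package.
foreach ($rt in 'msvcr120.dll', 'msvcp120.dll') {
    if (-not (Test-Path (Join-Path $env:SystemRoot "System32\$rt"))) {
        throw "$rt not found: install the Visual C++ 2013 Redistributable (x64) first."
    }
}

# Step 2: only the x64 WinDbg is supported, so refuse a 32-bit debugger binary.
$windbg = Join-Path $WinDbgDir 'windbg.exe'
if (-not (Test-Path $windbg))       { throw "windbg.exe not found in $WinDbgDir" }
if (-not (Test-IsX64Image $windbg)) { throw "$windbg is not an x64 build; findpg supports only x64 WinDbg" }
if (-not (Test-IsX64Image $FindpgDll)) { throw "$FindpgDll is not an x64 DLL" }

# Step 4: copying the DLL into <WINDBG_DIR>\winext lets '.load findpg' resolve it without a full path.
Copy-Item $FindpgDll (Join-Path $WinDbgDir 'winext\findpg.dll') -Force

# Steps 3 and 5: open a crash dump or a local kernel session and run both commands on startup.
$initial = '.load findpg; !findpg'
if ($CrashDump) {
    & $windbg -z $CrashDump -c $initial
} else {
    & $windbg -kl -c $initial
}
```

Run it from an elevated prompt when using the live kernel, since local kernel debugging requires administrative rights; for a dump file, pass `-CrashDump C:\path\to\memory.dmp`.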

Sample Output

(screenshot: sample !findpg output; image not reproduced here)

Supported Platforms

Host:

Target:

License

This software is released under the MIT License, see LICENSE.