What is this?:
GDIObjDump is a debugger extension (WinDbg/Kd) that aids in the process
of exploiting SessionPool overflows. It can extract information about
all GDI objects listed in either PEB.GdiSharedHandleTable or WIN32K!gpentHmgr.
GDIObjDump can output that information in either text (console/logfile)
or binary format (for GDIObjView).
GDIObjView is a stand-alone application that displays the binary output
of GDIObjDump graphically. Instead of having to dig through thousands of
lines of text, it displays the GDI table visually as a grid of cells, each
cell representing one GDI object.
It also allows the user to filter and/or sort the grid by object address,
type, handle or pid.
Installation:
To "install", copy gdiobjdump.dll to the winext folder of the x64 WinDbg/Kd.
The path to the winext folder usually looks something like
"<Program Files>\Debugging Tools for Windows (x64)\winext"
After that, you can issue "!load gdiobjdump" to load the extension into
WinDbg/Kd.
NOTE: Only the x64 WinDbg/Kd is supported. Use the x64 debugger versions even
for x86 targets.
Usage:
!gdiobjdump [-u|-k] [-a|-b <filename>] [filter options]
-u dumps PEB.GdiSharedHandleTable (default)
-k dumps WIN32K!gpentHmgr
-a <filename> - text output
-b <filename> - binary output
Filter options (matches only):
-h <hex> specific handle
-p <hex> specific pid
-t <hex> specific type
If neither the -a nor the -b switch is used, the default text output is printed to the debugger console.
If the -a switch is used, a filename is required and text output is written there.
If the -b switch is used, a filename is required and binary output is written there.
Examples:
Parse PEB.GdiSharedHandleTable and output text to the debugger console:
!gdiobjdump -u
Parse WIN32K!gpentHmgr and write binary output to "c:\temp\out.gdidump":
!gdiobjdump -k -b c:\temp\out.gdidump
Parse PEB.GdiSharedHandleTable and write text output to "c:\temp\out.log". The log file will only contain the GDI objects matching Pid 0x644, Type 0x0a (GDIObjType_LFONT_TYPE) and Handle 0x150a02dc:
!gdiobjdump -a c:\temp\out.log -p 644 -t a -h 150a02dc
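As an added example (not code from GDIObjDump or GDIObjView) of the match-only filtering that the -h/-p/-t switches perform, the script below parses a constructed x64 GDI shared handle table and applies the same filters, reconstructing each handle from its table slot. The 24-byte GDICELL layout and the handle encoding it uses are taken from public descriptions of the table and are an assumption here; the README itself does not document the format.

```python
import struct
from dataclasses import dataclass

# 24-byte x64 GDICELL: kernel address, pid, count, upper, type, user address.
# Assumption: this layout and the handle encoding follow the commonly published
# description of the shared handle table; they are not taken from the README.
GDICELL_FMT = "<QHHHHQ"
GDICELL_SIZE = struct.calcsize(GDICELL_FMT)  # 24

@dataclass
class GdiCell:
    index: int
    kernel_addr: int
    pid: int
    count: int
    upper: int
    obj_type: int
    user_addr: int

    @property
    def handle(self) -> int:
        # Handle value = (upper << 16) | table index; low 7 bits of 'upper' hold the type.
        return (self.upper << 16) | self.index

def parse_table(buf: bytes) -> list:
    """Split a raw table dump into cells, keeping each slot index for handle reconstruction."""
    return [GdiCell(i, *struct.unpack_from(GDICELL_FMT, buf, i * GDICELL_SIZE))
            for i in range(len(buf) // GDICELL_SIZE)]

def filter_cells(cells, handle=None, pid=None, type_=None) -> list:
    """Equivalent of the -h/-p/-t switches: keep used slots that match every given value."""
    return [c for c in cells
            if c.kernel_addr != 0
            and (handle is None or c.handle == handle)
            and (pid is None or c.pid == pid)
            and (type_ is None or c.obj_type == type_)]

def build_sample() -> bytes:
    """Constructed table: slot 0x02dc holds an LFONT (type 0x0a) owned by pid 0x644,
    i.e. handle 0x150a02dc as in the README's last example; slot 1 is a filler object."""
    buf = bytearray(0x02dd * GDICELL_SIZE)
    struct.pack_into(GDICELL_FMT, buf, 1 * GDICELL_SIZE,
                     0xfffff900c0010000, 0x644, 1, 0x0104, 0x04, 0)
    struct.pack_into(GDICELL_FMT, buf, 0x02dc * GDICELL_SIZE,
                     0xfffff900c2a00000, 0x644, 1, 0x150a, 0x0a, 0)
    return bytes(buf)

if __name__ == "__main__":
    for c in filter_cells(parse_table(build_sample()), pid=0x644, type_=0x0a, handle=0x150a02dc):
        print(f"handle={c.handle:#010x} pid={c.pid:#x} type={c.obj_type:#x} kernel={c.kernel_addr:#x}")
```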