пятница, 1 сентября 2017 г.

ETW private loggers

as you know ordinary etw loggers can be checked in compmgmt.msc\performance\data collector sets\event trace sessions
But private etw sessions cannot be showed in compmgmt.msc
Actually all private sessions stored in ntdll!EtwpLoggerArray. This array has size of 0x40 items (see allocation in function EtwpGetNextAvailableLoggerId) and looks like:

EtwpLoggerArray: 000000000524D380
00000000  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000010  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000020  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000030  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000040  80 6D 2B 05-01 00 00 00|01 00 00 00-00 00 00 00  Ђm+.............
00000050  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000060  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000070  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000080  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
00000090  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................
000000A0  01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00  ................


среда, 9 августа 2017 г.

wincheck rc8.58

download
mirror
Changelog:
  • add support of numerous versions of windows 10 insider preview - up to 16257
  • add -j option to dump jobs
  • add -dwf option to dump win32k filtering bitmaps
  • add support of DelegatedNtdll
  • add dumping of kprocess.LdtBaseAddress &LdtTableLength (based on this paper)

четверг, 13 июля 2017 г.

win32k calls filtering on w10

Lets see on some functions from W32pServiceTableFilter on w10 build 16215:
stub_UserSetSensorPresence:
  push    ebp
  mov     ebp, esp
  push    2 ; call index
  call    _IsWin32KSyscallFiltered@4    ; IsWin32KSyscallFiltered(x)
  test    al, al
  jz      short loc_1361D
  lea     ecx, aNtusersetsenso          ; "NtUserSetSensorPresence"
  mov     edx, 2
  call    @NtUserWin32kSysCallFilterStub@8 ; NtUserWin32kSysCallFilterStub(x,x)
  call    _PsIsWin32KFilterEnabled@0    ; PsIsWin32KFilterEnabled()
  test    al, al
  jz      short loc_1361D
  lea     edx, _W32pServiceTableFilter
  mov     ecx, cs:_W32pServiceLimitFilter
  mov     eax, 2 ; call index
  lea     edx, [edx+ecx*4]
  movsx   eax, byte ptr [eax+edx]
  or      eax, eax
  jle     short loc_13619
  mov     eax, 0C000001Ch ;
STATUS_INVALID_SYSTEM_SERVICE
loc_13619:
  mov     esp, ebp
  pop     ebp
  retn
loc_1361D: ; call original function
  mov     esp, ebp
  pop     ebp
  jmp     _NtUserSetSensorPresence@4    ; NtUserSetSensorPresence(x)


In some case this stub just pass control to original function (NtUserSetSensorPresence in this case) if IsWin32KSyscallFiltered or PsIsWin32KFilterEnabled returned 0, returns STATUS_INVALID_SYSTEM_SERVICE or just do nothing. Last condition depends from byte stored with call index behind W32pServiceTableFilter, so we can write simple idc script to dump all functions which will return STATUS_INVALID_SYSTEM_SERVICE:
#include

static main(void)
{
  auto  cnt, addr, tab, ftab, i, fp, name;
  addr = LocByName("_W32pServiceLimitFilter");
  if ( addr == BADADDR )
  {
    Warn("Cannot find W32pServiceLimitFilter");
    return;
  }
  cnt = Dword(addr);
  tab = LocByName("_W32pServiceTableFilter");
  if ( tab == BADADDR )
  {
    Warn("Cannot find W32pServiceTableFilter");
    return;
  }
  ftab = cnt * 4 + tab;
  fp = fopen("wf32.dmp", "w");
  for ( i = 0; i < cnt; i++, tab = tab + 4, ftab = ftab + 1 )
  {
    if ( Byte(ftab) )
    {
      addr = Dword(tab);
      name = Name(addr);
      fprintf(fp, "[%d] \"%s\",\n", i, name);
    }
  }
  fclose(fp);
}


четверг, 6 июля 2017 г.

DelegatedNtdll

It seems that since est. w10 build 15007 you can have more than one loaded 32bit ntdll.dll
Function LdrpLoadDelegatedNtdll query key DelegatedNtdll via LdrQueryImageFileKeyOption then appends this value to \\SystemRoot\\system32\\ and loads it. Sure this required changes in callbacks propagation logic

There is table LdrpDelegatedNtdllExports which just hold pairs of exported symbol and offset to it "delegated" ptr:
  • LdrInitializeThunk -> LdrDelegatedLdrInitializeThunk
  • RtlUserThreadStart -> LdrDelegatedRtlUserThreadStart
  • RtlDispatchAPC -> LdrDelegatedRtlDispatchAPC
  • KiUserExceptionDispatcher -> LdrDelegatedKiUserExceptionDispatcher
  • KiUserApcDispatcher -> LdrDelegatedKiUserApcDispatcher
  • KiUserCallbackDispatcher -> LdrDelegatedKiUserCallbackDispatcher
  • KiRaiseUserExceptionDispatcher -> LdrDelegatedKiRaiseUserExceptionDispatcher
  • LdrSystemDllInitBlock -> LdrDelegatedSystemDllInitBlock
  • LdrpChildNtdll -> LdrpChildNtdllPointer
  • LdrParentInterlockedPopEntrySList -> LdrpParentInterlockedPopEntrySListPointer
  • LdrParentRtlInitializeNtUserPfn -> LdrpParentRtlInitializeNtUserPfnPointer
  • LdrParentRtlResetNtUserPfn -> LdrpParentRtlResetNtUserPfnPointer
  • LdrParentRtlRetrieveNtUserPfn -> LdrpParentRtlRetrieveNtUserPfnPointer

Lets see how this "delegated" pfns works

пятница, 16 июня 2017 г.

EPROCESS.MitigationFlags in w10 build 16215

Lets see EPROCESS.Flags3 in w10 build 16193:
unsigned long Flags3;
unsigned long Minimal:0:1;
unsigned long ReplacingPageRoot:1:1;
unsigned long DisableNonSystemFonts:2:1;
unsigned long AuditNonSystemFontLoading:3:1;
unsigned long Crashed:4:1;
unsigned long JobVadsAreTracked:5:1;
unsigned long VadTrackingDisabled:6:1;
unsigned long AuxiliaryProcess:7:1;
unsigned long SubsystemProcess:8:1;
unsigned long IndirectCpuSets:9:1;
unsigned long InPrivate:a:1;
unsigned long ProhibitRemoteImageMap:b:1;
unsigned long ProhibitLowILImageMap:c:1;
unsigned long SignatureMitigationOptIn:d:1;
unsigned long DisableDynamicCodeAllowOptOut:e:1;
unsigned long EnableFilteredWin32kAPIs:f:1;
unsigned long AuditFilteredWin32kAPIs:10:1;
unsigned long PreferSystem32Images:11:1;
unsigned long RelinquishedCommit:12:1;
unsigned long Reserved:13:1;
unsigned long HighGraphicsPriority:14:1;
unsigned long CommitFailLogged:15:1;
unsigned long ReserveFailLogged:16:1;
unsigned long DisableDynamicCodeAllowRemoteDowngrade:17:1;
unsigned long LoaderIntegrityContinuityEnabled:18:1;
unsigned long LoaderIntegrityContinuityAudit:19:1;
unsigned long ControlFlowGuardExportSuppressionEnabled:1a:1;
unsigned long FatalAccessTerminationRequested:1b:1;
unsigned long DisableSystemAllowedCpuSet:1c:1;
unsigned long ControlFlowGuardStrict:1d:1;


and compare it with EPROCESS.Flags3 in w10 build 16215:
unsigned long Flags3;
unsigned long Minimal:0:1;
unsigned long ReplacingPageRoot:1:1;
unsigned long Crashed:2:1;
unsigned long JobVadsAreTracked:3:1;
unsigned long VadTrackingDisabled:4:1;
unsigned long AuxiliaryProcess:5:1;
unsigned long SubsystemProcess:6:1;
unsigned long IndirectCpuSets:7:1;
unsigned long RelinquishedCommit:8:1;
unsigned long HighGraphicsPriority:9:1;
unsigned long CommitFailLogged:a:1;
unsigned long ReserveFailLogged:b:1;
unsigned long SystemProcess:c:1;


dramatic difference