W32pServiceLimit .eq. 0x498
пятница, 8 сентября 2017 г.
пятница, 1 сентября 2017 г.
ETW private loggers
as you know ordinary etw loggers can be checked in compmgmt.msc\performance\data collector sets\event trace sessions
But private etw sessions cannot be showed in compmgmt.msc
Actually all private sessions stored in ntdll!EtwpLoggerArray. This array has size of 0x40 items (see allocation in function EtwpGetNextAvailableLoggerId) and looks like:
But private etw sessions cannot be showed in compmgmt.msc
Actually all private sessions stored in ntdll!EtwpLoggerArray. This array has size of 0x40 items (see allocation in function EtwpGetNextAvailableLoggerId) and looks like:
EtwpLoggerArray: 000000000524D380
00000000 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000010 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000020 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000030 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000040 80 6D 2B 05-01 00 00 00|01 00 00 00-00 00 00 00 Ђm+.............
00000050 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000060 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000070 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000080 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
00000090 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................
000000A0 01 00 00 00-00 00 00 00|01 00 00 00-00 00 00 00 ................пятница, 18 августа 2017 г.
среда, 9 августа 2017 г.
wincheck rc8.58
четверг, 13 июля 2017 г.
win32k calls filtering on w10
Lets see on some functions from W32pServiceTableFilter on w10 build 16215:
stub_UserSetSensorPresence:
In some case this stub just pass control to original function (NtUserSetSensorPresence in this case) if IsWin32KSyscallFiltered or PsIsWin32KFilterEnabled returned 0, returns STATUS_INVALID_SYSTEM_SERVICE or just do nothing. Last condition depends from byte stored with call index behind W32pServiceTableFilter, so we can write simple idc script to dump all functions which will return STATUS_INVALID_SYSTEM_SERVICE:
stub_UserSetSensorPresence:
push ebp
mov ebp, esp
push 2 ; call index
call _IsWin32KSyscallFiltered@4 ; IsWin32KSyscallFiltered(x)
test al, al
jz short loc_1361D
lea ecx, aNtusersetsenso ; "NtUserSetSensorPresence"
mov edx, 2
call @NtUserWin32kSysCallFilterStub@8 ; NtUserWin32kSysCallFilterStub(x,x)
call _PsIsWin32KFilterEnabled@0 ; PsIsWin32KFilterEnabled()
test al, al
jz short loc_1361D
lea edx, _W32pServiceTableFilter
mov ecx, cs:_W32pServiceLimitFilter
mov eax, 2 ; call index
lea edx, [edx+ecx*4]
movsx eax, byte ptr [eax+edx]
or eax, eax
jle short loc_13619
mov eax, 0C000001Ch ; STATUS_INVALID_SYSTEM_SERVICE
loc_13619:
mov esp, ebp
pop ebp
retn
loc_1361D: ; call original function
mov esp, ebp
pop ebp
jmp _NtUserSetSensorPresence@4 ; NtUserSetSensorPresence(x)In some case this stub just pass control to original function (NtUserSetSensorPresence in this case) if IsWin32KSyscallFiltered or PsIsWin32KFilterEnabled returned 0, returns STATUS_INVALID_SYSTEM_SERVICE or just do nothing. Last condition depends from byte stored with call index behind W32pServiceTableFilter, so we can write simple idc script to dump all functions which will return STATUS_INVALID_SYSTEM_SERVICE:
#include
static main(void)
{
auto cnt, addr, tab, ftab, i, fp, name;
addr = LocByName("_W32pServiceLimitFilter");
if ( addr == BADADDR )
{
Warn("Cannot find W32pServiceLimitFilter");
return;
}
cnt = Dword(addr);
tab = LocByName("_W32pServiceTableFilter");
if ( tab == BADADDR )
{
Warn("Cannot find W32pServiceTableFilter");
return;
}
ftab = cnt * 4 + tab;
fp = fopen("wf32.dmp", "w");
for ( i = 0; i < cnt; i++, tab = tab + 4, ftab = ftab + 1 )
{
if ( Byte(ftab) )
{
addr = Dword(tab);
name = Name(addr);
fprintf(fp, "[%d] \"%s\",\n", i, name);
}
}
fclose(fp);
}четверг, 6 июля 2017 г.
DelegatedNtdll
It seems that since est. w10 build 15007 you can have more than one loaded 32bit ntdll.dll
Function LdrpLoadDelegatedNtdll query key DelegatedNtdll via LdrQueryImageFileKeyOption then appends this value to \\SystemRoot\\system32\\ and loads it. Sure this required changes in callbacks propagation logic
There is table LdrpDelegatedNtdllExports which just hold pairs of exported symbol and offset to it "delegated" ptr:
Lets see how this "delegated" pfns works
Function LdrpLoadDelegatedNtdll query key DelegatedNtdll via LdrQueryImageFileKeyOption then appends this value to \\SystemRoot\\system32\\ and loads it. Sure this required changes in callbacks propagation logic
There is table LdrpDelegatedNtdllExports which just hold pairs of exported symbol and offset to it "delegated" ptr:
- LdrInitializeThunk -> LdrDelegatedLdrInitializeThunk
- RtlUserThreadStart -> LdrDelegatedRtlUserThreadStart
- RtlDispatchAPC -> LdrDelegatedRtlDispatchAPC
- KiUserExceptionDispatcher -> LdrDelegatedKiUserExceptionDispatcher
- KiUserApcDispatcher -> LdrDelegatedKiUserApcDispatcher
- KiUserCallbackDispatcher -> LdrDelegatedKiUserCallbackDispatcher
- KiRaiseUserExceptionDispatcher -> LdrDelegatedKiRaiseUserExceptionDispatcher
- LdrSystemDllInitBlock -> LdrDelegatedSystemDllInitBlock
- LdrpChildNtdll -> LdrpChildNtdllPointer
- LdrParentInterlockedPopEntrySList -> LdrpParentInterlockedPopEntrySListPointer
- LdrParentRtlInitializeNtUserPfn -> LdrpParentRtlInitializeNtUserPfnPointer
- LdrParentRtlResetNtUserPfn -> LdrpParentRtlResetNtUserPfnPointer
- LdrParentRtlRetrieveNtUserPfn -> LdrpParentRtlRetrieveNtUserPfnPointer
Lets see how this "delegated" pfns works
пятница, 16 июня 2017 г.
EPROCESS.MitigationFlags in w10 build 16215
Lets see EPROCESS.Flags3 in w10 build 16193:
and compare it with EPROCESS.Flags3 in w10 build 16215:
dramatic difference
unsigned long Flags3;
unsigned long Minimal:0:1;
unsigned long ReplacingPageRoot:1:1;
unsigned long DisableNonSystemFonts:2:1;
unsigned long AuditNonSystemFontLoading:3:1;
unsigned long Crashed:4:1;
unsigned long JobVadsAreTracked:5:1;
unsigned long VadTrackingDisabled:6:1;
unsigned long AuxiliaryProcess:7:1;
unsigned long SubsystemProcess:8:1;
unsigned long IndirectCpuSets:9:1;
unsigned long InPrivate:a:1;
unsigned long ProhibitRemoteImageMap:b:1;
unsigned long ProhibitLowILImageMap:c:1;
unsigned long SignatureMitigationOptIn:d:1;
unsigned long DisableDynamicCodeAllowOptOut:e:1;
unsigned long EnableFilteredWin32kAPIs:f:1;
unsigned long AuditFilteredWin32kAPIs:10:1;
unsigned long PreferSystem32Images:11:1;
unsigned long RelinquishedCommit:12:1;
unsigned long Reserved:13:1;
unsigned long HighGraphicsPriority:14:1;
unsigned long CommitFailLogged:15:1;
unsigned long ReserveFailLogged:16:1;
unsigned long DisableDynamicCodeAllowRemoteDowngrade:17:1;
unsigned long LoaderIntegrityContinuityEnabled:18:1;
unsigned long LoaderIntegrityContinuityAudit:19:1;
unsigned long ControlFlowGuardExportSuppressionEnabled:1a:1;
unsigned long FatalAccessTerminationRequested:1b:1;
unsigned long DisableSystemAllowedCpuSet:1c:1;
unsigned long ControlFlowGuardStrict:1d:1;and compare it with EPROCESS.Flags3 in w10 build 16215:
unsigned long Flags3;
unsigned long Minimal:0:1;
unsigned long ReplacingPageRoot:1:1;
unsigned long Crashed:2:1;
unsigned long JobVadsAreTracked:3:1;
unsigned long VadTrackingDisabled:4:1;
unsigned long AuxiliaryProcess:5:1;
unsigned long SubsystemProcess:6:1;
unsigned long IndirectCpuSets:7:1;
unsigned long RelinquishedCommit:8:1;
unsigned long HighGraphicsPriority:9:1;
unsigned long CommitFailLogged:a:1;
unsigned long ReserveFailLogged:b:1;
unsigned long SystemProcess:c:1;dramatic difference
Подписаться на:
Сообщения (Atom)