Wednesday, 3 May 2017

kernel etw traces in windows 10

In Windows 10 there is no good old global EtwpGuidHashTable; all registered ETW providers are stored in a SILO. Let's see how we can extract them.

First, check the exported function EtwRegister:
  call    _PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
  push    [ebp+arg_C]
  mov     edx, [ebp+arg_0]
  push    dword ptr [ebp+4]
  mov     ecx, [eax+1F0h]               ; ESERVERSILO_GLOBALS.EtwSiloState
  push    [ebp+arg_8]
  push    [ebp+arg_4]
  push    3
  call    _EtwpRegisterProvider@28      ; EtwpRegisterProvider(x,x,x,x,x,x,x)

The function PsGetCurrentServerSiloGlobals returns the current process's SILO, or the default SILO PspHostSiloGlobals stored in the kernel, which has type ESERVERSILO_GLOBALS. Its field EtwSiloState has type ETW_SILODRIVERSTATE:
  /*   0x0 */ /*|0x4|*/ struct _ESERVERSILO_GLOBALS* SiloGlobals;
  /*   0x8 */ /*|0x168|*/ struct _ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry;
  /* 0x170 */ /*|0x100|*/ struct _EX_RUNDOWN_REF_CACHE_AWARE* EtwpLoggerRundown[64];
  /* 0x270 */ /*|0x100|*/ struct _WMI_LOGGER_CONTEXT* WmipLoggerContext[64];
  /* 0x370 */ /*|0x700|*/ struct _ETW_HASH_BUCKET EtwpGuidHashTable[64];
  /* 0xa70 */ /*|0x10|*/ unsigned short EtwpSecurityLoggers[8];
  /* 0xa80 */ /*|0x1|*/ unsigned char EtwpSecurityProviderEnableMask;
  /* 0xa84 */ /*|0x4|*/ long EtwpShutdownInProgress;
  /* 0xa88 */ /*|0x4|*/ unsigned long EtwpSecurityProviderPID;
  /* 0xa8c */ /*|0x10|*/ struct _ETW_PRIV_HANDLE_DEMUX_TABLE PrivHandleDemuxTable;
  /* 0xa9c */ /*|0x10|*/ struct _ETW_COUNTERS EtwpCounters;
  /* 0xab0 */ /*|0x8|*/ union _LARGE_INTEGER LogfileBytesWritten;
  /* 0xab8 */ /*|0x4|*/ struct _ETW_SILO_TRACING_BLOCK* ProcessorBlocks;
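As an added illustration (not code from this post or from Windows), the walk PspHostSiloGlobals -> EtwSiloState -> EtwpGuidHashTable carried out over a constructed 32-bit memory image, with the EtwpGuidHashTable offset and bucket stride derived from the struct dump's own offset/size notation. The 0x1F0 and 0x370 offsets are the post's x86 values; the KernelImage class, the image base and the sample image are constructed.

```python
import re
import struct

# ETW_SILODRIVERSTATE layout copied from the x86 dump in the post (first five fields suffice here).
# Line format: /* offset */ /*|size|*/ type name[count];
ETW_SILODRIVERSTATE_DUMP = """
/*   0x0 */ /*|0x4|*/ struct _ESERVERSILO_GLOBALS* SiloGlobals;
/*   0x8 */ /*|0x168|*/ struct _ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry;
/* 0x170 */ /*|0x100|*/ struct _EX_RUNDOWN_REF_CACHE_AWARE* EtwpLoggerRundown[64];
/* 0x270 */ /*|0x100|*/ struct _WMI_LOGGER_CONTEXT* WmipLoggerContext[64];
/* 0x370 */ /*|0x700|*/ struct _ETW_HASH_BUCKET EtwpGuidHashTable[64];
"""
FIELD_RE = re.compile(r"/\*\s*(0x[0-9a-fA-F]+)\s*\*/\s*/\*\|(0x[0-9a-fA-F]+)\|\*/.*?(\w+)(?:\[(\d+)\])?;")

# ESERVERSILO_GLOBALS.EtwSiloState, from "mov ecx, [eax+1F0h]" in the EtwRegister listing (x86 only).
ESERVERSILO_GLOBALS_ETWSILOSTATE = 0x1F0


def parse_layout(dump):
    """Return {field name: (offset, size, element count)} from a struct dump in the post's format."""
    fields = {}
    for m in FIELD_RE.finditer(dump):
        off, size, name, count = m.groups()
        fields[name] = (int(off, 16), int(size, 16), int(count) if count else 1)
    return fields


class KernelImage:
    """Minimal 32-bit little-endian memory view over constructed bytes (stand-in for a real dump)."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def read_u32(self, va):
        off = va - self.base
        if not 0 <= off <= len(self.data) - 4:
            raise ValueError(f"address {va:#x} is outside the image")
        return struct.unpack_from("<I", self.data, off)[0]


def guid_hash_buckets(mem, psp_host_silo_globals):
    """Walk PspHostSiloGlobals -> EtwSiloState -> EtwpGuidHashTable and return the 64 bucket VAs."""
    off, size, count = parse_layout(ETW_SILODRIVERSTATE_DUMP)["EtwpGuidHashTable"]
    etw_state = mem.read_u32(psp_host_silo_globals + ESERVERSILO_GLOBALS_ETWSILOSTATE)
    if etw_state == 0:
        raise ValueError("EtwSiloState is NULL: ETW is not initialised for this silo")
    stride = size // count  # sizeof(_ETW_HASH_BUCKET): 0x700 / 64 == 0x1C on x86
    return [etw_state + off + i * stride for i in range(count)]


# Constructed sample image: PspHostSiloGlobals at 0x80400000, its EtwSiloState pointing to 0x80401000.
IMAGE_BASE = 0x80400000
_img = bytearray(0x2000)
struct.pack_into("<I", _img, 0x1F0, 0x80401000)
SAMPLE_MEM = KernelImage(IMAGE_BASE, bytes(_img))
```

On a real system the same walk is done in the debugger against the kernel's PspHostSiloGlobals symbol; the offsets above are only the ones this post shows and will differ between builds and between x86 and x64.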

Friday, 21 April 2017

etwex - ida plugin for Etw traces IIDs searching

For example, you may need to find which ETW providers are located in some module. There are lots of functions that can be used to register a provider, and manual searching is very boring.
So today I committed code for an IDA Pro plugin for searching ETW trace IIDs. It currently supports only 32-bit PE files (much better if you load the appropriate PDB file) and processes the following functions:
  • TraceLoggingRegister
  • TraceLoggingRegisterEx
  • EtwRegister from import
  • EtwEventRegister from import
  • EventRegister from import
Usage samples:

Thursday, 6 April 2017

ntdll ProtectedPolicies

It seems that since Windows 10 ntdll has a security feature called "ProtectedPolicies"; you can query it with the RtlQueryProtectedPolicy function. The prototype of this function is:
NTSTATUS NTAPI RtlQueryProtectedPolicy(GUID *policy, PDWORD out_flag);

Let's see how it works:
loc_6A277EFB:   ; CODE XREF: RtlQueryProtectedPolicy(x,x)+12 j
  push    edi
  mov     edi, offset _RtlpProtectedPoliciesSRWLock
  push    edi
  call    _RtlAcquireSRWLockShared@4    ; RtlAcquireSRWLockShared(x)
  push    offset _RtlpSearchProtectedPolicyEntry ; PtFuncCompare
  push    14h                           ; SizeOfElements
  push    ds:_RtlpProtectedPoliciesActiveCount ; NumOfElements
  push    ds:_RtlpProtectedPolicies     ; Base
  push    [ebp+Key]                     ; Key
  call    _bsearch

So the policies are stored in the array RtlpProtectedPolicies, their count is in RtlpProtectedPoliciesActiveCount, and the size of each policy is 0x14 bytes (0x18 under x64), so each policy looks like this struct:
struct protected_policy
{
  IID guid;
  DWORD flag;
};
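An added model of that lookup (not the post's code and not ntdll's): a constructed RtlpProtectedPolicies array is parsed with the entry sizes given above and binary-searched by GUID the way the bsearch call does. The entry layout (GUID at +0, DWORD flag at +0x10, x64 remainder treated as padding) and the raw little-endian GUID byte order used for comparison are assumptions, since RtlpSearchProtectedPolicyEntry is not shown; build_policy_array and the sample GUIDs are constructed.

```python
import bisect
import struct
import uuid

# Entry sizes stated in the post: 0x14 bytes on x86, 0x18 on x64 (the extra x64 bytes treated as padding).
POLICY_ENTRY_SIZE = {"x86": 0x14, "x64": 0x18}
# Assumed entry layout (the post's struct protected_policy): GUID at +0, DWORD flag at +0x10.
FLAG_OFFSET = 0x10


def parse_protected_policies(blob, arch="x86"):
    """Split a raw RtlpProtectedPolicies array into (guid_le_bytes, flag) tuples."""
    size = POLICY_ENTRY_SIZE[arch]
    if len(blob) % size:
        raise ValueError("array length is not a multiple of the entry size")
    entries = []
    for off in range(0, len(blob), size):
        flag = struct.unpack_from("<I", blob, off + FLAG_OFFSET)[0]
        entries.append((bytes(blob[off:off + 16]), flag))
    return entries


def query_protected_policy(entries, guid):
    """Model RtlQueryProtectedPolicy: bsearch by GUID, return the flag or None when not found.
    The real comparator is not shown in the post; raw little-endian GUID byte order is assumed."""
    keys = [g for g, _ in entries]
    if keys != sorted(keys):
        raise ValueError("RtlpProtectedPolicies must be sorted for bsearch to be valid")
    key = guid.bytes_le
    i = bisect.bisect_left(keys, key)
    return entries[i][1] if i < len(keys) and keys[i] == key else None


def build_policy_array(policies, arch="x86"):
    """Constructed helper: serialise (uuid.UUID, flag) pairs sorted the way the lookup expects."""
    size = POLICY_ENTRY_SIZE[arch]
    out = bytearray()
    for guid, flag in sorted(policies, key=lambda p: p[0].bytes_le):
        out += guid.bytes_le + struct.pack("<I", flag) + b"\0" * (size - 20)
    return bytes(out)


# Constructed sample: made-up policy GUIDs, not real Windows policy identifiers.
SAMPLE_POLICIES = [
    (uuid.UUID("11111111-2222-3333-4444-555555555555"), 0x1),
    (uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 0x3),
    (uuid.UUID("00000000-0000-0000-0000-000000000001"), 0x0),
]
UNKNOWN_POLICY = uuid.UUID("ffffffff-ffff-ffff-ffff-ffffffffffff")
```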

Let's see from where RtlQueryProtectedPolicy is called

Thursday, 2 March 2017

ida plugin for RFG fixups processing

Today I committed code for an IDA Pro plugin for RFG fixups processing, for both version 1 and 2.

It seems that by default, during automatic loading of PE files, IDA doesn't load the .reloc section (where RFG fixups are usually located). In that case I ask whether you want to add a new segment:
Of course, this works only if the original input file (you can get its path with the get_input_file_path function) is still available. Also I used a dirty hack: I am too lazy to parse the PE file by hand, and it seems that the node "$ PE header" keeps all sections (even those not loaded into the database!) in its supvals.


Update: it seems that the buggy IDA SDK doesn't contain the doCode function, and auto_mark_range actually does not take the end argument into account, so the bodies of prologs look ugly.

Wednesday, 1 March 2017


It seems that since around Windows 10 build 15007 the format of RFG relocs was changed, and the field IMAGE_DYNAMIC_RELOCATION_TABLE.Version now has value 2. So let's install the platform SDK for 15003 and see what was changed.

The first remarkable thing is that IMAGE_LOAD_CONFIG_DIRECTORY now has two additional fields:
    WORD       DynamicValueRelocTableSection;
    WORD       Reserved2;
    // since w10 build 15003 ?
    ULONGLONG  GuardRFVerifyStackPointerFunctionPointer; // VA
    DWORD      HotPatchTableOffset;

So sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64) is now 0xf4.

Tuesday, 7 February 2017

apisetschema.dll from windows 10 build 15025

Lots of new modules were added:
  • win-core-registry-fromapp
  • win-gaming-expandedresources
  • win-gaming-gamemonitor
  • win-ngc-serialization
  • win-security-isolatedcontainer
  • win-shcore-path
  • onecore-appmodel-tdlmigration 
  • onecore-hcap-svf
  • onecore-hnetcfg
  • onecore-mpc-input
  • onecore-shlwapi
  • onecore-spectrumsyncclient
  • win-adsi-activeds
  • win-appcompat-aepic
  • win-appmodel-restrictedappcontainer-internal
  • win-audiocore-spatial
  • win-base-rstrtmgr
  • win-core-iuri
  • win-core-winsrv
  • win-deployment-productenumerator
  • win-dx-dinput8
  • win-eventing-pdh
  • win-fs-cscapi
  • win-gaming-gamechatoverlay
  • win-gdi-gdiplus
  • win-hyperv-compute
  • win-kernel32-process
  • win-kioskmode-config
  • win-mapi-mapi32
  • win-mininput-inputhost
  • win-mm-wmvcore
  • win-net-netbios
  • win-net-netshell
  • win-net-nfdapi
  • win-nfc-semgr
  • win-ntuser-rawinput
  • win-odbc-odbc32
  • win-parentalcontrols-setup
  • win-resources-deployment
  • win-rtcore-ntuser-winevent
  • win-security-appinfoext
  • win-security-certpoleng
  • win-security-slc
  • win-shell-aclui
  • win-shell-comctl32
  • win-shell-efsadu
  • win-shell-ntshrui
  • win-shell-shdocvw
  • win-wnv