пятница, 21 декабря 2012 г.

wincheck rc8.35

Download mirror
  • add -t option to show all process threads
  • add checking of some fields of TEB (and TEB32)
  • -st option now works on w2k
  • some other bugs were fixed

среда, 19 декабря 2012 г.

teb32 of wow64 process

It seems that internet is full of wrong recipes how to get subj (like this one - true anal surgery IMHO)
Actually answer is very simple - TEB32 is always located at offset 0x2000 after TEB

Lets see for example function NtSetInformationThread in kernel for THREADINFOCLASS .eq. ThreadZeroTlsCell:
  mov   rcx, [r8+0F0h]           ; load _KTHREAD.Teb in rcx
  test  rcx, rcx
  jz    loc_1403E521A
  mov   rax, [rbx+418h]          ; EPROCESS.Wow64Process
  test  rax, rax
  jz    short loc_1403E5178      ; not wow64 process
  lea   r9, [rcx+2000h]          ; wow64 process - load TEB32

  mov   edx, [rsp+118h+var_AC]
  cmp   edx, 40h
  jnb   short loc_1403E519F
  test  rax, rax                 ; again check for wow64 process
  jnz   short loc_1403E5190
  mov   [rcx+rdx*8+1480h], rsi   ; store to TEB.TlsSlots[rdx]
  test  r9, r9
  jz    short loc_1403E520A
  mov   [r9+rdx*4+0E10h], esi    ; store to TEB32.TlsSlots[rdx]

Next lets check MmCreateTeb function:   
  mov   ebx, 1820h            ; sizeof(TEB)
  mov   rax, [rcx+418h]       ; EPROCESS.Wow64Process
  mov   [rsp+98h+var_78], rax
  mov   ecx, 2FE8h            ; sizeof(TEB) rounded to page size + sizeof(TEB32)
  test  rax, rax              ; check if this process is wow64
  cmovnz ebx, ecx             ; if yes apply size for both TEBs
  lea   rdx, [rsp+98h+var_60]
  mov   rcx, r12
  call  KeStackAttachProcess
  lea   r9, [rsp+98h+var_70]
  mov   r8d, ebx              ; use this size as 3rd argument to
  mov   rdx, rdi
  mov   rcx, r12
  call  MiCreatePebOrTeb

воскресенье, 9 декабря 2012 г.

A Primer on Scientific Programming with Python

I started reading subj and really enjoy even with acknowledgments:
Ståle Zerener Haugnæss, Kristian Hiorth, Arve Knudsen, Tobias Vidarssønn Langhoff, Martin Vonheim Larsen, Kine Veronica Lund, Solveig Masvie, Håkon Møller, Rebekka Mørken,
Mathias Nedrebø
IMHO all this names sound like norvegian true-black metal bands album titles. I have a strong hope that there will be at least a chapter how to burn wooden church using results maded with sci-python, he-he

среда, 5 декабря 2012 г.

WdfFunctions.idc 64bit

Made supplement for WdfFunctions.idc for 64bit versions of KMDF. It seems that my windows server 2012 build 9200 has old Wdf01000.sys so this version of script supports WDFFUNCTIONS with size up to 0x18C only

вторник, 4 декабря 2012 г.


I am tired to manually add _WDFFUNCTIONS structure from Wdf01000.sys to any KMDF based driver IDB so I wrote today simple IDC script to automate this activity
Script just try to find WdfFunctions in loaded IDB, extract size and add appropriate version of WDFFUNCTIONS structure. Supported following 32bit versions:
  • vista (size 0x183)
  • w7 (size 0x18c)
  • w8 (size 0x1b0)

четверг, 29 ноября 2012 г.

wincheck rc8.32

Download mirror
  • add dumping some internals of ci.dll (like g_CiOptions & g_CiKernelApis). Thanks to Alex Ionescu for this idea
  • add dumping of BootEnvironmentInformation (5th dword from ExpBootEnvironmentInformation used in many interesting functions like SepIsMinTCB, he-he)
  • add dumping of EPROCESS.SignatureLevel & EPROCESS.SectionSignatureLevel (w8 only)
  • some bugs were fixed

суббота, 24 ноября 2012 г.

wincheck rc8.31

Download mirror
  • fixed all places where -nopads option gave false positives (f.e. when need to check table/data instead of function address)
  • fixed bad definition of NDIS_MINIPORT_INTERRUPT on w7 64bit
  • fixed message "Unknown kernel ntoskrnl.exe, StartAddress 390, IrpList 3F0, StackLimit 30, StackBase 278". It seems that in w7 sp1 64bit somewhere between 6.1.7601.17514 & 6.1.7601.17944 structure ETHREAD was changed
  • some bugs were fixed

пятница, 23 ноября 2012 г.

Algorithms Sequential and Parallel

This book is standard of "strategy of default". Some real quotes (page 211):
It should be noted that the running time of this algorithm can be reduced to O(log n log log n) by applying some techniques that are outside the scope of this text. In addition, the problem can also be solved by first sorting the elements in Θ(log n) time and then selecting the required element in Θ(1) time. This Θ(log n) time sorting routine is also outside the scope of this book. In fact, Θ(n) optimal-cost algorithms for the selection problem on a PRAM are known. These algorithms are also outside the scope of this text.
What I must do if I really need this out of scope algos & techniques ?

вторник, 20 ноября 2012 г.

wincheck rc8.30

Download mirror
  • add -nopads option to not include section padding for addresses analysis. Thanks to Cr4sh for this idea
  • add shortcut option -full to make all kernel checks with one option
  • fixed some wrong function names for W32pServiceTable
  • some bugs were fixed

четверг, 15 ноября 2012 г.

wincheck rc8.29

Download mirror
  • add g_CiEnabled & g_CiCallbacks checking
  • add dumping of ole32.dll security info (gAuthnLevel etc) - works only for 32bit processes
  • some bugs where fixed

How to Design Programs

I finished reading of this book today
IMHO it`s totally useless book in the same row with Design Patterns and Clean Code
  • The book about recursive functions even does not refer to master theorem ! Epic fail
  • It seems that functional style of thinking has some serious problems. For example task from chapter 41.3 can be easily solved without incapsulating list of cards inside closure - you just need to swap old first card to the second position:
    (local ((define old-card (make-hand (hand-rank a-hand) (hand-suite a-hand) (hand-next a-hand))))
    (begin (set-hand-rank! a-hand rank)
           (set-hand-suite! a-hand suite)
           (set-hand-next! a-hand old-card))) 
Also this books won`t teach you how to program with scheme bcs it doesn't describe
  • macros
  • lazyness
  • errors processing
  • continuation
  • hash tables
  • etc etc

четверг, 25 октября 2012 г.

wincheck rc8.28

Download mirror
  • add -pp option for printer providers checking. Also add dumping of spoolss!pSpoolSvForwards & spoolss!pWinSpoolForwards (since windows 7)
  • some bugs where fixed

понедельник, 22 октября 2012 г.

AVX/XOP instructions processor extender for IDA Pro

It was very surprising (for me) but even latest IDA Pro 6.3 advanced still does not support AVX and XOP instructions (just try to disasm bytes C5 F1 58 CA for example)
So I wrote a very simple processor extender plugin for decoding this instructions
Sources can be downloaded here

IDA Pro 6.X with SDK. I think this plugin also can be built on v5.X
Visual Studio 2008

Since I am too lazy I ripped all disasm tables from Bochs. I added a perl script parse.pl in data directory to generate bochs.inc file. You can generate bochs.inc with commands like
cd bochs-2.6\disasm
grep IA_AVX opcodes.inc > my
grep IA_XOP opcodes.inc >> my
grep IA_BMI opcodes.inc >> my
grep IA_FMA4 opcodes.inc >> my
grep IA_TBM opcodes.inc >> my
perl parse.pl -c my >bochs.inc

Plugin just registers hook_to_notification_point(HT_IDP, ...) and handles the following event_id:
  • custom_ana - uses bochs disasm to fill IDA Pro cmd structure
  • custom_mnem - to supply instruction name
  • custom_outop - it looks like currently IDA Pro doesn't have support for YMM registers, so I made a dirty hack - although comments in intel.hpp claims that XMM stored in op.o_idpspec5 actually they stored like any ordinal register in op->reg. So I added YMM to op->reg too but with op->dtyp == dt_ldbl
Known problems 
  • fourth operand cannot be displayed. I don`t know if this is some internal IDA restriction or I made a mistake somewhere in my code
  • ModRM is being displayed incorrectly sometimes
  • no segment registers support
  • debug version cannot be built
  • vzeroupper & vzeroall both have instruction vzeroupper. Perhaps this is a bug in Bochs disasm
  • probably over 9000 issues were left unnoticed yet

воскресенье, 21 октября 2012 г.

IDA Pro 6.3 SDK is broken ?

I try to build debug version of someplugin.plw and got following from Visual Studio 2008:
someplugin.obj : error LNK2001: unresolved external symbol _cmd
someplugin.obj : error LNK2001: unresolved external symbol _callui
someplugin.obj : error LNK2001: unresolved external symbol _ph
Btw release version building sucessfull

среда, 17 октября 2012 г.

pyside for ida pro 6.3

We evaluated both PySide and PyQt and found that both bindings work fine with IDA Pro 6.0
Well, it`s good news
Bad news is that fresh versions of shiboken and pyside from git cannot be built for ida 6.3 and qt-4.8.1 anymore
Assume that we have open-source edition of qt-4.8.1 built using recommended options
configure -release -platform win32-msvc2008 -no-qt3support -qtnamespace QT
I was able to build shiboken (see my patch below) but pyside just don`t work - see my report
Patch for building of shiboken:

понедельник, 15 октября 2012 г.

wincheck rc8.27

Download mirror
  • add PoRegisterPowerSettingCallback callbacks dumping (-pofx option)
  • add checking of storport!StorportExtensionTable
  • add dumping clients of \PowerPort & \PowerMonitorPort ALPC ports (-alpc option, since windows 7)
  • some bugs were fixed

четверг, 11 октября 2012 г.

building dynamorio

Visual Studio 2008
Cmake 2.8.9
WDK 7.1

It seems that cmake support is broken in SVN source tree so I decided to describe how to build it with Visual Studio 2008 under windows xp 32bit

First you need to change NTDLL_LIBPATH in cmake to %WDKROOT%\lib\wxp\i386
Next you must add CMAKE_ASM_SUPPORTS_INTEL_SYNTAX boolean var to cmake and set it to TRUE
Now you can generate project for vs2008 but it will be broken anyway. So next you must add path to ntdll.lib to your visual studio. Open Tools->Options menu and add path to %WDKROOT%\lib\wxp\i386 in VC++ Directories->Library files

This is not end of story - it seems that custom rules for building .obj files from .s also broken, so you must compile it manually. Run Visual Studio 2008 command prompt and type
cd %dynamorio%\core
ml pre_inject_asm.s
ml x86_core.s
ml x86_noncore.s
copy pre_inject_asm.obj dynamorio.dir\Release
copy x86_core.obj drdecode.dir\Release
copy x86_core.obj dynamorio.dir\Release
copy x86_noncore.obj dynamorio.dir\Release

среда, 10 октября 2012 г.

PoRegisterPowerSettingCallback callbacks

This documented functions was introduced in Vista. Lets check how we can enum all registered callbacks
It seems that all callbacks are stored in linked list PopRegisteredPowerSettingCallbacks and synchronized with fast mutex PopSettingLock
Structure of callback record can be easy recovered from this code (ripped from vista):
  push  34h                             ; size_t
  push  0                               ; int
  push  ebx                             ; void *
  call  _memset
  mov   eax, [ebp+Callback]
  mov   [ebx+8], esi
  mov   esi, [ebp+SettingGuid]
  lea   edi, [ebx+14h]                  ; 0x14 IID
  mov   esi, [ebp+SettingGuid]
  mov   [ebx+28h], eax                  ; 0x28 Callback
  mov   eax, [ebp+Context]
  add   esp, 0Ch
  mov   [ebx+2Ch], eax                  ; 0x2C Context
  mov   eax, [ebp+DeviceObject]
  push  esi
  mov   [ebx+30h], eax                  ; 0x30 DeviceObject

вторник, 2 октября 2012 г.

среда, 26 сентября 2012 г.

EmProviderRegister/EmpProviderRegister callbacks

This two exported functions were introduces in vista and totally undocumented. I`ll show how to dump all installed Emp callbacks here.

Check first how they used - for example in apci.sys:

    push offset _AcpiEmProviderHandle
    push 2 ; arg4
    push offset _CallbackReg ; arg3
    push 2 ; arg2
    push offset _EntryReg ; arg1
    push [ebp+arg_0]
    call _EmProviderRegister

Clear enough - arg1 is pointer to some EmpEntries, arg2 is size of EmpEntries, arg3 is pointer to EmpCallbacks and arg4 is size of EmpCallbacks. Last arg returns registered HANDLE. Lets check how EmpEntries & EmpCallbacks look:

вторник, 25 сентября 2012 г.

wincheck rc8.25

Download mirror
  • add some initial support of windows server 2012 rtm
  • add -wnf option to show WNF notifiers
  • some bugs was fixed

Common Lisp: A Gentle Introduction to Symbolic Computation

I finished reading this old (1989 !) but still cool book today. It is not so funny as "Land of Lisp" but it  has code to play tic-tac-toe ! And I am really impressed bcs "classical" recursive factorial function was introduced only in the middle of books at page 237

I am not crazy enough to use emacs so for all code samples and exercises I used LispIDE and ecl. It seems that this combination is not officially supported but it works fine - you just need to choose right ecl2.exe in Settings->Set Lisp path menu. The only drawback is that DOCUMENTATION function doesn`t work in my ecl version

суббота, 22 сентября 2012 г.

IDA loader of .dcu files from XE3

Download mirror
It seems that xe3 has only minor changes - when I just add correct signatures I got only 352 badly parsed .dcu files from total 1521 !
x64 debug versions are not supported
Also it would be cool if next version of delphi has version ΧΞΣ, he-he

среда, 19 сентября 2012 г.

C++ Programming Language (4th Edition) - wtf ?

March 25, 2013
 Extensively rewritten to present the C++11 language
1040 pages. prooflink.
Previous edition also had 1040 pages. I just cannot imagine how it is possibly.

bug in "The Algorithm Design Manual", Second Edition ?

Сitation from subchapter 8.7.2 When are Dynamic Programming Algorithms Efficient? on page 315:
Let LP' [i, j, S] denote the longest simple path from i to j, where the intermediate vertices on this path are exactly those in the subset S. Thus, if S = {a, b, c}, there are exactly six paths
consistent with S: iabcj, iacbj, ibacj, ibcaj, icabj, and icbaj. This state space is at most 2**n, and thus smaller than enumerating the paths
Wait, if this is exponent we must have 2 ** 3 = 8 paths. But actually this is factorial ! Why Skiena claims that this is exponent ?

пятница, 14 сентября 2012 г.

WNF notifiers

It seems that windows 8 has some new (undocumented as usually) mechanism to call user-mode code from kernel - WNF
There are several new exported functions in ntdll.dll related to it:
  • RtlAllocateWnfSerializationGroup
  • RtlEqualWnfChangeStamps
  • RtlPublishWnfStateData
  • RtlQueryWnfMetaNotification
  • RtlQueryWnfStateData
  • RtlQueryWnfStateDataWithExplicitScope
  • RtlRegisterForWnfMetaNotification
  • RtlSubscribeWnfStateChangeNotification
  • RtlTestAndPublishWnfStateData
  • RtlUnsubscribeWnfNotificationWaitForCompletion
  • RtlUnsubscribeWnfNotificationWithCompletionCallback
  • RtlUnsubscribeWnfStateChangeNotification
  • RtlWaitForWnfMetaNotification
  • RtlWnfCompareChangeStamp
  • RtlWnfDllUnloadCallback
  • RtlpWnfNotificationThread - this one really called from kernel mode
Also several new functions in SSDT:
  • NtWaitForWnfNotifications
  • NtUnsubscribeWnfStateChange
  • NtUpdateWnfStateData
  • NtSubscribeWnfStateChange
  • NtQueryWnfStateData
  • NtQueryWnfStateNameInformation 
  • NtDeleteWnfStateName
  • NtDeleteWnfStateData
  • NtCreateWnfStateName
I`ll describe here only user-mode structure which holds pointers to notifiers

понедельник, 10 сентября 2012 г.

wincheck rc8.24

  • update udis86 with lots of new intructions
  • -k option now able to correctly kill "critical processes" (there are too many smarties around who use RtlSetProcessIsCritical)
  • add dumping of debug port for each process
  • add dumping of ntdll!g_dwLastErrorToBreakOn
  • some bugs was fixed

суббота, 8 сентября 2012 г.

AVX structure

It seems that AVX has crazy structure. Obvious first step is order on opcode byte. Then for each opcode we need yet 4 tables for pp. Next for 66 prefix we need yet 3 tables for 0f, 0f38 & 0f3a. And anyway we have ambiguity:
  • for W field: vmovd - 128.W0 vs vmovq - 128.W1
  • for vvvv field: vmovss - NDS.LIG.WIG vs vmovss - LIG.WIG
  • for L field: vzeroall - 256.WIG vs vzeroupper - 128.WIG
Wrote simple perl script for instructions parsing and simple ordering

среда, 5 сентября 2012 г.

Gray Hat Python

I have finished reading of this slim book and I am really disappointed:
  • python sucks. The only reasons why I am still using it are NetworkX and PyKd
  • CreateRemoteThread doesn`t work since vista times and I am sure this was known in 2009. Actually whole book is full of such little irritating things which just don`t work
  • Immunity debugger & idapython were described very laconically
  • PyEmu is sooooo sloooooow...
[sarcasm mode on]
Why we still don`t have excellent books like "gray hat assembler", "bloody and dirty perl" or "haskell quantum physics lean and mean for dummies in 24 hours" ?
[sarcasm mode off]

    вторник, 4 сентября 2012 г.

    udis86 update

    I added today support for tzcnt + new code page for 0f 7a opcodes from sse5a:
    • frczps
    • frczpd
    • frczss
    • frczsd
    • cvtph2ps
    • cvtps2ph
    • phaddbw
    • phaddbd
    • phaddbq
    • phaddwd
    • phaddwq
    • phadddq
    • phaddubw
    • phaddubd
    • phaddubq
    • phadduwd
    • phadduwq
    • phaddudq
    • phsubbw
    • phsubwd
    • phsubdq
    New version can be downloaded here

    четверг, 30 августа 2012 г.

    Inside Windows Debugging

    Finished reading of this excellent book. A very good introduction for using windbg/appverifier/xperf. Although author don`t know about commands .pagein & !pool this books still contains lots of usefull debugging tricks:
    • for wow64 debugging
    • for .net debugging (like setting COMPLUS_HeapVerify & COMPLUS_GCStress environment vars)
    • ntdll!g_dwLastErrorToBreakOn 
    • using xperf to capture stack traces (sadly works only since windows 7)
    • and many others !

    вторник, 21 августа 2012 г.

    sprintf_s - wtf ?

    Lets assume that we set some handler with LdrRegisterDllNotification and just dump all (un)loaded modules to log file. Access to this log is synchronized with critical section - lets name it LogFileCSection. Today I discovered that this simple scheme can lead to unpredictable deadlocks:
    thread 1:

    02fbd09c 77c88dd4 ntdll_77c50000!ZwWaitForSingleObject+0x15
    02fbd100 77c88cb8 ntdll_77c50000!RtlpWaitOnCriticalSection+0x13e
    02fbd128 6c4d6144 ntdll_77c50000!RtlEnterCriticalSection+0x150 ; waits on
    02fbd1e0 6c4baf66 xxx!log_with_time+0x22
    02fbd210 77cb76b8 xxx!my_notifier+0x36
    02fbd240 77c8c74a ntdll_77c50000!LdrpSendDllNotifications+0x45
    02fbd328 77c8c389 ntdll_77c50000!LdrpFindOrMapDll+0x735
    02fbd4a8 77c8c4b5 ntdll_77c50000!LdrpLoadDll+0x2b2
    02fbd4e0 759a1d2a ntdll_77c50000!LdrLoadDll+0xaa ; LdrpLoaderLock acquired
    02fbd518 7741493c KERNELBASE!LoadLibraryExW+0x178
    02fbd52c 6b268546 KERNEL32!LoadLibraryW+0x11
    02fbd540 6b261404 IEFRAME!GetDloadFunction+0x20
    02fbd55c 6b261623 IEFRAME!DwmSetWindowAttribute+0x2f
    02fbd580 6b2615bd IEFRAME!CTabThumbnailHandler::_OnCreate+0x45
    02fbd59c 6b2d7e17 IEFRAME!CTabThumbnailHandler::v_WndProc+0xa0
    02fbd5c0 766c62fa IEFRAME!CImpWndProc::s_WndProc+0x65
    02fbd5ec 766c6d3a USER32!InternalCallWinProc+0x23
    02fbd664 766c6de8 USER32!UserCallWinProcCheckWow+0x109
    02fbd6c0 766ca740 USER32!DispatchClientMessage+0xe0
    02fbd700 77c6011a USER32!__fnINLPCREATESTRUCT+0x91
    02fbd780 766ca8e8 ntdll_77c50000!KiUserCallbackDispatcher+0x2e
    02fbda2c 766caa3c USER32!VerNtUserCreateWindowEx+0x1a9
    02fbdae0 766c8a5c USER32!_CreateWindowEx+0x210
    02fbdb1c 6b293892 USER32!CreateWindowExW+0x33
    02fbdb5c 6b24ad22 IEFRAME!Detour_CreateWindowExW+0x6a
    02fbdb9c 6b261adb IEFRAME!SHFusionCreateWindowEx+0x47
    02fbdcec 6b2619f6 IEFRAME!CTabThumbnailHandler::_Initialize+0xc6
    02fbdcfc 6b261118 IEFRAME!CTabThumbnailHandler::CreateInstance+0x3f
    02fbdd2c 6b284a68 IEFRAME!CShellBrowser2::AfterWindowCreated+0x9c
    02fbfe40 6b294f7a IEFRAME!CTabWindow::_TabWindowThreadProc+0x23c
    02fbfef8 76215c2b IEFRAME!LCIETab_ThreadProc+0x2c1
    02fbff08 774133ca iertutil!CIsoScope::RegisterThread+0xab
    02fbff14 77c89ed2 KERNEL32!BaseThreadInitThunk+0xe

    суббота, 4 августа 2012 г.


    Very cool tool to show windows hooks - with source code !
    It seems that it using dbghelp.dll to download win32k.pdb and extract following symbols:
    • ValidateHwnd
    • gpresUser
    • UserGetAtomName - why not NtUserGetAtomName ?
    • aatomSysLoaded
    • grpWinStaList
    I already described how to get aatomSysLoaded. It seems that most hard part is how to find grpWinStaList

    пятница, 27 июля 2012 г.

    Ocaml 4.00

    • Microsoft-based native Win32 port. No binary distribution available yet; download the source distribution and compile it.
    • Microsoft-based native Win64 port. Same features as the Microsoft-based native Win32 port, but generates 64-bit code. No binary distribution available yet; download the source distribution and compile it.

    вторник, 24 июля 2012 г.

    hypervisor callbacks in w8

    There are couple of exported functions to set up some hypervisor related callbacks

    Set WHEA callback into global variable HvlpWheaErrorNotificationCallback

    Set up to 5 (in w8 release preview up to 8) callbacks in global array HvlpInterruptCallback. This callbacks are called in HvlRouteInterrupt:
    • index 0 - from KiHvInterrupt
    • index 1 - from KiVmbusInterrupt0
    • index 2 - from KiVmbusInterrupt1
    • index 3 - from KiVmbusInterrupt2
    • index 4 - from KiVmbusInterrupt3

    понедельник, 16 июля 2012 г.


    In windows 8 there is some another undocumented function to set callback inside netio.sys. Check it in disasm:

        mov edi, _gWfpGlobal
        xor edx, edx
        lea ecx, [edi+2B8h]
        lea esp, [esp+0Ch+var_C]
        cmp dword ptr [ecx], 0
        jnz short loc_32397
        mov eax, [ebp+callback]
        lea ecx, [edx+edx*2] ; * 3
        mov [edi+ecx*4+2B8h], eax ; * 12
        movzx ecx, [ebp+arg_4]
        mov eax, _gWfpGlobal
        lea edx, [edx+edx*2]
        add edx, edx
        add edx, edx
        mov [edx+eax+2B4h], ecx
        mov ecx, [ebp+arg_0]
        mov eax, _gWfpGlobal
        mov [edx+eax+2B0h], ecx

        inc edx
        add ecx, 0Ch
        cmp edx, 5
        jb  loc_32314

    We can see here that gWfpGlobal contains at offset 0x2B8 5 elements with size 0xC (0x10 on x64) where stored pointer to callback function. Both gWfpGlobal and offset can be obtained with static analysis

    пятница, 13 июля 2012 г.

    callback tables in Fwpkclnt.sys on w8

    It seems that under w8 there are couple of undocumented exported functions called to set some callback tables - FwpsL2DispatchTableAndGlobalsSet0 & FwpsTcpIpDispatchTableAndGlobalsSet0:

    Check for example FwpsTcpIpDispatchTableAndGlobalsSet0 in disasm:
        mov edi, edi
        push ebp
        mov ebp, esp
        mov eax, [ebp+arg_4]
        push esi
        mov esi, [ebp+arg_0]
        push edi
        mov edi, TcpIpDispatchTable
        push 2Ah
        pop ecx
        rep movsd

    We see here that arg_0 are copied to some variable which I named as TcpIpDispatchTable. It can easy be obtained with static analysis. FwpsL2DispatchTableAndGlobalsSet0 looks identical

    Sample of output from w8 release preview:

    Fwpkclnt.sys exports on w8

    to compare with

    среда, 11 июля 2012 г.

    вторник, 10 июля 2012 г.

    wincheck rc8.21

    Download mirror


    This undocumented function set some callback for NSI providers. I`ll show how to find this registered callbacks. Quick look in disasm shows that this callbacks are stored somewhere deeply in structures linked in list with head in NsiNmpList, so lets check it with debugger:

    kd> ? netio!NsiNmpList
    Evaluate expression: -6184740751232 = fffffa60`00b97880
    kd> dt _LIST_ENTRY fffffa60`00b97880
     [ 0xfffffa60`00b974e8 - 0xfffffa80`03240408 ]
       +0x000 Flink            : 0xfffffa60`00b974e8 _LIST_ENTRY [ 0xfffffa80`0168e018 - 0xfffffa60`00b97880 ]
       +0x008 Blink            : 0xfffffa80`03240408 _LIST_ENTRY [ 0xfffffa60`00b97880 - 0xfffffa80`018ec738 ]
    kd> dp fffffa60`00b974e8
    fffffa60`00b974e8  fffffa80`0168e018 fffffa60`00b97880
    fffffa60`00b974f8  fffffa60`00b8b530 00000000`00000001
    fffffa60`00b97508  00000000`00000000 fffffa60`00b8ee28
    fffffa60`00b97518  00000000`00000000 00000000`00000000
    fffffa60`00b97528  00000000`00000000 00000001`000e0002
    fffffa60`00b97538  fffffa60`00b97538 fffffa60`00b97538
    fffffa60`00b97548  00000000`00000000 00000000`00000000
    fffffa60`00b97558  00000000`00000000 00000000`00000100
    kd> u fffffa60`00b8b530 l1
    fffffa60`00b8b530 1800            sbb     byte ptr [rax],al
    kd> u fffffa60`00b8ee28 l1
    fffffa60`00b8ee28 0000            add     byte ptr [rax],al

    It seems that first 2 pointers are LIST_ENTRY. Lets see some more samples:

    kd> !pool fffffa80`0168e018 2
    Pool page fffffa800168e018 region is Nonpaged pool
    *fffffa800168e000 size:   d0 previous size:    0  (Allocated) *NMpc
            Owning component : Unknown (update pooltag.txt)

    kd> dp fffffa80`0168e018
    fffffa80`0168e018  fffffa80`0189f3f8 fffffa60`00b974e8
    fffffa80`0168e028  fffffa60`00b8b548 00000000`00000002
    fffffa80`0168e038  fffffa80`0168d270 fffffa60`00b8ffc0
    fffffa80`0168e048  00000000`00000000 fffffa80`0168d30c
    fffffa80`0168e058  00000000`00000000 00000001`000e0002
    fffffa80`0168e068  fffffa80`0168e068 fffffa80`0168e068
    fffffa80`0168e078  00000000`00000000 00000000`00000000
    fffffa80`0168e088  00000000`00000000 00000000`00000100
    kd> u fffffa60`00b8b548 l1
    fffffa60`00b8b548 1800            sbb     byte ptr [rax],al

    kd> !pool fffffa80`0168d270 2
    Pool page fffffa800168d270 region is Nonpaged pool
    *fffffa800168d260 size:   50 previous size:   40  (Allocated) *RMcc
            Owning component : Unknown (update pooltag.txt)
    kd> u fffffa60`00b8ffc0 l1
    fffffa60`00b8ffc0 0000            add     byte ptr [rax],al
    kd> !pool fffffa80`0168d30c 2
    Pool page fffffa800168d30c region is Nonpaged pool
    *fffffa800168d2b0 size:   80 previous size:   50  (Allocated) *NMRb
            Pooltag NMRb : Network Module Registrar Bindings, Binary : tcpip.sys

    kd> dp fffffa80`018d9d48
    fffffa80`018d9d48  fffffa80`018e0cc8 fffffa80`018adde8
    fffffa80`018d9d58  fffffa60`00f26f28 00000000`00000006
    fffffa80`018d9d68  fffffa80`018d9c60 fffffa60`00f2b5f0
    fffffa80`018d9d78  00000000`00000000 fffffa80`018d43fc
    fffffa80`018d9d88  fffffa80`032f2b60 00000001`000e0002
    fffffa80`018d9d98  fffffa80`018d9d98 fffffa80`018d9d98
    fffffa80`018d9da8  fffffa80`029784c0 fffffa80`018d9de0
    fffffa80`018d9db8  00000000`00000000 00000000`00000100
    kd> u fffffa60`00f26f28 l1
    fffffa60`00f26f28 1800            sbb     byte ptr [rax],al
    kd> u fffffa60`00f2b5f0 l1
    fffffa60`00f2b5f0 0000            add     byte ptr [rax],al
    kd> !pool fffffa80`032f2b60 2
    Pool page fffffa80032f2b60 region is Unknown
    *fffffa80032f2b50 size:  280 previous size:  270  (Allocated) *NSIr
            Pooltag NSIr : NSI Generic Buffers, Binary : nsi.dll

    пятница, 6 июля 2012 г.

    NPI clients & providers

    Some good introduction about NPI can be found here
    The main question is how to enumerate all registered NPI clients & providers ? It seems that windbg does not have any plugin for netio.sys support

    Lets check some code in disasm - function NmrpFindOrAddRegisteredNpiId called from NmrpGetModule & NmrpRegisterModuleAndGetBindableCandidates:

        mov esi, [ebp+arg_0]
        mov ebx, [esi]
        and ebx, 1                          ; 2 items
        imul ebx, 30h                       ; with length 0x30
        add ebx, offset _NmrRegisteredNpiIdTable
        push esi
        lea eax, [ebx+4]                    ; offset 4 - NpiId
        push eax
        call _NmrpIsEqualNpiId@8
        test al, al
        jnz short loc_1D6BE
        mov [ebp+arg_0], ebx
        mov ebx, [ebx]
        test ebx, ebx
        jnz short loc_1D65B
        cmp [ebp+arg_4], bl
        jz  short loc_1D6BE
        push 6E524D4Eh                      ; Tag - 'nRMN'
        push 30h                            ; NumberOfBytes
        push ebx                            ; PoolType
        call ds:__imp__ExAllocatePoolWithTag@12
        mov ebx, eax
        test ebx, ebx
        jz  short loc_1D6BE
        push edi
        push 30h                            ; size_t
        push 0                              ; int
        push ebx                            ; void *
        call _memset
        lea edi, [ebx+4]                    ; offset 4 - GUID NpiId
        lea eax, [ebx+14h]                  ; offset 14 - list_entry
        mov [eax+4], eax
        mov [eax], eax
        lea eax, [ebx+1Ch]                  ; offset 1C - list_entry
        mov [eax+4], eax
        mov [eax], eax
        lea eax, [ebx+24h]                  ; offset 24 - list_entry
        mov [eax+4], eax
        mov [eax], eax

    We (o`k, at least I) can see here that non exported data NmrRegisteredNpiIdTable used as hash table with 2 slots and store linked list to some other structure with size 0x30 byte. netio.pdb does not contain any usefull info besides names but recovering of this structure is easy:

    struct NpiIdItem
    /* win32 win64 offsets */
    /*   0x0   0x0 */  NpiIdItem *Next;
    /*   0x4   0x8 */  GUID       Id;
    /*  0x14  0x18 */  LIST_ENTRY clients;
    /*  0x1c  0x28 */  LIST_ENTRY providers;
    /*  0x24  0x38 */  LIST_ENTRY filters;
    /*  0x2c  0x48 */  DWORD      flags;

    So now we can traverse all NpiIdItem from both NmrRegisteredNpiIdTable slots and for each NpiIdItem also traverse clients & providers linked list.
    Example from vista 32bit:

    четверг, 5 июля 2012 г.

    rdbss registered devices

    In exported function rdbss!RxRegisterMinirdr there is such code:

        mov esi, offset mutex
        mov ecx, esi
        call ds:__imp_@ExAcquireFastMutexUnsafe@4
        mov eax, [ebp+DeviceObject]
        mov ecx, dword_23B50
        add eax, 0D4h
        mov dword ptr [eax], offset minidrd_list
        mov [eax+4], ecx
        mov [ecx], eax
        inc minidrd_cnt

    Freshly created device object was inserted in some unnamed LIST_ENTRY minidrd_list at offset 0xd4 and before was obtained fast mutex (also unnamed). All this data can be obtained with static analysis

    Sample on w7 32bit:
    rbdss registered devs count: 3
     [0] DevObj 85248020 DrvObj 8524F458 - \SystemRoot\system32\drivers\csc.sys
     [1] DevObj 851D3A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
     [2] DevObj 851D2A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys

    вторник, 3 июля 2012 г.

    wincheck rc8.20

    Download irusmirror
    • add -kshims option to show registered kernel shims
    • add checking of IoRegisterPriorityCallback callbacks
    • add checking of PoRegisterCoalescingCallback callbacks (with -pofx option)
    • add checking of http.sys!UlIoctlTable
    • Add checking of TLS callbacks (in user mode)
    • some other bugs was fixed

    суббота, 30 июня 2012 г.

    kernel shims in w8

    It seems that windows 8 kernel now has some support for driver shims.
    Exported functions to provide this functionality are:
    • KseRegisterShim
    • KseRegisterShimEx
    • KseUnregisterShim
    Shim descriptor has structure like this one:

    struct shim_descriptor
      DWORD Size;
      GUID *guid;
      wchar_t *Name;
      PVOID unk1;
      PVOID HookDriverUntargeted; // func ptr
      PVOID HookDriverTargeted;   // func ptr
      PVOID HookTab;              // ptr to hooks descriptor table

    KseRegisterShim called twice in ntoskrnl.exe with two shim descriptors:

    GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
    Hooks RtlGetVersion & PsGetVersion functions

    GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
    • IoCreateDevice
    • PoRequestPowerIrp
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ExAllocatePool
    • ExFreePool
    Sims apply in MiDriverLoadSucceeded function (by IAT hooking in KsepApplyShimsToDriver):

    среда, 27 июня 2012 г.

    wincheck rc8.19

    Download mirror
    • Add -pofx option to dump & check plugins registered with PoFxRegisterPluginEx
    • Add dumping w8 specific ETW trace callbacks (with -wmi option)
    • ole32 channel hooks checking again works on w8 release preview
    • Add checking of ole32!NdrOleExportForwardTable & ole32!NdrOleExportForwardTable
    • Add checking of ntdll!RtlpDebugPageHeapXXX handlers (works only on 32bit processes)
    • some other bugs was fixed

    вторник, 26 июня 2012 г.

    CoRegisterChannelHook in w8 consumer preview

    Declared in ole32.dll as forwarded export to COMBASE.CoRegisterChannelHook
    But combase.dll does not have such exported name, he-he
    So wincheck cannot find some COM-related structures on w8 consumer preview. On w8 dev preview all work fine

    воскресенье, 24 июня 2012 г.

    binary tree for multithread access

    I need some binary tree structure for concurrent access from multiple threads where some threads do searching and some other perform insert/delete operations. This structure must work both in kernel and user mode

    Lets add some sync primitive to each tree node -  it is going to be SRWLock in user mode and EX_PUSH_LOCK in kernel mode. It`s clear that reader can acquire shared lock while writer will use exclusive one. Bcs order of locks always have to be the same - we need tree structure with top-down rebalancing (I hope this is right assumption). So lets see which kinds of trees allow such operations
    1. weight-balanced tree. Drawbacks: need to use floating point, so in kernel mode we must care about FPU context saving/restoring
    2. classical B-tree. I think there may be a problem with granularity - when node contains a big number of keys and we need to lock it exclusively - all search operations will be blocked from this node till the lowest level of its children
    3. red-black tree. Looks like it is a good candidate but sadly I cannot find implementation in plain C with top-down rebalancing :-(
    Do I miss something important ?

      generic access rights mapping in w8


      суббота, 23 июня 2012 г.


      The official documentation for WmiQueryTraceInformation says that TRACE_INFORMATION_CLASS has only 10 values. Although build date of this documentation is 6/11/2012 in reality there are some more values
      • 0xB - return address of EtwpDiskIoNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
      • 0xC - copy content of EtwpAllNotifyRoutines. TraceInformationLength eq 0xD * sizeof(PVOID) (on w8 consumer preview size must be 0xE * sizeof(PVOID))
      • 0xD - return address of EtwpFltIoNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
      • 0xE - return address of EtwpTraceHypervisorStackwalk function. TraceInformationLength eq sizeof(PVOID)
      • 0xF - copy address of EtwpWdfNotifyRoutines. TraceInformationLength eq sizeof(PVOID)

      пятница, 22 июня 2012 г.

      How to find IopRootDeviceNode

      using static analysis only ?
      Lets see

      From exported function IoPnPDeliverServicePowerNotification:

           lea     eax, [esp+38h+Object]
           push    eax             ; Object
           call    _KeWaitForSingleObject@20

           cmp     [esp+28h+var_20], ebx
           jge     short loc_64963A
           lea     eax, [esp+28h+var_18]
           push    eax
           push    [esp+2Ch+var_1C]
           mov     eax, _IopRootDeviceNode
           push    dword ptr [eax+0B8h]
           push    [ebp+arg_0]
           call    _PnpSetPowerVetoEvent@24

      KeWaitForSingleObject called only one time in whole code graph of this function

      суббота, 16 июня 2012 г.

      Sublime Text 2

      Installed today this nice editor. One minor problem is that it does not have support of Asm from the box. Google search gives link to x86-assembly-textmate-bundle but it seems that it was made only for 32bit with GAS syntax. So I made patch for it - add more registers, instructions and some keywords from yasm/nasm

      пятница, 15 июня 2012 г.

      wincheck rc8.18

      Download mirror
      • more support of w8 release preview added. win32k.sys related checks now works
      • add -alpc option to show clients of ALPC RPC ports (since vista)
      • add checking of some rpcrt4.dll tables
      • some other bugs (especially w8rp related) was fixed

      суббота, 9 июня 2012 г.

      !alpc /lpc

      First - this command don`t work on vista:

      lkd> !object \Sessions\1\Windows\SbApiPort
      Object: 89c40ed0  Type: (82b6fed0) ALPC Port
          ObjectHeader: 89c40eb8 (old version)
          HandleCount: 1  PointerCount: 4
          Directory Object: 8fe397e0  Name: SbApiPort
      lkd> !alpc /lpc 89c40ed0
      Error querying field CommunicationInfo of structure nt!_ALPC_PORT at 89c40ed0
      Port @89c40ed0 is not a connection port.

      Second - I think it just don`t work

      пятница, 8 июня 2012 г.

      windows internals 6th edition

      page 271:
      Compile-time hotpatching support works by adding 7 additional bytes to the beginning of each function—4 are considered part of the end of the previous function, and 2 are part of the function prolog—that is, the function’s beginning.
      4 + 2 = 6. I double checked with calc.exe, he-he

      page 590:
      In the next chapter, we’ll look at the I/O system.
      Next (7th) chapter has name Networking

      List of other erratas

      среда, 6 июня 2012 г.

      wincheck rc8.17

      Download mirror
      • Add initial support of windows 8 release preview. pdb for 32bit win32k.sys is still unavailable so all win32k related checks do not work. Also I am sure that this version is very far from full support of w8 release preview (although it is much better than rc8.16 which just crashes on w8 rp)
      • Add -acpi option to check some ACPI tables
      • Fixed Etw structures for wow64 apps

      суббота, 2 июня 2012 г.

      w8 release preview W32pServiceTable 64bit

      W32pServiceLimit eq 0x3d2. In consumer preview it was 0x3c6

      w8 release preview _KPROCESS & _EPROCESS 64bit

      to compare with

      w8 release preview _KTHREAD & _ETHREAD 64bit

      to compare with

      w8 release preview KPRCB 64bit

      To compare with

      пятница, 1 июня 2012 г.

      apisetschema.dll from w8 release preview

      to compare with

      w8 release preview _KPROCESS & _EPROCESS

      to compare with

      w8 release preview _KTHREAD & _ETHREAD

      to compare with

      w8 release preview KPRCB

      to compare with

      Windows 8 Release Preview

      ISO images can be downloaded here
      WKD 8 Release Preview

      Update: not all pdb are uploaded yet - for example on win32k.sys I got:
      SYMSRV:  http://msdl.microsoft.com/download/symbols/win32k.pdb/DB9745D3386F4192BB1B0B65936BCD5F2/win32k.pdb not found

      понедельник, 28 мая 2012 г.

      Building ecl 12.5.1 for win64

      It seems that current support of win64 is broken - you can only set GMP_TYPE to gc (although gmp has right project in msvc\gmp\build.vc8\lib_gmp_amd64) and anyway building ends with following error:

              cl -c /EHsc /DGC_DLL /DGC_BUILD /nologo /D_CRT_SECURE_NO_DEPRECATE /DNDEBUG /MD /O2 /arch:SSE2 -DG
      ECL_API="__declspec(dllexport)" -I./ -I../ -I..\..\src\c -I..\..\src/gc/include  -I..\..\src/gc/include/pr
      umber.obj number.c
      cl : Command line warning D9002 : ignoring unknown option '/arch:SSE2'
      ../../src/c/number.d(479) : error C4235: nonstandard extension used : '__asm' keyword not supported on this architecture
      ../../src/c/number.d(479) : error C2065: 'fwait' : undeclared identifier
      ../../src/c/number.d(497) : error C4235: nonstandard extension used : '__asm' keyword not supported on this architecture
      ../../src/c/number.d(497) : error C2065: 'fwait' : undeclared identifier
      NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\cl.EXE"' : re

      So I made set of patches to build ecl on win64

      суббота, 26 мая 2012 г.

      dcu files loader for ida pro v2

      • Initial support for 64bit DCU files from XE2 added. dcu64.l64 now can load at least some files, he-he
      • Changed logic that calculates size of .bss section. Now if size of some type is not known (for example it is imported from other .dcu) code just assumes that it has pointer size
      • Reloc type 6 processing (xe2 specific ?) fixed

      пятница, 25 мая 2012 г.

      ecl 12.5.1 on xp64

      I tried today to build subj with vs2008 on xp 64 bit and got error:
      ;;;   Invoking external command:
      ;;;   cl -I. -IC:/src/ecl/msvc/ -DECL_API -IC:/src/ecl/msvc/c /EHsc /DGC_DLL /DGC_BUILD /nRT_SECURE_NO_DEPRECATE /Zi /D_DEBUG /MDd /Od -DGC_BUILD -w -c C:/src/ecl/msvc/lsp/export.c -FoC:/sched/msvc/lsp/export.obj
      Internal or unrecoverable error in:
      illegal stream mode
      Stack trace:

      вторник, 22 мая 2012 г.

      wincheck rc8.16

      Download mirror
      • add -rdata option for checking .rdata sections. These sections must be non-discardable and their names cannot begin with PAGE. Kernel-mode only
      • add checking of kernelbase!KernelBaseGlobalData functions pointers (windows 7 only)
      • add checking of SSPI dispatcher tables (called from SECPKG_FUNCTION_TABLE.CallPackage function)
      • add checking of dxg!gaDxgFuncs table
      • fixed function names in W32pServiceTable for windows 8 64bit

      среда, 16 мая 2012 г.


      I already claimed that ecl.dll crashes when loaded from .dll in ecl.dll!_GC_init_thread_local(). So finally I know why. Short answer - bcs it contains static TLS and so cannot be loaded with LoadLibrary:
      On Windows operating systems before Windows Vista, __declspec( thread ) has some limitations. If a DLL declares any data or object as __declspec( thread ), it can cause a protection fault if dynamically loaded. After the DLL is loaded with LoadLibrary, it causes system failure whenever the code references the __declspec( thread ) data. Because the global variable space for a thread is allocated at run time, the size of this space is based on a calculation of the requirements of the application plus the requirements of all the DLLs that are statically linked. When you use LoadLibrary, you cannot extend this space to allow for the thread local variables declared with __declspec( thread )
      Problem is that thread_local_alloc.c (where located function GC_init_thread_local) MUST be used bcs it required for elc threads. And you just cannot build ECL without threads support - msvc\Makefile contains following astounding lines:
      # Currently it is NOT SUPPORTED to build ECL without threads. The reason
      # is that certain exception handlers in Windows always use new threads.

      воскресенье, 13 мая 2012 г.

      wincheck rc8.15

      Download mirror
      • add -timp option to show threads with some impersonation tokens
      • Add NDIS OID handlers checking
      • Add TcpOffloadHandlers checking
      • Lots of meaningful fields of NDIS protocols/minidrivers/miniports was added to dump (vista/windows 7/windows 8 specific mostly)
      • Add dumping of NDIS interrupts (you must use both -ndis & -idt options)
      • Add dumping of WheapErrorSourceInitializer (vista only)
      • Fixed win32k callout on windows8
      • Some other bugs was also added fixed

      среда, 9 мая 2012 г.

      Dangerously Overinformed

      completed quiz

      You got 18 of 20 correct.
      Yes, I never used Scala & Ada, he-he

      dcu files loader for ida pro

      Supports 32bit dcu files from
      • Delphi 2007 (v12)
      • Delphi 2009 (v14)
      • Delphi 2010 (v15)
      • Delphi XE (v16)
      • Delphi XE2 (v17)
      • perhaps some more necrophilous versions too - I didn`t check
      I never was employee of Borland/CodeGear/Embarcadero Technologies/next loosers who buy this unlucky technology. Also I never saw any sources of delphi compiler, so my loader definitely may
      • work improperly. I know at least 2 files from xe/xe2 debug library which cannot be parsed and loaded
      • harm your computer
      • damage your brain
      • destroy your poor life
      • etc etc
      Loader for ida 4.90 (I think it will works also for 5.X) can be downloaded here
      This is not open source. No warranty. No support. No stupid questions

      суббота, 5 мая 2012 г.

      Programming Windows Security

      Reading this old but still good book I stumbled upon this code sample:

      HANDLE getEffectiveToken(
       DWORD dwDesiredAccess,
       BOOL bWantlmpToken,
       HANDLE htok;

       // Try to get thread token
       if (OpenThreadToken(GetCurrentThread(), dwDesiredAccess, TRUE, &htok))
        return htok;
       else if (ERROR_NO_TOKEN == GetLastError())
        // No thread tokens, we must get process token
        DWORD grfAccess = bWantlmpToken ?
            TOKEN_DUPLICATE : dwDesiredAccess;
        if (OpenProcessToken(GetCurrentProcess(), grfAccess, &htok))   
         if (bWantImpToken)
          // convert primary to impersonation token
          HANDLE htokImp;
          if (!DuplicateTokenEx(htok, dwDesiredAccess, 0,
           impLevel, TokenImpersonation, &htokImp))   
           htokImp = 0;
          return htokImp;
          return htok;
       return 0;

      BOOL WINAPI CheckTokenMembership(HANDLE TokenHandle,
         PSID SidToCheck, PBOOL IsMember)
       // if no token was passed, CTM uses the effective
       // security context (the thread or process token)
       if (!TokenHandle)
        TokenHandle = getEffectiveToken(
           TOKEN_QUERY, TRUE, SecurityIdentification);
       if (!TokenHandle) return FALSE;
       ... // irrelevant code skipped
       return AccessCheck(&sd, TokenHandle, 1, &gm, &ps, &cb, &ga, IsMember);

      Can you see handles leakage here ?

      понедельник, 30 апреля 2012 г.

      process token hijaqing

      I was asked yesterday - wincheck now is able to detect only process token hijaqed from system process but what if somebody want to steal token of some other privileged process ?
      I think it`s easy to detect from wincheck log with some simple perl script like this one:
      #!perl -w
      # Lame script to check processes token hijaq
      # 30 Apr 2012 (C) RedPlait 
      use strict;
      use warnings;
      sub parse
        my $fname = shift;
        my %hdb;
        my($fh, $str, $pid, $token);
        open($fh, '<', $fname) or die("Cannot open $fname, error $!");
        while( $str = <$fh> )
          chomp $str;
          next if ( $str !~ /Process PID (\d+) token: (.*)$/ );
          $pid = int($1);
          $token = $2;
          if ( exists $hdb{$token} )
            printf("Process %d has the same token as %d !\n", $pid, $hdb{$token});
          } else {
            $hdb{$token} = $pid;
        close $fh;
      parse $_ foreach @ARGV;

      среда, 25 апреля 2012 г.


      wincheck can (with -dump_patched option) dump patched sections of loaded drivers. You get two files for each section. Lets assume that there are patched bytes in section PAGE inside driver evildrv.sys. In this case your dump includes these files:
      • evildrv.sysPAGE.kmem - actual content of PAGE section from memory
      • evildrv.sysPAGE.orig - relocated content of PAGE section from disk
      So you can always do "fc /b  evildrv.sysPAGE.kmem evildrv.sysPAGE.orig" to get list of patched bytes. But this list is really huge sometimes, so you might want to load this section in IDA Pro and check what happened. But there can be a problem - both dump files contain data relocated to some address in kernel memory and probably you have idb for you driver evildrv.sys at base 0x10000. Sure you can manually rebase your idb - Edit menu -> Segments -> Rebase program
      Since I am too lazy so I wrote simple plugin lpdm for IDA Pro (for 5.x version) which
      • load .kmem file
      • relocates it to image base currently used in your .idb. You'll need original PE file (evildrv.sys in this case) of course, not only .idb
      • load only patched bytes
      You must point address of your driver in memory, for example from wincheck log:
      FFFFF880070EA000:70000 flags 49104000 LoadCount 1 \SystemRoot\system32\drivers\evildrv.sys

      You can download lpdm plugin (for idag & idag64) from here

      понедельник, 23 апреля 2012 г.

      wincheck rc8.14

      Download mirror
      • Add -ext option for dumping of tables registered with ExRegisterExtension function (since windows 7)
      • Fixed format of NDIS_M_DRIVER_BLOCK for vista, windows 7 & windows 8. Also now in dump presents non-empty structure NDIS_CO_CALL_MANAGER_OPTIONAL_HANDLERS
      • Fixed format of WFP callouts on windows 7 32bit
      • Fixed bug in processing of bad PE files
      • Some other bugs was also fixed

      четверг, 19 апреля 2012 г.


      assemblage of incredibly stupid morons
      I am highly disappointed

      вторник, 17 апреля 2012 г.


      wincheck -ndis said:

      OpenBlock [1] 8AB7D868
      RootName: \DEVICE\{ABEB65C6-0636-48CF-81DC-4C0282FB061A}
      BindName: \DEVICE\{ABEB65C6-0636-48CF-81DC-4C0282FB061A}
      Flags:    1
      SendHandler:                 8A7A74F0 UNKNOWN
      WanSendHandler:              8A1A0398 UNKNOWN
      TransferDataHandler:         8A3259E0 UNKNOWN
      SendCompleteHandler:         8A1BA3C0 UNKNOWN
      TransferDataCompleteHandler: 8A2B4458 UNKNOWN
      ReceiveHandler:              A8B68AC6 \SystemRoot\system32\DRIVERS\ndisuio.sys
      ReceiveCompleteHandler:      00000000
      WanReceiveHandler:           A8B689A6 \SystemRoot\system32\DRIVERS\ndisuio.sys
      RequestCompleteHandler:      8A672880 UNKNOWN
      ReceivePacketHandler:        8A331340 UNKNOWN
      SendPacketsHandler:          B9E20B65 NDIS.sys
      ResetHandler:                B9E1D8C7 NDIS.sys
      RequestHandler:              A8B6899E \SystemRoot\system32\DRIVERS\ndisuio.sys
      ResetCompleteHandler:        A8B689C8 \SystemRoot\system32\DRIVERS\ndisuio.sys
      StatusHandler:               A8B68AC6 \SystemRoot\system32\DRIVERS\ndisuio.sys
      StatusCompleteHandler:       00000000

      on 7 of 19 OpenBlocks.

      Btw MS Forefront was unable to cure infected machine - it just completely removed acpi.sys and windows didn`t boot anymore, he-he

      wincheck rc8.13

      Download mirror
      • Add some support of windows 8 server
      • Add -alldrv option to scan & check all (known to me) loaded drivers
      • Fix NDIS_COMMON_OPEN_BLOCK structure for vista/w2008/w7/w8
      • Add detect of ole32!IMallocSpy installed
      • Some bugs was fixed

      воскресенье, 15 апреля 2012 г.

      Installed windows 8 server build 8250

      You can get it here
      Good news:
      • It can be installed on Virtual Box with 1Gb RAM & 32Gb of disk
      • It has less crazy GUI (not metro useless panes)
      • wincheck works on it sometimes
      • you can still install windbg from wdk7 on it
      Bad news:
      • no "start" button anyway
      • IE10 cons preview with paranoid "server" settings
      • I am unable to open its install.wim image

      среда, 4 апреля 2012 г.

      reactos sources lie

      Let`s see for example RPC_RegisterChannelHook function code. We have to look at channel_hook_entry undocumented structure:
      /* offset 0x0 */ struct list entry;
      /* offset 0x4 */ GUID id;
      /* offset 0x14 */ IChannelHook hook;
      /* Size 0x18 */

      O`k, lets check its disasm code (it was taken from xp sp2 32bit):
        push    18h             ; dwBytes
        push    0               ; dwFlags
        push    ?g_hHeap@@3PAXA ; int
        call    ?pfnHeapAlloc@@3P6GPAXPAXKK@ZA ; PrivHeapAlloc(void *,ulong,ulong)

      Looks good so far - the size of channel_hook_entry is really 0x18 bytes.
        mov     esi, [ebp+ExtensionUuid]
        mov     eax, [ebp+pChannelHook]
        lea     edi, [ebx+8] ; GUID located at offset 0x8
        mov     [ebx+4], eax ; store
      pChannelHook at offset 0x4
        mov     eax, ?gHookList@@3USHookList@@A
        [ebx], eax ; put ptr to prev list item

      As you can see the real channel_hook_entry has completely different layout:
      /* offset 0x0 */ struct list entry;
      /* offset 0x4 */ IChannelHook hook;
      /* offset 0x8 */ GUID id;
      /* Size 0x18 */

      I am sure that all code of reactos was made using reversing engeneering so this misrepresentations was introduced intentionally. Believe me it is not first time when reactos sources lie. Actually any undocumented internal structures in reactos either have wrong fields layout or monstrously incomplete

      вторник, 3 апреля 2012 г.

      Hex-Rays Newsletter

      Promised features in version 6.3:
      • source-level debugging (experimental, requires PDB with private symbols)
      • trace replayer
      • page-level breakpoints (arbitrarily-sized memory breakpoints implemented using page permissions) for Win32 and Linux
      • .net file loader for Linux and OS X
      • improved FLIRT signatures
      • new processor modules: M16C, TMS320C1, unSP; new instructions for PPC, MIPS
      • WinCE debugger over TCP/IP with debugging possible from Linux/OS X
      • decompiler: more intrinsics, cached decompilation results, data initializers, and more...

      суббота, 31 марта 2012 г.


      This poorly documented function can serves as silently communication channel between UM & KM. Let see how it works (code was borrowed from w8 dev preview 64bit)

        cmp     r15d, 17h ; check
        jnb     loc_1405C73D5 ; return STATUS_INVALID_PARAMETER_1
        mov     r14, r15
        lea     rcx, PlugPlayHandlerTable ; located in writable PAGEDATA section
        shl     r14, 4        ; PnPControlClass << 4
        add     r14, rcx      ; get record describing this
        cmp     [r14], r15d   ; field at offset 0 - PnPControlClass
        jnz     loc_1405C73CB ; return STATUS_INTERNAL_ERROR
        test    r14, r14      ; I don`t know for what this paranoid check
        jz      loc_1405C73D5 ; return STATUS_INVALID_PARAMETER_1
        cmp     qword ptr [r14+8], 0 ; Gotcha ! This is pointer to function
        jz      loc_1405C7304 ; return STATUS_NOT_IMPLEMENTED
        cmp     [r14+4], ebp    ; field at offset 4 - PnPControlDataLength
        jnz     loc_1405C730E ; return STATUS_INVALID_PARAMETER_MIX
        mov     r8d, ebp  ; PnPControlDataLength
        mov     rdx, rbx  ; PnPControlData
        mov     ecx, r15d ; PnPControlClass
        call    qword ptr [r14+8] ; call handler by pointer

      The main problem with this code is that it calls function by pointer which located in writable PAGEDATA section. Also this section is not checking by PatchGuard. So you can rewrite some unused handler (and perhaps length of PnPControlDataLength) and call PnPControlClass with patched PnPControlClass to pass some data to code in KM.
      Actually there is a lot of unused entries in PlugPlayHandlerTable - on w8 dev preview it contains only 8 handlers:
      • PiControlStartDevice for code 4
      • PiControlQueryAndRemoveDevice for code 6
      • PiControlGetPropertyData for code 0xA
      • PiControlGetRelatedDevice for code 0xC
      • PiControlGetSetDeviceStatus for code 0xE
      • PiControlGetDeviceDepth for code 0xF
      • PiControlQueryDeviceRelations for code 0x10
      • PiControlQueryConflictList for code 0x12
      Only drawback of this hole - your usermode code must held SeTcbPrivilege before calling NtPlugPlayControl

      wincheck rc8.11

      Download mirror
      • -wmi option now works on w8 consumer preview (both 32/64)
      • lots names of wmi guids was added
      • added checking of PEB.PostProcessInitRoutine
      • some bugs was fixed

      среда, 28 марта 2012 г.

      EtwEventRegister on w8 consumer preview

      I described already organization of internal data structures for this function on vista/windows 7
      Unfortunately on windows 8 consumer preview all was changed.
      Now all registered items storing in red-black tree whose root placed in EtwpRegistrationTable

      Some excerpts from ntdll.pdb:
      struct _RTL_RB_TREE {
        struct _RTL_BALANCED_NODE* Root;
        struct _RTL_BALANCED_NODE* Min;

      Node of this tree looks like
      struct _RTL_BALANCED_NODE {
        struct _RTL_BALANCED_NODE* Left;
        struct _RTL_BALANCED_NODE* Right;
        unsigned long ParentValue;

      As usually we can partially recover event registrations structure from function EtwpAllocateRegistration.I intentionally omitted unimportant details:
      struct EtwRegEntry_w8cons
      /* Win32 Win64 - offsets */
      /*   0x0   0x0 */ struct _RTL_BALANCED_NODE Node;

      /* Etw reg entry  */
      /*   0xC  0x20 */ GUID  ProviderId;
      /*  0x28  0x48 */ PVOID InternalCallback;
      /*  0x2C  0x50 */ PVOID CallbackContext;
      /*  0x34  0x5C */ WORD  Index;
      /*  0x36  0x5E */ WORD  Type;

      As before Type eq 3 if this item was allocated from function EtwEventRegister and 2 if from EtwRegisterTraceGuids[AW]
      All operations on EtwpRegistrationTable must be synchronized with SRW lock EtwpProvLock
      Sample of output on w8 64bit (deep-first traversing of tree was used):

      Ancient wisdom

      Insanity: doing the same thing over and over again and expecting different results.
      (C) Albert Einstein
      I am sure that he just never tested multithread programs, he-he

      воскресенье, 25 марта 2012 г.

      visual studio 2011

      wdk8 now doesn`t contain c/c++ compilers/linkers and requires visual studio c++ 2011 to work:

      So a week ago I installed subj

      Good news
      • It can be installed on machine where already visual studio 2010 lives
      • It partially works sometimes
      • It`s even able to compile wincheck
      Bad news
      • Installation is very reticent and you cannot select things which you really want to install. So it installed whole pile of trash -  vb.net, f#, silverlight (so I have a couple now - one from vs2010 and one from vs2011), arm libraries etc etc
      • It doesn`t have platform sdk ("going native", yep). Luckily it can use previous version of platform sdk from visual studio 2010 but what if I want to install it on fresh machine ?
      • It cannot be installed on windows xp anymore. Perhaps on vista too - I didn`t check
      • Support of C++11 is still very incompleted (you can compare it with gcc 4.7)
      • C99 isn`t supported at all
      • Most terrible thing - it cannot produce native modules for windows xp !