Saturday, March 31, 2012


This poorly documented function (NtPlugPlayControl) can serve as a silent communication channel between user mode and kernel mode. Let's see how it works (the code below was borrowed from the w8 dev preview, 64-bit):

  cmp     r15d, 17h ; check
  jnb     loc_1405C73D5 ; return STATUS_INVALID_PARAMETER_1
  mov     r14, r15
  lea     rcx, PlugPlayHandlerTable ; located in the writable PAGEDATA section
  shl     r14, 4        ; PnPControlClass << 4
  add     r14, rcx      ; get record describing this
  cmp     [r14], r15d   ; field at offset 0 - PnPControlClass
  jnz     loc_1405C73CB ; return STATUS_INTERNAL_ERROR
  test    r14, r14      ; paranoid check - r14 can't be zero at this point, I don't know what it is for
  jz      loc_1405C73D5 ; return STATUS_INVALID_PARAMETER_1
  cmp     qword ptr [r14+8], 0 ; Gotcha! field at offset 8 - pointer to the handler function
  jz      loc_1405C7304 ; return STATUS_NOT_IMPLEMENTED
  cmp     [r14+4], ebp    ; field at offset 4 - PnPControlDataLength
  jnz     loc_1405C730E ; return STATUS_INVALID_PARAMETER_MIX
  mov     r8d, ebp  ; PnPControlDataLength
  mov     rdx, rbx  ; PnPControlData
  mov     ecx, r15d ; PnPControlClass
  call    qword ptr [r14+8] ; call handler by pointer

The main problem with this code is that it calls a function through a pointer located in the writable PAGEDATA section, and this section is not checked by PatchGuard. So you can overwrite some unused handler entry (and, if needed, its PnPControlDataLength) and then call NtPlugPlayControl with that PnPControlClass to pass data to your code in kernel mode.
Actually there are lots of unused entries in PlugPlayHandlerTable - on w8 dev preview it holds only 8 handlers out of 0x17 slots:
  • PiControlStartDevice for code 4
  • PiControlQueryAndRemoveDevice for code 6
  • PiControlGetPropertyData for code 0xA
  • PiControlGetRelatedDevice for code 0xC
  • PiControlGetSetDeviceStatus for code 0xE
  • PiControlGetDeviceDepth for code 0xF
  • PiControlQueryDeviceRelations for code 0x10
  • PiControlQueryConflictList for code 0x12
The only drawback of this hole: your usermode code must hold SeTcbPrivilege before calling NtPlugPlayControl.
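Here is a small C model of the dispatch above, added here as an example (it is not kernel code and not part of the original post). The 16-byte record layout and the status returned on each exit path come straight from the disassembly; the data length for class 4, the stub handler bodies and the sample payload are assumptions made for the model. Planting a handler into an unused slot shows what "overwrite some unused handler entry" means when the table is writable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_NOT_IMPLEMENTED       ((NTSTATUS)0xC0000002)
#define STATUS_INVALID_PARAMETER_MIX ((NTSTATUS)0xC0000030)
#define STATUS_INTERNAL_ERROR        ((NTSTATUS)0xC00000E5)
#define STATUS_INVALID_PARAMETER_1   ((NTSTATUS)0xC00000EF)

/* "cmp r15d, 17h": classes 0..0x16 are valid, so the table has 0x17 slots. */
#define PNP_CONTROL_CLASS_COUNT 0x17

typedef NTSTATUS (*PNP_HANDLER)(uint32_t cls, void *data, uint32_t len);

/* One 16-byte record of PlugPlayHandlerTable ("shl r14, 4" = 16-byte stride). */
struct PLUGPLAY_HANDLER {
    uint32_t    PnPControlClass;       /* [r14]   */
    uint32_t    PnPControlDataLength;  /* [r14+4] */
    PNP_HANDLER Handler;               /* [r14+8], NULL for unused classes */
};

/* Modelled table: ordinary writable memory, like the real one in PAGEDATA. */
static struct PLUGPLAY_HANDLER PlugPlayHandlerTable[PNP_CONTROL_CLASS_COUNT];

/* Stand-in for PiControlStartDevice (class 4). The real data length is not
 * given in the post; 0x10 is an assumption for the model. */
static NTSTATUS StubStartDevice(uint32_t cls, void *data, uint32_t len)
{
    (void)cls; (void)data; (void)len;
    return STATUS_SUCCESS;
}

static void InitTable(void)
{
    memset(PlugPlayHandlerTable, 0, sizeof PlugPlayHandlerTable);
    for (uint32_t i = 0; i < PNP_CONTROL_CLASS_COUNT; i++)
        PlugPlayHandlerTable[i].PnPControlClass = i;   /* field at offset 0 */
    PlugPlayHandlerTable[4].PnPControlDataLength = 0x10;
    PlugPlayHandlerTable[4].Handler = StubStartDevice;
}

/* C rendering of the dispatch in the disassembly, check by check, same order. */
static NTSTATUS PnpDispatch(uint32_t cls, void *data, uint32_t len)
{
    if (cls >= PNP_CONTROL_CLASS_COUNT)             /* jnb -> INVALID_PARAMETER_1 */
        return STATUS_INVALID_PARAMETER_1;
    struct PLUGPLAY_HANDLER *rec = &PlugPlayHandlerTable[cls];
    if (rec->PnPControlClass != cls)                /* jnz -> INTERNAL_ERROR */
        return STATUS_INTERNAL_ERROR;
    if (rec->Handler == NULL)                       /* jz  -> NOT_IMPLEMENTED */
        return STATUS_NOT_IMPLEMENTED;
    if (rec->PnPControlDataLength != len)           /* jnz -> INVALID_PARAMETER_MIX */
        return STATUS_INVALID_PARAMETER_MIX;
    return rec->Handler(cls, data, len);            /* call qword ptr [r14+8] */
}

/* What taking over an unused slot looks like in the model: the planted
 * handler records the first dword of the user buffer it was handed. */
static uint32_t g_last_word;
static uint32_t g_sample_payload = 0x0000C0DEu;   /* constructed sample data */

static NTSTATUS PlantedHandler(uint32_t cls, void *data, uint32_t len)
{
    (void)cls;
    if (len >= sizeof g_last_word) memcpy(&g_last_word, data, sizeof g_last_word);
    return STATUS_SUCCESS;
}

static uint32_t LastPlantedWord(void) { return g_last_word; }

/* Fill an unused record (handler NULL) so the dispatcher starts calling it. */
static int PlantHandler(uint32_t cls, PNP_HANDLER h, uint32_t len)
{
    if (cls >= PNP_CONTROL_CLASS_COUNT || PlugPlayHandlerTable[cls].Handler != NULL)
        return 0;
    PlugPlayHandlerTable[cls].PnPControlDataLength = len;
    PlugPlayHandlerTable[cls].Handler = h;
    return 1;
}

int main(void)
{
    InitTable();
    PlantHandler(0, PlantedHandler, sizeof g_sample_payload);
    NTSTATUS st = PnpDispatch(0, &g_sample_payload, sizeof g_sample_payload);
    printf("class 0 -> 0x%08X, planted handler saw 0x%08X\n",
           (unsigned)st, (unsigned)LastPlantedWord());
    return 0;
}
```

Note that the length check sits after the handler check, so an unused class answers STATUS_NOT_IMPLEMENTED whatever length you pass, while a used class with a wrong length answers STATUS_INVALID_PARAMETER_MIX; that is a cheap way to probe from user mode which slots are populated.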

wincheck rc8.11

Download mirror
  • -wmi option now works on w8 consumer preview (both 32/64)
  • lots of names of wmi guids were added
  • added checking of PEB.PostProcessInitRoutine
  • some bugs were fixed

Wednesday, March 28, 2012

EtwEventRegister on w8 consumer preview

I have already described the organization of the internal data structures for this function on vista/windows 7.
Unfortunately on windows 8 consumer preview everything has changed.
Now all registered items are stored in a red-black tree whose root is placed in EtwpRegistrationTable.

Some excerpts from ntdll.pdb:
  struct _RTL_RB_TREE {
    struct _RTL_BALANCED_NODE* Root;
    struct _RTL_BALANCED_NODE* Min;
  };

A node of this tree looks like this:
  struct _RTL_BALANCED_NODE {
    struct _RTL_BALANCED_NODE* Left;
    struct _RTL_BALANCED_NODE* Right;
    unsigned long ParentValue; /* pointer-sized: 4 bytes on Win32, 8 on Win64, see the offsets below */
  };

As usual we can partially recover the event registration structure from the function EtwpAllocateRegistration. I intentionally omitted unimportant details:
  struct EtwRegEntry_w8cons {
  /* Win32 Win64 - offsets */
  /*   0x0   0x0 */ struct _RTL_BALANCED_NODE Node;

  /* Etw reg entry  */
  /*   0xC  0x20 */ GUID  ProviderId;
  /*  0x28  0x48 */ PVOID InternalCallback;
  /*  0x2C  0x50 */ PVOID CallbackContext;
  /*  0x34  0x5C */ WORD  Index;
  /*  0x36  0x5E */ WORD  Type;
  };

As before, Type is 3 if this item was allocated by EtwEventRegister and 2 if by EtwRegisterTraceGuids[AW].
All operations on EtwpRegistrationTable must be synchronized with the SRW lock EtwpProvLock.
Sample output on w8 64bit (a depth-first traversal of the tree was used):
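An added example in C (not ntdll code and not from the original post) that lays out the 64-bit EtwRegEntry_w8cons with explicit padding, verifies the offsets against the table above and walks a constructed EtwpRegistrationTable depth-first, the way the dump was produced. Assumptions: a 64-bit build, and that the low bits of ParentValue carry the node colour and must be masked off before following the parent link; the three sample entries are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct RTL_BALANCED_NODE {
    struct RTL_BALANCED_NODE *Left;
    struct RTL_BALANCED_NODE *Right;
    uintptr_t ParentValue;   /* parent pointer; low bits = colour flags (assumed) */
};
#define RTL_BALANCED_NODE_RESERVED_BITS 3
#define NODE_PARENT(n) \
    ((struct RTL_BALANCED_NODE *)((n)->ParentValue & ~(uintptr_t)RTL_BALANCED_NODE_RESERVED_BITS))

struct RTL_RB_TREE { struct RTL_BALANCED_NODE *Root; struct RTL_BALANCED_NODE *Min; };

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

/* 64-bit EtwRegEntry_w8cons with explicit padding so the offsets match the post. */
struct EtwRegEntry_w8cons64 {
    struct RTL_BALANCED_NODE Node;                         /* 0x00 */
    uint8_t  pad0[0x20 - sizeof(struct RTL_BALANCED_NODE)];
    GUID     ProviderId;                                   /* 0x20 */
    uint8_t  pad1[0x48 - 0x30];
    void    *InternalCallback;                             /* 0x48 */
    void    *CallbackContext;                              /* 0x50 */
    uint8_t  pad2[0x5C - 0x58];
    uint16_t Index;                                        /* 0x5C */
    uint16_t Type;                 /* 0x5E: 3 = EtwEventRegister, 2 = EtwRegisterTraceGuids */
};

int LayoutMatchesPost(void)
{
    return offsetof(struct EtwRegEntry_w8cons64, ProviderId)       == 0x20 &&
           offsetof(struct EtwRegEntry_w8cons64, InternalCallback) == 0x48 &&
           offsetof(struct EtwRegEntry_w8cons64, CallbackContext)  == 0x50 &&
           offsetof(struct EtwRegEntry_w8cons64, Index)            == 0x5C &&
           offsetof(struct EtwRegEntry_w8cons64, Type)             == 0x5E;
}

typedef void (*ENTRY_CB)(const struct EtwRegEntry_w8cons64 *e, void *ctx);

/* In-order depth-first walk with an explicit stack (a red-black tree of
 * any realistic size is far shallower than 64 levels). Node is the first
 * field, so a node address is the entry address. Returns entries visited. */
size_t WalkRegistrations(const struct RTL_RB_TREE *tree, ENTRY_CB cb, void *ctx)
{
    const struct RTL_BALANCED_NODE *stack[64];
    size_t sp = 0, visited = 0;
    const struct RTL_BALANCED_NODE *n = tree->Root;
    while (n || sp) {
        while (n && sp < 64) { stack[sp++] = n; n = n->Left; }
        n = stack[--sp];
        cb((const struct EtwRegEntry_w8cons64 *)n, ctx);
        visited++;
        n = n->Right;
    }
    return visited;
}

/* Constructed three-entry table: root entry with one child on each side. */
static struct EtwRegEntry_w8cons64 g_entries[3];
static struct RTL_RB_TREE g_table;

static void Link(struct EtwRegEntry_w8cons64 *child, struct EtwRegEntry_w8cons64 *parent, int red)
{
    child->Node.ParentValue = (uintptr_t)&parent->Node | (red ? 1u : 0u);
}

void BuildSampleTable(void)
{
    memset(g_entries, 0, sizeof g_entries);
    g_entries[1].Node.Left  = &g_entries[0].Node;
    g_entries[1].Node.Right = &g_entries[2].Node;
    Link(&g_entries[0], &g_entries[1], 1);
    Link(&g_entries[2], &g_entries[1], 1);
    g_entries[0].Type = 3; g_entries[0].Index = 10;   /* EtwEventRegister */
    g_entries[1].Type = 2; g_entries[1].Index = 11;   /* EtwRegisterTraceGuids */
    g_entries[2].Type = 3; g_entries[2].Index = 12;
    g_table.Root = &g_entries[1].Node;
    g_table.Min  = &g_entries[0].Node;
}

struct TypeCount { uint16_t type; size_t n; };
static void CountType(const struct EtwRegEntry_w8cons64 *e, void *ctx)
{
    struct TypeCount *tc = ctx;
    if (e->Type == tc->type) tc->n++;
}

size_t CountRegistrations(uint16_t type)
{
    struct TypeCount tc = { type, 0 };
    WalkRegistrations(&g_table, CountType, &tc);
    return tc.n;
}

/* Sanity check for a dumped table: Min must be the leftmost node and a
 * child's (masked) parent link must point back at the root. */
int TableIsConsistent(void)
{
    const struct RTL_BALANCED_NODE *n = g_table.Root;
    if (!n) return 0;
    while (n->Left) n = n->Left;
    return n == g_table.Min && NODE_PARENT(g_table.Root->Left) == g_table.Root;
}

int main(void)
{
    BuildSampleTable();
    printf("layout ok: %d, EtwEventRegister entries: %zu, TraceGuids entries: %zu\n",
           LayoutMatchesPost(), CountRegistrations(3), CountRegistrations(2));
    return 0;
}
```

When reading a real table out of a process, the consistency check is worth running first: a Min that is not the leftmost node, or a parent link that does not point back, means either the offsets are wrong for that build or the tree was read without holding EtwpProvLock while it was being modified.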

Ancient wisdom

Insanity: doing the same thing over and over again and expecting different results.
(C) Albert Einstein
I am sure he just never tested multithreaded programs, he-he

Sunday, March 25, 2012

visual studio 2011

wdk8 no longer contains C/C++ compilers/linkers and requires Visual Studio C++ 2011 to work:

So a week ago I installed the subj

Good news
  • It can be installed on a machine where Visual Studio 2010 already lives
  • It partially works sometimes
  • It's even able to compile wincheck
Bad news
  • Installation is very reticent and you cannot select the things you really want to install. So it installed a whole pile of trash - vb.net, f#, silverlight (so now I have a couple - one from vs2010 and one from vs2011), arm libraries etc etc
  • It doesn't have a platform sdk ("going native", yep). Luckily it can use the previous version of the platform sdk from Visual Studio 2010, but what if I want to install it on a fresh machine?
  • It cannot be installed on Windows XP anymore. Perhaps on Vista too - I didn't check
  • Support of C++11 is still very incomplete (compare it with gcc 4.7)
  • C99 isn't supported at all
  • Most terrible thing - it cannot produce native modules for Windows XP!

Saturday, March 24, 2012

updated perl binding for IDA Pro

It seems that even IDA 6.2 has no IDC functions for getting the function count and the start address of a function by index.
So today I added two new functions to my perl binding for IDA Pro - func_qty & func_n

Friday, March 23, 2012

PsIsProtectedProcess on w8

Now the code for PsIsProtectedProcess looks like this (32-bit build):

  mov     edi, edi
  push    ebp
  mov     ebp, esp
  mov     eax, [ebp+arg_0] ; PEPROCESS
  movzx   eax, byte ptr [eax+2D0h] ;
  and     eax, 1
  pop     ebp
  retn    4

So under w8 the old ProtectedProcess flag is gone: the function now just tests bit 0 of the byte at EPROCESS+0x2D0.

Monday, March 19, 2012

ids files for recent MFC versions

I uploaded archive of IDS files for both 32 & 64bit MFC dll modules:
  • mfc9 (from vs2008)
  • mfc10 (from vs2010)
  • mfc11 (from vs2011)
This archive also contains the IDT files used for building

"embeddable" cl

I started to use ecl some time ago but can already state that this specific implementation gives a really bad impression. It is really disappointing for such an old and mature language as lisp.
  1. This implementation was named 'embeddable' by mistake. It is really hard to integrate it into other software. For example, if you try to initialize ecl from a .dll it crashes in the cl_boot() call. The complete stack trace:
           ecl.dll!_GC_init_thread_local()  + 0x20 bytes   C
           ecl.dll!_GC_new_thread()  + 0x17c bytes C
           ecl.dll!_GC_register_my_thread()  + 0x30 bytes  C
           ecl.dll!_GC_thr_init()  + 0x32 bytes    C
           ecl.dll!_GC_init_inner()  + 0x2f0 bytes C
           ecl.dll!init_alloc()  Line 757  C
           ecl.dll!cl_boot(int argc=0x00000001, char * * argv=0x003d6160)  Line 464        C
  2. Lispers are so proud of their famous REPL but in fact it is really crippled. For example, ecl is missing even a trivial autocomplete feature! Sure, I know about the existence of the ecl-readline module. It requires libreadline to work, which failed to build on Windows even with a fresh mingw with gcc 4.6.1
  3. Looks like the ecl debugger brought its modern features straight from the 50s. Before I tried it I was sure that the most horrible debugger is gdb and it is not possible to imagine something worse. But ecl proved that I was terribly wrong.
  4. C/C++ binding is not easy to do as well. Swig can generate more or less correct CFFI (which is missing from the ECL distribution and needs to be installed separately) for C code only. The author writes:
    This feature to SWIG (for CFFI) is very new and still far from complete
    Thus it doesn't work for C++ objects that contain virtual methods.
  5. I just can't believe that they came into the XXI century without having a central package repository (something similar to CPAN/rubyforge). So installing a new package becomes an infernal quest to find and download a package of unknown quality, try to install it and do a voodoo dance in a vain attempt to force it to work. It is so disgusting.
  6. As I understood, ecl implements non-kosher lisp. Multiple mailing list topics like "xxx build failed", "Building yyy with ecl failed", "cannot build zzz using ecl" and their varieties prove that.
  7. ecl doesn't support many simple Windows-specific features like registry access and OLE automation.
  8. Integration into Visual Studio is completely missing. But it is expected after all the previous drawbacks and I would need to be completely stupid to expect it.

Sunday, March 18, 2012

script for .idt/.ids files making

Suddenly™ I discovered that even the recent version of IDA Pro has no ids files for fresh MFC modules (for example mfc100.dll/mfc110.dll from Visual Studio 2010/2011). Running dll2idt.exe produces nothing, because MFC exports by ordinal only and there are no export names to harvest:
Convert DLL to IDT file. Copyright 1997 by Yury Haron. Version 1.5
File: mfc100.dll     ... illegal structure or has no export names
So I decided to make the needed .ids files myself. But I am too lazy to make .idt/.ids files by hand, so I wrote a simple perl script for this boring task

The main idea is very simple - run dumpbin /exports on some .dll module and read all the ordinal/VA pairs. Next download the corresponding .pdb file for this .dll from MS and dump it with pdbdump (I already posted a script for downloading pdb files). Then parse this dump and find the VA/name pairs. Finally, with all this info, produce the .idt file (or even the .ids file with the -z option if you have idsutils installed)
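The same join done in C rather than perl, as an added example (not the author's script): constructed dumpbin /exports lines and constructed RVA/name pairs standing in for the parsed pdbdump output are merged on RVA and written out as IDT text. The IDT line syntax ("0 Name=dll" for the library, "ordinal Name=symbol" per export) and the dumpbin column layout for [NONAME] exports are assumptions; the mangled names are made up for the sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

/* Constructed excerpt of "dumpbin /exports mfc100.dll": MFC exports by
 * ordinal only, so every line shows [NONAME] and the hint column is empty. */
static const char *kDumpbinLines[] = {
    "    ordinal hint RVA      name",
    "",
    "        256      0001E6A0 [NONAME]",
    "        257      00020F10 [NONAME]",
    "        258      00021040 [NONAME]",
    NULL
};

/* Constructed RVA/name pairs standing in for what is parsed out of the
 * pdbdump output (only two of the three exports have a public symbol). */
struct Sym { uint32_t rva; const char *name; };
static const struct Sym kPdbSyms[] = {
    { 0x0001E6A0, "?AfxGetApp@@YGPAVCWinApp@@XZ" },
    { 0x00021040, "?AfxGetMainWnd@@YGPAVCWnd@@XZ" },
};

struct Export { uint32_t ordinal; uint32_t rva; };

/* One dumpbin line: the first token must be a decimal ordinal, and the first
 * 8-hex-digit token after it is the RVA (this also skips a numeric hint on
 * named exports). Header and blank lines return 0. */
static int ParseExportLine(const char *line, struct Export *out)
{
    char tok[64];
    int have_ordinal = 0;
    while (*line) {
        while (*line && isspace((unsigned char)*line)) line++;
        if (!*line) break;
        size_t n = 0;
        while (*line && !isspace((unsigned char)*line) && n < sizeof tok - 1)
            tok[n++] = *line++;
        tok[n] = '\0';
        if (!have_ordinal) {
            char *end;
            unsigned long v = strtoul(tok, &end, 10);
            if (*end != '\0') return 0;
            out->ordinal = (uint32_t)v;
            have_ordinal = 1;
        } else if (n == 8 && strspn(tok, "0123456789abcdefABCDEF") == 8) {
            out->rva = (uint32_t)strtoul(tok, NULL, 16);
            return 1;
        }
    }
    return 0;
}

static const char *LookupName(uint32_t rva)
{
    for (size_t i = 0; i < sizeof kPdbSyms / sizeof kPdbSyms[0]; i++)
        if (kPdbSyms[i].rva == rva) return kPdbSyms[i].name;
    return NULL;
}

/* Emit IDT text into buf: "0 Name=<dll>" for the library, then one
 * "<ordinal> Name=<symbol>" line per export that resolved to a symbol.
 * Ordinals without a symbol are left out. Returns the number of named lines. */
static size_t MakeIdt(const char *dll, const char **lines, char *buf, size_t cap)
{
    size_t named = 0, used;
    int w = snprintf(buf, cap, "0 Name=%s\n", dll);
    if (w < 0 || (size_t)w >= cap) return 0;
    used = (size_t)w;
    for (; *lines; lines++) {
        struct Export e;
        const char *name;
        if (!ParseExportLine(*lines, &e) || !(name = LookupName(e.rva)))
            continue;
        w = snprintf(buf + used, cap - used, "%lu Name=%s\n", (unsigned long)e.ordinal, name);
        if (w < 0 || (size_t)w >= cap - used) break;
        used += (size_t)w;
        named++;
    }
    return named;
}

static char g_idt[512];

size_t BuildSampleIdt(void) { return MakeIdt("mfc100.dll", kDumpbinLines, g_idt, sizeof g_idt); }
const char *SampleIdtText(void) { return g_idt; }

int main(void)
{
    size_t n = BuildSampleIdt();
    fputs(g_idt, stdout);
    printf("; %zu named exports\n", n);
    return 0;
}
```

The join is on RVA, not on VA, so both inputs must use the same base: dumpbin prints RVAs, while a pdbdump that prints VAs has to have the image base subtracted before the lookup.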

new DEVICE_TYPEs in WDK 8 Consumer Preview

from Include\shared\devioctl.h:

#define FILE_DEVICE_EHSTOR              0x00000046
#define FILE_DEVICE_DEVAPI              0x00000047
#define FILE_DEVICE_GPIO                0x00000048
#define FILE_DEVICE_USBEX               0x00000049
#define FILE_DEVICE_CONSOLE             0x00000050
#define FILE_DEVICE_NFP                 0x00000051
#define FILE_DEVICE_SYSENV              0x00000052

hresult.idc for WDK 8 Consumer Preview

Fresh HRESULT enums values generated in hresult.idc

oids.idc for WDK 8 Consumer Preview

Fresh NDIS OID enums values generated in oids.idc

ntstatus.idc for WDK 8 Consumer Preview

Fresh NTSTATUS enums values generated in ntstatus.idc

Saturday, March 17, 2012

wincheck rc8.10

Download mirror
  • added checking of wow64 service tables
  • fixed processing of apisetschema.dll on w8 64bit
  • -sdt option now works on w8 dev preview 32bit
As usual, some other bugs were also added fixed

Update: it seems that opening protected processes doesn't work under w8

Azure failure

Leap day bug as usual (29 Feb, yeah)
The full description can be found here

Wednesday, March 14, 2012

New SYSTEMINFOCLASSes on w8 consumer preview

I got the names here
  • 7D - SystemSessionBigPoolInformation. Length >= 0xC
  • 7E - SystemBootGraphicsInformation. Length == 0x20
  • 7F - SystemScrubPhysicalMemoryInformation
  • 80 - SystemBadPageInformation. Variable length, can be zero
  • 81 - SystemProcessorProfileControlArea
  • 82 - SystemCombinePhysicalMemoryInformation
  • 83 - SystemEntropyInterruptTimingCallback
  • 84 - SystemConsoleInformation
  • 85 - SystemPlatformBinaryInformation. Checks SeTcbPrivilege
  • 86 - SystemThrottleNotificationInformation
  • 87 - SystemHypervisorProcessorCountInformation. Length >=8
  • 88 - SystemDeviceDataInformation. Length == 0x1C
  • 89 - SystemDeviceDataEnumerationInformation. Length == 0x1C
  • 8A - SystemMemoryTopologyInformation. Variable length, can be zero
  • 8B - SystemMemoryChannelInformation. Variable length, can be zero
  • 8C - SystemBootLogoInformation. Length >=8
  • 8D - SystemProcessorPerformanceInformationEx
  • 8E - SystemTimeZoneCurrentSetting. Length > 0x20. Copies ExpTimeZoneCurrentSetting to the usermode buffer
  • 8F - SystemSecureBootPolicyInformation. Checks SeTcbPrivilege, length >= 0x14
  • 90 - SystemPageFileInformationEx
  • 91 - SystemSecureBootInformation. Checks SeTcbPrivilege, length == 2, copies some bits from SecureBootPolicyBlobHeader to the usermode buffer
  • 92 - SystemEntropyInterruptTimingRawInformation
  • 93 - SystemPortableWorkspaceEfiLauncherInformation. Calls ExpQueryPortableWorkspaceEfiLauncherInformation, variable length

Monday, March 12, 2012

Breaking news

I am sure that you will NEVER guess who the author of this quotation is:
Binary compatibility is *so* important that I do not want to have anything to do with kernel developers who don't understand that importance
It's the little-known Linus Torvalds. Proof
Perhaps he will also finally discharge the totally crazy Ulrich Drepper, he-he

Saturday, March 10, 2012

can developers really follow Microsoft?

it’s not like I’m saying that Windows 8 will be the end of Microsoft. Of course not. Probably it will be disliked just like Vista and afterwards things will be re-improved like with Windows 7. The problem is that Microsoft is losing time. A lot of time. Sooner or later operating systems such as OSX and Linux will completely catch up with what really matters in a desktop, which apart from its own features, are the applications which run on it.
IMHO not too convincing, but the article has some fresh thoughts

Friday, March 9, 2012

w8 consumer preview _KTHREAD & _ETHREAD 64bit

Just to compare with dev preview

w8 consumer preview _KPROCESS & _EPROCESS 64bit

Just to compare with dev preview

wincheck rc8.9

download mirror
Added support for windows 8 consumer preview (both 32 and 64 bit). Known problems still unresolved on w8:
  • -wmi option doesn't work
  • -traces option doesn't work
  • -sdt option doesn't work on w8 dev preview 32bit
  • it seems that w8 consumer preview 64bit doesn't have a 32bit apisetschema.dll, so IAT checking of 32bit processes is incomplete
Also added checking and dumping of the ACPI dispatch table.
As usual, some bugs were also added fixed

Monday, March 5, 2012

Sunday, March 4, 2012

w8 consumer preview W32pServiceTable 64bit

W32pServiceLimit equals 0x3c6. In the dev preview it was 0x3c3

RPat update

I rebuilt RPat today with mingw gcc 4.6.1 and binutils 2.20
The fresh version can be downloaded from here
In binutils 2.20 support for some new object file formats was added:
  • elf32-i386-nacl
  • elf32-i386-sol2
  • elf32-rx-be
  • elf32-rx-be-ns
  • elf32-rx-le
  • elf32-shbig-fdpic
  • elf32-sh-fdpic
  • elf32-sparc-sol2
  • elf32-tic6x-be
  • elf32-tic6x-le
  • elf32-tilegx
  • elf32-tilepro
  • elf32-tradbigmips-freebsd
  • elf32-tradlittlemips-freebsd
  • som

w8 consumer preview KiServiceTable 64bit

KiServiceLimit equals 0x1AE
New functions added since the dev preview:
  • NtCreateIRTimer
  • NtFilterBootOption
  • NtGetCachedSigningLevel
  • NtSetCachedSigningLevel
  • NtSetIRTimer

Saturday, March 3, 2012

Installing ECL on win32

Here I describe how to get, build and set up a fresh version of ECL from the git repository on MS Windows 32bit


You will need
  • Some version of Visual Studio (2005, 2008 or 2010. I haven't played with 2011 yet)
  • git client for windows
  • nasm or yasm if you want to build GMP for modern processors

Getting sources

It's easy - just run
git clone git://ecls.git.sourceforge.net/gitroot/ecls/ecl
in some work directory


cd to the msvc sub-dir and edit Makefile. You need to decide whether you want support for modern processors in GMP - p3 or p4 for the GMP_TYPE option. In this case also patch msvc\gmp\Makefile for the rule .asm.obj - put the full path to your nasm/yasm executable in it.
If your processor supports SSE2 you can also add to msvc\Makefile the string
If you need 64bit integers - you can apply my patch

Run Programs -> Your Visual Studio -> Visual Studio Tools -> Visual Studio Command Prompt. This command gives you a console with a properly configured environment for calling nmake. cd to the ecl\msvc sub-dir and run


In the same msvc sub-dir just run
nmake install prefix=c:\dir\2\install\ecl

After installing you can run
nmake clean
to kill all the temporary files used for building


I strongly recommend downloading these pre-built packages for ecl and extracting them in the directory containing your ecl installation. Then you have to add two new directories to the PATH system variable
  • the directory in which ecl was installed
  • the sub-dir packages\bin
Now you need to create your personal ecl startup file. Usually it must be located somewhere in the user home directory (something like c:\Documents and Settings\%USERNAME%. You can also try cd to %HOMEPATH%) and has the name .ecl.lisp

w8 preview versions

Btw, because the dev preview differs in many aspects from the consumer preview, we now must recognize which preview variant we are running on.
GetProductInfo returns 0x4A for both
But there is a very simple way - check the build number:
  • dev preview has BuildNumber 8102
  • consumer preview has BuildNumber 8250
  • release preview has BuildNumber 8400
  • rtm has BuildNumber 9200

Friday, March 2, 2012

apisetschema.dll from w8 consumer preview

It seems that the subj has an anomaly - for ms-win-coreui-l1-1-0 the offset to the mapped name of the real dll is zero. I think it's a bug, so I exclude this dll from the list

w8 consumer preview _KPROCESS & _EPROCESS

Just to compare with dev preview

w8 consumer preview _KTHREAD & _ETHREAD

Just to compare with dev preview

w8 consumer preview FLTMGR structs

It seems that wincheck cannot dump fltmgr callback nodes on the consumer preview version of windows 8

w8 consumer preview NDIS structs

Wincheck falls into a BSOD during NDIS checking on the consumer preview version of windows 8
The same structs for the developer preview version were posted here

KPRCB from w8 consumer preview

Just to compare with dev preview