Monday, 30 April 2012

process token hijaqing

I was asked yesterday: wincheck is currently able to detect only a process token hijacked from the System process, but what if somebody wants to steal the token of some other privileged process?
I think it's easy to detect from a wincheck log with a simple perl script like this one (the script keys on the "Process PID N token: X" lines and reports any two processes that reference the same token object):
#!perl -w
# Lame script to check processes token hijaq
# 30 Apr 2012 (C) RedPlait
use strict;
use warnings;

# Read one wincheck log and report processes whose token pointer was already
# seen for another PID (a token shared between two processes is suspicious)
sub parse {
  my $fname = shift;
  my %hdb;   # token pointer -> first PID seen with it
  my($fh, $str, $pid, $token);
  open($fh, '<', $fname) or die("Cannot open $fname, error $!");
  while( $str = <$fh> ) {
    chomp $str;
    next if ( $str !~ /Process PID (\d+) token: (.*)$/ );
    $pid = int($1);
    $token = $2;
    if ( exists $hdb{$token} ) {
      printf("Process %d has the same token as %d !\n", $pid, $hdb{$token});
    } else {
      $hdb{$token} = $pid;
    }
  }
  close $fh;
}

parse $_ foreach @ARGV;
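The same check in Python, as an added example rather than code from the blog: it parses constructed sample lines in the "Process PID N token: X" format the perl script expects and goes one step further by collecting every PID that references a token, so a token shared by three or more processes is reported as one group. The sample token values are made up.

```python
import re
from collections import defaultdict

# Constructed sample of wincheck output lines (not a real log): the last line
# deliberately reuses the token pointer reported for the System process (PID 4).
SAMPLE_LOG = """\
Process PID 4 token: FFFFF8A0000A7040
Process PID 356 token: FFFFF8A000B7C060
Process PID 504 token: FFFFF8A000C15060
Process PID 1337 token: FFFFF8A0000A7040
"""

TOKEN_RE = re.compile(r"Process PID (\d+) token: (\S+)")


def tokens_by_process(lines):
    """Map each token pointer to the list of PIDs wincheck reported for it."""
    hdb = defaultdict(list)
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue          # lines that are not token lines are ignored
        hdb[m.group(2)].append(int(m.group(1)))
    return hdb


def shared_tokens(lines):
    """Return {token: [pids]} for every token referenced by more than one process.

    A process normally owns its own primary token object, so the same pointer
    showing up under two PIDs is what the perl script above flags as well."""
    return {t: p for t, p in tokens_by_process(lines).items() if len(p) > 1}


if __name__ == "__main__":
    for token, pids in shared_tokens(SAMPLE_LOG.splitlines()).items():
        print(f"token {token} is shared by PIDs {pids}")
```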

Wednesday, 25 April 2012


wincheck can (with the -dump_patched option) dump patched sections of loaded drivers. You get two files for each section. Let's assume that there are patched bytes in section PAGE inside driver evildrv.sys. In this case your dump includes these files:
  • evildrv.sysPAGE.kmem - actual content of the PAGE section from memory
  • evildrv.sysPAGE.orig - relocated content of the PAGE section from disk
So you can always run "fc /b evildrv.sysPAGE.kmem evildrv.sysPAGE.orig" to get the list of patched bytes. But this list is sometimes really huge, so you might want to load this section into IDA Pro and check what happened. There can be a problem, though: both dump files contain data relocated to some address in kernel memory, while you probably have an idb for your driver evildrv.sys at base 0x10000. Sure, you can manually rebase your idb: Edit menu -> Segments -> Rebase program.
Since I am too lazy, I wrote a simple plugin, lpdm, for IDA Pro (5.x versions) which
  • loads the .kmem file
  • relocates it to the image base currently used in your .idb. You'll need the original PE file (evildrv.sys in this case) of course, not only the .idb
  • loads only the patched bytes
You must specify the address of your driver in memory, for example from the wincheck log:
FFFFF880070EA000:70000 flags 49104000 LoadCount 1 \SystemRoot\system32\drivers\evildrv.sys

You can download lpdm plugin (for idag & idag64) from here
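An added example (my own code, not the lpdm plugin) of the bookkeeping described above: it diffs a .orig and .kmem section dump into runs of patched bytes, the way fc /b lists them, and maps each run from the kernel load address taken from the wincheck module line to the address you would look at in an idb based at 0x10000. The two 14-byte dumps and the PAGE section RVA of 0x3000 are constructed; the example only translates addresses and does not relocate pointer values inside the patched bytes, which is the part lpdm needs the original PE file for.

```python
import re

# Constructed sample dumps (hypothetical, 14 bytes each), standing in for
# evildrv.sysPAGE.orig and evildrv.sysPAGE.kmem: the in-memory copy starts with
# a 5-byte jmp followed by int3, and one more byte at the end was changed.
ORIG_BYTES = bytes.fromhex("4883ec28488b05e0ff0000ff5018")
KMEM_BYTES = bytes.fromhex("e9ab000000cc05e0ff0000ff5090")
# Module line in the format wincheck prints (address and size as in the post).
WINCHECK_LINE = r"FFFFF880070EA000:70000 flags 49104000 LoadCount 1 \SystemRoot\system32\drivers\evildrv.sys"
IDB_BASE = 0x10000   # image base the .idb was created at
PAGE_RVA = 0x3000    # hypothetical RVA of the PAGE section inside evildrv.sys


def parse_module_line(line):
    """Return (load address, image size) from a wincheck driver line."""
    m = re.match(r"([0-9A-Fa-f]+):([0-9A-Fa-f]+) flags", line)
    if not m:
        raise ValueError("not a wincheck module line: " + line)
    return int(m.group(1), 16), int(m.group(2), 16)


def patched_runs(orig, kmem):
    """Coalesce differing bytes into (offset, length) runs instead of one line per byte."""
    if len(orig) != len(kmem):
        raise ValueError("section dumps differ in size")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(orig, kmem)):
        if a != b and start is None:
            start = i                       # a new patched run begins here
        elif a == b and start is not None:
            runs.append((start, i - start))  # run ended at the previous byte
            start = None
    if start is not None:
        runs.append((start, len(orig) - start))
    return runs


def rebased_patches(orig, kmem, module_line, section_rva, idb_base):
    """Describe each patched run with its kernel VA and the VA to inspect in the .idb."""
    kernel_base, _ = parse_module_line(module_line)
    report = []
    for off, length in patched_runs(orig, kmem):
        report.append({
            "kernel_va": kernel_base + section_rva + off,
            "idb_va": idb_base + section_rva + off,
            "orig": orig[off:off + length].hex(),
            "patched": kmem[off:off + length].hex(),
        })
    return report


if __name__ == "__main__":
    for p in rebased_patches(ORIG_BYTES, KMEM_BYTES, WINCHECK_LINE, PAGE_RVA, IDB_BASE):
        print(f"{p['kernel_va']:016X} -> idb {p['idb_va']:05X}: {p['orig']} => {p['patched']}")
```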

Monday, 23 April 2012

wincheck rc8.14

Download mirror
  • Added -ext option for dumping the tables registered with the ExRegisterExtension function (since Windows 7)
  • Fixed format of NDIS_M_DRIVER_BLOCK for Vista, Windows 7 & Windows 8. The dump now also includes the non-empty NDIS_CO_CALL_MANAGER_OPTIONAL_HANDLERS structure
  • Fixed format of WFP callouts on Windows 7 32-bit
  • Fixed bug in processing of bad PE files
  • Some other bugs were also fixed

Thursday, 19 April 2012


assemblage of incredibly stupid morons
I am highly disappointed

Tuesday, 17 April 2012


wincheck -ndis said:

OpenBlock [1] 8AB7D868
RootName: \DEVICE\{ABEB65C6-0636-48CF-81DC-4C0282FB061A}
BindName: \DEVICE\{ABEB65C6-0636-48CF-81DC-4C0282FB061A}
Flags:    1
SendHandler:                 8A7A74F0 UNKNOWN
WanSendHandler:              8A1A0398 UNKNOWN
TransferDataHandler:         8A3259E0 UNKNOWN
SendCompleteHandler:         8A1BA3C0 UNKNOWN
TransferDataCompleteHandler: 8A2B4458 UNKNOWN
ReceiveHandler:              A8B68AC6 \SystemRoot\system32\DRIVERS\ndisuio.sys
ReceiveCompleteHandler:      00000000
WanReceiveHandler:           A8B689A6 \SystemRoot\system32\DRIVERS\ndisuio.sys
RequestCompleteHandler:      8A672880 UNKNOWN
ReceivePacketHandler:        8A331340 UNKNOWN
SendPacketsHandler:          B9E20B65 NDIS.sys
ResetHandler:                B9E1D8C7 NDIS.sys
RequestHandler:              A8B6899E \SystemRoot\system32\DRIVERS\ndisuio.sys
ResetCompleteHandler:        A8B689C8 \SystemRoot\system32\DRIVERS\ndisuio.sys
StatusHandler:               A8B68AC6 \SystemRoot\system32\DRIVERS\ndisuio.sys
StatusCompleteHandler:       00000000

on 7 of 19 OpenBlocks.

Btw MS Forefront was unable to cure the infected machine - it just completely removed acpi.sys and Windows didn't boot anymore, he-he

wincheck rc8.13

Download mirror
  • Added some support for Windows 8 Server
  • Added -alldrv option to scan & check all (known to me) loaded drivers
  • Fixed NDIS_COMMON_OPEN_BLOCK structure for Vista/W2008/W7/W8
  • Added detection of an installed ole32!IMallocSpy
  • Some bugs were fixed

Sunday, 15 April 2012

Installed Windows 8 Server build 8250

You can get it here
Good news:
  • It can be installed on VirtualBox with 1Gb RAM & 32Gb of disk
  • It has a less crazy GUI (no useless Metro panes)
  • wincheck works on it, sometimes
  • you can still install windbg from WDK 7 on it
Bad news:
  • no "start" button anyway
  • IE10 consumer preview with paranoid "server" settings
  • I am unable to open its install.wim image

Wednesday, 4 April 2012

reactos sources lie

Let's look, for example, at the code of the RPC_RegisterChannelHook function. We have to look at the undocumented channel_hook_entry structure:
/* offset 0x0 */ struct list entry;
/* offset 0x4 */ GUID id;
/* offset 0x14 */ IChannelHook hook;
/* Size 0x18 */

O'k, let's check its disassembly (taken from XP SP2 32-bit):
  push    18h             ; dwBytes
  push    0               ; dwFlags
  push    ?g_hHeap@@3PAXA ; int
  call    ?pfnHeapAlloc@@3P6GPAXPAXKK@ZA ; PrivHeapAlloc(void *,ulong,ulong)

Looks good so far - the size of channel_hook_entry is really 0x18 bytes.
  mov     esi, [ebp+ExtensionUuid]
  mov     eax, [ebp+pChannelHook]
  lea     edi, [ebx+8]    ; GUID located at offset 0x8
  mov     [ebx+4], eax    ; store pChannelHook at offset 0x4
  mov     eax, ?gHookList@@3USHookList@@A
  mov     [ebx], eax      ; put ptr to prev list item

As you can see the real channel_hook_entry has completely different layout:
/* offset 0x0 */ struct list entry;
/* offset 0x4 */ IChannelHook hook;
/* offset 0x8 */ GUID id;
/* Size 0x18 */

I am sure that all reactos code was produced by reverse engineering, so this misrepresentation was introduced intentionally. Believe me, it is not the first time reactos sources lie. Actually any undocumented internal structure in reactos either has a wrong field layout or is monstrously incomplete.

Tuesday, 3 April 2012

Hex-Rays Newsletter

Promised features in version 6.3:
  • source-level debugging (experimental, requires PDB with private symbols)
  • trace replayer
  • page-level breakpoints (arbitrarily-sized memory breakpoints implemented using page permissions) for Win32 and Linux
  • .net file loader for Linux and OS X
  • improved FLIRT signatures
  • new processor modules: M16C, TMS320C1, unSP; new instructions for PPC, MIPS
  • WinCE debugger over TCP/IP with debugging possible from Linux/OS X
  • decompiler: more intrinsics, cached decompilation results, data initializers, and more...