kernel shims in w8

It seems that windows 8 kernel now has some support for driver shims.
Exported functions to provide this functionality are:

• KseRegisterShim
• KseRegisterShimEx
• KseUnregisterShim

Shim descriptor has structure like this one:

struct shim_descriptor
{
  DWORD Size;
  GUID *guid;
  wchar_t *Name;
  PVOID unk1;
  PVOID HookDriverUntargeted; // func ptr
  PVOID HookDriverTargeted;   // func ptr
  PVOID HookTab;              // ptr to hooks descriptor table
};


KseRegisterShim called twice in ntoskrnl.exe with two shim descriptors:

Win7VersionLieShim
GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks RtlGetVersion & PsGetVersion functions

KseDsShim
GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
Hooks:

• IoCreateDevice
• PoRequestPowerIrp
• ExAllocatePoolWithTag
• ExFreePoolWithTag
• ExAllocatePool
• ExFreePool

Sims apply in MiDriverLoadSucceeded function (by IAT hooking in KsepApplyShimsToDriver):

wincheck rc8.19

Download mirror
Changelog:

• Add -pofx option to dump & check plugins registered with PoFxRegisterPluginEx
• Add dumping w8 specific ETW trace callbacks (with -wmi option)
• ole32 channel hooks checking again works on w8 release preview
• Add checking of ole32!NdrOleExportForwardTable & ole32!NdrOleExportForwardTable
• Add checking of ntdll!RtlpDebugPageHeapXXX handlers (works only on 32bit processes)
• some other bugs was fixed

CoRegisterChannelHook in w8 consumer preview

Declared in ole32.dll as forwarded export to COMBASE.CoRegisterChannelHook
But combase.dll does not have such exported name, he-he
So wincheck cannot find some COM-related structures on w8 consumer preview. On w8 dev preview all work fine

binary tree for multithread access

Task
I need some binary tree structure for concurrent access from multiple threads where some threads do searching and some other perform insert/delete operations. This structure must work both in kernel and user mode

Solutions
Lets add some sync primitive to each tree node -  it is going to be SRWLock in user mode and EX_PUSH_LOCK in kernel mode. It`s clear that reader can acquire shared lock while writer will use exclusive one. Bcs order of locks always have to be the same - we need tree structure with top-down rebalancing (I hope this is right assumption). So lets see which kinds of trees allow such operations

1. weight-balanced tree. Drawbacks: need to use floating point, so in kernel mode we must care about FPU context saving/restoring
2. classical B-tree. I think there may be a problem with granularity - when node contains a big number of keys and we need to lock it exclusively - all search operations will be blocked from this node till the lowest level of its children
3. red-black tree. Looks like it is a good candidate but sadly I cannot find implementation in plain C with top-down rebalancing :-(

Do I miss something important ?

generic access rights mapping in w8

Name	ObjectType	Read	Write	Execute	All
AlpcpPortMapping	AlpcPortObjectType	20001	10001	0	1F0001
EtwpGenericMappingg	EtwpRealTimeConnectionObjectType	2000D	20062	20E90	20EFF
ExpCallbackMapping	ExCallbackObjectType	20000	20001	120000	1F0001
ExpCompositionSurfaceMapping	ExCompositionSurfaceObjectType	20000	20000	20000	F0000
ExpDesktopMapping	ExDesktopObjectType	20000	20000	20000	F0000
ExpEventMapping	ExEventObjectType	20001	20002	120000	1F0003
ExpEventPairMapping	ExEventPairObjectType	120000	120000	120000	1F0000
ExpMutantMapping	ExMutantObjectType	20001	20000	120000	1F0001
ExpProfileMapping	ExProfileObjectType	20001	20001	20001	F0001
ExpSemaphoreMapping	ExSemaphoreObjectType	20001	20002	120000	1F0003
ExpTimerMapping	ExTimerObjectType	20001	20002	120000	1F0003
ExpWindowStationMapping	ExWindowStationObjectType	20000	20000	20000	F0000
ExpWnfNotificationMapping		120001	2	1F0000	1F0013
ExpWorkerFactoryMapping	ExpWorkerFactoryObjectType	20008	20004	20003	F00FF
IopCompletionMapping	IoCompletionObjectType	20001	20002	120000	1F0003
IopFileMapping	IoFileObjectType	120089	120116	1200A0	1F01FF
IopWaitCompletionMapping	IopWaitCompletionPacketObjectType	20001	20001	20001	F0001
MiSectionMapping	MmSectionObjectType	20005	20002	20008	F001F
MiSessionMapping	MmSessionObjectType	20001	20002	120001	F0003
ObpDirectoryMapping	ObpDirectoryObjectType	20003	2000C	20003	F000F
ObpSymbolicLinkMapping	ObpSymbolicLinkObjectType	20001	20000	20001	F0001
ObpTypeMapping	ObpTypeObjectType	20000	20000	20000	F0001
PiAuLocalSystemSecurityMapping		20000	20000	20000	F0000
PiAuSecurityObjectMapping		20001	20042	20024	F00FF
PopPowerRequestMapping	PopPowerRequestObjectType	20000	20000	20000	1F0000
PspJobMapping	PsJobType	20004	2000B	120000	1F001F
PspMemReserveMapping		20001	20002	20000	F0003
PspProcessMapping	PsProcessType	20410	20BEA	121001	1FFFFF
PspThreadMapping	PsThreadType	20048	20437	120800	1FFFFF
SepTokenMapping	SeTokenObjectType	2001A	201E0	20005	F01FF
StandardBitMapping		20000	10D0000	100000	11F0000
SystemContextGenericMapping		20001	20000	20000	1F0001
WmipGenericMapping	WmipGuidObjectType	1	2	10	120FFF

new TRACE_INFORMATION_CLASS in w8

The official documentation for WmiQueryTraceInformation says that TRACE_INFORMATION_CLASS has only 10 values. Although build date of this documentation is 6/11/2012 in reality there are some more values

• 0xB - return address of EtwpDiskIoNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
• 0xC - copy content of EtwpAllNotifyRoutines. TraceInformationLength eq 0xD * sizeof(PVOID) (on w8 consumer preview size must be 0xE * sizeof(PVOID))
• 0xD - return address of EtwpFltIoNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
• 0xE - return address of EtwpTraceHypervisorStackwalk function. TraceInformationLength eq sizeof(PVOID)
• 0xF - copy address of EtwpWdfNotifyRoutines. TraceInformationLength eq sizeof(PVOID)

How to find IopRootDeviceNode

using static analysis only ?
Lets see

xp/w2k3/vista
From exported function IoPnPDeliverServicePowerNotification:

     lea     eax, [esp+38h+Object]
     push    eax             ; Object
     call    _KeWaitForSingleObject@20
     cmp     [esp+28h+var_20], ebx
     jge     short loc_64963A
     lea     eax, [esp+28h+var_18]
     push    eax
     push    [esp+2Ch+var_1C]
     mov     eax, _IopRootDeviceNode
     push    dword ptr [eax+0B8h]
     push    [ebp+arg_0]
     call    _PnpSetPowerVetoEvent@24


KeWaitForSingleObject called only one time in whole code graph of this function

Sublime Text 2

Installed today this nice editor. One minor problem is that it does not have support of Asm from the box. Google search gives link to x86-assembly-textmate-bundle but it seems that it was made only for 32bit with GAS syntax. So I made patch for it - add more registers, instructions and some keywords from yasm/nasm
Result:

Patch

wincheck rc8.18

Download mirror
Changelog:

• more support of w8 release preview added. win32k.sys related checks now works
• add -alpc option to show clients of ALPC RPC ports (since vista)
• add checking of some rpcrt4.dll tables
• some other bugs (especially w8rp related) was fixed

pdb files for w8 release preview

Can be downloaded here
This msi cannot be installed on XP although

!alpc /lpc

First - this command don`t work on vista:

lkd> !object \Sessions\1\Windows\SbApiPort
Object: 89c40ed0  Type: (82b6fed0) ALPC Port
    ObjectHeader: 89c40eb8 (old version)
    HandleCount: 1  PointerCount: 4
    Directory Object: 8fe397e0  Name: SbApiPort
lkd> !alpc /lpc 89c40ed0
Error querying field CommunicationInfo of structure nt!_ALPC_PORT at 89c40ed0
Port @89c40ed0 is not a connection port.

Second - I think it just don`t work

windows internals 6th edition

page 271:

Compile-time hotpatching support works by adding 7 additional bytes to the beginning of each function—4 are considered part of the end of the previous function, and 2 are part of the function prolog—that is, the function’s beginning.

4 + 2 = 6. I double checked with calc.exe, he-he

page 590:

In the next chapter, we’ll look at the I/O system.

Next (7th) chapter has name Networking

List of other erratas

wincheck rc8.17

Download mirror
Changelog:

• Add initial support of windows 8 release preview. pdb for 32bit win32k.sys is still unavailable so all win32k related checks do not work. Also I am sure that this version is very far from full support of w8 release preview (although it is much better than rc8.16 which just crashes on w8 rp)
• Add -acpi option to check some ACPI tables
• Fixed Etw structures for wow64 apps

CmControlVector for w8

New table for windows8 dev preview, consumer preview & release preview

ida 6.3

Changelog
Most usefull fix:

PC: added support for "int 29h" (__fastfail call on win8)

So IDA now w8 aware, he-he

errors.idc from WDK 8 Release Preview

Add 14 new ERROR_XXX values

ntstatus.idc for WDK 8 Release Preview

Add 310 new NTSTATUS values

w8 release preview W32pServiceTable 64bit

W32pServiceLimit eq 0x3d2. In consumer preview it was 0x3c6

w8 release preview _KPROCESS & _EPROCESS 64bit

to compare with

w8 release preview _KTHREAD & _ETHREAD 64bit

to compare with

w8 release preview KPRCB 64bit

To compare with

apisetschema.dll from w8 release preview

to compare with

w8 release preview _KPROCESS & _EPROCESS

to compare with

w8 release preview _KTHREAD & _ETHREAD

to compare with

w8 release preview KPRCB

to compare with

Windows 8 Release Preview

ISO images can be downloaded here
WKD 8 Release Preview

Update: not all pdb are uploaded yet - for example on win32k.sys I got:
SYMSRV:  http://msdl.microsoft.com/download/symbols/win32k.pdb/DB9745D3386F4192BB1B0B65936BCD5F2/win32k.pdb not found
he-he