Saturday, 30 June 2012

kernel shims in w8

It seems that the Windows 8 kernel now has some support for driver shims.
The exported functions that provide this functionality are:
  • KseRegisterShim
  • KseRegisterShimEx
  • KseUnregisterShim
A shim descriptor has a structure like this one:

struct shim_descriptor {
    DWORD    Size;                 // size of this structure
    GUID    *guid;                 // identifies the shim
    wchar_t *Name;
    PVOID    unk1;
    PVOID    HookDriverUntargeted; // func ptr
    PVOID    HookDriverTargeted;   // func ptr
    PVOID    HookTab;              // ptr to hooks descriptor table
};

KseRegisterShim is called twice in ntoskrnl.exe, with two shim descriptors:

GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks the RtlGetVersion & PsGetVersion functions

GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
Hooks:
  • IoCreateDevice
  • PoRequestPowerIrp
  • ExAllocatePoolWithTag
  • ExFreePoolWithTag
  • ExAllocatePool
  • ExFreePool
Shims are applied in the MiDriverLoadSucceeded function (by IAT hooking in KsepApplyShimsToDriver).
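To make the mechanism concrete, here is an added C model of how a hook table gets applied to a driver's imports. It is constructed for this page and is not Windows code: the driver's IAT is modelled as an array of (import name, function pointer) slots, the hook table as (import name, replacement, saved original) entries mirroring the HookTab idea from the descriptor above, and GetVersion / CreateDevice / RequestPower are hypothetical import names. What the real RtlGetVersion shim reports is not stated on this page; the version-lying behaviour below is only an illustration of why a shim keeps the original pointer around.

```c
/* Added example: a constructed model of shim-style IAT hooking. Not Windows code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*generic_fn)(void);                        /* opaque function pointer */
typedef void (*get_version_fn)(unsigned *, unsigned *);

struct iat_slot  { const char *name; generic_fn target; };                    /* one IAT entry */
struct hook_desc { const char *name; generic_fn hook; generic_fn *saved_orig; }; /* one HookTab entry */

/* Hypothetical import the driver calls: reports the OS version as 6.2. */
static void real_get_version(unsigned *major, unsigned *minor) { *major = 6; *minor = 2; }

/* Where the shim keeps the originals so a hook can chain to the real function. */
static generic_fn orig_get_version;
static generic_fn orig_request_power;

/* Hypothetical shim: call the original, then report 6.1 instead of 6.2, so a
 * driver with a hard-coded version check keeps loading. */
static void shim_get_version(unsigned *major, unsigned *minor)
{
    ((get_version_fn)orig_get_version)(major, minor);
    if (*major == 6 && *minor == 2) *minor = 1;
}

/* Apply every hook whose import name appears in the driver's IAT.
 * Returns how many slots were patched. A second application is a no-op, and a
 * hook for an import the driver does not use is simply skipped. */
size_t apply_shim_hooks(struct iat_slot *iat, size_t n_iat,
                        const struct hook_desc *hooks, size_t n_hooks)
{
    size_t patched = 0;
    for (size_t h = 0; h < n_hooks; h++) {
        for (size_t i = 0; i < n_iat; i++) {
            if (strcmp(iat[i].name, hooks[h].name) != 0) continue;
            if (iat[i].target == hooks[h].hook) continue;   /* already shimmed */
            *hooks[h].saved_orig = iat[i].target;           /* keep original for chaining */
            iat[i].target = hooks[h].hook;                  /* overwrite the IAT slot */
            patched++;
        }
    }
    return patched;
}

/* The driver side: resolve an import by name through its own IAT and call it. */
static unsigned driver_reported_minor(const struct iat_slot *iat, size_t n_iat)
{
    for (size_t i = 0; i < n_iat; i++) {
        if (strcmp(iat[i].name, "GetVersion") == 0) {
            unsigned major = 0, minor = 0;
            ((get_version_fn)iat[i].target)(&major, &minor);
            return minor;
        }
    }
    return (unsigned)-1;
}

/* End-to-end: returns the minor version the driver sees after shimming
 * (1 if the shim worked), or 99 if the number of patched slots was not 1. */
unsigned shim_demo(void)
{
    struct iat_slot iat[] = {
        { "GetVersion",   (generic_fn)real_get_version },
        { "CreateDevice", NULL },                         /* unrelated import, left alone */
    };
    const struct hook_desc hooks[] = {
        { "GetVersion",   (generic_fn)shim_get_version, &orig_get_version },
        { "RequestPower", (generic_fn)shim_get_version, &orig_request_power }, /* not imported: skipped */
    };
    size_t patched = apply_shim_hooks(iat, 2, hooks, 2);
    patched += apply_shim_hooks(iat, 2, hooks, 2);        /* must not re-patch */
    if (patched != 1) return 99;
    return driver_reported_minor(iat, 2);
}

int main(void)
{
    printf("driver now sees minor version %u\n", shim_demo());
    return 0;
}
```

The check that a slot is not patched twice matters in practice: the kernel applies shims per loaded driver, and a hook that overwrites its own saved original would lose the chain to the real function.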

Wednesday, 27 June 2012

wincheck rc8.19

Download mirror
  • Add -pofx option to dump & check plugins registered with PoFxRegisterPluginEx
  • Add dumping of w8-specific ETW trace callbacks (with -wmi option)
  • ole32 channel hook checks work again on w8 release preview
  • Add checking of ole32!NdrOleExportForwardTable & ole32!NdrOleExportForwardTable
  • Add checking of ntdll!RtlpDebugPageHeapXXX handlers (works only for 32-bit processes)
  • some other bugs were fixed

Tuesday, 26 June 2012

CoRegisterChannelHook in w8 consumer preview

It is declared in ole32.dll as a forwarded export to COMBASE.CoRegisterChannelHook,
but combase.dll does not have such an exported name, he-he.
So wincheck cannot find some COM-related structures on w8 consumer preview. On w8 dev preview everything works fine.

Sunday, 24 June 2012

binary tree for multithread access

I need a binary tree structure for concurrent access from multiple threads, where some threads do searching and others perform insert/delete operations. This structure must work in both kernel and user mode.

Let's add a sync primitive to each tree node: an SRWLock in user mode and an EX_PUSH_LOCK in kernel mode. Clearly a reader can acquire the lock shared while a writer takes it exclusively. Because the order in which locks are taken must always be the same (root to leaf, never back up), we need a tree structure with top-down rebalancing (I hope this assumption is right). So let's see which kinds of trees allow such operations:
  1. weight-balanced tree. Drawbacks: needs floating point for the balance ratio, so in kernel mode we must take care of FPU context saving/restoring (an integer weight ratio such as 3:1 avoids this, but it still rebalances bottom-up after the insert)
  2. classical B-tree. I think there may be a problem with granularity: when a node contains a big number of keys and we need to lock it exclusively, all search operations are blocked from this node down to the lowest level of its children
  3. red-black tree. Looks like a good candidate, but sadly I cannot find an implementation in plain C with top-down rebalancing :-(
Am I missing something important?
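Since the post asks for a plain-C red-black tree with top-down rebalancing, here is one as an added example (it is not the author's code; it follows the well-known top-down insertion scheme in the style of Julienne Walker's tutorial, with a validator and a self-test added). Locks are deliberately left out so the algorithm stays readable; the property the per-node lock scheme above needs is visible in the loop: every colour flip or rotation touches only the window t, g, p, q (plus q's two children) that the walk currently holds, so shared/exclusive locks can be taken strictly top-down and released behind the window, never re-acquired upward. Deletion is omitted.

```c
/* Added example: top-down red-black insertion in plain C (no locks). */
#include <stdio.h>
#include <stdlib.h>

struct rb_node {
    int red;                 /* 1 = red, 0 = black */
    int key;
    struct rb_node *link[2]; /* link[0] = left, link[1] = right */
};
struct rb_tree { struct rb_node *root; };

static int is_red(const struct rb_node *n) { return n != NULL && n->red; }

static struct rb_node *make_node(int key)
{
    struct rb_node *n = malloc(sizeof *n);
    if (n) { n->red = 1; n->key = key; n->link[0] = n->link[1] = NULL; }
    return n;
}

/* Rotate 'root' toward 'dir'; the returned node takes root's place. Only
 * root and its child change, which is why the walk's window suffices. */
static struct rb_node *rot_single(struct rb_node *root, int dir)
{
    struct rb_node *save = root->link[!dir];
    root->link[!dir] = save->link[dir];
    save->link[dir] = root;
    root->red = 1;
    save->red = 0;
    return save;
}

static struct rb_node *rot_double(struct rb_node *root, int dir)
{
    root->link[!dir] = rot_single(root->link[!dir], !dir);
    return rot_single(root, dir);
}

/* Insert key; returns 1 if inserted, 0 if already present or out of memory.
 * All fix-ups happen on the way down, so nothing is revisited afterwards. */
int rb_insert(struct rb_tree *tree, int key)
{
    int inserted = 0;
    if (tree->root == NULL) {
        tree->root = make_node(key);
        if (tree->root == NULL) return 0;
        inserted = 1;
    } else {
        struct rb_node head = {0, 0, {NULL, NULL}};  /* false root above the real one */
        struct rb_node *t = &head;                   /* great-grandparent */
        struct rb_node *g = NULL, *p = NULL;         /* grandparent, parent */
        struct rb_node *q = t->link[1] = tree->root; /* current node */
        int dir = 0, last = 0;

        for (;;) {
            if (q == NULL) {                         /* reached a leaf: attach new red node */
                p->link[dir] = q = make_node(key);
                if (q == NULL) return 0;
                inserted = 1;
            } else if (is_red(q->link[0]) && is_red(q->link[1])) {
                q->red = 1;                          /* colour flip on the way down */
                q->link[0]->red = q->link[1]->red = 0;
            }
            if (is_red(q) && is_red(p)) {            /* two reds in a row: rotate at g */
                int dir2 = t->link[1] == g;
                if (q == p->link[last])
                    t->link[dir2] = rot_single(g, !last);
                else
                    t->link[dir2] = rot_double(g, !last);
            }
            if (q->key == key) break;                /* duplicate, or the node just added */
            last = dir;
            dir = q->key < key;
            if (g != NULL) t = g;                    /* slide the window down one level */
            g = p; p = q; q = q->link[dir];
        }
        tree->root = head.link[1];
    }
    tree->root->red = 0;                             /* root is always black */
    return inserted;
}

int rb_contains(const struct rb_tree *tree, int key)
{
    const struct rb_node *q = tree->root;
    while (q != NULL && q->key != key) q = q->link[q->key < key];
    return q != NULL;
}

/* Verify the red-black invariants; returns the black height (>0) or 0 on a violation. */
int rb_check(const struct rb_node *root)
{
    if (root == NULL) return 1;
    const struct rb_node *l = root->link[0], *r = root->link[1];
    if (is_red(root) && (is_red(l) || is_red(r))) return 0;                   /* red-red */
    if ((l && l->key >= root->key) || (r && r->key <= root->key)) return 0;  /* BST order */
    int lh = rb_check(l), rh = rb_check(r);
    if (lh == 0 || rh == 0 || lh != rh) return 0;                             /* black-height mismatch */
    return is_red(root) ? lh : lh + 1;
}

static void rb_free(struct rb_node *n)
{
    if (n) { rb_free(n->link[0]); rb_free(n->link[1]); free(n); }
}

/* Self-test: insert 1..n ascending (worst case for a naive BST), reject a
 * duplicate, look everything up, then validate. Returns black height or 0. */
int rb_selftest(int n)
{
    struct rb_tree t = { NULL };
    int bh = 0;
    for (int i = 1; i <= n; i++)
        if (!rb_insert(&t, i)) return 0;
    if (n > 0 && rb_insert(&t, 1)) return 0;   /* duplicates must be rejected */
    for (int i = 1; i <= n; i++)
        if (!rb_contains(&t, i)) return 0;
    if (rb_contains(&t, n + 1)) return 0;
    bh = rb_check(t.root);
    rb_free(t.root);
    return bh;
}

int main(void)
{
    printf("black height after 1000 ascending inserts: %d\n", rb_selftest(1000));
    return 0;
}
```

In a locked version, the search would take each node shared and release the parent once the child is held; the insert would take t, g, p, q exclusively in that order and release t when the window slides, which keeps the lock order identical for all threads.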

generic access rights mapping in w8

Saturday, 23 June 2012

The official documentation for WmiQueryTraceInformation says that TRACE_INFORMATION_CLASS has only 10 values. Although the build date of this documentation is 6/11/2012, in reality there are some more values:
  • 0xB - returns the address of EtwpDiskIoNotifyRoutines. TraceInformationLength must equal sizeof(PVOID)
  • 0xC - copies the content of EtwpAllNotifyRoutines. TraceInformationLength must equal 0xD * sizeof(PVOID) (on w8 consumer preview the size must be 0xE * sizeof(PVOID))
  • 0xD - returns the address of EtwpFltIoNotifyRoutines. TraceInformationLength must equal sizeof(PVOID)
  • 0xE - returns the address of the EtwpTraceHypervisorStackwalk function. TraceInformationLength must equal sizeof(PVOID)
  • 0xF - returns the address of EtwpWdfNotifyRoutines. TraceInformationLength must equal sizeof(PVOID)

Friday, 22 June 2012

How to find IopRootDeviceNode

using static analysis only?
Let's see.

From the exported function IoPnPDeliverServicePowerNotification (32-bit build):

     lea     eax, [esp+38h+Object]
     push    eax             ; Object
     call    _KeWaitForSingleObject@20   ; the only KeWaitForSingleObject call in this function

     cmp     [esp+28h+var_20], ebx
     jge     short loc_64963A
     lea     eax, [esp+28h+var_18]
     push    eax
     push    [esp+2Ch+var_1C]
     mov     eax, _IopRootDeviceNode     ; the global we are after
     push    dword ptr [eax+0B8h]
     push    [ebp+arg_0]
     call    _PnpSetPowerVetoEvent@24

KeWaitForSingleObject is called only once in the whole code graph of this function, which gives a unique anchor: the load of a global into eax that follows it and feeds push dword ptr [eax+0B8h] is IopRootDeviceNode.
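Turning the listing into a byte signature, as an added example that is not part of the original post: in the 32-bit encoding the two instructions of interest are mov eax, [moffs32] (A1 followed by the 4-byte address) and push dword ptr [eax+0B8h] (FF B0 B8 00 00 00; the displacement needs the disp32 form because 0xB8 is negative as a disp8), so the global's address is simply the 4 bytes after A1. The buffer scanned below is a constructed stand-in for the function body, and the address 0x005B4A60 in it is made up; a real scan would first locate the function through the IoPnPDeliverServicePowerNotification export, restrict itself to that body, and use the single KeWaitForSingleObject call as the anchor described above, which this example skips.

```c
/* Added example: signature scan for the IopRootDeviceNode load (constructed data). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pattern bytes; 0x100 marks a wildcard position. */
static const int sig[] = {
    0xA1, 0x100, 0x100, 0x100, 0x100,    /* mov eax, [moffs32]           */
    0xFF, 0xB0, 0xB8, 0x00, 0x00, 0x00   /* push dword ptr [eax+0B8h]    */
};
#define SIG_LEN (sizeof sig / sizeof sig[0])

static int sig_match(const uint8_t *p)
{
    for (size_t i = 0; i < SIG_LEN; i++)
        if (sig[i] != 0x100 && p[i] != (uint8_t)sig[i]) return 0;
    return 1;
}

/* Scan code bytes; returns the 32-bit VA read from the mov, or 0 if the
 * signature is absent, the VA lies outside [data_lo, data_hi) (so we matched
 * something else), or more than one plausible hit exists (ambiguous). */
uint32_t find_ioproot_device_node(const uint8_t *code, size_t len,
                                  uint32_t data_lo, uint32_t data_hi)
{
    uint32_t found = 0;
    int hits = 0;
    if (len < SIG_LEN) return 0;
    for (size_t off = 0; off + SIG_LEN <= len; off++) {
        if (!sig_match(code + off)) continue;
        uint32_t va = (uint32_t)code[off + 1] | ((uint32_t)code[off + 2] << 8) |
                      ((uint32_t)code[off + 3] << 16) | ((uint32_t)code[off + 4] << 24);
        if (va < data_lo || va >= data_hi) continue;  /* not a pointer into .data */
        found = va;
        hits++;
    }
    return hits == 1 ? found : 0;
}

/* Constructed sample: the tail of the listing, hand-assembled for 32-bit x86.
 * The address 0x005B4A60 is invented for this example. */
static const uint8_t sample_code[] = {
    0x8D, 0x44, 0x24, 0x10,              /* lea  eax, [esp+10h]          */
    0x50,                                /* push eax                     */
    0xFF, 0x74, 0x24, 0x14,              /* push [esp+14h]               */
    0xA1, 0x60, 0x4A, 0x5B, 0x00,        /* mov  eax, ds:005B4A60h       */
    0xFF, 0xB0, 0xB8, 0x00, 0x00, 0x00,  /* push dword ptr [eax+0B8h]    */
    0xFF, 0x75, 0x08,                    /* push [ebp+8]                 */
    0xE8, 0x00, 0x00, 0x00, 0x00         /* call rel32 (PnpSetPowerVetoEvent) */
};

uint32_t sample_scan(void)
{
    return find_ioproot_device_node(sample_code, sizeof sample_code,
                                    0x005B0000u, 0x005C0000u);
}

/* Two copies of the signature in one buffer: ambiguous, so the scan refuses to guess. */
uint32_t sample_scan_ambiguous(void)
{
    uint8_t twice[2 * sizeof sample_code];
    memcpy(twice, sample_code, sizeof sample_code);
    memcpy(twice + sizeof sample_code, sample_code, sizeof sample_code);
    return find_ioproot_device_node(twice, sizeof twice, 0x005B0000u, 0x005C0000u);
}

int main(void)
{
    printf("IopRootDeviceNode = %08X (ambiguous scan gives %08X)\n",
           sample_scan(), sample_scan_ambiguous());
    return 0;
}
```

Compilers emit the short A1 form when the destination is eax, which matches the listing; a scanner meant to survive other builds should also accept the 8B 05 disp32 encoding of the same load, and should refuse, as above, whenever the signature is not unique within the function.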

Saturday, 16 June 2012

Sublime Text 2

Installed this nice editor today. One minor problem is that it has no support for Asm out of the box. A Google search gives a link to x86-assembly-textmate-bundle, but it seems to have been made only for 32-bit with GAS syntax. So I made a patch for it: more registers, instructions and some keywords from yasm/nasm.

Friday, 15 June 2012

wincheck rc8.18

Download mirror
  • more support for w8 release preview added; win32k.sys-related checks now work
  • add -alpc option to show clients of ALPC RPC ports (since Vista)
  • add checking of some rpcrt4.dll tables
  • some other bugs (especially w8rp-related) were fixed

Saturday, 9 June 2012

!alpc /lpc

First, this command doesn't work on Vista:

    lkd> !object \Sessions\1\Windows\SbApiPort
    Object: 89c40ed0  Type: (82b6fed0) ALPC Port
        ObjectHeader: 89c40eb8 (old version)
        HandleCount: 1  PointerCount: 4
        Directory Object: 8fe397e0  Name: SbApiPort
    lkd> !alpc /lpc 89c40ed0
    Error querying field CommunicationInfo of structure nt!_ALPC_PORT at 89c40ed0
    Port @89c40ed0 is not a connection port.

Second, I think it just doesn't work.

Friday, 8 June 2012

windows internals 6th edition

page 271:
Compile-time hotpatching support works by adding 7 additional bytes to the beginning of each function—4 are considered part of the end of the previous function, and 2 are part of the function prolog—that is, the function's beginning.
4 + 2 = 6. I double-checked with calc.exe, he-he

page 590:
In the next chapter, we'll look at the I/O system.
The next (7th) chapter is named Networking

List of other errata

Wednesday, 6 June 2012

wincheck rc8.17

Download mirror
  • Add initial support for Windows 8 release preview. The pdb for 32-bit win32k.sys is still unavailable, so all win32k-related checks do not work. Also I am sure that this version is very far from full support of w8 release preview (although it is much better than rc8.16, which just crashes on w8 rp)
  • Add -acpi option to check some ACPI tables
  • Fixed Etw structures for wow64 apps

Saturday, 2 June 2012

w8 release preview W32pServiceTable 64bit

W32pServiceLimit equals 0x3d2. In consumer preview it was 0x3c6

w8 release preview _KPROCESS & _EPROCESS 64bit

to compare with

w8 release preview _KTHREAD & _ETHREAD 64bit

to compare with

w8 release preview KPRCB 64bit

to compare with

Friday, 1 June 2012

apisetschema.dll from w8 release preview

to compare with

w8 release preview _KPROCESS & _EPROCESS

to compare with

w8 release preview _KTHREAD & _ETHREAD

to compare with

w8 release preview KPRCB

to compare with

Windows 8 Release Preview

ISO images can be downloaded here
WDK 8 Release Preview

Update: not all pdbs are uploaded yet; for example, for win32k.sys I got:
SYMSRV:  http://msdl.microsoft.com/download/symbols/win32k.pdb/DB9745D3386F4192BB1B0B65936BCD5F2/win32k.pdb not found