Saturday, June 30, 2012

kernel shims in w8

It seems that the Windows 8 kernel now has some support for driver shims.
The exported functions that provide this functionality are:
  • KseRegisterShim
  • KseRegisterShimEx
  • KseUnregisterShim
The shim descriptor has a structure like this one (field names come from reverse engineering; unk1 has not been identified; DWORD/GUID/PVOID are the usual DDK types):

struct shim_descriptor
{
  DWORD Size;                 // size of this descriptor
  GUID *guid;                 // identifies the shim (see the GUIDs below)
  wchar_t *Name;
  PVOID unk1;
  PVOID HookDriverUntargeted; // func ptr
  PVOID HookDriverTargeted;   // func ptr
  PVOID HookTab;              // ptr to hooks descriptor table
};


KseRegisterShim is called twice in ntoskrnl.exe, with two shim descriptors:

Win7VersionLieShim
GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks the RtlGetVersion & PsGetVersion functions

KseDsShim
GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
Hooks:
  • IoCreateDevice
  • PoRequestPowerIrp
  • ExAllocatePoolWithTag
  • ExFreePoolWithTag
  • ExAllocatePool
  • ExFreePool
Shims are applied from the MiDriverLoadSucceeded function, by IAT hooking in KsepApplyShimsToDriver.

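As an added illustration of the mechanism above (example code written for this page, not code from ntoskrnl or from the post), here is a user-mode model of a shim's hook table being applied to a driver's import address table, using the Win7VersionLieShim behaviour as the payload: the driver's IAT slot for RtlGetVersion is overwritten with a hook that reports 6.1 instead of 6.2. The table layouts, the matching-by-name rule, the version numbers and all function names except RtlGetVersion/ExAllocatePoolWithTag are assumptions made for the illustration; the real KSE descriptors are not public.

```c
/* User-mode model of a KSE shim's hook table being applied to a driver's
 * import address table (IAT). Layouts, names and version numbers are
 * assumptions for this illustration, not the real kernel structures. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { uint32_t major, minor, build; } os_version_t;
typedef void (*generic_fn_t)(void);                 /* opaque code pointer, as in an IAT slot */
typedef int (*rtl_get_version_t)(os_version_t *);

/* The kernel's real export: reports Windows 8 (6.2). */
static int real_RtlGetVersion(os_version_t *v)
{
    v->major = 6; v->minor = 2; v->build = 9200;
    return 0;
}

/* The shim's replacement: call the real one, then lie and report Windows 7 (6.1). */
static int lie_RtlGetVersion(os_version_t *v)
{
    real_RtlGetVersion(v);
    v->major = 6; v->minor = 1; v->build = 7601;
    return 0;
}

static void real_ExAllocatePoolWithTag(void) { }   /* another import, untouched by this shim */

typedef struct { const char *name; generic_fn_t target; } iat_entry_t;  /* one resolved import */
typedef struct { const char *name; generic_fn_t hook; } hook_entry_t;   /* one HookTab entry (assumed) */

static const hook_entry_t win7_version_lie_hooks[] = {
    { "RtlGetVersion", (generic_fn_t)lie_RtlGetVersion },
};

/* KsepApplyShimsToDriver-style pass: overwrite every IAT slot whose import
 * name appears in the hook table. Returns the number of slots patched. */
int apply_shim(iat_entry_t *iat, size_t n_iat, const hook_entry_t *hooks, size_t n_hooks)
{
    int patched = 0;
    for (size_t i = 0; i < n_iat; i++)
        for (size_t j = 0; j < n_hooks; j++)
            if (strcmp(iat[i].name, hooks[j].name) == 0) {
                iat[i].target = hooks[j].hook;
                patched++;
            }
    return patched;
}

/* The driver's own version check, which goes through its IAT slot. */
static uint32_t driver_queries_version(const iat_entry_t *iat, size_t n_iat)
{
    for (size_t i = 0; i < n_iat; i++)
        if (strcmp(iat[i].name, "RtlGetVersion") == 0) {
            os_version_t v;
            ((rtl_get_version_t)iat[i].target)(&v);
            return (v.major << 16) | v.minor;
        }
    return 0;
}

/* "Load" a fake driver, optionally shim it, and return (major << 16) | minor as
 * the driver sees it. *patched receives the number of hooked imports (may be NULL). */
uint32_t shim_demo(int shimmed, int *patched)
{
    iat_entry_t iat[] = {
        { "ExAllocatePoolWithTag", (generic_fn_t)real_ExAllocatePoolWithTag },
        { "RtlGetVersion",         (generic_fn_t)real_RtlGetVersion },
    };
    size_t n = sizeof iat / sizeof iat[0];
    int count = shimmed ? apply_shim(iat, n, win7_version_lie_hooks,
                                     sizeof win7_version_lie_hooks / sizeof win7_version_lie_hooks[0])
                        : 0;
    if (patched) *patched = count;
    return driver_queries_version(iat, n);   /* 0x60002 unshimmed, 0x60001 shimmed */
}
```

The point for a checker such as wincheck is the last line: after the shim has run, the driver's IAT slot no longer points into ntoskrnl's export, which is exactly the kind of IAT mismatch an integrity tool can flag (and must be able to distinguish from a genuine hook).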
Wednesday, June 27, 2012

wincheck rc8.19

Download mirror
Changelog:
  • Add -pofx option to dump & check plugins registered with PoFxRegisterPluginEx
  • Add dumping of w8-specific ETW trace callbacks (with the -wmi option)
  • ole32 channel hook checking works again on the w8 release preview
  • Add checking of ole32!NdrOleExportForwardTable & ole32!NdrOleExportForwardTable
  • Add checking of ntdll!RtlpDebugPageHeapXXX handlers (works only for 32-bit processes)
  • some other bugs were fixed

Tuesday, June 26, 2012

CoRegisterChannelHook in w8 consumer preview

It is declared in ole32.dll as a forwarded export to COMBASE.CoRegisterChannelHook,
but combase.dll has no such exported name, he-he.
So wincheck cannot find some COM-related structures on the w8 consumer preview. On the w8 dev preview everything works fine.

Sunday, June 24, 2012

binary tree for multithread access

Task
I need a binary tree structure for concurrent access from multiple threads, where some threads do searching and others perform insert/delete operations. This structure must work both in kernel and user mode.

Solutions
Let's add a sync primitive to each tree node - an SRWLock in user mode and an EX_PUSH_LOCK in kernel mode. Clearly a reader can acquire the lock shared while a writer takes it exclusive. Because the order of lock acquisition always has to be the same, we need a tree structure with top-down rebalancing (I hope this is the right assumption). So let's see which kinds of trees allow such operations:
  1. weight-balanced tree. Drawback: it needs floating point, so in kernel mode we must take care of saving/restoring the FPU context
  2. classical B-tree. I think there may be a problem with granularity - when a node contains a large number of keys and we need to lock it exclusively, all search operations are blocked from this node down to the lowest level of its children
  3. red-black tree. Looks like a good candidate, but sadly I cannot find a plain C implementation with top-down rebalancing :-(
Am I missing something important?

generic access rights mapping in w8

Values are the four GENERIC_MAPPING fields (GenericRead, GenericWrite, GenericExecute, GenericAll) in hex. A dash in the object type column means the mapping is not tied to a named object type variable.

Mapping                         Object type                         Read     Write    Execute  All
AlpcpPortMapping                AlpcPortObjectType                  20001    10001    0        1F0001
EtwpGenericMapping              EtwpRealTimeConnectionObjectType    2000D    20062    20E90    20EFF
ExpCallbackMapping              ExCallbackObjectType                20000    20001    120000   1F0001
ExpCompositionSurfaceMapping    ExCompositionSurfaceObjectType      20000    20000    20000    F0000
ExpDesktopMapping               ExDesktopObjectType                 20000    20000    20000    F0000
ExpEventMapping                 ExEventObjectType                   20001    20002    120000   1F0003
ExpEventPairMapping             ExEventPairObjectType               120000   120000   120000   1F0000
ExpMutantMapping                ExMutantObjectType                  20001    20000    120000   1F0001
ExpProfileMapping               ExProfileObjectType                 20001    20001    20001    F0001
ExpSemaphoreMapping             ExSemaphoreObjectType               20001    20002    120000   1F0003
ExpTimerMapping                 ExTimerObjectType                   20001    20002    120000   1F0003
ExpWindowStationMapping         ExWindowStationObjectType           20000    20000    20000    F0000
ExpWnfNotificationMapping       -                                   12000121F00001F0013 (as printed; column boundaries not recoverable)
ExpWorkerFactoryMapping         ExpWorkerFactoryObjectType          20008    20004    20003    F00FF
IopCompletionMapping            IoCompletionObjectType              20001    20002    120000   1F0003
IopFileMapping                  IoFileObjectType                    120089   120116   1200A0   1F01FF
IopWaitCompletionMapping        IopWaitCompletionPacketObjectType   20001    20001    20001    F0001
MiSectionMapping                MmSectionObjectType                 20005    20002    20008    F001F
MiSessionMapping                MmSessionObjectType                 2000120002120001F0003 (as printed; column boundaries not recoverable)
ObpDirectoryMapping             ObpDirectoryObjectType              20003    2000C    20003    F000F
ObpSymbolicLinkMapping          ObpSymbolicLinkObjectType           20001    20000    20001    F0001
ObpTypeMapping                  ObpTypeObjectType                   20000    20000    20000    F0001
PiAuLocalSystemSecurityMapping  -                                   20000    20000    20000    F0000
PiAuSecurityObjectMapping       -                                   20001    20042    20024    F00FF
PopPowerRequestMapping          PopPowerRequestObjectType           20000    20000    20000    1F0000
PspJobMapping                   PsJobType                           20004    2000B    120000   1F001F
PspMemReserveMapping            -                                   20001    20002    20000    F0003
PspProcessMapping               PsProcessType                       20410    20BEA    121001   1FFFFF
PspThreadMapping                PsThreadType                        20048    20437    120800   1FFFFF
SepTokenMapping                 SeTokenObjectType                   2001A    201E0    20005    F01FF
StandardBitMapping              -                                   20000    10D0000  100000   11F0000
SystemContextGenericMapping     -                                   20001    20000    20000    1F0001
WmipGenericMapping              WmipGuidObjectType                  1        2        10       120FFF
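As an added example of what these tables are used for (example code written for this page, not from the post or from Windows), here is the translation that RtlMapGenericMask performs when a caller asks for GENERIC_READ/WRITE/EXECUTE/ALL on an object: each generic bit is replaced by the object type's specific rights from its GENERIC_MAPPING and the generic bits are cleared. The GENERIC_* constants are the winnt.h values; the three mapping rows are copied from the table above. The reverse helper, implied_generic, is my own addition for auditing an ACE mask and is not a Windows API.

```c
/* Generic-to-specific access mapping, as RtlMapGenericMask does it, using
 * rows of the GENERIC_MAPPING table above. */
#include <stdint.h>

/* Generic access bits from winnt.h. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_BITS    (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

typedef struct {
    uint32_t generic_read, generic_write, generic_execute, generic_all;
} generic_mapping_t;                       /* same field order as GENERIC_MAPPING */

/* Rows copied from the table above. */
static const generic_mapping_t PspProcessMapping = { 0x20410,  0x20BEA,  0x121001, 0x1FFFFF };
static const generic_mapping_t IopFileMapping    = { 0x120089, 0x120116, 0x1200A0, 0x1F01FF };
static const generic_mapping_t ExpEventMapping   = { 0x20001,  0x20002,  0x120000, 0x1F0003 };

/* Replace each set GENERIC_* bit with the object type's specific rights for
 * it, then clear the generic bits; specific bits already present survive. */
uint32_t map_generic_mask(uint32_t access, const generic_mapping_t *m)
{
    if (access & GENERIC_READ)    access |= m->generic_read;
    if (access & GENERIC_WRITE)   access |= m->generic_write;
    if (access & GENERIC_EXECUTE) access |= m->generic_execute;
    if (access & GENERIC_ALL)     access |= m->generic_all;
    return access & ~GENERIC_BITS;
}

/* Reverse question, useful when reading an ACE: which generic rights does a
 * specific mask fully cover? A mapping field of 0 (e.g. ALPC's GenericExecute
 * above) is trivially covered, so check for that case when it matters. */
uint32_t implied_generic(uint32_t specific, const generic_mapping_t *m)
{
    uint32_t g = 0;
    if ((specific & m->generic_read)    == m->generic_read)    g |= GENERIC_READ;
    if ((specific & m->generic_write)   == m->generic_write)   g |= GENERIC_WRITE;
    if ((specific & m->generic_execute) == m->generic_execute) g |= GENERIC_EXECUTE;
    if ((specific & m->generic_all)     == m->generic_all)     g |= GENERIC_ALL;
    return g;
}
```

For example, GENERIC_READ on a process becomes 0x20410, GENERIC_READ|GENERIC_WRITE on a file becomes 0x12019F, and a file mask of 0x1200A0 covers only GENERIC_EXECUTE, not GENERIC_READ, because FILE_GENERIC_READ needs the 0x9 bits (FILE_READ_DATA|FILE_READ_EA) that 0x1200A0 lacks.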

Saturday, June 23, 2012

new TRACE_INFORMATION_CLASS in w8

The official documentation for WmiQueryTraceInformation says that TRACE_INFORMATION_CLASS has only 10 values. Although the build date of this documentation is 6/11/2012, in reality there are some more values:
  • 0xB - returns the address of EtwpDiskIoNotifyRoutines. TraceInformationLength = sizeof(PVOID)
  • 0xC - copies the contents of EtwpAllNotifyRoutines. TraceInformationLength = 0xD * sizeof(PVOID) (on the w8 consumer preview the size must be 0xE * sizeof(PVOID))
  • 0xD - returns the address of EtwpFltIoNotifyRoutines. TraceInformationLength = sizeof(PVOID)
  • 0xE - returns the address of the EtwpTraceHypervisorStackwalk function. TraceInformationLength = sizeof(PVOID)
  • 0xF - copies the address of EtwpWdfNotifyRoutines. TraceInformationLength = sizeof(PVOID)

Friday, June 22, 2012

How to find IopRootDeviceNode

using static analysis only?
Let's see.

xp/w2k3/vista
From the exported function IoPnPDeliverServicePowerNotification:

     lea     eax, [esp+38h+Object]
     push    eax             ; Object
     call    _KeWaitForSingleObject@20

     cmp     [esp+28h+var_20], ebx
     jge     short loc_64963A
     lea     eax, [esp+28h+var_18]
     push    eax
     push    [esp+2Ch+var_1C]
     mov     eax, _IopRootDeviceNode
     push    dword ptr [eax+0B8h]
     push    [ebp+arg_0]
     call    _PnpSetPowerVetoEvent@24


KeWaitForSingleObject is called only once in the whole code graph of this function, which makes its call site a usable anchor for locating the mov eax, _IopRootDeviceNode that follows it.
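As an added example of turning the observation above into a signature scan (example code written for this page, not wincheck's code), here is a C scanner that anchors on the one call to KeWaitForSingleObject and then looks for the mov eax,[imm32] / push dword ptr [eax+0B8h] pair, returning imm32 as the address of IopRootDeviceNode. The byte buffer is constructed by hand from the listing above with made-up addresses (image base 0x80400000, KeWaitForSingleObject at 0x80410000, IopRootDeviceNode at 0x80551234) and a decoy global before the call to show why the anchor matters; the 0xB8 offset is the one from the xp/w2k3/vista listing and would need re-checking for other builds.

```c
/* Byte-signature scan for the IopRootDeviceNode reference shown above.
 * Anchored on the call to KeWaitForSingleObject, then looking for
 *     mov eax, [imm32]            ; A1 imm32
 *     push dword ptr [eax+0B8h]   ; FF B0 B8 00 00 00
 * which yields imm32 = &IopRootDeviceNode (32-bit kernels only). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Match "mov eax,[imm32]; push dword ptr [eax+0B8h]" at p. */
static int match_root_node_ref(const uint8_t *p, size_t remaining, uint32_t *out)
{
    static const uint8_t push_eax_b8[] = { 0xFF, 0xB0, 0xB8, 0x00, 0x00, 0x00 };
    if (remaining < 5 + sizeof push_eax_b8 || p[0] != 0xA1) return 0;
    if (memcmp(p + 5, push_eax_b8, sizeof push_eax_b8) != 0) return 0;
    *out = rd32(p + 1);
    return 1;
}

/* Naive variant: first matching pair anywhere in the buffer (picks up decoys). */
uint32_t scan_first_ref(const uint8_t *code, size_t len)
{
    uint32_t addr;
    for (size_t i = 0; i < len; i++)
        if (match_root_node_ref(code + i, len - i, &addr)) return addr;
    return 0;
}

/* Anchored variant: find the "call rel32" whose target is kewait_va (the
 * address of KeWaitForSingleObject, resolved from the export table), then
 * take the first matching pair after it. code_va is the VA of code[0].
 * Returns 0 if nothing matches. */
uint32_t find_iop_root_device_node(const uint8_t *code, size_t len,
                                   uint32_t code_va, uint32_t kewait_va)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8) continue;
        /* rel32 is signed; uint32 wraparound gives the same result as the CPU */
        uint32_t target = code_va + (uint32_t)i + 5 + rd32(code + i + 1);
        if (target != kewait_va) continue;
        return scan_first_ref(code + i + 5, len - i - 5);
    }
    return 0;
}

/* Constructed sample (not real ntoskrnl bytes). Assumed VAs: buffer at
 * 0x80400000, KeWaitForSingleObject at 0x80410000, IopRootDeviceNode at
 * 0x80551234; a decoy global at 0x80551000 precedes the call. */
static const uint8_t sample_code[] = {
    0xA1, 0x00, 0x10, 0x55, 0x80,             /* mov eax, [80551000h]  (decoy) */
    0xFF, 0xB0, 0xB8, 0x00, 0x00, 0x00,       /* push dword ptr [eax+0B8h] */
    0x8D, 0x44, 0x24, 0x38,                   /* lea eax, [esp+38h] */
    0x50,                                     /* push eax */
    0xE8, 0xEB, 0xFF, 0x00, 0x00,             /* call KeWaitForSingleObject (rel32 0xFFEB) */
    0xA1, 0x34, 0x12, 0x55, 0x80,             /* mov eax, _IopRootDeviceNode */
    0xFF, 0xB0, 0xB8, 0x00, 0x00, 0x00,       /* push dword ptr [eax+0B8h] */
    0xFF, 0x75, 0x08,                         /* push [ebp+arg_0] */
    0xE8, 0x00, 0x00, 0x00, 0x00,             /* call _PnpSetPowerVetoEvent@24 */
};
```

On the sample, the naive scan returns the decoy 0x80551000 while the anchored scan returns 0x80551234; with a wrong KeWaitForSingleObject address it returns 0 rather than guessing, which is the behaviour you want from a static-analysis heuristic that will later be used to read a kernel pointer.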

Saturday, June 16, 2012

Sublime Text 2

Installed this nice editor today. One minor problem is that it has no support for asm out of the box. A Google search gives a link to x86-assembly-textmate-bundle, but it seems to have been made only for 32-bit GAS syntax. So I made a patch for it - adding more registers, instructions and some keywords from yasm/nasm.
Result:
Patch

Friday, June 15, 2012

wincheck rc8.18

Download mirror
Changelog:
  • more support for the w8 release preview added. win32k.sys related checks now work
  • add -alpc option to show clients of ALPC RPC ports (since vista)
  • add checking of some rpcrt4.dll tables
  • some other bugs (especially w8rp related) were fixed

Monday, June 11, 2012

Saturday, June 9, 2012

!alpc /lpc

First - this command doesn't work on vista:

lkd> !object \Sessions\1\Windows\SbApiPort
Object: 89c40ed0  Type: (82b6fed0) ALPC Port
    ObjectHeader: 89c40eb8 (old version)
    HandleCount: 1  PointerCount: 4
    Directory Object: 8fe397e0  Name: SbApiPort
lkd> !alpc /lpc 89c40ed0
Error querying field CommunicationInfo of structure nt!_ALPC_PORT at 89c40ed0
Port @89c40ed0 is not a connection port.


Second - I think it just doesn't work.

Friday, June 8, 2012

windows internals 6th edition

page 271:
Compile-time hotpatching support works by adding 7 additional bytes to the beginning of each function—4 are considered part of the end of the previous function, and 2 are part of the function prolog—that is, the function's beginning.
4 + 2 = 6. I double-checked with calc.exe, he-he

page 590:
In the next chapter, we'll look at the I/O system.
The next (7th) chapter is named Networking

List of other errata

Wednesday, June 6, 2012

wincheck rc8.17

Download mirror
Changelog:
  • Add initial support for the windows 8 release preview. The pdb for 32-bit win32k.sys is still unavailable, so all win32k related checks do not work. Also I am sure that this version is very far from full support of the w8 release preview (although it is much better than rc8.16, which just crashes on w8 rp)
  • Add -acpi option to check some ACPI tables
  • Fixed Etw structures for wow64 apps

Tuesday, June 5, 2012

CmControlVector for w8

New table for the windows8 dev preview, consumer preview & release preview

ida 6.3

Changelog
Most useful fix:
PC: added support for "int 29h" (__fastfail call on win8)
So IDA is now w8 aware, he-he

Sunday, June 3, 2012

Saturday, June 2, 2012

Windows 8 Release Preview

ISO images can be downloaded here
WDK 8 Release Preview

Update: not all pdbs are uploaded yet - for example for win32k.sys I got:
SYMSRV:  http://msdl.microsoft.com/download/symbols/win32k.pdb/DB9745D3386F4192BB1B0B65936BCD5F2/win32k.pdb not found
he-he