суббота, 30 июня 2012 г.

kernel shims in w8

It seems that windows 8 kernel now has some support for driver shims.
Exported functions to provide this functionality are:
  • KseRegisterShim
  • KseRegisterShimEx
  • KseUnregisterShim
Shim descriptor has structure like this one:

struct shim_descriptor
  DWORD Size;
  GUID *guid;
  wchar_t *Name;
  PVOID unk1;
  PVOID HookDriverUntargeted; // func ptr
  PVOID HookDriverTargeted;   // func ptr
  PVOID HookTab;              // ptr to hooks descriptor table

KseRegisterShim called twice in ntoskrnl.exe with two shim descriptors:

GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks RtlGetVersion & PsGetVersion functions

GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
  • IoCreateDevice
  • PoRequestPowerIrp
  • ExAllocatePoolWithTag
  • ExFreePoolWithTag
  • ExAllocatePool
  • ExFreePool
Sims apply in MiDriverLoadSucceeded function (by IAT hooking in KsepApplyShimsToDriver):

    call _VfDriverLoadImage@16  ; install driver verifier hooks
    push 0
    push edi
    call _KseDriverLoadImage@8  ; install shim hooks

Shims receive notifications after driver loading in IopLoadDriver function:
    push ebx
    push esi
    call dword ptr [esi+2Ch] ; DRIVER_OBJECT.DriverInit
    mov edi, eax
    test edi, edi
    js  short loc_6D531D
    lea eax, [ebp+Destination]
    push eax   

    push esi
    call _VfXdvDriverCaptureIoCallbacks@12 ; notify driver verifier

    lea eax, [ebp+Destination]
    push eax
    mov eax, esi
    call _KseShimDriverIoCallbacks@12   ; notify shim

All registered shims are stored in KseEngine variable. It can be found with static analysis from KseUnregisterShim function:

    mov eax, offset unk_5D5F7C ; pushlock inside KseEngine (offset 0x1C)
    lock bts dword ptr [eax], 0
    jnb short loc_7A6984
    mov ecx, eax
    call @ExfAcquirePushLockExclusive@4
    lea eax, [ebp+P]
    push eax
    push dword ptr [esi+4]
    mov eax, offset _KseEngine ; 0x5D5F60
    call _KsepIsShimRegistered@16

ExfAcquirePushLockExclusive called once in whole KseUnregisterShim function code-flow graph and next ref to .data section gives KseEngine address

Комментариев нет:

Отправить комментарий