The exported functions that provide this functionality are:
- KseRegisterShim
- KseRegisterShimEx
- KseUnregisterShim
```c
struct shim_descriptor
{
    DWORD    Size;                  // size of this descriptor
    GUID    *guid;                  // pointer to the shim GUID
    wchar_t *Name;                  // pointer to the shim name (wide string)
    PVOID    unk1;
    PVOID    HookDriverUntargeted;  // func ptr
    PVOID    HookDriverTargeted;    // func ptr
    PVOID    HookTab;               // ptr to hooks descriptor table
};
```
KseRegisterShim is called twice in ntoskrnl.exe, with two shim descriptors:

Win7VersionLieShim
GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks the RtlGetVersion and PsGetVersion functions.

KseDsShim
GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
Hooks:
- IoCreateDevice
- PoRequestPowerIrp
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- ExAllocatePool
- ExFreePool
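To make the descriptor layout concrete, here is an added example (not code from the original post) that parses a 32-bit shim_descriptor out of a memory image, follows the guid and Name pointers, and decodes the GUID in its little-endian on-disk form. The image, its load address (0x5D0000) and the hook function addresses are constructed for the example; only the field layout and the Win7VersionLieShim GUID come from the notes above.

```python
import struct
import uuid

# 32-bit layout of shim_descriptor: seven 4-byte fields, 0x1C bytes in total.
# Field order follows the struct above; pointers are 32-bit virtual addresses.
SHIM_DESCRIPTOR_FMT = "<IIIIIII"
SHIM_DESCRIPTOR_SIZE = struct.calcsize(SHIM_DESCRIPTOR_FMT)  # 28 == 0x1C

BASE = 0x5D0000  # constructed load address of the sample image (assumption)


def build_sample_image() -> bytes:
    """Constructed memory image: a descriptor at BASE, its GUID at BASE+0x40,
    its UTF-16LE name at BASE+0x60 and a (fake) hook table at BASE+0xA0."""
    img = bytearray(0x100)
    guid_va, name_va, hooktab_va = BASE + 0x40, BASE + 0x60, BASE + 0xA0
    struct.pack_into(SHIM_DESCRIPTOR_FMT, img, 0,
                     SHIM_DESCRIPTOR_SIZE,  # Size
                     guid_va,               # guid
                     name_va,               # Name
                     0,                     # unk1
                     0x6A1000,              # HookDriverUntargeted (constructed)
                     0x6A1100,              # HookDriverTargeted   (constructed)
                     hooktab_va)            # HookTab
    # GUID from the post, stored as Windows stores it (Data1..Data3 little-endian).
    img[0x40:0x50] = uuid.UUID("3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3").bytes_le
    name = "Win7VersionLieShim".encode("utf-16-le") + b"\x00\x00"
    img[0x60:0x60 + len(name)] = name
    return bytes(img)


def read_utf16z(image: bytes, base: int, va: int) -> str:
    """Read a NUL-terminated UTF-16LE string at virtual address va."""
    off = end = va - base
    while image[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(image):
            raise ValueError("unterminated wide string")
    return image[off:end].decode("utf-16-le")


def parse_shim_descriptor(image: bytes, base: int, va: int) -> dict:
    """Decode one shim_descriptor located at virtual address va."""
    off = va - base
    (size, guid_va, name_va, unk1,
     untargeted, targeted, hooktab) = struct.unpack_from(SHIM_DESCRIPTOR_FMT, image, off)
    if size < SHIM_DESCRIPTOR_SIZE:
        raise ValueError(f"Size field 0x{size:X} smaller than the known layout")
    goff = guid_va - base
    # bytes_le interprets the first three GUID fields as little-endian,
    # which is how the GUID structure is laid out in memory.
    guid = uuid.UUID(bytes_le=image[goff:goff + 16])
    return {
        "size": size,
        "guid": str(guid).upper(),
        "name": read_utf16z(image, base, name_va),
        "unk1": unk1,
        "hook_driver_untargeted": untargeted,
        "hook_driver_targeted": targeted,
        "hook_tab": hooktab,
    }


if __name__ == "__main__":
    img = build_sample_image()
    for k, v in parse_shim_descriptor(img, BASE, BASE).items():
        print(f"{k:24} {v:#x}" if isinstance(v, int) else f"{k:24} {v}")
```

The same parser applies to a real kernel memory dump once the load address is known; the Size check is only a sanity check that the descriptor is at least as large as the known layout.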
```asm
call _VfDriverLoadImage@16 ; install driver verifier hooks
push 0
push edi
call _KseDriverLoadImage@8 ; install shim hooks
```
Shims receive notifications after driver loading in the IopLoadDriver function:
```asm
push ebx
push esi
call dword ptr [esi+2Ch] ; DRIVER_OBJECT.DriverInit
mov edi, eax
test edi, edi
js short loc_6D531D
lea eax, [ebp+Destination]
push eax
push esi
call _VfXdvDriverCaptureIoCallbacks@12 ; notify driver verifier
lea eax, [ebp+Destination]
push eax
mov eax, esi
call _KseShimDriverIoCallbacks@12 ; notify shim
```
All registered shims are stored in the KseEngine variable. It can be located by static analysis starting from the KseUnregisterShim function:
```asm
mov eax, offset unk_5D5F7C ; pushlock inside KseEngine (offset 0x1C)
lock bts dword ptr [eax], 0
jnb short loc_7A6984
mov ecx, eax
call @ExfAcquirePushLockExclusive@4
loc_7A6984:
lea eax, [ebp+P]
push eax
push dword ptr [esi+4]
mov eax, offset _KseEngine ; 0x5D5F60
call _KsepIsShimRegistered@16
```
ExfAcquirePushLockExclusive is called only once in the whole control-flow graph of KseUnregisterShim, and the next reference to the .data section after that call gives the KseEngine address.
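The locating heuristic just described can be scripted over a disassembly listing. The following is an added example, not code from the original post: it finds the single call to @ExfAcquirePushLockExclusive@4, takes the last .data reference before it as the pushlock and the first .data reference after it as KseEngine, and checks that the two are consistent (the pushlock should sit a small offset inside KseEngine). The listing is a constructed copy of the fragment above with auto-generated unk_* names in place of the resolved symbol, and the .data section bounds are an assumption for the sample.

```python
import re

# Constructed sample listing modelled on the KseUnregisterShim fragment above.
# In an unannotated listing the KseEngine reference is an auto-named unk_*
# symbol; the name itself is what carries the address.
SAMPLE_LISTING = """\
mov     eax, offset unk_5D5F7C
lock bts dword ptr [eax], 0
jnb     short loc_7A6984
mov     ecx, eax
call    @ExfAcquirePushLockExclusive@4
loc_7A6984:
lea     eax, [ebp+P]
push    eax
push    dword ptr [esi+4]
mov     eax, offset unk_5D5F60
call    _KsepIsShimRegistered@16
"""

# Assumed .data section bounds for the sample (start, end).
DATA_SECTION = (0x5D5000, 0x5D7000)

OFFSET_RE = re.compile(r"\boffset\s+(\w+)")
AUTONAME_RE = re.compile(r"^(?:unk|byte|word|dword)_([0-9A-Fa-f]+)$")
CALL_RE = re.compile(r"^\s*call\s+(\S+)")


def symbol_address(sym: str):
    """Resolve an auto-generated IDA-style name (unk_XXXX, dword_XXXX) to its address."""
    m = AUTONAME_RE.match(sym)
    return int(m.group(1), 16) if m else None


def data_refs(lines, data_section):
    """Yield (line_index, address) for every 'offset sym' operand inside .data."""
    lo, hi = data_section
    for i, line in enumerate(lines):
        for sym in OFFSET_RE.findall(line):
            addr = symbol_address(sym)
            if addr is not None and lo <= addr < hi:
                yield i, addr


def find_kse_engine(listing: str, data_section=DATA_SECTION,
                    lock_fn: str = "@ExfAcquirePushLockExclusive@4") -> dict:
    """Apply the heuristic: one pushlock call, .data ref before it is the
    pushlock, first .data ref after it is KseEngine."""
    lines = listing.splitlines()
    calls = [i for i, l in enumerate(lines)
             if (m := CALL_RE.match(l)) and m.group(1) == lock_fn]
    if len(calls) != 1:
        raise ValueError(f"expected exactly one call to {lock_fn}, found {len(calls)}")
    call_idx = calls[0]
    refs = list(data_refs(lines, data_section))
    before = [a for i, a in refs if i < call_idx]
    after = [a for i, a in refs if i > call_idx]
    if not before or not after:
        raise ValueError("missing .data reference before/after the pushlock call")
    pushlock, engine = before[-1], after[0]
    # Consistency check: the pushlock is embedded in KseEngine, so it must lie
    # at a small non-negative offset from the structure start.
    if not 0 <= pushlock - engine < 0x100:
        raise ValueError(f"pushlock {pushlock:#x} does not sit inside {engine:#x}")
    return {"kse_engine": engine, "pushlock": pushlock,
            "pushlock_offset": pushlock - engine}


if __name__ == "__main__":
    r = find_kse_engine(SAMPLE_LISTING)
    print(f"KseEngine at {r['kse_engine']:#x}, pushlock at +{r['pushlock_offset']:#x}")
```

The offset check is what makes the heuristic robust: if the function ever gains a second .data reference between the lock acquire and the KsepIsShimRegistered call, the result would fail the "pushlock inside KseEngine" test instead of silently returning the wrong address.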