There are several new exported functions in ntdll.dll related to it:
- RtlAllocateWnfSerializationGroup
- RtlEqualWnfChangeStamps
- RtlPublishWnfStateData
- RtlQueryWnfMetaNotification
- RtlQueryWnfStateData
- RtlQueryWnfStateDataWithExplicitScope
- RtlRegisterForWnfMetaNotification
- RtlSubscribeWnfStateChangeNotification
- RtlTestAndPublishWnfStateData
- RtlUnsubscribeWnfNotificationWaitForCompletion
- RtlUnsubscribeWnfNotificationWithCompletionCallback
- RtlUnsubscribeWnfStateChangeNotification
- RtlWaitForWnfMetaNotification
- RtlWnfCompareChangeStamp
- RtlWnfDllUnloadCallback
- RtlpWnfNotificationThread - this one is actually called from kernel mode
- NtWaitForWnfNotifications
- NtUnsubscribeWnfStateChange
- NtUpdateWnfStateData
- NtSubscribeWnfStateChange
- NtQueryWnfStateData
- NtQueryWnfStateNameInformation
- NtDeleteWnfStateName
- NtDeleteWnfStateData
- NtCreateWnfStateName
The root structure is stored in an unnamed global pointer. Code from the function RtlpWnfNotificationThread:
lea eax, [ebp+var_10]
mov large fs:0, eax
mov [ebp+var_18], esp
mov eax, 1
mov [ebp+var_28], eax
mov [ebp+var_30], eax
call _RtlRegisterThreadWithCsrss@0
mov [ebp+var_3C], 0
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+var_38], ebx
cmp wnf_root, ebx ; look here
jz loc_6A291998
...
loc_6A291998:
push 0
call _RtlExitUserThread@4
I named this pointer wnf_root. It is initialized in the function RtlpInitializeWnf, and its structure can be partially recovered as:
// Process-wide WNF root, reached through the unnamed ntdll global that the
// post names wnf_root (initialized in RtlpInitializeWnf). Every field is
// pointer-sized, so the field offsets differ between 32-bit and 64-bit ntdll.
// Only the leading fields are recovered; the trailing "..." is unknown.
struct my_wnf_root
{
PVOID signature; // X00911 — presumably a tag/magic value; confirm against RtlpInitializeWnf
PVOID lock1; // srw lock (which list it guards is not established here)
LIST_ENTRY List; // list of wnf_tier
PVOID lock2; // srw lock
LIST_ENTRY List2; // second list; its contents were not recovered
...
};
The next structure, linked into my_wnf_root.List, is my_wnf_tier:
// Intermediate node linked into my_wnf_root.List; each tier in turn owns a
// list of my_wnf_item subscriptions. unk1/unk2 were not recovered.
struct my_wnf_tier
{
LIST_ENTRY List; // list of my_wnf_tiers (linked from my_wnf_root.List)
PVOID unk1; // not recovered
PVOID unk2; // not recovered
LIST_ENTRY Items; // list of wnf_item
};
The final struct we need in order to see the notifiers is my_wnf_item; it can be recovered from the function RtlSubscribeWnfStateChangeNotificationInternal:
// One subscription record, recovered from RtlSubscribeWnfStateChangeNotificationInternal.
// notify is a raw code pointer, so a tool that walks these lists should resolve
// it to a loaded module (as the sample output below does); an entry whose
// callback does not map into a known image is worth a closer look.
struct my_wnf_item
{
LIST_ENTRY List; // list of my_wnf_items (linked from my_wnf_tier.Items)
IID *iid; // ptr to registration GUID (printed as "iid" in the sample)
PBYTE notify; // ptr to function (the callback address printed after the GUID in the sample)
};
Traversing these structures is easy: walk wnf_root->List to reach each wnf_tier, and wnf_tier->Items to reach each my_wnf_item.
Sample output from Windows Server 2012:
CheckProcess PID 3300 (C:\Windows\explorer.exe):
WnfRoot: 0000000000E4DCA0
Wnf[0] at 000000000689BA78: iid 00700912-9845-A3BE-6D4E-C64108000000 - 000007FC7F7C5420 (C:\Windows\SYSTEM32\sechost.dll)
Wnf[1] at 0000000008820558: iid 00700912-A845-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[2] at 00000000088203F8: iid 00700912-A045-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[3] at 000000000881F168: iid 00700912-9845-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[4] at 00000000088206B8: iid 00700912-1075-A3BC-201B-944100000000 - 000007FC72345C00 (C:\Windows\System32\pnidui.dll)
Wnf[5] at 000000000881F008: iid 00700912-0875-A3BC-201B-944100000000 - 000007FC72345C00 (C:\Windows\System32\pnidui.dll)
Wnf[6] at 00000000087E0038: iid 00700912-C045-A3BD-6D4E-C64104000000 - 000007FC7F7C4DB0 (C:\Windows\SYSTEM32\sechost.dll)
Wnf[7] at 000000000881F378: iid 00700912-C045-A3BD-6D4E-C64104000000 - 000007FC7F7C4DB0 (C:\Windows\SYSTEM32\sechost.dll)
Wnf[8] at 00000000087DFB68: iid 00700912-0875-A3BC-3A0D-8B4100000000 - 000007FC79EC31D4 (C:\Windows\system32\NetworkStatus.dll)
Wnf[9] at 00000000087E0A88: iid 00700912-0835-A3BC-3905-840F00000000 - 000007FC711C0F20 (C:\Windows\System32\twinui.dll)
Wnf[10] at 00000000087E0718: iid 00700912-9045-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[11] at 00000000087E09D8: iid 00700912-8845-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[12] at 00000000087DFAB8: iid 00700912-8045-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[13] at 00000000087E05B8: iid 00700912-4845-A3BC-6D4E-C64101000000 - 000007FC7F7C4DB0 (C:\Windows\SYSTEM32\sechost.dll)
Wnf[14] at 00000000087DF538: iid 00700912-4845-A3BC-6D4E-C64101000000 - 000007FC7F7C5420 (C:\Windows\SYSTEM32\sechost.dll)
Wnf[15] at 00000000087E03A8: iid 00700912-7845-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[16] at 00000000087DF958: iid 00700912-7045-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[17] at 00000000087DF118: iid 00700912-6845-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[18] at 00000000087DFF88: iid 00700912-6045-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[19] at 00000000087E0D48: iid 00700912-4845-A3BA-6D4E-C64100000000 - 000007FC7970A2F4 (C:\Windows\System32\wpncore.dll)
Wnf[20] at 000000000689AE18: iid 00700912-5845-A3BA-6D4E-C64101000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[21] at 0000000004585508: iid 00700912-0875-A3BC-3E1C-854100000000 - 000007FC713F4B30 (C:\Windows\System32\twinui.dll)
Wnf[22] at 00000000087DF7F8: iid 00700912-0875-A3BC-3E1C-854100000000 - 000007FC79ECCC1C (C:\Windows\system32\NetworkStatus.dll)
Wnf[23] at 0000000000EE1218: iid 00700912-0875-A3BC-3D1D-C64100000000 - 000007FC71134304 (C:\Windows\System32\twinui.dll)
Wnf[24] at 0000000000EE10B8: iid 00700912-0875-A3BC-3D00-960300000000 - 000007FC71134304 (C:\Windows\System32\twinui.dll)
Wnf[25] at 0000000000EDFAB8: iid 00700912-2835-A3BC-2403-950F01000000 - 000007FC711FD1D4 (C:\Windows\System32\twinui.dll)
Wnf[26] at 0000000000EE0198: iid 00700912-1835-A3BC-2916-C64108000000 - 000007FC710C179C (C:\Windows\System32\twinui.dll)
Wnf[27] at 0000000000EE05B8: iid 00700912-1035-A3BC-2916-C64103000000 - 000007FC7B6861B0 (C:\Windows\SYSTEM32\SHCORE.dll)
Wnf[28] at 0000000000EE1168: iid 00700912-1835-A3BC-2403-950F01000000 - 000007FC7B6861B0 (C:\Windows\SYSTEM32\SHCORE.dll)
Wnf[29] at 0000000000EE0458: iid 00700912-0835-A3BC-3E1E-8F4100000000 - 000007FC7B6861B0 (C:\Windows\SYSTEM32\SHCORE.dll)
Wnf[30] at 0000000000EE0C98: iid 00700912-1035-A3BC-2403-950F00000000 - 000007FC7A2A87E0 (C:\Windows\System32\twinapi.dll)
Wnf[31] at 0000000000EE0EA8: iid 00700912-1035-A3BC-2403-950F00000000 - 000007FC71217840 (C:\Windows\System32\twinui.dll)
Wnf[32] at 0000000000EE1378: iid 00700912-1035-A3BC-2403-950F00000000 - 000007FC712178C0 (C:\Windows\System32\twinui.dll)
Wnf[33] at 0000000000EDF8A8: iid 00700912-1035-A3BC-2403-950F00000000 - 000007FC7A2A87E0 (C:\Windows\System32\twinapi.dll)
Wnf[34] at 0000000000EE07C8: iid 00700912-1035-A3BC-2403-950F00000000 - 000007FC71217890 (C:\Windows\System32\twinui.dll)
Wnf[35] at 0000000008820818: iid 00700912-1035-A3BC-2403-950F00000000 - 000007F72A4CBE30 (C:\Windows\Explorer.EXE)
Wnf[36] at 0000000000EE0BE8: iid 00700912-0835-A3BC-2403-950F02000000 - 000007FC7A2A8C80 (C:\Windows\System32\twinapi.dll)
Wnf[37] at 0000000000EE0718: iid 00700912-0835-A3BC-2403-950F02000000 - 000007FC7A2A8C80 (C:\Windows\System32\twinapi.dll)
Wnf[38] at 0000000000EE09D8: iid 00700912-0845-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[39] at 0000000000EE12C8: iid 00700912-0045-A3BA-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[40] at 0000000000EE0038: iid 00700912-F845-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[41] at 0000000000EE1428: iid 00700912-F045-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[42] at 0000000000EE03A8: iid 00700912-E845-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[43] at 0000000000EE1588: iid 00700912-E045-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[44] at 0000000000EDFF88: iid 00700912-D845-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[45] at 0000000000EE02F8: iid 00700912-D045-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[46] at 0000000000EDFCC8: iid 00700912-C845-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[47] at 0000000000E318B8: iid 00700912-C045-A3B9-6D4E-C64100000000 - 000007FC7D3281A0 (C:\Windows\SYSTEM32\cfgmgr32.dll)
Wnf[48] at 0000000000E31B78: iid 00700912-0875-A3BC-3F1E-850700000000 - 000007FC7D92C028 (C:\Windows\system32\RPCRT4.dll)
Wnf[49] at 0000000000E31CD8: iid 00700912-A845-A3B8-6D4E-C64104000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[50] at 0000000000EDFB68: iid 00700912-A845-A3B8-6D4E-C64104000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[51] at 0000000004585F58: iid 00700912-A845-A3B8-6D4E-C64104000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[52] at 000000000689AF78: iid 00700912-A845-A3B8-6D4E-C64104000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[53] at 000000000687C518: iid 00700912-A845-A3B8-6D4E-C64104000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[54] at 00000000087DF278: iid 00700912-A845-A3B8-6D4E-C64104000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[55] at 0000000000E31AC8: iid 00700912-E845-A3BF-6D4E-C64101000000 - 000007FC7D0F25D0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[56] at 00000000045853A8: iid 00700912-E845-A3BF-6D4E-C64101000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)
Wnf[57] at 00000000087DF698: iid 00700912-E845-A3BF-6D4E-C64101000000 - 000007FC7D0F20A0 (C:\Windows\SYSTEM32\powrprof.dll)