Just small perl script to parse dumpbin /imports output and make .dot file for graphviz
пятница, 28 декабря 2012 г.
среда, 26 декабря 2012 г.
пятница, 21 декабря 2012 г.
wincheck rc8.35
среда, 19 декабря 2012 г.
teb32 of wow64 process
It seems that internet is full of wrong recipes how to get subj (like this one - true anal surgery IMHO)
Actually answer is very simple - TEB32 is always located at offset 0x2000 after TEB
Proofs
Lets see for example function NtSetInformationThread in kernel for THREADINFOCLASS .eq. ThreadZeroTlsCell:
Next lets check MmCreateTeb function:
Actually answer is very simple - TEB32 is always located at offset 0x2000 after TEB
Proofs
Lets see for example function NtSetInformationThread in kernel for THREADINFOCLASS .eq. ThreadZeroTlsCell:
mov rcx, [r8+0F0h] ; load _KTHREAD.Teb in rcx
test rcx, rcx
jz loc_1403E521A
mov rax, [rbx+418h] ; EPROCESS.Wow64Process
test rax, rax
jz short loc_1403E5178 ; not wow64 process
lea r9, [rcx+2000h] ; wow64 process - load TEB32
loc_1403E5178:
mov edx, [rsp+118h+var_AC]
cmp edx, 40h
jnb short loc_1403E519F
test rax, rax ; again check for wow64 process
jnz short loc_1403E5190
mov [rcx+rdx*8+1480h], rsi ; store to TEB.TlsSlots[rdx]
loc_1403E5190:
test r9, r9
jz short loc_1403E520A
mov [r9+rdx*4+0E10h], esi ; store to TEB32.TlsSlots[rdx]
Next lets check MmCreateTeb function:
mov ebx, 1820h ; sizeof(TEB)
mov rax, [rcx+418h] ; EPROCESS.Wow64Process
mov [rsp+98h+var_78], rax
mov ecx, 2FE8h ; sizeof(TEB) rounded to page size + sizeof(TEB32)
test rax, rax ; check if this process is wow64
cmovnz ebx, ecx ; if yes apply size for both TEBs
lea rdx, [rsp+98h+var_60]
mov rcx, r12
call KeStackAttachProcess
lea r9, [rsp+98h+var_70]
mov r8d, ebx ; use this size as 3rd argument to
MiCreatePebOrTeb
mov rdx, rdi
mov rcx, r12
call MiCreatePebOrTeb
среда, 12 декабря 2012 г.
wincheck rc8.34
Download mirror
Changelog:
Changelog:
- add -usbport option for USB_CONTROLLER_INTERFACE checking
- some bugs were fixed
воскресенье, 9 декабря 2012 г.
A Primer on Scientific Programming with Python
I started reading subj and really enjoy even with acknowledgments:
Ståle Zerener Haugnæss, Kristian Hiorth, Arve Knudsen, Tobias Vidarssønn Langhoff, Martin Vonheim Larsen, Kine Veronica Lund, Solveig Masvie, Håkon Møller, Rebekka Mørken,IMHO all this names sound like norvegian true-black metal bands album titles. I have a strong hope that there will be at least a chapter how to burn wooden church using results maded with sci-python, he-he
Mathias Nedrebø
четверг, 6 декабря 2012 г.
wincheck rc8.33
Download mirror
Changelog:
Changelog:
- add -wdf option for checking of WdfFunctions for KMDF-based drivers
- some bugs were fixed
среда, 5 декабря 2012 г.
WdfFunctions.idc 64bit
Made supplement for WdfFunctions.idc for 64bit versions of KMDF. It seems that my windows server 2012 build 9200 has old Wdf01000.sys so this version of script supports WDFFUNCTIONS with size up to 0x18C only
вторник, 4 декабря 2012 г.
WdfFunctions.idc
I am tired to manually add _WDFFUNCTIONS structure from Wdf01000.sys to any KMDF based driver IDB so I wrote today simple IDC script to automate this activity
Script just try to find WdfFunctions in loaded IDB, extract size and add appropriate version of WDFFUNCTIONS structure. Supported following 32bit versions:
Script just try to find WdfFunctions in loaded IDB, extract size and add appropriate version of WDFFUNCTIONS structure. Supported following 32bit versions:
- vista (size 0x183)
- w7 (size 0x18c)
- w8 (size 0x1b0)
четверг, 29 ноября 2012 г.
wincheck rc8.32
Download mirror
Changelog:
Changelog:
- add dumping some internals of ci.dll (like g_CiOptions & g_CiKernelApis). Thanks to Alex Ionescu for this idea
- add dumping of BootEnvironmentInformation (5th dword from ExpBootEnvironmentInformation used in many interesting functions like SepIsMinTCB, he-he)
- add dumping of EPROCESS.SignatureLevel & EPROCESS.SectionSignatureLevel (w8 only)
- some bugs were fixed
суббота, 24 ноября 2012 г.
wincheck rc8.31
Download mirror
Changelog:
Changelog:
- fixed all places where -nopads option gave false positives (f.e. when need to check table/data instead of function address)
- fixed bad definition of NDIS_MINIPORT_INTERRUPT on w7 64bit
- fixed message "Unknown kernel ntoskrnl.exe, StartAddress 390, IrpList 3F0, StackLimit 30, StackBase 278". It seems that in w7 sp1 64bit somewhere between 6.1.7601.17514 & 6.1.7601.17944 structure ETHREAD was changed
- some bugs were fixed
пятница, 23 ноября 2012 г.
Algorithms Sequential and Parallel
This book is standard of "strategy of default". Some real quotes (page 211):
It should be noted that the running time of this algorithm can be reduced to O(log n log log n) by applying some techniques that are outside the scope of this text. In addition, the problem can also be solved by first sorting the elements in Θ(log n) time and then selecting the required element in Θ(1) time. This Θ(log n) time sorting routine is also outside the scope of this book. In fact, Θ(n) optimal-cost algorithms for the selection problem on a PRAM are known. These algorithms are also outside the scope of this text.What I must do if I really need this out of scope algos & techniques ?
вторник, 20 ноября 2012 г.
wincheck rc8.30
четверг, 15 ноября 2012 г.
wincheck rc8.29
Changelog:
- add g_CiEnabled & g_CiCallbacks checking
- add dumping of ole32.dll security info (gAuthnLevel etc) - works only for 32bit processes
- some bugs where fixed
How to Design Programs
I finished reading of this book today
IMHO it`s totally useless book in the same row with Design Patterns and Clean Code
IMHO it`s totally useless book in the same row with Design Patterns and Clean Code
- The book about recursive functions even does not refer to master theorem ! Epic fail
- It seems that functional style of thinking has some serious problems. For example task from chapter 41.3 can be easily solved without incapsulating list of cards inside closure - you just need to swap old first card to the second position:
(local ((define old-card (make-hand (hand-rank a-hand) (hand-suite a-hand) (hand-next a-hand))))
(begin (set-hand-rank! a-hand rank)
(set-hand-suite! a-hand suite)
(set-hand-next! a-hand old-card)))
- macros
- lazyness
- errors processing
- continuation
- hash tables
- etc etc
суббота, 3 ноября 2012 г.
вторник, 30 октября 2012 г.
четверг, 25 октября 2012 г.
wincheck rc8.28
понедельник, 22 октября 2012 г.
AVX/XOP instructions processor extender for IDA Pro
It was very surprising (for me) but even latest IDA Pro 6.3 advanced still does not support AVX and XOP instructions (just try to disasm bytes C5 F1 58 CA for example)
So I wrote a very simple processor extender plugin for decoding this instructions
Sources can be downloaded here
Prerequisites
IDA Pro 6.X with SDK. I think this plugin also can be built on v5.X
Visual Studio 2008
Details
Since I am too lazy I ripped all disasm tables from Bochs. I added a perl script parse.pl in data directory to generate bochs.inc file. You can generate bochs.inc with commands like
cd bochs-2.6\disasm
grep IA_AVX opcodes.inc > my
grep IA_XOP opcodes.inc >> my
grep IA_BMI opcodes.inc >> my
grep IA_FMA4 opcodes.inc >> my
grep IA_TBM opcodes.inc >> my
perl parse.pl -c my >bochs.inc
Plugin just registers hook_to_notification_point(HT_IDP, ...) and handles the following event_id:
So I wrote a very simple processor extender plugin for decoding this instructions
Sources can be downloaded here
Prerequisites
IDA Pro 6.X with SDK. I think this plugin also can be built on v5.X
Visual Studio 2008
Details
Since I am too lazy I ripped all disasm tables from Bochs. I added a perl script parse.pl in data directory to generate bochs.inc file. You can generate bochs.inc with commands like
cd bochs-2.6\disasm
grep IA_AVX opcodes.inc > my
grep IA_XOP opcodes.inc >> my
grep IA_BMI opcodes.inc >> my
grep IA_FMA4 opcodes.inc >> my
grep IA_TBM opcodes.inc >> my
perl parse.pl -c my >bochs.inc
Plugin just registers hook_to_notification_point(HT_IDP, ...) and handles the following event_id:
- custom_ana - uses bochs disasm to fill IDA Pro cmd structure
- custom_mnem - to supply instruction name
- custom_outop - it looks like currently IDA Pro doesn't have support for YMM registers, so I made a dirty hack - although comments in intel.hpp claims that XMM stored in op.o_idpspec5 actually they stored like any ordinal register in op->reg. So I added YMM to op->reg too but with op->dtyp == dt_ldbl
- fourth operand cannot be displayed. I don`t know if this is some internal IDA restriction or I made a mistake somewhere in my code
- ModRM is being displayed incorrectly sometimes
- no segment registers support
- debug version cannot be built
- vzeroupper & vzeroall both have instruction vzeroupper. Perhaps this is a bug in Bochs disasm
- probably over 9000 issues were left unnoticed yet
воскресенье, 21 октября 2012 г.
IDA Pro 6.3 SDK is broken ?
I try to build debug version of someplugin.plw and got following from Visual Studio 2008:
Linking...Btw release version building sucessfull
someplugin.obj : error LNK2001: unresolved external symbol _cmd
someplugin.obj : error LNK2001: unresolved external symbol _callui
someplugin.obj : error LNK2001: unresolved external symbol _ph
среда, 17 октября 2012 г.
pyside for ida pro 6.3
We evaluated both PySide and PyQt and found that both bindings work fine with IDA Pro 6.0Well, it`s good news
Bad news is that fresh versions of shiboken and pyside from git cannot be built for ida 6.3 and qt-4.8.1 anymore
Assume that we have open-source edition of qt-4.8.1 built using recommended options
I was able to build shiboken (see my patch below) but pyside just don`t work - see my reportconfigure -release -platform win32-msvc2008 -no-qt3support -qtnamespace QT
Patch for building of shiboken:
понедельник, 15 октября 2012 г.
wincheck rc8.27
Download mirror
Changelog:
Changelog:
- add PoRegisterPowerSettingCallback callbacks dumping (-pofx option)
- add checking of storport!StorportExtensionTable
- add dumping clients of \PowerPort & \PowerMonitorPort ALPC ports (-alpc option, since windows 7)
- some bugs were fixed
четверг, 11 октября 2012 г.
building dynamorio
Prerequisites
Visual Studio 2008
Cmake 2.8.9
WDK 7.1
Details
It seems that cmake support is broken in SVN source tree so I decided to describe how to build it with Visual Studio 2008 under windows xp 32bit
First you need to change NTDLL_LIBPATH in cmake to %WDKROOT%\lib\wxp\i386
Next you must add CMAKE_ASM_SUPPORTS_INTEL_SYNTAX boolean var to cmake and set it to TRUE
Now you can generate project for vs2008 but it will be broken anyway. So next you must add path to ntdll.lib to your visual studio. Open Tools->Options menu and add path to %WDKROOT%\lib\wxp\i386 in VC++ Directories->Library files
This is not end of story - it seems that custom rules for building .obj files from .s also broken, so you must compile it manually. Run Visual Studio 2008 command prompt and type
Visual Studio 2008
Cmake 2.8.9
WDK 7.1
Details
It seems that cmake support is broken in SVN source tree so I decided to describe how to build it with Visual Studio 2008 under windows xp 32bit
First you need to change NTDLL_LIBPATH in cmake to %WDKROOT%\lib\wxp\i386
Next you must add CMAKE_ASM_SUPPORTS_INTEL_SYNTAX boolean var to cmake and set it to TRUE
Now you can generate project for vs2008 but it will be broken anyway. So next you must add path to ntdll.lib to your visual studio. Open Tools->Options menu and add path to %WDKROOT%\lib\wxp\i386 in VC++ Directories->Library files
This is not end of story - it seems that custom rules for building .obj files from .s also broken, so you must compile it manually. Run Visual Studio 2008 command prompt and type
cd %dynamorio%\core
ml pre_inject_asm.s
ml x86_core.s
ml x86_noncore.s
copy pre_inject_asm.obj dynamorio.dir\Release
copy x86_core.obj drdecode.dir\Release
copy x86_core.obj dynamorio.dir\Release
copy x86_noncore.obj dynamorio.dir\Release
среда, 10 октября 2012 г.
PoRegisterPowerSettingCallback callbacks
This documented functions was introduced in Vista. Lets check how we can enum all registered callbacks
It seems that all callbacks are stored in linked list PopRegisteredPowerSettingCallbacks and synchronized with fast mutex PopSettingLock
Structure of callback record can be easy recovered from this code (ripped from vista):
It seems that all callbacks are stored in linked list PopRegisteredPowerSettingCallbacks and synchronized with fast mutex PopSettingLock
Structure of callback record can be easy recovered from this code (ripped from vista):
push 34h ; size_t
push 0 ; int
push ebx ; void *
call _memset
mov eax, [ebp+Callback]
mov [ebx+8], esi
mov esi, [ebp+SettingGuid]
lea edi, [ebx+14h] ; 0x14 IID
movsd
movsd
movsd
movsd
mov esi, [ebp+SettingGuid]
mov [ebx+28h], eax ; 0x28 Callback
mov eax, [ebp+Context]
add esp, 0Ch
mov [ebx+2Ch], eax ; 0x2C Context
mov eax, [ebp+DeviceObject]
push esi
mov [ebx+30h], eax ; 0x30 DeviceObject
вторник, 2 октября 2012 г.
wincheck rc8.26
Download mirror
Changelog:
Changelog:
- add -emp option to show EmProviderRegister/EmpProviderRegister callbacks
- add checking of PNP & Power dispatch tables in pci.sys
- more support for windows server 2012
- some bugs was fixed
среда, 26 сентября 2012 г.
EmProviderRegister/EmpProviderRegister callbacks
This two exported functions were introduces in vista and totally undocumented. I`ll show how to dump all installed Emp callbacks here.
Check first how they used - for example in apci.sys:
Clear enough - arg1 is pointer to some EmpEntries, arg2 is size of EmpEntries, arg3 is pointer to EmpCallbacks and arg4 is size of EmpCallbacks. Last arg returns registered HANDLE. Lets check how EmpEntries & EmpCallbacks look:
Check first how they used - for example in apci.sys:
push offset _AcpiEmProviderHandle
push 2 ; arg4
push offset _CallbackReg ; arg3
push 2 ; arg2
push offset _EntryReg ; arg1
push [ebp+arg_0]
call _EmProviderRegister
Clear enough - arg1 is pointer to some EmpEntries, arg2 is size of EmpEntries, arg3 is pointer to EmpCallbacks and arg4 is size of EmpCallbacks. Last arg returns registered HANDLE. Lets check how EmpEntries & EmpCallbacks look:
вторник, 25 сентября 2012 г.
wincheck rc8.25
Download mirror
Changelog:
Changelog:
- add some initial support of windows server 2012 rtm
- add -wnf option to show WNF notifiers
- some bugs was fixed
Common Lisp: A Gentle Introduction to Symbolic Computation
I finished reading this old (1989 !) but still cool book today. It is not so funny as "Land of Lisp" but it has code to play tic-tac-toe ! And I am really impressed bcs "classical" recursive factorial function was introduced only in the middle of books at page 237
I am not crazy enough to use emacs so for all code samples and exercises I used LispIDE and ecl. It seems that this combination is not officially supported but it works fine - you just need to choose right ecl2.exe in Settings->Set Lisp path menu. The only drawback is that DOCUMENTATION function doesn`t work in my ecl version
I am not crazy enough to use emacs so for all code samples and exercises I used LispIDE and ecl. It seems that this combination is not officially supported but it works fine - you just need to choose right ecl2.exe in Settings->Set Lisp path menu. The only drawback is that DOCUMENTATION function doesn`t work in my ecl version
суббота, 22 сентября 2012 г.
IDA loader of .dcu files from XE3
среда, 19 сентября 2012 г.
C++ Programming Language (4th Edition) - wtf ?
bug in "The Algorithm Design Manual", Second Edition ?
Сitation from subchapter 8.7.2 When are Dynamic Programming Algorithms Efficient? on page 315:
Let LP' [i, j, S] denote the longest simple path from i to j, where the intermediate vertices on this path are exactly those in the subset S. Thus, if S = {a, b, c}, there are exactly six pathsWait, if this is exponent we must have 2 ** 3 = 8 paths. But actually this is factorial ! Why Skiena claims that this is exponent ?
consistent with S: iabcj, iacbj, ibacj, ibcaj, icabj, and icbaj. This state space is at most 2**n, and thus smaller than enumerating the paths
пятница, 14 сентября 2012 г.
WNF notifiers
It seems that windows 8 has some new (undocumented as usually) mechanism to call user-mode code from kernel - WNF
There are several new exported functions in ntdll.dll related to it:
There are several new exported functions in ntdll.dll related to it:
- RtlAllocateWnfSerializationGroup
- RtlEqualWnfChangeStamps
- RtlPublishWnfStateData
- RtlQueryWnfMetaNotification
- RtlQueryWnfStateData
- RtlQueryWnfStateDataWithExplicitScope
- RtlRegisterForWnfMetaNotification
- RtlSubscribeWnfStateChangeNotification
- RtlTestAndPublishWnfStateData
- RtlUnsubscribeWnfNotificationWaitForCompletion
- RtlUnsubscribeWnfNotificationWithCompletionCallback
- RtlUnsubscribeWnfStateChangeNotification
- RtlWaitForWnfMetaNotification
- RtlWnfCompareChangeStamp
- RtlWnfDllUnloadCallback
- RtlpWnfNotificationThread - this one really called from kernel mode
- NtWaitForWnfNotifications
- NtUnsubscribeWnfStateChange
- NtUpdateWnfStateData
- NtSubscribeWnfStateChange
- NtQueryWnfStateData
- NtQueryWnfStateNameInformation
- NtDeleteWnfStateName
- NtDeleteWnfStateData
- NtCreateWnfStateName
понедельник, 10 сентября 2012 г.
wincheck rc8.24
суббота, 8 сентября 2012 г.
AVX structure
It seems that AVX has crazy structure. Obvious first step is order on opcode byte. Then for each opcode we need yet 4 tables for pp. Next for 66 prefix we need yet 3 tables for 0f, 0f38 & 0f3a. And anyway we have ambiguity:
- for W field: vmovd - 128.W0 vs vmovq - 128.W1
- for vvvv field: vmovss - NDS.LIG.WIG vs vmovss - LIG.WIG
- for L field: vzeroall - 256.WIG vs vzeroupper - 128.WIG
пятница, 7 сентября 2012 г.
AVX instructions
List was ripped from "Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2". AMD extensions and instructions with XOP prefix are not included
среда, 5 сентября 2012 г.
Gray Hat Python
I have finished reading of this slim book and I am really disappointed:
Why we still don`t have excellent books like "gray hat assembler", "bloody and dirty perl" or "haskell quantum physics lean and mean for dummies in 24 hours" ?
[sarcasm mode off]
- python sucks. The only reasons why I am still using it are NetworkX and PyKd
- CreateRemoteThread doesn`t work since vista times and I am sure this was known in 2009. Actually whole book is full of such little irritating things which just don`t work
- Immunity debugger & idapython were described very laconically
- PyEmu is sooooo sloooooow...
Why we still don`t have excellent books like "gray hat assembler", "bloody and dirty perl" or "
[sarcasm mode off]
вторник, 4 сентября 2012 г.
udis86 update
четверг, 30 августа 2012 г.
Inside Windows Debugging
Finished reading of this excellent book. A very good introduction for using windbg/appverifier/xperf. Although author don`t know about commands .pagein & !pool this books still contains lots of usefull debugging tricks:
- for wow64 debugging
- for .net debugging (like setting COMPLUS_HeapVerify & COMPLUS_GCStress environment vars)
- ntdll!g_dwLastErrorToBreakOn
- using xperf to capture stack traces (sadly works only since windows 7)
- and many others !
вторник, 21 августа 2012 г.
sprintf_s - wtf ?
Lets assume that we set some handler with LdrRegisterDllNotification and just dump all (un)loaded modules to log file. Access to this log is synchronized with critical section - lets name it LogFileCSection. Today I discovered that this simple scheme can lead to unpredictable deadlocks:
thread 1:
thread 1:
02fbd09c 77c88dd4 ntdll_77c50000!ZwWaitForSingleObject+0x15
02fbd100 77c88cb8 ntdll_77c50000!RtlpWaitOnCriticalSection+0x13e
02fbd128 6c4d6144 ntdll_77c50000!RtlEnterCriticalSection+0x150 ; waits on
LogFileCSection 02fbd1e0 6c4baf66 xxx!log_with_time+0x22
02fbd210 77cb76b8 xxx!my_notifier+0x36
02fbd240 77c8c74a ntdll_77c50000!LdrpSendDllNotifications+0x45
02fbd328 77c8c389 ntdll_77c50000!LdrpFindOrMapDll+0x735
02fbd4a8 77c8c4b5 ntdll_77c50000!LdrpLoadDll+0x2b2
02fbd4e0 759a1d2a ntdll_77c50000!LdrLoadDll+0xaa ; LdrpLoaderLock acquired
02fbd518 7741493c KERNELBASE!LoadLibraryExW+0x178
02fbd52c 6b268546 KERNEL32!LoadLibraryW+0x11
02fbd540 6b261404 IEFRAME!GetDloadFunction+0x20
02fbd55c 6b261623 IEFRAME!DwmSetWindowAttribute+0x2f
02fbd580 6b2615bd IEFRAME!CTabThumbnailHandler::_OnCreate+0x45
02fbd59c 6b2d7e17 IEFRAME!CTabThumbnailHandler::v_WndProc+0xa0
02fbd5c0 766c62fa IEFRAME!CImpWndProc::s_WndProc+0x65
02fbd5ec 766c6d3a USER32!InternalCallWinProc+0x23
02fbd664 766c6de8 USER32!UserCallWinProcCheckWow+0x109
02fbd6c0 766ca740 USER32!DispatchClientMessage+0xe0
02fbd700 77c6011a USER32!__fnINLPCREATESTRUCT+0x91
02fbd780 766ca8e8 ntdll_77c50000!KiUserCallbackDispatcher+0x2e
02fbda2c 766caa3c USER32!VerNtUserCreateWindowEx+0x1a9
02fbdae0 766c8a5c USER32!_CreateWindowEx+0x210
02fbdb1c 6b293892 USER32!CreateWindowExW+0x33
02fbdb5c 6b24ad22 IEFRAME!Detour_CreateWindowExW+0x6a
02fbdb9c 6b261adb IEFRAME!SHFusionCreateWindowEx+0x47
02fbdcec 6b2619f6 IEFRAME!CTabThumbnailHandler::_Initialize+0xc6
02fbdcfc 6b261118 IEFRAME!CTabThumbnailHandler::CreateInstance+0x3f
02fbdd2c 6b284a68 IEFRAME!CShellBrowser2::AfterWindowCreated+0x9c
02fbfe40 6b294f7a IEFRAME!CTabWindow::_TabWindowThreadProc+0x23c
02fbfef8 76215c2b IEFRAME!LCIETab_ThreadProc+0x2c1
02fbff08 774133ca iertutil!CIsoScope::RegisterThread+0xab
02fbff14 77c89ed2 KERNEL32!BaseThreadInitThunk+0xe
среда, 15 августа 2012 г.
wincheck rc8.23
понедельник, 13 августа 2012 г.
apisetschema.dll from w8 rtm
to compare with
Added modules:
Added modules:
- ms-win-ntuser-ie-caret-l1-1-0
- ms-win-ntuser-ie-gui-l1-1-0
- ms-win-ntuser-ie-keyboard-l1-1-0
- ms-win-ntuser-ie-mouse-l1-1-0
w8 rtm KiServiceTable
KiServiceLimit eq 0x1ad
Function NtSetSystemCodeIntegrityRoots was removed since release preview
Function NtSetSystemCodeIntegrityRoots was removed since release preview
суббота, 4 августа 2012 г.
MsgHookLister
Very cool tool to show windows hooks - with source code !
It seems that it using dbghelp.dll to download win32k.pdb and extract following symbols:
It seems that it using dbghelp.dll to download win32k.pdb and extract following symbols:
- ValidateHwnd
- gpresUser
- UserGetAtomName - why not NtUserGetAtomName ?
- aatomSysLoaded
- grpWinStaList
пятница, 27 июля 2012 г.
Ocaml 4.00
released
- Microsoft-based native Win32 port. No binary distribution available yet; download the source distribution and compile it.
- Microsoft-based native Win64 port. Same features as the Microsoft-based native Win32 port, but generates 64-bit code. No binary distribution available yet; download the source distribution and compile it.
среда, 25 июля 2012 г.
wincheck rc8.22
Download mirror
Changelog:
Changelog:
- add checking of various hypervisor callbacks
- add checking of netio!KfdRegisterLayerEventNotify callbacks (-ndis option)
- add checking of callback tables in Fwpkclnt.sys (-ndis option)
- some bugs was fixed
вторник, 24 июля 2012 г.
hypervisor callbacks in w8
There are couple of exported functions to set up some hypervisor related callbacks
HvlRegisterWheaErrorNotification
Set WHEA callback into global variable HvlpWheaErrorNotificationCallback
HvlRegisterInterruptCallback
Set up to 5 (in w8 release preview up to 8) callbacks in global array HvlpInterruptCallback. This callbacks are called in HvlRouteInterrupt:
HvlRegisterWheaErrorNotification
Set WHEA callback into global variable HvlpWheaErrorNotificationCallback
HvlRegisterInterruptCallback
Set up to 5 (in w8 release preview up to 8) callbacks in global array HvlpInterruptCallback. This callbacks are called in HvlRouteInterrupt:
- index 0 - from KiHvInterrupt
- index 1 - from KiVmbusInterrupt0
- index 2 - from KiVmbusInterrupt1
- index 3 - from KiVmbusInterrupt2
- index 4 - from KiVmbusInterrupt3
понедельник, 16 июля 2012 г.
netio!KfdRegisterLayerEventNotify
In windows 8 there is some another undocumented function to set callback inside netio.sys. Check it in disasm:
We can see here that gWfpGlobal contains at offset 0x2B8 5 elements with size 0xC (0x10 on x64) where stored pointer to callback function. Both gWfpGlobal and offset can be obtained with static analysis
mov edi, _gWfpGlobal
xor edx, edx
lea ecx, [edi+2B8h]
lea esp, [esp+0Ch+var_C]
loc_32314:
cmp dword ptr [ecx], 0
jnz short loc_32397
mov eax, [ebp+callback]
lea ecx, [edx+edx*2] ; * 3
mov [edi+ecx*4+2B8h], eax ; * 12
movzx ecx, [ebp+arg_4]
mov eax, _gWfpGlobal
lea edx, [edx+edx*2]
add edx, edx
add edx, edx
mov [edx+eax+2B4h], ecx
mov ecx, [ebp+arg_0]
mov eax, _gWfpGlobal
mov [edx+eax+2B0h], ecx
...
inc edx
add ecx, 0Ch
cmp edx, 5
jb loc_32314
We can see here that gWfpGlobal contains at offset 0x2B8 5 elements with size 0xC (0x10 on x64) where stored pointer to callback function. Both gWfpGlobal and offset can be obtained with static analysis
пятница, 13 июля 2012 г.
callback tables in Fwpkclnt.sys on w8
It seems that under w8 there are couple of undocumented exported functions called to set some callback tables - FwpsL2DispatchTableAndGlobalsSet0 & FwpsTcpIpDispatchTableAndGlobalsSet0:
Check for example FwpsTcpIpDispatchTableAndGlobalsSet0 in disasm:
We see here that arg_0 are copied to some variable which I named as TcpIpDispatchTable. It can easy be obtained with static analysis. FwpsL2DispatchTableAndGlobalsSet0 looks identical
Sample of output from w8 release preview:
Check for example FwpsTcpIpDispatchTableAndGlobalsSet0 in disasm:
mov edi, edi
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_0]
push edi
mov edi, TcpIpDispatchTable
push 2Ah
pop ecx
rep movsd
We see here that arg_0 are copied to some variable which I named as TcpIpDispatchTable. It can easy be obtained with static analysis. FwpsL2DispatchTableAndGlobalsSet0 looks identical
Sample of output from w8 release preview:
среда, 11 июля 2012 г.
usbshim kernel shim
New in w8 release preview, located in driver usbd.sys
GUID: FD8FD62E-4D94-4FC7-8A68-BFF7865A706B
Hooks IofCallDriver function
GUID: FD8FD62E-4D94-4FC7-8A68-BFF7865A706B
Hooks IofCallDriver function
вторник, 10 июля 2012 г.
wincheck rc8.21
Download mirror
Changelog:
Changelog:
- add new option -rdbss to dump rdbss registered devices
- add checking of NPI clients & providers (with -ndis option. It seems that don`t work on w8rp 64bit although)
- add checking of NsiRegisterChangeNotification(Ex) callbacks (with -ndis option)
- checking of ntdll!RtlpDebugPageHeapXXX handlers now works on 64bit
- some other bugs was fixed
netio!NsiRegisterChangeNotification(Ex)
This undocumented function set some callback for NSI providers. I`ll show how to find this registered callbacks. Quick look in disasm shows that this callbacks are stored somewhere deeply in structures linked in list with head in NsiNmpList, so lets check it with debugger:
It seems that first 2 pointers are LIST_ENTRY. Lets see some more samples:
kd> ? netio!NsiNmpList
Evaluate expression: -6184740751232 = fffffa60`00b97880
kd> dt _LIST_ENTRY fffffa60`00b97880
nt!_LIST_ENTRY
[ 0xfffffa60`00b974e8 - 0xfffffa80`03240408 ]
+0x000 Flink : 0xfffffa60`00b974e8 _LIST_ENTRY [ 0xfffffa80`0168e018 - 0xfffffa60`00b97880 ]
+0x008 Blink : 0xfffffa80`03240408 _LIST_ENTRY [ 0xfffffa60`00b97880 - 0xfffffa80`018ec738 ]
kd> dp fffffa60`00b974e8
fffffa60`00b974e8 fffffa80`0168e018 fffffa60`00b97880
fffffa60`00b974f8 fffffa60`00b8b530 00000000`00000001
fffffa60`00b97508 00000000`00000000 fffffa60`00b8ee28
fffffa60`00b97518 00000000`00000000 00000000`00000000
fffffa60`00b97528 00000000`00000000 00000001`000e0002
fffffa60`00b97538 fffffa60`00b97538 fffffa60`00b97538
fffffa60`00b97548 00000000`00000000 00000000`00000000
fffffa60`00b97558 00000000`00000000 00000000`00000100
kd> u fffffa60`00b8b530 l1
NETIO!NPI_MS_NSI_MODULEID:
fffffa60`00b8b530 1800 sbb byte ptr [rax],al
kd> u fffffa60`00b8ee28 l1
NETIO!NsipObjectProviderDispatch:
fffffa60`00b8ee28 0000 add byte ptr [rax],al
It seems that first 2 pointers are LIST_ENTRY. Lets see some more samples:
kd> !pool fffffa80`0168e018 2
Pool page fffffa800168e018 region is Nonpaged pool
*fffffa800168e000 size: d0 previous size: 0 (Allocated) *NMpc
Owning component : Unknown (update pooltag.txt)
kd> dp fffffa80`0168e018
fffffa80`0168e018 fffffa80`0189f3f8 fffffa60`00b974e8
fffffa80`0168e028 fffffa60`00b8b548 00000000`00000002
fffffa80`0168e038 fffffa80`0168d270 fffffa60`00b8ffc0
fffffa80`0168e048 00000000`00000000 fffffa80`0168d30c
fffffa80`0168e058 00000000`00000000 00000001`000e0002
fffffa80`0168e068 fffffa80`0168e068 fffffa80`0168e068
fffffa80`0168e078 00000000`00000000 00000000`00000000
fffffa80`0168e088 00000000`00000000 00000000`00000100
kd> u fffffa60`00b8b548 l1
NETIO!NPI_MS_NMR_MODULEID:
fffffa60`00b8b548 1800 sbb byte ptr [rax],al
kd> !pool fffffa80`0168d270 2
Pool page fffffa800168d270 region is Nonpaged pool
*fffffa800168d260 size: 50 previous size: 40 (Allocated) *RMcc
Owning component : Unknown (update pooltag.txt)
kd> u fffffa60`00b8ffc0 l1
NETIO!NmrfpNsiProviderDispatch:
fffffa60`00b8ffc0 0000 add byte ptr [rax],al
kd> !pool fffffa80`0168d30c 2
Pool page fffffa800168d30c region is Nonpaged pool
*fffffa800168d2b0 size: 80 previous size: 50 (Allocated) *NMRb
Pooltag NMRb : Network Module Registrar Bindings, Binary : tcpip.sys
...
kd> dp fffffa80`018d9d48
fffffa80`018d9d48 fffffa80`018e0cc8 fffffa80`018adde8
fffffa80`018d9d58 fffffa60`00f26f28 00000000`00000006
fffffa80`018d9d68 fffffa80`018d9c60 fffffa60`00f2b5f0
fffffa80`018d9d78 00000000`00000000 fffffa80`018d43fc
fffffa80`018d9d88 fffffa80`032f2b60 00000001`000e0002
fffffa80`018d9d98 fffffa80`018d9d98 fffffa80`018d9d98
fffffa80`018d9da8 fffffa80`029784c0 fffffa80`018d9de0
fffffa80`018d9db8 00000000`00000000 00000000`00000100
kd> u fffffa60`00f26f28 l1
tcpip!NPI_MS_IPV4_MODULEID:
fffffa60`00f26f28 1800 sbb byte ptr [rax],al
kd> u fffffa60`00f2b5f0 l1
tcpip!Ipv4NsiProviderDispatch:
fffffa60`00f2b5f0 0000 add byte ptr [rax],al
kd> !pool fffffa80`032f2b60 2
Pool page fffffa80032f2b60 region is Unknown
*fffffa80032f2b50 size: 280 previous size: 270 (Allocated) *NSIr
Pooltag NSIr : NSI Generic Buffers, Binary : nsi.dll
понедельник, 9 июля 2012 г.
воскресенье, 8 июля 2012 г.
Stupid question
There are some source code/samples for developing of system health agents/validators ?
пятница, 6 июля 2012 г.
NPI clients & providers
Some good introduction about NPI can be found here
The main question is how to enumerate all registered NPI clients & providers ? It seems that windbg does not have any plugin for netio.sys support
Lets check some code in disasm - function NmrpFindOrAddRegisteredNpiId called from NmrpGetModule & NmrpRegisterModuleAndGetBindableCandidates:
We (o`k, at least I) can see here that non exported data NmrRegisteredNpiIdTable used as hash table with 2 slots and store linked list to some other structure with size 0x30 byte. netio.pdb does not contain any usefull info besides names but recovering of this structure is easy:
So now we can traverse all NpiIdItem from both NmrRegisteredNpiIdTable slots and for each NpiIdItem also traverse clients & providers linked list.
Example from vista 32bit:
The main question is how to enumerate all registered NPI clients & providers ? It seems that windbg does not have any plugin for netio.sys support
Lets check some code in disasm - function NmrpFindOrAddRegisteredNpiId called from NmrpGetModule & NmrpRegisterModuleAndGetBindableCandidates:
mov esi, [ebp+arg_0]
mov ebx, [esi]
and ebx, 1 ; 2 items
imul ebx, 30h ; with length 0x30
add ebx, offset _NmrRegisteredNpiIdTable
loc_1D65B:
push esi
lea eax, [ebx+4] ; offset 4 - NpiId
push eax
call _NmrpIsEqualNpiId@8
test al, al
jnz short loc_1D6BE
mov [ebp+arg_0], ebx
mov ebx, [ebx]
test ebx, ebx
jnz short loc_1D65B
cmp [ebp+arg_4], bl
jz short loc_1D6BE
push 6E524D4Eh ; Tag - 'nRMN'
push 30h ; NumberOfBytes
push ebx ; PoolType
call ds:__imp__ExAllocatePoolWithTag@12
mov ebx, eax
test ebx, ebx
jz short loc_1D6BE
push edi
push 30h ; size_t
push 0 ; int
push ebx ; void *
call _memset
lea edi, [ebx+4] ; offset 4 - GUID NpiId
movsd
movsd
movsd
movsd
lea eax, [ebx+14h] ; offset 14 - list_entry
mov [eax+4], eax
mov [eax], eax
lea eax, [ebx+1Ch] ; offset 1C - list_entry
mov [eax+4], eax
mov [eax], eax
lea eax, [ebx+24h] ; offset 24 - list_entry
mov [eax+4], eax
mov [eax], eax
We (o`k, at least I) can see here that non exported data NmrRegisteredNpiIdTable used as hash table with 2 slots and store linked list to some other structure with size 0x30 byte. netio.pdb does not contain any usefull info besides names but recovering of this structure is easy:
struct NpiIdItem
{
/* win32 win64 offsets */
/* 0x0 0x0 */ NpiIdItem *Next;
/* 0x4 0x8 */ GUID Id;
/* 0x14 0x18 */ LIST_ENTRY clients;
/* 0x1c 0x28 */ LIST_ENTRY providers;
/* 0x24 0x38 */ LIST_ENTRY filters;
/* 0x2c 0x48 */ DWORD flags;
};
So now we can traverse all NpiIdItem from both NmrRegisteredNpiIdTable slots and for each NpiIdItem also traverse clients & providers linked list.
Example from vista 32bit:
четверг, 5 июля 2012 г.
rdbss registered devices
In exported function rdbss!RxRegisterMinirdr there is such code:
Freshly created device object was inserted in some unnamed LIST_ENTRY minidrd_list at offset 0xd4 and before was obtained fast mutex (also unnamed). All this data can be obtained with static analysis
Sample on w7 32bit:
mov esi, offset mutex
mov ecx, esi
call ds:__imp_@ExAcquireFastMutexUnsafe@4
mov eax, [ebp+DeviceObject]
mov ecx, dword_23B50
add eax, 0D4h
mov dword ptr [eax], offset minidrd_list
mov [eax+4], ecx
mov [ecx], eax
inc minidrd_cnt
Freshly created device object was inserted in some unnamed LIST_ENTRY minidrd_list at offset 0xd4 and before was obtained fast mutex (also unnamed). All this data can be obtained with static analysis
Sample on w7 32bit:
rbdss registered devs count: 3
[0] DevObj 85248020 DrvObj 8524F458 - \SystemRoot\system32\drivers\csc.sys
[1] DevObj 851D3A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
[2] DevObj 851D2A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
вторник, 3 июля 2012 г.
wincheck rc8.20
Download irusmirror
Changelog:
Changelog:
- add -kshims option to show registered kernel shims
- add checking of IoRegisterPriorityCallback callbacks
- add checking of PoRegisterCoalescingCallback callbacks (with -pofx option)
- add checking of http.sys!UlIoctlTable
- Add checking of TLS callbacks (in user mode)
- some other bugs was fixed
воскресенье, 1 июля 2012 г.
суббота, 30 июня 2012 г.
kernel shims in w8
It seems that windows 8 kernel now has some support for driver shims.
Exported functions to provide this functionality are:
KseRegisterShim called twice in ntoskrnl.exe with two shim descriptors:
Win7VersionLieShim
GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks RtlGetVersion & PsGetVersion functions
KseDsShim
GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
Hooks:
Exported functions to provide this functionality are:
- KseRegisterShim
- KseRegisterShimEx
- KseUnregisterShim
struct shim_descriptor
{
DWORD Size;
GUID *guid;
wchar_t *Name;
PVOID unk1;
PVOID HookDriverUntargeted; // func ptr
PVOID HookDriverTargeted; // func ptr
PVOID HookTab; // ptr to hooks descriptor table
};
KseRegisterShim called twice in ntoskrnl.exe with two shim descriptors:
Win7VersionLieShim
GUID: 3E28B2D1-E633-408C-8E9B-2AFA6F47FCC3
Hooks RtlGetVersion & PsGetVersion functions
KseDsShim
GUID: BC04AB45-EA7E-4A11-A7BB-977615F4CAAE
Hooks:
- IoCreateDevice
- PoRequestPowerIrp
- ExAllocatePoolWithTag
- ExFreePoolWithTag
- ExAllocatePool
- ExFreePool
среда, 27 июня 2012 г.
wincheck rc8.19
Download mirror
Changelog:
Changelog:
- Add -pofx option to dump & check plugins registered with PoFxRegisterPluginEx
- Add dumping w8 specific ETW trace callbacks (with -wmi option)
- ole32 channel hooks checking again works on w8 release preview
- Add checking of ole32!NdrOleExportForwardTable & ole32!NdrOleExportForwardTable
- Add checking of ntdll!RtlpDebugPageHeapXXX handlers (works only on 32bit processes)
- some other bugs was fixed
вторник, 26 июня 2012 г.
CoRegisterChannelHook in w8 consumer preview
Declared in ole32.dll as forwarded export to COMBASE.CoRegisterChannelHook
But combase.dll does not have such exported name, he-he
So wincheck cannot find some COM-related structures on w8 consumer preview. On w8 dev preview all work fine
But combase.dll does not have such exported name, he-he
So wincheck cannot find some COM-related structures on w8 consumer preview. On w8 dev preview all work fine
воскресенье, 24 июня 2012 г.
binary tree for multithread access
Task
I need some binary tree structure for concurrent access from multiple threads where some threads do searching and some other perform insert/delete operations. This structure must work both in kernel and user mode
Solutions
Lets add some sync primitive to each tree node - it is going to be SRWLock in user mode and EX_PUSH_LOCK in kernel mode. It`s clear that reader can acquire shared lock while writer will use exclusive one. Bcs order of locks always have to be the same - we need tree structure with top-down rebalancing (I hope this is right assumption). So lets see which kinds of trees allow such operations
I need some binary tree structure for concurrent access from multiple threads where some threads do searching and some other perform insert/delete operations. This structure must work both in kernel and user mode
Solutions
Lets add some sync primitive to each tree node - it is going to be SRWLock in user mode and EX_PUSH_LOCK in kernel mode. It`s clear that reader can acquire shared lock while writer will use exclusive one. Bcs order of locks always have to be the same - we need tree structure with top-down rebalancing (I hope this is right assumption). So lets see which kinds of trees allow such operations
- weight-balanced tree. Drawbacks: need to use floating point, so in kernel mode we must care about FPU context saving/restoring
- classical B-tree. I think there may be a problem with granularity - when node contains a big number of keys and we need to lock it exclusively - all search operations will be blocked from this node till the lowest level of its children
- red-black tree. Looks like it is a good candidate but sadly I cannot find implementation in plain C with top-down rebalancing :-(
generic access rights mapping in w8
Name | ObjectType | Read | Write | Execute | All |
---|---|---|---|---|---|
AlpcpPortMapping | AlpcPortObjectType | 20001 | 10001 | 0 | 1F0001 |
EtwpGenericMappingg | EtwpRealTimeConnectionObjectType | 2000D | 20062 | 20E90 | 20EFF |
ExpCallbackMapping | ExCallbackObjectType | 20000 | 20001 | 120000 | 1F0001 |
ExpCompositionSurfaceMapping | ExCompositionSurfaceObjectType | 20000 | 20000 | 20000 | F0000 |
ExpDesktopMapping | ExDesktopObjectType | 20000 | 20000 | 20000 | F0000 |
ExpEventMapping | ExEventObjectType | 20001 | 20002 | 120000 | 1F0003 |
ExpEventPairMapping | ExEventPairObjectType | 120000 | 120000 | 120000 | 1F0000 |
ExpMutantMapping | ExMutantObjectType | 20001 | 20000 | 120000 | 1F0001 |
ExpProfileMapping | ExProfileObjectType | 20001 | 20001 | 20001 | F0001 |
ExpSemaphoreMapping | ExSemaphoreObjectType | 20001 | 20002 | 120000 | 1F0003 |
ExpTimerMapping | ExTimerObjectType | 20001 | 20002 | 120000 | 1F0003 |
ExpWindowStationMapping | ExWindowStationObjectType | 20000 | 20000 | 20000 | F0000 |
ExpWnfNotificationMapping | 120001 | 2 | 1F0000 | 1F0013 | |
ExpWorkerFactoryMapping | ExpWorkerFactoryObjectType | 20008 | 20004 | 20003 | F00FF |
IopCompletionMapping | IoCompletionObjectType | 20001 | 20002 | 120000 | 1F0003 |
IopFileMapping | IoFileObjectType | 120089 | 120116 | 1200A0 | 1F01FF |
IopWaitCompletionMapping | IopWaitCompletionPacketObjectType | 20001 | 20001 | 20001 | F0001 |
MiSectionMapping | MmSectionObjectType | 20005 | 20002 | 20008 | F001F |
MiSessionMapping | MmSessionObjectType | 20001 | 20002 | 120001 | F0003 |
ObpDirectoryMapping | ObpDirectoryObjectType | 20003 | 2000C | 20003 | F000F |
ObpSymbolicLinkMapping | ObpSymbolicLinkObjectType | 20001 | 20000 | 20001 | F0001 |
ObpTypeMapping | ObpTypeObjectType | 20000 | 20000 | 20000 | F0001 |
PiAuLocalSystemSecurityMapping | 20000 | 20000 | 20000 | F0000 | |
PiAuSecurityObjectMapping | 20001 | 20042 | 20024 | F00FF | |
PopPowerRequestMapping | PopPowerRequestObjectType | 20000 | 20000 | 20000 | 1F0000 |
PspJobMapping | PsJobType | 20004 | 2000B | 120000 | 1F001F |
PspMemReserveMapping | 20001 | 20002 | 20000 | F0003 | |
PspProcessMapping | PsProcessType | 20410 | 20BEA | 121001 | 1FFFFF |
PspThreadMapping | PsThreadType | 20048 | 20437 | 120800 | 1FFFFF |
SepTokenMapping | SeTokenObjectType | 2001A | 201E0 | 20005 | F01FF |
StandardBitMapping | 20000 | 10D0000 | 100000 | 11F0000 | |
SystemContextGenericMapping | 20001 | 20000 | 20000 | 1F0001 | |
WmipGenericMapping | WmipGuidObjectType | 1 | 2 | 10 | 120FFF |
суббота, 23 июня 2012 г.
new TRACE_INFORMATION_CLASS in w8
The official documentation for WmiQueryTraceInformation says that TRACE_INFORMATION_CLASS has only 10 values. Although build date of this documentation is 6/11/2012 in reality there are some more values
- 0xB - return address of EtwpDiskIoNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
- 0xC - copy content of EtwpAllNotifyRoutines. TraceInformationLength eq 0xD * sizeof(PVOID) (on w8 consumer preview size must be 0xE * sizeof(PVOID))
- 0xD - return address of EtwpFltIoNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
- 0xE - return address of EtwpTraceHypervisorStackwalk function. TraceInformationLength eq sizeof(PVOID)
- 0xF - copy address of EtwpWdfNotifyRoutines. TraceInformationLength eq sizeof(PVOID)
пятница, 22 июня 2012 г.
How to find IopRootDeviceNode
using static analysis only ?
Lets see
xp/w2k3/vista
From exported function IoPnPDeliverServicePowerNotification:
KeWaitForSingleObject called only one time in whole code graph of this function
Lets see
xp/w2k3/vista
From exported function IoPnPDeliverServicePowerNotification:
lea eax, [esp+38h+Object]
push eax ; Object
call _KeWaitForSingleObject@20
cmp [esp+28h+var_20], ebx
jge short loc_64963A
lea eax, [esp+28h+var_18]
push eax
push [esp+2Ch+var_1C]
mov eax, _IopRootDeviceNode
push dword ptr [eax+0B8h]
push [ebp+arg_0]
call _PnpSetPowerVetoEvent@24
KeWaitForSingleObject called only one time in whole code graph of this function
суббота, 16 июня 2012 г.
Sublime Text 2
Installed today this nice editor. One minor problem is that it does not have support of Asm from the box. Google search gives link to x86-assembly-textmate-bundle but it seems that it was made only for 32bit with GAS syntax. So I made patch for it - add more registers, instructions and some keywords from yasm/nasm
Result:
Patch
Result:
Patch
пятница, 15 июня 2012 г.
wincheck rc8.18
понедельник, 11 июня 2012 г.
суббота, 9 июня 2012 г.
!alpc /lpc
First - this command don`t work on vista:
Second - I think it just don`t work
lkd> !object \Sessions\1\Windows\SbApiPort
Object: 89c40ed0 Type: (82b6fed0) ALPC Port
ObjectHeader: 89c40eb8 (old version)
HandleCount: 1 PointerCount: 4
Directory Object: 8fe397e0 Name: SbApiPort
lkd> !alpc /lpc 89c40ed0
Error querying field CommunicationInfo of structure nt!_ALPC_PORT at 89c40ed0
Port @89c40ed0 is not a connection port.
Second - I think it just don`t work
пятница, 8 июня 2012 г.
windows internals 6th edition
page 271:
page 590:
List of other erratas
Compile-time hotpatching support works by adding 7 additional bytes to the beginning of each function—4 are considered part of the end of the previous function, and 2 are part of the function prolog—that is, the function’s beginning.4 + 2 = 6. I double checked with calc.exe, he-he
page 590:
In the next chapter, we’ll look at the I/O system.Next (7th) chapter has name Networking
List of other erratas
среда, 6 июня 2012 г.
wincheck rc8.17
Download mirror
Changelog:
Changelog:
- Add initial support of windows 8 release preview. pdb for 32bit win32k.sys is still unavailable so all win32k related checks do not work. Also I am sure that this version is very far from full support of w8 release preview (although it is much better than rc8.16 which just crashes on w8 rp)
- Add -acpi option to check some ACPI tables
- Fixed Etw structures for wow64 apps
вторник, 5 июня 2012 г.
воскресенье, 3 июня 2012 г.
суббота, 2 июня 2012 г.
пятница, 1 июня 2012 г.
Windows 8 Release Preview
понедельник, 28 мая 2012 г.
Building ecl 12.5.1 for win64
It seems that current support of win64 is broken - you can only set GMP_TYPE to gc (although gmp has right project in msvc\gmp\build.vc8\lib_gmp_amd64) and anyway building ends with following error:
So I made set of patches to build ecl on win64
cl -c /EHsc /DGC_DLL /DGC_BUILD /nologo /D_CRT_SECURE_NO_DEPRECATE /DNDEBUG /MD /O2 /arch:SSE2 -DG
ECL_API="__declspec(dllexport)" -I./ -I../ -I..\..\src\c -I..\..\src/gc/include -I..\..\src/gc/include/pr
umber.obj number.c
cl : Command line warning D9002 : ignoring unknown option '/arch:SSE2'
number.c
../../src/c/number.d(479) : error C4235: nonstandard extension used : '__asm' keyword not supported on this architecture
../../src/c/number.d(479) : error C2065: 'fwait' : undeclared identifier
../../src/c/number.d(497) : error C4235: nonstandard extension used : '__asm' keyword not supported on this architecture
../../src/c/number.d(497) : error C2065: 'fwait' : undeclared identifier
NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\amd64\cl.EXE"' : re
'0x2'
Stop.
So I made set of patches to build ecl on win64
суббота, 26 мая 2012 г.
dcu files loader for ida pro v2
Download
Changelog:
Changelog:
- Initial support for 64bit DCU files from XE2 added. dcu64.l64 now can load at least some files, he-he
- Changed logic that calculates size of .bss section. Now if size of some type is not known (for example it is imported from other .dcu) code just assumes that it has pointer size
- Reloc type 6 processing (xe2 specific ?) fixed
пятница, 25 мая 2012 г.
ecl 12.5.1 on xp64
I tried today to build subj with vs2008 on xp 64 bit and got error:
;;; Invoking external command:Stack trace:
;;; cl -I. -IC:/src/ecl/msvc/ -DECL_API -IC:/src/ecl/msvc/c /EHsc /DGC_DLL /DGC_BUILD /nRT_SECURE_NO_DEPRECATE /Zi /D_DEBUG /MDd /Od -DGC_BUILD -w -c C:/src/ecl/msvc/lsp/export.c -FoC:/sched/msvc/lsp/export.obj
Internal or unrecoverable error in:
illegal stream mode
вторник, 22 мая 2012 г.
wincheck rc8.16
Download mirror
Changelog:
Changelog:
- add -rdata option for checking .rdata sections. These sections must be non-discardable and their names cannot begin with PAGE. Kernel-mode only
- add checking of kernelbase!KernelBaseGlobalData functions pointers (windows 7 only)
- add checking of SSPI dispatcher tables (called from SECPKG_FUNCTION_TABLE.CallPackage function)
- add checking of dxg!gaDxgFuncs table
- fixed function names in W32pServiceTable for windows 8 64bit
воскресенье, 20 мая 2012 г.
пятница, 18 мая 2012 г.
w8 64bit kernel object types
Added since windows 7:
- ExCompositionSurfaceObjectType
- ExpIRTimerObjectType
- IopWaitCompletionPacketObjectType
среда, 16 мая 2012 г.
ecl.dll
I already claimed that ecl.dll crashes when loaded from .dll in ecl.dll!_GC_init_thread_local(). So finally I know why. Short answer - bcs it contains static TLS and so cannot be loaded with LoadLibrary:
On Windows operating systems before Windows Vista, __declspec( thread ) has some limitations. If a DLL declares any data or object as __declspec( thread ), it can cause a protection fault if dynamically loaded. After the DLL is loaded with LoadLibrary, it causes system failure whenever the code references the __declspec( thread ) data. Because the global variable space for a thread is allocated at run time, the size of this space is based on a calculation of the requirements of the application plus the requirements of all the DLLs that are statically linked. When you use LoadLibrary, you cannot extend this space to allow for the thread local variables declared with __declspec( thread )Problem is that thread_local_alloc.c (where located function GC_init_thread_local) MUST be used bcs it required for elc threads. And you just cannot build ECL without threads support - msvc\Makefile contains following astounding lines:
# Currently it is NOT SUPPORTED to build ECL without threads. The reasonWonderful
# is that certain exception handlers in Windows always use new threads.
воскресенье, 13 мая 2012 г.
wincheck rc8.15
Download mirror
Changelog:
Changelog:
- add -timp option to show threads with some impersonation tokens
- Add NDIS OID handlers checking
- Add TcpOffloadHandlers checking
- Lots of meaningful fields of NDIS protocols/minidrivers/miniports was added to dump (vista/windows 7/windows 8 specific mostly)
- Add dumping of NDIS interrupts (you must use both -ndis & -idt options)
- Add dumping of WheapErrorSourceInitializer (vista only)
- Fixed win32k callout on windows8
- Some other bugs was also
addedfixed
среда, 9 мая 2012 г.
dcu files loader for ida pro
Supports 32bit dcu files from
This is not open source. No warranty. No support. No stupid questions
- Delphi 2007 (v12)
- Delphi 2009 (v14)
- Delphi 2010 (v15)
- Delphi XE (v16)
- Delphi XE2 (v17)
- perhaps some more necrophilous versions too - I didn`t check
- work improperly. I know at least 2 files from xe/xe2 debug library which cannot be parsed and loaded
- harm your computer
- damage your brain
- destroy your poor life
- etc etc
This is not open source. No warranty. No support. No stupid questions
суббота, 5 мая 2012 г.
Programming Windows Security
Reading this old but still good book I stumbled upon this code sample:
Can you see handles leakage here ?
HANDLE getEffectiveToken(
DWORD dwDesiredAccess,
BOOL bWantlmpToken,
SECURITY_IMPERSONATION_LEVEL impLevel)
{
HANDLE htok;
// Try to get thread token
if (OpenThreadToken(GetCurrentThread(), dwDesiredAccess, TRUE, &htok))
{
return htok;
}
else if (ERROR_NO_TOKEN == GetLastError())
{
// No thread tokens, we must get process token
DWORD grfAccess = bWantlmpToken ?
TOKEN_DUPLICATE : dwDesiredAccess;
if (OpenProcessToken(GetCurrentProcess(), grfAccess, &htok))
{
if (bWantImpToken)
{
// convert primary to impersonation token
HANDLE htokImp;
if (!DuplicateTokenEx(htok, dwDesiredAccess, 0,
impLevel, TokenImpersonation, &htokImp))
{
htokImp = 0;
}
CloseHandle(htok);
return htokImp;
}
else
{
return htok;
}
}
}
return 0;
}
BOOL WINAPI CheckTokenMembership(HANDLE TokenHandle,
PSID SidToCheck, PBOOL IsMember)
{
// if no token was passed, CTM uses the effective
// security context (the thread or process token)
if (!TokenHandle)
{
TokenHandle = getEffectiveToken(
TOKEN_QUERY, TRUE, SecurityIdentification);
}
if (!TokenHandle) return FALSE;
... // irrelevant code skipped
return AccessCheck(&sd, TokenHandle, 1, &gm, &ps, &cb, &ga, IsMember);
}
Can you see handles leakage here ?
пятница, 4 мая 2012 г.
понедельник, 30 апреля 2012 г.
process token hijaqing
I was asked yesterday - wincheck now is able to detect only process token hijaqed from system process but what if somebody want to steal token of some other privileged process ?
I think it`s easy to detect from wincheck log with some simple perl script like this one:
I think it`s easy to detect from wincheck log with some simple perl script like this one:
#!perl -w
# Lame script to check processes token hijaq
# 30 Apr 2012 (C) RedPlait
use strict; use warnings; sub parse { my $fname = shift; my %hdb; my($fh, $str, $pid, $token); open($fh, '<', $fname) or die("Cannot open $fname, error $!"); while( $str = <$fh> ) { chomp $str; next if ( $str !~ /Process PID (\d+) token: (.*)$/ ); $pid = int($1); $token = $2; if ( exists $hdb{$token} ) { printf("Process %d has the same token as %d !\n", $pid, $hdb{$token}); } else { $hdb{$token} = $pid; } } close $fh; } parse $_ foreach @ARGV;
среда, 25 апреля 2012 г.
lpdm.plw
wincheck can (with -dump_patched option) dump patched sections of loaded drivers. You get two files for each section. Lets assume that there are patched bytes in section PAGE inside driver evildrv.sys. In this case your dump includes these files:
Since I am too lazy so I wrote simple plugin lpdm for IDA Pro (for 5.x version) which
You can download lpdm plugin (for idag & idag64) from here
- evildrv.sysPAGE.kmem - actual content of PAGE section from memory
- evildrv.sysPAGE.orig - relocated content of PAGE section from disk
Since I am too lazy so I wrote simple plugin lpdm for IDA Pro (for 5.x version) which
- load .kmem file
- relocates it to image base currently used in your .idb. You'll need original PE file (evildrv.sys in this case) of course, not only .idb
- load only patched bytes
FFFFF880070EA000:70000 flags 49104000 LoadCount 1 \SystemRoot\system32\drivers\evildrv.sys
You can download lpdm plugin (for idag & idag64) from here
понедельник, 23 апреля 2012 г.
wincheck rc8.14
Download mirror
Changelog:
Changelog:
- Add -ext option for dumping of tables registered with ExRegisterExtension function (since windows 7)
- Fixed format of NDIS_M_DRIVER_BLOCK for vista, windows 7 & windows 8. Also now in dump presents non-empty structure NDIS_CO_CALL_MANAGER_OPTIONAL_HANDLERS
- Fixed format of WFP callouts on windows 7 32bit
- Fixed bug in processing of bad PE files
- Some other bugs was also fixed
пятница, 20 апреля 2012 г.
четверг, 19 апреля 2012 г.
вторник, 17 апреля 2012 г.
Simda.gen!A
wincheck -ndis said:
on 7 of 19 OpenBlocks.
Btw MS Forefront was unable to cure infected machine - it just completely removed acpi.sys and windows didn`t boot anymore, he-he
OpenBlock [1] 8AB7D868
RootName: \DEVICE\{ABEB65C6-0636-48CF-81DC-4C0282FB061A}
BindName: \DEVICE\{ABEB65C6-0636-48CF-81DC-4C0282FB061A}
Flags: 1
SendHandler: 8A7A74F0 UNKNOWN
WanSendHandler: 8A1A0398 UNKNOWN
TransferDataHandler: 8A3259E0 UNKNOWN
SendCompleteHandler: 8A1BA3C0 UNKNOWN
TransferDataCompleteHandler: 8A2B4458 UNKNOWN
ReceiveHandler: A8B68AC6 \SystemRoot\system32\DRIVERS\ndisuio.sys
ReceiveCompleteHandler: 00000000
WanReceiveHandler: A8B689A6 \SystemRoot\system32\DRIVERS\ndisuio.sys
RequestCompleteHandler: 8A672880 UNKNOWN
ReceivePacketHandler: 8A331340 UNKNOWN
SendPacketsHandler: B9E20B65 NDIS.sys
ResetHandler: B9E1D8C7 NDIS.sys
RequestHandler: A8B6899E \SystemRoot\system32\DRIVERS\ndisuio.sys
ResetCompleteHandler: A8B689C8 \SystemRoot\system32\DRIVERS\ndisuio.sys
StatusHandler: A8B68AC6 \SystemRoot\system32\DRIVERS\ndisuio.sys
StatusCompleteHandler: 00000000
on 7 of 19 OpenBlocks.
Btw MS Forefront was unable to cure infected machine - it just completely removed acpi.sys and windows didn`t boot anymore, he-he
wincheck rc8.13
воскресенье, 15 апреля 2012 г.
Installed windows 8 server build 8250
You can get it here
Good news:
Good news:
- It can be installed on Virtual Box with 1Gb RAM & 32Gb of disk
- It has less crazy GUI (not metro useless panes)
- wincheck works on it
sometimes - you can still install windbg from wdk7 on it
- no "start" button anyway
- IE10 cons preview with paranoid "server" settings
- I am unable to open its install.wim image
суббота, 7 апреля 2012 г.
who writes linux
over 75% of all kernel development is demonstrably done by developers who are being paid forProof
their work
Also wonderful:
Microsoft - 688 patchesHe-he
wincheck rc8.12
Download mirror
Changelog:
Changelog:
- Add checking of PlugPlayHandlerTable
- Fixed BSOD on w2k3 32bit
- some other bugs was also fixed
среда, 4 апреля 2012 г.
reactos sources lie
Let`s see for example RPC_RegisterChannelHook function code. We have to look at channel_hook_entry undocumented structure:
O`k, lets check its disasm code (it was taken from xp sp2 32bit):
Looks good so far - the size of channel_hook_entry is really 0x18 bytes.
As you can see the real channel_hook_entry has completely different layout:
I am sure that all code of reactos was made using reversing engeneering so this misrepresentations was introduced intentionally. Believe me it is not first time when reactos sources lie. Actually any undocumented internal structures in reactos either have wrong fields layout or monstrously incomplete
/* offset 0x0 */ struct list entry;
/* offset 0x4 */ GUID id;
/* offset 0x14 */ IChannelHook hook;
/* Size 0x18 */
O`k, lets check its disasm code (it was taken from xp sp2 32bit):
push 18h ; dwBytes
push 0 ; dwFlags
push ?g_hHeap@@3PAXA ; int
call ?pfnHeapAlloc@@3P6GPAXPAXKK@ZA ; PrivHeapAlloc(void *,ulong,ulong)
Looks good so far - the size of channel_hook_entry is really 0x18 bytes.
mov esi, [ebp+ExtensionUuid]
mov eax, [ebp+pChannelHook]
lea edi, [ebx+8] ; GUID located at offset 0x8
movsd
movsd
movsd
movsd
mov [ebx+4], eax ; store
pChannelHook at offset 0x4
mov eax, ?gHookList@@3USHookList@@A
[ebx], eax ; put ptr to prev list item
As you can see the real channel_hook_entry has completely different layout:
/* offset 0x0 */ struct list entry;
/* offset 0x4 */ IChannelHook hook;
/* offset 0x8 */ GUID id;
/* Size 0x18 */
I am sure that all code of reactos was made using reversing engeneering so this misrepresentations was introduced intentionally. Believe me it is not first time when reactos sources lie. Actually any undocumented internal structures in reactos either have wrong fields layout or monstrously incomplete
вторник, 3 апреля 2012 г.
Hex-Rays Newsletter
Promised features in version 6.3:
- source-level debugging (experimental, requires PDB with private symbols)
- trace replayer
- page-level breakpoints (arbitrarily-sized memory breakpoints implemented using page permissions) for Win32 and Linux
- .net file loader for Linux and OS X
- improved FLIRT signatures
- new processor modules: M16C, TMS320C1, unSP; new instructions for PPC, MIPS
- WinCE debugger over TCP/IP with debugging possible from Linux/OS X
- decompiler: more intrinsics, cached decompilation results, data initializers, and more...
понедельник, 2 апреля 2012 г.
воскресенье, 1 апреля 2012 г.
суббота, 31 марта 2012 г.
NtPlugPlayControl
This poorly documented function can serves as silently communication channel between UM & KM. Let see how it works (code was borrowed from w8 dev preview 64bit)
The main problem with this code is that it calls function by pointer which located in writable PAGEDATA section. Also this section is not checking by PatchGuard. So you can rewrite some unused handler (and perhaps length of PnPControlDataLength) and call PnPControlClass with patched PnPControlClass to pass some data to code in KM.
Actually there is a lot of unused entries in PlugPlayHandlerTable - on w8 dev preview it contains only 8 handlers:
cmp r15d, 17h ; check
PnPControlClass
jnb loc_1405C73D5 ; return STATUS_INVALID_PARAMETER_1
mov r14, r15
lea rcx, PlugPlayHandlerTable ; located in writable PAGEDATA section
shl r14, 4 ; PnPControlClass << 4
add r14, rcx ; get record describing this
PnPControlClass
cmp [r14], r15d ; field at offset 0 -
PnPControlClass
jnz loc_1405C73CB ; return STATUS_INTERNAL_ERROR
test r14, r14 ; I don`t know for what this paranoid check
jz loc_1405C73D5 ; return STATUS_INVALID_PARAMETER_1
cmp qword ptr [r14+8], 0 ; Gotcha ! This is pointer to function
jz loc_1405C7304 ; return STATUS_NOT_IMPLEMENTED
cmp [r14+4], ebp ; field at offset 4 - PnPControlDataLength
jnz loc_1405C730E ; return STATUS_INVALID_PARAMETER_MIX
...
mov r8d, ebp ; PnPControlDataLength
mov rdx, rbx ; PnPControlData
mov ecx, r15d ; PnPControlClass
call qword ptr [r14+8] ; call handler by pointer
The main problem with this code is that it calls function by pointer which located in writable PAGEDATA section. Also this section is not checking by PatchGuard. So you can rewrite some unused handler (and perhaps length of PnPControlDataLength) and call PnPControlClass with patched PnPControlClass to pass some data to code in KM.
Actually there is a lot of unused entries in PlugPlayHandlerTable - on w8 dev preview it contains only 8 handlers:
- PiControlStartDevice for code 4
- PiControlQueryAndRemoveDevice for code 6
- PiControlGetPropertyData for code 0xA
- PiControlGetRelatedDevice for code 0xC
- PiControlGetSetDeviceStatus for code 0xE
- PiControlGetDeviceDepth for code 0xF
- PiControlQueryDeviceRelations for code 0x10
- PiControlQueryConflictList for code 0x12
wincheck rc8.11
среда, 28 марта 2012 г.
EtwEventRegister on w8 consumer preview
I described already organization of internal data structures for this function on vista/windows 7
Unfortunately on windows 8 consumer preview all was changed.
Now all registered items storing in red-black tree whose root placed in EtwpRegistrationTable
Some excerpts from ntdll.pdb:
Node of this tree looks like
As usually we can partially recover event registrations structure from function EtwpAllocateRegistration.I intentionally omitted unimportant details:
As before Type eq 3 if this item was allocated from function EtwEventRegister and 2 if from EtwRegisterTraceGuids[AW]
All operations on EtwpRegistrationTable must be synchronized with SRW lock EtwpProvLock
Sample of output on w8 64bit (deep-first traversing of tree was used):
Unfortunately on windows 8 consumer preview all was changed.
Now all registered items storing in red-black tree whose root placed in EtwpRegistrationTable
Some excerpts from ntdll.pdb:
struct _RTL_RB_TREE {
struct _RTL_BALANCED_NODE* Root;
struct _RTL_BALANCED_NODE* Min;
};
Node of this tree looks like
struct _RTL_BALANCED_NODE {
struct _RTL_BALANCED_NODE* Left;
struct _RTL_BALANCED_NODE* Right;
unsigned long ParentValue;
};
As usually we can partially recover event registrations structure from function EtwpAllocateRegistration.I intentionally omitted unimportant details:
struct EtwRegEntry_w8cons
{
/* Win32 Win64 - offsets */
/* 0x0 0x0 */ struct _RTL_BALANCED_NODE Node;
/* Etw reg entry */
/* 0xC 0x20 */ GUID ProviderId;
/* 0x28 0x48 */ PVOID InternalCallback;
/* 0x2C 0x50 */ PVOID CallbackContext;
/* 0x34 0x5C */ WORD Index;
/* 0x36 0x5E */ WORD Type;
};
As before Type eq 3 if this item was allocated from function EtwEventRegister and 2 if from EtwRegisterTraceGuids[AW]
All operations on EtwpRegistrationTable must be synchronized with SRW lock EtwpProvLock
Sample of output on w8 64bit (deep-first traversing of tree was used):