Wednesday, 18 December 2013


I played a bit today with this disasm library (BSD license) and I should note that it is currently virtually unusable:
  1. the size of libcapstone.so is 6.5Mb, and even if you remove arch/Mips, arch/AArch64 and arch/ARM from the Makefile the size of libcapstone.so is still 3.5Mb. Just to compare: the size of libudis86.a on the same machine is only 452Kb
  2. with udis86 you can easily remove the tables with mnemonics (for example, they are useless in code analyzers), but this is hard to do with capstone: every arch/mapping.c file contains a mix of register names, mnemonic tables and insn_map structures
  3. X86GenDisassemblerTables.inc has a size of 37Mb! The authors claim "That is the price to pay for good performance". Perhaps, but 37Mb is too much IMHO
  4. It also seems that it is very hard to build a library that will fill the cs_x86 structure and does not contain references to xprintf or other CRT functions (for example, if you plan to use this library in a kernel-mode driver)

Monday, 16 December 2013

ida 6.5

PC: handle code sequences which load imagebase value into a temporary register (common in x64 Windows code)
Yeah, finally I don't need to recompile my plugin wpic64 for each new IDA version

added win8_um.til and wdk8_km.til for Windows8 WDK (user and kernel mode headers)
He-he. How about WdfFunctions?

Thursday, 24 October 2013

Saturday, 19 October 2013

Tuesday, 1 October 2013

llvm 3.3 - wtf?

It was built under XP 64-bit with Visual Studio 2010, and I got:
30>  Testing Time: 106.52s
30>  ********************
30>  Failing Tests (32):
30>      LLVM :: CodeGen/ARM/lsr-scale-addr-mode.ll
30>      LLVM :: CodeGen/X86/rodata-relocs.ll
30>      LLVM :: Linker/2003-08-24-InheritPtrSize.ll
30>      LLVM :: Linker/2008-03-05-AliasReference2.ll
30>      LLVM :: Linker/2008-07-06-AliasFnDecl2.ll
30>      LLVM :: Linker/2008-07-06-AliasWeakDest2.ll
30>      LLVM :: Linker/2009-09-03-mdnode2.ll
30>      LLVM :: Linker/2011-08-04-DebugLoc2.ll
30>      LLVM :: Linker/2011-08-04-Metadata2.ll
30>      LLVM :: Linker/2011-08-18-unique-class-type2.ll
30>      LLVM :: Linker/2011-08-18-unique-debug-type2.ll
30>      LLVM :: Linker/2011-08-22-ResolveAlias2.ll
30>      LLVM :: Linker/DbgDeclare2.ll
30>      LLVM :: Linker/available_externally_b.ll
30>      LLVM :: Linker/linkmdnode2.ll
30>      LLVM :: Linker/linknamedmdnode2.ll
30>      LLVM :: Linker/metadata-b.ll
30>      LLVM :: Linker/module-flags-1-b.ll
30>      LLVM :: Linker/module-flags-2-b.ll
30>      LLVM :: Linker/module-flags-3-b.ll
30>      LLVM :: Linker/module-flags-4-b.ll
30>      LLVM :: Linker/module-flags-5-b.ll
30>      LLVM :: Linker/module-flags-6-b.ll
30>      LLVM :: Linker/module-flags-7-b.ll
30>      LLVM :: Linker/module-flags-8-b.ll
30>      LLVM :: Linker/partial-type-refinement-link.ll
30>      LLVM :: Linker/testlink2.ll
30>      LLVM :: Linker/unnamed-addr1-b.ll
30>      LLVM :: Linker/visibility2.ll
30>      LLVM :: MC/MachO/gen-dwarf-producer.s
30>      LLVM :: Transforms/ArgumentPromotion/byval-2.ll
30>      LLVM :: Transforms/LoopSimplify/indirectbr.ll
30>    Expected Passes    : 8274
30>    Expected Failures  : 52
30>    Unsupported Tests  : 264
30>    Unexpected Failures: 32

Is it "normal"?

Tuesday, 24 September 2013

msbuild 4.0 debugger

Just patch the registry:
c:\windows\system32\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\4.0" /v DebuggerEnabled /d true
and for syswow64:
c:\windows\syswow64\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\4.0" /v DebuggerEnabled /d true

Friday, 6 September 2013

clang and msbuild integration

Chapter 12 of "Inside the Microsoft Build Engine" describes how you can add the mingw toolchain to msbuild (Visual Studio 2010 and newer versions).
So I was very glad to see this patch. But it seems that it contains nothing useful and just doesn't work!
I wonder if there is some way to integrate clang with msbuild. Did I miss something?

Tuesday, 3 September 2013

crc32 binding for perl

I am tired of calculating thousands of crc32 hashes of exported functions, so today I made a crc32 binding for Perl.
Sample of using:
my $val = crc::my_crc32("GetProcAddress"); # 0xC97C1FFF

or even inside IDA Pro:
use IDA;
use crc;

# read a NUL-terminated ASCII string starting at $addr
sub form_ascii
{
  my $addr = shift;
  my $res = '';
  my $c;
  while( $c = Byte($addr++) )
  {
    $res .= chr($c);
  }
  return $res;
}

printf("%X\n", crc::my_crc32(form_ascii(ScreenEA())));

This binding uses SWIG.
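As an added illustration (not part of the original post or of the crc binding), here is the same workflow in Python: a table-driven CRC-32 with the standard zlib polynomial, a hash-to-name table built from export names, and the NUL-terminated string read that form_ascii does with Byte() in IDA. It assumes standard CRC-32 parameters, which the page's crc::my_crc32 may or may not use, and the export list is constructed.

```python
import zlib

CRC32_POLY = 0xEDB88320  # reflected IEEE 802.3 polynomial, as used by zlib


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC32_TABLE = _make_table()


def crc32(data: bytes) -> int:
    """Standard CRC-32: init 0xFFFFFFFF, table lookup per byte, final xor 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = CRC32_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written table against zlib's reference implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def read_cstring(buf: bytes, offset: int) -> bytes:
    """Bytes from offset up to the first NUL: what form_ascii() does with Byte() in IDA."""
    end = buf.find(b"\x00", offset)
    return buf[offset:] if end < 0 else buf[offset:end]


def build_hash_table(export_names):
    """Map crc32(name) -> [names]; a list, so a collision is never silently lost."""
    table = {}
    for name in export_names:
        table.setdefault(crc32(name.encode("ascii")), []).append(name)
    return table


def resolve_hashes(table, hashes):
    """Resolve hash values found during analysis back to export names ([] if unknown)."""
    return {h: table.get(h, []) for h in hashes}


# Constructed export list (a few kernel32 names); a real run would take the module's export table
SAMPLE_EXPORTS = ["CreateFileW", "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "WriteFile"]

if __name__ == "__main__":
    tbl = build_hash_table(SAMPLE_EXPORTS)
    for h, names in sorted(tbl.items()):
        print("%08X %s" % (h, ", ".join(names)))
```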

Saturday, 24 August 2013


A very common problem in static code analysis is finding the exported functions that refer to some desired address. For example, KseEngine has 21 references in the Windows kernel, but only 5 of these functions are exported.
So I wrote a simple Perl script for IDA Pro to automate this boring work. Sample output for KseEngine:
_KseQueryDeviceFlags@12: 74A6C1 addr 74A6E2
_KseQueryDeviceData@20: 74A75B addr 74A77A
_KseQueryDeviceDataList@16: 7A5E74 addr 7A5E95
_KseSetDeviceFlags@16: 7A672D addr 7A6760
_KseUnregisterShim@12: 7A692B addr 7A698B

Wednesday, 21 August 2013

wincheck rc8.49

Download mirror
  • add checking of shims inside apphelp.dll
  • add checking of ole32 hook callbacks like pfnInitHookOle/pfnUninitHookOle/pfnEnableHookObject etc
  • add some identification of applications within AppContainer
  • add checking of KernelBase.dll!pfnAdjustObjectAttributesForPrivateNamespace (windows 8.1 only)
  • some other bugs were fixed

Wednesday, 7 August 2013

how to find ntdll!LdrpHashTable

An old article (warning: it is written in French and has an eye-breaking font) describes a good idea for cross-scanning loaded modules using LdrpHashTable. But Ivanlef0u did not show how you can find the address of LdrpHashTable with static analysis.
It seems that this is not an easy task: xrefs to LdrpHashTable are not inside exported functions, and the functions that contain them are called too deeply from the nearest export:
  • LdrpResolveDllName
  • LdrpFindLoadedDllByName
  • LdrpInsertDataTableEntry
so ordinary code-flow graph analysis is very difficult. But actually there is an easier way to find the address of LdrpHashTable

Sunday, 4 August 2013

Inside the Microsoft Build Engine

It seems that the book contains a huge number of misprints. For example, on page 79:
The syntax when accessing a static property would be as follows:
OK, let's check the sample of using static properties:
<Message Text="DataTime.Now: $([System.DateTime]::Now)"/>
and below, in PropertyFunctions02.proj, GetPathToSystemFile('msbuild.exe') was used but the output shows the path to mspaint.exe

Friday, 26 July 2013

wincheck rc8.48

Download mirror
  • add some support for Windows Server 2012 R2
  • fixed the logic for extracting addresses from Windows 8.1 preview win32k.sys
  • fixed opening of protected processes on Windows 8.1 preview
  • add checking of dxgi!g_pDebugPrivate & dxgi!g_pDXGIMessage
  • some other bugs were fixed

Wednesday, 17 July 2013

updated perl binding for IDA Pro

I added functions for accessing the cmd structure.
Now you can do things like this:
#!perl -w
use strict;
use warnings;
use IDA;

my $addr = ScreenEA();
my $href = ua_ana($addr);      # analyze instruction at $addr, returns hashref with cmd fields
my $str = GetDisasm($addr);
if ( defined($href) )
{
  my $iter;
  printf("real: %s, %s:\n", $str, get_mnem());
  foreach $iter ( keys %$href )
  {
    printf("%s: %X\n", $iter, $href->{$iter});
  }
  my $op_idx;
  # walk operands until get_op returns undef (at most 6 operands in cmd)
  for ( $op_idx = 0; $op_idx < 6; $op_idx++ )
  {
    my $op = get_op($op_idx);
    last if ( !defined $op );
    printf("operand %d:\n", $op_idx);
    foreach $iter ( keys %$op )
    {
      printf(" %s ", $iter);
      print $op->{$iter} . "\n";
    }
  }
}

Wednesday, 10 July 2013

wincheck rc8.47

Download mirror
  • interrupts dumping now works on w8.1 preview 32bit
  • fixed NDIS interfaces under w8.1 preview
  • fixed registry notifiers for w8.1 preview 64bit
  • modules loaded by wdfldr now shown under w8.1 preview
  • fixed WMI regentries for w8.1 preview 64bit
  • add dumping of handlers registered with KdRegisterPowerHandler

Monday, 8 July 2013

interrupts in w8.1

Let's see what the windbg !idt command says:
Dumping IDT:

37: 817d0acc hal!HalpX86InterruptSpuriousService
c0: 817d0b78 hal!HalpX86InterruptStubService
d1: 817d1878 hal!HalpTimerClockInterrupt
d2: 817d1b54 hal!HalpTimerClockIpiRoutine
df: 817d1128 hal!HalpX86InterruptRebootService
e1: 817d1388 hal!HalpX86InterruptIpiService
e2: 817d0e50 hal!HalpX86InterruptLocalErrorService
fd: 817d210c hal!HalpTimerProfileInterrupt
fe: 817d23f0 hal!HalpPerfInterrupt

Thursday, 4 July 2013

wincheck rc8.46

Download mirror
Some initial support for Windows 8.1 preview was added.
Known problems:
  • the -idt option does not work on 32-bit w8.1. Btw, the !idt command in windbg also shows trash
  • NDIS interfaces are not shown
  • registry notifiers are not shown on w8.1 64-bit
  • modules loaded by wdfldr are not shown

Tuesday, 2 July 2013

w8.1 preview GetVersionEx - wtf?

Some simple code:

 OSVERSIONINFOEXW osvi;
 ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
 osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);

 if (!::GetVersionExW((LPOSVERSIONINFOW)&osvi))
   return 0;
 printf("Major %d Minor %d\n", osvi.dwMajorVersion, osvi.dwMinorVersion);

produces output
Major 6 Minor 2

OK, next code sample:
  RTL_OSVERSIONINFOEXW osverEx;
  memset(&osverEx, 0, sizeof(osverEx));
  osverEx.dwOSVersionInfoSize = sizeof(osverEx);
  NTSTATUS res = RtlGetVersion((PRTL_OSVERSIONINFOW)&osverEx);
  if ( NT_SUCCESS(res) )
    printf("Major %d Minor %d\n", osverEx.dwMajorVersion, osverEx.dwMinorVersion);

produces output:
Major 6 Minor 3
wtf?

Sunday, 30 June 2013

w8.1 preview on vbox

64-bit on vbox 4.2.14
right after boot
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" setextradata "VM Name" VBoxInternal/CPUM/CMPXCHG16B 1

WdfFunctions.idc patch for w8.1 preview

Some time ago I wrote a simple script for finding _WDFFUNCTIONS in KMDF-based drivers. It seems that Wdf01000.sys!_WDFFUNCTIONS from Windows 8.1 preview has some additional fields, so I just added them to my script:

Saturday, 29 June 2013

windows 8.1 preview 64-bit ntoskrnl.exe exports

to compare with


  SystemBasicInformation = 0x0,
  SystemProcessorInformation = 0x1,
  SystemPerformanceInformation = 0x2,
  SystemTimeOfDayInformation = 0x3,
  SystemPathInformation = 0x4,
  SystemProcessInformation = 0x5,
  SystemCallCountInformation = 0x6,
  SystemDeviceInformation = 0x7,
  SystemProcessorPerformanceInformation = 0x8,
  SystemFlagsInformation = 0x9,
  SystemCallTimeInformation = 0xa,
  SystemModuleInformation = 0xb,
  SystemLocksInformation = 0xc,
  SystemStackTraceInformation = 0xd,
  SystemPagedPoolInformation = 0xe,
  SystemNonPagedPoolInformation = 0xf,
  SystemHandleInformation = 0x10,
  SystemObjectInformation = 0x11,
  SystemPageFileInformation = 0x12,
  SystemVdmInstemulInformation = 0x13,
  SystemVdmBopInformation = 0x14,
  SystemFileCacheInformation = 0x15,
  SystemPoolTagInformation = 0x16,
  SystemInterruptInformation = 0x17,
  SystemDpcBehaviorInformation = 0x18,
  SystemFullMemoryInformation = 0x19,
  SystemLoadGdiDriverInformation = 0x1a,
  SystemUnloadGdiDriverInformation = 0x1b,
  SystemTimeAdjustmentInformation = 0x1c,
  SystemSummaryMemoryInformation = 0x1d,
  SystemMirrorMemoryInformation = 0x1e,
  SystemPerformanceTraceInformation = 0x1f,
  SystemObsolete0 = 0x20,
  SystemExceptionInformation = 0x21,
  SystemCrashDumpStateInformation = 0x22,
  SystemKernelDebuggerInformation = 0x23,
  SystemContextSwitchInformation = 0x24,
  SystemRegistryQuotaInformation = 0x25,
  SystemExtendServiceTableInformation = 0x26,
  SystemPrioritySeperation = 0x27,
  SystemVerifierAddDriverInformation = 0x28,
  SystemVerifierRemoveDriverInformation = 0x29,
  SystemProcessorIdleInformation = 0x2a,
  SystemLegacyDriverInformation = 0x2b,
  SystemCurrentTimeZoneInformation = 0x2c,
  SystemLookasideInformation = 0x2d,
  SystemTimeSlipNotification = 0x2e,
  SystemSessionCreate = 0x2f,
  SystemSessionDetach = 0x30,
  SystemSessionInformation = 0x31,
  SystemRangeStartInformation = 0x32,
  SystemVerifierInformation = 0x33,
  SystemVerifierThunkExtend = 0x34,
  SystemSessionProcessInformation = 0x35,
  SystemLoadGdiDriverInSystemSpace = 0x36,
  SystemNumaProcessorMap = 0x37,
  SystemPrefetcherInformation = 0x38,
  SystemExtendedProcessInformation = 0x39,
  SystemRecommendedSharedDataAlignment = 0x3a,
  SystemComPlusPackage = 0x3b,
  SystemNumaAvailableMemory = 0x3c,
  SystemProcessorPowerInformation = 0x3d,
  SystemEmulationBasicInformation = 0x3e,
  SystemEmulationProcessorInformation = 0x3f,
  SystemExtendedHandleInformation = 0x40,
  SystemLostDelayedWriteInformation = 0x41,
  SystemBigPoolInformation = 0x42,
  SystemSessionPoolTagInformation = 0x43,
  SystemSessionMappedViewInformation = 0x44,
  SystemHotpatchInformation = 0x45,
  SystemObjectSecurityMode = 0x46,
  SystemWatchdogTimerHandler = 0x47,
  SystemWatchdogTimerInformation = 0x48,
  SystemLogicalProcessorInformation = 0x49,
  SystemWow64SharedInformationObsolete = 0x4a,
  SystemRegisterFirmwareTableInformationHandler = 0x4b,
  SystemFirmwareTableInformation = 0x4c,
  SystemModuleInformationEx = 0x4d,
  SystemVerifierTriageInformation = 0x4e,
  SystemSuperfetchInformation = 0x4f,
  SystemMemoryListInformation = 0x50,
  SystemFileCacheInformationEx = 0x51,
  SystemThreadPriorityClientIdInformation = 0x52,
  SystemProcessorIdleCycleTimeInformation = 0x53,
  SystemVerifierCancellationInformation = 0x54,
  SystemProcessorPowerInformationEx = 0x55,
  SystemRefTraceInformation = 0x56,
  SystemSpecialPoolInformation = 0x57,
  SystemProcessIdInformation = 0x58,
  SystemErrorPortInformation = 0x59,
  SystemBootEnvironmentInformation = 0x5a,
  SystemHypervisorInformation = 0x5b,
  SystemVerifierInformationEx = 0x5c,
  SystemTimeZoneInformation = 0x5d,
  SystemImageFileExecutionOptionsInformation = 0x5e,
  SystemCoverageInformation = 0x5f,
  SystemPrefetchPatchInformation = 0x60,
  SystemVerifierFaultsInformation = 0x61,
  SystemSystemPartitionInformation = 0x62,
  SystemSystemDiskInformation = 0x63,
  SystemProcessorPerformanceDistribution = 0x64,
  SystemNumaProximityNodeInformation = 0x65,
  SystemDynamicTimeZoneInformation = 0x66,
  SystemCodeIntegrityInformation = 0x67,
  SystemProcessorMicrocodeUpdateInformation = 0x68,
  SystemProcessorBrandString = 0x69,
  SystemVirtualAddressInformation = 0x6a,
  SystemLogicalProcessorAndGroupInformation = 0x6b,
  SystemProcessorCycleTimeInformation = 0x6c,
  SystemStoreInformation = 0x6d,
  SystemRegistryAppendString = 0x6e,
  SystemAitSamplingValue = 0x6f,
  SystemVhdBootInformation = 0x70,
  SystemCpuQuotaInformation = 0x71,
  SystemNativeBasicInformation = 0x72,
  SystemErrorPortTimeouts = 0x73,
  SystemLowPriorityIoInformation = 0x74,
  SystemBootEntropyInformation = 0x75,
  SystemVerifierCountersInformation = 0x76,
  SystemPagedPoolInformationEx = 0x77,
  SystemSystemPtesInformationEx = 0x78,
  SystemNodeDistanceInformation = 0x79,
  SystemAcpiAuditInformation = 0x7a,
  SystemBasicPerformanceInformation = 0x7b,
  SystemQueryPerformanceCounterInformation = 0x7c,
  SystemSessionBigPoolInformation = 0x7d,
  SystemBootGraphicsInformation = 0x7e,
  SystemScrubPhysicalMemoryInformation = 0x7f,
  SystemBadPageInformation = 0x80,
  SystemProcessorProfileControlArea = 0x81,
  SystemCombinePhysicalMemoryInformation = 0x82,
  SystemEntropyInterruptTimingInformation = 0x83,
  SystemConsoleInformation = 0x84,
  SystemPlatformBinaryInformation = 0x85,
  SystemThrottleNotificationInformation = 0x86,
  SystemHypervisorProcessorCountInformation = 0x87,
  SystemDeviceDataInformation = 0x88,
  SystemDeviceDataEnumerationInformation = 0x89,
  SystemMemoryTopologyInformation = 0x8a,
  SystemMemoryChannelInformation = 0x8b,
  SystemBootLogoInformation = 0x8c,
  SystemProcessorPerformanceInformationEx = 0x8d,
  SystemSpare0 = 0x8e,
  SystemSecureBootPolicyInformation = 0x8f,
  SystemPageFileInformationEx = 0x90,
  SystemSecureBootInformation = 0x91,
  SystemEntropyInterruptTimingRawInformation = 0x92,
  SystemPortableWorkspaceEfiLauncherInformation = 0x93,
  SystemFullProcessInformation = 0x94,
  SystemKernelDebuggerInformationEx = 0x95,
  SystemBootMetadataInformation = 0x96,
  SystemSoftRebootInformation = 0x97,
  SystemElamCertificateInformation = 0x98,
  SystemOfflineDumpConfigInformation = 0x99,
  SystemProcessorFeaturesInformation = 0x9a,
  SystemRegistryReconciliationInformation = 0x9b,
  MaxSystemInfoClass = 0x9c,

Thursday, 20 June 2013


How to build subj for Windows 64-bit? The official solutions do not work:

perl Configure VC-WIN64A
makefile(609) : fatal error U1002: syntax error : invalid macro invocation '$'

OK, second way:
nmake -f ms/nt.mak
perl crypto\sha\asm\sha256-586.pl tmp32\sha256-586.asm
Pick one target type from
        elf     - Linux, FreeBSD, Solaris x86, etc.
        a.out   - DJGPP, elder OpenBSD, etc.
        coff    - GAS/COFF such as Win32 targets
        win32n  - Windows 95/Windows NT NASM format
        nw-nasm - NetWare NASM format
        macosx  - Mac OS X
NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x1'

Wtf, why sha256-586? Let's check:
dir /b crypto\sha\asm\*64.pl

So the source tree does not even contain sha256-x86_64.pl!

Saturday, 15 June 2013

Friday, 7 June 2013

building botan with openssl

I'll describe how to build this cool crypto library with OpenSSL under MSVC.
It seems that configure.py does not allow you to set additional include & library directories for external packages like openssl/zlib etc.
So I used a dirty hack.
First you just run configure.py:
python configure.py --cc=msvc --cpu=p4 --enable-asm --with-openssl

Now you can just patch the generated Makefile:
CXX           = cl /MD /IC:\work\src\crypto\openssl-0.9.8y\include
LINK_TO       = advapi32.lib C:\work\src\crypto\openssl-0.9.8y\out32\libeay32.lib user32.lib gdi32.lib

You also need to add gdi32.lib because it is used in OpenSSL for functions like DeleteDC. So now you are able to build both botan.dll and check.exe:
nmake check
check --test

Wednesday, 22 May 2013

delphi xe4

I know you may not believe me, but this zombie is still alive.
So if you want some support in the dcu loader for this version, you can share all dcu & dcc32/dcc64.exe and pay me thousands of dollars, he-he

Thursday, 16 May 2013

qmake - wtf?

I tried today to build fresh eql from git and got 16815 errors from the linker!
After comparing with the old version I found that qmake generates a different Makefile.Release:

Yes, the same version of qmake was used in both cases.
Wtf?

Update: I found the real reason for such behaviour: it's because I forgot to add DEFINES     += QT_NAMESPACE=QT to each of the eql .pro files. I think it is very annoying and error-prone to have to fix every .pro file

Thursday, 9 May 2013

how Rootkit.Avatar looks like in wincheck logs

Many thanks to Anton Cherepanov for the wincheck log from an infected machine.
A detailed description of Avatar can be found here.

1) FS Change notifiers
FS Change notifiers: 3 (actual 3)
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
DriverObj 8BEC91B8 addr 8C477D40 UNKNOWN
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys

2) Pnp Notifiers
Pnp Notifiers: total 19, readed 19
 Pnp[6] CategoryHardwareProfileChange DEVINTERFACE_MT_COMPOSITE addr 92FE793A \SystemRoot\system32\DRIVERS\CompositeBus.sys
 Pnp[7] CategoryHardwareProfileChange DEVINTERFACE_DISK addr 8B618180 UNKNOWN
 Pnp[8] CategoryHardwareProfileChange DEVINTERFACE_HIDDEN_VOLUME addr 8356D3E0 \SystemRoot\system32\DRIVERS\volmgr.sys

3) numerous driver patches
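As an added example (not part of the post or of wincheck), a small Python triage helper for log excerpts like the one above: it parses each "addr <hex> <module>" entry under its section header and flags callbacks whose address is not backed by any loaded module (wincheck prints UNKNOWN for those), which is exactly what both notifier lists show here. The input is the excerpt above, embedded as a constructed sample.

```python
import re

# Constructed input: the wincheck excerpt quoted above, one entry per line.
SAMPLE_LOG = r"""FS Change notifiers: 3 (actual 3)
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
DriverObj 8BEC91B8 addr 8C477D40 UNKNOWN
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
Pnp Notifiers: total 19, readed 19
 Pnp[6] CategoryHardwareProfileChange DEVINTERFACE_MT_COMPOSITE addr 92FE793A \SystemRoot\system32\DRIVERS\CompositeBus.sys
 Pnp[7] CategoryHardwareProfileChange DEVINTERFACE_DISK addr 8B618180 UNKNOWN
 Pnp[8] CategoryHardwareProfileChange DEVINTERFACE_HIDDEN_VOLUME addr 8356D3E0 \SystemRoot\system32\DRIVERS\volmgr.sys
"""

# "... addr <hex address> <module path or UNKNOWN>" at the end of an entry line
ENTRY_RE = re.compile(r"\baddr\s+([0-9A-Fa-f]+)\s+(\S+)\s*$")
# section headers ("FS Change notifiers: ...") start in column 0 and carry no addr field
HEADER_RE = re.compile(r"^(\S[^:]*):")


def parse_entries(text):
    """Return one dict per callback entry, tagged with the section it appeared under."""
    section, entries = None, []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append({"section": section, "addr": int(m.group(1), 16),
                            "module": m.group(2), "line": line.strip()})
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group(1)
    return entries


def unbacked_callbacks(text):
    """Callbacks whose code is not inside any loaded module: the first thing to look at."""
    return [e for e in parse_entries(text) if e["module"] == "UNKNOWN"]


def section_summary(text):
    """section -> (entries, unbacked), so a long log can be scanned at a glance."""
    summary = {}
    for e in parse_entries(text):
        total, bad = summary.get(e["section"], (0, 0))
        summary[e["section"]] = (total + 1, bad + (e["module"] == "UNKNOWN"))
    return summary


if __name__ == "__main__":
    for e in unbacked_callbacks(SAMPLE_LOG):
        print("%-20s %08X  %s" % (e["section"], e["addr"], e["line"]))
```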

Monday, 6 May 2013

windows 8.1 interrupts

I just tried to find some differences from w8 RTM:
w8 rtm _KiTrap02:
 mov     eax, large fs:40h
w8.1 _KiTrap02:
 mov     eax, large fs:40h

Also it seems that w8.1 requires a processor with SSE; check, for example, w8.1 _KiTrap03:
  stmxcsr dword ptr [ebp+48h]
  ldmxcsr large dword ptr fs:8
  sub   esp, 80h
  and   esp, 0FFFFFFF0h
  mov   esi, esp
  movaps oword ptr [esi], xmm0
  movaps oword ptr [esi+10h], xmm1
  movaps oword ptr [esi+20h], xmm2
  movaps oword ptr [esi+30h], xmm3
  movaps oword ptr [esi+40h], xmm4
  movaps oword ptr [esi+50h], xmm5
  movaps oword ptr [esi+60h], xmm6
  movaps oword ptr [esi+70h], xmm7

Sunday, 5 May 2013

RPat another update

I rebuilt RPat today with mingw gcc 4.6.2 and binutils 2.23.2.
The fresh version can be downloaded here.
New object file formats were added in binutils 2.23.2:
  • elf32-epiphany
  • elf32-powerpc-freebsd
  • elf32-rl78
  • elf32-tilegx-be
  • elf32-tilegx-le
  • elf32-xgate

Saturday, 4 May 2013


I wrote today a simple hack tool for creating signatures from Delphi .dcu files for IDA FLAIR.
The main idea is very simple: FLAIR expects a .pat file in order to produce a .sig file with signatures. So I just added some logic to my .dcu files loader to generate .pat files in the right format.
Supported Delphi versions:
  • Delphi 2007 (v12)
  • Delphi 2009 (v14)
  • Delphi 2010 (v15)
  • Delphi XE (v16)
  • Delphi XE2 (v17)
Download mirror
Sample of using:

Thursday, 25 April 2013

VfXdvThunks in windows 8.1 (build 9374)

Added functions:
  • IoSetDeviceToVerify
  • RtlCompareUnicodeString
  • RtlDowncaseUnicodeChar
  • RtlEqualUnicodeString
  • RtlFreeUnicodeString
  • RtlGenerateClass5Guid
  • RtlGUIDFromString
  • RtlHashUnicodeString
  • RtlStringFromGUID
  • RtlUnicodeToUTF8N
  • RtlUpcaseUnicodeChar
  • RtlUTF8ToUnicodeN
  • RtlxAnsiStringToUnicodeSize
  • RtlxUnicodeStringToAnsiSize

Tuesday, 23 April 2013

KiServiceTable for windows 8.1 (build 9374)

KiServiceLimit eq 0x1B1

new items in CmControlVector on windows 8.1 (build 9374)

Just to compare with CmControlVector from w8:
  • Session Manager\Memory Management - EnableCfg
  • Session Manager\Kernel - VerifierDpcScalingFactor
  • Session Manager\Kernel - KernelSEHOPEnabled
  • Session Manager\Kernel - MaximumSharedReadyQueueSize
  • Session Manager\Kernel - DisableAutoBoost
  • Session Manager\Power - SleepStudyDisabled
  • Session Manager\Power - SleepStudyDeviceAccountingLevel
  • Session Manager\Power - ThermalZoneMetricsSqmPeriod
  • Power - LatencyToleranceDefault
  • Power - LatencyTolerancePerfOverride
  • Power - LatencyToleranceVSyncEnabled
  • Power - LatencyToleranceFSVP
  • Power - LatencyToleranceScreenOffIR
  • Session Manager\Debug Print Filter - WER
  • Session Manager - AlpcWakePolicy

Monday, 22 April 2013

wincheck rc8.45

Download mirror
  • add dumping of ObTypeIndexTable (thnx to for this paper)
  • add checking of partmgr!PmFilterDispatch & partmgr!PmLegacyDispatch
  • lots of fixes in udis86 disasm
  • some other bugs were fixed

Saturday, 13 April 2013

Metasploit - A Penetration Tester's Guide

Page 251
Before you begin, download and install Metasploit’s vulnerable Linux virtual machine called Metasploitable. (You can find it at http://www.thepiratebay.org/torrent/5573179/Metasploitable/)

Wednesday, 27 March 2013

Thursday, 21 March 2013

wincheck rc8.44

Download mirror
  • add dumping of registered MINIRDR_DISPATCH in rdbss. Sample of output:
    rdbss registered devs count: 1
     [0] DevObj 8A98E030 DrvObj 8AC45C28 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxStop: A8DABFD3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCancel: A8DC069A \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCollapseOpen: A8D9A60E \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxShouldTryToCollapseThisOpen: A8D9CF1A \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxFlush: A8D9AA23 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxZeroExtend: A8DA490E \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCleanupFobx: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCloseSrvOpen: A8D9A4AC \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxDeallocateForFcb: A8D9A2B0 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxDeallocateForFobx: A8D9A410 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxIsLockRealizable: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxForceClosed: A8DA01C1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxOpenPrintFile: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxClosePrintFile: A8D787FF \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetFileInfo: A8D9DA55 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetFileInfoAtCleanup: A8D9C941 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQueryEaInfo: A8D9E1B1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetEaInfo: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQuerySdInfo: A8DBEFC1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetSdInfo: A8DBEC6C \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQueryQuotaInfo: A8DBE953 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetQuotaInfo: A8DBEA90 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQueryVolumeInfo: A8D883E7 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetVolumeInfo: A8D885C9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxIsValidDirectory: A8D9C6B5 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxComputeNewBufferingState: A8DBF506 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_READ]: A8DBF362 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_WRITE]: A8D9F98F \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_SHAREDLOCK]: A8D9F7D6 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_EXCLUSIVELOCK]: A8D9EA5B \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_UNLOCK]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_UNLOCK_MULTIPLE]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_FSCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_IOCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_NOTIFY_CHANGE_DIRECTORY]: A8DA1E1F \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_CLEAROUT]: A8DC00F2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCompleteBufferingStateChangeRequest: A8D9E639 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCreateVNetRoot: A8DBF9A2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxFinalizeVNetRoot: A8D9FF36 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxFinalizeNetRoot: A8DA21EF \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxUpdateNetRootState: A8D78B02 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxExtractNetRootName: A8DA14FB \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCreateSrvCall: A8DA60E3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCancelCreateSrvCall: A8DA2385 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSrvCallWinnerNotify: A8DA3529 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxDevFcbXXXControlFile: A8DA30A9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  • fixed srvnet!SrvNetRegisterClient registered clients dumping for w8 32bit
  • fixed bad rdbss!RxFsdDispatch detection on w8 32bit
  • some other bugs were fixed

Tuesday, 19 March 2013

ZwQueryLicenseValue in windows 8 user-mode

  • appid-EnableV2
  • appid-EnableV2
  • TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions
  • LSA-Policy-EnableTrustedDomains
  • TerminalServices-RemoteConnectionManager-AllowMultipleSessions
  • TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions
  • WorkstationService-DomainJoinEnabled
  • Security-SPP-GenuineLocalStatus
  • Kernel-ExpirationDate
  • Security-SPP-GenuineLocalStatus
  • Security-SPP-TokenActivation-AdditionalInfo
These license names are used to determine if the current Windows license is time-based:
  • Security-SPP-Reserved-TBLProductKeyType
  • Security-SPP-Reserved-TBLState
  • Security-SPP-Reserved-TBLRemainingTime
Also I wrote a simple console program, dumpwlic, to hex-dump a license value by name. Sample of using:

Saturday, 16 March 2013

using ZwQueryLicenseValue in windows 8 drivers

The function ZwQueryLicenseValue gets the data for a particular license value. As you can see, the first argument is a PUNICODE_STRING with some license feature name. Let's see which names are checked in Windows 8 kernel mode:

  • Kernel-ProductInfo - in function RtlGetProductInfo
  • Kernel-ProductInfoLegacyMapping - in function RtlGetProductInfo
  • Kernel-VirtualDynamicPartitioningSupported
  • Kernel-VmPhysicalMemoryAddAllowed
  • Kernel-RegisteredProcessors
  • Kernel-CsChecksDisabled
  • Kernel-PersistDefectiveMemoryList
  • Kernel-ExpirationDate
  • Kernel-MemoryMirroringSupported
  • WSLicensingService-LOBSideloadingActivated
Also the function RtlpGetWindowsPolicy checks the following names:
  • WindowsExcludedProcs
  • Kernel-MUI-Number-Allowed
  • Kernel-MUI-Language-Allowed
  • Kernel-MUI-Language-Disallowed
  • Kernel-MUI-Language-SKU
  • Kernel-RegisteredProcessors
  • Microsoft-Windows-Core-THQAEnabled
  • Microsoft-Windows-Core-AllowMultiMon

Thursday, 14 March 2013

wincheck rc8.43

Download mirror
  • add dumping of srvnet!SrvNetRegisterClient registered clients
  • add dumping of WdfLdr registered libraries (-wdf or -full options). Sample of output:
      RegService: \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
      DrvName: Wdf01000.sys
      Module: FFFFF880010D4000 \SystemRoot\system32\drivers\Wdf01000.sys
      WdfLibraryInfo: FFFFF8800117E128 \SystemRoot\system32\drivers\Wdf01000.sys
  • some other bugs were fixed

Friday, 8 March 2013


It seems that KMDF has the possibility to register extension drivers with the undocumented (as usual) function WdfRegisterClassLibrary.
For example, the driver Ucx01000.sys (USB host controller extension) contains a functions table which I named UCXFUNCTIONS. I wrote a simple IDC script to find and add this structure (in addition to the ordinary WDFFUNCTIONS) in client drivers of this extension

Thursday, 7 March 2013

srvnet!SrvNetRegisterClient registered clients

It seems that the undocumented function srvnet!SrvNetRegisterClient accepts as its first argument some structure with handlers. Let's see how it is stored and how we can extract it.

    mov eax, [ebp+srvnet_clnt] ; first argument
    push esi
    movzx esi, word ptr [eax]  ; UNICODE_STRING.Length
    add esi, 84h  ; plus some internal structure size
    push edi
    push 'fbSL'   ; Tag
    push esi      ; NumberOfBytes
    push 200h     ; PoolType
    call ds:__imp__ExAllocatePoolWithTag

    mov edx, [ebp+srvnet_clnt]
    mov esi, edx
    lea edi, [ebx+4Ch] ; ebx holds allocated memory address

    mov ecx, 8         ; size 4 * 8 = 0x20 bytes
    rep movsd

It seems that the input structure srvnet_clnt is copied to offset 0x4c. Prototype of srvnet_clnt (32-bit layout, offsets in the comments):

struct srvnet_clnt
{
/*  0 */  UNICODE_STRING Name;
/*  8 */  PBYTE RegisterEndpointHandler;
/*  C */  PBYTE DeregisterEndpointHandler;
/* 10 */  PBYTE NegotiateHandler;
/* 14 */  PBYTE ConnectHandler;
/* 18 */  PBYTE ReceiveHandler;
/* 1C */  PBYTE DisconnectHandler;
/* 20 */  PBYTE CredentialHandler;
};

Let's see how this allocated buffer is used next:
    mov edx, _SrvNetDeviceExtension ; some global ptr in srvnet.sys
    cmp dword ptr [edx+0ECh], 4     ; seems like max count check
    mov [ebp+var_1], al
    jge loc_27DAE
    xor eax, eax  ; zero index before cycle
    movzx ecx, ax
    cmp dword ptr [edx+ecx*4+0DCh], 0 ; check for next free ptr
    jnz loc_149E8

    lea ecx, [edx+38h]
    cmp ax, 4   
; check for max count
    jz  loc_27E16
    inc dword ptr [edx+0ECh]  ; inc count of clients
    mov [edx+eax*4+0DCh], ebx ; store current client ptr

    inc eax       ; inc current index
    cmp ax, 4     ; again check for max count
    jb  loc_14911 ; go to next cycle
    jmp loc_14922 ; out of cycle

It's easy to see that all registered clients are stored in some internal structure (its address can be found in the srvnet!SrvNetDeviceExtension variable) in a fixed-size (max 4) buffer at offset 0xDC, and the count of registered clients is located at offset 0xEC
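To make the layout concrete, here is an added Python example (not from the post and not wincheck's code) that walks a constructed 32-bit memory snapshot using exactly the offsets derived above: the 4-entry pointer array at +0xDC and the count at +0xEC of SrvNetDeviceExtension, and the srvnet_clnt copy at +0x4C of each client block. The snapshot contents, the addresses and the module range are constructed; the check of handler addresses against known module ranges is the kind of test a hook checker performs on this table.

```python
import struct

EXT_CLIENTS_OFF = 0xDC   # fixed array of 4 client block pointers (from the disassembly above)
EXT_COUNT_OFF = 0xEC     # number of registered clients
EXT_MAX_CLIENTS = 4
CLIENT_COPY_OFF = 0x4C   # where srvnet_clnt is copied inside the allocated client block
HANDLER_NAMES = ("RegisterEndpointHandler", "DeregisterEndpointHandler", "NegotiateHandler",
                 "ConnectHandler", "ReceiveHandler", "DisconnectHandler", "CredentialHandler")
CLNT_FMT = "<HHI7I"      # 32-bit UNICODE_STRING (Length, MaximumLength, Buffer) + 7 PBYTE
CLNT_SIZE = struct.calcsize(CLNT_FMT)   # 0x24


class Image:
    """Flat 32-bit memory snapshot: one bytearray starting at virtual address `base`."""
    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)

    def write(self, va, data):
        off = va - self.base
        self.mem[off:off + len(data)] = data

    def read(self, va, n):
        off = va - self.base
        if off < 0 or off + n > len(self.mem):
            raise ValueError("read outside snapshot: %#x" % va)
        return bytes(self.mem[off:off + n])

    def u32(self, va):
        return struct.unpack("<I", self.read(va, 4))[0]


def parse_clients(img, ext_va):
    """Walk SrvNetDeviceExtension at ext_va and return the registered srvnet clients."""
    count = img.u32(ext_va + EXT_COUNT_OFF)
    slots = [img.u32(ext_va + EXT_CLIENTS_OFF + 4 * i) for i in range(EXT_MAX_CLIENTS)]
    clients = []
    for slot in slots:
        if slot == 0:          # free slot, as the 'cmp dword ptr [edx+ecx*4+0DCh], 0' check
            continue
        fields = struct.unpack(CLNT_FMT, img.read(slot + CLIENT_COPY_OFF, CLNT_SIZE))
        length, _maxlen, buf = fields[:3]
        name = img.read(buf, length).decode("utf-16-le") if buf else ""
        clients.append({"block": slot, "name": name,
                        "handlers": dict(zip(HANDLER_NAMES, fields[3:]))})
    if len(clients) != count:  # the count at +0xEC must agree with the occupied slots
        raise ValueError("count %d at +0xEC disagrees with %d non-zero slots" % (count, len(clients)))
    return clients


def handlers_outside(clients, modules):
    """Handlers not backed by any known module range: what a checker would flag."""
    bad = []
    for c in clients:
        for hname, va in c["handlers"].items():
            if not any(lo <= va < hi for lo, hi in modules.values()):
                bad.append((c["name"], hname, va))
    return bad


def build_sample():
    """Constructed snapshot: extension at 0x9A000000 with two registered clients."""
    base = 0x9A000000
    img = Image(base, 0x4000)
    ext = base
    spec = [("SMB2", 0x9A001000, 0x9A001200, 0x8C400000),   # name, block, name buffer, 1st handler
            ("SMB1", 0x9A002000, 0x9A002200, 0x8C400100)]
    ptrs = []
    for name, block, name_va, h0 in spec:
        wname = name.encode("utf-16-le")
        img.write(name_va, wname)
        handlers = [h0 + 0x10 * i for i in range(7)]
        img.write(block + CLIENT_COPY_OFF,
                  struct.pack(CLNT_FMT, len(wname), len(wname) + 2, name_va, *handlers))
        ptrs.append(block)
    ptrs += [0] * (EXT_MAX_CLIENTS - len(ptrs))
    img.write(ext + EXT_CLIENTS_OFF, struct.pack("<4I", *ptrs))
    img.write(ext + EXT_COUNT_OFF, struct.pack("<I", len(spec)))
    return img, ext


if __name__ == "__main__":
    img, ext = build_sample()
    for c in parse_clients(img, ext):
        print("%s at %08X" % (c["name"], c["block"]))
        for hname, va in c["handlers"].items():
            print("  %s: %08X" % (hname, va))
```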

Wednesday, 6 March 2013

wincheck rc8.42

Download mirror
  • add dumping of HW_INITIALIZATION_DATA for scsiport & storport driver extensions (-dext option)
  • add checking of Hub[PF]doGenDispatch/Hub[PF]doPnPDispatch from usbhub (-usb option)
  • some other bugs were fixed

Monday, February 25, 2013

HW_INITIALIZATION_DATA in storport driver extensions

Function StorPortInitialize takes struct HW_INITIALIZATION_DATA as its third argument, but where is this structure stored?
Run wincheck.exe -alldrv -dext -f dext.log and look in dext.log for the storport.sys driver extensions:

Driver \Driver\LSI_SCSI extensions:
 8389AA78 Key 80738711 \SystemRoot\system32\drivers\storport.sys
Check address 8389AA78 in windbg:

Sunday, February 24, 2013

HW_INITIALIZATION_DATA in scsiport driver extensions

Function ScsiPortInitialize takes struct HW_INITIALIZATION_DATA as its third argument, but where is this structure stored?
Run wincheck.exe -alldrv -dext -f dext.log and look in dext.log for the scsiport.sys driver extensions:
Driver \Driver\viamraid extensions:

Friday, February 22, 2013

wincheck rc8.41

Download mirror
  • add -dext option to dump all driver extensions
  • add checking of (Fdo|Pdo)PnpDispatchTable, (Fdo|Pdo)PowerDispatchTable & (Fdo|Pdo)WmiDispatchTable in pciidex.sys
  • checking of CLASS_DRIVER_EXTENSION now works under w2k
  • some other bugs were fixed

Wednesday, February 13, 2013

wincheck rc8.40

Download mirror

Add checking & dumping of CLASS_INIT_DATA & CLASS_DRIVER_EXTENSION. Output sample:
Driver Disk DrvObj FFFFFA8007F15640:
 Fdo.ClassError: FFFFF88001B4F430 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassReadWriteVerification: FFFFF88001B4F010 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassDeviceControl: FFFFF88001B4F1F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassShutdownFlush: FFFFF88001B57010 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassInitDevice:    FFFFF88001B5DCE0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassStartDevice:   FFFFF88001B5C4F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassPowerDevice:   FFFFF88001B4FA94 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassStopDevice:    FFFFF88001B503F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassRemoveDevice:  FFFFF88001B5AF10 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassQueryWmiRegInfo:   FFFFF88001B57B60 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassQueryWmiDataBlock: FFFFF88001B5C9D0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassSetWmiDataBlock:   FFFFF88001B5C7F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassSetWmiDataItem:   FFFFF88001B58850 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassExecuteWmiMethod: FFFFF88001B5D3A0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassWmiFunctionControl: FFFFF88001B5D900 \SystemRoot\system32\DRIVERS\disk.sys
 ClassAddDevice: FFFFF88001B5B000 \SystemRoot\system32\DRIVERS\disk.sys
 ClassUnload:  FFFFF88001B5AD10 \SystemRoot\system32\DRIVERS\disk.sys

Friday, February 8, 2013

wincheck rc8.39

Download mirror
  • add checking of callbacks registered with IoRegisterIoTracking (w8 only)
  • add checking of advapi32.dll!g_ActivationStateCallback
  • lots of GUID names were added for PoRegisterPowerSettingCallback
  • fixed error "Cannot resolve WdfFunctions for tpm.sys"
  • some other bugs were fixed

Friday, January 25, 2013

wincheck rc8.38

Download mirror
  • add checking of old mfc42 CRuntimeClasses in .data section
  • fixed bug in PE exports reader
  • add checking of AppHelp.dll encoded handlers in kernel32.dll. Sample output:
    gApphelpGlobals: 1
     Apphelp.ApphelpCheckRunAppEx: c:\windows\system32\apphelp.dll (000007FEFDBF5B70)
     Apphelp.ApphelpQueryModuleDataEx: c:\windows\system32\apphelp.dll (000007FEFDC0A4A8)
     Apphelp.ApphelpCreateAppcompatData: c:\windows\system32\apphelp.dll (000007FEFDBF1090)
     Apphelp.SdbInitDatabaseEx: c:\windows\system32\apphelp.dll (000007FEFDBF5084)
     Apphelp.SdbReleaseDatabase: c:\windows\system32\apphelp.dll (000007FEFDBF4F10)
     Apphelp.SdbUnpackAppCompatData: c:\windows\system32\apphelp.dll (000007FEFDBFE540)
     Apphelp.SdbQueryContext: c:\windows\system32\apphelp.dll (000007FEFDBFD18C)
  • some other bugs were fixed

Thursday, January 17, 2013

bug in Malware and Rootkits Secrets and Solutions

Code from the appendix of this book:
 //oops, out of memory...
 if (pModuleList == NULL)
    DbgPrint("\nExamineDriverIrpTables():  [0] Out of memory.\n");
 if (nt != STATUS_SUCCESS)
       DbgPrint("\nExamineDriverIrpTables():  [0] Error: "
                "ZwQuerySystemInformation() failed\n.");

Yeah, a memory leak - where did the authors prepare to free the memory if the call to ZwQuerySystemInformation was unsuccessful?
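The error path in question, modelled in user mode so it runs anywhere, as an added example (not the book's code and not from this post): the leaky shape beside a fixed one where every exit after the allocation passes a single cleanup point. The allocation counter, the fake query routine, the two ExamineDriverIrpTables variants and the buffer size are constructed for the illustration; the STATUS_* values mirror the NTSTATUS constants.

```c
/* Added example: pool leak on the error path, user-mode model.
 * Assumptions: PoolAlloc/PoolFree, FakeQuerySystemInformation, the 0x1000 size. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_NO_MEMORY            ((NTSTATUS)0xC0000017)

static int g_live_allocations;   /* stands in for pool accounting (what !poolused would show) */

static void *PoolAlloc(size_t n) { void *p = malloc(n); if (p) g_live_allocations++; return p; }
static void  PoolFree(void *p)   { if (p) { free(p); g_live_allocations--; } }

/* Stand-in for ZwQuerySystemInformation(SystemModuleInformation, ...): fails on request. */
static NTSTATUS FakeQuerySystemInformation(void *buf, size_t len, int should_fail)
{
    (void)buf; (void)len;
    return should_fail ? STATUS_INFO_LENGTH_MISMATCH : STATUS_SUCCESS;
}

/* Shape of the book's code: on query failure it reports and returns, and the
 * buffer allocated a few lines earlier is never released. */
NTSTATUS ExamineDriverIrpTables_Leaky(int query_fails)
{
    void *pModuleList = PoolAlloc(0x1000);
    if (pModuleList == NULL) {
        printf("ExamineDriverIrpTables(): [0] Out of memory.\n");
        return STATUS_NO_MEMORY;
    }
    NTSTATUS nt = FakeQuerySystemInformation(pModuleList, 0x1000, query_fails);
    if (nt != STATUS_SUCCESS) {
        printf("ExamineDriverIrpTables(): [0] Error: ZwQuerySystemInformation() failed.\n");
        return nt;                       /* pModuleList leaks here */
    }
    /* ... walk the module list ... */
    PoolFree(pModuleList);
    return STATUS_SUCCESS;
}

/* Fixed shape: one cleanup label, reached by every exit taken after PoolAlloc(). */
NTSTATUS ExamineDriverIrpTables_Fixed(int query_fails)
{
    NTSTATUS nt;
    void *pModuleList = PoolAlloc(0x1000);
    if (pModuleList == NULL) {
        printf("ExamineDriverIrpTables(): [0] Out of memory.\n");
        return STATUS_NO_MEMORY;         /* nothing to free yet */
    }
    nt = FakeQuerySystemInformation(pModuleList, 0x1000, query_fails);
    if (nt != STATUS_SUCCESS) {
        printf("ExamineDriverIrpTables(): [0] Error: ZwQuerySystemInformation() failed.\n");
        goto cleanup;
    }
    /* ... walk the module list ... */
cleanup:
    PoolFree(pModuleList);
    return nt;
}

/* Runs one variant with a failing query and reports how many allocations it left behind. */
int leaked_allocations(NTSTATUS (*fn)(int))
{
    int before = g_live_allocations;
    fn(1);
    return g_live_allocations - before;
}

int main(void)
{
    printf("leaky variant leaves %d allocation(s) behind\n", leaked_allocations(ExamineDriverIrpTables_Leaky));
    printf("fixed variant leaves %d allocation(s) behind\n", leaked_allocations(ExamineDriverIrpTables_Fixed));
    return 0;
}
```

In a driver this kind of leak is worse than in user mode: the pool is never reclaimed when the caller exits, and a routine that is re-run on every scan (as a rootkit detector's table walk would be) drains it a page at a time.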

Tuesday, January 15, 2013

hidden processes in wincheck log

It's easy to do a cross-scan of processes and threads from the scheduler (run wincheck with the -sched or -full options) and analyze the produced log.
A simple perl script for this tedious task:
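The same cross-view check written in C as an added example (this is not the author's perl script and not wincheck's code): processes that own scheduled threads but are absent from the process list are reported. The log lines and their format are constructed for the example and are not wincheck's actual log format.

```c
/* Added example: cross-view check of scheduler threads against the process list.
 * Assumptions: the log line format below and the addresses in it are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 64

/* Constructed log lines (hypothetical format): one line per process seen in the
 * process list, one line per thread seen by the scheduler scan. */
static const char *const sample_log[] = {
    "PROCESS 8A1B2C30 pid 4 System",
    "PROCESS 8A3F1020 pid 512 smss.exe",
    "PROCESS 8A4C8D40 pid 1284 svchost.exe",
    "THREAD 8A3F2A80 process 8A3F1020",
    "THREAD 8A4CA0C0 process 8A4C8D40",
    "THREAD 8A5D0100 process 8A7E9900",   /* owner never appears in the process list */
    "THREAD 8A5D0880 process 8A7E9900",   /* second thread of the same owner */
    "THREAD 8A1B3F00 process 8A1B2C30",
};
#define SAMPLE_LOG_LINES ((int)(sizeof sample_log / sizeof sample_log[0]))

static int contains(const uint32_t *arr, int n, uint32_t v)
{
    for (int i = 0; i < n; i++)
        if (arr[i] == v)
            return 1;
    return 0;
}

/* Every process that owns a scheduled thread must also be in the process list.
 * Writes the distinct owner addresses that are not listed into hidden[] and
 * returns how many there were. */
int find_hidden_processes(const char *const lines[], int nlines, uint32_t hidden[], int max_hidden)
{
    uint32_t listed[MAX_PROCS];
    int nlisted = 0, nhidden = 0;

    for (int i = 0; i < nlines; i++) {           /* pass 1: the process list view */
        unsigned addr;
        if (sscanf(lines[i], "PROCESS %x", &addr) == 1 && nlisted < MAX_PROCS)
            listed[nlisted++] = addr;
    }
    for (int i = 0; i < nlines; i++) {           /* pass 2: the scheduler view */
        unsigned thread, owner;
        if (sscanf(lines[i], "THREAD %x process %x", &thread, &owner) != 2)
            continue;
        if (!contains(listed, nlisted, owner) && !contains(hidden, nhidden, owner)
            && nhidden < max_hidden)
            hidden[nhidden++] = owner;
    }
    return nhidden;
}

int main(void)
{
    uint32_t hidden[MAX_PROCS];
    int n = find_hidden_processes(sample_log, SAMPLE_LOG_LINES, hidden, MAX_PROCS);
    for (int i = 0; i < n; i++)
        printf("process %08X has scheduled threads but is not in the process list\n", hidden[i]);
    return 0;
}
```

The check only works because the two views are collected independently: the scheduler sees every thread that can run, whether or not its owner is linked into the process list, so unlinking the process does not unlink its threads from the view that matters.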

Monday, January 14, 2013

Friday, January 11, 2013

crashdmp.sys & CrashdmpCallTable

I noticed in the cool presentation "Regaining Control of Your Disk in the Presence of Bootkits" that DriverEntry of crashdmp.sys has a strange prototype:

  mov   ebx, [ebp+arg_4] ; DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath). Do we really write to RegistryPath here?
  test  ebx, ebx
  cmp   dword ptr [ebx], 1
  jz    short loc_19038
  cmp   dword ptr [ebx+4], 4
  jz    short loc_19038

  mov   dword ptr [ebx], 1
  mov   dword ptr [ebx+4], 4
  mov   dword ptr [ebx+8], offset _CrashdmpInitialize@16
  mov   dword ptr [ebx+0Ch], offset _CrashdmpLoadDumpStack@20
  mov   dword ptr [ebx+10h], offset _CrashdmpInitDumpStack@8
  mov   dword ptr [ebx+14h], offset _CrashdmpFreeDumpStack@4
  mov   dword ptr [ebx+18h], offset _CrashdmpDisable@0
  mov   dword ptr [ebx+1Ch], offset _CrashdmpNotify@12
  mov   dword ptr [ebx+20h], offset _CrashdmpWrite@8
  mov   dword ptr [ebx+24h], offset _CrashdmpUpdatePhysicalRange@4
  mov   dword ptr [ebx+28h], offset _CrashdmpResumeCapable@4
  mov   dword ptr [ebx+2Ch], offset _CrashdmpGetTransferSizes@8
  mov   dword ptr [ebx+30h], offset _CrashdmpLogStatusData@16
  mov   dword ptr [ebx+34h], offset _CrashdmpReady@0

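The table the listing fills, reconstructed as a C struct with the offsets and symbol names from the listing, and the check a defender would run over a copy of it read from memory: the two header dwords must read back as DriverEntry wrote them, and every entry must point inside the crashdmp.sys image. This is an added example, not crashdmp.sys code and not from the post; the struct name, the names Field0 and Field4 (the listing does not say what those two dwords mean), the function names and the sample image range are assumptions.

```c
/* Added example: reconstruction and validation of the crashdmp call table.
 * Assumptions: struct/field/function names and the sample image range. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout written by DriverEntry in the listing (x86, 32-bit entries). */
struct CRASHDMP_CALL_TABLE32 {
    uint32_t Field0;                      /* [ebx]     = 1 (meaning not given by the listing) */
    uint32_t Field4;                      /* [ebx+4]   = 4 */
    uint32_t CrashdmpInitialize;          /* [ebx+8]   */
    uint32_t CrashdmpLoadDumpStack;       /* [ebx+0Ch] */
    uint32_t CrashdmpInitDumpStack;       /* [ebx+10h] */
    uint32_t CrashdmpFreeDumpStack;       /* [ebx+14h] */
    uint32_t CrashdmpDisable;             /* [ebx+18h] */
    uint32_t CrashdmpNotify;              /* [ebx+1Ch] */
    uint32_t CrashdmpWrite;               /* [ebx+20h] */
    uint32_t CrashdmpUpdatePhysicalRange; /* [ebx+24h] */
    uint32_t CrashdmpResumeCapable;       /* [ebx+28h] */
    uint32_t CrashdmpGetTransferSizes;    /* [ebx+2Ch] */
    uint32_t CrashdmpLogStatusData;       /* [ebx+30h] */
    uint32_t CrashdmpReady;               /* [ebx+34h] */
};

#define CRASHDMP_FIRST_ENTRY_OFF 0x08
#define CRASHDMP_ENTRY_COUNT     12

static const char *const crashdmp_entry_names[CRASHDMP_ENTRY_COUNT] = {
    "CrashdmpInitialize", "CrashdmpLoadDumpStack", "CrashdmpInitDumpStack",
    "CrashdmpFreeDumpStack", "CrashdmpDisable", "CrashdmpNotify", "CrashdmpWrite",
    "CrashdmpUpdatePhysicalRange", "CrashdmpResumeCapable", "CrashdmpGetTransferSizes",
    "CrashdmpLogStatusData", "CrashdmpReady"
};

/* The header dwords must read back exactly as DriverEntry stored them. */
int crashdmp_header_ok(const struct CRASHDMP_CALL_TABLE32 *t)
{
    return t->Field0 == 1 && t->Field4 == 4;
}

/* Returns a bitmask with bit i set when entry i lies outside the image range
 * [image_base, image_base + image_size).  In the listing every entry is an
 * offset inside crashdmp.sys, so anything outside is what a checker reports. */
uint32_t crashdmp_entries_outside_image(const struct CRASHDMP_CALL_TABLE32 *t,
                                        uint32_t image_base, uint32_t image_size)
{
    const uint32_t *entry = (const uint32_t *)((const uint8_t *)t + CRASHDMP_FIRST_ENTRY_OFF);
    uint32_t mask = 0;
    for (int i = 0; i < CRASHDMP_ENTRY_COUNT; i++) {
        uint32_t p = entry[i];
        if (p < image_base || p - image_base >= image_size)
            mask |= 1u << i;
    }
    return mask;
}

/* Builds a constructed table where all entries sit inside a sample image range
 * except CrashdmpWrite, and returns the mask of entries flagged. */
uint32_t crashdmp_demo(void)
{
    struct CRASHDMP_CALL_TABLE32 t;
    const uint32_t base = 0x8B400000u, size = 0x11000u;      /* constructed image range */
    uint32_t *entry = (uint32_t *)((uint8_t *)&t + CRASHDMP_FIRST_ENTRY_OFF);
    t.Field0 = 1;
    t.Field4 = 4;
    for (int i = 0; i < CRASHDMP_ENTRY_COUNT; i++)
        entry[i] = base + 0x1000u * (uint32_t)(i + 1);       /* all inside the image */
    t.CrashdmpWrite = 0x8C7F0000u;                           /* one entry points elsewhere */
    if (!crashdmp_header_ok(&t))
        return 0xFFFFFFFFu;
    return crashdmp_entries_outside_image(&t, base, size);
}

int main(void)
{
    uint32_t mask = crashdmp_demo();
    for (int i = 0; i < CRASHDMP_ENTRY_COUNT; i++)
        if (mask & (1u << i))
            printf("%s points outside crashdmp.sys\n", crashdmp_entry_names[i]);
    return 0;
}
```

The struct is worth keeping around on its own: offsetof() against it reproduces the displacements in the listing, so a mismatch between the two is the first thing to check before trusting any walk of the table.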
Let's check the crashdmp.sys loading mechanics in the kernel:

ida 6.4

[sarcasm mode on]
PC: added decoding of AVX, AVX2, FMA, BMI1, BMI2, F16C, ADX, RDSEED, SMAP, INVPCID, RTM x86 extensions
I just can't believe it, he-he

UI: moved to Qt 4.8.3
I foresee another bloody quest to build pyside in the next couple of weeks (for example because pyside for qt 4.8.3 is still missing from the IDA download center)

DWARF: detect and apply Dwarf debug info for ELF and Mach-O files
Why don't I see mingw here?

IDS: add IDT files for mfcNN.dll and msvcrNN.dll for VC9/10/11
Oh yeah baby, he-he

IDAPython: wrap obsolete IDA API functions too, so that old scripts continue to work
And there is still no support for functions from include\intel.hpp like x86_scale. Perhaps because these functions are not "obsolete" enough, he-he

[sarcasm mode off]