пятница, 11 января 2013 г.

crashdmp.sys & CrashdmpCallTable

I noticed in cool presentation "Regaining Control of Your Disk in the Presence of Bootkits" that DriverEntry of crashdmp.sys has strange prototype:

  mov   ebx, [ebp+arg_4] ; DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath). Do we really write to RegistryPath here ?
  test  ebx, ebx
  cmp   dword ptr [ebx], 1
  jz    short loc_19038
  cmp   dword ptr [ebx+4], 4
  jz    short loc_19038

loc_19038:
  ...
  mov   dword ptr [ebx], 1
  mov   dword ptr [ebx+4], 4
  mov   dword ptr [ebx+8], offset _CrashdmpInitialize@16
  mov   dword ptr [ebx+0Ch], offset _CrashdmpLoadDumpStack@20
  mov   dword ptr [ebx+10h], offset _CrashdmpInitDumpStack@8
  mov   dword ptr [ebx+14h], offset _CrashdmpFreeDumpStack@4
  mov   dword ptr [ebx+18h], offset _CrashdmpDisable@0
  mov   dword ptr [ebx+1Ch], offset _CrashdmpNotify@12
  mov   dword ptr [ebx+20h], offset _CrashdmpWrite@8
  mov   dword ptr [ebx+24h], offset _CrashdmpUpdatePhysicalRange@4
  mov   dword ptr [ebx+28h], offset _CrashdmpResumeCapable@4
  mov   dword ptr [ebx+2Ch], offset _CrashdmpGetTransferSizes@8
  mov   dword ptr [ebx+30h], offset _CrashdmpLogStatusData@16
  mov   dword ptr [ebx+34h], offset _CrashdmpReady@0


Lets check crashdmp.sys loading mechanics in kernel:
Some code from function IopLoadCrashdumpDriver:

  push  offset aSystemrootSy_1          ; \SystemRoot\System32\Drivers\crashdmp.sys
  lea   eax, [ebp+DestinationString]
  push  eax
  call  _RtlInitUnicodeString@8
  lea   eax, [ebp+ImageBase]
  push  eax
  lea   eax, [ebp+var_8]
  push  eax
  push  2
  push  0
  push  0
  lea   eax, [ebp+DestinationString]
  push  eax
  call  _MmLoadSystemImage@24           ; load
crashdmp.sys driver
  test  eax, eax
  js    short loc_4A829B
  mov   esi, [ebp+ImageBase]
  push  esi                             ; ImageBase
  call  _RtlImageNtHeader@4             ; Get IMAGE_NT_HEADERS
  test  eax, eax
  jz    short loc_4A829F
  mov   edi, [eax+28h]    ;
IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
  add   edi, esi          ; add ImageBase
  mov   [ebp+var_20], offset _IoArcBootDeviceName
  call  _IopGetPhysicalMemoryBlock@0
  mov   [ebp+var_1C], eax
  test  eax, eax
  jz    short loc_4A82A6
  push  offset _CrashdmpCallTable
  lea   eax, [ebp+var_20]
  push  eax
  mov   [ebp+var_18], offset _MmLoadSystemImage@24
  mov   [ebp+var_14], offset _MmUnloadSystemImage@4
  mov   _CrashdmpCallTable, 1
  mov   dword_5D7004, 4
  call  edi ; second argument points to
CrashdmpCallTable

Explanation for mere mortals - crashdmp.sys!DriverEntry has such strange prototype bcs this driver loaded by special way - using unexported function MmLoadSystemImage and DriverEntry called with second argument pointed to function pointers table CrashdmpCallTable
Format of CrashdmpCallTable is
  • DWORD - 1
  • DWORD - 4
  • table of functions, size is 7 on vista, 8 on windows 7 and 12 on windows 8

5 комментариев:

  1. Да, рельно пишет в RegistryPath :) http://kitrap08.blogspot.ru/2013/01/dos-win78.html

    ОтветитьУдалить
  2. as you can see at least crashdmp.sys checks its second argument for signatures dwords 1 & 4
    I don`t know why this was cut out for other drivers in dump stack

    ОтветитьУдалить
  3. Я вижу только проверку на ноль RegistryPath на вин7 х86, и после этого запись в эту память. Самое интересное, что писать туда согласно документации вполне себе можно:

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff544113%28v=vs.85%29.aspx

    The registry path string pointed to by RegistryPath is of the form \Registry\Machine\System\CurrentControlSet\Services\DriverName. A driver can use this path to store driver-specific information

    ОтветитьУдалить
  4. code from 32bit w8 rtm:
    mov ebx, [ebp+arg_4]
    test ebx, ebx ; check for NULL
    cmp dword ptr [ebx], 1 ; check first dword
    jz short loc_19038
    cmp dword ptr [ebx+4], 4 ; check second dword
    jz short loc_19038

    ОтветитьУдалить
  5. А, на восьмерке ввели значит. Ну скоро dos пофиксят думаю, я отписал Марку Руссиновичу.

    ОтветитьУдалить