Wednesday, March 27, 2013

The Garbage Collection Handbook

I finished reading this book today.
This is just an incredibly useful book, especially if you are writing application-specific heap-spray detectors.

Site
Bibliography
Glossary

Thursday, March 21, 2013

wincheck rc8.44

Download mirror
Changelog:
  • add dumping of registered MINIRDR_DISPATCH in rdbss. Sample output:
    rdbss registered devs count: 1
     [0] DevObj 8A98E030 DrvObj 8AC45C28 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
      MINIRDR_DISPATCH at A8D949A0:
       MRxStop: A8DABFD3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCancel: A8DC069A \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCollapseOpen: A8D9A60E \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxShouldTryToCollapseThisOpen: A8D9CF1A \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxFlush: A8D9AA23 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxZeroExtend: A8DA490E \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCleanupFobx: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCloseSrvOpen: A8D9A4AC \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxDeallocateForFcb: A8D9A2B0 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxDeallocateForFobx: A8D9A410 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxIsLockRealizable: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxForceClosed: A8DA01C1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxOpenPrintFile: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxClosePrintFile: A8D787FF \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetFileInfo: A8D9DA55 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetFileInfoAtCleanup: A8D9C941 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQueryEaInfo: A8D9E1B1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetEaInfo: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQuerySdInfo: A8DBEFC1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetSdInfo: A8DBEC6C \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQueryQuotaInfo: A8DBE953 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetQuotaInfo: A8DBEA90 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxQueryVolumeInfo: A8D883E7 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSetVolumeInfo: A8D885C9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxIsValidDirectory: A8D9C6B5 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxComputeNewBufferingState: A8DBF506 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_READ]: A8DBF362 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_WRITE]: A8D9F98F \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_SHAREDLOCK]: A8D9F7D6 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_EXCLUSIVELOCK]: A8D9EA5B \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_UNLOCK]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_UNLOCK_MULTIPLE]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_FSCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_IOCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_NOTIFY_CHANGE_DIRECTORY]: A8DA1E1F \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxLowIOSubmit[LOWIO_OP_CLEAROUT]: A8DC00F2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCompleteBufferingStateChangeRequest: A8D9E639 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCreateVNetRoot: A8DBF9A2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxFinalizeVNetRoot: A8D9FF36 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxFinalizeNetRoot: A8DA21EF \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxUpdateNetRootState: A8D78B02 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxExtractNetRootName: A8DA14FB \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCreateSrvCall: A8DA60E3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxCancelCreateSrvCall: A8DA2385 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxSrvCallWinnerNotify: A8DA3529 \SystemRoot\system32\DRIVERS\mrxsmb.sys
       MRxDevFcbXXXControlFile: A8DA30A9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  • fixed dumping of srvnet!SrvNetRegisterClient registered clients on Windows 8 32-bit
  • fixed bad rdbss!RxFsdDispatch detection on Windows 8 32-bit
  • some other bugs were fixed

Tuesday, March 19, 2013

ZwQueryLicenseValue in Windows 8 user mode

appidapi.dll
  • appid-EnableV2
appidsvc.dll
  • appid-EnableV2
d3d9.dll
  • TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions
lsasrv.dll
  • LSA-Policy-EnableTrustedDomains
lsm.dll
  • TerminalServices-RemoteConnectionManager-AllowMultipleSessions
  • TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions
netjoin.dll
  • WorkstationService-DomainJoinEnabled
sppwinob.dll
  • Security-SPP-GenuineLocalStatus
sppobjs.dll
  • Kernel-ExpirationDate
shell32.dll
  • Security-SPP-GenuineLocalStatus
  • Security-SPP-TokenActivation-AdditionalInfo
These license names are used to determine whether the current Windows license is time-based:
  • Security-SPP-Reserved-TBLProductKeyType
  • Security-SPP-Reserved-TBLState
  • Security-SPP-Reserved-TBLRemainingTime
I also wrote a simple console program, dumpwlic, to hex-dump a license value by name. Sample usage:

Saturday, March 16, 2013

Using ZwQueryLicenseValue in Windows 8 drivers

The function ZwQueryLicenseValue retrieves the data for a particular license value. As you can see, the first argument is a PUNICODE_STRING holding the name of a license feature. Let's see which names are checked in Windows 8 kernel mode.

kernel
  • Kernel-ProductInfo - in function RtlGetProductInfo
  • Kernel-ProductInfoLegacyMapping - in function RtlGetProductInfo
  • Kernel-VirtualDynamicPartitioningSupported
  • Kernel-VmPhysicalMemoryAddAllowed
  • Kernel-RegisteredProcessors
  • Kernel-CsChecksDisabled
  • Kernel-PersistDefectiveMemoryList
  • Kernel-ExpirationDate
  • Kernel-MemoryMirroringSupported
  • WSLicensingService-LOBSideloadingActivated
The function RtlpGetWindowsPolicy also checks the following names:
  • WindowsExcludedProcs
  • Kernel-MUI-Number-Allowed
  • Kernel-MUI-Language-Allowed
  • Kernel-MUI-Language-Disallowed
  • Kernel-MUI-Language-SKU
hal.dll
  • Kernel-RegisteredProcessors
win32k.sys
  • Microsoft-Windows-Core-THQAEnabled
  • Microsoft-Windows-Core-AllowMultiMon
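The kernel-mode names listed above and the user-mode ones from the earlier post all go through the same routine: in user mode it is reachable as the ntdll export NtQueryLicenseValue (the Zw stub is the kernel-side entry). As an added example, not the author's dumpwlic and not Microsoft code, here is a small C program that resolves that export at run time, builds the PUNICODE_STRING name argument and hex-dumps whatever comes back. The prototype is the unofficial one circulated in public reverse-engineering headers (it is not in the SDK), the default name is one from the lists on this page, and the `#else` stand-in types exist only so the helpers build and can be tested on a non-Windows host.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Unofficial prototype of the ntdll export (assumption: not in the public SDK). */
typedef NTSTATUS (NTAPI *NtQueryLicenseValue_t)(PUNICODE_STRING ValueName, PULONG Type,
                                                PVOID Data, ULONG DataSize, PULONG ResultDataSize);
#else
/* Stand-ins so the helpers build (and are tested) on a non-Windows host. */
typedef int32_t NTSTATUS; typedef uint32_t ULONG; typedef uint16_t USHORT, WCHAR;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#endif
#define MY_STATUS_NOT_SUPPORTED ((NTSTATUS)0xC00000BBL)   /* STATUS_NOT_SUPPORTED */

/* Build a counted UTF-16 UNICODE_STRING from an ASCII license name such as
 * "Kernel-ExpirationDate". Length is in bytes and excludes the terminator. */
int make_unicode_name(const char *ascii, WCHAR *buf, size_t cap, UNICODE_STRING *out) {
    size_t n = strlen(ascii);
    if (n + 1 > cap || n * 2 > 0xFFFF) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)ascii[i];
    buf[n] = 0;
    out->Buffer = buf;
    out->Length = (USHORT)(n * 2);
    out->MaximumLength = (USHORT)((n + 1) * 2);
    return 1;
}

/* Format one 16-byte row as "00000010: 41 42 ...  |AB..|" (cap >= 80). Returns chars written. */
int hexdump_row(const uint8_t *data, size_t len, size_t off, char *line, size_t cap) {
    int w = snprintf(line, cap, "%08zx:", off);
    for (size_t i = 0; i < 16; i++)
        w += (off + i < len) ? snprintf(line + w, cap - (size_t)w, " %02x", (unsigned)data[off + i])
                             : snprintf(line + w, cap - (size_t)w, "   ");
    w += snprintf(line + w, cap - (size_t)w, "  |");
    for (size_t i = 0; i < 16 && off + i < len; i++) {
        uint8_t c = data[off + i];
        w += snprintf(line + w, cap - (size_t)w, "%c", (c >= 0x20 && c < 0x7F) ? c : '.');
    }
    w += snprintf(line + w, cap - (size_t)w, "|");
    return w;
}

/* Resolve NtQueryLicenseValue from ntdll at run time and query `name`.
 * Returns the NTSTATUS; *type and *size receive the value type and byte size. */
NTSTATUS query_license_value(const char *name, uint8_t *data, ULONG cap, ULONG *type, ULONG *size) {
    *type = 0; *size = 0;
#ifdef _WIN32
    WCHAR wname[256]; UNICODE_STRING us;
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQueryLicenseValue_t fn = ntdll
        ? (NtQueryLicenseValue_t)GetProcAddress(ntdll, "NtQueryLicenseValue") : NULL;
    if (!fn || !make_unicode_name(name, wname, 256, &us)) return MY_STATUS_NOT_SUPPORTED;
    return fn(&us, type, data, cap, size);   /* STATUS_BUFFER_TOO_SMALL if cap is short */
#else
    (void)name; (void)data; (void)cap;
    return MY_STATUS_NOT_SUPPORTED;          /* no ntdll on this host */
#endif
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "Kernel-ExpirationDate";
    uint8_t data[4096]; ULONG type, size; char line[96];
    NTSTATUS st = query_license_value(name, data, sizeof data, &type, &size);
    if (st < 0) { printf("%s: NTSTATUS 0x%08lX\n", name, (unsigned long)(uint32_t)st); return 1; }
    printf("%s: type %lu, %lu bytes\n", name, (unsigned long)type, (unsigned long)size);
    for (size_t off = 0; off < size; off += 16) { hexdump_row(data, size, off, line, sizeof line); puts(line); }
    return 0;
}
```

The type field comes back in registry-value convention (REG_DWORD, REG_BINARY, REG_SZ and so on), which is why a raw hex dump is the safest first look; on a host without the export, or with a buffer that is too short, the program just prints the NTSTATUS and exits.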

Thursday, March 14, 2013

wincheck rc8.43

Download mirror
Changelog:
  • add dumping of srvnet!SrvNetRegisterClient registered clients
  • add dumping of WdfLdr registered libraries (-wdf or -full options). Sample output:
      RegService: \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
      DrvName: Wdf01000.sys
      Module: FFFFF880010D4000 \SystemRoot\system32\drivers\Wdf01000.sys
      WdfLibraryInfo: FFFFF8800117E128 \SystemRoot\system32\drivers\Wdf01000.sys
  • some other bugs were fixed

Friday, March 8, 2013

UCXFunctions.idc

It seems that KMDF has the ability to register extension drivers with the (as usual) undocumented function WdfRegisterClassLibrary.
For example, the driver Ucx01000.sys (USB host controller extension) contains a function table which I named UCXFUNCTIONS. I wrote a simple IDC script to find and add this structure (in addition to the ordinary WDFFUNCTIONS) in client drivers of this extension.

Thursday, March 7, 2013

srvnet!SrvNetRegisterClient registered clients

It seems that the undocumented function srvnet!SrvNetRegisterClient accepts as its first argument a structure holding handlers. Let's see how it is stored and how we can extract it.

    mov eax, [ebp+srvnet_clnt] ; first argument
    push esi
    movzx esi, word ptr [eax]  ; UNICODE_STRING.Length
    add esi, 84h  ; plus some internal structure size
    push edi
    push 'fbSL'   ; Tag
    push esi      ; NumberOfBytes
    push 200h     ; PoolType
    call ds:__imp__ExAllocatePoolWithTag

  ...
    mov edx, [ebp+srvnet_clnt]
    mov esi, edx
    lea edi, [ebx+4Ch] ; ebx holds allocated memory address

    mov ecx, 8         ; size 4 * 8 = 0x20 bytes
    rep movsd


It seems that the input structure srvnet_clnt is copied to offset 0x4c of the allocation. Prototype of srvnet_clnt:

struct srvnet_clnt
{
/*  0 */  UNICODE_STRING Name;
/*  8 */  PBYTE RegisterEndpointHandler;
/*  C */  PBYTE DeregisterEndpointHandler;
/* 10 */  PBYTE NegotiateHandler;
/* 14 */  PBYTE ConnectHandler;
/* 18 */  PBYTE ReceiveHandler;
/* 1C */  PBYTE DisconnectHandler;
/* 20 */  PBYTE CredentialHandler;
};


Let's see how this allocated buffer is used next:
    mov edx, _SrvNetDeviceExtension ; some global ptr in srvnet.sys
    cmp dword ptr [edx+0ECh], 4     ; seems like max count check
    mov [ebp+var_1], al
    jge loc_27DAE
    xor eax, eax  ; zero index before cycle
loc_14911:
    movzx ecx, ax
    cmp dword ptr [edx+ecx*4+0DCh], 0 ; check for next free ptr
    jnz loc_149E8
loc_14922:

    lea ecx, [edx+38h]
    cmp ax, 4     ; check for max count
    jz  loc_27E16
    ...
    inc dword ptr [edx+0ECh]  ; inc count of clients
    mov [edx+eax*4+0DCh], ebx ; store current client ptr
loc_149E8:

    inc eax       ; inc current index
    cmp ax, 4     ; again check for max count
    jb  loc_14911 ; go to next cycle
    jmp loc_14922 ; out of cycle

It's easy to see that all registered clients are stored in an internal structure (its address can be found in the srvnet!SrvNetDeviceExtension variable) in a fixed-size buffer (max 4 entries) at offset 0xDC, and the count of registered clients is located at offset 0xEC.
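To show how that table is consumed, here is an added C example (not wincheck's code) that walks a constructed 32-bit memory image using the offsets from the disassembly: the four-entry pointer table at 0xDC and the count at 0xEC in the device extension, and the srvnet_clnt copy at 0x4C of each client allocation. It attributes every handler to a module from a constructed module map, the way wincheck prints a driver name next to each MINIRDR_DISPATCH or srvnet pointer, and flags a handler that lies outside every known driver image. Addresses, module names and the image contents are all made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken from the SrvNetRegisterClient disassembly above. */
enum {
    SRVNET_CLIENTS_OFF = 0xDC, /* SrvNetDeviceExtension: 4 client pointers     */
    SRVNET_COUNT_OFF   = 0xEC, /* SrvNetDeviceExtension: registered count      */
    SRVNET_MAX_CLIENTS = 4,
    CLIENT_COPY_OFF    = 0x4C, /* where srvnet_clnt lands in the 'fbSL' block  */
    CLIENT_NHANDLERS   = 7     /* PBYTE fields that follow UNICODE_STRING Name */
};
static const char *const handler_names[CLIENT_NHANDLERS] = {
    "RegisterEndpointHandler", "DeregisterEndpointHandler", "NegotiateHandler",
    "ConnectHandler", "ReceiveHandler", "DisconnectHandler", "CredentialHandler"
};

/* Constructed flat 32-bit image standing in for a slice of kernel memory. */
#define IMAGE_BASE 0x8A000000u
#define IMAGE_SIZE 0x1000u
static uint8_t image[IMAGE_SIZE];

static uint32_t rd(uint32_t va, int nbytes) {          /* little-endian read  */
    uint32_t o = va - IMAGE_BASE, v = 0;
    if (va < IMAGE_BASE || o + (uint32_t)nbytes > IMAGE_SIZE) return 0;
    for (int i = nbytes - 1; i >= 0; i--) v = (v << 8) | image[o + i];
    return v;
}
static void wr(uint32_t va, uint32_t v, int nbytes) {  /* little-endian write */
    for (int i = 0; i < nbytes; i++) image[va - IMAGE_BASE + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed module map (base, size, name) used to attribute each pointer. */
struct module { uint32_t base, size; const char *name; };
static const struct module modules[] = {
    { 0x90000000u, 0x40000u, "clientA.sys" }, { 0x91000000u, 0x40000u, "clientB.sys" },
};
static const char *module_for(uint32_t va) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (va - modules[i].base < modules[i].size) return modules[i].name;
    return NULL; /* pointer into no known driver image: worth a closer look */
}

struct client_report {
    uint32_t record;                     /* address of the client's allocation */
    char name[32];                       /* srvnet_clnt.Name narrowed to ASCII */
    uint32_t handler[CLIENT_NHANDLERS];
    const char *owner[CLIENT_NHANDLERS]; /* owning module or NULL              */
    int unknown_handlers;                /* handlers with owner == NULL        */
};

/* Narrow the UNICODE_STRING at `us` (Length, MaximumLength, Buffer). */
static void read_unicode(uint32_t us, char *buf, size_t cap) {
    uint32_t len = rd(us, 2), p = rd(us + 4, 4);       /* Length is in bytes */
    size_t i;
    for (i = 0; i < len / 2 && i + 1 < cap; i++) buf[i] = (char)rd(p + 2 * i, 2);
    buf[i] = '\0';
}

/* Walk the fixed-size table in SrvNetDeviceExtension; returns clients found. */
int walk_srvnet_clients(uint32_t devext, struct client_report *out, int max_out) {
    int found = 0;
    for (int i = 0; i < SRVNET_MAX_CLIENTS && found < max_out; i++) {
        uint32_t rec = rd(devext + SRVNET_CLIENTS_OFF + 4 * i, 4);
        if (!rec) continue;                             /* free slot */
        struct client_report *r = &out[found++];
        memset(r, 0, sizeof *r);
        r->record = rec;
        read_unicode(rec + CLIENT_COPY_OFF, r->name, sizeof r->name);
        for (int h = 0; h < CLIENT_NHANDLERS; h++) {
            r->handler[h] = rd(rec + CLIENT_COPY_OFF + 8 + 4 * h, 4);
            r->owner[h] = module_for(r->handler[h]);
            if (!r->owner[h]) r->unknown_handlers++;
        }
    }
    return found;
}

/* Write one client record plus its name string into the sample image. */
static void put_client(uint32_t rec, uint32_t strva, const char *name, const uint32_t *hnd) {
    uint32_t len = (uint32_t)strlen(name);
    for (uint32_t i = 0; i < len; i++) wr(strva + 2 * i, (uint8_t)name[i], 2);
    wr(rec + CLIENT_COPY_OFF, len * 2, 2);              /* Name.Length        */
    wr(rec + CLIENT_COPY_OFF + 2, len * 2 + 2, 2);      /* Name.MaximumLength */
    wr(rec + CLIENT_COPY_OFF + 4, strva, 4);            /* Name.Buffer        */
    for (int h = 0; h < CLIENT_NHANDLERS; h++) wr(rec + CLIENT_COPY_OFF + 8 + 4 * h, hnd[h], 4);
}

/* Build the constructed sample: two clients, the second with a ReceiveHandler
 * that points outside every known module. Returns the device extension address. */
uint32_t build_sample_image(void) {
    uint32_t devext = IMAGE_BASE, recA = IMAGE_BASE + 0x200, recB = IMAGE_BASE + 0x300;
    uint32_t good[CLIENT_NHANDLERS], bad[CLIENT_NHANDLERS];
    memset(image, 0, sizeof image);
    for (int h = 0; h < CLIENT_NHANDLERS; h++) {
        good[h] = 0x90001000u + 0x100u * h;             /* inside clientA.sys */
        bad[h]  = 0x91001000u + 0x100u * h;             /* inside clientB.sys */
    }
    bad[4] = 0x7FFE0000u;                               /* ReceiveHandler redirected */
    put_client(recA, IMAGE_BASE + 0x400, "ClientA", good);
    put_client(recB, IMAGE_BASE + 0x440, "ClientB", bad);
    wr(devext + SRVNET_CLIENTS_OFF, recA, 4);
    wr(devext + SRVNET_CLIENTS_OFF + 4, recB, 4);
    wr(devext + SRVNET_COUNT_OFF, 2, 4);
    return devext;
}

int main(void) {
    struct client_report rep[SRVNET_MAX_CLIENTS];
    uint32_t devext = build_sample_image();
    int n = walk_srvnet_clients(devext, rep, SRVNET_MAX_CLIENTS);
    printf("srvnet registered clients count: %u\n", rd(devext + SRVNET_COUNT_OFF, 4));
    for (int i = 0; i < n; i++) {
        printf(" [%d] %08X %s\n", i, rep[i].record, rep[i].name);
        for (int h = 0; h < CLIENT_NHANDLERS; h++)
            printf("   %s: %08X %s\n", handler_names[h], rep[i].handler[h],
                   rep[i].owner[h] ? rep[i].owner[h] : "<outside every known module>");
    }
    return 0;
}
```

The walker deliberately iterates all four slots and skips empty ones rather than trusting the count at 0xEC alone, mirroring the loop in the disassembly; comparing the number of non-empty slots with that count is a cheap consistency check when the two disagree.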

Wednesday, March 6, 2013

wincheck rc8.42

Download mirror
Changelog:
  • add dumping of HW_INITIALIZATION_DATA for scsiport & storport driver extensions (-dext option)
  • add checking of Hub[PF]doGenDispatch/Hub[PF]doPnPDispatch from usbhub (-usb option)
  • some other bugs were fixed