I finished reading this book today.
This is just an incredibly useful book, especially if you are writing application-specific heap-spray detectors.
Wednesday, 27 March 2013
Thursday, 21 March 2013
wincheck rc8.44
Download mirror
Changelog:
- added dumping of the MINIRDR_DISPATCH tables registered in rdbss. Sample output:
rdbss registered devs count: 1
[0] DevObj 8A98E030 DrvObj 8AC45C28 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
MINIRDR_DISPATCH at A8D949A0:
MRxStop: A8DABFD3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCancel: A8DC069A \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCollapseOpen: A8D9A60E \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxShouldTryToCollapseThisOpen: A8D9CF1A \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxFlush: A8D9AA23 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxZeroExtend: A8DA490E \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCleanupFobx: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCloseSrvOpen: A8D9A4AC \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxDeallocateForFcb: A8D9A2B0 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxDeallocateForFobx: A8D9A410 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxIsLockRealizable: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxForceClosed: A8DA01C1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxOpenPrintFile: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxClosePrintFile: A8D787FF \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSetFileInfo: A8D9DA55 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSetFileInfoAtCleanup: A8D9C941 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxQueryEaInfo: A8D9E1B1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSetEaInfo: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxQuerySdInfo: A8DBEFC1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSetSdInfo: A8DBEC6C \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxQueryQuotaInfo: A8DBE953 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSetQuotaInfo: A8DBEA90 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxQueryVolumeInfo: A8D883E7 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSetVolumeInfo: A8D885C9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxIsValidDirectory: A8D9C6B5 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxComputeNewBufferingState: A8DBF506 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_READ]: A8DBF362 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_WRITE]: A8D9F98F \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_SHAREDLOCK]: A8D9F7D6 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_EXCLUSIVELOCK]: A8D9EA5B \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_UNLOCK]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_UNLOCK_MULTIPLE]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_FSCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_IOCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_NOTIFY_CHANGE_DIRECTORY]: A8DA1E1F \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxLowIOSubmit[LOWIO_OP_CLEAROUT]: A8DC00F2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCompleteBufferingStateChangeRequest: A8D9E639 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCreateVNetRoot: A8DBF9A2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxFinalizeVNetRoot: A8D9FF36 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxFinalizeNetRoot: A8DA21EF \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxUpdateNetRootState: A8D78B02 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxExtractNetRootName: A8DA14FB \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCreateSrvCall: A8DA60E3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxCancelCreateSrvCall: A8DA2385 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxSrvCallWinnerNotify: A8DA3529 \SystemRoot\system32\DRIVERS\mrxsmb.sys
MRxDevFcbXXXControlFile: A8DA30A9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
- fixed dumping of clients registered via srvnet!SrvNetRegisterClient on Windows 8 32-bit
- fixed wrong rdbss!RxFsdDispatch detection on Windows 8 32-bit
- some other bugs were fixed
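As an added example (my code, not part of wincheck or of the original post), here is a small checker for the MINIRDR_DISPATCH dump format above. It parses the "Name: address module" lines, takes the owning driver from the "DrvObj ... - module" header, and reports handlers that resolve outside that driver plus addresses shared by several handlers. A handler outside the owner is a lead to examine, not proof of a hook (a minirdr may legitimately delegate to another driver), and shared addresses are usually a common stub, as the A8D9A403 and A8DA0629 entries above suggest. SAMPLE_DUMP is constructed from the page's output plus one hypothetical MRxCancel entry pointing into a made-up hook.sys to exercise the check; mrx_check_dump, mrx_parse_entry and the struct names are mine.

```c
/* Added example, not wincheck's code: checker for the MINIRDR_DISPATCH dump
 * format.  SAMPLE_DUMP is constructed (page output + one hypothetical line). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MRX_MAX_ENTRIES 64

struct mrx_entry  { char name[64]; uint64_t addr; char module[128]; };
struct mrx_report { int entries; int foreign; int shared; };

/* Parse one "Name: ADDR \module\path" line; returns 1 on success, 0 otherwise.
 * Header lines ("... count: 1", "MINIRDR_DISPATCH at ...:") fail the checks. */
static int mrx_parse_entry(const char *line, struct mrx_entry *e)
{
    const char *colon = strchr(line, ':');
    if (!colon || colon == line || (size_t)(colon - line) >= sizeof e->name)
        return 0;
    char *end;
    unsigned long long a = strtoull(colon + 1, &end, 16);
    if (end == colon + 1 || *end != ' ')      /* need hex digits then a space */
        return 0;
    while (*end == ' ') end++;
    if (*end != '\\')                          /* module path as wincheck prints it */
        return 0;
    size_t m = strcspn(end, "\r\n");
    if (m >= sizeof e->module)
        return 0;
    memcpy(e->name, line, (size_t)(colon - line)); e->name[colon - line] = 0;
    memcpy(e->module, end, m); e->module[m] = 0;
    e->addr = a;
    return 1;
}

/* Walk the dump text line by line, collect handlers, then compare each
 * handler's module with the owning driver and count shared addresses. */
struct mrx_report mrx_check_dump(const char *dump)
{
    struct mrx_report r = {0, 0, 0};
    struct mrx_entry ents[MRX_MAX_ENTRIES];
    char owner[128] = "";
    for (const char *p = dump; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = 0;
        const char *drv = strstr(line, "DrvObj ");
        const char *mod = drv ? strstr(drv, " - ") : NULL;
        if (mod) {                             /* "[n] DevObj .. DrvObj .. - \path" */
            snprintf(owner, sizeof owner, "%s", mod + 3);
            owner[strcspn(owner, "\r")] = 0;
        } else if (r.entries < MRX_MAX_ENTRIES && mrx_parse_entry(line, &ents[r.entries])) {
            r.entries++;
        }
        p = nl ? nl + 1 : p + len;
    }
    for (int i = 0; i < r.entries; i++) {
        if (owner[0] && strcmp(ents[i].module, owner) != 0) {
            r.foreign++;
            printf("FOREIGN %s -> %llx in %s\n", ents[i].name,
                   (unsigned long long)ents[i].addr, ents[i].module);
        }
        int earlier = 0;
        for (int j = 0; j < i; j++)
            if (ents[j].addr == ents[i].addr) earlier++;
        if (earlier == 1)                      /* count each shared address once */
            r.shared++;
    }
    return r;
}

/* Constructed sample: real lines from the dump above plus a hypothetical
 * MRxCancel entry in a made-up hook.sys. */
static const char SAMPLE_DUMP[] =
    "rdbss registered devs count: 1\n"
    "[0] DevObj 8A98E030 DrvObj 8AC45C28 - \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n"
    "MINIRDR_DISPATCH at A8D949A0:\n"
    "MRxStop: A8DABFD3 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n"
    "MRxCancel: B0001000 \\SystemRoot\\system32\\DRIVERS\\hook.sys\n"
    "MRxCleanupFobx: A8D9A403 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n"
    "MRxOpenPrintFile: A8D9A403 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n"
    "MRxLowIOSubmit[LOWIO_OP_UNLOCK]: A8DA0629 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n"
    "MRxLowIOSubmit[LOWIO_OP_FSCTL]: A8DA0629 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n"
    "MRxLowIOSubmit[LOWIO_OP_IOCTL]: A8DA0629 \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys\n";

int main(void)
{
    struct mrx_report r = mrx_check_dump(SAMPLE_DUMP);
    printf("%d handlers, %d outside owner, %d shared addresses\n",
           r.entries, r.foreign, r.shared);
    return r.foreign ? 1 : 0;
}
```

On the sample the checker reports 7 handlers, 1 outside the owning driver (the constructed MRxCancel line) and 2 shared addresses (A8D9A403 and A8DA0629). Feed it the full dump from a real run and the non-zero exit code gives you something to grep for.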
Tuesday, 19 March 2013
ZwQueryLicenseValue in Windows 8 user mode
appidapi.dll
- appid-EnableV2
- TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions
- LSA-Policy-EnableTrustedDomains
- TerminalServices-RemoteConnectionManager-AllowMultipleSessions
- TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions
- WorkstationService-DomainJoinEnabled
- Security-SPP-GenuineLocalStatus
- Kernel-ExpirationDate
- Security-SPP-GenuineLocalStatus
- Security-SPP-TokenActivation-AdditionalInfo
- Security-SPP-Reserved-TBLProductKeyType
- Security-SPP-Reserved-TBLState
- Security-SPP-Reserved-TBLRemainingTime
Saturday, 16 March 2013
using ZwQueryLicenseValue in Windows 8 drivers
The function ZwQueryLicenseValue returns the data for a particular license value; its first argument is a PUNICODE_STRING naming the license value to query. Let's see which names are checked in Windows 8 kernel mode.
kernel
- Kernel-ProductInfo - in function RtlGetProductInfo
- Kernel-ProductInfoLegacyMapping - in function RtlGetProductInfo
- Kernel-VirtualDynamicPartitioningSupported
- Kernel-VmPhysicalMemoryAddAllowed
- Kernel-RegisteredProcessors
- Kernel-CsChecksDisabled
- Kernel-PersistDefectiveMemoryList
- Kernel-ExpirationDate
- Kernel-MemoryMirroringSupported
- WSLicensingService-LOBSideloadingActivated
- WindowsExcludedProcs
- Kernel-MUI-Number-Allowed
- Kernel-MUI-Language-Allowed
- Kernel-MUI-Language-Disallowed
- Kernel-MUI-Language-SKU
- Kernel-RegisteredProcessors
- Microsoft-Windows-Core-THQAEnabled
- Microsoft-Windows-Core-AllowMultiMon
Thursday, 14 March 2013
wincheck rc8.43
Download mirror
Changelog:
- added dumping of clients registered via srvnet!SrvNetRegisterClient
- added dumping of libraries registered with WdfLdr (with the -wdf or -full option). Sample output:
RegService: \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
DrvName: Wdf01000.sys
Module: FFFFF880010D4000 \SystemRoot\system32\drivers\Wdf01000.sys
WdfLibraryInfo: FFFFF8800117E128 \SystemRoot\system32\drivers\Wdf01000.sys
- some other bugs were fixed
Friday, 8 March 2013
UCXFunctions.idc
It seems that KMDF has the ability to register extension drivers through the (as usual, undocumented) function WdfRegisterClassLibrary.
For example, the driver Ucx01000.sys (the USB host controller extension) contains a function table which I named UCXFUNCTIONS. I wrote a simple IDC script to find this structure and add it (alongside the ordinary WDFFUNCTIONS table) to client drivers of this extension.
Thursday, 7 March 2013
srvnet!SrvNetRegisterClient registered clients
It seems that the undocumented function srvnet!SrvNetRegisterClient accepts as its first argument a structure of handlers. Let's see how it is stored and how we can extract it.
mov eax, [ebp+srvnet_clnt] ; first argument
push esi
movzx esi, word ptr [eax] ; UNICODE_STRING.Length
add esi, 84h ; plus some internal structure size
push edi
push 'fbSL' ; Tag
push esi ; NumberOfBytes
push 200h ; PoolType
call ds:__imp__ExAllocatePoolWithTag
...
mov edx, [ebp+srvnet_clnt]
mov esi, edx
lea edi, [ebx+4Ch] ; ebx holds allocated memory address
mov ecx, 8 ; size 4 * 8 = 0x20 bytes
rep movsd
It seems that the input structure srvnet_clnt is copied to offset 0x4C of the allocated buffer. Note that the rep movsd above copies 8 dwords (0x20 bytes), which covers the fields up to DisconnectHandler; the CredentialHandler field at offset 0x20 is not covered by the copy shown here. Prototype of srvnet_clnt:
struct srvnet_clnt
{
/* 0 */ UNICODE_STRING Name;
/* 8 */ PBYTE RegisterEndpointHandler;
/* C */ PBYTE DeregisterEndpointHandler;
/* 10 */ PBYTE NegotiateHandler;
/* 14 */ PBYTE ConnectHandler;
/* 18 */ PBYTE ReceiveHandler;
/* 1C */ PBYTE DisconnectHandler;
/* 20 */ PBYTE CredentialHandler;
};
Let's see how this allocated buffer is used next:
mov edx, _SrvNetDeviceExtension ; some global ptr in srvnet.sys
cmp dword ptr [edx+0ECh], 4 ; seems like max count check
mov [ebp+var_1], al
jge loc_27DAE
xor eax, eax ; zero index before cycle
loc_14911:
movzx ecx, ax
cmp dword ptr [edx+ecx*4+0DCh], 0 ; check for next free ptr
jnz loc_149E8
loc_14922:
lea ecx, [edx+38h]
cmp ax, 4 ; check for max count
jz loc_27E16
...
inc dword ptr [edx+0ECh] ; inc count of clients
mov [edx+eax*4+0DCh], ebx ; store current client ptr
loc_149E8:
inc eax ; inc current index
cmp ax, 4 ; again check for max count
jb loc_14911 ; go to next cycle
jmp loc_14922 ; out of cycle
It's easy to see that all registered clients are stored in an internal structure (whose address is held in the global srvnet!SrvNetDeviceExtension) in a fixed-size array of at most 4 pointers at offset 0xDC, with the count of registered clients at offset 0xEC. Note that registration scans the array for the first zero slot rather than using the count as an index, so deregistration can leave holes; a dumper should therefore walk all 4 slots and test for non-NULL pointers instead of trusting the count at 0xEC alone.
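As an added example (my code, not part of the original post and not srvnet.sys), here is a host-portable C model of what was reversed above: the srvnet_clnt layout, the registration logic that takes the first free slot of the 4-entry table at +0xDC, and the slot walk a dumper such as wincheck has to do over a raw image of the device extension. The offsets, the limit of 4 and the field names of srvnet_clnt come from the listings on this page; the names srvnet_devext_model, Clients and ClientCount, the *_model helpers and the assumption that CredentialHandler sits immediately after the 0x20 copied bytes (at +0x6C of the pool block) are mine. Everything is treated as a 32-bit memory image, so pointers are uint32_t and the code runs on any host.

```c
/* Added example, not code from the original post or from srvnet.sys: a
 * host-portable model of the srvnet client table reversed above.  Offsets,
 * the limit of 4 and the srvnet_clnt layout are from the page; the *_model
 * names, Clients/ClientCount and the CredentialHandler placement are mine. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SRVNET_MAX_CLIENTS       4      /* cmp ax, 4 */
#define SRVNET_CLIENT_TABLE_OFF  0xDC   /* [edx+ecx*4+0DCh] */
#define SRVNET_CLIENT_COUNT_OFF  0xEC   /* [edx+0ECh] */
#define SRVNET_CLNT_COPY_OFF     0x4C   /* lea edi, [ebx+4Ch] */

struct srvnet_clnt32 {                  /* byte-accurate 32-bit srvnet_clnt */
    uint16_t Length, MaximumLength;     /* 0x00 UNICODE_STRING */
    uint32_t Buffer;                    /* 0x04 */
    uint32_t RegisterEndpointHandler;   /* 0x08 */
    uint32_t DeregisterEndpointHandler; /* 0x0C */
    uint32_t NegotiateHandler;          /* 0x10 */
    uint32_t ConnectHandler;            /* 0x14 */
    uint32_t ReceiveHandler;            /* 0x18 */
    uint32_t DisconnectHandler;         /* 0x1C last dword of the rep movsd */
    uint32_t CredentialHandler;         /* 0x20 assumed to follow the copy */
};
_Static_assert(sizeof(struct srvnet_clnt32) == 0x24, "srvnet_clnt is 0x24 bytes");

struct srvnet_devext_model {            /* only the two fields located above */
    uint8_t  pad[SRVNET_CLIENT_TABLE_OFF];
    uint32_t Clients[SRVNET_MAX_CLIENTS];   /* +0xDC fixed table of client ptrs */
    uint32_t ClientCount;                   /* +0xEC */
};
_Static_assert(offsetof(struct srvnet_devext_model, ClientCount) == SRVNET_CLIENT_COUNT_OFF, "layout");

/* Insertion logic of SrvNetRegisterClient: refuse when the count is already
 * 4, else take the first zero slot.  Returns the slot index or -1 (the
 * loc_27DAE / loc_27E16 failure paths). */
int srvnet_register_model(struct srvnet_devext_model *ext, uint32_t client)
{
    if ((int32_t)ext->ClientCount >= SRVNET_MAX_CLIENTS)  /* cmp [edx+0ECh],4 ; jge */
        return -1;
    unsigned i;
    for (i = 0; i < SRVNET_MAX_CLIENTS; i++)              /* loc_14911 loop */
        if (ext->Clients[i] == 0)
            break;
    if (i == SRVNET_MAX_CLIENTS)                           /* loc_14922: cmp ax,4 ; jz */
        return -1;
    ext->ClientCount++;                                    /* inc [edx+0ECh] */
    ext->Clients[i] = client;                              /* mov [edx+eax*4+0DCh],ebx */
    return (int)i;
}

/* What a dumper does with a raw image of the device extension: walk all four
 * slots and return the non-zero ones.  Freed slots leave holes, so the count
 * at +0xEC (returned separately) is not a safe loop bound. */
int srvnet_dump_model(const uint8_t *image, size_t image_len,
                      uint32_t out_clients[SRVNET_MAX_CLIENTS], uint32_t *out_count)
{
    if (image_len < SRVNET_CLIENT_COUNT_OFF + sizeof(uint32_t))
        return -1;
    memcpy(out_count, image + SRVNET_CLIENT_COUNT_OFF, sizeof *out_count);
    int found = 0;
    for (unsigned i = 0; i < SRVNET_MAX_CLIENTS; i++) {
        uint32_t p;
        memcpy(&p, image + SRVNET_CLIENT_TABLE_OFF + i * 4, sizeof p);
        if (p != 0)
            out_clients[found++] = p;
    }
    return found;
}

/* Recover the handler table from a raw image of one 'fbSL' pool block:
 * the copied srvnet_clnt starts at +0x4C. */
int srvnet_clnt_from_image(const uint8_t *block, size_t block_len,
                           struct srvnet_clnt32 *out)
{
    if (block_len < SRVNET_CLNT_COPY_OFF + sizeof *out)
        return -1;
    memcpy(out, block + SRVNET_CLNT_COPY_OFF, sizeof *out);
    return 0;
}

/* Constructed scenario (not a real dump): slots 0 and 2 in use, slot 1 freed,
 * count 2.  Returns 0 when the model behaves as the listing implies. */
int srvnet_model_selftest(void)
{
    struct srvnet_devext_model ext = {{0}, {0x8A100000u, 0, 0x8A200000u, 0}, 2};
    uint32_t clients[SRVNET_MAX_CLIENTS], count;
    if (srvnet_dump_model((const uint8_t *)&ext, sizeof ext, clients, &count) != 2
        || count != 2 || clients[1] != 0x8A200000u)
        return 1;
    if (srvnet_register_model(&ext, 0x8A300000u) != 1)  return 2;   /* fills the hole */
    if (srvnet_register_model(&ext, 0x8A400000u) != 3)  return 3;
    if (srvnet_register_model(&ext, 0x8A500000u) != -1) return 4;   /* table full */
    return ext.ClientCount == 4 ? 0 : 5;
}
```

The self-test is the point of the model: with slot 1 freed and the count at 2, the next registration lands in slot 1 and the table fills up at index 3, so a dumper that loops `for (i = 0; i < count; i++)` would have missed the client in slot 2. On a live system the image passed to srvnet_dump_model is whatever you read from the address in srvnet!SrvNetDeviceExtension, and each non-zero entry is the 'fbSL' block to feed to srvnet_clnt_from_image.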