; IDA listing (x86-32, MASM syntax) from srvnet.sys: allocate the per-client
; record and copy the caller-supplied descriptor into it.
; ebp frame: srvnet_clnt = pointer to the caller's struct srvnet_clnt (first argument).
mov eax, [ebp+srvnet_clnt] ; eax = srvnet_clnt (first argument)
push esi
movzx esi, word ptr [eax] ; esi = srvnet_clnt->Name.Length (UNICODE_STRING.Length, in bytes; first USHORT of the struct)
add esi, 84h ; allocation size = Name.Length + 0x84; the 0x84-byte record layout is not shown here (presumably room for a copy of the name string)
push edi
push 'fbSL' ; Tag (pool tag as IDA displays the dword immediate)
push esi ; NumberOfBytes = Name.Length + 0x84
push 200h ; PoolType = 0x200 = NonPagedPoolNx (NonPagedPool | POOL_NX_ALLOCATION)
call ds:__imp__ExAllocatePoolWithTag
...
; NOTE(review): no NULL check on the allocation result is visible between the
; call and the copy below — confirm it lives in the elided part.
mov edx, [ebp+srvnet_clnt]
mov esi, edx ; esi = source = srvnet_clnt
lea edi, [ebx+4Ch] ; edi = destination = allocated record + 0x4C (ebx holds the ExAllocatePoolWithTag result)
mov ecx, 8 ; 8 dwords = 0x20 bytes: per the prototype, Name (8) + 6 handler pointers
rep movsd ; copies srvnet_clnt offsets 0x00..0x1F; CredentialHandler at 0x20 is outside this copy
It seems that the input structure srvnet_clnt is copied to offset 0x4C. Prototype of srvnet_clnt:
/* Client descriptor passed to srvnet.sys by an SMB provider (reconstructed, x86-32 layout).
 * Offsets are in bytes; UNICODE_STRING is 8 bytes on x86-32 (Length, MaximumLength, Buffer). */
struct srvnet_clnt
{
/* 0 */ UNICODE_STRING Name;                /* provider name; Name.Length is what the allocation above reads */
/* 8 */ PBYTE RegisterEndpointHandler;
/* C */ PBYTE DeregisterEndpointHandler;
/* 10 */ PBYTE NegotiateHandler;
/* 14 */ PBYTE ConnectHandler;
/* 18 */ PBYTE ReceiveHandler;
/* 1C */ PBYTE DisconnectHandler;
/* 20 */ PBYTE CredentialHandler;           /* NOTE(review): sits at 0x20, just past the 0x20-byte rep movsd copy shown above — confirm whether it is copied separately or the struct really ends at 0x20 (the dump below lists only six handlers) */
};
Let's see how this allocated buffer is used next:
; Register the new client record in SrvNetDeviceExtension: scan the 4-entry
; client table at +0xDC for a free (zero) slot, store the record, bump the
; count at +0xEC.
; Register roles: edx = SrvNetDeviceExtension, eax/ax = slot index, ebx = new client record.
mov edx, _SrvNetDeviceExtension ; edx = global device-extension pointer in srvnet.sys
cmp dword ptr [edx+0ECh], 4 ; client count >= 4 (max clients)?
mov [ebp+var_1], al ; stores al into a local; its use is not shown in this excerpt
jge loc_27DAE ; table full -> bail out (signed compare on a count; harmless while the count stays small)
xor eax, eax ; slot index = 0
loc_14911:
movzx ecx, ax ; ecx = current index (low 16 bits of eax)
cmp dword ptr [edx+ecx*4+0DCh], 0 ; table[index] free?
jnz loc_149E8 ; occupied -> try the next slot
loc_14922:
lea ecx, [edx+38h] ; ecx = &extension+0x38 for the elided code; what lives there is not shown here
cmp ax, 4
; index == 4 means the scan ran off the end without finding a free slot
jz loc_27E16
...
inc dword ptr [edx+0ECh] ; ++client count
mov [edx+eax*4+0DCh], ebx ; table[index] = new client record (eax was zeroed above, so eax == ecx here)
loc_149E8:
inc eax ; ++index
cmp ax, 4 ; index < 4?
jb loc_14911 ; yes -> examine the next slot
jmp loc_14922 ; no -> re-enters the index == 4 check above, i.e. the "no free slot" path
It's easy to see that all registered clients are stored in an internal structure (its address can be found in the srvnet!SrvNetDeviceExtension variable), in a fixed-size buffer (max 4 entries) at offset 0xDC, and the count of registered clients is located at offset 0xEC.
Results (from Windows 8 Server):
SrvNet clients: 2
Client 0 SMB 2.0 Provider:
RegisterEndpointHandler : FFFFF88005D033E0 \SystemRoot\System32\DRIVERS\srv2.sys
DeRegisterEndpointHandler: FFFFF88005D02F10 \SystemRoot\System32\DRIVERS\srv2.sys
NegotiateHandler : FFFFF88005CBB9C0 \SystemRoot\System32\DRIVERS\srv2.sys
ConnectHandler : FFFFF88005CBBA70 \SystemRoot\System32\DRIVERS\srv2.sys
ReceiveHandler : FFFFF88005CB2420 \SystemRoot\System32\DRIVERS\srv2.sys
DisconnectHandler : FFFFF88005CBB050 \SystemRoot\System32\DRIVERS\srv2.sys
Client 1 LanmanServer:
RegisterEndpointHandler : FFFFF88005D598C0 \SystemRoot\System32\DRIVERS\srv.sys
DeRegisterEndpointHandler: FFFFF88005D59860 \SystemRoot\System32\DRIVERS\srv.sys
NegotiateHandler : FFFFF88005D588B4 \SystemRoot\System32\DRIVERS\srv.sys
ConnectHandler : FFFFF88005D588F0 \SystemRoot\System32\DRIVERS\srv.sys
ReceiveHandler : FFFFF88005D51EA4 \SystemRoot\System32\DRIVERS\srv.sys
DisconnectHandler : FFFFF88005D58F44 \SystemRoot\System32\DRIVERS\srv.sys