Saturday, 5 December 2015

WNF identifiers

I made a mistake in my previous article about WNF. It seems that WNF identifiers are not standard IIDs but a pair of DWORDs, so struct my_wnf_item actually looks like:
// struct can be ripped from ntdll!RtlpCreateWnfNameSubscription
struct wnf_name
{
/*  0x0 */  DWORD tag; // 0x980912 under x64, 0x700912 under x86
/*  0x4 */  DWORD unk4;
/*  0x8 */  DWORD unk8;
/*  0xC */  DWORD unkC;
/* 0x10 */  DWORD id1;
/* 0x14 */  DWORD id2;
};

struct my_wnf_item
{
  LIST_ENTRY List; // linked list of my_wnf_item
  wnf_name *wnfId;
  PBYTE notify;
};

Sample from windows 10 build 10586:
CheckProcess PID 420 (csrss.exe):
PEB.NtGlobalFlag: 0
PEB.Ldr: 00007FF946ED5200
PEB.GdiSharedHandleTable: 000001EFD8BC0000
WnfRoot: 000001EFD8A05BF0
 Wnf[0] at 000001EFD8A08238: id1 A3BC4035 id2 96003D (WNF_PNPA_PORTS_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[1] at 000001EFD8A080C8: id1 A3BC3875 id2 96003D (WNF_PNPA_PORTS_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[2] at 000001EFD8A07F58: id1 A3BC3035 id2 96003D (WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[3] at 000001EFD8A07DE8: id1 A3BC2875 id2 96003D (WNF_PNPA_HARDWAREPROFILES_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[4] at 000001EFD8A07C78: id1 A3BC2035 id2 96003D (WNF_PNPA_VOLUMES_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[5] at 000001EFD8A07B08: id1 A3BC1875 id2 96003D (WNF_PNPA_VOLUMES_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[6] at 000001EFD8A04EF8: id1 A3BC1035 id2 96003D (WNF_PNPA_DEVNODES_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[7] at 000001EFD8A05058: id1 A3BC0875 id2 96003D (WNF_PNPA_DEVNODES_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
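As an added example (not code from the post), the Python below unpacks the wnf_name struct described above and goes one step further than the post: it joins id1/id2 into the 64-bit WNF_STATE_NAME and splits it into its documented bitfields. The XOR key 0x41C64E6DA3BC0074 and the layout Version:4, NameLifetime:2, DataScope:4, PermanentData:1, Unique:53 are public WNF knowledge rather than facts stated on this page; the sample struct bytes are constructed to match Wnf[0] of the csrss.exe dump.

```python
import struct

# Key XORed into every WNF state name by ntdll (public WNF research; not
# something the post itself states).
WNF_STATE_KEY = 0x41C64E6DA3BC0074

NAME_LIFETIMES = {0: "WellKnown", 1: "Permanent", 2: "Persistent", 3: "Temporary"}
DATA_SCOPES = {0: "System", 1: "Session", 2: "User", 3: "Process",
               4: "Machine", 5: "PhysicalMachine"}

# tag, unk4, unk8, unkC, id1, id2 -- the struct wnf_name from the post
WNF_NAME_FMT = "<6I"


def state_name_from_ids(id1, id2):
    """Join the pair of DWORDs into the 64-bit WNF_STATE_NAME (id1 is the low half)."""
    return ((id2 & 0xFFFFFFFF) << 32) | (id1 & 0xFFFFFFFF)


def decode_state_name(state_name):
    """Strip the XOR key and split the WNF_STATE_NAME_INTERNAL bitfields:
    Version:4, NameLifetime:2, DataScope:4, PermanentData:1, Unique:53."""
    raw = state_name ^ WNF_STATE_KEY
    info = {
        "version": raw & 0xF,
        "lifetime": NAME_LIFETIMES.get((raw >> 4) & 0x3, "?"),
        "scope": DATA_SCOPES.get((raw >> 6) & 0xF, "?"),
        "permanent": bool((raw >> 10) & 0x1),
        "unique": raw >> 11,
    }
    # Well-known names keep a 4-character owner tag in the top 32 bits
    # (for the PNPA names in the dump this decodes to "PNPA").
    if info["lifetime"] == "WellKnown":
        info["owner_tag"] = (raw >> 32).to_bytes(4, "little").decode("ascii", "replace")
    return info


def parse_wnf_name(buf):
    """Unpack the 0x18-byte wnf_name struct and decode its id pair."""
    tag, unk4, unk8, unkC, id1, id2 = struct.unpack_from(WNF_NAME_FMT, buf, 0)
    info = decode_state_name(state_name_from_ids(id1, id2))
    info.update(tag=tag, id1=id1, id2=id2)
    return info


def format_like_dump(entry):
    """Render an entry the way the dump above prints it, plus the decoded fields."""
    return "id1 %08X id2 %X scope=%s lifetime=%s owner=%s" % (
        entry["id1"], entry["id2"], entry["scope"], entry["lifetime"],
        entry.get("owner_tag", "-"))


if __name__ == "__main__":
    # Constructed sample struct reproducing Wnf[0] of the csrss.exe dump.
    sample = struct.pack(WNF_NAME_FMT, 0x980912, 0, 0, 0, 0xA3BC4035, 0x96003D)
    print(format_like_dump(parse_wnf_name(sample)))
```

Decoding the pairs from the dump this way explains the _SESSION suffixes: the names ending in 035 carry DataScope 1 (Session), the ones ending in 875 carry DataScope 0 (System), and all of them are well-known names owned by "PNPA".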

A list of some WNF identifiers (certainly incomplete):

Friday, 9 October 2015

using CFG on older windows

As you may know, support for Control Flow Guard exists only since Windows 10. But it seems you can still gain some benefit from CFG on older versions of Windows (for example in fuzzers/honeypots):

1) you need to inject your code into the target process
2) you must check whether CFG is present in your target module. It seems that the MS linker has a bug: DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size equals 0x40, but IMAGE_LOAD_CONFIG_DIRECTORY.Size contains the right value
3) you just need to patch the pointer at *(IMAGE_LOAD_CONFIG_DIRECTORY.GuardCFCheckFunctionPointer) to your handler. Prototype of the handler:
void __fastcall my_check_icall(PBYTE addr)
4) now you can check the addr parameter. One possible check: just see whether this addr is located in some loaded module, which you can do by traversing PEB_LDR_DATA
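As an added example (not the post's code), here is a Python parser that performs the check from step 2 and the module-range test from step 4 offline on a constructed, mapped PE32 image: it reads IMAGE_LOAD_CONFIG_DIRECTORY.Size instead of the data-directory Size, reports the VA of the GuardCFCheckFunctionPointer slot and what that slot currently holds. The image bytes, image base, slot contents and module list are all constructed; in a real target they would be read from the module base in the injected process and from PEB_LDR_DATA. Patching the slot (step 3) is not shown. The PE32+ offsets are included so the same parser covers 64-bit modules.

```python
import struct

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def cfg_info(image):
    """Inspect a mapped PE image (bytes; RVA == buffer offset, as for a module
    already loaded in the target process) and describe its CFG load-config data."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 24            # 4-byte signature + 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:        # GuardCFCheckFunctionPointer at 0x48 in the 32-bit struct
        image_base = struct.unpack_from("<I", image, opt + 0x1C)[0]
        dirs, ptr_fmt, fptr_off = opt + 0x60, "<I", 0x48
    elif magic == PE32PLUS_MAGIC:  # ... and at 0x70 in the 64-bit struct
        image_base = struct.unpack_from("<Q", image, opt + 0x18)[0]
        dirs, ptr_fmt, fptr_off = opt + 0x70, "<Q", 0x70
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 0x46)[0]
    info = {"cfg_flag": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
            "dir_size": 0, "struct_size": 0,
            "guard_check_slot": None, "guard_check_target": None}
    n_dirs = struct.unpack_from("<I", image, dirs - 4)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return info
    rva, dir_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    info["dir_size"] = dir_size
    if rva == 0:
        return info
    # Do not trust dir_size: the post observes the linker writes 0x40 there even when
    # the struct is longer.  IMAGE_LOAD_CONFIG_DIRECTORY.Size is the authoritative length.
    struct_size = struct.unpack_from("<I", image, rva)[0]
    info["struct_size"] = struct_size
    ptr_size = struct.calcsize(ptr_fmt)
    if struct_size >= fptr_off + ptr_size:
        slot_va = struct.unpack_from(ptr_fmt, image, rva + fptr_off)[0]
        info["guard_check_slot"] = slot_va          # VA of __guard_check_icall_fptr
        slot_rva = slot_va - image_base
        if slot_va and 0 <= slot_rva <= len(image) - ptr_size:
            info["guard_check_target"] = struct.unpack_from(ptr_fmt, image, slot_rva)[0]
    return info


def is_in_loaded_module(addr, modules):
    """Step 4's simplest policy: the call target must fall inside some loaded module.
    modules is a list of (base, size) pairs, e.g. collected from PEB_LDR_DATA."""
    return any(base <= addr < base + size for base, size in modules)


def build_sample_image():
    """Constructed minimal mapped PE32 image: data-directory Size says 0x40 while
    the load-config struct's own Size is 0x5C and carries the CFG fields."""
    image_base = 0x10000000                                   # hypothetical base
    img = bytearray(0x1000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)              # Machine i386, one section
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)              # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 0x1C, image_base)
    struct.pack_into("<H", img, opt + 0x46, IMAGE_DLLCHARACTERISTICS_GUARD_CF)
    struct.pack_into("<I", img, opt + 0x5C, 16)               # NumberOfRvaAndSizes
    lc = 0x400
    struct.pack_into("<II", img, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, lc, 0x40)
    struct.pack_into("<I", img, lc, 0x5C)                     # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    struct.pack_into("<I", img, lc + 0x48, image_base + 0x800)  # GuardCFCheckFunctionPointer -> slot
    struct.pack_into("<I", img, 0x800, image_base + 0x900)    # slot content (hypothetical nop stub)
    return bytes(img)


if __name__ == "__main__":
    info = cfg_info(build_sample_image())
    print({k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
           for k, v in info.items()})
```

The point to notice is that cfg_info keys its decision on struct_size: with the data-directory Size of 0x40 alone one would conclude the module has no CFG fields at all, even though the DllCharacteristics flag is set and the pointer is there.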

Have fun !

Wednesday, 9 September 2015

iertutil.dll unnamed exports

Perl script to make such files (must be run after applying the appropriate .pdb):
#!perl -w
use strict;
use warnings;
use IDA;

my $with_addr = 0;

my $exp_cnt = GetEntryPointQty();
my $dparm = GetLongPrm(INF_SHORT_DN);
my($fh, $name, $mang, $i, $ord, $addr);
if ( $exp_cnt )
{
  open($fh, '>', "exp") or die("Cannot open file exp, error $!\n");
  for ( $i = 0; $i < $exp_cnt; $i++ )
  {
    $ord = GetEntryOrdinal($i);
    $name = GetEntryName($ord);
    $addr = GetEntryPoint($ord);
    next if ( $addr == BADADDR );
    # only unnamed exports, which IDA names <module>_<ordinal>
    next if ( $name !~ /_\d+$/i );
    # real (mangled) name comes from the applied .pdb
    $mang = GetTrueNameEx(BADADDR, $addr);
    $name = Demangle($mang, $dparm);
    $name = '' unless defined $name;
    $name =~ s/\(.*\)//g;
    if ( $name ne '' )
    {
      if ( $with_addr )
      {
        printf($fh "%d %X %s ; %s\n", $ord, $addr, $name, $mang);
      } else {
        printf($fh "%d %s ; %s\n", $ord, $name, $mang);
      }
    } else {
      if ( $with_addr )
      {
        printf($fh "%d %X %s\n", $ord, $addr, $mang);
      } else {
        printf($fh "%d %s\n", $ord, $mang);
      }
    }
  }
  close $fh;
}

Tuesday, 8 September 2015

urlmon unnamed exports

It seems that ordinal 470 (RegisterProtocolMonitor) is used in networkinspection.dll.
This info was ripped from IDA Pro with a simple Perl script.

Sunday, 26 July 2015

pdbdump for vs2015 pdbs

It seems that SourceForge finally came out of its coma, so today I committed patches to my version of pdbdump for some support of VS2015 .pdb files.
I also added support for the DIA SDK from Microsoft Visual Studio 12.0 (patch 67).

Thursday, 11 June 2015

is vtguard slow ?

Saw some strange code in a fresh mshtml.dll (version 11.00.9600.17842) after the June 2015 security update:

.text:635F4700 ?ReleaseInterface@@YGXPAUIUnknown@@@Z proc near
.text:635F4700   mov   edi, edi
.text:635F4702   push  esi
.text:635F4703   push  edi
.text:635F4704   test  ecx, ecx
.text:635F4706   jnz   short loc_635F470B
.text:635F4708 loc_635F4708:

.text:635F4708   pop   edi
.text:635F4709   pop   esi
.text:635F470A   retn

.text:635F470B loc_635F470B:
.text:635F470B   mov   eax, [ecx]
.text:635F470D   mov   edi, [eax+8]
.text:635F4710   cmp   edi, offset ?PrivateRelease@CElement@@UAGKXZ ; CElement::PrivateRelease(void)
.text:635F4716   jz    loc_6362BE29
.text:635F471C   cmp   edi, offset ?PlainRelease@@YGKPAUTEAROFF_THUNK@@@Z ; PlainRelease(TEAROFF_THUNK *)
.text:635F4722   jz    loc_6362B928
.text:635F4728   mov   esi, esp
.text:635F472A   push  ecx
.text:635F472B   mov   ecx, edi
.text:635F472D   call  ds:___guard_check_icall_fptr
.text:635F4733   call  edi
.text:635F4735   cmp   esi, esp
.text:635F4737   jz    short loc_635F4708
.text:635F4739   jmp   loc_63CA3FDD
.text:635F4739 ?ReleaseInterface@@YGXPAUIUnknown@@@Z endp

.text:6362BE29 loc_6362BE29:
.text:6362BE29   push  ecx
.text:6362BE2A   call  ?PrivateRelease@CElement@@UAGKXZ ; CElement::PrivateRelease(void)
.text:6362BE2F   jmp   loc_635F4708

.text:6362B928 loc_6362B928:
.text:6362B928   push  ecx                             ; struct TEAROFF_THUNK *
.text:6362B929   call  ?PlainRelease@@YGKPAUTEAROFF_THUNK@@@Z ; PlainRelease(TEAROFF_THUNK *)
.text:6362B92E   jmp   loc_635F4708
It seems that the compiler added checks for some (most frequently called) methods and calls them directly with no vtguard check. I wonder why such an optimization may be needed?

Tuesday, 5 May 2015

wincheck rc8.55

  • add support for Windows 10 build 10074
  • add -gahti option to dump win32k!gahti
  • add -sockets option to dump sockets and established connections from tcpip.sys (XP/W2k3 only)
  • add -sockets6 option to dump sockets and established connections from tcpip6.sys (XP/W2k3 only)
  • add check of win32k!gDxgkWin32kEngInterface
  • add Period to the timers dump
  • lots of bugs fixed

Wednesday, 29 April 2015

Cezurity cota in wincheck logs

Nothing new or interesting actually:
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
SDT entry C1 (ZwReplaceKey) hooked BA800138 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
SDT entry ED (ZwSetSecurityObject) hooked BA800102 !

Process notifiers:
[0] B9BB78D0 cz_cota.sys

Registry notifiers:
[0] B9BBCC10 cz_cota.sys

 [0] DevObj 8AF07F18 Drv 8AF2CB40 \??\C:\WINDOWS\system32\Drivers\cz_ddall.sys

And a new fltmgr instance:
   PreOperation:            B9718EE0 cz_cotam.sys
   PostOperation:           00000000
   PreOperation:            B9719270 cz_cotam.sys
   PostOperation:           00000000
   PreOperation:            B9719020 cz_cotam.sys
   PostOperation:           00000000
   PreOperation:            B9718F50 cz_cotam.sys
   PostOperation:           B9718FA0 cz_cotam.sys
   PreOperation:            B9718FD0 cz_cotam.sys
   PostOperation:           B9719000 cz_cotam.sys

   PreOperation:            B9BC3AE0 cz_cota.sys
   PostOperation:           B9BC3A40 cz_cota.sys
   PreOperation:            B9BC3930 cz_cota.sys
   PostOperation:           00000000

Monday, 27 April 2015


trying to recover offsets of ADDRESS_OBJECT fields for tcpip6
code from the CopyAO_TCPConn function:
  cmp   byte ptr [edx+3Ah], 6       ; protocol - 0x3a
  jnz   loc_12425
  mov   ecx, [ebp+arg_8]
  mov   eax, 0C8h
  cmp   [ebp+arg_4], eax
  jb    short loc_1235C
  mov   dword ptr [ecx+34h], 2
  jmp   short loc_12363


  mov   dword ptr [ecx+30h], 2

  cmp   [ebp+arg_4], eax
  push  esi
  push  edi
  lea   esi, [edx+24h]              ; local_ip - 0x24, size 16 bytes
  jb    short loc_123EC
  mov   [ecx], eax
  lea   edi, [ecx+4]
  mov   eax, [edx+34h]
  mov   [ecx+14h], eax
  movzx eax, word ptr [edx+38h]     ; local_port - 0x38

code from the TdiOpenAddress function:
  call  _PsGetCurrentProcessId
  mov   [ebx+0C8h], eax   ; pid - 0xc8
  lea   eax, [ebx+0D8h]   ; CreateTime - 0xd8
  push  eax

  call  ds:__imp__KeQuerySystemTime@4

So the structure ADDRESS6_OBJECT looks like:
'_ADDRESS6_OBJECT' : [ 0x68, {
'Next' : [ 0x0, ['pointer', ['_ADDRESS6_OBJECT']]],
'LocalIpAddress' : [ 0x24, ['Ip6Address']],
'LocalPort' : [ 0x38, ['unsigned be short']],
'Protocol' : [ 0x3a, ['unsigned short']],
'Pid' : [ 0xc8, ['unsigned long']],
'CreateTime' : [ 0xd8, ['WinTimeStamp', dict(is_utc = True)]],
}],
for 64-bit tcpip6.sys:
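As an added example (not the post's or wincheck's code), the Python below turns the recovered 32-bit offsets into a parser for ADDRESS6_OBJECT and walks the Next chain the way a memory-forensics plugin would: the port is read big-endian as the vtype says, Protocol is compared the same way the `cmp byte ptr [edx+3Ah], 6` does, and CreateTime is converted from the KeQuerySystemTime 100-ns format to UTC. The two objects, their pool addresses and the read callback are constructed test data; the parser needs at least 0xE0 bytes readable per object because CreateTime sits at 0xD8, whatever the nominal struct size.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

# Offsets from the vtype above (32-bit tcpip6.sys).
OFF_NEXT, OFF_LOCAL_IP, OFF_LOCAL_PORT = 0x00, 0x24, 0x38
OFF_PROTOCOL, OFF_PID, OFF_CREATE_TIME = 0x3A, 0xC8, 0xD8
NEED_LEN = OFF_CREATE_TIME + 8          # bytes needed to reach the end of CreateTime

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PROTOCOLS = {6: "TCP", 17: "UDP"}


def filetime_to_utc(ft):
    """KeQuerySystemTime stores 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_address6_object(buf):
    """Decode one ADDRESS6_OBJECT from raw bytes using the recovered offsets."""
    if len(buf) < NEED_LEN:
        raise ValueError("need at least 0x%X bytes" % NEED_LEN)
    proto = struct.unpack_from("<H", buf, OFF_PROTOCOL)[0]
    return {
        "next": struct.unpack_from("<I", buf, OFF_NEXT)[0],
        "local_ip": socket.inet_ntop(socket.AF_INET6, bytes(buf[OFF_LOCAL_IP:OFF_LOCAL_IP + 16])),
        "local_port": struct.unpack_from(">H", buf, OFF_LOCAL_PORT)[0],   # network byte order
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "pid": struct.unpack_from("<I", buf, OFF_PID)[0],
        "create_time": filetime_to_utc(struct.unpack_from("<Q", buf, OFF_CREATE_TIME)[0]),
    }


def walk_address_list(head_va, read):
    """Follow the Next chain from head_va; read(va, size) returns bytes or None.
    A seen-set guards against a corrupted or cyclic list."""
    seen, out, va = set(), [], head_va
    while va and va not in seen:
        seen.add(va)
        buf = read(va, NEED_LEN)
        if buf is None:
            break
        entry = parse_address6_object(buf)
        out.append(entry)
        va = entry["next"]
    return out


def make_object(next_va, ip, port, proto, pid, created):
    """Construct one ADDRESS6_OBJECT image (sample data, not a real capture)."""
    buf = bytearray(NEED_LEN)
    struct.pack_into("<I", buf, OFF_NEXT, next_va)
    buf[OFF_LOCAL_IP:OFF_LOCAL_IP + 16] = socket.inet_pton(socket.AF_INET6, ip)
    struct.pack_into(">H", buf, OFF_LOCAL_PORT, port)
    struct.pack_into("<H", buf, OFF_PROTOCOL, proto)
    struct.pack_into("<I", buf, OFF_PID, pid)
    struct.pack_into("<Q", buf, OFF_CREATE_TIME, utc_to_filetime(created))
    return bytes(buf)


def sample_pool():
    """Two constructed objects at made-up pool addresses, linked through Next."""
    t0 = datetime(2015, 4, 27, 12, 0, 0, tzinfo=timezone.utc)
    return {
        0x8A100000: make_object(0x8A200000, "fe80::1", 445, 6, 4, t0),
        0x8A200000: make_object(0, "::", 53, 17, 1234, t0 + timedelta(minutes=5)),
    }


def read_from_pool(pool):
    """Reader over the constructed pool; a real one would read target memory."""
    return lambda va, size: pool[va][:size] if va in pool else None


if __name__ == "__main__":
    for e in walk_address_list(0x8A100000, read_from_pool(sample_pool())):
        print("%s [%s]:%d pid %d created %s" % (
            e["protocol"], e["local_ip"], e["local_port"], e["pid"], e["create_time"]))
```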

Saturday, 4 April 2015

windows 10 win32kbase.sys exports

It seems that Windows 10 moved some important data (like gpepCSRSS or gpsi) from win32k.sys to win32kbase.sys and made it exported. I think it's an epic win, he-he

Thursday, 2 April 2015

wincheck rc8.54

  • add support for Windows 10 build 10041.
  • add -obcb key for dumping object type callbacks. Sample from a machine infected with Dr.Web (btw this north papua AV considers wincheck a process.injecter, hell yeah):
    ObType Process (FFFFFA800CCCBBC0):
     DumpProcedure:        0000000000000000
     OpenProcedure:        FFFFF80003365620 \SystemRoot\system32\ntoskrnl.exe
     CloseProcedure:       FFFFF8000334C9A0 \SystemRoot\system32\ntoskrnl.exe
     DeleteProcedure:      FFFFF8000334BC50 \SystemRoot\system32\ntoskrnl.exe
     ParseProcedure:       0000000000000000
     SecurityProcedure:    FFFFF8000337D530 \SystemRoot\system32\ntoskrnl.exe
     QueryNameProcedure:   0000000000000000
     OkayToCloseProcedure: 0000000000000000
     2 callback(s):
      cb[0] operation 3
       PreOperation FFFFF88001157914 \SystemRoot\system32\drivers\dwprot.sys
      cb[1] operation 3
       PreOperation FFFFF88004890E30 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
       PreOperation FFFFF8800488EBD0 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
  • add checking of tables inside wudfx02000.dll

Friday, 27 March 2015

KiServiceTable from windows 10 build 10041 64bit

KiServiceLimit .eq. 0x1B7

apisetschema.dll from windows 10 build 10041

very interesting - api-ms-win-core-debug-minidump was added

windows 10 build 10041 W32pServiceTable

W32pServiceLimit .eq. 0x467

KiServiceTable from windows 10 build 10041

KiServiceLimit .eq. 0x1B7

Tuesday, 10 February 2015


It seems that since Windows 8, lsasrv.dll allows you to load some arbitrary .dll inside the lsass process.
Let's check the function LsapLoadLsaDbExtensionDll:

  lea   eax, [ebp+LibFileName]
  push  eax
  push  0
  push  6
  push  offset aLsadbextpt              ; "LsaDbExtPt"
  push  offset aSystemCurrentc          ; "SYSTEM\\CurrentControlSet\\Services\\NTDS"
  push  80000002h
  call  ds:__imp__RegGetValueW@28       ; RegGetValueW(x,x,x,x,x,x,x)
  test  eax, eax
  jz    loc_509D269B

  push  8                               ; dwFlags
  push  0                               ; hFile
  lea   eax, [ebp+LibFileName]
  push  eax                             ; lpLibFileName
  call  ds:__imp__LoadLibraryExW@12     ; LoadLibraryExW(x,x,x)
  mov   edi, eax
  test  edi, edi
  jz    loc_509342CB
  push  offset aInitializelsad          ; "InitializeLsaDbExtension"
  push  edi                             ; hModule
  call  ds:__imp__GetProcAddress@8      ; GetProcAddress(x,x)
  mov   esi, eax
  test  esi, esi
  jnz   short loc_509D26D2
  jmp   loc_509342CB

  mov   eax, large fs:30h
  push  150h
  push  0
  push  dword ptr [eax+18h]
  call  ds:__imp__RtlAllocateHeap@12    ; RtlAllocateHeap(x,x,x)
  mov   ebx, eax
  test  ebx, ebx
  jnz   short loc_509D26F8
  mov   esi, STATUS_NO_MEMORY
  jmp   loc_509342CB

  push  ebx
  call  esi
  mov   esi, eax
  test  esi, esi
  js    loc_509342CB
  push  0                               ; Comperand
  push  ebx                             ; Exchange
  push  offset _g_pLsaExtensionTableLsaDb ; Destination
  call  ds:__imp__InterlockedCompareExchange@12 ; InterlockedCompareExchange(x,x,x)
  test  eax, eax
  jnz   loc_50954E98
This code reads the value of the (undocumented) LsaDbExtPt entry under SYSTEM\CurrentControlSet\Services\NTDS, loads the DLL whose name is stored in that value, allocates some memory (size 0x150; 0x2A0 on x64) and calls the exported function InitializeLsaDbExtension.
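As an added audit check (not code from the post), the Python below rates whatever is stored in LsaDbExtPt from the defender's side. It uses two details visible in the disassembly: RegGetValueW is called with flags 6 (RRF_RT_REG_SZ | RRF_RT_REG_EXPAND_SZ), so %VAR% expansion applies, and LoadLibraryExW is called with flags 8 (LOAD_WITH_ALTERED_SEARCH_PATH), so a non-absolute name is resolved through the DLL search order rather than pinned to one file. The live reader only works on Windows via winreg; the classifier is pure and runs anywhere. The DLL names and paths in the usage section are constructed samples.

```python
import ntpath
import re

LSADB_KEY = r"SYSTEM\CurrentControlSet\Services\NTDS"
LSADB_VALUE = "LsaDbExtPt"
RRF_RT_REG_SZ_OR_EXPAND_SZ = 6      # the 6 pushed before RegGetValueW above
LOAD_WITH_ALTERED_SEARCH_PATH = 8   # the 8 pushed as dwFlags before LoadLibraryExW above


def expand_reg_value(value, env):
    """Expand %VAR% references the way REG_EXPAND_SZ data is expanded; unknown
    variables are left as-is so they are still visible in the report."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def classify_lsadb_ext(value, system_root=r"C:\Windows", env=None):
    """Rate an LsaDbExtPt value. Returns (level, reason) where level is
    'info' (not set), 'review' (a DLL under System32) or 'suspicious'."""
    if value is None:
        return "info", "LsaDbExtPt is not set; lsasrv loads no extension DLL"
    env = {"SYSTEMROOT": system_root, **(env or {})}
    path = expand_reg_value(value, env)
    if not ntpath.isabs(path):
        return "suspicious", ("relative name %r is resolved through the DLL search order "
                              "(LOAD_WITH_ALTERED_SEARCH_PATH), so the loaded file is not pinned" % path)
    sys32 = ntpath.normcase(ntpath.join(system_root, "System32")) + "\\"
    # normpath first so '..' tricks cannot make a foreign path look like System32
    if not ntpath.normcase(ntpath.normpath(path)).startswith(sys32):
        return "suspicious", "extension DLL lives outside System32: %s" % path
    return "review", "extension DLL under System32: %s (confirm it is expected on this host)" % path


def read_lsadb_ext():
    """Live check on Windows; returns None when the value is absent or off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSADB_KEY) as key:
            value, _type = winreg.QueryValueEx(key, LSADB_VALUE)
            return value
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample values; on a Windows host use read_lsadb_ext() instead.
    for v in (None, "lsadbext.dll", r"C:\Users\Public\ext.dll",
              r"%SystemRoot%\System32\example.dll", r"C:\Windows\System32\..\Temp\ext.dll"):
        print("%-45r -> %s: %s" % (v, *classify_lsadb_ext(v)))
```

Since lsasrv calls InitializeLsaDbExtension on whatever module the value names, the presence of this value on a machine that is not a domain controller deserves the same attention as any other lsass module-load setting.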

Monday, 2 February 2015

bug in vs2010 inlined function

Everybody knows how to calculate CRC32, yeah?
Let's see the output from Visual Studio 2010 for an inlined version of crc32:

Here list is an alias for the ecx register:

  mov     [ebp+params.list_rva], list
  not     cl
  movzx   list, cl ; ok, now ECX is 00 00 00 cl
  mov     eax, ds:CRCTable[list*4]
  xor     eax, 0FFFFFFh
  movzx   ebx, al
  movzx   list, ch ; wait, CH is now zero because of the previous movzx ecx, cl !
  shr     eax, 8
  xor     list, ebx
  xor     eax, ds:CRCTable[list*4]
  movzx   list, byte ptr [ebp+params.list_rva+2]
  movzx   ebx, al
  shr     eax, 8
  xor     list, ebx
  xor     eax, ds:CRCTable[list*4]
  movzx   list, byte ptr [ebp+params.list_rva+3]
  movzx   ebx, al
It is obvious that the result of this function is incorrect.
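To make the defect checkable, here is an added Python model (not the post's code) of both the intended table-driven CRC32 of one little-endian DWORD and the sequence actually emitted, where the second table index is built from CH after `movzx ecx, cl` has already zeroed it, so byte 1 of the input is hashed as 0. The correct variant is compared against zlib as the reference; the final XOR with 0xFFFFFFFF is assumed, since the snippet stops before the end of the function.

```python
import struct
import zlib


def make_crc_table(poly=0xEDB88320):
    """Standard reflected CRC-32 table, i.e. the CRCTable the compiled code indexes."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc_table()


def crc32_update(crc, data):
    """One table step per byte: crc = CRCTable[(crc ^ b) & 0xFF] ^ (crc >> 8).
    For the first byte with crc = 0xFFFFFFFF this is exactly
    'not cl; movzx ecx, cl; mov eax, CRCTable[ecx*4]; xor eax, 0FFFFFFh'."""
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def crc32_dword(value):
    """What the inlined function should compute for one little-endian DWORD."""
    return crc32_update(0xFFFFFFFF, struct.pack("<I", value)) ^ 0xFFFFFFFF


def crc32_dword_vs2010(value):
    """Model of the emitted code: 'movzx ecx, ch' runs after 'movzx ecx, cl' has
    zero-extended CL, so CH is 0 and round two hashes 0 instead of byte 1.
    Bytes 2 and 3 are reloaded from [ebp+params.list_rva+2/+3] and are fine."""
    b = bytearray(struct.pack("<I", value))
    b[1] = 0
    return crc32_update(0xFFFFFFFF, b) ^ 0xFFFFFFFF


def reference_crc32(value):
    """Independent reference for the correct variant."""
    return zlib.crc32(struct.pack("<I", value)) & 0xFFFFFFFF


def affected(value):
    """True when the miscompiled sequence yields a wrong result for this input,
    i.e. whenever byte 1 of the DWORD is non-zero."""
    return crc32_dword_vs2010(value) != crc32_dword(value)


if __name__ == "__main__":
    for v in (0x12345678, 0x12340078):
        print("%08X: correct %08X emitted %08X affected=%s" % (
            v, crc32_dword(v), crc32_dword_vs2010(v), affected(v)))
```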

Friday, 30 January 2015

modernexecserver.dll RPC interface

The version info says "Modern Execution Server". I don't know what this means.
8EC21E98-B5CE-4916-A3D6-449FA428A007 version 0.0
19 methods:
  • FmMuxSrvRegisterCoreUIEndpoints
  • FmMuxSrvLaunchTask
  • FmMuxSrvResumeTask
  • FmMuxSrvPauseTask
  • FmMuxSrvCancelTask
  • FmMuxSrvAbortTask
  • FmMuxSrvGetTaskPid
  • FmMuxSrvSetTaskDehydrationEligibility
  • FmMuxSrvResolveApplicationUri
  • FmMuxSrvGetActivationPolicy
  • FmMuxSrvShutdown
  • FmMuxSrvSetForegroundTaskInstanceId
  • FmMuxSrvGenerateActivationInstanceId
  • FmMuxSrvActivationPrerequisitePhase
  • FmMuxSrvIsCBETask
  • FmMuxSrvIsValidTaskPid
  • FmMuxSrvResumePrerequisitePhase
  • FmMuxSrvGetForegroundTaskInstanceId
  • FmMuxSrvActivationBypass

Wednesday, 21 January 2015

interrupts in w10 build 9879 64bit

It seems that Microsoft completely removed KiInterruptTemplate in this version of Windows, and interrupts are now stored in the KPRCB (like in W8.1).
Let's look at the function KiConnectInterrupt

Wednesday, 7 January 2015

apisetschema.dll from windows 10 build 9879 64bit

only api-ms-win-core-ums-l1-1-0 was added

apisetschema.dll from windows 10 build 9879

Yep, they did it again: apisetschema.dll now has version 5. One hard evening of reversing and you can enjoy the results.
Btw, there is a module in kernel mode which is missing from apisetschema.dll: ext-ms-win-ntos-ksigningpolicy-l1-1-0.dll in cia.dll. I have no idea how the translation of ext-ms- names happens in kernel mode.