wincheck rc8.53

Download
Mirror
Changelog:

• improve support of different user-mode modules from w10
• add dumping of lsasrv!g_pLsaExtensionTableLsaDb

lsasrv.dll!LsapLoadLsaDbExtensionDll

It seems that since windows8 lsasrv.dll allows you to load some arbitrary .dll inside lsass process.
Let`s check function LsapLoadLsaDbExtensionDll:

  lea   eax, [ebp+LibFileName]
  push  eax
  push  0
  push  6
  push  offset aLsadbextpt              ; "LsaDbExtPt"
  push  offset aSystemCurrentc          ; "SYSTEM\\CurrentControlSet\\Services\\NTDS"
  push  80000002h
  call  ds:__imp__RegGetValueW@28       ; RegGetValueW(x,x,x,x,x,x,x)
  test  eax, eax
  jz    loc_509D269B
...
loc_509D269B:                          
  push  8                               ; dwFlags
  push  0                               ; hFile
  lea   eax, [ebp+LibFileName]
  push  eax                             ; lpLibFileName
  call  ds:__imp__LoadLibraryExW@12     ; LoadLibraryExW(x,x,x)
  mov   edi, eax
  test  edi, edi
  jz    loc_509342CB
  push  offset aInitializelsad          ; "InitializeLsaDbExtension"
  push  edi                             ; hModule
  call  ds:__imp__GetProcAddress@8      ; GetProcAddress(x,x)
  mov   esi, eax
  test  esi, esi
  jnz   short loc_509D26D2
  mov   esi, STATUS_ENTRYPOINT_NOT_FOUND
  jmp   loc_509342CB
...
loc_509D26D2:                          
  mov   eax, large fs:30h
  push  150h
  push  0
  push  dword ptr [eax+18h]
  call  ds:__imp__RtlAllocateHeap@12    ; RtlAllocateHeap(x,x,x)
  mov   ebx, eax
  test  ebx, ebx
  jnz   short loc_509D26F8
  mov   esi, STATUS_NO_MEMORY
  jmp   loc_509342CB
...
  push  ebx
  call  esi
  mov   esi, eax
  test  esi, esi
  js    loc_509342CB
  push  0                               ; Comperand
  push  ebx                             ; Exchange
  push  offset _g_pLsaExtensionTableLsaDb ; Destination
  call  ds:__imp__InterlockedCompareExchange@12 ; InterlockedCompareExchange(x,x,x)
  test  eax, eax
  jnz   loc_50954E98
This code reads value of (undocumented) key LsaDbExtPt from SYSTEM\CurrentControlSet\Services\NTDS, load dll whose name located in this key, allocates some memory (size 0x150, in x64 0x2A0) and call exported function InitializeLsaDbExtension

wincheck rc8.52

Add support of windows 10 (Technical Preview‎, build 9879 & 9926)

Download
Mirror

W32pServiceTable from windows 10 build 9926 64bit

W32pServiceLimit .eq. 0x45E

windows 10 build 9926 W32pServiceTable

W32pServiceLimit .eq. 0x45C

bug in vs2010 inlined function

All know how to calculate the crc32, yeah ?
Let`s see output from visual studio 2010 for inlined version of crc32:

Here list is alias for ecx register:

  mov     [ebp+params.list_rva], list  
  not     cl 
  movzx   list, cl ; ok, now in ECX 00 00 00 cl
  mov     eax, ds:CRCTable[list*4]
  xor     eax, 0FFFFFFh 
  movzx   ebx, al
  movzx   list, ch ; wait, CH now zero bcs of previous movzx ecx, cl !
  shr     eax, 8
  xor     list, ebx
  xor     eax, ds:CRCTable[list*4]
  movzx   list, byte ptr [ebp+params.list_rva+2]
  movzx   ebx, al
  shr     eax, 8
  xor     list, ebx
  xor     eax, ds:CRCTable[list*4]
  movzx   list, byte ptr [ebp+params.list_rva+3]
  movzx   ebx, al

it is obvious that the result of this functions is incorrect