Let's check the function LsapLoadLsaDbExtensionDll:
; Excerpt of LsapLoadLsaDbExtensionDll (x86, stdcall imports, IDA listing).
; The function entry and the first RegGetValueW argument push (pcbData) lie
; above this excerpt, so the size bound used for LibFileName cannot be
; confirmed from here.
; Register roles across the excerpt: edi = hModule of the loaded DLL,
; esi = entry-point address, later the NTSTATUS result; ebx = extension table.
lea eax, [ebp+LibFileName]      ; pvData: receives the DLL path string
push eax
push 0                          ; pdwType = NULL; the type restriction is left to dwFlags
push 6                          ; dwFlags = 6 (RRF_RT_REG_SZ | RRF_RT_REG_EXPAND_SZ)
push offset aLsadbextpt ; "LsaDbExtPt" (lpValue)
push offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\NTDS" (lpSubKey)
push 80000002h                  ; hkey = HKEY_LOCAL_MACHINE
call ds:__imp__RegGetValueW@28 ; RegGetValueW(x,x,x,x,x,x,x)
test eax, eax                   ; ERROR_SUCCESS (0) -> go load the DLL
jz loc_509D269B                 ; any other error: falls through into code not shown
...
loc_509D269B:
push 8 ; dwFlags = 8 (LOAD_WITH_ALTERED_SEARCH_PATH); no path or signature
                                ; validation of LibFileName is visible in this excerpt
push 0 ; hFile
lea eax, [ebp+LibFileName]
push eax ; lpLibFileName = the path read from the registry value, used as-is
call ds:__imp__LoadLibraryExW@12 ; LoadLibraryExW(x,x,x)
mov edi, eax                    ; edi = hModule (kept across the calls below)
test edi, edi
jz loc_509342CB                 ; load failed: common exit (esi is not set on this path)
push offset aInitializelsad ; "InitializeLsaDbExtension" (lpProcName)
push edi ; hModule
call ds:__imp__GetProcAddress@8 ; GetProcAddress(x,x)
mov esi, eax                    ; esi = address of InitializeLsaDbExtension
test esi, esi
jnz short loc_509D26D2          ; export found: allocate the extension table
mov esi, STATUS_ENTRYPOINT_NOT_FOUND ; export missing -> NTSTATUS result in esi
jmp loc_509342CB                ; common exit (the loaded module is not freed in the visible code)
...
loc_509D26D2:
mov eax, large fs:30h           ; eax = PEB (TEB+0x30 on x86)
push 150h                       ; Size = 0x150 bytes for the extension table
push 0                          ; Flags = 0: the block is NOT zero-initialised (no HEAP_ZERO_MEMORY)
push dword ptr [eax+18h]        ; HeapHandle = PEB->ProcessHeap
call ds:__imp__RtlAllocateHeap@12 ; RtlAllocateHeap(x,x,x)
mov ebx, eax                    ; ebx = extension table buffer
test ebx, ebx
jnz short loc_509D26F8          ; presumably the block right after the elision below
mov esi, STATUS_NO_MEMORY       ; allocation failed -> NTSTATUS result in esi
jmp loc_509342CB                ; common exit
...
push ebx                        ; argument: the 0x150-byte table the extension fills in
call esi                        ; InitializeLsaDbExtension(table): from here on, code from
                                ; the DLL named in the registry executes inside this process
mov esi, eax                    ; esi = NTSTATUS returned by the extension
test esi, esi
js loc_509342CB                 ; negative NTSTATUS = failure -> common exit
                                ; (the buffer in ebx is not freed in the visible code)
push 0 ; Comperand: expect no table published yet
push ebx ; Exchange: publish the freshly initialised table
push offset _g_pLsaExtensionTableLsaDb ; Destination
call ds:__imp__InterlockedCompareExchange@12 ; InterlockedCompareExchange(x,x,x)
test eax, eax                   ; eax = previous value; non-zero means a table was already installed
jnz loc_50954E98                ; lost the race: target not shown (presumably releases ebx)
This code reads the (undocumented) registry value LsaDbExtPt under the key SYSTEM\CurrentControlSet\Services\NTDS, loads the DLL whose name is stored in that value, allocates some memory (size 0x150; 0x2A0 on x64) and calls the exported function InitializeLsaDbExtension. Let's check how this g_pLsaExtensionTableLsaDb is used:
; Tail of LsarLookupPrivilegeValue_notify (its entry lies above this excerpt).
; Dispatches through the extension table: the slot at offset 0x9C is called
; with a string naming the notifying API.
loc_509DEB4D: ; CODE XREF: LsarLookupPrivilegeValue_notify()+7 j
mov eax, _g_pLsaExtensionTableLsaDb   ; eax = table published by LsapLoadLsaDbExtensionDll
push offset aLsarlookuppr_1 ; "LsarLookupPrivilegeValue" (matches the calling function's name)
call dword ptr [eax+9Ch]        ; table->slot_0x9C(name); no NULL check of eax or of the slot
                                ; is visible here -- presumably guarded at the xref site
retn                            ; eax (the extension's return value) is passed back untouched
It seems that this is just a table of function pointers.