вторник, 10 февраля 2015 г.

lsasrv.dll!LsapLoadLsaDbExtensionDll

It seems that since windows8 lsasrv.dll allows you to load some arbitrary .dll inside lsass process.
Let`s check function LsapLoadLsaDbExtensionDll:

  lea   eax, [ebp+LibFileName]
  push  eax
  push  0
  push  6
  push  offset aLsadbextpt              ; "LsaDbExtPt"
  push  offset aSystemCurrentc          ; "SYSTEM\\CurrentControlSet\\Services\\NTDS"
  push  80000002h
  call  ds:__imp__RegGetValueW@28       ; RegGetValueW(x,x,x,x,x,x,x)
  test  eax, eax
  jz    loc_509D269B
...

loc_509D269B:                          
  push  8                               ; dwFlags
  push  0                               ; hFile
  lea   eax, [ebp+LibFileName]
  push  eax                             ; lpLibFileName
  call  ds:__imp__LoadLibraryExW@12     ; LoadLibraryExW(x,x,x)
  mov   edi, eax
  test  edi, edi
  jz    loc_509342CB
  push  offset aInitializelsad          ; "InitializeLsaDbExtension"
  push  edi                             ; hModule
  call  ds:__imp__GetProcAddress@8      ; GetProcAddress(x,x)
  mov   esi, eax
  test  esi, esi
  jnz   short loc_509D26D2
  mov   esi, STATUS_ENTRYPOINT_NOT_FOUND
  jmp   loc_509342CB
...

loc_509D26D2:                          
  mov   eax, large fs:30h
  push  150h
  push  0
  push  dword ptr [eax+18h]
  call  ds:__imp__RtlAllocateHeap@12    ; RtlAllocateHeap(x,x,x)
  mov   ebx, eax
  test  ebx, ebx
  jnz   short loc_509D26F8
  mov   esi, STATUS_NO_MEMORY
  jmp   loc_509342CB
...

  push  ebx
  call  esi
  mov   esi, eax
  test  esi, esi
  js    loc_509342CB
  push  0                               ; Comperand
  push  ebx                             ; Exchange
  push  offset _g_pLsaExtensionTableLsaDb ; Destination
  call  ds:__imp__InterlockedCompareExchange@12 ; InterlockedCompareExchange(x,x,x)
  test  eax, eax
  jnz   loc_50954E98
This code reads value of (undocumented) key LsaDbExtPt from SYSTEM\CurrentControlSet\Services\NTDS, load dll whose name located in this key, allocates some memory (size 0x150, in x64 0x2A0) and call exported function InitializeLsaDbExtension
Check how this g_pLsaExtensionTableLsaDb used:
loc_509DEB4D:                           ; CODE XREF: LsarLookupPrivilegeValue_notify()+7 j
  mov   eax, _g_pLsaExtensionTableLsaDb
  push  offset aLsarlookuppr_1          ; "LsarLookupPrivilegeValue"
  call  dword ptr [eax+9Ch]
  retn

It seems that this is just table with functions pointers

Комментариев нет:

Отправить комментарий