Wednesday, April 29, 2015

Cezurity cota in wincheck logs

Nothing new and interesting actually:
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
SDT entry C1 (ZwReplaceKey) hooked BA800138 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
SDT entry ED (ZwSetSecurityObject) hooked BA800102 !


Process notifiers:
[0] B9BB78D0 cz_cota.sys


Registry notifiers:
[0] B9BBCC10 cz_cota.sys


IopNotifyLastChanceShutdownQueueHead:
 [0] DevObj 8AF07F18 Drv 8AF2CB40 \??\C:\WINDOWS\system32\Drivers\cz_ddall.sys

And new fltmgr instances:
 INSTANCE 8AA5F720:
  IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: 8AA5F864
   PreOperation:            B9718EE0 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_CREATE: 8AA5F8AC
   PreOperation:            B9719270 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_WRITE: 8AA5F894
   PreOperation:            B9719020 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_SET_INFORMATION: 8AA5F87C
   PreOperation:            B9718F50 cz_cotam.sys
   PostOperation:           B9718FA0 cz_cotam.sys
  IRP_MJ_CLEANUP: 8AA5F8C4
   PreOperation:            B9718FD0 cz_cotam.sys
   PostOperation:           B9719000 cz_cotam.sys

 INSTANCE 8AAA2008:
  IRP_MJ_CREATE: 8AAA214C
   PreOperation:            B9BC3AE0 cz_cota.sys
   PostOperation:           B9BC3A40 cz_cota.sys
  IRP_MJ_SET_INFORMATION: 8AAA2164
   PreOperation:            B9BC3930 cz_cota.sys
   PostOperation:           00000000

Monday, April 27, 2015

tcpip6!ADDRESS_OBJECT

Let's try to recover the offsets of the ADDRESS_OBJECT fields for tcpip6.
Code from the CopyAO_TCPConn function:
  cmp   byte ptr [edx+3Ah], 6       ; protocol - 0x3a
  jnz   loc_12425
  mov   ecx, [ebp+arg_8]
  mov   eax, 0C8h
  cmp   [ebp+arg_4], eax
  jb    short loc_1235C
  mov   dword ptr [ecx+34h], 2
  jmp   short loc_12363

loc_1235C:
  mov   dword ptr [ecx+30h], 2

loc_12363:
  cmp   [ebp+arg_4], eax
  push  esi
  push  edi
  lea   esi, [edx+24h]              ; local_ip - 0x24, size 16 bytes
  jb    short loc_123EC
  mov   [ecx], eax
  lea   edi, [ecx+4]
  movsd
  movsd
  movsd
  movsd
  mov   eax, [edx+34h]
  mov   [ecx+14h], eax
  movzx eax, word ptr [edx+38h]     ; local_port - 0x38


Code from the TdiOpenAddress function:
  call  _PsGetCurrentProcessId
  mov   [ebx+0C8h], eax   ; pid - 0xc8
  lea   eax, [ebx+0D8h]   ; CreateTime - 0xd8
  push  eax

  call  ds:__imp__KeQuerySystemTime@4

So the ADDRESS6_OBJECT structure looks like this (Volatility vtype):
'_ADDRESS6_OBJECT' : [ 0x68, {
'Next' : [ 0x0, ['pointer', ['_ADDRESS6_OBJECT']]],
'LocalIpAddress' : [ 0x24, ['Ip6Address']],
'LocalPort' : [ 0x38, ['unsigned be short']],
'Protocol' : [ 0x3a, ['unsigned short']],
'Pid' : [ 0xc8, ['unsigned long']],
'CreateTime' : [ 0xd8, ['WinTimeStamp', dict(is_utc = True)]],
}],
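To check that the recovered offsets hang together, here is an added example (my own code, not part of the original post or of Volatility) that reads the same fields out of a raw byte buffer laid out according to the vtype above. The buffer is constructed here, not taken from a real dump, and is sized to 0xe0 bytes so the Pid and CreateTime fields at 0xc8/0xd8 fit.

```python
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

# Field offsets as recovered in the post (32-bit tcpip6.sys).
OFF_LOCAL_IP = 0x24      # 16-byte IPv6 address copied by the four movsd
OFF_LOCAL_PORT = 0x38    # big-endian (network order) unsigned short
OFF_PROTOCOL = 0x3a      # unsigned short, 6 == TCP (cmp byte ptr [edx+3Ah], 6)
OFF_PID = 0xc8           # PsGetCurrentProcessId() result
OFF_CREATE_TIME = 0xd8   # KeQuerySystemTime() result: 100ns ticks since 1601
MIN_SIZE = OFF_CREATE_TIME + 8

WINTIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def wintime_to_datetime(ticks):
    """Convert a KeQuerySystemTime value (100ns units) to a UTC datetime."""
    return WINTIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_address6_object(buf):
    """Extract the fields the post identified from one _ADDRESS6_OBJECT."""
    if len(buf) < MIN_SIZE:
        raise ValueError("buffer too short for _ADDRESS6_OBJECT: %d bytes" % len(buf))
    ip = ipaddress.IPv6Address(bytes(buf[OFF_LOCAL_IP:OFF_LOCAL_IP + 16]))
    port, = struct.unpack_from(">H", buf, OFF_LOCAL_PORT)   # 'unsigned be short'
    proto, = struct.unpack_from("<H", buf, OFF_PROTOCOL)
    pid, = struct.unpack_from("<I", buf, OFF_PID)
    ticks, = struct.unpack_from("<Q", buf, OFF_CREATE_TIME)
    return {
        "local_ip": str(ip),
        "local_port": port,
        "protocol": proto,
        "pid": pid,
        "create_time": wintime_to_datetime(ticks),
    }

def build_sample():
    """Constructed sample object (hypothetical values, not a real memory dump)."""
    buf = bytearray(MIN_SIZE)
    buf[OFF_LOCAL_IP:OFF_LOCAL_IP + 16] = ipaddress.IPv6Address("::1").packed
    struct.pack_into(">H", buf, OFF_LOCAL_PORT, 445)
    struct.pack_into("<H", buf, OFF_PROTOCOL, 6)
    struct.pack_into("<I", buf, OFF_PID, 4)
    delta = datetime(2015, 4, 27, tzinfo=timezone.utc) - WINTIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<Q", buf, OFF_CREATE_TIME, ticks)
    return bytes(buf)

if __name__ == "__main__":
    print(parse_address6_object(build_sample()))
```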
For 64-bit tcpip6.sys:

Saturday, April 4, 2015

windows 10 win32kbase.sys exports

It seems that Windows 10 moved some important data (like gpepCSRSS or gpsi) from win32k.sys to win32kbase.sys and made it exported. I think it's an epic win, he-he

Thursday, April 2, 2015

wincheck rc8.54

download
mirror
Changelog:
  • add support for Windows 10 build 10041.
  • add -obcb key for dumping object type callbacks. Sample from a machine infected with dr.web (btw this north papua av considers wincheck a process.injecter, hell yeah):
    ObType Process (FFFFFA800CCCBBC0):
     DumpProcedure:        0000000000000000
     OpenProcedure:        FFFFF80003365620 \SystemRoot\system32\ntoskrnl.exe
     CloseProcedure:       FFFFF8000334C9A0 \SystemRoot\system32\ntoskrnl.exe
     DeleteProcedure:      FFFFF8000334BC50 \SystemRoot\system32\ntoskrnl.exe
     ParseProcedure:       0000000000000000
     SecurityProcedure:    FFFFF8000337D530 \SystemRoot\system32\ntoskrnl.exe
     QueryNameProcedure:   0000000000000000
     OkayToCloseProcedure: 0000000000000000
     2 callback(s):
      cb[0] operation 3
       PreOperation FFFFF88001157914 \SystemRoot\system32\drivers\dwprot.sys
      cb[1] operation 3
       PreOperation FFFFF88004890E30 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
       PreOperation FFFFF8800488EBD0 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
  • add tables checking inside wudfx02000.dll