ext-ms-win-coreui-navshutdown, he-he
Thursday, April 30, 2015
Wednesday, April 29, 2015
Cezurity cota in wincheck logs
Nothing new and interesting actually:
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
SDT entry C1 (ZwReplaceKey) hooked BA800138 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
SDT entry ED (ZwSetSecurityObject) hooked BA800102 !
Process notifiers:
[0] B9BB78D0 cz_cota.sys
Registry notifiers:
[0] B9BBCC10 cz_cota.sys
IopNotifyLastChanceShutdownQueueHead:
[0] DevObj 8AF07F18 Drv 8AF2CB40 \??\C:\WINDOWS\system32\Drivers\cz_ddall.sys
And new fltmgr instance:
INSTANCE 8AA5F720:
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: 8AA5F864
PreOperation: B9718EE0 cz_cotam.sys
PostOperation: 00000000
IRP_MJ_CREATE: 8AA5F8AC
PreOperation: B9719270 cz_cotam.sys
PostOperation: 00000000
IRP_MJ_WRITE: 8AA5F894
PreOperation: B9719020 cz_cotam.sys
PostOperation: 00000000
IRP_MJ_SET_INFORMATION: 8AA5F87C
PreOperation: B9718F50 cz_cotam.sys
PostOperation: B9718FA0 cz_cotam.sys
IRP_MJ_CLEANUP: 8AA5F8C4
PreOperation: B9718FD0 cz_cotam.sys
PostOperation: B9719000 cz_cotam.sys
INSTANCE 8AAA2008:
IRP_MJ_CREATE: 8AAA214C
PreOperation: B9BC3AE0 cz_cota.sys
PostOperation: B9BC3A40 cz_cota.sys
IRP_MJ_SET_INFORMATION: 8AAA2164
PreOperation: B9BC3930 cz_cota.sys
PostOperation: 00000000
Monday, April 27, 2015
tcpip6!ADDRESS_OBJECT
Trying to recover the offsets of the ADDRESS_OBJECT fields for tcpip6.
code from CopyAO_TCPConn function (32-bit tcpip6.sys):
    cmp byte ptr [edx+3Ah], 6 ; protocol - 0x3a
    jnz loc_12425
    mov ecx, [ebp+arg_8]
    mov eax, 0C8h
    cmp [ebp+arg_4], eax
    jb short loc_1235C
    mov dword ptr [ecx+34h], 2
    jmp short loc_12363
    loc_1235C:
    mov dword ptr [ecx+30h], 2
    loc_12363:
    cmp [ebp+arg_4], eax
    push esi
    push edi
    lea esi, [edx+24h] ; local_ip - 0x24, size 16 bytes
    jb short loc_123EC
    mov [ecx], eax
    lea edi, [ecx+4]
    movsd
    movsd
    movsd
    movsd
    mov eax, [edx+34h]
    mov [ecx+14h], eax
    movzx eax, word ptr [edx+38h] ; local_port - 0x38
code from TdiOpenAddress function:
    call _PsGetCurrentProcessId
    mov [ebx+0C8h], eax ; pid - 0xc8
    lea eax, [ebx+0D8h] ; CreateTime - 0xd8
    push eax
    call ds:__imp__KeQuerySystemTime@4
So structure ADDRESS6_OBJECT looks like:
    '_ADDRESS6_OBJECT' : [ 0x68, {
        'Next' : [ 0x0, ['pointer', ['_ADDRESS6_OBJECT']]],
        'LocalIpAddress' : [ 0x24, ['Ip6Address']],
        'LocalPort' : [ 0x38, ['unsigned be short']],
        'Protocol' : [ 0x3a, ['unsigned short']],
        'Pid' : [ 0xc8, ['unsigned long']],
        'CreateTime' : [ 0xd8, ['WinTimeStamp', dict(is_utc = True)]],
    }],
for 64bit tcpip6.sys:
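As an added example (not part of the original post, and not volatility or wincheck code), here are the recovered 32-bit offsets applied to a constructed memory dump: the block decodes each field, converts the network-order port and the FILETIME, and walks the Next chain with bounds and cycle checks so a corrupted list cannot spin forever. The dump layout, the base address 0x8A000000, the 0xE0 read span and all helper names are assumptions made for the example; only the offsets come from the disassembly above.

```python
# Decode tcpip6!_ADDRESS6_OBJECT from a raw dump with the 32-bit offsets recovered above.
# Added example, not from the original post; the sample dump is constructed here.
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# Offsets from CopyAO_TCPConn / TdiOpenAddress (32-bit tcpip6.sys)
OFF_NEXT = 0x00         # pointer to next _ADDRESS6_OBJECT
OFF_LOCAL_IP = 0x24     # 16-byte IPv6 address
OFF_LOCAL_PORT = 0x38   # u16 in network byte order
OFF_PROTOCOL = 0x3A     # u16 in the vtype; the driver compares only the low byte (6 == TCP)
OFF_PID = 0xC8          # u32 from PsGetCurrentProcessId() in TdiOpenAddress
OFF_CREATE_TIME = 0xD8  # FILETIME from KeQuerySystemTime()
# The vtype header says 0x68, which is smaller than the 0xd8 CreateTime offset, so
# this example reads 0xE0 bytes per object (an assumption, not the real object size).
READ_SPAN = 0xE0

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_address6_object(mem, off):
    """Decode one object at byte offset `off` of dump `mem`."""
    if off < 0 or off + READ_SPAN > len(mem):
        raise ValueError("object at offset 0x%x does not fit in the dump" % off)
    ip_raw = mem[off + OFF_LOCAL_IP:off + OFF_LOCAL_IP + 16]
    return {
        "Next": struct.unpack_from("<I", mem, off + OFF_NEXT)[0],
        "LocalIpAddress": str(ipaddress.IPv6Address(ip_raw)),
        "LocalPort": struct.unpack_from(">H", mem, off + OFF_LOCAL_PORT)[0],
        "Protocol": struct.unpack_from("<H", mem, off + OFF_PROTOCOL)[0],
        "Pid": struct.unpack_from("<I", mem, off + OFF_PID)[0],
        "CreateTime": filetime_to_datetime(struct.unpack_from("<Q", mem, off + OFF_CREATE_TIME)[0]),
    }

def walk_address6_list(mem, base_va, head_va, limit=4096):
    """Follow the Next chain from head_va. `mem` is a contiguous dump mapped at base_va
    (a hypothetical flat model of the pool region). Stops on NULL, on a pointer that
    leaves the dump, or on a cycle."""
    seen, objs, va = set(), [], head_va
    while va and va not in seen and len(objs) < limit:
        seen.add(va)
        off = va - base_va
        if off < 0 or off + READ_SPAN > len(mem):
            break
        obj = parse_address6_object(mem, off)
        obj["VA"] = va
        objs.append(obj)
        va = obj["Next"]
    return objs

def build_sample_object(next_va, ip, port, proto, pid, created):
    """Constructed sample: place each field at its recovered offset."""
    buf = bytearray(READ_SPAN)
    struct.pack_into("<I", buf, OFF_NEXT, next_va)
    buf[OFF_LOCAL_IP:OFF_LOCAL_IP + 16] = ipaddress.IPv6Address(ip).packed
    struct.pack_into(">H", buf, OFF_LOCAL_PORT, port)
    struct.pack_into("<H", buf, OFF_PROTOCOL, proto)
    struct.pack_into("<I", buf, OFF_PID, pid)
    struct.pack_into("<Q", buf, OFF_CREATE_TIME, datetime_to_filetime(created))
    return bytes(buf)

SAMPLE_BASE_VA = 0x8A000000  # hypothetical address of the dumped region
SAMPLE_CREATED = datetime(2015, 4, 27, 12, 0, 0, tzinfo=timezone.utc)

def sample_dump():
    """Two linked objects: TCP [::]:443 owned by pid 1234, then UDP [fe80::1]:53 owned by pid 4."""
    second_va = SAMPLE_BASE_VA + READ_SPAN
    return (build_sample_object(second_va, "::", 443, 6, 1234, SAMPLE_CREATED)
            + build_sample_object(0, "fe80::1", 53, 17, 4, SAMPLE_CREATED))

if __name__ == "__main__":
    for o in walk_address6_list(sample_dump(), SAMPLE_BASE_VA, SAMPLE_BASE_VA):
        print("%08X %-3s [%s]:%d pid=%d created=%s" % (
            o["VA"], {6: "TCP", 17: "UDP"}.get(o["Protocol"], "?"), o["LocalIpAddress"],
            o["LocalPort"], o["Pid"], o["CreateTime"].isoformat()))
```

The port is unpacked with `>H` because the vtype marks it `unsigned be short`; reading it little-endian would turn port 443 (bytes 01 BB) into 47873, which is the kind of mistake that only shows up when the listing is compared against netstat on the live box.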
Wednesday, April 15, 2015
Saturday, April 4, 2015
windows 10 win32kbase.sys exports
It seems that Windows 10 moved some important data (like gpepCSRSS or gpsi) from win32k.sys to win32kbase.sys and made them exported. I think it's an epic win, he-he
Thursday, April 2, 2015
wincheck rc8.54
download
mirror
Changelog:
- add support of windows10 build 10041.
- add -obcb key for dumping object type callbacks. Sample from a machine infected with dr.web (btw this north papua av considers wincheck a process.injecter, hell yeah):
ObType Process (FFFFFA800CCCBBC0):
DumpProcedure: 0000000000000000
OpenProcedure: FFFFF80003365620 \SystemRoot\system32\ntoskrnl.exe
CloseProcedure: FFFFF8000334C9A0 \SystemRoot\system32\ntoskrnl.exe
DeleteProcedure: FFFFF8000334BC50 \SystemRoot\system32\ntoskrnl.exe
ParseProcedure: 0000000000000000
SecurityProcedure: FFFFF8000337D530 \SystemRoot\system32\ntoskrnl.exe
QueryNameProcedure: 0000000000000000
OkayToCloseProcedure: 0000000000000000
2 callback(s):
cb[0] operation 3
PreOperation FFFFF88001157914 \SystemRoot\system32\drivers\dwprot.sys
cb[1] operation 3
PreOperation FFFFF88004890E30 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
PreOperation FFFFF8800488EBD0 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
- add checking of tables inside wudfx02000.dll
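As an added example (not part of wincheck, and not from the original posts), here is a parser that turns wincheck output into a per-driver inventory. It serves both the Cezurity dump from April 29 (SDT hooks, process/registry notifiers, fltmgr instances) and the -obcb object-callback dump above. SAMPLE is an excerpt of the logs reproduced on this page; the finding strings, the helper names and the choice to report SDT handlers as an address span (wincheck does not name the owning module) are mine. The OB_OPERATION_HANDLE_CREATE = 1 and OB_OPERATION_HANDLE_DUPLICATE = 2 bit values come from ntddk.h, so "operation 3" means both.

```python
# Per-driver inventory of kernel hooks from wincheck output. Added example, not part of wincheck.
import re
from collections import defaultdict

OB_OPERATIONS = {1: "HANDLE_CREATE", 2: "HANDLE_DUPLICATE"}  # OB_OPERATION_* bits from ntddk.h

SDT_RE = re.compile(r"SDT entry ([0-9A-Fa-f]+) \((\w+)\) hooked ([0-9A-Fa-f]+)")
NOTIFIER_HDR_RE = re.compile(r"^(\w+) notifiers:$")
NOTIFIER_RE = re.compile(r"^\[\d+\] ([0-9A-Fa-f]+) (\S+)$")
INSTANCE_RE = re.compile(r"^INSTANCE ([0-9A-Fa-f]+):$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+): ([0-9A-Fa-f]+)$")
FLT_OP_RE = re.compile(r"^(Pre|Post)Operation: ([0-9A-Fa-f]+)(?: (\S+))?$")
OBTYPE_RE = re.compile(r"^ObType (\w+) \(([0-9A-Fa-f]+)\):$")
CB_RE = re.compile(r"^cb\[\d+\] operation (\d+)$")
OB_OP_RE = re.compile(r"^(Pre|Post)Operation ([0-9A-Fa-f]+) (\S+)$")

def ob_operation_names(mask):
    """Decode the -obcb 'operation' mask (3 == HANDLE_CREATE|HANDLE_DUPLICATE)."""
    names = [name for bit, name in OB_OPERATIONS.items() if mask & bit]
    if mask & ~sum(OB_OPERATIONS):
        names.append("unknown(0x%x)" % (mask & ~sum(OB_OPERATIONS)))
    return names

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_wincheck(text):
    """Return {"sdt": [(index, name, handler)], "drivers": {image: [finding, ...]}}."""
    sdt, drivers, ctx = [], defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SDT_RE.search(line):  # SDT hooks carry no module name, only the handler address
            sdt.append((int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
        elif m := NOTIFIER_HDR_RE.match(line):
            ctx = {"kind": "notifier", "what": m.group(1).lower()}
        elif m := INSTANCE_RE.match(line):
            ctx = {"kind": "minifilter", "instance": m.group(1), "irp": None}
        elif m := OBTYPE_RE.match(line):
            ctx = {"kind": "obcb", "type": m.group(1), "ops": None}
        elif ctx.get("kind") == "notifier" and (m := NOTIFIER_RE.match(line)):
            drivers[basename(m.group(2))].append("%s notifier @%s" % (ctx["what"], m.group(1)))
        elif ctx.get("kind") == "minifilter":
            if m := IRP_RE.match(line):
                ctx["irp"] = m.group(1)
            elif (m := FLT_OP_RE.match(line)) and m.group(3) and ctx["irp"]:
                # "PostOperation: 00000000" has no module and is skipped
                drivers[basename(m.group(3))].append(
                    "minifilter %s %s (instance %s)" % (m.group(1).lower(), ctx["irp"], ctx["instance"]))
        elif ctx.get("kind") == "obcb":
            if m := CB_RE.match(line):
                ctx["ops"] = "|".join(ob_operation_names(int(m.group(1))))
            elif (m := OB_OP_RE.match(line)) and ctx["ops"]:
                drivers[basename(m.group(3))].append(
                    "ob %s callback on %s for %s" % (m.group(1).lower(), ctx["type"], ctx["ops"]))
    return {"sdt": sdt, "drivers": dict(drivers)}

def summarize(parsed):
    """Human-readable lines; SDT handlers are reported as an address span for manual attribution."""
    out = []
    if parsed["sdt"]:
        addrs = [a for _, _, a in parsed["sdt"]]
        out.append("%d SDT hooks, handlers in %08X..%08X" % (len(addrs), min(addrs), max(addrs)))
    for image, findings in sorted(parsed["drivers"].items()):
        out.append("%s: %s" % (image, "; ".join(findings)))
    return out

# Constructed input: an excerpt of the wincheck output reproduced on this page
SAMPLE = r"""
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
Process notifiers:
[0] B9BB78D0 cz_cota.sys
Registry notifiers:
[0] B9BBCC10 cz_cota.sys
INSTANCE 8AAA2008:
IRP_MJ_CREATE: 8AAA214C
PreOperation: B9BC3AE0 cz_cota.sys
PostOperation: B9BC3A40 cz_cota.sys
IRP_MJ_SET_INFORMATION: 8AAA2164
PreOperation: B9BC3930 cz_cota.sys
PostOperation: 00000000
ObType Process (FFFFFA800CCCBBC0):
cb[0] operation 3
PreOperation FFFFF88001157914 \SystemRoot\system32\drivers\dwprot.sys
cb[1] operation 3
PreOperation FFFFF88004890E30 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
PreOperation FFFFF8800488EBD0 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_wincheck(SAMPLE))))
```

The parser is state-driven because wincheck's lines only make sense relative to the last header: a "PreOperation" line is a minifilter callback under an INSTANCE/IRP_MJ_* pair but an object callback under ObType/cb[n], and only the latter carries a full image path. The SDT span (BA800060..BA80016E here) is what you would then resolve by hand against the loaded module list, since the hook lines themselves name no driver.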