Saturday, December 5, 2015

WNF identifiers

I have made a mistake in my previous article about WNF. It seems that WNF identifiers are not a standard IID but a pair of DWORDs, so struct my_wnf_item actually looks like:
// struct can be ripped from ntdll!RtlpCreateWnfNameSubscription
struct wnf_name
{
/*  0x0 */  DWORD tag; // 0x980912 under x64, 0x700912 under x86
/*  0x4 */  DWORD unk4;
/*  0x8 */  DWORD unk8;
/*  0xC */  DWORD unkC;
/* 0x10 */  DWORD id1;
/* 0x14 */  DWORD id2;
};
 

struct my_wnf_item
{
  LIST_ENTRY List; // linked list of my_wnf_item
  wnf_name *wnfId;
  PBYTE notify;
};


Sample from windows 10 build 10586:
CheckProcess PID 420 (csrss.exe):
PEB.NtGlobalFlag: 0
PEB.Ldr: 00007FF946ED5200
PEB.GdiSharedHandleTable: 000001EFD8BC0000
WnfRoot: 000001EFD8A05BF0
 Wnf[0] at 000001EFD8A08238: id1 A3BC4035 id2 96003D (WNF_PNPA_PORTS_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[1] at 000001EFD8A080C8: id1 A3BC3875 id2 96003D (WNF_PNPA_PORTS_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[2] at 000001EFD8A07F58: id1 A3BC3035 id2 96003D (WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[3] at 000001EFD8A07DE8: id1 A3BC2875 id2 96003D (WNF_PNPA_HARDWAREPROFILES_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[4] at 000001EFD8A07C78: id1 A3BC2035 id2 96003D (WNF_PNPA_VOLUMES_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[5] at 000001EFD8A07B08: id1 A3BC1875 id2 96003D (WNF_PNPA_VOLUMES_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[6] at 000001EFD8A04EF8: id1 A3BC1035 id2 96003D (WNF_PNPA_DEVNODES_CHANGED_SESSION) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)
 Wnf[7] at 000001EFD8A05058: id1 A3BC0875 id2 96003D (WNF_PNPA_DEVNODES_CHANGED) - 00007FF943335410 (C:\Windows\system32\winsrv.DLL)


List of some WNF identifiers (certainly not complete):

Thursday, November 19, 2015

Wednesday, November 18, 2015

apisetschema.dll from windows 10 build 10586

Several new modules were added:
  • api-ms-win-core-enclave
  • api-ms-win-eventing-tdh
  • ext-ms-win-mininput-systeminputhost
  • ext-ms-win-rtcore-ntuser-inputintercept
  • ext-ms-win-security-srp

Friday, October 9, 2015

using CFG on older Windows

As you may know, support for Control Flow Guard (CFG) exists only since Windows 10. But it seems that you can still gain some profit from CFG on older versions of Windows (for example in fuzzers/honeypots)

1) you need to inject your code into the target process
2) you must check whether CFG is present in your target module. It seems that the MS linker has a bug: DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size equals 0x40, but IMAGE_LOAD_CONFIG_DIRECTORY.Size contains the right value
3) you just patch the pointer in *(IMAGE_LOAD_CONFIG_DIRECTORY.GuardCFCheckFunctionPointer) to your handler. Prototype of the handler:
void __fastcall my_check_icall(PBYTE addr)
4) now you can check the addr parameter. One possible check: just see whether this addr is located in some loaded module, which you can find by traversing PEB_LDR_DATA
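An added example for step 2, not code from the post: a Python check that reads IMAGE_LOAD_CONFIG_DIRECTORY from a byte buffer and trusts the structure's own Size field rather than the data-directory size, as the linker quirk above requires. The field offsets are the winnt.h layout of the 32- and 64-bit structures (assumed; the post gives none), the sample load config is constructed rather than taken from a real binary, and the function only reports the CFG state of a module, it patches nothing.

```python
import struct

# IMAGE_LOAD_CONFIG_DIRECTORY32/64 field offsets from the winnt.h layout
# (assumed here; the post gives no offsets). 0x40 is exactly the size of the
# 32-bit structure up to and including SecurityCookie, so a directory size
# of 0x40 would wrongly suggest that the Guard* fields are absent.
LOAD_CONFIG_FIELDS = {
    32: {"Size": 0x00, "SecurityCookie": 0x3C, "GuardCFCheckFunctionPointer": 0x48,
         "GuardCFFunctionTable": 0x50, "GuardCFFunctionCount": 0x54, "GuardFlags": 0x58},
    64: {"Size": 0x00, "SecurityCookie": 0x58, "GuardCFCheckFunctionPointer": 0x70,
         "GuardCFFunctionTable": 0x80, "GuardCFFunctionCount": 0x88, "GuardFlags": 0x90},
}
IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400


def cfg_status(load_config, dir_size, bits):
    """Decide whether a module carries CFG.

    load_config: raw bytes of IMAGE_LOAD_CONFIG_DIRECTORY as mapped in the image
    dir_size:    DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size
    bits:        32 or 64
    The structure's own Size field is authoritative; dir_size is only reported.
    """
    f = LOAD_CONFIG_FIELDS[bits]
    ptr_fmt = "<I" if bits == 32 else "<Q"
    needed = f["GuardFlags"] + 4
    struct_size = struct.unpack_from("<I", load_config, f["Size"])[0]
    result = {
        "dir_size": dir_size,
        "struct_size": struct_size,
        "dir_size_covers_guard": dir_size >= needed,
    }
    if struct_size < needed or len(load_config) < needed:
        result.update(cfg=False, reason="load config too short for Guard fields")
        return result
    flags = struct.unpack_from("<I", load_config, f["GuardFlags"])[0]
    check_slot = struct.unpack_from(ptr_fmt, load_config, f["GuardCFCheckFunctionPointer"])[0]
    count = struct.unpack_from(ptr_fmt, load_config, f["GuardCFFunctionCount"])[0]
    result.update(
        cfg=bool(flags & IMAGE_GUARD_CF_INSTRUMENTED),
        guard_flags=flags,
        # VA of the pointer slot (__guard_check_icall_fptr), not of the check routine itself
        check_fptr_slot_va=check_slot,
        function_count=count,
        has_function_table=bool(flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT),
    )
    return result


def make_sample_load_config32(with_cfg):
    """Constructed 32-bit load config (not from a real binary), 0x5C bytes so
    that the structure's Size covers GuardFlags. All VAs are made up."""
    f = LOAD_CONFIG_FIELDS[32]
    buf = bytearray(0x5C)
    struct.pack_into("<I", buf, f["Size"], len(buf))
    struct.pack_into("<I", buf, f["SecurityCookie"], 0x10001234)
    if with_cfg:
        struct.pack_into("<I", buf, f["GuardCFCheckFunctionPointer"], 0x10002000)
        struct.pack_into("<I", buf, f["GuardCFFunctionTable"], 0x10003000)
        struct.pack_into("<I", buf, f["GuardCFFunctionCount"], 42)
        struct.pack_into("<I", buf, f["GuardFlags"],
                         IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT)
    return bytes(buf)


if __name__ == "__main__":
    # The directory entry claims 0x40 bytes (the linker quirk from step 2),
    # yet the structure itself says 0x5C and the Guard fields are valid.
    print(cfg_status(make_sample_load_config32(True), dir_size=0x40, bits=32))
    print(cfg_status(make_sample_load_config32(False), dir_size=0x40, bits=32))
```

The check deliberately also refuses a buffer that is physically shorter than the Guard fields, so a truncated or hand-built load config cannot be misread as CFG-enabled.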

Have fun!

Wednesday, September 9, 2015

iertutil.dll unnamed exports

Perl script to make such files (must be run after applying the appropriate .pdb):
#!perl -w
use strict;
use warnings;
use IDA;

my $with_addr = 0;

my $exp_cnt = GetEntryPointQty();
my $dparm = GetLongPrm(INF_SHORT_DN);
my($fh, $name, $mang, $i, $ord, $addr);
if ( $exp_cnt )
{
  open($fh, '>', "exp") or die("Cannot open file exp, error $!\n");
  for ( $i = 0; $i < $exp_cnt; $i++ )
  {
    $ord = GetEntryOrdinal($i);
    $name = GetEntryName($ord);
    $addr = GetEntryPoint($ord);
    next if ( $addr == BADADDR );
    next if ( $name !~ /_\d+$/i );
    $mang = GetTrueNameEx(BADADDR, $addr);
    $name = Demangle($mang, $dparm);
    $name =~ s/\(.*\)//g;
    if ( $name ne '' )
    {
      if ( $with_addr )
      {
        printf($fh "%d %X %s ; %s\n", $ord, $addr, $name, $mang);
      } else {
        printf($fh "%d %s ; %s\n", $ord, $name, $mang);
      }
    } else {
      if ( $with_addr )
      {
        printf($fh "%d %X %s\n", $ord, $addr, $mang);
      } else {
        printf($fh "%d %s\n", $ord, $mang);
      }
    }
  }
  close $fh;
}

Tuesday, September 8, 2015

urlmon unnamed exports

It seems that ordinal 470 (RegisterProtocolMonitor) is used in networkinspection.dll
This info was ripped from IDA Pro with a simple perl script

Sunday, July 26, 2015

pdbdump for vs2015 pdbs

It seems that sourceforge has finally come out of its coma, so today I committed patches to my version of pdbdump for some support of vs2015 pdb files
Also I added support for the DIA SDK from Microsoft Visual Studio 12.0 (patch 67)

Monday, June 22, 2015

Thursday, June 11, 2015

is vtguard slow?

Saw some strange code in fresh mshtml.dll (version 11.00.9600.17842) after the June 2015 security update:

.text:635F4700 ?ReleaseInterface@@YGXPAUIUnknown@@@Z proc near
.text:635F4700   mov   edi, edi
.text:635F4702   push  esi
.text:635F4703   push  edi
.text:635F4704   test  ecx, ecx
.text:635F4706   jnz   short loc_635F470B
.text:635F4708 loc_635F4708:

.text:635F4708   pop   edi
.text:635F4709   pop   esi
.text:635F470A   retn

.text:635F470B loc_635F470B:
.text:635F470B   mov   eax, [ecx]
.text:635F470D   mov   edi, [eax+8]
.text:635F4710   cmp   edi, offset ?PrivateRelease@CElement@@UAGKXZ ; CElement::PrivateRelease(void)
.text:635F4716   jz    loc_6362BE29
.text:635F471C   cmp   edi, offset ?PlainRelease@@YGKPAUTEAROFF_THUNK@@@Z ; PlainRelease(TEAROFF_THUNK *)
.text:635F4722   jz    loc_6362B928
.text:635F4728   mov   esi, esp
.text:635F472A   push  ecx
.text:635F472B   mov   ecx, edi
.text:635F472D   call  ds:___guard_check_icall_fptr
.text:635F4733   call  edi
.text:635F4735   cmp   esi, esp
.text:635F4737   jz    short loc_635F4708
.text:635F4739   jmp   loc_63CA3FDD
.text:635F4739 ?ReleaseInterface@@YGXPAUIUnknown@@@Z endp


.text:6362BE29 loc_6362BE29:
.text:6362BE29   push  ecx
.text:6362BE2A   call  ?PrivateRelease@CElement@@UAGKXZ ; CElement::PrivateRelease(void)
.text:6362BE2F   jmp   loc_635F4708


.text:6362B928 loc_6362B928:
.text:6362B928   push  ecx                             ; struct TEAROFF_THUNK *
.text:6362B929   call  ?PlainRelease@@YGKPAUTEAROFF_THUNK@@@Z ; PlainRelease(TEAROFF_THUNK *)
.text:6362B92E   jmp   loc_635F4708
It seems that the compiler added checks for some (most frequently called) methods and calls them directly with no vtguard. I wonder why such an optimization may be needed?

Tuesday, May 5, 2015

wincheck rc8.55

download
mirror
Changelog:
  • add support of windows10 build 10074
  • add -gahti option to dump win32k!gahti
  • add -sockets option to dump from tcpip.sys sockets and established connections. xp/w2k3 only
  • add -sockets6 option to dump from tcpip6.sys sockets and established connections. xp/w2k3 only
  • add checking win32k!gDxgkWin32kEngInterface
  • add Period in timers dump
  • lots of bugs were fixed

Thursday, April 30, 2015

Wednesday, April 29, 2015

Cezurity cota in wincheck logs

Nothing new and interesting actually:
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
SDT entry C1 (ZwReplaceKey) hooked BA800138 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
SDT entry ED (ZwSetSecurityObject) hooked BA800102 !


Process notifiers:
[0] B9BB78D0 cz_cota.sys


Registry notifiers:
[0] B9BBCC10 cz_cota.sys


IopNotifyLastChanceShutdownQueueHead:
 [0] DevObj 8AF07F18 Drv 8AF2CB40 \??\C:\WINDOWS\system32\Drivers\cz_ddall.sys

And new fltmgr instances:
 INSTANCE 8AA5F720:
  IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: 8AA5F864
   PreOperation:            B9718EE0 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_CREATE: 8AA5F8AC
   PreOperation:            B9719270 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_WRITE: 8AA5F894
   PreOperation:            B9719020 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_SET_INFORMATION: 8AA5F87C
   PreOperation:            B9718F50 cz_cotam.sys
   PostOperation:           B9718FA0 cz_cotam.sys
  IRP_MJ_CLEANUP: 8AA5F8C4
   PreOperation:            B9718FD0 cz_cotam.sys
   PostOperation:           B9719000 cz_cotam.sys

 INSTANCE 8AAA2008:
  IRP_MJ_CREATE: 8AAA214C
   PreOperation:            B9BC3AE0 cz_cota.sys
   PostOperation:           B9BC3A40 cz_cota.sys
  IRP_MJ_SET_INFORMATION: 8AAA2164
   PreOperation:            B9BC3930 cz_cota.sys
   PostOperation:           00000000

Monday, April 27, 2015

tcpip6!ADDRESS_OBJECT

Trying to recover the offsets of ADDRESS_OBJECT fields for tcpip6.
Code from the CopyAO_TCPConn function:
  cmp   byte ptr [edx+3Ah], 6       ; protocol - 0x3a
  jnz   loc_12425
  mov   ecx, [ebp+arg_8]
  mov   eax, 0C8h
  cmp   [ebp+arg_4], eax
  jb    short loc_1235C
  mov   dword ptr [ecx+34h], 2
  jmp   short loc_12363

loc_1235C:

  mov   dword ptr [ecx+30h], 2
loc_12363:

  cmp   [ebp+arg_4], eax
  push  esi
  push  edi
  lea   esi, [edx+24h]              ; local_ip - 0x24, size 16 bytes
  jb    short loc_123EC
  mov   [ecx], eax
  lea   edi, [ecx+4]
  movsd
  movsd
  movsd
  movsd
  mov   eax, [edx+34h]
  mov   [ecx+14h], eax
  movzx eax, word ptr [edx+38h]     ; local_port - 0x38


Code from the TdiOpenAddress function:
  call  _PsGetCurrentProcessId
  mov   [ebx+0C8h], eax   ; pid - 0xc8
  lea   eax, [ebx+0D8h]   ; CreateTime - 0xd8
  push  eax

  call  ds:__imp__KeQuerySystemTime@4

So the structure ADDRESS6_OBJECT looks like:
'_ADDRESS6_OBJECT' : [ 0x68, {
'Next' : [ 0x0, ['pointer', ['_ADDRESS6_OBJECT']]],
'LocalIpAddress' : [ 0x24, ['Ip6Address']],
'LocalPort' : [ 0x38, ['unsigned be short']],
'Protocol' : [ 0x3a, ['unsigned short']],
'Pid' : [ 0xc8, ['unsigned long']],
'CreateTime' : [ 0xd8, ['WinTimeStamp', dict(is_utc = True)]],
}],
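An added example, not from the post: a Python parser for ADDRESS6_OBJECT that uses exactly the offsets recovered above for 32-bit tcpip6.sys, reads LocalPort in network byte order and converts CreateTime from a FILETIME. The memory blobs and their addresses are constructed test data. One caveat worth noting: the largest recovered offset (CreateTime at 0xd8) lies beyond the 0x68 size declared in the vtype, so the parser insists on at least 0xe0 bytes per object.

```python
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# Offsets recovered above for 32-bit tcpip6.sys.
OFF_NEXT = 0x00
OFF_LOCAL_IP = 0x24
OFF_LOCAL_PORT = 0x38   # stored in network byte order
OFF_PROTOCOL = 0x3A     # 6 = TCP, as in 'cmp byte ptr [edx+3Ah], 6' above
OFF_PID = 0xC8
OFF_CREATE_TIME = 0xD8  # FILETIME written by KeQuerySystemTime
# The vtype declares 0x68 bytes, but Pid and CreateTime lie past that,
# so a usable object needs at least CreateTime + 8 bytes.
MIN_SIZE = OFF_CREATE_TIME + 8

PROTOCOLS = {6: "TCP", 17: "UDP"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_address6_object(blob):
    if len(blob) < MIN_SIZE:
        raise ValueError(f"ADDRESS6_OBJECT needs {MIN_SIZE:#x} bytes, got {len(blob):#x}")
    proto = struct.unpack_from("<H", blob, OFF_PROTOCOL)[0]
    return {
        "next": struct.unpack_from("<I", blob, OFF_NEXT)[0],
        "local_ip": str(ipaddress.IPv6Address(bytes(blob[OFF_LOCAL_IP:OFF_LOCAL_IP + 16]))),
        "local_port": struct.unpack_from(">H", blob, OFF_LOCAL_PORT)[0],
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, str(proto)),
        "pid": struct.unpack_from("<I", blob, OFF_PID)[0],
        "create_time": filetime_to_datetime(struct.unpack_from("<Q", blob, OFF_CREATE_TIME)[0]),
    }


def make_address6_object(next_ptr, ip, port, proto, pid, created_iso):
    """Build a constructed ADDRESS6_OBJECT blob (test data, not a real capture)."""
    buf = bytearray(MIN_SIZE)
    struct.pack_into("<I", buf, OFF_NEXT, next_ptr)
    buf[OFF_LOCAL_IP:OFF_LOCAL_IP + 16] = ipaddress.IPv6Address(ip).packed
    struct.pack_into(">H", buf, OFF_LOCAL_PORT, port)
    struct.pack_into("<H", buf, OFF_PROTOCOL, proto)
    struct.pack_into("<I", buf, OFF_PID, pid)
    struct.pack_into("<Q", buf, OFF_CREATE_TIME,
                     datetime_to_filetime(datetime.fromisoformat(created_iso)))
    return bytes(buf)


def walk_address_list(memory, head):
    """Follow Next pointers through {address: blob}, a stand-in for a memory image.
    A seen-set guards against a corrupted or looping list."""
    seen, out, addr = set(), [], head
    while addr and addr in memory and addr not in seen:
        seen.add(addr)
        obj = parse_address6_object(memory[addr])
        out.append((addr, obj))
        addr = obj["next"]
    return out


# Constructed two-element list; the addresses are made up.
SAMPLE_MEMORY = {
    0x8AA5F000: make_address6_object(0x8AA5F100, "::1", 445, 6, 4, "2015-04-27T12:00:00+00:00"),
    0x8AA5F100: make_address6_object(0, "fe80::1", 53, 17, 1040, "2015-04-27T12:05:00+00:00"),
}

if __name__ == "__main__":
    for addr, o in walk_address_list(SAMPLE_MEMORY, 0x8AA5F000):
        print(f"{addr:08X} {o['protocol_name']:<4} [{o['local_ip']}]:{o['local_port']} "
              f"pid={o['pid']} created={o['create_time'].isoformat()}")
```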
for 64bit tcpip6.sys:

Wednesday, April 15, 2015

Saturday, April 4, 2015

windows 10 win32kbase.sys exports

It seems that Windows 10 moved some important data (like gpepCSRSS or gpsi) from win32k.sys to win32kbase.sys and made it exported. I think it's an epic win, he-he

Thursday, April 2, 2015

wincheck rc8.54

download
mirror
Changelog:
  • add support of windows10 build 10041.
  • add -obcb key for dumping object type callbacks. Sample from a machine infected with dr.web (btw this north papua av considers wincheck as process.injecter, hell yeah):
    ObType Process (FFFFFA800CCCBBC0):
     DumpProcedure:        0000000000000000
     OpenProcedure:        FFFFF80003365620 \SystemRoot\system32\ntoskrnl.exe
     CloseProcedure:       FFFFF8000334C9A0 \SystemRoot\system32\ntoskrnl.exe
     DeleteProcedure:      FFFFF8000334BC50 \SystemRoot\system32\ntoskrnl.exe
     ParseProcedure:       0000000000000000
     SecurityProcedure:    FFFFF8000337D530 \SystemRoot\system32\ntoskrnl.exe
     QueryNameProcedure:   0000000000000000
     OkayToCloseProcedure: 0000000000000000
     2 callback(s):
      cb[0] operation 3
       PreOperation FFFFF88001157914 \SystemRoot\system32\drivers\dwprot.sys
      cb[1] operation 3
       PreOperation FFFFF88004890E30 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
       PreOperation FFFFF8800488EBD0 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
  • add tables checking inside wudfx02000.dll

Friday, February 20, 2015

wincheck rc8.53

Download
Mirror
Changelog:

Tuesday, February 10, 2015

lsasrv.dll!LsapLoadLsaDbExtensionDll

It seems that since Windows 8 lsasrv.dll allows loading an arbitrary .dll inside the lsass process.
Let's check the function LsapLoadLsaDbExtensionDll:

  lea   eax, [ebp+LibFileName]
  push  eax
  push  0
  push  6
  push  offset aLsadbextpt              ; "LsaDbExtPt"
  push  offset aSystemCurrentc          ; "SYSTEM\\CurrentControlSet\\Services\\NTDS"
  push  80000002h
  call  ds:__imp__RegGetValueW@28       ; RegGetValueW(x,x,x,x,x,x,x)
  test  eax, eax
  jz    loc_509D269B
...

loc_509D269B:                          
  push  8                               ; dwFlags
  push  0                               ; hFile
  lea   eax, [ebp+LibFileName]
  push  eax                             ; lpLibFileName
  call  ds:__imp__LoadLibraryExW@12     ; LoadLibraryExW(x,x,x)
  mov   edi, eax
  test  edi, edi
  jz    loc_509342CB
  push  offset aInitializelsad          ; "InitializeLsaDbExtension"
  push  edi                             ; hModule
  call  ds:__imp__GetProcAddress@8      ; GetProcAddress(x,x)
  mov   esi, eax
  test  esi, esi
  jnz   short loc_509D26D2
  mov   esi, STATUS_ENTRYPOINT_NOT_FOUND
  jmp   loc_509342CB
...

loc_509D26D2:                          
  mov   eax, large fs:30h
  push  150h
  push  0
  push  dword ptr [eax+18h]
  call  ds:__imp__RtlAllocateHeap@12    ; RtlAllocateHeap(x,x,x)
  mov   ebx, eax
  test  ebx, ebx
  jnz   short loc_509D26F8
  mov   esi, STATUS_NO_MEMORY
  jmp   loc_509342CB
...

  push  ebx
  call  esi
  mov   esi, eax
  test  esi, esi
  js    loc_509342CB
  push  0                               ; Comperand
  push  ebx                             ; Exchange
  push  offset _g_pLsaExtensionTableLsaDb ; Destination
  call  ds:__imp__InterlockedCompareExchange@12 ; InterlockedCompareExchange(x,x,x)
  test  eax, eax
  jnz   loc_50954E98
This code reads the (undocumented) LsaDbExtPt value under SYSTEM\CurrentControlSet\Services\NTDS, loads the dll whose name is stored in that value, allocates some memory (size 0x150, 0x2A0 on x64) and calls its exported function InitializeLsaDbExtension
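From the defender's side the useful check is whether LsaDbExtPt is set at all. As an added example, not from the post: a Python parser for a Windows .reg export (the offline form of `reg export HKLM\SYSTEM\CurrentControlSet\Services\NTDS file.reg`) that decodes REG_SZ, REG_DWORD and hex(2) REG_EXPAND_SZ values and reports the DLL path when the value is present. The key path and value name are the post's; the two exports and the DLL path they contain are constructed samples.

```python
import re

NTDS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS"
VALUE_NAME = "LsaDbExtPt"


def _decode_reg_value(raw):
    """Decode the right-hand side of a .reg value line."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ: "C:\\path"
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):                            # REG_DWORD
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.S)     # hex: or hex(n):
    if m:
        kind = int(m.group(1) or 3)
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(2)))
        if kind in (1, 2, 7):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a .reg export."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):   # hex continuation lines
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = _decode_reg_value(value)
    return keys


def find_lsa_db_extension(reg_text):
    """Report whether the NTDS key names an LsaDbExtPt DLL."""
    values = parse_reg_export(reg_text).get(NTDS_KEY, {})
    dll = values.get(VALUE_NAME)
    return {"present": dll is not None, "dll": dll}


# Constructed export: NTDS key without the value.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS]
"Start"=dword:00000002
"""

# Constructed export: the same key with a REG_EXPAND_SZ value naming C:\Temp\x.dll
# (a made-up path), split over two lines the way reg.exe writes hex values.
SAMPLE_SUSPECT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS]
"Start"=dword:00000002
"LsaDbExtPt"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,\
  78,00,2e,00,64,00,6c,00,6c,00,00,00
"""

if __name__ == "__main__":
    print(find_lsa_db_extension(SAMPLE_CLEAN))
    print(find_lsa_db_extension(SAMPLE_SUSPECT))
```

Any non-empty result here names a module that lsass will load and call, so it belongs on the list of values to baseline and alert on; on a live system the same lookup can be done with the winreg module instead of an export.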

Thursday, February 5, 2015

wincheck rc8.52

Added support for Windows 10 (Technical Preview, builds 9879 & 9926)

Download
Mirror

Tuesday, February 3, 2015

Monday, February 2, 2015

bug in vs2010 inlined function

Everyone knows how to calculate crc32, yeah?
Let's see the output from Visual Studio 2010 for the inlined version of crc32:

Here list is an alias for the ecx register:

  mov     [ebp+params.list_rva], list  
  not     cl 
  movzx   list, cl ; ok, now in ECX 00 00 00 cl
  mov     eax, ds:CRCTable[list*4]
  xor     eax, 0FFFFFFh 
  movzx   ebx, al
  movzx   list, ch ; wait, CH now zero bcs of previous movzx ecx, cl !
  shr     eax, 8
  xor     list, ebx
  xor     eax, ds:CRCTable[list*4]
  movzx   list, byte ptr [ebp+params.list_rva+2]
  movzx   ebx, al
  shr     eax, 8
  xor     list, ebx
  xor     eax, ds:CRCTable[list*4]
  movzx   list, byte ptr [ebp+params.list_rva+3]
  movzx   ebx, al
It is obvious that the result of this function is incorrect
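To make the effect concrete, here is an added Python model (not from the post): a correct table-driven CRC-32 over the four bytes of the 32-bit value held in list, next to a model of the emitted instruction sequence in which the second table index comes from the already-zeroed CH. The two agree only when byte 1 of the value is zero, which is how such a bug can survive testing; the reference is checked against zlib.crc32 once the final inversion (absent from the listing) is applied.

```python
import zlib


def make_crc_table():
    """Reflected CRC-32 table (polynomial 0xEDB88320), i.e. CRCTable in the listing."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc_table()


def crc32_step(crc, byte):
    """One table-driven round: crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)."""
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


def crc32_partial_correct(value):
    """CRC-32 over the four little-endian bytes of a 32-bit value, starting from
    0xFFFFFFFF and stopping before the final inversion, like the listing."""
    crc = 0xFFFFFFFF
    for b in value.to_bytes(4, "little"):
        crc = crc32_step(crc, b)
    return crc


def crc32_partial_as_emitted(value):
    """Model of the VS2010 sequence. 'movzx list, cl' zero-extends CL into ECX,
    so when 'movzx list, ch' runs CH is already 0: round two mixes in 0
    instead of byte 1 of the value."""
    b0, _b1, b2, b3 = value.to_bytes(4, "little")
    ch_after_movzx = 0
    crc = CRC_TABLE[(~b0) & 0xFF] ^ 0x00FFFFFF   # not cl; movzx list, cl; xor eax, 0FFFFFFh
    crc = crc32_step(crc, ch_after_movzx)        # movzx list, ch  (should have been b1)
    crc = crc32_step(crc, b2)                    # byte ptr [ebp+params.list_rva+2]
    crc = crc32_step(crc, b3)                    # byte ptr [ebp+params.list_rva+3]
    return crc


def bug_is_masked(value):
    """True when byte 1 of the value is zero, the only case where both agree."""
    return ((value >> 8) & 0xFF) == 0


def matches_zlib(value):
    """Reference check: with the final inversion applied, the correct version must equal zlib's CRC-32."""
    return (crc32_partial_correct(value) ^ 0xFFFFFFFF) == zlib.crc32(value.to_bytes(4, "little"))


if __name__ == "__main__":
    for v in (0x00000012, 0x00001234):
        print(f"{v:08X}: correct={crc32_partial_correct(v):08X} "
              f"emitted={crc32_partial_as_emitted(v):08X} masked={bug_is_masked(v)}")
```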

Friday, January 30, 2015

modernexecserver.dll RPC interface

The version info says "Modern Execution Server". I don't know what this means
8EC21E98-B5CE-4916-A3D6-449FA428A007 version 0.0
19 methods:
  • FmMuxSrvRegisterCoreUIEndpoints
  • FmMuxSrvLaunchTask
  • FmMuxSrvResumeTask
  • FmMuxSrvPauseTask
  • FmMuxSrvCancelTask
  • FmMuxSrvAbortTask
  • FmMuxSrvGetTaskPid
  • FmMuxSrvSetTaskDehydrationEligibility
  • FmMuxSrvResolveApplicationUri
  • FmMuxSrvGetActivationPolicy
  • FmMuxSrvShutdown
  • FmMuxSrvSetForegroundTaskInstanceId
  • FmMuxSrvGenerateActivationInstanceId
  • FmMuxSrvActivationPrerequisitePhase
  • FmMuxSrvIsCBETask
  • FmMuxSrvIsValidTaskPid
  • FmMuxSrvResumePrerequisitePhase
  • FmMuxSrvGetForegroundTaskInstanceId
  • FmMuxSrvActivationBypass

Sunday, January 25, 2015

Wednesday, January 21, 2015

interrupts in w10 build 9879 64bit

It seems that Microsoft completely removed KiInterruptTemplate in this version of Windows, and interrupts are now stored in the KPRCB (like in w8.1)
Let's look at the function KiConnectInterrupt

Wednesday, January 7, 2015

apisetschema.dll from windows 10 build 9879

Yep, they did it again: apisetschema.dll now has version 5. One hard evening of reversing and you can enjoy the results
Btw, there is a module in kernel mode which is missing from apisetschema.dll: ext-ms-win-ntos-ksigningpolicy-l1-1-0.dll in cia.dll. I have no idea how the translation of ext-ms- names happens in kernel mode