четверг, 21 апреля 2016 г.

wincheck rc8.56


  • add support of windows 10rtm, build 14279 & 14295
  • add dumping of g_pAuditingFuncs
  • add dumping of hal!InterruptController
  • add dumping of PICO. Sample of output:
    PspPicoProviderRoutines at FFFFF803D2F42EA0:
     DispatchSystemCall: FFFFF803B997B4B0 \SystemRoot\system32\drivers\LXCORE.SYS
     ExitThread:         FFFFF803B997B4E0 \SystemRoot\system32\drivers\LXCORE.SYS
     ExitProcess:        FFFFF803B997B450 \SystemRoot\system32\drivers\LXCORE.SYS
     DispatchException:  FFFFF803B997B1E0 \SystemRoot\system32\drivers\LXCORE.SYS
     ProcessTerminate:   FFFFF803B997B480 \SystemRoot\system32\drivers\LXCORE.SYS
     WalkUserStack:      FFFFF803B997B630 \SystemRoot\system32\drivers\LXCORE.SYS
     ProtectedRanges:    FFFFF803B9930400 \SystemRoot\system32\drivers\LXCORE.SYS
     GetAllocatedProcessImageName: FFFFF803B997B650 \SystemRoot\system32\drivers\LXCORE.SYS
  • fix wnf identifiers
  • fix WFP callouts for w8.1 & w10
  • lots of bugs were fixed

понедельник, 18 апреля 2016 г.


Nice piece of code from lsasrv:
_GetCngAuditFunctions@4 proc near   ; CODE XREF: SrvPrepKeyIso(x)+33p
                                    ; LsapInitCNGAuditing()+Dp
  test  ecx, ecx
  jz    short loc_5095F661
  mov   dword ptr [ecx], offset _AuditFunctionTable
  xor   eax, eax

_AuditFunctionTable db    1
  db    0
  db    0
  db    0
  dd offset _CngAdtSelfTest@12              ; offset 4
  dd offset _CngAdtKeyFileOperation@32      ; offset 8
  dd offset _CngAdtKeyMigrationOperation@28 ; offset C
  dd offset _CngAdtVerificationFailure@24   ; offset 10
  dd offset _CngAdtCryptOperation@28        ; offset 14
  dd offset _CngAdtPrimitiveFailure@16      ; offset 18

This table used in SrvPrepKeyIso & LsapInitCNGAuditing functions: