среда, 25 мая 2016 г.

KiServiceTable from w10 build 14342 x64

In earlier Windows builds (for example w10 build 14332) KiServiceTable looks like this:
.rdata:00000001402DE4C0 KiServiceTable  dq offset NtAccessCheck ; DATA XREF: KiInitializeKernel+5EF o
.rdata:00000001402DE4C8        dq offset NtWorkerFactoryWorkerReady
.rdata:00000001402DE4D0        dq offset NtAcceptConnectPort
.rdata:00000001402DE4D8        dq offset NtMapUserPhysicalPagesScatter


And in w10 build 14342 it looks like this:
.rdata:00000001402E1380 KiServiceTable  dd 0DECCCh              ; DATA XREF: KiInitializeKernel+600 o
.rdata:00000001402E1384        dd 0E44ECh
.rdata:00000001402E1388        dd 4E3470h
.rdata:00000001402E138C        db  20h
.rdata:00000001402E138D        db 0AFh ; ï
.rdata:00000001402E138E        db  64h ; d
.rdata:00000001402E138F        db    0


so I had to write an IDC script to convert these offsets back to a readable form:
#include <idc.idc>

// Returns the address used as the PE image base for resolving table entries.
// If the loader created a "HEADER" segment, the lowest address of the database
// is that header and therefore the image base; otherwise the headers are
// presumably not loaded and the base is guessed one page below (dirty hack,
// verify against the real image base if the resolved names look wrong).
static get_pe_base()
{
  auto min_ea;
  min_ea = GetLongPrm(INF_MIN_EA);
  if ( SegByName("HEADER") == BADADDR )
    return min_ea - 0x1000; // dirty hack: no HEADER segment, assume one page below
  return min_ea;
}

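// Re-types KiServiceTable (w10 build 14342+: 32-bit entries that are offsets
// from the image base) so that every entry carries a comment with the resolved
// address and a data xref to the target routine. Entry count is taken from
// KiServiceLimit. Stops with a warning when either symbol is missing.
static main(void)
{
  auto base, limit_ea, cnt, tab, i, rva, target, bad;
  base = get_pe_base();
  limit_ea = LocByName("KiServiceLimit");
  if ( limit_ea == BADADDR )
  {
    Warn("Cannot find KiServiceLimit");
    return;
  }
  cnt = Dword(limit_ea);
  tab = LocByName("KiServiceTable");
  if ( tab == BADADDR )
  {
    Warn("Cannot find KiServiceTable");
    return;
  }
  bad = 0;
  for ( i = 0; i < cnt; i++, tab = tab + 4 )
  {
    MakeDword(tab);
    rva = Dword(tab);
    target = rva + base;
    MakeComm(tab, sprintf("%x", target));
    // A target outside every segment means the base guessed by get_pe_base()
    // is wrong (or the table layout differs from what this script expects);
    // do not plant a bogus xref, count it and report at the end instead.
    if ( !isEnabled(target) )
    {
      bad++;
      continue;
    }
    add_dref(tab, target, dr_O);
  }
  if ( bad )
    Warn(sprintf("%d of %d KiServiceTable entries point outside the image - check get_pe_base()", bad, cnt));
}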

KiServiceLimit .eq. 0x1c2
NtAccessCheck
NtWorkerFactoryWorkerReady
NtAcceptConnectPort
NtMapUserPhysicalPagesScatter
NtWaitForSingleObject
NtCallbackReturn
NtReadFile
NtDeviceIoControlFile
NtWriteFile
NtRemoveIoCompletion
NtReleaseSemaphore
NtReplyWaitReceivePort
NtReplyPort
NtSetInformationThread
NtSetEvent
NtClose
NtQueryObject
NtQueryInformationFile
NtOpenKey
NtEnumerateValueKey
NtFindAtom
NtQueryDefaultLocale
NtQueryKey
NtQueryValueKey
NtAllocateVirtualMemory
NtQueryInformationProcess
NtWaitForMultipleObjects32
NtWriteFileGather
NtSetInformationProcess
NtCreateKey
NtFreeVirtualMemory
NtImpersonateClientOfPort
NtReleaseMutant
NtQueryInformationToken
NtRequestWaitReplyPort
NtQueryVirtualMemory
NtOpenThreadToken
NtQueryInformationThread
NtOpenProcess
NtSetInformationFile
NtMapViewOfSection
NtAccessCheckAndAuditAlarm
NtUnmapViewOfSection
NtReplyWaitReceivePortEx
NtTerminateProcess
NtSetEventBoostPriority
NtReadFileScatter
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtQueryPerformanceCounter
NtEnumerateKey
NtOpenFile
NtDelayExecution
NtQueryDirectoryFile
NtQuerySystemInformation
NtOpenSection
NtQueryTimer
NtFsControlFile
NtWriteVirtualMemory
NtCloseObjectAuditAlarm
NtDuplicateObject
NtQueryAttributesFile
NtClearEvent
NtReadVirtualMemory
NtOpenEvent
NtAdjustPrivilegesToken
NtDuplicateToken
NtContinue
NtQueryDefaultUILanguage
NtQueueApcThread
NtYieldExecution
NtAddAtom
NtCreateEvent
NtQueryVolumeInformationFile
NtCreateSection
NtFlushBuffersFile
NtApphelpCacheControl
NtCreateProcessEx
NtCreateThread
NtIsProcessInJob
NtProtectVirtualMemory
NtQuerySection
NtResumeThread
NtTerminateThread
NtReadRequestData
NtCreateFile
NtQueryEvent
NtWriteRequestData
NtOpenDirectoryObject
NtAccessCheckByTypeAndAuditAlarm
NtQuerySystemTime
NtWaitForMultipleObjects
NtSetInformationObject
NtCancelIoFile
NtTraceEvent
NtPowerInformation
NtSetValueKey
NtCancelTimer
NtSetTimer
NtAccessCheckByType
NtAccessCheckByTypeResultList
NtAccessCheckByTypeResultListAndAuditAlarm
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
NtAddAtomEx
NtAddBootEntry
NtAddDriverEntry
NtAdjustGroupsToken
NtAdjustTokenClaimsAndDeviceGroups
NtAlertResumeThread
NtAlertThread
NtAlertThreadByThreadId
NtAllocateLocallyUniqueId
NtAllocateReserveObject
NtAllocateUserPhysicalPages
NtAllocateUuids
NtAlpcAcceptConnectPort
NtAlpcCancelMessage
NtAlpcConnectPort
NtAlpcConnectPortEx
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcCreateResourceReserve
NtAlpcCreateSectionView
NtAlpcCreateSecurityContext
NtAlpcDeletePortSection
NtAlpcDeleteResourceReserve
NtAlpcDeleteSectionView
NtAlpcDeleteSecurityContext
NtAlpcDisconnectPort
NtAlpcImpersonateClientContainerOfPort
NtAlpcImpersonateClientOfPort
NtAlpcOpenSenderProcess
NtAlpcOpenSenderThread
NtAlpcQueryInformation
NtAlpcQueryInformationMessage
NtAlpcRevokeSecurityContext
NtAlpcSendWaitReceivePort
NtAlpcSetInformation
NtAreMappedFilesTheSame
NtAssignProcessToJobObject
NtAssociateWaitCompletionPacket
NtCancelIoFileEx
NtCancelSynchronousIoFile
NtCancelTimer2
NtCancelWaitCompletionPacket
NtCommitComplete
NtCommitEnlistment
NtCommitRegistryTransaction
NtCommitTransaction
NtCompactKeys
NtCompareObjects
NtCompareTokens
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtCreateDebugObject
NtCreateDirectoryObject
NtCreateDirectoryObjectEx
NtCreateEnclave
NtCreateEnlistment
NtCreateEventPair
NtCreateIRTimer
NtCreateIoCompletion
NtCreateJobObject
NtCreateJobSet
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateLowBoxToken
NtCreateMailslotFile
NtCreateMutant
NtCreateNamedPipeFile
NtCreatePagingFile
NtCreatePartition
NtCreatePort
NtCreatePrivateNamespace
NtCreateProcess
NtCreateProfile
NtCreateProfileEx
NtCreateRegistryTransaction
NtCreateResourceManager
NtCreateSemaphore
NtCreateSymbolicLinkObject
NtCreateThreadEx
NtCreateTimer
NtCreateTimer2
NtCreateToken
NtCreateTokenEx
NtCreateTransaction
NtCreateTransactionManager
NtCreateUserProcess
NtCreateWaitCompletionPacket
NtCreateWaitablePort
NtCreateWnfStateName
NtCreateWorkerFactory
NtDebugActiveProcess
NtDebugContinue
NtDeleteAtom
NtDeleteBootEntry
NtDeleteDriverEntry
NtDeleteFile
NtDeleteKey
NtDeleteObjectAuditAlarm
NtDeletePrivateNamespace
NtDeleteValueKey
NtDeleteWnfStateData
NtDeleteWnfStateName
NtDisableLastKnownGood
NtDisplayString
NtDrawText
NtEnableLastKnownGood
NtEnumerateBootEntries
NtEnumerateDriverEntries
NtEnumerateSystemEnvironmentValuesEx
NtEnumerateTransactionObject
NtExtendSection
NtFilterBootOption
NtFilterToken
NtFilterTokenEx
NtFlushBuffersFileEx
NtFlushInstallUILanguage
NtFlushInstructionCache
NtFlushKey
NtFlushProcessWriteBuffers
NtFlushVirtualMemory
NtFlushWriteBuffer
NtFreeUserPhysicalPages
NtFreezeRegistry
NtFreezeTransactions
NtGetCachedSigningLevel
NtGetCompleteWnfStateSubscription
NtGetContextThread
NtGetCurrentProcessorNumber
NtGetCurrentProcessorNumberEx
NtGetDevicePowerState
NtGetMUIRegistryInfo
NtGetNextProcess
NtGetNextThread
NtGetNlsSectionPtr
NtGetNotificationResourceManager
NtGetWriteWatch
NtImpersonateAnonymousToken
NtImpersonateThread
NtInitializeEnclave
NtInitializeNlsFiles
NtInitializeRegistry
NtInitiatePowerAction
NtIsSystemResumeAutomatic
NtIsUILanguageComitted
NtListenPort
NtLoadDriver
NtLoadEnclaveData
NtLoadKey
NtLoadKey2
NtLoadKeyEx
NtLockFile
NtLockProductActivationKeys
NtLockRegistryKey
NtLockVirtualMemory
NtMakePermanentObject
NtMakeTemporaryObject
NtManagePartition
NtMapCMFModule
NtMapUserPhysicalPages
NtModifyBootEntry
NtModifyDriverEntry
NtNotifyChangeDirectoryFile
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtNotifyChangeSession
NtOpenEnlistment
NtOpenEventPair
NtOpenIoCompletion
NtOpenJobObject
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtOpenMutant
NtOpenObjectAuditAlarm
NtOpenPartition
NtOpenPrivateNamespace
NtOpenProcessToken
NtOpenRegistryTransaction
NtOpenResourceManager
NtOpenSemaphore
NtOpenSession
NtOpenSymbolicLinkObject
NtOpenThread
NtOpenTimer
NtOpenTransaction
NtOpenTransactionManager
NtPlugPlayControl
NtPrePrepareComplete
NtPrePrepareEnlistment
NtPrepareComplete
NtPrepareEnlistment
NtPrivilegeCheck
NtPrivilegeObjectAuditAlarm
NtPrivilegedServiceAuditAlarm
NtPropagationComplete
NtPropagationFailed
NtPulseEvent
NtQueryBootEntryOrder
NtQueryBootOptions
NtQueryDebugFilterState
NtQueryDirectoryObject
NtQueryDriverEntryOrder
NtQueryEaFile
NtQueryFullAttributesFile
NtQueryInformationAtom
NtQueryInformationEnlistment
NtQueryInformationJobObject
NtQueryInformationPort
NtQueryInformationResourceManager
NtQueryInformationTransaction
NtQueryInformationTransactionManager
NtQueryInformationWorkerFactory
NtQueryInstallUILanguage
NtQueryIntervalProfile
NtQueryIoCompletion
NtQueryLicenseValue
NtQueryMultipleValueKey
NtQueryMutant
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryPortInformationProcess
NtQueryQuotaInformationFile
NtQuerySecurityAttributesToken
NtQuerySecurityObject
NtQuerySecurityPolicy
NtQuerySemaphore
NtQuerySymbolicLinkObject
NtQuerySystemEnvironmentValue
NtQuerySystemEnvironmentValueEx
NtQuerySystemInformationEx
NtQueryTimerResolution
NtQueryWnfStateData
NtQueryWnfStateNameInformation
NtQueueApcThreadEx
NtRaiseException
NtRaiseHardError
NtReadOnlyEnlistment
NtRecoverEnlistment
NtRecoverResourceManager
NtRecoverTransactionManager
NtRegisterProtocolAddressInformation
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtReleaseWorkerFactoryWorker
NtRemoveIoCompletionEx
NtRemoveProcessDebug
NtRenameKey
NtRenameTransactionManager
NtReplaceKey
NtReplacePartitionUnit
NtReplyWaitReplyPort
NtRequestPort
NtResetEvent
NtResetWriteWatch
NtRestoreKey
NtResumeProcess
NtRevertContainerImpersonation
NtRollbackComplete
NtRollbackEnlistment
NtRollbackRegistryTransaction
NtRollbackTransaction
NtRollforwardTransactionManager
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSerializeBoot
NtSetBootEntryOrder
NtSetBootOptions
NtSetCachedSigningLevel
NtSetCachedSigningLevel2
NtSetContextThread
NtSetDebugFilterState
NtSetDefaultHardErrorPort
NtSetDefaultLocale
NtSetDefaultUILanguage
NtSetDriverEntryOrder
NtSetEaFile
NtSetHighEventPair
NtSetHighWaitLowEventPair
NtSetIRTimer
NtSetInformationDebugObject
NtSetInformationEnlistment
NtSetInformationJobObject
NtSetInformationKey
NtSetInformationResourceManager
NtSetInformationSymbolicLink
NtSetInformationToken
NtSetInformationTransaction
NtSetInformationTransactionManager
NtSetInformationVirtualMemory
NtSetInformationWorkerFactory
NtSetIntervalProfile
NtSetIoCompletion
NtSetIoCompletionEx
NtSetLdtEntries
NtSetLowEventPair
NtSetLowWaitHighEventPair
NtSetQuotaInformationFile
NtSetSecurityObject
NtSetSystemEnvironmentValue
NtSetSystemEnvironmentValueEx
NtSetSystemInformation
NtSetSystemPowerState
NtSetSystemTime
NtSetThreadExecutionState
NtSetTimer2
NtSetTimerEx
NtSetTimerResolution
NtSetUuidSeed
NtSetVolumeInformationFile
NtSetWnfProcessNotificationEvent
NtShutdownSystem
NtShutdownWorkerFactory
NtSignalAndWaitForSingleObject
NtSinglePhaseReject
NtStartProfile
NtStopProfile
NtSubscribeWnfStateChange
NtSuspendProcess
NtSuspendThread
NtSystemDebugControl
NtTerminateJobObject
NtTestAlert
NtThawRegistry
NtThawTransactions
NtTraceControl
NtTranslateFilePath
NtUmsThreadYield
NtUnloadDriver
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
NtUnlockFile
NtUnlockVirtualMemory
NtUnmapViewOfSectionEx
NtUnsubscribeWnfStateChange
NtUpdateWnfStateData
NtVdmControl
NtWaitForAlertByThreadId
NtWaitForDebugEvent
NtWaitForKeyedEvent
NtWaitForWorkViaWorkerFactory
NtWaitLowEventPair
