added 95 new NTSTATUS values
воскресенье, 30 октября 2016 г.
IMAGE_LOAD_CONFIG_DIRECTORY from sdk 14951
/*
 * Code Integrity (CI) descriptor embedded in IMAGE_LOAD_CONFIG_DIRECTORY,
 * as declared in the SDK 14951 headers quoted above.
 * Field widths are 16/16/32/32 bits, so the struct is 12 bytes with no
 * padding on both x86 and x64.
 * NOTE(review): when parsing a PE image from disk this is attacker-controlled
 * data -- a consumer should bounds-check CatalogOffset against the image
 * before dereferencing anything through it (what the offset is relative to
 * is not stated in this header; confirm against the loader).
 */
typedef struct _IMAGE_LOAD_CONFIG_CODE_INTEGRITY {
WORD Flags; // Flags to indicate if CI information is available, etc.
WORD Catalog; // 0xFFFF means not available
DWORD CatalogOffset; // presumably only meaningful when Catalog != 0xFFFF -- TODO confirm
DWORD Reserved; // Additional bitmask to be defined later
} IMAGE_LOAD_CONFIG_CODE_INTEGRITY, *PIMAGE_LOAD_CONFIG_CODE_INTEGRITY;
пятница, 28 октября 2016 г.
how to find nt!KeServiceDescriptorTableFilter
Unfortunately, every xref to nt!KeServiceDescriptorTableFilter comes from a non-exported function, for example PsConvertToGuiThread:
We can instead locate it with a byte-signature search for the instruction sequence around `test dword ptr [edi+2E8h], 18000h` (the EPROCESS.Flags3 check shown below), then read the immediate operand of the `mov [esi+3Ch], offset _KeServiceDescriptorTableFilter` that the taken branch leads to:
test dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
jnz short loc_6CAD9D
...
loc_6CAD9D
:
mov dword ptr [esi+3Ch], offset _KeServiceDescriptorTableFilter
The signature search on `test dword ptr [edi+2E8h], 18000h` works for this build, but note that the `2E8h` displacement is the EPROCESS.Flags3 offset of this particular kernel and the `18000h` mask may change as well, so the pattern should be re-derived (or the displacement wildcarded) for other builds. A match should also be sanity-checked before it is trusted -- e.g. confirm that the operand of the `mov [esi+3Ch], ...` store resolves to an address inside the ntoskrnl image -- since a false positive here would hand back a bogus service table pointer.
среда, 19 октября 2016 г.
rfg patches in windows 10 build 14942
Let's look, for example, at the body of user32!GetCursor as it appears in the on-disk image (IDA listing):
and in debugger:
Dramatic differences! It looks like this needs both compiler support (the reserved NOP padding in the image) and kernel/loader support to rewrite those bytes at load time; see the comparison of the two listings below.
.text:00000001800026E0 GetCursor proc near
.text:00000001800026E0 66 90 xchg ax, ax
.text:00000001800026E2 0F 1F 80 00 00 00 00 nop dword ptr [rax+00000000h]
.text:00000001800026E9 B9 06 00 00 00 mov ecx, 6
.text:00000001800026EE 48 FF 25 EB 76 09 00 jmp cs:__imp_NtUserGetThreadState
.text:00000001800026EE GetCursor endp
.text:00000001800026F5 90 90 90 90 90 90 90 90 db 8 dup(90h)
and in debugger:
0:007> ? user32!GetCursor
Evaluate expression: 140732937348832 = 00007ffe`f0bd26e0
0:007> u 00007ffe`f0bd26e0
USER32!GetCursor:
00007ffe`f0bd26e0 488b0424 mov rax,qword ptr [rsp]
00007ffe`f0bd26e4 6448890424 mov qword ptr fs:[rsp],rax
00007ffe`f0bd26e9 b906000000 mov ecx,6
00007ffe`f0bd26ee 644c8b1c24 mov r11,qword ptr fs:[rsp]
00007ffe`f0bd26f3 4c3b1c24 cmp r11,qword ptr [rsp]
00007ffe`f0bd26f7 0f85a3e40300 jne USER32!_guard_ss_verify_failure (00007ffe`f0c10ba0)
00007ffe`f0bd26fd 48ff25dc760900 jmp qword ptr [USER32!_imp_NtUserGetThreadState (00007ffe`f0c69de0)]
Dramatic differences! On disk the function carries 9 bytes of NOP padding in the prologue (`66 90` plus the 7-byte `0F 1F 80 00 00 00 00`) and another 8 NOP bytes after the tail `jmp`. In memory those slots have been rewritten: the prologue now copies the return address from `[rsp]` into `fs:[rsp]` (a shadow copy of the stack addressed through FS), and the 15 bytes that used to hold `jmp` + 8 NOPs now hold the verification -- reload the saved value into `r11`, `cmp` it with `[rsp]`, `jne USER32!_guard_ss_verify_failure` -- with the real tail `jmp` re-emitted after it (same import target, shifted forward by 15 bytes). So it appears that the compiler reserves the padding and the kernel/loader patches the RFG instrumentation in at runtime, which also implies the kernel sets up a per-thread FS-based mirror of the stack for the shadow return addresses.
понедельник, 10 октября 2016 г.
another cross-process scan
EPROCESS.WnfContext offers another way to enumerate processes besides walking ActiveProcessLinks: every process's WNF context is linked into a doubly linked list rooted at nt!ExpWnfProcessesListHead. In the dump below the list head's Flink points into a Wnf-tagged paged-pool allocation; counting from the start of the allocation body (0x10 past the pool header), the owning EPROCESS sits at +0x8 and the LIST_ENTRY at +0x10, so following Flink-0x10 from node to node yields System, then csrss.exe, and so on. Two caveats for a scanner built on this: the nodes live in paged pool (so the walk is only valid where page faults are permitted), and a rootkit that unlinks a process from ActiveProcessLinks could presumably unlink it here too -- treat it as one more list to cross-reference, not as ground truth. Let's see how this can be done:
kd> ? nt!ExpWnfProcessesListHead
Evaluate expression: -8781752063864 = fffff803`56c9a888
kd> dp fffff803`56c9a888
fffff803`56c9a888 fffff8a0`00125750 fffff8a0`021fb760
fffff803`56c9a898 00000000`00840082 fffff803`56a43460
fffff803`56c9a8a8 00000000`00120010 fffff803`56a43448
fffff803`56c9a8b8 00000000`00000060 00000000`00000058
fffff803`56c9a8c8 fffff803`56693df0 fffff803`56693dd8
fffff803`56c9a8d8 00000000`00760074 fffff803`56a41cd0
fffff803`56c9a8e8 00000000`00240022 fffff803`56a416c0
fffff803`56c9a8f8 00000000`00140012 fffff803`56a416a8
kd> !pool fffff8a0`00125750 2
Pool page fffff8a000125750 region is Paged pool
*fffff8a000125730 size: f0 previous size: 90 (Allocated) *Wnf
Pooltag Wnf : Windows Notification Facility, Binary : nt!wnf
kd> dp fffff8a0`00125740
fffff8a0`00125740 00000000`00d80906 fffffa80`018a46c0
fffff8a0`00125750 fffff8a0`0010b9e0 fffff803`56c9a888
fffff8a0`00125760 00000000`00000000 00000000`00000000
fffff8a0`00125770 00000000`00000000 00000000`00000000
fffff8a0`00125780 fffff8a0`020c5a50 fffff8a0`00f03690
fffff8a0`00125790 00000000`00000000 fffff8a0`00129028
fffff8a0`001257a0 fffff8a0`015ee5c8 00000000`00000000
fffff8a0`001257b0 fffff8a0`001257b0 fffff8a0`001257b0
kd> !process fffffa80`018a46c0 0
PROCESS fffffa80018a46c0
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000003000 HandleCount:
Image: System
kd> dp fffff8a0`0010b9d0
fffff8a0`0010b9d0 00000000`00d80906 fffffa80`038b4940
fffff8a0`0010b9e0 fffff8a0`058ed020 fffff8a0`00125750
fffff8a0`0010b9f0 fffff8a0`00117f40 00000000`00000000
fffff8a0`0010ba00 00000000`00000000 00000000`00000000
fffff8a0`0010ba10 fffff8a0`0010ba10 fffff8a0`0010ba10
fffff8a0`0010ba20 00000000`00000000 fffff8a0`0010b938
fffff8a0`0010ba30 fffff8a0`0587f968 00000000`00000000
fffff8a0`0010ba40 fffff8a0`0010ba40 fffff8a0`0010ba40
kd> !process fffffa80`038b4940 0
PROCESS fffffa80038b4940
SessionId: 0 Cid: 0148 Peb: 7f630624000 ParentCid: 0140
DirBase: 10feb000 ObjectTable: fffff8a000555cc0 HandleCount:
Image: csrss.exe
вторник, 4 октября 2016 г.
simple wnf id decoder
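extern "C" int __stdcall check_id(PDWORD);
extern "C" int __stdcall get_wnf_value(PDWORD);

/*
 * Parse one command-line argument as a 32-bit hex number.
 * Returns 0 and stores the value in *out on success; returns -1 when the
 * string is empty or is not consumed entirely by wcstoul(), so trailing
 * garbage or a non-hex argument is never silently decoded as a valid id.
 * Assumes a UNICODE build (_TCHAR == wchar_t), exactly as the original
 * wcstoul() call on argv[] did.
 */
static int parse_hex_dword(const wchar_t *arg, DWORD *out)
{
    wchar_t *end = NULL;
    unsigned long value = wcstoul(arg, &end, 16);
    if (end == arg || *end != L'\0') {
        return -1;
    }
    *out = (DWORD)value;
    return 0;
}

/*
 * WNF state-name decoder.
 * Usage: <id0_hex> <id1_hex>; argv[1] becomes ids[0] and argv[2] ids[1],
 * in the order check_id()/get_wnf_value() expect (both are implemented
 * elsewhere, lifted from nt!ExpCaptureWnfStateName -- see below).
 * Prints "invalid pair" when check_id() rejects the pair, otherwise the two
 * halves un-XORed with the constants that function applies plus the index
 * from get_wnf_value().
 * Returns 0 after a decode attempt (as before); now returns 1 and prints a
 * message on a wrong argument count or unparsable input instead of exiting
 * silently with 0 or decoding a half-parsed value.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc != 3) {
        printf("usage: <id0_hex> <id1_hex>\n");
        return 1;
    }

    DWORD ids[2] = { 0, 0 };
    if (parse_hex_dword(argv[1], &ids[0]) != 0 ||
        parse_hex_dword(argv[2], &ids[1]) != 0) {
        printf("both arguments must be hex numbers\n");
        return 1;
    }

    if (check_id(ids)) {
        printf("invalid pair\n");
    } else {
        /* XOR keys are the ones ExpCaptureWnfStateName applies in this build */
        printf("id1 %X id2 %X index %d\n",
               ids[0] ^ 0xA3BC0074, ids[1] ^ 0x41C64E6D, get_wnf_value(ids));
    }
    return 0;
}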
The interesting part is the pair check_id and get_wnf_value. I was too lazy to reimplement the logic, so I lifted the relevant instructions straight out of ntoskrnl.exe!ExpCaptureWnfStateName; note that both the validation and the XOR key used in the printf above are tied to that kernel build and should be re-checked when the kernel changes: