воскресенье, 30 октября 2016 г.

IMAGE_LOAD_CONFIG_DIRECTORY from sdk 14951

typedef struct _IMAGE_LOAD_CONFIG_CODE_INTEGRITY {
    WORD    Flags;          // Flags to indicate if CI information is available, etc.
    WORD    Catalog;        // 0xFFFF means not available
    DWORD   CatalogOffset;
    DWORD   Reserved;       // Additional bitmask to be defined later
} IMAGE_LOAD_CONFIG_CODE_INTEGRITY, *PIMAGE_LOAD_CONFIG_CODE_INTEGRITY;

пятница, 28 октября 2016 г.

how to find nt!KeServiceDescriptorTableFilter

Unfortunately all xrefs to KeServiceDescriptorTableFilter are from non-exported functions, for example PsConvertToGuiThread:
     test    dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
     jnz     short loc_6CAD9D

...
loc_6CAD9D:
     mov     dword ptr [esi+3Ch], offset _KeServiceDescriptorTableFilter

But we can use signatures search for part of test dword ptr [edi+2E8h], 18000h.

среда, 19 октября 2016 г.

rfg patches in windows 10 build 14942

Lets see for example body of function user32!GetCursor:
.text:00000001800026E0             GetCursor       proc near          .text:00000001800026E0 66 90                   xchg    ax, ax
.text:00000001800026E2 0F 1F 80 00 00 00 00    nop     dword ptr [rax+00000000h]
.text:00000001800026E9 B9 06 00 00 00          mov     ecx, 6
.text:00000001800026EE 48 FF 25 EB 76 09 00    jmp cs:__imp_NtUserGetThreadState
.text:00000001800026EE                         GetCursor       endp
.text:00000001800026F5 90 90 90 90 90 90 90 90                 db 8 dup(90h)


and in debugger:
0:007> ? user32!GetCursor
Evaluate expression: 140732937348832 = 00007ffe`f0bd26e0
0:007> u 00007ffe`f0bd26e0
USER32!GetCursor:
00007ffe`f0bd26e0 488b0424        mov     rax,qword ptr [rsp]
00007ffe`f0bd26e4 6448890424      mov     qword ptr fs:[rsp],rax
00007ffe`f0bd26e9 b906000000      mov     ecx,6
00007ffe`f0bd26ee 644c8b1c24      mov     r11,qword ptr fs:[rsp]
00007ffe`f0bd26f3 4c3b1c24        cmp     r11,qword ptr [rsp]
00007ffe`f0bd26f7 0f85a3e40300    jne     USER32!_guard_ss_verify_failure (00007ffe`f0c10ba0)
00007ffe`f0bd26fd 48ff25dc760900  jmp     qword ptr [USER32!_imp_NtUserGetThreadState (00007ffe`f0c69de0)]


dramatic differences ! it seems that this code has some compiler support and changes in kernel

понедельник, 10 октября 2016 г.

another cross-process scan

you can use EPROCESS.WnfContext to find list of processes. Lets see how this can be done:
kd> ? nt!ExpWnfProcessesListHead
Evaluate expression: -8781752063864 = fffff803`56c9a888
kd> dp fffff803`56c9a888
fffff803`56c9a888  fffff8a0`00125750 fffff8a0`021fb760
fffff803`56c9a898  00000000`00840082 fffff803`56a43460
fffff803`56c9a8a8  00000000`00120010 fffff803`56a43448
fffff803`56c9a8b8  00000000`00000060 00000000`00000058
fffff803`56c9a8c8  fffff803`56693df0 fffff803`56693dd8
fffff803`56c9a8d8  00000000`00760074 fffff803`56a41cd0
fffff803`56c9a8e8  00000000`00240022 fffff803`56a416c0
fffff803`56c9a8f8  00000000`00140012 fffff803`56a416a8
kd> !pool fffff8a0`00125750 2
Pool page fffff8a000125750 region is Paged pool
*fffff8a000125730 size:   f0 previous size:   90  (Allocated) *Wnf
        Pooltag Wnf  : Windows Notification Facility, Binary : nt!wnf
kd> dp fffff8a0`00125740
fffff8a0`00125740  00000000`00d80906 fffffa80`018a46c0
fffff8a0`00125750  fffff8a0`0010b9e0 fffff803`56c9a888
fffff8a0`00125760  00000000`00000000 00000000`00000000
fffff8a0`00125770  00000000`00000000 00000000`00000000
fffff8a0`00125780  fffff8a0`020c5a50 fffff8a0`00f03690
fffff8a0`00125790  00000000`00000000 fffff8a0`00129028
fffff8a0`001257a0  fffff8a0`015ee5c8 00000000`00000000
fffff8a0`001257b0  fffff8a0`001257b0 fffff8a0`001257b0
kd> !process fffffa80`018a46c0 0
PROCESS fffffa80018a46c0
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000003000  HandleCount:
    Image: System

kd> dp fffff8a0`0010b9d0
fffff8a0`0010b9d0  00000000`00d80906 fffffa80`038b4940
fffff8a0`0010b9e0  fffff8a0`058ed020 fffff8a0`00125750
fffff8a0`0010b9f0  fffff8a0`00117f40 00000000`00000000
fffff8a0`0010ba00  00000000`00000000 00000000`00000000
fffff8a0`0010ba10  fffff8a0`0010ba10 fffff8a0`0010ba10
fffff8a0`0010ba20  00000000`00000000 fffff8a0`0010b938
fffff8a0`0010ba30  fffff8a0`0587f968 00000000`00000000
fffff8a0`0010ba40  fffff8a0`0010ba40 fffff8a0`0010ba40
kd> !process fffffa80`038b4940 0
PROCESS fffffa80038b4940
    SessionId: 0  Cid: 0148    Peb: 7f630624000  ParentCid: 0140
    DirBase: 10feb000  ObjectTable: fffff8a000555cc0  HandleCount:
    Image: csrss.exe


вторник, 4 октября 2016 г.

simple wnf id decoder

extern "C" int __stdcall check_id(PDWORD);
extern "C" int __stdcall get_wnf_value(PDWORD);

int _tmain(int argc, _TCHAR* argv[])
{
  if ( argc == 3 )
  {
    wchar_t *end;
    DWORD ids[2];
    ids[0] = wcstoul(argv[1], &end, 16);
    ids[1] = wcstoul(argv[2], &end, 16);
    int whut = check_id(ids);
    if ( whut )
      printf("invalid pair\n");
    else
      printf("id1 %X id2 %X index %d\n", ids[0] ^ 0xA3BC0074, ids[1] ^ 0x41C64E6D, get_wnf_value(ids) );
  }
  return 0; 
 }

the main part of code is functions check_id & get_wnf_value. I am too lazy so just ripped piece of code from ntoskrnl.exe!ExpCaptureWnfStateName function: