вторник, 19 ноября 2019 г.

last version of wincheck

it`s last because of
My former employer was so so nice that he allowed me to publish this build. Btw I seek new job

Download
Mirror

Changelog: 
  • add support of Windows 1909
  • add support of new RFG relocs. As usually kernel itself has bad IMAGE_DYNAMIC_RELOCATION_TABLE - it contains zero type somewhere inside IMAGE_DYNAMIC_RELOCATION
  • add dumping of WMI_LOGGER_CONTEXTs for InfinityHook detection (with -wmi option)
  • add dumping of PsAltSystemCallHandlers
  • add dumping of PoPdcCallbacks (with -pofx option)
  • add dumping of PpmPlatformStates (with -ppm option)
  • add dumping callbacks registered with RtlRegisterFeatureConfigurationChangeNotification function 
Автор: redp на 18:12 1 коммент.
Ярлыки:

пятница, 15 ноября 2019 г.

kernel resource FUNCTIONEXTENTLIST

I commited today plugin for processing 64bit kernel resource with name "FUNCTIONEXTENTLIST" (located in RCDATA)

It seems that processing of this resource happens in huge unnamed sub called from famous KiFilterFiberContext, so this is apparently part of PatchGuard. Format of this resource relative simple.
At start we have signature CTXE for compressed data (LTXE for noncompressed but I have never seen this). Data unpacking with RtlDecompressBufferEx function. In packed data we have table with pair offsets, first to RUNTIME_FUNCTION recognised from IDA and second to some additional RUNTIME_FUNCTION (which usually skipped in IDA Pro for unknown reason)

 And even after calling this plugin there are lots of some valid RUNTIME_FUNCTION in .pdata section - I don`t know why
Автор: redp на 19:00 0 коммент.
Ярлыки: , ,

четверг, 14 ноября 2019 г.

there will be no more new versions of wincheck

bcs all source code belongs to my former employer
I do not have time and motivation to rewrite it for free
Sorry
Автор: redp на 18:12 0 коммент.
Ярлыки:

понедельник, 2 сентября 2019 г.

new RFG reloc types

It seems that est since build 18922 Microsoft turned on retpoline
This is implemented as RFG relocations with 3 new type:

Type 3
typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
    DWORD       PageRelativeOffset : 12;
    DWORD       IndirectCall       : 1;
    DWORD       IATIndex           : 19;
} IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION;

Looks like IAT function calling patch:
     call    cs:__imp_PshedFreeMemory
     nop     dword ptr [rax+rax+00h]

Type 4
typedef struct _IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
    WORD        PageRelativeOffset : 12;
    WORD        IndirectCall       : 1;
    WORD        RexWPrefix         : 1;
    WORD        CfgCheck           : 1;
    WORD        Reserved           : 1;
} IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION;

Looks like call reg patch:
    call    rax
    nop     dword ptr [rax]

Type 5
typedef struct _IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION {
    WORD        PageRelativeOffset : 12;
    WORD        RegisterNumber     : 4;
} IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION;

Looks like call reg in switch patch:
   mov     ecx, ds:rva off_14000DEBC[rdx+rdi*4]
   add     rcx, rdx
   jmp     rcx             ; switch jump
   db 4 dup(0CCh)

I patched today my RFG plugin to IDA Pro to support this new types
Автор: redp на 16:38 0 коммент.
Ярлыки: ,

пятница, 12 июля 2019 г.

wincheck rc8.61

download
mirror
Changelog:
  • add support of Windows 10 RS4, 1809 & 1903
  • add support of Windows 10 build 18922, but seems that this build hangs on RPC interfaces enumeration
  • add dumping of AlpcpLogCallbackListHead (with -alpc option)
  • add dumping of CfgMgr32.dll!CM_Register_Notification registered callbacks
  • add dumping of providers from mpr.dll
  • add new comdline options:
    • -denc - dump ntdll registered enclaves
    • -dynf - dump registered dynamic functions from RtlpDynamicFunctionTable
    • -dkt - dump kernel tracepoints
    • -vf - dump kernel verifier tables
    • -fs - dump DRIVER_OBJECTs registered with IoRegisterFsRegistrationChangeMountAware function
  • lots of bugs was fixed (and added as usually)
Автор: redp на 16:55 0 коммент.
Ярлыки:

пятница, 31 мая 2019 г.

CfgMgr32.dll!CM_Register_Notification registered callbacks

Declaration of CM_Register_Notification:

CMAPI CONFIGRET CM_Register_Notification(
  PCM_NOTIFY_FILTER   pFilter,
  PVOID               pContext,
  PCM_NOTIFY_CALLBACK pCallback,
  PHCMNOTIFICATION    pNotifyContext
);
 
It`s easy to recover structures stored in EventSystemClientList:
field32bit offset64bit offset
WORD - signature 0xF09700
LIST_ENTRY0xC0x18
CM_NOTIFY_FILTER0x240x40
pCallback0x1c40x1e0

sample of output on windows w10 build 18898:

Дальше »
Автор: redp на 16:58 0 коммент.
Ярлыки: ,

вторник, 26 марта 2019 г.

Windows 10 1809 kernel sensors

After reading this article I was curious which info Mocrosoft gather in it`s telemetry. There is some theoretical possibility to ask Microsoft via MVI but link to "apply for membership" gives 404, lol. So as usually run IDA Pro and start with KeInsertQueueApc function

 We can see that code checks EtwThreatIntProvRegHandle and somewhere inside function calls etw logger function EtwTiLogInsertQueueUserApc. So lets collect other etw loggers reffered to
EtwThreatIntProvRegHandle (and EtwSecurityMitigationsRegHandle too)
  • EtwThreatIntProvRegHandle - called from KeInsertQueueApc and IopfCompleteRequest
  • EtwTiLogSetContextThread - called from PspWow64SetContextThread & PspSetContextThreadInternal
  • EtwTiLogAllocExecVm - called from MiAllocateVirtualMemory
  • EtwTiLogProtectExecVm - called from NtProtectVirtualMemory
  • EtwTiLogReadWriteVm - called from MiReadWriteVirtualMemory
  • EtwTiLogDeviceObjectLoadUnload - called from IoDeleteDevice & IoCreateDevice
  • EtwTiLogDriverObjectLoad - called from IopLoadDriver & IoCreateDriver
  • EtwTiLogMapExecView - called from NtMapViewOfSection & MiMapViewOfSectionExCommon
  • EtwTiLogSuspendResumeProcess - called from PsThawProcess, PsFreezeProcess, PsResumeProcess & PsSuspendProcess
  • EtwTiLogSuspendResumeThread - called from PsSuspendThread & PsResumeThread
etw loggers reffered to EtwSecurityMitigationsRegHandle
  • EtwpTimLogMitigationForProcess - called from MiAllowImageMap
  • EtwTimLogProhibitDynamicCode - called from MiArbitraryCodeBlocked
  • EtwTimLogProhibitWin32kSystemCalls - called from PsConvertToGuiThread
  • EtwTimLogProhibitNonMicrosoftBinaries - called from MiValidateSectionSigningPolicy
  • EtwTimLogProhibitChildProcessCreation - called from SeSubProcessToken
  • EtwTimLogProhibitLowILImageMap - called from MiAllowImageMap
Автор: redp на 17:00 0 коммент.
Ярлыки: , ,

понедельник, 21 января 2019 г.

simple way to find PsKernelRangeList

It seems that since est. build 15025 to PsKernelRangeList was added absolute addresses of KUSER_SHARED_DATA.SystemCall and KUSER_SHARED_DATA.ProcessorFeatures
So now it can be trivially found with signature 0xFFFFF78000000308 (0xFFDF0308 for 32bit) in .data section
Lets see what is interesting in this list
Items in PsKernelRangeList can be described something like

 struct protected_area
{
 PBYTE addr;
 PBYTE len;
};
Also it seems that new entries always adding in end of this list. On build 18312 this list contains
  1. PspPicoProviderRoutines
  2. 3 zero entry
  3. MmUserProbeAddress (exported)
  4. MmSystemRangeStart (exported)
  5. MmHighestUserAddress (exported)
  6. MmBadPointer (exported)
  7. HvcallCodeVa
  8. PsWin32NullCallBack
  9. PspSystemMitigationOptions (size 0x10)
  10. KdpBootedNodebug
  11. KUSER_SHARED_DATA.SystemCall
  12.  KUSER_SHARED_DATA.ProcessorFeatures
  13. KiDynamicTraceEnabled
  14. KiDynamicTraceCallouts (size 0x28 on 32bit, 0x50 on 64bit)
Автор: redp на 18:51 0 коммент.
Ярлыки: , ,

понедельник, 14 января 2019 г.

WNF IDs from w10 build 18312

ripped from ContentDeliveryManager.Utilities.dll

Дальше »
Автор: redp на 16:59 0 коммент.
Ярлыки: ,
Подписаться на: Сообщения (Atom)