can be found using the same old trick
Sure, the constants are now different, so now KUSER_SHARED_DATA.SystemCall is at 0xFFFFF78000000308 and KUSER_SHARED_DATA.ProcessorFeatures is at 0xFFFFF78000000274
Committed today simple logic to find and parse it in my armpatched
Saturday, 18 April 2020
Friday, 17 April 2020
IDA Pro plugin for arm64 switch tables processing
IDA Pro supports arm64 very poorly - it also cannot parse switch tables. Let's see how they look on arm64, for example in the function NtQueryInformationThread:
CMP W1, #0x2D ; check index
B.HI loc_140673294
ADR X9, dword_14066E9EC ; switch tab address
LDRSW X8, [X9,W1,UXTW#2] ; index in W1 << 2
ADR X9, loc_14066E358 ; base address
ADD X8, X9, X8,LSL#2 ; base address + offset << 2
BR X8
What happens here? First, "ADR x9, addr" loads the address of the switch table.
Next, LDRSW is like "mov x8, [x9 + 4 * w1]" on Intel: it loads a DWORD (sign-extended) at x9 + (index w1 shifted left by 2).
Then the second ADR loads the base address for this switch table.
ADD x8, x9, x8 << 2 puts in x8 the address of the actual jump target.
And finally BR jumps to this address.
So I just wrote a quick and dirty plugin arm64sw.p64 based on armpatched for switch table processing.
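An added example (not code from the arm64sw plugin or armpatched) showing how the case targets of the pattern above are resolved: the table entries are signed 32-bit words, so negative entries are legal and land before the base label. The addresses and the CMP bound follow the listing above; the table bytes are constructed for the demonstration.

```python
import struct

# Constructed sample: a 4-entry table (CMP W1, #3 / B.HI default) of signed
# 32-bit word offsets, as LDRSW X8, [X9, W1, UXTW#2] would read them.
# TABLE_ADDR / BASE_ADDR reuse the two ADR targets from the listing above.
TABLE_ADDR = 0x14066E9EC          # dword_14066E9EC, first ADR
BASE_ADDR = 0x14066E358           # loc_14066E358, second ADR
MAX_INDEX = 3                     # CMP W1, #3 -> valid indices 0..3 (listing uses #0x2D)
SAMPLE_TABLE = struct.pack("<4i", 0x00, 0x05, -0x02, 0x1A0)


def switch_targets(table_bytes, base_addr, max_index):
    """Resolve all case targets of the ARM64 switch idiom.

    Each entry is a signed 32-bit word (LDRSW sign-extends it) and the
    target is base + (entry << 2), i.e. ADD X8, X9, X8, LSL#2.
    The CMP #max_index / B.HI guard means indices 0..max_index are valid,
    so the table holds max_index + 1 entries.
    """
    count = max_index + 1
    if len(table_bytes) < 4 * count:
        raise ValueError("table is shorter than the CMP bound implies")
    entries = struct.unpack("<%di" % count, table_bytes[: 4 * count])
    # Negative entries are legal: they point below the base label.
    return [(base_addr + (e << 2)) & 0xFFFFFFFFFFFFFFFF for e in entries]


def case_target(table_bytes, base_addr, max_index, index):
    """Mirror the guard: an out-of-range index takes the B.HI default edge."""
    if index > max_index:
        return None
    return switch_targets(table_bytes, base_addr, max_index)[index]


if __name__ == "__main__":
    for i, t in enumerate(switch_targets(SAMPLE_TABLE, BASE_ADDR, MAX_INDEX)):
        print("case %d -> 0x%X" % (i, t))
```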
Thursday, 16 April 2020
KiTpExcludedRoutines
As you can guess from the name, this is an array of functions for which you can't set a kernel tracepoint. Curiously, this list differs between x64 and arm64.
x64
Sunday, 12 April 2020
bug in ida pro arm64 module
Let's look in IDA Pro at some arm64 Windows kernel, for example the good old function PspSetCreateThreadNotifyRoutine:
ADRP X8, #PspNotifyEnableMask@PAGE
ADD X11, X8, #PspNotifyEnableMask@PAGEOFF
TBNZ W20, #0, loc_140690960
ADD X10, X11, #0x33C
Register x11 contains the address of PspNotifyEnableMask (in my case 0x1408AE6B0), and then x10 loads the address PspNotifyEnableMask + 0x33c = 0x1408AE9EC, which is actually PspCreateThreadNotifyRoutineCount. And no, you cannot fix the last instruction by pressing O or Ctrl+O.
Given that cross-refs on arm64 are highly dependent on correct code analysis, this is very annoying.
Tested in IDA Pro 6.9 and 7.2.
Thursday, 9 April 2020
armpatched
Several days ago I started my new pet project on GitHub, because:
- quarantine is boring
- reading the book "ARM 64-Bit Assembly Language" without practice is useless
The main magic happens in the ntoskrnl_hack::find_lock_list function.
Sunday, 5 April 2020
static code analysis
This cool article is a good case to show how you can employ static code analysis for extracting some unexported symbols from binary code; in this case we need ExNPagedLookasideLock and ExNPagedLookasideListHead.
Sure, the first thing you need is a disassembler. If you search GitHub for "x86 disasm" you will get about 20 repositories, but we need one that satisfies some requirements:
- disassembles into some intermediate representation rather than string output
- can be used in kernel mode (just in case you want to do that), which means it must be written in C
So just choose the one with the most comprehensible code, because they all contain bugs and you will have to fix them and/or add missing instructions anyway.
Let's start with the exported function ExInitializeNPagedLookasideList. Simplest case, XP 64-bit:
Thursday, 2 April 2020
VfDifThunks
It seems that in W10 build 19569 a new verifier table has appeared: VfDifThunks, along with a new exported function DifRegisterPlugin (which is used only in VerifierExt.sys for now). List of intercepted functions: