Monday, August 17, 2020

etw part 4: _TlgProvider_t in kernel

Let's continue dissecting ETW (see parts 1, 2 & 3).
Basically the _TlgProvider_t structure in the kernel is almost the same as in user mode, but its RegHandle field points to an ETW_REG_ENTRY. You can easily find these structures with a simple search for known GUIDs; I made a PoC for arm64 (and for ndis.sys too).

The kernel contains the following TLG providers:
  • Microsoft.Windows.TlgAggregateInternal, GUID 703FCC13-B66F-5868-DDD9-E2DB7F381FFB
  • KernelExecutive, GUID 8944A53C-A561-4E53-A0C6-D565414745FC
  • Microsoft.Windows.Kernel.BootEnvironment, GUID 23B76A75-CE4F-56EF-F903-C3A2D6AE3F6B
  • MSTelCov, GUID 1DD9B8C9-E078-4075-B9DE-4E5125071A18
  • KernelProcess, GUID 2839FF94-8F12-4E1B-82E3-AF7AF77A450F
  • KernelGeneral, GUID 7614521C-4D0B-4341-BFC9-873082C0F1D3
  • Microsoft-Windows-Kernel-Vm, GUID B7FBD4E0-FA8F-4C58-B0FB-3CC227B86ED6. Located in section ALMOSTRO
  • Microsoft.Windows.Kernel.Security, GUID 09A69A38-2680-4BFA-AD01-792AD63A4FF2
  • Microsoft.Windows.Security.Capabilities, GUID 27A8FDF4-9B77-575B-BE3B-E7163EF159BB
  • Microsoft.Windows.Kernel.ProcessSubsystem, GUID C59673D8-B796-58DF-FBF8-A70BAD656DCA
  • Microsoft.Windows.Kernel.Ttm, GUID 5E753E4D-2B0D-4451-B8F9-0F1253CA0B44. Located in section PAGEDATA
  • Microsoft.Windows.Kernel.Power.PowerTransitions, GUID 050BF899-DA06-4852-A63A-81E6B9A1C74F
  • Microsoft.Windows.Kernel.Power.DirectedDrips, GUID 0D2ED727-38A0-4B2B-9F7E-EC79B5EC4AA5. Located in section PAGEDATA
  • Microsoft.Windows.Kernel.Power, GUID 63BCA7A1-77EC-4EA7-95D0-98D3F0C0EBF7
  • Microsoft.Windows.Kernel.Power.DiagFxAccounting, GUID 57D04B7B-550A-49A2-ABCC-A7FA15598A30
  • Microsoft.Windows.Kernel.ObjectManager, GUID F39412D1-C9FD-5E79-8A82-9C9CBD8CA809
  • Microsoft-Windows-Kernel-Mm, GUID 7E9E8B9C-406C-5D73-E566-0F50EA3ADE3E
  • Microsoft.Windows.Kernel.Kernel, GUID 061C37C3-1363-5C1B-B8ED-F3D8F74633CE
  • Microsoft.Windows.Kernel.PnP, GUID 6C0EBBBB-C292-457D-9675-DFCC1C0D58B0
  • Microsoft.Windows.Kernel.DeviceConfig, GUID C8BDE9FF-F31F-59DC-6C27-CA37C516ADA5
  • Microsoft.Windows.Kernel.SysEnv, GUID A9FDF37B-D72D-4051-A3CD-D422103CE079
  • Microsoft.Windows.Kernel.LiveDump, GUID A4D16FC5-D1CF-4D72-A055-25F3EB02A70E
  • Microsoft.Windows.Kernel.Dump, GUID A51EE86B-8EA5-454C-9A7D-37B6655A535D
  • IumTelemetryProvider, GUID 73A33AB2-1966-4999-8ADD-868C41415269
  • Microsoft.Windows.Containers.RegistryVirtualization, GUID 252D9ECC-1C9F-4917-8760-F872A83BF018
  • Microsoft.Windows.Kernel.FeatureConfigurationManager, GUID F7E83426-2B81-58F9-C5D4-F2DB6D0AD473
  • Microsoft.Windows.Kernel.Registry, GUID E9EAF418-0C07-464C-AD14-A7F353349A00
  • Microsoft.Windows.FileSystem.Cache, GUID 74093E1D-DBE3-4019-B97D-54EDCB02CFED
  • Microsoft.Windows.Kernel.HAL, GUID 0F51C5A7-0E76-47A5-BEDE-7CF62C5822F6
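The "simple search for known GUIDs" mentioned above boils down to one detail: a GUID is not stored in memory the way it is written. Data1, Data2 and Data3 are little-endian, Data4 is stored byte for byte. The following script is an added example (not the author's PoC) that encodes a few of the GUIDs from the list and scans a raw image for them; the sample image and the base address are constructed, and the exact kernel layout of _TlgProvider_t around the GUID is deliberately not reproduced, so a hit is only the starting point for locating the structure.

```python
"""Locate known TraceLogging provider GUIDs in a raw kernel or driver image.

Added example, not the author's PoC. The only layout fact used is how a GUID
sits in memory on Windows: Data1 (4 bytes), Data2 (2) and Data3 (2) are
little-endian, Data4 (8 bytes) is stored as written.
"""
import re

# Subset of the provider GUIDs listed in the post (name -> GUID string).
KNOWN_TLG_GUIDS = {
    "KernelGeneral": "7614521C-4D0B-4341-BFC9-873082C0F1D3",
    "Microsoft.Windows.Kernel.Registry": "E9EAF418-0C07-464C-AD14-A7F353349A00",
    "Microsoft.Windows.Kernel.HAL": "0F51C5A7-0E76-47A5-BEDE-7CF62C5822F6",
}

_GUID_RE = re.compile(
    r"([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})"
)


def guid_to_bytes(text):
    """Encode a GUID string exactly as it is laid out in memory (mixed-endian)."""
    m = _GUID_RE.fullmatch(text)
    if not m:
        raise ValueError("bad GUID: %s" % text)
    data1, data2, data3, data4a, data4b = m.groups()
    return (int(data1, 16).to_bytes(4, "little")
            + int(data2, 16).to_bytes(2, "little")
            + int(data3, 16).to_bytes(2, "little")
            + bytes.fromhex(data4a + data4b))


def find_guids(image, known=KNOWN_TLG_GUIDS, base=0):
    """Scan a raw image for every known GUID; return [(name, address), ...] sorted by address."""
    hits = []
    for name, text in known.items():
        needle = guid_to_bytes(text)
        off = image.find(needle)
        while off != -1:
            hits.append((name, base + off))
            off = image.find(needle, off + 1)
    return sorted(hits, key=lambda h: h[1])


def build_sample_image():
    """Constructed stand-in for a kernel image: zero filler with two GUIDs embedded."""
    img = bytearray(0x400)
    img[0x100:0x110] = guid_to_bytes(KNOWN_TLG_GUIDS["KernelGeneral"])
    img[0x2A0:0x2B0] = guid_to_bytes(KNOWN_TLG_GUIDS["Microsoft.Windows.Kernel.Registry"])
    return bytes(img)


if __name__ == "__main__":
    # The base address is a constructed value, not a real kernel load address.
    for name, addr in find_guids(build_sample_image(), base=0xFFFFF80327C00000):
        print("%s GUID at %016X" % (name, addr))
```

On a real image you would feed the bytes of the mapped module (or of a memory dump) into find_guids with the module's actual base; a GUID that occurs more than once is reported once per occurrence, since the same GUID can legitimately appear in metadata as well as in a provider structure.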

So what can bad guys do knowing the addresses of these _TlgProvider_t structures?

  • as in user mode, they could zero the LevelPlus1 field
  • they could hijack the ETW_REG_ENTRY so that it points at some custom ETW provider
  • they could patch TRACE_ENABLE_INFO in ETW_REG_ENTRY.GuidEntry and so disable tracing
  • and, much better: do you see the EnableCallback field? By default it is set to the function TlgAggregateInternalRegisteredProviderEtwCallback with prototype
    void TlgAggregateInternalRegisteredProviderEtwCallback(struct _GUID const *, unsigned long, unsigned char, unsigned __int64, unsigned __int64, struct _EVENT_FILTER_DESCRIPTOR *, void *)
    so by hooking it you could get a real-time notification when someone wants to turn on logging for your system (and perhaps clear all your hooks until better times)

Mitigations

To ensure that your ETW-based EDR is still not blind you could:
  1. find every _TlgProvider_t in the kernel and drivers
  2. check the LevelPlus1 field
  3. check EnableCallback for hooks
  4. check that the RegHandle field points to the right ETW_REG_ENTRY
  5. which in turn points to the right ETW_GUID_ENTRY
  6. and check that this ETW_GUID_ENTRY was not disabled
Btw this is exactly what the new tool I'm working on does, so let's see a sample of its output:
 [1] Microsoft.Windows.Kernel.Registry at FFFFF80328202198
  LevelPlus1: 100
  KeywordAny: 800000000000
  KeywordAll: 0
  RegHandle:  FFFFBC0F1A88D190
  EnableCallback: FFFFF80327E02BF0 \SystemRoot\system32\ntoskrnl.exe
  GuidEntry: FFFFBC0F19F59DE0
 
and the ETW_GUID_ENTRY from ETW_SILODRIVERSTATE.EtwpGuidHashTable:
 KEtw10[33.23]: RefCount 1 IsEnabled 0 level 0 at FFFFBC0F19F59DE0 (E9EAF418-0C07-464C-AD14-A7F353349A00) Microsoft.Windows.Kernel.Registry

As you can see, this ETW_GUID_ENTRY was disabled, so no tracing of registry events happens.
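The six checks above, run over a modelled memory snapshot, as an added example that is not the author's tool. Real structure layouts are not reproduced: each structure is a dict carrying only the fields the post names (_TlgProvider_t: LevelPlus1, RegHandle, EnableCallback; ETW_REG_ENTRY: GuidEntry; ETW_GUID_ENTRY: its GUID and the IsEnabled value the tool prints). The Microsoft.Windows.Kernel.Registry addresses are the ones from the sample output; the ntoskrnl image range, the second registration and the tampered Microsoft.Windows.Kernel.HAL provider are constructed. "Right ETW_GUID_ENTRY" is taken here to mean the hash-table entry carrying the provider's own GUID.

```python
"""Apply the post's six mitigation checks to a modelled kernel memory snapshot.

Added example, not the author's tool. Structures are dicts with only the
fields named in the post; addresses marked 'constructed' are assumptions.
"""

# Constructed: the module owning the providers and its image range (assumption).
NTOSKRNL = {"Name": r"\SystemRoot\system32\ntoskrnl.exe",
            "Base": 0xFFFFF80327C00000, "Size": 0x01000000}

# ETW_SILODRIVERSTATE.EtwpGuidHashTable, modelled as address -> ETW_GUID_ENTRY.
GUID_HASH_TABLE = {
    0xFFFFBC0F19F59DE0: {"Guid": "E9EAF418-0C07-464C-AD14-A7F353349A00",
                         "Name": "Microsoft.Windows.Kernel.Registry", "IsEnabled": 0},
    0xFFFFBC0F19F5A000: {"Guid": "7614521C-4D0B-4341-BFC9-873082C0F1D3",   # constructed
                         "Name": "KernelGeneral", "IsEnabled": 1},
}

# Registered ETW_REG_ENTRY structures, address -> fields.
REG_ENTRIES = {
    0xFFFFBC0F1A88D190: {"GuidEntry": 0xFFFFBC0F19F59DE0},
    0xFFFFBC0F1A88E000: {"GuidEntry": 0xFFFFBC0F19F5A000},                  # constructed
}

# _TlgProvider_t structures found in the kernel, address -> fields.
PROVIDERS = {
    # Values taken from the tool's sample output in the post.
    0xFFFFF80328202198: {"Name": "Microsoft.Windows.Kernel.Registry",
                         "Guid": "E9EAF418-0C07-464C-AD14-A7F353349A00",
                         "LevelPlus1": 0x100, "RegHandle": 0xFFFFBC0F1A88D190,
                         "EnableCallback": 0xFFFFF80327E02BF0},
    # Constructed tampered provider: LevelPlus1 zeroed, EnableCallback pointing
    # outside ntoskrnl, RegHandle redirected to another provider's registration.
    0xFFFFF80328203000: {"Name": "Microsoft.Windows.Kernel.HAL",
                         "Guid": "0F51C5A7-0E76-47A5-BEDE-7CF62C5822F6",
                         "LevelPlus1": 0, "RegHandle": 0xFFFFBC0F1A88E000,
                         "EnableCallback": 0xFFFFBC0F20000000},
}


def in_image(addr, module):
    """True if addr lies inside the module's mapped image."""
    return module["Base"] <= addr < module["Base"] + module["Size"]


def check_provider(prov, module=NTOSKRNL, reg_entries=REG_ENTRIES,
                   guid_table=GUID_HASH_TABLE):
    """Run checks 2-6 on one _TlgProvider_t and return the list of findings."""
    findings = []
    # 2. LevelPlus1 == 0 silences every event of this provider.
    if prov["LevelPlus1"] == 0:
        findings.append("LevelPlus1 is zero")
    # 3. EnableCallback must stay inside the module that owns the provider.
    if not in_image(prov["EnableCallback"], module):
        findings.append("EnableCallback points outside %s" % module["Name"])
    # 4. RegHandle must be a registration we know about.
    reg = reg_entries.get(prov["RegHandle"])
    if reg is None:
        findings.append("RegHandle is not a known ETW_REG_ENTRY")
        return findings
    # 5. ETW_REG_ENTRY.GuidEntry must be in EtwpGuidHashTable and carry this
    #    provider's own GUID.
    guid_entry = guid_table.get(reg["GuidEntry"])
    if guid_entry is None:
        findings.append("GuidEntry is not in EtwpGuidHashTable")
        return findings
    if guid_entry["Guid"].upper() != prov["Guid"].upper():
        findings.append("GuidEntry belongs to %s, not this provider" % guid_entry["Name"])
    # 6. The ETW_GUID_ENTRY itself must not have been disabled.
    if guid_entry["IsEnabled"] == 0:
        findings.append("ETW_GUID_ENTRY is disabled (IsEnabled 0)")
    return findings


def audit(providers=PROVIDERS):
    """Step 1 is the provider enumeration; here it is the dict. Return {address: findings}."""
    report = {}
    for addr, prov in providers.items():
        findings = check_provider(prov)
        if findings:
            report[addr] = findings
    return report


if __name__ == "__main__":
    for addr, findings in audit().items():
        print("%s at %016X" % (PROVIDERS[addr]["Name"], addr))
        for f in findings:
            print("  -", f)
```

Run as is, the Registry provider from the sample output produces exactly one finding (the disabled ETW_GUID_ENTRY) while the constructed HAL provider trips three checks; in a real implementation the three dicts would be filled from the kernel image (step 1, the GUID search), the registration list and the GUID hash table, and the module range from the loaded-module list.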
