Basically the structure _TlgProvider_t in the kernel is almost the same as in user mode, but the field RegHandle points to an ETW_REG_ENTRY. You can easily find them using a simple search for known GUIDs - I made a PoC for arm64 (and for ndis.sys too).
The kernel contains the following TLG providers:
- Microsoft.Windows.TlgAggregateInternal, GUID 703FCC13-B66F-5868-DDD9-E2DB7F381FFB
- KernelExecutive, GUID 8944A53C-A561-4E53-A0C6-D565414745FC
- Microsoft.Windows.Kernel.BootEnvironment, GUID 23B76A75-CE4F-56EF-F903-C3A2D6AE3F6B
- MSTelCov, GUID 1DD9B8C9-E078-4075-B9DE-4E5125071A18
- KernelProcess, GUID 2839FF94-8F12-4E1B-82E3-AF7AF77A450F
- KernelGeneral, GUID 7614521C-4D0B-4341-BFC9-873082C0F1D3
- Microsoft-Windows-Kernel-Vm, GUID B7FBD4E0-FA8F-4C58-B0FB-3CC227B86ED6. Located in section ALMOSTRO
- Microsoft.Windows.Kernel.Security, GUID 09A69A38-2680-4BFA-AD01-792AD63A4FF2
- Microsoft.Windows.Security.Capabilities, GUID 27A8FDF4-9B77-575B-BE3B-E7163EF159BB
- Microsoft.Windows.Kernel.ProcessSubsystem, GUID C59673D8-B796-58DF-FBF8-A70BAD656DCA
- Microsoft.Windows.Kernel.Ttm, GUID 5E753E4D-2B0D-4451-B8F9-0F1253CA0B44. Located in section PAGEDATA
- Microsoft.Windows.Kernel.Power.PowerTransitions, GUID 050BF899-DA06-4852-A63A-81E6B9A1C74F
- Microsoft.Windows.Kernel.Power.DirectedDrips, GUID 0D2ED727-38A0-4B2B-9F7E-EC79B5EC4AA5. Located in section PAGEDATA
- Microsoft.Windows.Kernel.Power, GUID 63BCA7A1-77EC-4EA7-95D0-98D3F0C0EBF7
- Microsoft.Windows.Kernel.Power.DiagFxAccounting, GUID 57D04B7B-550A-49A2-ABCC-A7FA15598A30
- Microsoft.Windows.Kernel.ObjectManager, GUID F39412D1-C9FD-5E79-8A82-9C9CBD8CA809
- Microsoft-Windows-Kernel-Mm, GUID 7E9E8B9C-406C-5D73-E566-0F50EA3ADE3E
- Microsoft.Windows.Kernel.Kernel, GUID 061C37C3-1363-5C1B-B8ED-F3D8F74633CE
- Microsoft.Windows.Kernel.PnP, GUID 6C0EBBBB-C292-457D-9675-DFCC1C0D58B0
- Microsoft.Windows.Kernel.DeviceConfig, GUID C8BDE9FF-F31F-59DC-6C27-CA37C516ADA5
- Microsoft.Windows.Kernel.SysEnv, GUID A9FDF37B-D72D-4051-A3CD-D422103CE079
- Microsoft.Windows.Kernel.LiveDump, GUID A4D16FC5-D1CF-4D72-A055-25F3EB02A70E
- Microsoft.Windows.Kernel.Dump, GUID A51EE86B-8EA5-454C-9A7D-37B6655A535D
- IumTelemetryProvider, GUID 73A33AB2-1966-4999-8ADD-868C41415269
- Microsoft.Windows.Containers.RegistryVirtualization, GUID 252D9ECC-1C9F-4917-8760-F872A83BF018
- Microsoft.Windows.Kernel.FeatureConfigurationManager, GUID F7E83426-2B81-58F9-C5D4-F2DB6D0AD473
- Microsoft.Windows.Kernel.Registry, GUID E9EAF418-0C07-464C-AD14-A7F353349A00
- Microsoft.Windows.FileSystem.Cache, GUID 74093E1D-DBE3-4019-B97D-54EDCB02CFED
- Microsoft.Windows.Kernel.HAL, GUID 0F51C5A7-0E76-47A5-BEDE-7CF62C5822F6
So what can bad guys do knowing the addresses of these _TlgProvider_t structures?
- as in user mode, they could zero the field LevelPlus1
- they could hijack the ETW_REG_ENTRY, pointing it at some custom ETW provider
- they can patch TRACE_ENABLE_INFO in ETW_REG_ENTRY.GuidEntry and so disable tracing
- and, much better for them: do you see the field EnableCallback? By default it is set to the function TlgAggregateInternalRegisteredProviderEtwCallback with the prototype
void TlgAggregateInternalRegisteredProviderEtwCallback(struct _GUID const *, unsigned long, unsigned char, unsigned __int64, unsigned __int64, struct _EVENT_FILTER_DESCRIPTOR *, void *)
so by hooking it they could get a real-time notification whenever someone wants to turn on logging for the system (and perhaps remove all their hooks until better times)
Mitigations
To ensure that your ETW-based EDR is still not blind you could:
- find _TlgProvider_t in the kernel and drivers
- check the field LevelPlus1
- check for a hook on EnableCallback
- check that the field RegHandle points to the right ETW_REG_ENTRY
- which in turn points to the right ETW_GUID_ENTRY
- and check that this ETW_GUID_ENTRY was not disabled
Btw this is exactly what the new tool I'm working on does - so let's see a sample of its output:
and ETW_GUID_ENTRY from ETW_SILODRIVERSTATE.EtwpGuidHashTable: [1] Microsoft.Windows.Kernel.Registry at FFFFF80328202198
LevelPlus1: 100
KeywordAny: 800000000000
KeywordAll: 0
RegHandle: FFFFBC0F1A88D190
EnableCallback: FFFFF80327E02BF0 \SystemRoot\system32\ntoskrnl.exe
GuidEntry: FFFFBC0F19F59DE0
KEtw10[33.23]: RefCount 1 IsEnabled 0 level 0 at FFFFBC0F19F59DE0 (E9EAF418-0C07-464C-AD14-A7F353349A00) Microsoft.Windows.Kernel.Registry
As you can see, this ETW_GUID_ENTRY was disabled, so no tracing of registry events happens.
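As an added example (not the author's tool), here is a Python check that parses one record in the shape of the output above and applies the checklist from the Mitigations section. The record text is constructed from the sample, and the check assumes that a kernel provider's EnableCallback should resolve into ntoskrnl.exe, as it does in the sample.

```python
import re
# Two kernel TraceLogging providers with GUIDs taken from the list above.
KNOWN_PROVIDERS = {
    "Microsoft.Windows.Kernel.Registry": "E9EAF418-0C07-464C-AD14-A7F353349A00",
    "KernelProcess": "2839FF94-8F12-4E1B-82E3-AF7AF77A450F",
}

# Constructed record in the same shape as the tool output quoted above.
SAMPLE = """\
[1] Microsoft.Windows.Kernel.Registry at FFFFF80328202198
LevelPlus1: 100
KeywordAny: 800000000000
KeywordAll: 0
RegHandle: FFFFBC0F1A88D190
EnableCallback: FFFFF80327E02BF0 \\SystemRoot\\system32\\ntoskrnl.exe
GuidEntry: FFFFBC0F19F59DE0
KEtw10[33.23]: RefCount 1 IsEnabled 0 level 0 at FFFFBC0F19F59DE0 (E9EAF418-0C07-464C-AD14-A7F353349A00) Microsoft.Windows.Kernel.Registry
"""

def parse_provider(text):
    """Extract one _TlgProvider_t record (all numbers in the dump are hex)."""
    rec = {}
    m = re.search(r"\[\d+\] (\S+) at ([0-9A-F]+)", text)
    rec["name"], rec["address"] = m.group(1), int(m.group(2), 16)
    for key in ("LevelPlus1", "KeywordAny", "KeywordAll", "RegHandle", "GuidEntry"):
        rec[key] = int(re.search(rf"{key}: ([0-9A-F]+)", text).group(1), 16)
    m = re.search(r"EnableCallback: ([0-9A-F]+) (\S+)", text)
    rec["EnableCallback"] = int(m.group(1), 16)
    rec["EnableCallbackModule"] = m.group(2).rsplit("\\", 1)[-1].lower()
    m = re.search(r"IsEnabled (\d) .* at ([0-9A-F]+) \(([0-9A-F-]+)\)", text)
    rec["GuidEntryEnabled"] = m.group(1) == "1"
    rec["GuidEntryAddr"] = int(m.group(2), 16)
    rec["Guid"] = m.group(3).upper()
    return rec

def audit_provider(rec):
    """Run the Mitigations checklist; an empty list means the provider can still log."""
    findings = []
    if rec["LevelPlus1"] == 0:
        findings.append("LevelPlus1 is zero: provider silenced")
    if rec["EnableCallbackModule"] != "ntoskrnl.exe":  # assumption: kernel callback lives in ntoskrnl
        findings.append("EnableCallback resolves outside ntoskrnl.exe: possible hook")
    if rec["GuidEntry"] != rec["GuidEntryAddr"]:
        findings.append("GuidEntry does not match the ETW_GUID_ENTRY in EtwpGuidHashTable")
    if KNOWN_PROVIDERS.get(rec["name"]) != rec["Guid"]:
        findings.append("GUID differs from the known provider GUID")
    if not rec["GuidEntryEnabled"]:
        findings.append("ETW_GUID_ENTRY is disabled: no events are delivered")
    return findings
```

Run against the constructed record, the only finding is the disabled ETW_GUID_ENTRY, which is exactly the blind spot the sample output shows.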