- Microsoft-based native Win32 port. No binary distribution available yet; download the source distribution and compile it.
- Microsoft-based native Win64 port. Same features as the Microsoft-based native Win32 port, but generates 64-bit code. No binary distribution available yet; download the source distribution and compile it.
Friday, July 27, 2012
Ocaml 4.00
released
Wednesday, July 25, 2012
wincheck rc8.22
Download mirror
Changelog:
- add checking of various hypervisor callbacks
- add checking of netio!KfdRegisterLayerEventNotify callbacks (-ndis option)
- add checking of callback tables in Fwpkclnt.sys (-ndis option)
- some bugs were fixed
Tuesday, July 24, 2012
hypervisor callbacks in w8
There are a couple of exported functions for setting up hypervisor-related callbacks:
HvlRegisterWheaErrorNotification
Stores the WHEA callback in the global variable HvlpWheaErrorNotificationCallback.
HvlRegisterInterruptCallback
Stores up to 5 callbacks (up to 8 in the w8 release preview) in the global array HvlpInterruptCallback. These callbacks are called from HvlRouteInterrupt:
- index 0 - from KiHvInterrupt
- index 1 - from KiVmbusInterrupt0
- index 2 - from KiVmbusInterrupt1
- index 3 - from KiVmbusInterrupt2
- index 4 - from KiVmbusInterrupt3
Monday, July 16, 2012
netio!KfdRegisterLayerEventNotify
In Windows 8 there is another undocumented function for setting a callback inside netio.sys. Check it in the disassembly:
mov edi, _gWfpGlobal
xor edx, edx                    ; edx = slot index
lea ecx, [edi+2B8h]             ; ecx = address of the first callback slot
lea esp, [esp+0Ch+var_C]
loc_32314:
cmp dword ptr [ecx], 0          ; is this slot already taken?
jnz short loc_32397
mov eax, [ebp+callback]
lea ecx, [edx+edx*2] ; * 3
mov [edi+ecx*4+2B8h], eax ; * 12  ; callback -> gWfpGlobal + 0x2B8 + index*0xC
movzx ecx, [ebp+arg_4]
mov eax, _gWfpGlobal
lea edx, [edx+edx*2]
add edx, edx
add edx, edx
mov [edx+eax+2B4h], ecx         ; arg_4 -> gWfpGlobal + 0x2B4 + index*0xC
mov ecx, [ebp+arg_0]
mov eax, _gWfpGlobal
mov [edx+eax+2B0h], ecx         ; arg_0 -> gWfpGlobal + 0x2B0 + index*0xC
...
inc edx
add ecx, 0Ch                    ; advance to the next slot
cmp edx, 5                      ; 5 slots in total
jb loc_32314
We can see here that gWfpGlobal holds, starting at offset 0x2B8, 5 slots 0xC bytes apart (0x10 on x64) in which the callback pointer is stored (the two dwords before each slot, at 0x2B0 and 0x2B4, receive arg_0 and arg_4). Both gWfpGlobal and the offset can be obtained by static analysis.
Friday, July 13, 2012
callback tables in Fwpkclnt.sys on w8
It seems that under w8 there are a couple of undocumented exported functions that are called to set up callback tables: FwpsL2DispatchTableAndGlobalsSet0 & FwpsTcpIpDispatchTableAndGlobalsSet0.
Check, for example, FwpsTcpIpDispatchTableAndGlobalsSet0 in the disassembly:
mov edi, edi
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
mov esi, [ebp+arg_0]            ; source: table supplied by the caller
push edi
mov edi, TcpIpDispatchTable     ; destination: global copy
push 2Ah
pop ecx                         ; ecx = 0x2A dwords
rep movsd                       ; copy the table
We see here that 0x2A dwords from arg_0 are copied into a variable which I named TcpIpDispatchTable. It can easily be obtained by static analysis. FwpsL2DispatchTableAndGlobalsSet0 looks identical.
Sample of output from w8 release preview:
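As an added example (not code from this blog and not wincheck's source), the following C program implements the kind of check these three posts describe for HvlpInterruptCallback, the five slots at gWfpGlobal+0x2B8 and the TcpIpDispatchTable copy: given the layout recovered by static analysis (address of the first slot, slot count, stride and pointer width), it walks the slots and reports every non-null pointer that does not land inside a known module, which is what a foreign callback installed by a rootkit looks like. Kernel memory is replaced by a constructed 32-bit image; all addresses, module ranges and slot contents are made up for the demonstration. The 0x10 stride on x64 is taken from the post above; treating every TcpIpDispatchTable dword as a function pointer is an assumption (the name "DispatchTableAndGlobals" suggests some entries are plain globals, which a real check would filter out).

```c
/* Added example, not the blog's or wincheck's code: generic scanner for kernel
 * callback arrays, run against a constructed x86 memory image (offline). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint64_t base; uint64_t size; } module_range_t;

/* Layout of one callback array as recovered from the registering function. */
typedef struct {
    const char *name;
    uint64_t    first_slot;  /* address of the first function-pointer slot */
    size_t      count;       /* number of slots (5, 8, 0x2A, ...) */
    size_t      stride;      /* distance between slots: 4, 0xC, 0x10, ... */
    size_t      ptr_size;    /* 4 on x86, 8 on x64 */
} callback_array_t;

typedef struct { size_t used; size_t suspicious; } scan_result_t;

/* Simulated kernel memory: a flat byte image mapped at `base`. */
typedef struct { uint64_t base; uint8_t *bytes; size_t size; } memory_image_t;

static int in_image(const memory_image_t *m, uint64_t addr, size_t n)
{
    return addr >= m->base && addr + n <= m->base + m->size;
}

/* Little-endian read of a ptr_size-byte value, as laid out on x86/x64. */
static int read_ptr(const memory_image_t *m, uint64_t addr, size_t ptr_size, uint64_t *out)
{
    if (!in_image(m, addr, ptr_size)) return 0;
    const uint8_t *p = m->bytes + (addr - m->base);
    uint64_t v = 0;
    for (size_t i = 0; i < ptr_size; i++) v |= (uint64_t)p[i] << (8 * i);
    *out = v;
    return 1;
}

static void write_ptr(memory_image_t *m, uint64_t addr, size_t ptr_size, uint64_t v)
{
    if (!in_image(m, addr, ptr_size)) return;
    uint8_t *p = m->bytes + (addr - m->base);
    for (size_t i = 0; i < ptr_size; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static const module_range_t *owner_of(const module_range_t *mods, size_t n, uint64_t p)
{
    for (size_t i = 0; i < n; i++)
        if (p >= mods[i].base && p < mods[i].base + mods[i].size) return &mods[i];
    return NULL;
}

/* Walk the slots; a non-zero pointer outside every known module is suspicious. */
scan_result_t scan_callbacks(const memory_image_t *m, const callback_array_t *arr,
                             const module_range_t *mods, size_t nmods)
{
    scan_result_t r = { 0, 0 };
    for (size_t i = 0; i < arr->count; i++) {
        uint64_t slot = arr->first_slot + i * arr->stride, fn;
        if (!read_ptr(m, slot, arr->ptr_size, &fn)) {
            printf("%s[%zu]: slot %#llx unreadable\n", arr->name, i, (unsigned long long)slot);
            break;
        }
        if (fn == 0) continue;              /* empty slot */
        r.used++;
        const module_range_t *owner = owner_of(mods, nmods, fn);
        printf("%s[%zu] = %#llx -> %s\n", arr->name, i, (unsigned long long)fn,
               owner ? owner->name : "UNKNOWN (suspicious)");
        if (!owner) r.suspicious++;
    }
    return r;
}

/* Builds the constructed image, scans the three arrays and returns the total
 * number of suspicious slots; per-array results go to `out` when non-NULL. */
size_t demo_scan(scan_result_t out[3])
{
    static uint8_t bytes[0x800];
    memory_image_t img = { 0x10000, bytes, sizeof bytes };
    memset(bytes, 0, sizeof bytes);
    /* Constructed module ranges (not real load addresses). */
    const module_range_t mods[] = {
        { "ntoskrnl.exe", 0x80400000, 0x00400000 },
        { "vmbus.sys",    0x8a000000, 0x00020000 },
        { "tcpip.sys",    0x8b000000, 0x00100000 },
    };
    /* Constructed addresses of the globals inside the image. */
    const uint64_t HvlpInterruptCallback = 0x10010; /* 5 dword slots */
    const uint64_t gWfpGlobal            = 0x10100; /* callbacks at +0x2B8, stride 0xC */
    const uint64_t TcpIpDispatchTable    = 0x10500; /* 0x2A dwords */

    write_ptr(&img, HvlpInterruptCallback + 0, 4, 0x80401000); /* ntoskrnl: fine */
    write_ptr(&img, HvlpInterruptCallback + 4, 4, 0x8a001000); /* vmbus: fine */
    write_ptr(&img, HvlpInterruptCallback + 8, 4, 0x9ff00000); /* no module: suspicious */
    write_ptr(&img, gWfpGlobal + 0x2B8 + 0 * 0xC, 4, 0x8b002000);
    write_ptr(&img, gWfpGlobal + 0x2B8 + 1 * 0xC, 4, 0x9ff01000); /* suspicious */
    for (size_t i = 0; i < 0x2A; i += 3)                          /* 14 tcpip entries */
        write_ptr(&img, TcpIpDispatchTable + i * 4, 4, 0x8b010000 + i * 0x10);

    const callback_array_t arrays[3] = {
        { "HvlpInterruptCallback", HvlpInterruptCallback, 5,    4,   4 },
        { "gWfpGlobal+0x2B8",      gWfpGlobal + 0x2B8,    5,    0xC, 4 },
        { "TcpIpDispatchTable",    TcpIpDispatchTable,    0x2A, 4,   4 },
    };
    size_t suspicious = 0;
    for (size_t i = 0; i < 3; i++) {
        scan_result_t r = scan_callbacks(&img, &arrays[i], mods, 3);
        if (out) out[i] = r;
        suspicious += r.suspicious;
    }
    return suspicious;
}

int main(void)
{
    printf("suspicious slots: %zu\n", demo_scan(NULL));
    return 0;
}
```

On a real system the image would be read from the kernel (or a memory dump) and the module ranges taken from the loaded-module list; the array descriptors are the only part that changes between Windows builds, which is why the offsets have to be recovered by static analysis for each release.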