Let's see what gcc generates for arm64, for example gcc 7.5 and the Linux kernel.
Function do_sysinstr:
process_all_poor_gcc_functions poorgcc64 0 1
FFFFFFC010C116C8 is the address of sys64_hooks, and now it has the right xref.
Do you still believe what is written in Cyrillic?
I already described how you can extract the address of GlobalRpcServer and the offsets of some RPC_SERVER_T fields. Let's do it for arm64 in a declarative manner using an FSM.
Start again with the I_RpcServerRegisterForwardFunction function: from it we can get the address of RpcHasBeenInitialized (stored with index 1), GlobalRpcServer (index 2) and the RPC_SERVER_T.pRpcForwardFunction offset (index 3):
In the previous post I described a declarative way to find non-exported data and functions using an FSM. But often you also need to know the offsets of some fields in structures, and they change between different versions of Windows. So let's see if this can be done in the same declarative manner.
Perhaps the safest way is to track the registers that contain the arguments to some function (which, by the way, need not be exported). So I added two more states to the FSM.
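An added illustration of both points above, the missing xrefs for adrp + add/ldr pairs in gcc's arm64 output and the register tracking used to derive a structure field offset; it is not the poorgcc or afsm code from the posts. It tracks registers symbolically across one basic block: after an adrp the register holds a page address, an add/ldr/str using that base gives the absolute target (the xref), and once a known global pointer has been loaded, a later ldr/str through that register yields the field offset. The sys64_hooks address is the one quoted above; the code addresses, the GlobalRpcServer stand-in address and the instruction words are constructed with the small encoders at the bottom, not taken from a real kernel or rpcrt4.dll.

```python
# Added example (not the poorgcc/afsm code from the post): a minimal arm64
# register tracker that (1) resolves adrp + add/ldr/str pairs into absolute
# addresses and (2) records the field offset when a loaded global pointer is
# later dereferenced.  All addresses except SYS64_HOOKS are constructed.

PAGE = 0xFFF
MASK64 = (1 << 64) - 1

# opcode prefix -> (mnemonic, access size, is_load) for the unsigned-offset
# LDR/STR forms gcc emits after an adrp
MEM_OPS = {
    0xF9400000: ("ldr", 8, True),
    0xF9000000: ("str", 8, False),
    0xB9400000: ("ldr", 4, True),
    0xB9000000: ("str", 4, False),
}


def decode_adrp(pc, insn):
    """ADRP Xd, label -> (rd, page address) or None."""
    if insn & 0x9F000000 != 0x90000000:
        return None
    imm = (((insn >> 5) & 0x7FFFF) << 2) | ((insn >> 29) & 0x3)
    if imm & (1 << 20):            # 21-bit signed page delta
        imm -= 1 << 21
    return insn & 0x1F, ((pc & ~PAGE) + (imm << 12)) & MASK64


def decode_add_imm(insn):
    """ADD Xd, Xn, #imm{, lsl #12} -> (rd, rn, imm) or None."""
    if insn & 0xFF800000 != 0x91000000:
        return None
    imm = (insn >> 10) & 0xFFF
    if insn & (1 << 22):
        imm <<= 12
    return insn & 0x1F, (insn >> 5) & 0x1F, imm


def decode_mem(insn):
    """LDR/STR Xt|Wt, [Xn, #off] -> (mnemonic, is_load, rt, rn, off) or None."""
    op = MEM_OPS.get(insn & 0xFFC00000)
    if op is None:
        return None
    name, scale, is_load = op
    return name, is_load, insn & 0x1F, (insn >> 5) & 0x1F, ((insn >> 10) & 0xFFF) * scale


def track(base, words, symbols):
    """Walk one basic block of instruction words starting at base.

    regs maps a register to ("addr", A) = holds address A, or ("ptr", name) =
    holds the pointer loaded from global `name`.  Returns (xrefs, fields):
    xrefs are (insn_addr, target); fields are (insn_addr, global, offset, mnemonic)
    for accesses through a tracked global pointer.  An instruction we cannot
    decode clears all state, since we cannot see which register it overwrote.
    """
    regs, xrefs, fields = {}, [], []
    for i, insn in enumerate(words):
        pc = base + 4 * i
        a = decode_adrp(pc, insn)
        if a:
            regs[a[0]] = ("addr", a[1])
            continue
        d = decode_add_imm(insn)
        if d:
            rd, rn, imm = d
            v = regs.get(rn)
            if v and v[0] == "addr":
                regs[rd] = ("addr", (v[1] + imm) & MASK64)
                xrefs.append((pc, regs[rd][1]))
            else:
                regs.pop(rd, None)
            continue
        m = decode_mem(insn)
        if m:
            name, is_load, rt, rn, off = m
            v = regs.get(rn)
            if v and v[0] == "addr":
                target = (v[1] + off) & MASK64
                xrefs.append((pc, target))
                if is_load:
                    if target in symbols:
                        regs[rt] = ("ptr", symbols[target])   # now holds *global
                    else:
                        regs.pop(rt, None)
            elif v and v[0] == "ptr":
                fields.append((pc, v[1], off, name))          # struct field access
                if is_load:
                    regs.pop(rt, None)
            elif is_load:
                regs.pop(rt, None)
            continue
        regs.clear()
    return xrefs, fields


# --- tiny assemblers so the constructed sample is self-contained ---

def enc_adrp(pc, rd, target):
    delta = ((target & ~PAGE) - (pc & ~PAGE)) >> 12
    assert -(1 << 20) <= delta < (1 << 20), "adrp reach is +/-4 GiB"
    delta &= 0x1FFFFF
    return 0x90000000 | ((delta & 0x3) << 29) | ((delta >> 2) << 5) | rd


def enc_add(rd, rn, imm):
    assert 0 <= imm < 0x1000
    return 0x91000000 | (imm << 10) | (rn << 5) | rd


def enc_mem(op, rt, rn, off):
    scale = MEM_OPS[op][1]
    assert off % scale == 0 and 0 <= off // scale < 0x1000
    return op | ((off // scale) << 10) | (rn << 5) | rt


RET = 0xD65F03C0
SYS64_HOOKS = 0xFFFFFFC010C116C8     # address quoted in the post
XREF_BASE = 0xFFFFFFC0100A1234       # constructed code address
GLOBAL_PTR = 0xFFFFFFC010D00040      # constructed stand-in for GlobalRpcServer
FIELD_BASE = 0xFFFFFFC010500000      # constructed code address


def resolve_sys64_hooks_xref():
    """adrp x0, sys64_hooks ; add x0, x0, #lo12 -> one xref from the add."""
    code = [enc_adrp(XREF_BASE, 0, SYS64_HOOKS),
            enc_add(0, 0, SYS64_HOOKS & PAGE), RET]
    return track(XREF_BASE, code, {})[0]


def derive_field_offset():
    """adrp x8, g ; ldr x8, [x8, #lo12] ; str x0, [x8, #0x48]
    -> the store through the loaded pointer reveals a field at offset 0x48."""
    code = [enc_adrp(FIELD_BASE, 8, GLOBAL_PTR),
            enc_mem(0xF9400000, 8, 8, GLOBAL_PTR & PAGE),
            enc_mem(0xF9000000, 0, 8, 0x48), RET]
    return track(FIELD_BASE, code, {GLOBAL_PTR: "GlobalRpcServer"})


if __name__ == "__main__":
    for pc, target in resolve_sys64_hooks_xref():
        print(f"{pc:X}: xref to {target:X}")
    for pc, name, off, mn in derive_field_offset()[1]:
        print(f"{pc:X}: {mn} through {name} at offset {off:#x}")
```

Clearing all state on any undecoded instruction is the conservative choice: a stale register would silently produce a wrong xref or offset, which is worse than missing one. A real implementation would decode the full instruction set (or at least every write to a general-purpose register) and track across basic blocks.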
I added saving and loading of FSM rules to a file, so now you can edit them (or even write new ones by hand) and then apply them with the new tool afsm. So let's see how it works.
As expected, the results of auto-derived FSMs for usermode DLLs are much worse: on rpcrt4.dll, for example, only 76 symbols out of 228 can be found. This is because usermode code contains far fewer unique constants (such as the NTSTATUS values or allocation tags in the kernel). So we need some additional data to make the edges more distinguishable. Let's consider several candidates.
It seems that MS cut off the whole apfnSimpleCall dispatching: there are no more functions.
Let's see what we can do with our auto-derived state machines. All source code is in my github repo.
ldr.exe -se -t 8 -der D:\work\kernel\w10\18346\arm\ntoskrnl.exe 37CC18
found at 0076D850 - KdSystemDebugControl
ldrb exorted KdDebuggerEnabled ldrbapply return 37CC18, must_be 37CC18
ldr.exe -se -t 8 -der D:\work\kernel\w10\18346\arm\ntoskrnl.exe 37CC18 -T d:\work\kernel\w10\rtm\2004\arm\ntoskrnl.exe
ldrb exorted KdDebuggerEnabled ldrbTest[0]: C3F639
// pubsym <rva 0xc3f639> KdLocalDebugEnabled