Wednesday, February 10, 2021

Using FSM to recover struct field offsets

In the previous post I described a declarative way to find non-exported data and functions using an FSM. But often you also need to know the offsets of certain fields in structures, and they can change between different versions of Windows. So let's see if this can be done in the same declarative manner.

Perhaps the safest way is to track the registers that contain arguments to some function (which, by the way, need not be exported). So I added two more states to the FSM:

  • ldrx register_index. Can have the prefix stg N to remember this address
  • addx register_index. Can have the prefix stg N to remember this address
Amazingly, that is all we need to start recovering offsets!

Let's see an example. I wrote simple rules to extract the field offsets of some ETW-related structures. It starts with the exported function EtwRegister, which contains calls to a couple of non-exported functions: PsGetCurrentServerSiloGlobals (which you can use, for example, to extract the address of PspHostSiloGlobals; I'll leave this as a simple exercise for the reader) and EtwpRegisterProvider. The latter expects ETW_SILODRIVERSTATE as its first parameter, so we can apply ldrx 0 here and get the ESERVERSILO_GLOBALS.EtwSiloState offset.

Then process EtwpRegisterProvider: it contains calls to EtwpFindGuidEntryByGuid, EtwpAddGuidEntry and ExAcquirePushLockExclusiveEx, and from x0 we can also get the ETW_GUID_ENTRY.Lock offset.

Finally, process EtwpFindGuidEntryByGuid to extract the ETW_GUID_ENTRY.Guid offset.
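
As an added illustration (this is not afsm's code, and the rule syntax below is my own hypothetical mini-language, not the real .fsm format), here is a small Python tracker that does what the ldrx/addx states describe: it scans an AArch64 listing, remembers the last ldr or add with an immediate that wrote each register, and when the bl to the named function is reached it stores that immediate under the requested stg slot. The two listings are constructed to mirror the post's slots 2 and 6 for builds 20251 and 18362; they are not real ntoskrnl disassembly.

```python
import re
from typing import Dict, List, Tuple

# Constructed regexes for the small AArch64 subset we need:
# group 1 = destination register, group 2 = base/source register, group 3 = immediate.
LDR_RE = re.compile(r"^\s*ldr\s+x(\d+),\s*\[x(\d+)(?:,\s*#(0x[0-9a-fA-F]+|\d+))?\]")
ADD_RE = re.compile(r"^\s*add\s+x(\d+),\s*x(\d+),\s*#(0x[0-9a-fA-F]+|\d+)")
BL_RE = re.compile(r"^\s*bl\s+(\S+)")

Rule = Tuple  # ("call", name) | ("ldrx", reg, slot) | ("addx", reg, slot)


def parse_rules(text: str) -> List[Rule]:
    """Hypothetical rule syntax (not afsm's .fsm format):
         call NAME     -> wait for the next `bl NAME`
         stg N ldrx R  -> at that call, store the immediate of the last ldr into xR in slot N
         stg N addx R  -> at that call, store the immediate of the last add into xR in slot N
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "call" and len(tok) == 2:
            rules.append(("call", tok[1]))
        elif tok[0] == "stg" and len(tok) == 4 and tok[2] in ("ldrx", "addx"):
            rules.append((tok[2], int(tok[3]), int(tok[1])))
        else:
            raise ValueError(f"bad rule: {raw!r}")
    return rules


def run_rules(listing: List[str], rules: List[Rule]) -> Dict[int, int]:
    """Single linear pass; returns {slot: immediate}. Rules that never match are absent."""
    stored: Dict[int, int] = {}
    last_ldr: Dict[int, int] = {}  # reg -> immediate of the last ldr that wrote it
    last_add: Dict[int, int] = {}  # reg -> immediate of the last add that wrote it
    pos = 0
    for line in listing:
        if m := LDR_RE.match(line):
            dst = int(m.group(1))
            last_ldr[dst] = int(m.group(3), 0) if m.group(3) else 0
            last_add.pop(dst, None)  # the ldr overwrote any earlier add into dst
        elif m := ADD_RE.match(line):
            dst = int(m.group(1))
            last_add[dst] = int(m.group(3), 0)
            last_ldr.pop(dst, None)
        elif m := BL_RE.match(line):
            if pos < len(rules) and rules[pos] == ("call", m.group(1)):
                pos += 1
                # consume every ldrx/addx rule attached to this call site
                while pos < len(rules) and rules[pos][0] in ("ldrx", "addx"):
                    kind, reg, slot = rules[pos]
                    src = last_ldr if kind == "ldrx" else last_add
                    if reg in src:
                        stored[slot] = src[reg]
                    pos += 1
            # under AAPCS64 a call clobbers x0-x17, so forget what we knew about them
            for d in (last_ldr, last_add):
                for r in [r for r in d if r <= 17]:
                    del d[r]
        # plain mov/other instructions are not tracked in this toy (a real tool would be)
    return stored


RULES_TEXT = """
# constructed rules mirroring the post's slots 2 and 6
call EtwpRegisterProvider
stg 2 ldrx 0
call ExAcquirePushLockExclusiveEx
stg 6 addx 0
"""
RULES = parse_rules(RULES_TEXT)


def make_listing(lock_off: int) -> List[str]:
    """Constructed listing shaped like the call sequence the post describes; only the
    ETW_GUID_ENTRY.Lock immediate differs between the two builds."""
    return [
        "EtwRegister:",
        "    bl   PsGetCurrentServerSiloGlobals",
        "    ldr  x0, [x0, #0x360]        ; ESERVERSILO_GLOBALS.EtwSiloState",
        "    mov  x1, x19",
        "    bl   EtwpRegisterProvider",
        "EtwpRegisterProvider:",
        "    bl   EtwpFindGuidEntryByGuid",
        "    mov  x19, x0",
        f"    add  x0, x19, #{lock_off:#x}     ; &ETW_GUID_ENTRY.Lock",
        "    bl   ExAcquirePushLockExclusiveEx",
    ]


LISTING_20251 = make_listing(0x198)
LISTING_18362 = make_listing(0x180)

if __name__ == "__main__":
    for name, listing in (("20251", LISTING_20251), ("18362", LISTING_18362)):
        print(name, {k: hex(v) for k, v in run_rules(listing, RULES).items()})
```

The point of keying each stg slot to a call site rather than to an absolute instruction position is what makes the same rule file survive a rebuild: the immediates move, the call sequence does not. A tool that uses such offsets at runtime should still cross-check them against the PDB (as the post does) before trusting them on a new build.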

Run on kernel build 20251:
afsm.exe -a D:\src\armpatched\fsm\etw.fsm d:\work\kernel\w10\20251\arm\ntoskrnl.exe
 1 - 27A2F8
 2 - 360
 3 - 686490
 4 - 681558
 5 - 67D008
 6 - 198
 7 - 28


ESERVERSILO_GLOBALS.EtwSiloState was stored in index 2, ETW_GUID_ENTRY.Lock in 6 and ETW_GUID_ENTRY.Guid in 7. Now the same rules applied to build 18362:

afsm.exe -a D:\src\armpatched\fsm\etw.fsm d:\work\kernel\w10\18362\arm\ntoskrnl.exe
 1 - 120BE8
 2 - 360
 3 - 5D42F8
 4 - 574DE0
 5 - 59F188
 6 - 180
 7 - 18

You can check in the PDB that ETW_GUID_ENTRY.Lock really has offset 0x180 in this build and ETW_GUID_ENTRY.Guid has offset 0x18.
