вторник, 15 ноября 2016 г.

W32pServiceTableFilter from windows 10 build 14951 x64

kd> ? nt!KeServiceDescriptorTableFilter
Evaluate expression: -8795428636992 = fffff800`2799b6c0

kd> dps fffff800`2799b6c0
fffff800`2799b6c0  fffff800`278f4450 nt!KiServiceTable
fffff800`2799b6c8  00000000`00000000
fffff800`2799b6d0  00000000`000001c4
fffff800`2799b6d8  fffff800`278f4b64 nt!KiArgumentTable
fffff800`2799b6e0  ffffa344`ba544bc0 win32k!W32pServiceTableFilter

fffff800`2799b6e8  00000000`00000000
fffff800`2799b6f0  00000000`0000049c
fffff800`2799b6f8  ffffa344`ba5462d4 win32k!W32pArgumentTableFilter

среда, 9 ноября 2016 г.

rfg longjumps

In IMAGE_LOAD_CONFIG_DIRECTORY64 there are two fields for setjmp/longjmp support - GuardLongJumpTargetTable & GuardLongJumpTargetCount. Lets see some module where this fields are not zero - for example hal.dll

воскресенье, 30 октября 2016 г.

ntstatus.idc for WDK 10.0.14931.0

added 95 new NTSTATUS values


    WORD    Flags;          // Flags to indicate if CI information is available, etc.
    WORD    Catalog;        // 0xFFFF means not available
    DWORD   CatalogOffset;
    DWORD   Reserved;       // Additional bitmask to be defined later

пятница, 28 октября 2016 г.

how to find nt!KeServiceDescriptorTableFilter

Unfortunately all xrefs to KeServiceDescriptorTableFilter are from non-exported functions, for example PsConvertToGuiThread:
     test    dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
     jnz     short loc_6CAD9D

     mov     dword ptr [esi+3Ch], offset _KeServiceDescriptorTableFilter

But we can used signatures search for part of test dword ptr [edi+2E8h], 18000h.

среда, 19 октября 2016 г.

rfg patches in windows 10 build 14942

Lets see for example body of function user32!GetCursor:
.text:00000001800026E0             GetCursor       proc near          .text:00000001800026E0 66 90                   xchg    ax, ax
.text:00000001800026E2 0F 1F 80 00 00 00 00    nop     dword ptr [rax+00000000h]
.text:00000001800026E9 B9 06 00 00 00          mov     ecx, 6
.text:00000001800026EE 48 FF 25 EB 76 09 00    jmp cs:__imp_NtUserGetThreadState
.text:00000001800026EE                         GetCursor       endp
.text:00000001800026F5 90 90 90 90 90 90 90 90                 db 8 dup(90h)

and in debugger:
0:007> ? user32!GetCursor
Evaluate expression: 140732937348832 = 00007ffe`f0bd26e0
0:007> u 00007ffe`f0bd26e0
00007ffe`f0bd26e0 488b0424        mov     rax,qword ptr [rsp]
00007ffe`f0bd26e4 6448890424      mov     qword ptr fs:[rsp],rax
00007ffe`f0bd26e9 b906000000      mov     ecx,6
00007ffe`f0bd26ee 644c8b1c24      mov     r11,qword ptr fs:[rsp]
00007ffe`f0bd26f3 4c3b1c24        cmp     r11,qword ptr [rsp]
00007ffe`f0bd26f7 0f85a3e40300    jne     USER32!_guard_ss_verify_failure (00007ffe`f0c10ba0)
00007ffe`f0bd26fd 48ff25dc760900  jmp     qword ptr [USER32!_imp_NtUserGetThreadState (00007ffe`f0c69de0)]

dramatic differences ! it seems that this code has some compiler support and changes in kernel

понедельник, 10 октября 2016 г.

another cross-process scan

you can use EPROCESS.WnfContext to find list of processes. Lets see how this can be done:
kd> ? nt!ExpWnfProcessesListHead
Evaluate expression: -8781752063864 = fffff803`56c9a888
kd> dp fffff803`56c9a888
fffff803`56c9a888  fffff8a0`00125750 fffff8a0`021fb760
fffff803`56c9a898  00000000`00840082 fffff803`56a43460
fffff803`56c9a8a8  00000000`00120010 fffff803`56a43448
fffff803`56c9a8b8  00000000`00000060 00000000`00000058
fffff803`56c9a8c8  fffff803`56693df0 fffff803`56693dd8
fffff803`56c9a8d8  00000000`00760074 fffff803`56a41cd0
fffff803`56c9a8e8  00000000`00240022 fffff803`56a416c0
fffff803`56c9a8f8  00000000`00140012 fffff803`56a416a8
kd> !pool fffff8a0`00125750 2
Pool page fffff8a000125750 region is Paged pool
*fffff8a000125730 size:   f0 previous size:   90  (Allocated) *Wnf
        Pooltag Wnf  : Windows Notification Facility, Binary : nt!wnf
kd> dp fffff8a0`00125740
fffff8a0`00125740  00000000`00d80906 fffffa80`018a46c0
fffff8a0`00125750  fffff8a0`0010b9e0 fffff803`56c9a888
fffff8a0`00125760  00000000`00000000 00000000`00000000
fffff8a0`00125770  00000000`00000000 00000000`00000000
fffff8a0`00125780  fffff8a0`020c5a50 fffff8a0`00f03690
fffff8a0`00125790  00000000`00000000 fffff8a0`00129028
fffff8a0`001257a0  fffff8a0`015ee5c8 00000000`00000000
fffff8a0`001257b0  fffff8a0`001257b0 fffff8a0`001257b0
kd> !process fffffa80`018a46c0 0
PROCESS fffffa80018a46c0
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000003000  HandleCount:
    Image: System

kd> dp fffff8a0`0010b9d0
fffff8a0`0010b9d0  00000000`00d80906 fffffa80`038b4940
fffff8a0`0010b9e0  fffff8a0`058ed020 fffff8a0`00125750
fffff8a0`0010b9f0  fffff8a0`00117f40 00000000`00000000
fffff8a0`0010ba00  00000000`00000000 00000000`00000000
fffff8a0`0010ba10  fffff8a0`0010ba10 fffff8a0`0010ba10
fffff8a0`0010ba20  00000000`00000000 fffff8a0`0010b938
fffff8a0`0010ba30  fffff8a0`0587f968 00000000`00000000
fffff8a0`0010ba40  fffff8a0`0010ba40 fffff8a0`0010ba40
kd> !process fffffa80`038b4940 0
PROCESS fffffa80038b4940
    SessionId: 0  Cid: 0148    Peb: 7f630624000  ParentCid: 0140
    DirBase: 10feb000  ObjectTable: fffff8a000555cc0  HandleCount:
    Image: csrss.exe