среда, 3 мая 2017 г.

kernel etw traces in windows 10

In Windows 10 the good old global EtwpGuidHashTable is gone and all registered ETW providers are stored per SILO. Let's see how we can extract them.

First, check the exported function EtwRegister:
  call    _PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
  push    [ebp+arg_C]
  mov     edx, [ebp+arg_0]
  push    dword ptr [ebp+4]
  mov     ecx, [eax+1F0h]               ; ESERVERSILO_GLOBALS.EtwSiloState
  push    [ebp+arg_8]
  push    [ebp+arg_4]
  push    3
  call    _EtwpRegisterProvider@28      ; EtwpRegisterProvider(x,x,x,x,x,x,x)


The function PsGetCurrentServerSiloGlobals returns the current process's SILO, or the default SILO PspHostSiloGlobals stored in the kernel; both have type ESERVERSILO_GLOBALS. Its field EtwSiloState has type ETW_SILODRIVERSTATE:
/*
 * Per-silo ETW driver state; this is the type of ESERVERSILO_GLOBALS.EtwSiloState
 * (read at [eax+1F0h] in the EtwRegister disassembly above). Offsets and sizes
 * are from a 32-bit Windows 10 kernel (4-byte pointers). In Windows 10 the
 * provider GUID hash table that used to be a kernel global lives here, so there
 * is one table per silo; the host's default state is reached via PspHostSiloGlobals.
 */
struct _ETW_SILODRIVERSTATE {
  /*   0x0 */ /*|0x4|*/ struct _ESERVERSILO_GLOBALS* SiloGlobals;                /* presumably a back-pointer to the owning silo globals -- confirm */
  /*   0x8 */ /*|0x168|*/ struct _ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry;
  /* 0x170 */ /*|0x100|*/ struct _EX_RUNDOWN_REF_CACHE_AWARE* EtwpLoggerRundown[64];
  /* 0x270 */ /*|0x100|*/ struct _WMI_LOGGER_CONTEXT* WmipLoggerContext[64];
  /* 0x370 */ /*|0x700|*/ struct _ETW_HASH_BUCKET EtwpGuidHashTable[64];         /* 64 buckets of registered provider GUIDs; the table we are after */
  /* 0xa70 */ /*|0x10|*/ unsigned short EtwpSecurityLoggers[8];
  /* 0xa80 */ /*|0x1|*/ unsigned char EtwpSecurityProviderEnableMask;
  /* 0xa84 */ /*|0x4|*/ long EtwpShutdownInProgress;
  /* 0xa88 */ /*|0x4|*/ unsigned long EtwpSecurityProviderPID;
  /* 0xa8c */ /*|0x10|*/ struct _ETW_PRIV_HANDLE_DEMUX_TABLE PrivHandleDemuxTable;
  /* 0xa9c */ /*|0x10|*/ struct _ETW_COUNTERS EtwpCounters;
  /* 0xab0 */ /*|0x8|*/ union _LARGE_INTEGER LogfileBytesWritten;
  /* 0xab8 */ /*|0x4|*/ struct _ETW_SILO_TRACING_BLOCK* ProcessorBlocks;
};


So we have almost found our hash table: it is EtwpGuidHashTable[64], an array of ETW_HASH_BUCKET:
/*
 * One bucket of EtwpGuidHashTable. Registered ETW_GUID_ENTRY records hang off
 * the three ListHead lists (linked through their GuidList member); all three
 * must be walked to enumerate a bucket. BucketLock is an EX_PUSH_LOCK that
 * presumably guards the lists; a reader working from a memory image cannot
 * acquire it and should validate list pointers rather than trust them.
 */
struct _ETW_HASH_BUCKET {
  /*  0x0 */ /*|0x18|*/ struct _LIST_ENTRY ListHead[3];   /* three separate entry lists per bucket */
  /* 0x18 */ /*|0x4|*/ struct _EX_PUSH_LOCK BucketLock;   /* per-bucket lock */
};


I don't know why 3 lists are used, but we need to traverse all of them. Each list contains ETW_GUID_ENTRY structures:
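/*
 * One registered ETW provider GUID: a node of an ETW_HASH_BUCKET list, linked
 * through GuidList. Offsets and sizes are from a 32-bit Windows 10 kernel.
 *
 * Layout fix: the original dump listed LastEnable (0x28, 0x10 bytes) and
 * MatchId (0x28, 8 bytes) as two consecutive members, but both are annotated at
 * offset 0x28 and the next member, ProviderEnableInfo, starts at
 * 0x38 = 0x28 + 0x10, so the two overlap. They are wrapped in an anonymous
 * union here so the declared layout matches the annotated offsets; member
 * names are unchanged, so e.LastEnable / e.MatchId still work.
 */
struct _ETW_GUID_ENTRY {
  /*   0x0 */ /*|0x8|*/ struct _LIST_ENTRY GuidList;                 /* links this entry into one of the bucket's ListHead lists */
  /*   0x8 */ /*|0x4|*/ long RefCount;                               /* the "RefCount" printed in the sample output */
  /*   0xc */ /*|0x10|*/ struct _GUID Guid;                          /* the provider GUID */
  /*  0x1c */ /*|0x8|*/ struct _LIST_ENTRY RegListHead;              /* presumably the registrations for this GUID -- confirm */
  /*  0x24 */ /*|0x4|*/ void* SecurityDescriptor;                    /* access control for the provider; content not examined here */
  union {                                                            /* overlapping members, see header comment */
    /*  0x28 */ /*|0x10|*/ struct _ETW_LAST_ENABLE_INFO LastEnable;
    /*  0x28 */ /*|0x8|*/ unsigned __int64 MatchId;
  };
  /*  0x38 */ /*|0x20|*/ struct _TRACE_ENABLE_INFO ProviderEnableInfo;
  /*  0x58 */ /*|0x100|*/ struct _TRACE_ENABLE_INFO EnableInfo[8];
  /* 0x158 */ /*|0x4|*/ struct _ETW_FILTER_HEADER* FilterData;
  /* 0x15c */ /*|0x4|*/ struct _ETW_SILODRIVERSTATE* SiloState;      /* back to the owning ETW_SILODRIVERSTATE */
  /* 0x160 */ /*|0x4|*/ struct _EX_PUSH_LOCK Lock;
  /* 0x164 */ /*|0x4|*/ struct _ETHREAD* LockOwner;
};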


ETW_GUID_ENTRY structures are chained through their GuidList field.
Sample output:
KEtw10[18] list 0 - 17 items
 KEtw10[18.0]: RefCount 1 (C755EF4D-DE1C-4E7D-A10D-B8D1E26F5035) CTLGUID_EfsWrtCtlGuid
 KEtw10[18.1]: RefCount 1 (C906ED7B-D3D9-435B-97CD-22F4E7445F2A) Microsoft.Windows.WorkFolders
 KEtw10[18.2]: RefCount 2, KProvider - C1A60542-0621-455E-9326-FC12A2437B43
 KEtw10[18.3]: RefCount 2, KProvider - B702D31C-F586-4FC0-BCF5-F929745199A4
 KEtw10[18.4]: RefCount 1 (81F307DB-F5FB-4C3E-9B9D-8B39A9CB6198) CTLGUID_LmhsvcWppGuid
 KEtw10[18.5]: RefCount 4 (6966FE51-E224-4BAA-99BC-897B3ED3B823) Microsoft.Windows.BrokerBase
 KEtw10[18.6]: RefCount 1 (D0B639E0-E650-4D1D-8F39-1580ADE72784) CTLGUID_LsaTraceControlGuid
 KEtw10[18.7]: RefCount 1 (C1661A64-0A98-48E3-847F-70FFEA51C2EB) CTLGUID_COMPOSITE_BUS
 KEtw10[18.8]: RefCount 3 (CE8DEE0B-D539-4000-B0F8-77BED049C590) ControlGuid_UserModePowerService
 KEtw10[18.9]: RefCount 1, KProvider - BAD49E08-45BE-4E45-BECF-29965AA7D967
 KEtw10[18.10]: RefCount 6 (B92D1FF0-92EC-444D-B7EC-C016F971C000) Microsoft.Windows.Notifications.WpnCore.ToastInteractedWith
 KEtw10[18.11]: RefCount 2 (AA6F6A10-8A13-417D-8799-52361684BD76) Microsoft.Windows.ForegroundManager.RequestExtendedExecution
 KEtw10[18.12]: RefCount 1, KProvider - 72D164BF-FD64-4B2B-87A0-62DBCEC9AE2A
 KEtw10[18.13]: RefCount 4 (3DA5AA05-5152-551F-A243-80A4E743C70E) Microsoft.Windows.Skype.App.SkypeHomePageConversationSelected
 KEtw10[18.14]: RefCount 2 (22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716) PsProvGuid
 KEtw10[18.15]: RefCount 3 (0879871C-E412-4C6A-87A6-74581B0AFAC5) MicrosoftWindowsShellNetworkUX.PNILaunchNetworkUI
 KEtw10[18.16]: RefCount 3 (E18D0FC9-9515-4232-98E4-89E456D8551B) Microsoft-Windows-RTWorkQueue-Threading
KEtw10[18] list 2 - 1 items
 KEtw10[18.0]: RefCount 1, KProvider - 0D943590-B235-5BDB-F854-89520F32FC0B
