среда, 19 октября 2016 г.

rfg patches in windows 10 build 14942

Lets see for example body of function user32!GetCursor:
.text:00000001800026E0             GetCursor       proc near          .text:00000001800026E0 66 90                   xchg    ax, ax
.text:00000001800026E2 0F 1F 80 00 00 00 00    nop     dword ptr [rax+00000000h]
.text:00000001800026E9 B9 06 00 00 00          mov     ecx, 6
.text:00000001800026EE 48 FF 25 EB 76 09 00    jmp cs:__imp_NtUserGetThreadState
.text:00000001800026EE                         GetCursor       endp
.text:00000001800026F5 90 90 90 90 90 90 90 90                 db 8 dup(90h)

and in debugger:
0:007> ? user32!GetCursor
Evaluate expression: 140732937348832 = 00007ffe`f0bd26e0
0:007> u 00007ffe`f0bd26e0
00007ffe`f0bd26e0 488b0424        mov     rax,qword ptr [rsp]
00007ffe`f0bd26e4 6448890424      mov     qword ptr fs:[rsp],rax
00007ffe`f0bd26e9 b906000000      mov     ecx,6
00007ffe`f0bd26ee 644c8b1c24      mov     r11,qword ptr fs:[rsp]
00007ffe`f0bd26f3 4c3b1c24        cmp     r11,qword ptr [rsp]
00007ffe`f0bd26f7 0f85a3e40300    jne     USER32!_guard_ss_verify_failure (00007ffe`f0c10ba0)
00007ffe`f0bd26fd 48ff25dc760900  jmp     qword ptr [USER32!_imp_NtUserGetThreadState (00007ffe`f0c69de0)]

dramatic differences ! it seems that this code has some compiler support and changes in kernel

понедельник, 10 октября 2016 г.

another cross-process scan

you can use EPROCESS.WnfContext to find list of processes. Lets see how this can be done:
kd> ? nt!ExpWnfProcessesListHead
Evaluate expression: -8781752063864 = fffff803`56c9a888
kd> dp fffff803`56c9a888
fffff803`56c9a888  fffff8a0`00125750 fffff8a0`021fb760
fffff803`56c9a898  00000000`00840082 fffff803`56a43460
fffff803`56c9a8a8  00000000`00120010 fffff803`56a43448
fffff803`56c9a8b8  00000000`00000060 00000000`00000058
fffff803`56c9a8c8  fffff803`56693df0 fffff803`56693dd8
fffff803`56c9a8d8  00000000`00760074 fffff803`56a41cd0
fffff803`56c9a8e8  00000000`00240022 fffff803`56a416c0
fffff803`56c9a8f8  00000000`00140012 fffff803`56a416a8
kd> !pool fffff8a0`00125750 2
Pool page fffff8a000125750 region is Paged pool
*fffff8a000125730 size:   f0 previous size:   90  (Allocated) *Wnf
        Pooltag Wnf  : Windows Notification Facility, Binary : nt!wnf
kd> dp fffff8a0`00125740
fffff8a0`00125740  00000000`00d80906 fffffa80`018a46c0
fffff8a0`00125750  fffff8a0`0010b9e0 fffff803`56c9a888
fffff8a0`00125760  00000000`00000000 00000000`00000000
fffff8a0`00125770  00000000`00000000 00000000`00000000
fffff8a0`00125780  fffff8a0`020c5a50 fffff8a0`00f03690
fffff8a0`00125790  00000000`00000000 fffff8a0`00129028
fffff8a0`001257a0  fffff8a0`015ee5c8 00000000`00000000
fffff8a0`001257b0  fffff8a0`001257b0 fffff8a0`001257b0
kd> !process fffffa80`018a46c0 0
PROCESS fffffa80018a46c0
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a000003000  HandleCount:
    Image: System

kd> dp fffff8a0`0010b9d0
fffff8a0`0010b9d0  00000000`00d80906 fffffa80`038b4940
fffff8a0`0010b9e0  fffff8a0`058ed020 fffff8a0`00125750
fffff8a0`0010b9f0  fffff8a0`00117f40 00000000`00000000
fffff8a0`0010ba00  00000000`00000000 00000000`00000000
fffff8a0`0010ba10  fffff8a0`0010ba10 fffff8a0`0010ba10
fffff8a0`0010ba20  00000000`00000000 fffff8a0`0010b938
fffff8a0`0010ba30  fffff8a0`0587f968 00000000`00000000
fffff8a0`0010ba40  fffff8a0`0010ba40 fffff8a0`0010ba40
kd> !process fffffa80`038b4940 0
PROCESS fffffa80038b4940
    SessionId: 0  Cid: 0148    Peb: 7f630624000  ParentCid: 0140
    DirBase: 10feb000  ObjectTable: fffff8a000555cc0  HandleCount:
    Image: csrss.exe

вторник, 4 октября 2016 г.

simple wnf id decoder

extern "C" int __stdcall check_id(PDWORD);
extern "C" int __stdcall get_wnf_value(PDWORD);

int _tmain(int argc, _TCHAR* argv[])
  if ( argc == 3 )
    wchar_t *end;
    DWORD ids[2];
    ids[0] = wcstoul(argv[1], &end, 16);
    ids[1] = wcstoul(argv[2], &end, 16);
    int whut = check_id(ids);
    if ( whut )
      printf("invalid pair\n");
      printf("id1 %X id2 %X index %d\n", ids[0] ^ 0xA3BC0074, ids[1] ^ 0x41C64E6D, get_wnf_value(ids) );
  return 0; 

the main part of code is functions check_id & get_wnf_value. I am too lazy so just ripped piece of code from ntoskrnl.exe!ExpCaptureWnfStateName function:

среда, 31 августа 2016 г.

bugs in mbedtls DH client/server

1) altough always used constant MBEDTLS_MD_SHA256 parameters are signed with sha1 and then we have MBEDTLS_ERR_RSA_VERIFY_FAILED in library\rsa.c on line 1435
2) in dh_server.c when receiving client's public value length of buffer must be dhm.len

Nice cryptolibrary, totally ready to work in kernel mode I think

вторник, 30 августа 2016 г.

how to build mbedtls-2.3.0 with wdk7

Lets say that you want to have some Diffie-Hellman-Merkle algorithm & hmac inside your driver. I found plain C library mbedtls which is very suitable for this, but has one minor problem - it does not support wdk7. So I just made port for it