Tuesday, 15 November 2016

W32pServiceTableFilter from windows 10 build 14951 x64

kd> ? nt!KeServiceDescriptorTableFilter
Evaluate expression: -8795428636992 = fffff800`2799b6c0

kd> dps fffff800`2799b6c0
fffff800`2799b6c0  fffff800`278f4450 nt!KiServiceTable
fffff800`2799b6c8  00000000`00000000
fffff800`2799b6d0  00000000`000001c4
fffff800`2799b6d8  fffff800`278f4b64 nt!KiArgumentTable
fffff800`2799b6e0  ffffa344`ba544bc0 win32k!W32pServiceTableFilter
fffff800`2799b6e8  00000000`00000000
fffff800`2799b6f0  00000000`0000049c
fffff800`2799b6f8  ffffa344`ba5462d4 win32k!W32pArgumentTableFilter

Wednesday, 9 November 2016

rfg longjumps

In IMAGE_LOAD_CONFIG_DIRECTORY64 there are two fields for setjmp/longjmp support: GuardLongJumpTargetTable and GuardLongJumpTargetCount. Let's look at a module where these fields are non-zero, for example hal.dll

Sunday, 30 October 2016

ntstatus.idc for WDK 10.0.14931.0

added 95 new NTSTATUS values


    WORD    Flags;          // Flags to indicate if CI information is available, etc.
    WORD    Catalog;        // 0xFFFF means not available
    DWORD   CatalogOffset;
    DWORD   Reserved;       // Additional bitmask to be defined later

Friday, 28 October 2016

how to find nt!KeServiceDescriptorTableFilter

Unfortunately, all xrefs to KeServiceDescriptorTableFilter come from non-exported functions, for example PsConvertToGuiThread:
     test    dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
     jnz     short loc_6CAD9D

     mov     dword ptr [esi+3Ch], offset _KeServiceDescriptorTableFilter

But we can use a signature search for a part of test dword ptr [edi+2E8h], 18000h.

Wednesday, 19 October 2016

rfg patches in windows 10 build 14942

Let's look, for example, at the body of the function user32!GetCursor:
.text:00000001800026E0                         GetCursor       proc near
.text:00000001800026E0 66 90                   xchg    ax, ax
.text:00000001800026E2 0F 1F 80 00 00 00 00    nop     dword ptr [rax+00000000h]
.text:00000001800026E9 B9 06 00 00 00          mov     ecx, 6
.text:00000001800026EE 48 FF 25 EB 76 09 00    jmp cs:__imp_NtUserGetThreadState
.text:00000001800026EE                         GetCursor       endp
.text:00000001800026F5 90 90 90 90 90 90 90 90                 db 8 dup(90h)

and in debugger:
0:007> ? user32!GetCursor
Evaluate expression: 140732937348832 = 00007ffe`f0bd26e0
0:007> u 00007ffe`f0bd26e0
00007ffe`f0bd26e0 488b0424        mov     rax,qword ptr [rsp]
00007ffe`f0bd26e4 6448890424      mov     qword ptr fs:[rsp],rax
00007ffe`f0bd26e9 b906000000      mov     ecx,6
00007ffe`f0bd26ee 644c8b1c24      mov     r11,qword ptr fs:[rsp]
00007ffe`f0bd26f3 4c3b1c24        cmp     r11,qword ptr [rsp]
00007ffe`f0bd26f7 0f85a3e40300    jne     USER32!_guard_ss_verify_failure (00007ffe`f0c10ba0)
00007ffe`f0bd26fd 48ff25dc760900  jmp     qword ptr [USER32!_imp_NtUserGetThreadState (00007ffe`f0c69de0)]

Dramatic differences! It seems this code has some compiler support (the NOP padding in the on-disk image) and is patched at load time by changes in the kernel.
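As an added illustration (not code from the original post), here is a small Python script that recognises both forms of the function shown above and checks that the kernel also fixed up the rel32 of the import jmp when the epilogue shifted it. The byte strings are transcribed from the IDA and WinDbg listings; the function RVA 0x26e0 and the two image bases follow from the addresses in those listings.

```python
"""Recognise the two forms of user32!GetCursor shown in the post: the on-disk
NOP-padded stub and the kernel-patched RFG (Return Flow Guard) form.

Added example for this page; the byte strings are transcribed from the IDA
and WinDbg listings above, not read from a live process."""
import struct

# On-disk body (IDA listing, image base 0x180000000):
#   xchg ax,ax ; nop dword ptr [rax+0] ; mov ecx,6 ; jmp cs:__imp_NtUserGetThreadState
ON_DISK = bytes.fromhex("6690 0f1f8000000000 b906000000 48ff25eb760900")
# In-memory body (WinDbg 'u', image base 0x7ffef0bd0000): RFG prologue,
#   mov ecx,6, RFG epilogue (jne _guard_ss_verify_failure), then the same jmp
IN_MEMORY = bytes.fromhex(
    "488b0424 6448890424 b906000000 644c8b1c24 4c3b1c24 0f85a3e40300 48ff25dc760900")

# Padding left by the compiler: xchg ax,ax + 7-byte nop = 9 bytes, exactly the
# size of the RFG prologue the kernel writes over it.
PAD_PROLOGUE = bytes.fromhex("6690 0f1f8000000000")
RFG_PROLOGUE = bytes.fromhex("488b0424 6448890424")       # mov rax,[rsp] ; mov fs:[rsp],rax
RFG_EPILOGUE = bytes.fromhex("644c8b1c24 4c3b1c24 0f85")  # mov r11,fs:[rsp] ; cmp r11,[rsp] ; jne rel32
IMP_JMP = bytes.fromhex("48ff25")                          # jmp qword ptr [rip+rel32]


def classify(code: bytes, va: int) -> dict:
    """Report which form 'code' (loaded at virtual address 'va') is in; for the
    patched form also decode the jne rel32 into the verify-failure address."""
    if code.startswith(RFG_PROLOGUE):
        idx = code.find(RFG_EPILOGUE, len(RFG_PROLOGUE))
        if idx < 0:
            return {"form": "rfg-prologue-only"}
        rel_off = idx + len(RFG_EPILOGUE)            # offset of the jne's rel32
        rel32 = struct.unpack_from("<i", code, rel_off)[0]
        return {"form": "rfg", "verify_failure": va + rel_off + 4 + rel32}
    if code.startswith(PAD_PROLOGUE):
        return {"form": "padded"}
    return {"form": "none"}


def import_slot_rva(code: bytes, func_rva: int) -> int:
    """RVA of the IAT slot referenced by the 'jmp cs:' at the end of the body.
    The epilogue shifts the jmp by 15 bytes, so the kernel must also fix up its
    rel32; both forms should therefore resolve to the same slot."""
    idx = code.find(IMP_JMP)
    if idx < 0:
        raise ValueError("no rip-relative jmp found")
    rel32 = struct.unpack_from("<i", code, idx + 3)[0]
    return func_rva + idx + 7 + rel32


if __name__ == "__main__":
    print(classify(ON_DISK, 0x1800026E0))
    print(classify(IN_MEMORY, 0x00007FFEF0BD26E0))   # verify_failure == 0x7ffef0c10ba0
    print(hex(import_slot_rva(ON_DISK, 0x26E0)), hex(import_slot_rva(IN_MEMORY, 0x26E0)))
```

Both forms resolve the import jmp to the same RVA (0x99de0, the _imp_NtUserGetThreadState slot), which confirms the rel32 was relocated along with the instruction.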