Monday, 14 March 2016

W32pServiceTable from windows 10 build 14279 64bit

W32pServiceLimit .eq. 0x47D

apisetschema.dll from windows 10 build 14279

Several new modules were added:
  • onecoreuap-print-render
  • onecoreuap-settingsync-status
  • win-core-ums
  • win-gdi-internal-uap
  • net-eap-sim
  • win-audiocore-coreaudiopolicymanager
  • win-casting-shell
  • win-com-psmregister
  • win-desktopappx
  • win-direct2d-desktop
  • win-dx-ddraw
  • win-gaming-xinput
  • win-kernelbase-packagebreakaway
  • win-media-avi
  • win-mf-vfw
  • win-ntuser-private
  • win-rtcore-ntuser-wmpointer
  • win-security-shutdownext
  • win-uwf-servicing-apis

Thursday, 3 March 2016

lxcore syscall table

I can't get symbols for lxcore.sys, so I just wrote a simple IDC script. Each item in the table has a very simple structure:
PAGE:00000001C0046620   imul  r14, r12, 38h      ; size of item in syscall table
PAGE:00000001C0046624   mov   r15, rax
PAGE:00000001C0046627   lea   rax, lx_ssdt
PAGE:00000001C004662E   add   r14, rax
PAGE:00000001C0046631   cmp   r12, 136h          ; count of items in syscall table
PAGE:00000001C0046638   jnb   loc_1C00467AE

The string with the method name and its arguments is located at offset 0x10 of each item.
IDC script to dump the syscall table from lxcore.sys:
#include <idc.idc>

// Dump the lxcore.sys syscall table (lx_ssdt) to lx.dmp,
// one line per entry: "<index>\t<name(args)>"
static main(void)
{
  auto addr, name, fp, idx, s_addr;
  fp = fopen("lx.dmp", "w");
  if ( !fp )
  {
    return;
  }
  addr = 0x1C0008110;   // address of lx_ssdt in this build
  // 0x136 entries of 0x38 bytes each (see the imul/cmp in the listing above)
  for ( idx = 0; idx < 0x136; idx = idx + 1, addr = addr + 0x38 )
  {
    s_addr = Qword(addr + 0x10);   // pointer to the "name(args)" string at +0x10
    fprintf(fp, "%X\t", idx);
    if ( s_addr != 0 )             // some entries have no name pointer
    {
      // dump the NUL-terminated string byte by byte
      for ( ; ; s_addr = s_addr + 1 )
      {
        name = Byte(s_addr);
        if ( !name )
          break;
        fprintf(fp, "%c", name);
      }
    }
    fprintf(fp, "\n");
  }
  fclose(fp);
}
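The same walk over lx_ssdt, written as a stand-alone Python parser so it can be run over a raw memory image (or a dumped PAGE section) instead of inside IDA. This is an added example, not code from the post; the entry size, count and name offset come from the listing above, while the sample table contents and the names in it are constructed here and are not the real lxcore.sys names.

```python
import struct

ENTRY_SIZE = 0x38      # imul r14, r12, 38h: size of one table item
ENTRY_COUNT = 0x136    # cmp r12, 136h: number of items
NAME_OFFSET = 0x10     # pointer to the "name(args)" string lives at +0x10
LX_SSDT_VA = 0x1C0008110  # lx_ssdt address used by the IDC script above

def build_sample_image(base, names):
    """Constructed sample: a table of ENTRY_SIZE items followed by the
    NUL-terminated name strings, laid out as if loaded at `base`.
    A None entry gets a NULL name pointer, like unnamed items in the table."""
    table_len = len(names) * ENTRY_SIZE
    entries, strings = bytearray(), b""
    for name in names:
        entry = bytearray(ENTRY_SIZE)
        if name is not None:
            str_va = base + table_len + len(strings)
            struct.pack_into("<Q", entry, NAME_OFFSET, str_va)
            strings += name.encode("ascii") + b"\0"
        entries += entry
    return bytes(entries) + strings

def dump_lx_ssdt(image, base, count=ENTRY_COUNT):
    """Return (index, name) pairs for the table at the start of `image`.
    Name is "" when the pointer is NULL or falls outside the image, and the
    walk stops early if the image is shorter than `count` items."""
    rows = []
    for idx in range(count):
        off = idx * ENTRY_SIZE
        if off + ENTRY_SIZE > len(image):
            break
        (name_va,) = struct.unpack_from("<Q", image, off + NAME_OFFSET)
        name = ""
        if name_va:
            s = name_va - base
            if 0 <= s < len(image):
                end = image.find(b"\0", s)
                name = image[s:end if end != -1 else len(image)].decode("ascii", "replace")
        rows.append((idx, name))
    return rows

if __name__ == "__main__":
    # hypothetical names, only to exercise the parser
    img = build_sample_image(LX_SSDT_VA, ["lx_read(fd, buf, len)", None, "lx_write(fd, buf, len)"])
    for idx, name in dump_lx_ssdt(img, LX_SSDT_VA):
        print("%X\t%s" % (idx, name))
```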

And the table itself: