加工厂

2020年1月13日星期一

Mini-filter的资源的引用计数的泄露一例

2: kd> g
[FltMgr] Mini-filter verification enabled for "MagicArmorDrv" filter.
FILTER VERIFIER ERROR: A filter (Filter = FFFFDE02BC2C0680 (MagicArmorDrv)) leaked references to the following resources:
00000000 Filter Context Structures
00000000 FLT_CALLBACK_DATA structures
00000000 FLT_DEFERRED_IO_WORKITEM structures
00000000 FLT_GENERIC_WORKITEM structures
00000000 FLT_FILE_NAME_INFORMATION structures
00000016 FILE_OBJECT structures
00000000 FLT_OBJECT structures
00000000 ECP context structures
Type "!fltkd.filter FFFFDE02BC2C0680 8 1" in the debugger for a list of leaked

Break, ignore, zap or remove ? b
b
Breaking in... (press g<enter> to return to assert menu)
Break instruction exception - code 80000003 (first chance)
FLTMGR!FltpvPrintErrors+0x1ed:
fffff801`4471da15 cc int 3
4: kd> !fltkd.filter FFFFDE02BC2C0680 8 1

FLT_FILTER: ffffde02bc2c0680 "MagicArmorDrv" "[ERROR READING NAME]"
InstanceList : (ffffde02bc2c06e8)
Resource (ffffde02bc2c0750) List [ffffde02bc2c0750-ffffde02bc2c0750] rCount=0
Object usage/reference information:
References to FLT_CONTEXT : 0
Allocations of FLT_CALLBACK_DATA : 0
Allocations of FLT_DEFERRED_IO_WORKITEM : 0
Allocations of FLT_GENERIC_WORKITEM : 0
References to FLT_FILE_NAME_INFORMATION : 0
Open files : 16
References to FLT_OBJECT : 0
List of objects used/referenced::
FLT_VERIFIER_OBJECT: ffffde02bea033e0
Object: ffffde02bc6497f0 Type: FILE_OBJECT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffde02bea03b00
Object: ffffde02bc6499a0 Type: FILE_OBJECT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffde02bea12c20
Object: ffffde02bc64a3c0 Type: FILE_OBJECT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffde02bea11f00
Object: ffffde02be049760 Type: FILE_OBJECT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffde02bf88f9a0
Object: ffffde02be04c850 Type: FILE_OBJECT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffde02bd4cda20
Object: ffffde02bf423140 Type: FILE_OBJECT RefCount: 00000002
FLT_VERIFIER_OBJECT: ffffde02bea04dc0
Object: ffffde02bf42f350 Type: FILE_OBJECT RefCount: 00000002
FLT_VERIFIER_OBJECT: ffffde02bea11780
Object: ffffde02bf431d80 Type: FILE_OBJECT RefCount: 00000005
FLT_VERIFIER_OBJECT: ffffde02bea12b00
Object: ffffde02bf43b560 Type: FILE_OBJECT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffde02bf87ba20
Object: ffffde02bf8ba220 Type: FILE_OBJECT RefCount: 00000001
4: kd> !fileobj ffffde02bf8ba220

Device Object: 0xffffde02b271d8f0 \Driver\cdrom
Vpb is NULL

Flags: 0x40802
Synchronous IO
Direct Device Open
Handle Created

CurrentByteOffset: 0

--------------------------------------------------------------------------------------------------

刚开始以为是：FLT_CALLBACK_DATA导致的。
又怀疑是FLT_FILE_NAME_INFORMATION导致的。

其实上面写的很清楚，是FILE_OBJECT导致的。

检查代码，上下文该释放的都释放了。
最后用代码二分屏蔽发定位到了某个函数。
看这个函数，句柄也没有泄露，该关闭的也都关闭了。

猛地看到：ZwClose，但是它的句柄是FltCreateFile获取的。
是不是这里的问题？

经过查看FltCreateFile的文档发现：
Any handle that is obtained from FltCreateFile must eventually be released by calling FltClose.

把ZwClose改为FltClose，再也没有出现这个问题了。

看来ZwClose和FltClose还是有差别的，至少在处理上下文的处理上不一样。

made by correy
https://correy.webs.com

2019年1月19日星期六

没有对应驱动文件的系统线程

/*
早在2014.10.22都已经写过一个失败的隐藏系统线程的代码.
现在看来,当时失败在函数的处理上,里面有很多无效/非法的指令.

这几天突然看到:
https://github.com/tandasat/MemoryMon.git
https://github.com/Cr4sh/DrvHide-PoC.git
来个灵感的想法,写个测试,所以有了此文.

此驱动在procexp.exe是查不到的,因为驱动加载失败.
保留搜索内存的PE特征也应该搜索不到,因为驱动加载失败.
但是procexp.exe查看system的进程的线程信息能看到,但是你找不到对应的驱动,因为驱动加载失败.
假如驱动支持卸载,让驱动启动成功,卸载函数不做任何处理,我想驱动卸载后自己的那个系统线程还会继续运行.

最后说下:
这是个小玩意,
也许对你有用,
请勿用于非法用途,
小心MemoryMon监控出.
其实线程回调也能监控出,并进程识别和阻断(自己编写杀系统线程的代码)的.

编译环境:VS2017+WDK10
测试环境:Windows 10 x64

made by correy
made at 10:38 2019/1/19
https://correy.webs.com
*/

#include <ntifs.h>
#include <windef.h>
#include <intrin.h>

#define TAG 'tset' //test


PVOID gThreadObj;


/*
这里有众多的注意事项要说明:
1.函数内不准有异常处理的函数,特别是X64.
2.编译选项要关闭/JMC.否者会出现一些怪异的函数.
3.编译选项要关闭/guard:cf
4.此函数可考虑用汇编写.
5.此函数也可考虑用ShellCode写.
6.此函数不可访问本驱动的全局变量.
7.此函数不可直接调用系统的API,可获取地址,因为导入表在本驱动.
*/
#pragma region Context code that cannot reference any exports directly
#pragma optimize("", off)
#pragma check_stack(off)
#pragma runtime_checks("", off)


KSTART_ROUTINE MyThreadStart;
VOID MyThreadStart(__in PVOID  StartContext)
/*
此函数的功能在于的你的想象.
StartContext传入的内容,你想想吧!但这必须是你申请的内存,不可使本驱动的(局部或全局)变量.
*/
{
    //LARGE_INTEGER li;

    UNREFERENCED_PARAMETER(StartContext);

    __debugbreak();

    for (;;)
    {
        /*
        这里没有加退出条件。
        */

        __debugbreak();

        //li.QuadPart = -(10000 * 3 * 1000 * 60);
        //KeDelayExecutionThread(KernelMode, FALSE, &li);
    }

    //PsTerminateSystemThread(STATUS_SUCCESS);
}


VOID MyThreadEnd(VOID)
{
    NOTHING
}


#pragma runtime_checks("", restore)
#pragma check_stack()
#pragma optimize("", on)
#pragma endregion


DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT  * DriverObject, __in PUNICODE_STRING  RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    HANDLE                hThread = 0;
    OBJECT_ATTRIBUTES    oa;
    PVOID buffer = NULL;
    ULONG bufferLength = 0;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdBreakPoint();

    bufferLength = (ULONG)((SIZE_T)MyThreadStart - (SIZE_T)MyThreadEnd);
    buffer = ExAllocatePoolWithTag(NonPagedPoolExecute, bufferLength, TAG);
    if (buffer == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    RtlZeroMemory(buffer, bufferLength);

    RtlCopyMemory(buffer, (PVOID)MyThreadStart, bufferLength);
    /*
    此时检查buffer函数中有没非法的指令,有没调用非法的函数,调用的函数中有没非法的指令.
    可以与MyThreadStart函数做个对比.
    还可以对buffer下个断点.
    */

    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    status = PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, &oa, NULL, NULL, (PKSTART_ROUTINE)buffer, NULL);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsCreateSystemThread failed.\r\n"));
        return status;
    }

    ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, NULL, KernelMode, &gThreadObj, NULL);
    ZwClose(hThread);

    return STATUS_UNSUCCESSFUL;//不返回STATUS_CANCELLED也照样能运行那个线程的代码.
}

2018年5月1日星期二

手工替换进程的令牌

标题:在内核调试器下给进程提权.

前言:
安全的一个重要话题是权限.
对于操作系统而言,其重要的安全就是两个:
1.进程(用户)自身的权限,即令牌.
2.对象自身的权限,如:文件,注册表,进程,线程,互斥体等.
3.以及和上面相关的结构.

但是对于CPU来说还有另外一个概念的权限,如:常说的ring0,cs代码段的内存的属性等.

另外还有漏洞,

另外还有网络,加密,通讯等的安全.

另外还有各种意义上的非技术的安全.

闲话不多,进入正题.

--------------------------------------------------------------------------------------------------

打开一个cmd.exe,在里面输入whoami,显示如下:
C:\Users\Administrator>whoami
desktop-aps5qst\administrator

挂上内核调试器,进行如下操作:

查看进程的令牌和system进程的令牌信息.

0: kd> vertarget
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff801`b020e000 PsLoadedModuleList = 0xfffff801`b056fff0
Debug session time: Fri Feb 23 08:55:50.166 2018 (UTC + 8:00)
System Uptime: 0 days 0:17:06.651
0: kd> dt nt!_eprocess token 
   +0x358 Token : _EX_FAST_REF
0: kd> dt _EX_FAST_REF
ntdll!_EX_FAST_REF
   +0x000 Object           : Ptr64 Void
   +0x000 RefCnt           : Pos 0, 4 Bits
   +0x000 Value            : Uint8B
0: kd> !process 0 0 system
PROCESS ffff9c804d0b9040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc201774031c0  HandleCount: 2336.
    Image: System
0: kd> dq ffff9c804d0b9040+358 L1
ffff9c80`4d0b9398  ffffc201`7741804a
0: kd> ? ffffc201`7741804a & ffffffff`fffffff0
Evaluate expression: -68163425173440 = ffffc201`77418040
0: kd> !token ffffc201`77418040
_TOKEN 0xffffc20177418040
TS Session ID: 0
User: S-1-5-18
User Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
 03 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-18
Privs: 
 02 0x000000002 SeCreateTokenPrivilege            Attributes - 
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 08 0x000000008 SeSecurityPrivilege               Attributes - 
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 10 0x00000000a SeLoadDriverPrivilege             Attributes - 
 11 0x00000000b SeSystemProfilePrivilege          Attributes - Enabled Default 
 12 0x00000000c SeSystemtimePrivilege             Attributes - 
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default 
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 16 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 17 0x000000011 SeBackupPrivilege                 Attributes - 
 18 0x000000012 SeRestorePrivilege                Attributes - 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 21 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 28 0x00000001c SeManageVolumePrivilege           Attributes - 
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 31 0x00000001f SeTrustedCredManAccessPrivilege   Attributes - 
 32 0x000000020 SeRelabelPrivilege                Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - Enabled Default 
 34 0x000000022 SeTimeZonePrivilege               Attributes - Enabled Default 
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - Enabled Default 
 36 0x000000024 SeDelegateSessionUserImpersonatePrivilege  Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x2000 ( Token in use )
Token ID: 3eb              ParentToken ID: 0
Modified ID:               (0, 3ec)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 0
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Invalid AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION with no claims
Process Token TrustLevelSid: S-1-19-1024-8192

查看cmd.exe进程的令牌信息.

0: kd> !process 0 0 cmd.exe
PROCESS ffff9c804e97f080
    SessionId: 1  Cid: 10a4    Peb: fc49f44000  ParentCid: 1224
    DirBase: 9d213000  ObjectTable: ffffc201852a6900  HandleCount:  43.
    Image: cmd.exe
0: kd> dq ffff9c804e97f080+358 L1
ffff9c80`4e97f3d8  ffffc201`80ee306b
0: kd> ? ffffc201`80ee306b & ffffffff`fffffff0
Evaluate expression: -68163262861216 = ffffc201`80ee3060
0: kd> !token ffffc201`80ee3060
_TOKEN 0xffffc20180ee3060
TS Session ID: 0x1
User: S-1-5-21-4121102992-2463281863-3266931683-500
User Groups: 
 00 S-1-5-21-4121102992-2463281863-3266931683-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-114
    Attributes - DenyOnly 
 03 S-1-5-21-4121102992-2463281863-3266931683-1000
    Attributes - Mandatory Default Enabled 
 04 S-1-5-32-544
    Attributes - DenyOnly 
 05 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 06 S-1-5-4
    Attributes - Mandatory Default Enabled 
 07 S-1-2-1
    Attributes - Mandatory Default Enabled 
 08 S-1-5-11
    Attributes - Mandatory Default Enabled 
 09 S-1-5-15
    Attributes - Mandatory Default Enabled 
 10 S-1-5-113
    Attributes - Mandatory Default Enabled 
 11 S-1-5-5-0-263777
    Attributes - Mandatory Default Enabled LogonId 
 12 S-1-2-0
    Attributes - Mandatory Default Enabled 
 13 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
 14 S-1-16-8192
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-21-4121102992-2463281863-3266931683-513
Privs: 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 34 0x000000022 SeTimeZonePrivilege               Attributes - 
Authentication ID:         (0,40725)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2a00 ( Token in use )
Token ID: 327462           ParentToken ID: 40728
Modified ID:               (0, 40731)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: (null)

最重要的一步就这一个操作:

0: kd> eq ffff9c80`4e97f3d8 ffffc201`77418040
0: kd> g

下面是验证:

C:\Users\Administrator>whoami
nt authority\system

不过,此时用procexp.exe查看,相应的conhost.exe的权限还是没有变.
而且cmd.exe的安全属性是打不开的,估计是权限不足.
注意:此时需要重新打开一下procexp.exe,否者显示的还是以前的信息.


--------------------------------------------------------------------------------------------------


参考:
https://www.anquanke.com/post/id/87292
https://blog.xpnsec.com/becoming-system/

made by correy
made at 9:32 2018/2/23
http://correy.webs.com

手工分析进程的句柄表

对象体由执行体管理
对象头由对象管理器管理器
句柄由进程的句柄表维护。

0: kd> $实验环境是：
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff803`7b41c000 PsLoadedModuleList = 0xfffff803`7b782fd0
Debug session time: Tue Mar 6 09:25:21.921 2018 (UTC + 8:00)
System Uptime: 27 days 19:47:07.599
0: kd> $文件的版本是：
0: kd> lm vm nt
Browse full module list
start end module name
fffff803`7b41c000 fffff803`7bcf1000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\9378084E8DBD4AB1A155099BCE693E341\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Mon Jan 1 19:07:05 2018 (5A4A1659)
CheckSum: 00842CC4
ImageSize: 008D5000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> $测试的进程是：
0: kd> !process 0 0 cmd.exe
PROCESS ffff8c08dc95f080
SessionId: 4 Cid: 0fdc Peb: 008ff000 ParentCid: 1934
DirBase: 1d7a00000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe

PROCESS ffff8c08d9136080
SessionId: 11 Cid: 0168 Peb: f170b88000 ParentCid: 16fc
DirBase: 112600000 ObjectTable: ffffa00a63dc1600 HandleCount: 40.
Image: cmd.exe

0: kd> $这里选定第二个。
0: kd> $另一个看法是：
0: kd> dt nt!_eprocess ffff8c08d9136080 ObjectTable
+0x418 ObjectTable : 0xffffa00a`63dc1600 _HANDLE_TABLE

句柄表的信息是：
0: kd> dt 0xffffa00a`63dc1600 nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : 0x400
+0x004 ExtraInfoPages : 0n0
+0x008 TableCode : 0xffffa00a`591d4000
+0x010 QuotaProcess : 0xffff8c08`d9136080 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY [ 0xffffa00a`74606b58 - 0xffffa00a`56527758 ]
+0x028 UniqueProcessId : 0x168
+0x02c Flags : 0x10
+0x02c StrictFIFO : 0y0
+0x02c EnableHandleExceptions : 0y0
+0x02c Rundown : 0y0
+0x02c Duplicated : 0y0
+0x02c RaiseUMExceptionOnInvalidHandleClose : 0y1
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] ""
+0x060 DebugInfo : (null)

要实现的效果是：
0: kd> !handle 0 0 0168

PROCESS ffff8c08d9136080
SessionId: 11 Cid: 0168 Peb: f170b88000 ParentCid: 16fc
DirBase: 112600000 ObjectTable: ffffa00a63dc1600 HandleCount: 40.
Image: cmd.exe

Handle table at ffffa00a63dc1600 with 40 entries in use

0004: Object: ffff8c08d7911fe0 GrantedAccess: 001f0003 (Protected) (Inherit)

0008: Object: ffff8c08d9a8b4d0 GrantedAccess: 00000001 (Inherit)

000c: Object: ffff8c08d4ae0700 GrantedAccess: 001f0003 (Protected) (Audit)

0010: Object: ffff8c08de983660 GrantedAccess: 000f00ff (Protected) (Inherit)

0014: Object: ffff8c08d509e430 GrantedAccess: 00100002

0018: Object: ffff8c08d65c3260 GrantedAccess: 00000001 (Protected) (Inherit)

001c: Object: ffff8c08d6353f30 GrantedAccess: 00100002

0020: Object: ffff8c08d50642b0 GrantedAccess: 00000001

0024: Object: ffff8c08d8e81e20 GrantedAccess: 00000804 (Protected) (Inherit) (Audit)

0028: Object: ffff8c08d78fabd0 GrantedAccess: 00000804 (Inherit)

002c: Object: ffff8c08d81c6bb0 GrantedAccess: 00000804

0030: Object: ffffa00a484f2560 GrantedAccess: 00000003 (Protected) (Inherit)

0034: Object: ffff8c08d82241f0 GrantedAccess: 001f0003 (Audit)

0038: Object: ffff8c08d7aeba60 GrantedAccess: 001f0003 (Protected) (Inherit)

003c: Object: ffff8c08d5b034b0 GrantedAccess: 00100020

0040: Object: ffff8c08d9b79e30 GrantedAccess: 0012019f

0044: Object: ffff8c08d8d678e0 GrantedAccess: 0012019f (Protected) (Inherit)

0048: Object: ffff8c08dfe92a10 GrantedAccess: 001f0001 (Inherit) (Audit)

004c: Object: ffff8c08d50d9ef0 GrantedAccess: 0012019f (Audit)

0050: Object: ffff8c08d82243b0 GrantedAccess: 0012019f

0054: Object: ffff8c08d82243b0 GrantedAccess: 0012019f

0058: Object: ffff8c08d7fcd1f0 GrantedAccess: 00000804 (Audit)

005c: Object: ffff8c08d477f070 GrantedAccess: 00000804 (Audit)

0060: Object: ffff8c08d7692080 GrantedAccess: 001f0003 (Protected) (Audit)

0064: Object: ffff8c08d5fef8a0 GrantedAccess: 000f00ff (Protected) (Inherit) (Audit)

0068: Object: ffff8c08d56f6470 GrantedAccess: 00100002 (Audit)

006c: Object: ffff8c08dbcbcbb0 GrantedAccess: 00000001

0070: Object: ffff8c08d3aa7b00 GrantedAccess: 00100002 (Protected) (Audit)

0074: Object: ffff8c08da19e7a0 GrantedAccess: 00000001 (Protected) (Inherit) (Audit)

0078: Object: ffffa00a651f3b20 GrantedAccess: 00020019 (Protected) (Inherit) (Audit)

007c: Object: ffff8c08db568700 GrantedAccess: 001fffff (Protected) (Audit)

0088: Object: ffffa00a5f9292a0 GrantedAccess: 000f003f (Protected) (Inherit) (Audit)

008c: Object: ffffa00a555e3780 GrantedAccess: 000f003f (Protected) (Audit)

0090: Object: ffffa00a62d1cf70 GrantedAccess: 00020019 (Audit)

0094: Object: ffffa00a5b95f760 GrantedAccess: 00020019 (Protected) (Inherit)

0098: Object: ffffa00a6f835950 GrantedAccess: 00020019 (Inherit)

009c: Object: ffff8c08d5ca9070 GrantedAccess: 00000804 (Audit)

00a0: Object: ffffa00a627c16c0 GrantedAccess: 00000001 (Protected)

00a4: Object: ffffa00a59d39880 GrantedAccess: 00020019 (Protected) (Audit)

00a8: Object: ffff8c08dba217c0 GrantedAccess: 00120089 (Protected)

也就是要手工实现/分析出这个命令的效果。
有时候仅仅这一个命令就够了，但是有时候，需要更详细的分析，会有更多/更深的用途。

--------------------------------------------------------------------------------------------------
先熟悉两个结构的信息：

nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : Uint4B
+0x004 ExtraInfoPages : Int4B
+0x008 TableCode : Uint8B
+0x010 QuotaProcess : Ptr64 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY
+0x028 UniqueProcessId : Uint4B
+0x02c Flags : Uint4B
+0x02c StrictFIFO : Pos 0, 1 Bit
+0x02c EnableHandleExceptions : Pos 1, 1 Bit
+0x02c Rundown : Pos 2, 1 Bit
+0x02c Duplicated : Pos 3, 1 Bit
+0x02c RaiseUMExceptionOnInvalidHandleClose : Pos 4, 1 Bit
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] UChar
+0x060 DebugInfo : Ptr64 _HANDLE_TRACE_DEBUG_INFO

0: kd> dt nt!_object_header
+0x000 PointerCount : Int8B
+0x008 HandleCount : Int8B
+0x008 NextToFree : Ptr64 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : UChar
+0x019 TraceFlags : UChar
+0x019 DbgRefTrace : Pos 0, 1 Bit
+0x019 DbgTracePermanent : Pos 1, 1 Bit
+0x01a InfoMask : UChar
+0x01b Flags : UChar
+0x01b NewObject : Pos 0, 1 Bit
+0x01b KernelObject : Pos 1, 1 Bit
+0x01b KernelOnlyAccess : Pos 2, 1 Bit
+0x01b ExclusiveObject : Pos 3, 1 Bit
+0x01b PermanentObject : Pos 4, 1 Bit
+0x01b DefaultSecurityQuota : Pos 5, 1 Bit
+0x01b SingleHandleEntry : Pos 6, 1 Bit
+0x01b DeletedInline : Pos 7, 1 Bit
+0x01c Reserved : Uint4B
+0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : Ptr64 Void
+0x028 SecurityDescriptor : Ptr64 Void
+0x030 Body : _QUAD
0: kd> ?? sizeof(nt!_object_header)
unsigned int64 0x38

因为nt!_object_header包含Body成员信息，所以nt!_object_header的大小为0x030。

0: kd> ?? sizeof(nt!_HANDLE_TABLE_ENTRY)
unsigned int64 0x10

注意：以上结构，你应该能看到位成员的信息，如果又联合还应看到联合成员的信息。

--------------------------------------------------------------------------------------------------

注意：_HANDLE_TABLE的TableCode的信息实际是PHANDLE_TABLE_ENTRY，而且最低的几位是几维数组的标志。
这里是0，说明这就是HANDLE_TABLE_ENTRY的数组的第一个元素。
不过第一个元素始终为空，见各种书籍的说明。
之所以这样设计是因为句柄为0的是无效的吧！

_HANDLE_TABLE的TableCode的信息实际是PHANDLE_TABLE_ENTRY，这句话的证据的是：见ExpAllocateHandleTable的函数。

0: kd> dq 0xffffa00a`591d4000
ffffa00a`591d4000 00000000`00000000 00000000`00000000
ffffa00a`591d4010 8c08d791`1fb0fffb 00000000`001f0003
ffffa00a`591d4020 8c08d9a8`b4a0fffd 00000000`00000001
ffffa00a`591d4030 8c08d4ae`06d0fff7 00000000`001f0003
ffffa00a`591d4040 8c08de98`3630fff9 00000000`000f00ff
ffffa00a`591d4050 8c08d509`e400fffd 00000000`00100002
ffffa00a`591d4060 8c08d65c`3230fffd 00000000`00000001
ffffa00a`591d4070 8c08d635`3f00fffd 00000000`00100002
注意：这个到底有多少个有效的呢？
WIN7的_HANDLE_TABLE有个成员叫HandleCount,但是win10没有。
其实dq的命令的地址的后面加个参数，就是显示的长度，尽量长些，但是不超过NextHandleNeedingPool。
可以发现，dq的第一个64位的值位0就是为空，就是无效的句柄。

注意：
1.句柄是按照数组的位置来计算的，具体的算法相信你应该领会，但是还是看WRK的代码为好。
2.句柄不一定是连续的，只要第一个64位不为空，就是有效的句柄，数组的大小不超过NextHandleNeedingPool。

从这里也能看到一些信息，如准许的权限等。
注意第一个是空的。

0: kd> dt nt!_HANDLE_TABLE_ENTRY ffffa00a`591d4010
+0x000 VolatileLowValue : 0n-8356192090284032005
+0x000 LowValue : 0n-8356192090284032005
+0x000 InfoTable : 0x8c08d791`1fb0fffb _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : 0n2031619
+0x008 NextFreeHandleEntry : 0x00000000`001f0003 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : 0n-8356192090284032005
+0x000 Unlocked : 0y1
+0x000 RefCnt : 0y0111111111111101 (0x7ffd)
+0x000 Attributes : 0y000
+0x000 ObjectPointerBits : 0y10001100000010001101011110010001000111111011 (0x8c08d7911fb)
+0x008 GrantedAccessBits : 0y0000111110000000000000011 (0x1f0003)
+0x008 NoRightsUpgrade : 0y0
+0x008 Spare1 : 0y000000 (0)
+0x00c Spare2 : 0
0: kd> dt nt!_HANDLE_TABLE_ENTRY_INFO
+0x000 AuditMask : Uint4B
+0x004 MaxRelativeAccessMask : Uint4B
0: kd> dt nt!_EXHANDLE
+0x000 TagBits : Pos 0, 2 Bits
+0x000 Index : Pos 2, 30 Bits
+0x000 GenericHandleOverlay : Ptr64 Void
+0x000 Value : Uint8B

注意：
0x8c08d7911fb
ffff8c08d7911fe0
最后一个补0，高位补f,还差0x30

0: kd> !object ffff8c08d7911fe0
Object: ffff8c08d7911fe0 Type: (ffff8c08d32ecdb0) Event
ObjectHeader: ffff8c08d7911fb0 (new version)
HandleCount: 1 PointerCount: 32768

0: kd> dt nt!_HANDLE_TABLE_ENTRY ffffa00a`591d4020
+0x000 VolatileLowValue : 0n-8356189789977772035
+0x000 LowValue : 0n-8356189789977772035
+0x000 InfoTable : 0x8c08d9a8`b4a0fffd _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : 0n1
+0x008 NextFreeHandleEntry : 0x00000000`00000001 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : 0n-8356189789977772035
+0x000 Unlocked : 0y1
+0x000 RefCnt : 0y0111111111111110 (0x7ffe)
+0x000 Attributes : 0y000
+0x000 ObjectPointerBits : 0y10001100000010001101100110101000101101001010 (0x8c08d9a8b4a)
+0x008 GrantedAccessBits : 0y0000000000000000000000001 (0x1)
+0x008 NoRightsUpgrade : 0y0
+0x008 Spare1 : 0y000000 (0)
+0x00c Spare2 : 0

0: kd> dt nt!_HANDLE_TABLE_ENTRY
+0x000 VolatileLowValue : Int8B
+0x000 LowValue : Int8B
+0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : Int8B
+0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : Int8B
+0x000 Unlocked : Pos 0, 1 Bit
+0x000 RefCnt : Pos 1, 16 Bits
+0x000 Attributes : Pos 17, 3 Bits
+0x000 ObjectPointerBits : Pos 20, 44 Bits
+0x008 GrantedAccessBits : Pos 0, 25 Bits
+0x008 NoRightsUpgrade : Pos 25, 1 Bit
+0x008 Spare1 : Pos 26, 6 Bits
+0x00c Spare2 : Uint4B
注意：位和联合的定义。

--------------------------------------------------------------------------------------------------

注意：WRK还顶一个系统进程的句柄表，可以说是内核的全局的句柄表，专用于内核的句柄的。
0: kd> x nt!ObpKernelHandleTable
fffff803`7b780ce0 nt!ObpKernelHandleTable = <no type information>

made by correy
made at 10:36 2018/3/8
http://correy.webs.com

枚举ObRegisterCallbacks注册的信息

2: kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType)
+0x000 TypeList : _LIST_ENTRY [ 0xffff8481`f02d7350 - 0xffff8481`f02d7350 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x3f
+0x030 TotalNumberOfHandles : 0x20a
+0x034 HighWaterNumberOfObjects : 0x51
+0x038 HighWaterNumberOfHandles : 0x25c
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffcf0d`19f25b90 - 0xffffcf0d`19f25b90 ]

这个CallbackList链表的前后节点都一样,我还以为是空呢?

2: kd> dps ffffcf0d`19f25b90
ffffcf0d`19f25b90 ffff8481`f02d7418 这个和下面的一样,可以考虑是LIST_ENTRY
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003 后面的3是Operations
ffffcf0d`19f25ba8 ffffcf0d`19f25b70 又是一个结构
ffffcf0d`19f25bb0 ffff8481`f02d7350 是PsProcessType
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000 未知,补充,保留
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003 后面的3是Operations
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0 是PsThreadType
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
2: kd> !object ffff8481`f02d7350
Object: ffff8481f02d7350 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02d7320 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Process
2: kd> !object ffff8481`f02c7ac0
Object: ffff8481f02c7ac0 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02c7a90 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Thread
2: kd> dps ffffcf0d`19f25b70 L20
ffffcf0d`19f25b70 00000000`00020100
ffffcf0d`19f25b78 fffff802`425f50b0 ObCallbackTest!CBCallbackRegistration
ffffcf0d`19f25b80 00000000`00080008
ffffcf0d`19f25b88 ffffcf0d`19f25c10
ffffcf0d`19f25b90 ffff8481`f02d7418
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003
ffffcf0d`19f25ba8 ffffcf0d`19f25b70
ffffcf0d`19f25bb0 ffff8481`f02d7350
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
ffffcf0d`19f25c10 00300030`00300031
ffffcf0d`19f25c18 00000012`00000201
ffffcf0d`19f25c20 3066744e`0303030c
ffffcf0d`19f25c28 07be696e`a40c5c62
ffffcf0d`19f25c30 ffffcf0d`18bec700
ffffcf0d`19f25c38 ffffcf0d`19f8e430
ffffcf0d`19f25c40 00000064`04d44d5b
ffffcf0d`19f25c48 00000073`006c006f
ffffcf0d`19f25c50 6e664d46`03160303
ffffcf0d`19f25c58 07be696e`a40c5c12
ffffcf0d`19f25c60 00000000`0150f204
ffffcf0d`19f25c68 00000000`00000000

typedef struct _CALLBACK_ENTRY_ITEM {
LIST_ENTRY EntryItemList;
OB_OPERATION Operations;
CALLBACK_ENTRY* CallbackEntry; // Points to the CALLBACK_ENTRY which we use for ObUnRegisterCallback
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
__int64 unk;
}CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;

typedef struct _CALLBACK_ENTRY{
__int16 Version;
char buffer1[6];
POB_OPERATION_REGISTRATION RegistrationContext;
__int16 AltitudeLength1;
__int16 AltitudeLength2;
char buffer2[4];
WCHAR* AltitudeString;
CALLBACK_ENTRY_ITEM Items; // Is actually an array of CALLBACK_ENTRY_ITEMs that are also in a doubly linked list
}CALLBACK_ENTRY, *PCALLBACK_ENTRY;

https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
https://www.unknowncheats.me/forum/dayz-sa/166167-douggem-_callback_entry-rebuilding.html

2018年4月28日星期六

minifilter驱动的静态分析

前言：

有不少的minifilter驱动是可以用IDA静态分析的，但是如何分析呢？
做过minifilter驱动的都知道FltRegisterFilter的第二个参数是关键。

如果分析呢？也就是如何定义这个参数的类型呢？
思路有三：
1.导入头文件，这个最省事，但是也容易出错。
2.那就自己写个头文件，然后导入，这也不少费事，但成功率比较高，还通用。
3.那就是自己在IDA中手动定义/添加结构，这个比较复杂，不通用，别的工程还得重复这样做。

其实还有一种办法，就是本文的，比较省事，但是不通用。
前提是你知道这些数据结构。

怎么做呢？
这就有用一个实例演示下。

怎么演示呢？
实际分析的SYS是没有符号的而且是经过优化的发行版。
这里以一个调试版，且有符号的和一个发行版且没有符号文件的对比做演示。
选用的工程是WDK的ctx工程，之所以选择这个，是因为它比较全，有上下文的处理。

下面正式开始：

--------------------------------------------------------------------------------------------------

首先找到驱动入口的FltRegisterFilter函数，点击第二个参数，进去是这样的：
.data:00000001400030A0 unk_1400030A0 db 70h ; p ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A1 db 0
.data:00000001400030A2 db 3
.data:00000001400030A3 db 2
.data:00000001400030A4 db 0
.data:00000001400030A5 db 0
.data:00000001400030A6 db 0
.data:00000001400030A7 db 0
.data:00000001400030A8 dq offset unk_1400020F0
.data:00000001400030B0 dq offset unk_140003000
.data:00000001400030B8 dq offset sub_140005458
.data:00000001400030C0 dq offset sub_1400054F0
.data:00000001400030C8 dq offset sub_1400055E4
.data:00000001400030D0 dq offset nullsub_2
.data:00000001400030D8 dq offset sub_1400055EC
.data:00000001400030E0 db 0
.data:00000001400030E1 db 0
.data:00000001400030E2 db 0
.data:00000001400030E3 db 0
.data:00000001400030E4 db 0
.data:00000001400030E5 db 0
.data:00000001400030E6 db 0
.data:00000001400030E7 db 0
.data:00000001400030E8 db 0
.data:00000001400030E9 db 0
.data:00000001400030EA db 0
.data:00000001400030EB db 0
.data:00000001400030EC db 0
.data:00000001400030ED db 0
.data:00000001400030EE db 0
.data:00000001400030EF db 0
.data:00000001400030F0 db 0
.data:00000001400030F1 db 0
.data:00000001400030F2 db 0
.data:00000001400030F3 db 0
.data:00000001400030F4 db 0
.data:00000001400030F5 db 0
.data:00000001400030F6 db 0
.data:00000001400030F7 db 0
.data:00000001400030F8 db 0
.data:00000001400030F9 db 0
.data:00000001400030FA db 0
.data:00000001400030FB db 0
.data:00000001400030FC db 0
.data:00000001400030FD db 0
.data:00000001400030FE db 0
.data:00000001400030FF db 0
.data:0000000140003100 db 0
.data:0000000140003101 db 0
.data:0000000140003102 db 0
.data:0000000140003103 db 0
.data:0000000140003104 db 0
.data:0000000140003105 db 0
.data:0000000140003106 db 0
.data:0000000140003107 db 0
.data:0000000140003108 db 0
.data:0000000140003109 db 0
.data:000000014000310A db 0
.data:000000014000310B db 0
.data:000000014000310C db 0
.data:000000014000310D db 0
.data:000000014000310E db 0
.data:000000014000310F db 0

但是，你在debug版本且带有符号文件的情况下，你会看到变量的名字，点击这个变量，你会看到这个全局的数据结构变量的解释。
这就是差别啊！
无奈我们没有符号文件且不是调试版本，假定如此，所以我们只能苦逼继续。

此时，我们可以根据工程找到FLT_REGISTRATION的定义，根据这个定义，我们可以重新定义/修改上面的数据如下：
.data:00000001400030A0 word_1400030A0 dw 70h ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A0 ; Size
.data:00000001400030A2 dw 203h ; Version 这个可以决定这个数据结构的大小，这个数据结构后面有几个扩展选项。
.data:00000001400030A4 dd 0 ; Flags 这个也有几个选项，不言了，你细看，深入探索。
.data:00000001400030A8 dq offset ContextRegistration ; 这里直接给这几个函数或成员改名。
.data:00000001400030B0 dq offset OperationRegistration
.data:00000001400030B8 dq offset FilterUnloadCallback
.data:00000001400030C0 dq offset InstanceSetupCallback
.data:00000001400030C8 dq offset InstanceQueryTeardownCallback
.data:00000001400030D0 dq offset InstanceTeardownStartCallback
.data:00000001400030D8 dq offset InstanceTeardownCompleteCallback
.data:00000001400030E0 dq 0 ; 这几个直接改变成员的类型/大小。
.data:00000001400030E8 dq 0
.data:00000001400030F0 dq 0
.data:00000001400030F8 dq 0
.data:0000000140003100 dq 0
.data:0000000140003108 dq 0
注意：
技巧：
1.点击一个数据，不停的按d直到切换到你选中的数据。
2.按;可以天机注释。
3.还可以给word_1400030A0这个变量改个名字，如：Registration 。

--------------------------------------------------------------------------------------------------

双击ContextRegistration，进入，得到如下界面：
.rdata:00000001400020F0 ContextRegistration db 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F1 db 0
.rdata:00000001400020F2 db 0
.rdata:00000001400020F3 db 0
.rdata:00000001400020F4 db 0
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset sub_140005478
.rdata:0000000140002100 db 20h
.rdata:0000000140002101 db 0
.rdata:0000000140002102 db 0
.rdata:0000000140002103 db 0
.rdata:0000000140002104 db 0
.rdata:0000000140002105 db 0
.rdata:0000000140002106 db 0
.rdata:0000000140002107 db 0
.rdata:0000000140002108 db 43h ; C
.rdata:0000000140002109 db 78h ; x
.rdata:000000014000210A db 49h ; I
.rdata:000000014000210B db 63h ; c
.rdata:000000014000210C db 0
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 db 0
.rdata:0000000140002111 db 0
.rdata:0000000140002112 db 0
.rdata:0000000140002113 db 0
.rdata:0000000140002114 db 0
.rdata:0000000140002115 db 0
.rdata:0000000140002116 db 0
.rdata:0000000140002117 db 0
.rdata:0000000140002118 db 0
.rdata:0000000140002119 db 0
.rdata:000000014000211A db 0
.rdata:000000014000211B db 0
.rdata:000000014000211C db 0
.rdata:000000014000211D db 0
.rdata:000000014000211E db 0
.rdata:000000014000211F db 0
.rdata:0000000140002120 db 0
.rdata:0000000140002121 db 0
.rdata:0000000140002122 db 0
.rdata:0000000140002123 db 0
.rdata:0000000140002124 db 0
.rdata:0000000140002125 db 0
.rdata:0000000140002126 db 0
.rdata:0000000140002127 db 0
.rdata:0000000140002128 db 4
.rdata:0000000140002129 db 0
.rdata:000000014000212A db 0
.rdata:000000014000212B db 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset sub_140005478
.rdata:0000000140002138 db 10h
.rdata:0000000140002139 db 0
.rdata:000000014000213A db 0
.rdata:000000014000213B db 0
.rdata:000000014000213C db 0
.rdata:000000014000213D db 0
.rdata:000000014000213E db 0
.rdata:000000014000213F db 0
.rdata:0000000140002140 db 43h ; C
.rdata:0000000140002141 db 78h ; x
.rdata:0000000140002142 db 46h ; F
.rdata:0000000140002143 db 63h ; c
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 db 0
.rdata:0000000140002149 db 0
.rdata:000000014000214A db 0
.rdata:000000014000214B db 0
.rdata:000000014000214C db 0
.rdata:000000014000214D db 0
.rdata:000000014000214E db 0
.rdata:000000014000214F db 0
.rdata:0000000140002150 db 0
.rdata:0000000140002151 db 0
.rdata:0000000140002152 db 0
.rdata:0000000140002153 db 0
.rdata:0000000140002154 db 0
.rdata:0000000140002155 db 0
.rdata:0000000140002156 db 0
.rdata:0000000140002157 db 0
.rdata:0000000140002158 db 0
.rdata:0000000140002159 db 0
.rdata:000000014000215A db 0
.rdata:000000014000215B db 0
.rdata:000000014000215C db 0
.rdata:000000014000215D db 0
.rdata:000000014000215E db 0
.rdata:000000014000215F db 0
.rdata:0000000140002160 db 8
.rdata:0000000140002161 db 0
.rdata:0000000140002162 db 0
.rdata:0000000140002163 db 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset sub_140005478
.rdata:0000000140002170 db 28h ; (
.rdata:0000000140002171 db 0
.rdata:0000000140002172 db 0
.rdata:0000000140002173 db 0
.rdata:0000000140002174 db 0
.rdata:0000000140002175 db 0
.rdata:0000000140002176 db 0
.rdata:0000000140002177 db 0
.rdata:0000000140002178 db 43h ; C
.rdata:0000000140002179 db 78h ; x
.rdata:000000014000217A db 53h ; S
.rdata:000000014000217B db 63h ; c
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 db 0
.rdata:0000000140002181 db 0
.rdata:0000000140002182 db 0
.rdata:0000000140002183 db 0
.rdata:0000000140002184 db 0
.rdata:0000000140002185 db 0
.rdata:0000000140002186 db 0
.rdata:0000000140002187 db 0
.rdata:0000000140002188 db 0
.rdata:0000000140002189 db 0
.rdata:000000014000218A db 0
.rdata:000000014000218B db 0
.rdata:000000014000218C db 0
.rdata:000000014000218D db 0
.rdata:000000014000218E db 0
.rdata:000000014000218F db 0
.rdata:0000000140002190 db 0
.rdata:0000000140002191 db 0
.rdata:0000000140002192 db 0
.rdata:0000000140002193 db 0
.rdata:0000000140002194 db 0
.rdata:0000000140002195 db 0
.rdata:0000000140002196 db 0
.rdata:0000000140002197 db 0
.rdata:0000000140002198 db 10h
.rdata:0000000140002199 db 0
.rdata:000000014000219A db 0
.rdata:000000014000219B db 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset sub_140005478
.rdata:00000001400021A8 db 18h
.rdata:00000001400021A9 db 0
.rdata:00000001400021AA db 0
.rdata:00000001400021AB db 0
.rdata:00000001400021AC db 0
.rdata:00000001400021AD db 0
.rdata:00000001400021AE db 0
.rdata:00000001400021AF db 0
.rdata:00000001400021B0 db 43h ; C
.rdata:00000001400021B1 db 78h ; x
.rdata:00000001400021B2 db 48h ; H
.rdata:00000001400021B3 db 63h ; c
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 db 0
.rdata:00000001400021B9 db 0
.rdata:00000001400021BA db 0
.rdata:00000001400021BB db 0
.rdata:00000001400021BC db 0
.rdata:00000001400021BD db 0
.rdata:00000001400021BE db 0
.rdata:00000001400021BF db 0
.rdata:00000001400021C0 db 0
.rdata:00000001400021C1 db 0
.rdata:00000001400021C2 db 0
.rdata:00000001400021C3 db 0
.rdata:00000001400021C4 db 0
.rdata:00000001400021C5 db 0
.rdata:00000001400021C6 db 0
.rdata:00000001400021C7 db 0
.rdata:00000001400021C8 db 0
.rdata:00000001400021C9 db 0
.rdata:00000001400021CA db 0
.rdata:00000001400021CB db 0
.rdata:00000001400021CC db 0
.rdata:00000001400021CD db 0
.rdata:00000001400021CE db 0
.rdata:00000001400021CF db 0
.rdata:00000001400021D0 db 0FFh
.rdata:00000001400021D1 db 0FFh
.rdata:00000001400021D2 db 0
.rdata:00000001400021D3 db 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 db 0
.rdata:00000001400021D9 db 0
.rdata:00000001400021DA db 0
.rdata:00000001400021DB db 0
.rdata:00000001400021DC db 0
.rdata:00000001400021DD db 0
.rdata:00000001400021DE db 0
.rdata:00000001400021DF db 0
.rdata:00000001400021E0 db 0
.rdata:00000001400021E1 db 0
.rdata:00000001400021E2 db 0
.rdata:00000001400021E3 db 0
.rdata:00000001400021E4 db 0
.rdata:00000001400021E5 db 0
.rdata:00000001400021E6 db 0
.rdata:00000001400021E7 db 0
.rdata:00000001400021E8 db 0
.rdata:00000001400021E9 db 0
.rdata:00000001400021EA db 0
.rdata:00000001400021EB db 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 db 0
.rdata:00000001400021F1 db 0
.rdata:00000001400021F2 db 0
.rdata:00000001400021F3 db 0
.rdata:00000001400021F4 db 0
.rdata:00000001400021F5 db 0
.rdata:00000001400021F6 db 0
.rdata:00000001400021F7 db 0
.rdata:00000001400021F8 db 0
.rdata:00000001400021F9 db 0
.rdata:00000001400021FA db 0
.rdata:00000001400021FB db 0
.rdata:00000001400021FC db 0
.rdata:00000001400021FD db 0
.rdata:00000001400021FE db 0
.rdata:00000001400021FF db 0
.rdata:0000000140002200 db 0
.rdata:0000000140002201 db 0
.rdata:0000000140002202 db 0
.rdata:0000000140002203 db 0
.rdata:0000000140002204 db 0
.rdata:0000000140002205 db 0
.rdata:0000000140002206 db 0
.rdata:0000000140002207 db 0
.rdata:0000000140002208 db 0
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0

熟悉minifilter编程的人都知道，这是一个FLT_CONTEXT_REGISTRATION的数组，数组的最后一个成员是FLT_CONTEXT_END。
这个结构有8个成员，而实际经常使用的有5个。认真和有留意的人是会发现的。
经过整理和分析后，可以变为下面的样子：
.rdata:00000001400020F0 ContextRegistration dw 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F0 ; ContextType == FLT_INSTANCE_CONTEXT
.rdata:00000001400020F2 dw 0 ; Flags
.rdata:00000001400020F4 db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset ContextCleanupCallback
.rdata:0000000140002100 dq 20h ; Size
.rdata:0000000140002108 dd 'cIxC' ; PoolTag
.rdata:000000014000210C db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 dq 0 ; ContextAllocateCallback
.rdata:0000000140002118 dq 0 ; ContextFreeCallback
.rdata:0000000140002120 dq 0 ; Reserved1
.rdata:0000000140002128 dw 4 ; ContextType == FLT_FILE_CONTEXT
.rdata:000000014000212A dw 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset ContextCleanupCallback
.rdata:0000000140002138 dq 10h
.rdata:0000000140002140 dd 'cFxC'
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 dq 0
.rdata:0000000140002150 dq 0
.rdata:0000000140002158 dq 0
.rdata:0000000140002160 dw 8 ; ContextType == FLT_STREAM_CONTEXT
.rdata:0000000140002162 dw 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset ContextCleanupCallback
.rdata:0000000140002170 dq 28h
.rdata:0000000140002178 dd 'cSxC'
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 dq 0
.rdata:0000000140002188 dq 0
.rdata:0000000140002190 dq 0
.rdata:0000000140002198 dw 10h ; ContextType == FLT_STREAMHANDLE_CONTEXT
.rdata:000000014000219A dw 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset ContextCleanupCallback
.rdata:00000001400021A8 dq 18h
.rdata:00000001400021B0 dd 'cHxC'
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 dq 0
.rdata:00000001400021C0 dq 0
.rdata:00000001400021C8 dq 0
.rdata:00000001400021D0 dw 0FFFFh ; 结束标记：FLT_CONTEXT_END
.rdata:00000001400021D2 dw 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 dq 0
.rdata:00000001400021E0 dq 0
.rdata:00000001400021E8 dd 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 dq 0
.rdata:00000001400021F8 dq 0
.rdata:0000000140002200 dq 0
.rdata:0000000140002208 db 0 ; 结束，后面是多余的，对齐。
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0

--------------------------------------------------------------------------------------------------

双击OperationRegistration，进入如下界面：
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003001 db 0
.data:0000000140003002 db 0
.data:0000000140003003 db 0
.data:0000000140003004 db 1
.data:0000000140003005 db 0
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset InstanceQueryTeardownCallback
.data:0000000140003010 dq offset sub_140005614
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h
.data:0000000140003021 db 0
.data:0000000140003022 db 0
.data:0000000140003023 db 0
.data:0000000140003024 db 1
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset sub_140005940
.data:0000000140003030 align 20h
.data:0000000140003040 db 2
.data:0000000140003041 db 0
.data:0000000140003042 db 0
.data:0000000140003043 db 0
.data:0000000140003044 db 1
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset sub_1400059B4
.data:0000000140003050 align 20h
.data:0000000140003060 db 6
.data:0000000140003061 db 0
.data:0000000140003062 db 0
.data:0000000140003063 db 0
.data:0000000140003064 db 1
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset sub_140005A28
.data:0000000140003070 dq offset sub_1400057A8
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; €
.data:0000000140003081 db 0
.data:0000000140003082 db 0
.data:0000000140003083 db 0
.data:0000000140003084 db 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 db 0
.data:0000000140003089 db 0
.data:000000014000308A db 0
.data:000000014000308B db 0
.data:000000014000308C db 0
.data:000000014000308D db 0
.data:000000014000308E db 0
.data:000000014000308F db 0
.data:0000000140003090 db 0
.data:0000000140003091 db 0
.data:0000000140003092 db 0
.data:0000000140003093 db 0
.data:0000000140003094 db 0
.data:0000000140003095 db 0
.data:0000000140003096 db 0
.data:0000000140003097 db 0
.data:0000000140003098 db 0
.data:0000000140003099 db 0
.data:000000014000309A db 0
.data:000000014000309B db 0
.data:000000014000309C db 0
.data:000000014000309D db 0
.data:000000014000309E db 0
.data:000000014000309F db 0

熟悉minifilter编程的人都知道，这是一个FLT_OPERATION_REGISTRATION的数组，最后一项是IRP_MJ_OPERATION_END。
经过整理和分析后，可以变为下面的样子：
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003000 ; MajorFunction == IRP_MJ_CREATE
.data:0000000140003001 dd 1000000h ; Flags
.data:0000000140003005 db 0 ; 数据结构成员的内存地址的对齐/填充。
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset PreCreate
.data:0000000140003010 dq offset PostCreate
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h ; MajorFunction == IRP_MJ_CLEANUP
.data:0000000140003021 dd 1000000h
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset PreCleanUp
.data:0000000140003030 align 20h ; 这个隐藏了两个成员。
.data:0000000140003040 db 2 ; MajorFunction == IRP_MJ_CLOSE
.data:0000000140003041 dd 1000000h
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset PreClose
.data:0000000140003050 align 20h
.data:0000000140003060 db 6 ; MajorFunction == IRP_MJ_SET_INFORMATION
.data:0000000140003061 dd 1000000h
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset PreSetInfo
.data:0000000140003070 dq offset PostSetInfo
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; € ; 结束标记：IRP_MJ_OPERATION_END
.data:0000000140003081 dd 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 dq 0
.data:0000000140003090 dq 0
.data:0000000140003098 dq 0

--------------------------------------------------------------------------------------------------

至此，可以告一个段落。
下一步就是根据这里分析出的函数，定义这些函数的类型，甚至是参数的个数（如IDA分析x64程序），特别是参数的类型。
因为发行版经常没有符号文件，有好些系统经常用的数据结构IDA没有解析出，如文件过滤驱动的minifilter和网络过滤驱动的WFP。

made by correy
made at 15:40 2018/4/28
http://correy.webs.com

订阅：博文 (Atom)