“Descriptor tables in kernel exploitation” – a new article

Published on January 16, 2010

Hi there!

Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, exemplary source code snippets are available (attached to the document), so that the reader can check their effectiveness on his own.

I would like to say THANK YOU to Unavowed and Agnieszka Zerka for their comments and help in the process of assembling this publication.

A complete package, including a PDF file “GDT and LDT in Windows kernel vulnerability exploitation” (with the source.zip file enclosed to the paper) can be downloaded from here (682 kB).

Content:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments

Have fun && Leave your comments!

Filed in Assembler, C, Cpp, OS Internals, Programming, Ring0, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel, rootkit | 3 replies

x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)

Published on January 4, 2010

What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here. The post presented today aims to describe various ways of obtaining kernel-mode addresses from the user-mode (application) level.

One could ask, what would we want to retrieve any internal system addresses for. Well, it is indeed a very good question – as for me, the kernel addresses become most useful in the vulnerability exploitation process. Since a majority of bugs found in device drivers belong, directly (pointer validation) or indirectly (pool buffer overflow), to the write-what-where condition family, one must know the exact address to be overwritten before performing the operation. This basically means that the more information about kernel memory layout we can gather, the more stable and effective attacks can be conducted.

The idea I am writing about is not new, for sure. A great part of kernel exploits programmers has already used such techniques in their source code. However, I haven’t ever found any publication that would thoroughly describe every possible vector of obtaining somewhat “sensitive” kernel data (addresses) from within user-mode. Hence, I would like to present a short introduction of each method I could think of – a longer article will presumably be released within a few days. Huh, let’s get to the point, already!

NtQuerySystemInformation function

Before trying to retrieve any information from the kernel, one should firstly realize, what are the possible “communication channels”, that could be used to get the desired data from. The most basic method division could look like this:

  • Kernel communication – calling some of the exported system routines and receive the data we are interested in, through the output buffer
  • Processor communication – directly using some of the processor characteristics (i.e. instruction set) in order to query for some processor-specific values that the system is obliged to fill.

All in all, the kernel isn’t meant to release too much information about itself to the user (since every leaked piece of data could potentially help the attacker to hack the machine); due to this fact, there are special routines designed to handle queries about the system state, configuration etc. As it turns out, these system calls (named NtQuery*Information) can provide very miscellaneous kinds of information that not every low-level coder is aware of. I strongly advice you to take a look and test the functions below, using many different arguments:

Even thought these syscalls are either documented very poorly or not documented at all, some independent researchers have already managed to describe a great part of them – their work is publicly available, for example here. For our purposes (global system info), the last function on the list seems to be the most useful one – it is, indeed. As one can see, the first routine parameter is _SYSTEM_INFORMATION_CLASS – a single enum containing all the possible request types, shown below:

typedef enum _SYSTEM_INFORMATION_CLASS {
SystemInformationClassMin = 0,
SystemBasicInformation = 0,
SystemProcessorInformation = 1,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemPathInformation = 4,
SystemNotImplemented1 = 4,
SystemProcessInformation = 5,
SystemProcessesAndThreadsInformation = 5,
SystemCallCountInfoInformation = 6,
SystemCallCounts = 6,
SystemDeviceInformation = 7,
SystemConfigurationInformation = 7,
SystemProcessorPerformanceInformation = 8,
SystemProcessorTimes = 8,
SystemFlagsInformation = 9,
SystemGlobalFlag = 9,
SystemCallTimeInformation = 10,
SystemNotImplemented2 = 10,
SystemModuleInformation = 11,
SystemLocksInformation = 12,
SystemLockInformation = 12,
SystemStackTraceInformation = 13,
SystemNotImplemented3 = 13,
SystemPagedPoolInformation = 14,
SystemNotImplemented4 = 14,
SystemNonPagedPoolInformation = 15,
SystemNotImplemented5 = 15,
SystemHandleInformation = 16,
SystemObjectInformation = 17,
SystemPageFileInformation = 18,
SystemPagefileInformation = 18,
SystemVdmInstemulInformation = 19,
SystemInstructionEmulationCounts = 19,
SystemVdmBopInformation = 20,
(...)
} SYSTEM_INFORMATION_CLASS;

(you can find the complete definition in the standard ddk\ntapi.h header file). As the name implies, there are really plenty of information to get – the only thing required is the knowledge of how to the input/output structures for each request looks like. At this point, we are particularly interested in three query types – SystemModuleInformation, SystemHandleInformation and SystemLocksInformation. Moreover, SystemObjectInformation could be also useful, under specific circumstances. Let’s go through these requests and find out, what information can we get.

SystemModuleInformation

As far as my observations go, this request is the most commonly used type, across kernel-mode exploits. To understand why, one should first take a look at what this operation returns:

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
ULONG     Unknown1;
ULONG     Unknown2;
PVOID  Base;
ULONG  Size;
ULONG  Flags;
USHORT  Index;
/* Length of module name not including the path, this
field contains valid value only for NTOSKRNL module */
USHORT    NameLength;
USHORT  LoadCount;
USHORT  PathLength;
CHAR  ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG  Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

What the listing presents is a main structure, containing the number of module information entries returned. Right after this value, Count SYSTEM_MODULE_INFORMATION_ENTRY structures follow, each containing information about one, specific executable image, loaded inside the kernel-mode address space.

As the names themselves suggest, after calling NtQuerySystemInformation(SystemModuleInformation,…) and passing a properly-sized buffer, the application obtains the Name, ImageBase and ImageSize of every single device driver (excluding those that are hidden by rootkits, of course ;) ). This includes the very first Windows kernel images like ntosknrl.exe (or other types of the system core), HAL.dll (hardware support), win32k.sys (std graphic device driver) and so on. Because of the fact that most write-what-where attacks are based on modyfing the ntosknrl.exe memory regions (such as the [HalDispatchTable+4] technique), obtaining the kernel ImageBase  value is an essential part of the entire exploitation. Some very educational articles covering kernel-mode exploitation techniques can be found here (Analyzing local privilege escalations in win32k), here (Exploiting Common Flaws in Drivers) and here (Exploiting Windows Device Drivers).

SystemHandleInformation

Another interesting request type, already used by some rootkit detection mechanisms (RootkitAnalytics.com). The general purpose is providing information about all the active HANDLE objects present in the system memory. Performing a NtQuerySystemInformation(SystemHandleInformation,…) will result in filling the output buffer with structures of the following definition:

typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG  ProcessId;
UCHAR  ObjectTypeNumber;
UCHAR  Flags;
USHORT  Handle;
PVOID  Object;
ACCESS_MASK  GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

Not too many fields, this time; however, the most important part of the struct is present – PVOID Object. This is where we can find another kernel-mode pointer (inaccessible from user-mode, of course). Apart from the address itself, the HANDLE is also described with the creator process ID, type of the object and most importantly – the HANDLE value itself. Therefore, the object identification is very easy to perform and should not cause too much of a problem to the coder. More information will follow in the upcoming paper :)

SystemLocksInformation

This time, what we are getting is the information regarding locks used by the kernel. Locks in Windows are special “multiple reader single writer” synchronization mechanisms, otherwise known as “resources”.  The output structure definition follows:

typedef struct _SYSTEM_LOCK_INFORMATION {
PVOID  Address;
USHORT  Type;
USHORT  Reserved1;
ULONG  ExclusiveOwnerThreadId;
ULONG  ActiveCount;
ULONG  ContentionCount;
ULONG  Reserved2[2];
ULONG  NumberOfSharedWaiters;
ULONG  NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

where the PVOID Address value points to a ERESOURCE structure in the kernel memory. These structures can be initialized using the ExInitializeResourceLite routine and are said to be documented in DDK (Windows NT 2000 Native API Reference).

These are, more or less, all the places (known by me), one can request K-M addresses from. Even though only three sources could seem to be little, it is enough to create a really impressive (imho) kernel memory map, as you will see in a few minutes. If you – the blog reader – are aware of any other kind of system information request leading to kernel address “leak”, please let me know through e-mail / post comments – I will be more than happy to add it to this list.

Processor specific structures

Apart from asking the system kernel to provide some information about its memory layout, one can also use direct application -> processor communication in order to read addresses related to some of the architectural structures that the system has to implement to work correctly. To be more precise, these structures are Global Descriptor Table (per processor/core) and Interrupt Descriptor Table (per processor/core) plus structures implemented inside GDT (Task State Segment, Local Descriptor Table etc).

To start playing with these structures, one should begin by reading Intel Software Developer’s Manuals: Volume 1 (Basic Architecture) and Volume 3A, 3B (System Programming Guide) – all of these can be found here. The most interesting instructions here appear to be SGDT and SIDT, storing the GDTR and IDTR registers in user-specified memory.

What is more, the system itself also makes some segment-related API functions available; these are:

It should be noted (once more), that each processor has its own GDT/IDT structure. Hence, in order to retrieve all the addresses possible, it is necessary to make sure that a specified thread/routine is executed in the context of a chosen processor. This can be achieved by using SetThreadAffinityMask or SetProcessAffinityMask API functions. Please refer to the KernelMAP source code to get more information about how to implement it in practice.

KernelMAP v0.0.1

Despite some strictly theoretical deliberations, I would also like to present a simple program of mine. Its main purpose is to gather all (or most, at least) information about kernel-mode memory layout and show it to the user in the most attractive way possible. The application consists of two windows: the first, text window prints some basic, statistical information based on the data provided by kernel. Second, graphical window is responsible for the real visualization. Its size is equal 1024×512 (400×200 hexdecimally), and every virtual page is represented by a single pixel on the board. These pixels have various colors associated to themselves, depending on what type of data the page in consideration contains.

As the above description might not give you any idea of how it looks like on a real system, some screenshots from various systems follow:

Windows XP SP3

Windows Vista SP2

Windows 7 SP0

Some strictly technical info: this program is designed to be compiled using MinGW GCC compiler and is probably not MS VC++ compatible. In order to make it work correctly, the program needs to find the SDL.dll, libpng3.dll and zlib1.dll libraries – you can find them inside the package.

A complete ZIP file, including the source code, executable and external DLL files can be downloaded from here (387kB)

Since I am myself very curious about how the kernel memory layout looks like on different systems that I don’t have access to, you should feel encouraged to make your own shot and share (I hope this is not too much of information disclosure ;D). Furthermore, if you find any bugs in the existing code, or would like it to be extended with some additional functionalities (like new kernel addresses I don’t know about, yet), please let me know.

Every single comment is very welcome!

Have fun!

Filed in Assembler, Cpp, OS Internals, Programming, Ring0, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, hacking, kernel | One reply

Win32k.SYS system call table

Published on November 11, 2009

Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking  system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.

Considering the above facts, the popularity of a (mostly) full  system call list created by the Metasploit Project shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.

What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls - exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work,  a need to access information about system calls IDs greater than 0×1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!

The current version of the Windows Graphical System Call List can be found under the following address: http://j00ru.vexillium.org/win32k_syscalls/.

The initial idea of the project is to cover all the x86 Microsoft Windows NT-family systems, including Windows 7. The empty holes easily noticeable inside the table are a consequence of the fact that I don’t have access to all the OS versions placed on the site. However, the list is going to be continuously filled with information retrieved from new systems as I get access to those; the final purpose is to create a syscall collation at least as good as what Metasploit presents. On the other hand, I am not yet able to provide the handling functions’ definitions – as for now, it is still in my TODO list – one must keep in mind that this project is still in its “alpha state”.

While I have done my best to ensure that the information provided by the list is accurate, it is possible that one or more mistakes might remain. I want to encourage every interested person to report any bug figured out, as well as any other kind of oversights present on the website. Furthermore, all comments (or complementary data) regarding the project are obviously very welcome!

Thanks in advance && have fun!

Filed in OS Internals, Ring0, Windows 7, Windows Vista, Windows XP, blog, kernel, rootkit | 2 replies

Unexported SSDT functions finding method

Published on November 2, 2009

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn’t been invented and described by some independent authors a few months/years ago. If some of you – the readers – is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let’s get to the point…

The subject of practical vulnerability exploitation of the system kernel or one of its modules is simply too wide to entirely talk it over here. The technical aspects of making use of such vulnerabilities have already been described by a number of researchers, and the results of their work can be found, inter alia, there:

A basic problem, usually encountered by a newbie reverser lurking in kernel-mode bugs, is how to take advantage of them in practice. When the vuln eventually makes it possible for you to execute your own code in the kernel context and create a relatively stable environment, the question is – what now? In reality, every single functionality we would like to implement, requires some external kernel functions to be used. In 99% cases, the module being imported from is simply ntoskrnl.exe (or any other kind of the kernel executable image). Many methods of finding its base address are available (i.e. Finding Ntoskrnl.exe Base Address @ Uninformed), that are mostly suitable for our purposes – hence I will not cover this subject today.

The next step towards creating a fully functional payload is obtaining the virtual addresses of specific functions we want to use. In the simpliest scenario, where we are only about to operate on exported functions, all we need is an easy way of parsing the internal Portable Executable structures, which can be implemented in “a few” lines, in fact. A very common enhancement is introducing a hash routine, used to convert long symbol names into short 16-32 bit values (as representative as the names themselves). The hashing algorithm doesn’t have to be complex at all – one simple bit operation like shifting is fairly enough for our purposes:

; ASSUMPTIONS: ESI = string to hash (input)
;              EAX = return value (output)
;
GenerateNameHash:
xor eax, eax              ; Zero out the EAX (hash) value

@HashLoop:
  rol eax, 13               ; Rotate left by one
  xor al, byte [esi]        ; Xor with the current char

  inc esi                   ; Increment pointer
  cmp byte [esi], 0         ; Check if NULL
  jnz @HashLoop             ; If not, carry on
  ret                       ; EAX is already set, we have nothing to do - return

In most cases, we don’t even require more than the less-significant 16 bit part of the function’s result, therefore a great memory saving can be noted here. Whether such an optimization is necessary depends on the type of the vulnerability we’re dealing with, however we usually want to reduce the payload size to absolute minimum. All in all, what we are considering now is just getting access to publicly available addresses of the kernel image, which is not very hard to achieve. In my opinion, a much more interesting subject for a potential research would be searching for internal functions, not exported by the kernel in any way. In this case, we are forced to use harder techniques, based mostly on the particular operating system versions etc. Despite the fact that there aren’t too many universal problem solutions, some specific situations exist, in which we are able to get the address of a given internal function, under some special conditions.

In this particular case, the aforementioned conditions means functions belonging to SSDT (System Service Descriptor Table) – a simple array, containing pointers to functions responsible for handling various kinds of system calls triggered by user’s applications. Most of the syscall handlers are not directly exported by the kernel, though they turn out to be very useful when creating some advanced ring-0 payload. Furthermore, what should be noted, is that obtaining the address of an SSDT function is a trivial task from a driver’s level, provided we know the system call’s ID. In such case, the only “problem” is the way of retrieving the system version, in order to match a corresponding function number.

The same task is yet not so easy in user mode – here, the only solutions known by me are based on heuristic ideas, hence they cannot be considered 100% reliable regardless of the Windows version. What you can see below is a list of respective stages performed by an exemplary application, illustrating the method I am writing about:

  • Loading the kernel image into our process context – because of the fact that the ntoskrnl.exe file contents will be extensively used in the near future, we have to load it to the user-mode part of the process address space. Doing so makes it possible for us to refer “local” addresses of the exported functions in an easy and clean manner, thus lets us calculate the offset of any address, against the real kernel ImageBase. Since we are not treating the loaded image us a typical DLL library, we must ensure than no undesired operations are performed (such as calling the executable’s EntryPoint as if it was regular DllMain), but loading the file contents to memory. Thanks to the extended LoadLibraryEx functionality, we can use the DONT_RESLOVE_DLL_REFERENCES flag and avoid any unwanted side effects, as described:

If this value is used, and the executable module is a DLL, the system does not call DllMain for process and thread initialization and termination. Also, the system does not load additional executable modules that are referenced by the specified module.

  • Choosing one, specific function that can be easily found inside SSDT, as well as on the kernel export list, i.e. NtCreateFile, NtCreateEvent, NtConnectPort, NtClose. This function is considerably important for us, since we know its exact address in the kernel-side memory (based on the real and “temporary” kernel ImageBase addresses), and we are able to designate addresses of any other SSDT function, providing we know its SyscallId value (can be dynamically obtained).
  • Retrieving the ImageBase and ImageSize values of the loaded image, which can be done using one of the Process Status API function, that is – GetModuleInformation
  • Getting the real system kernel address, required to point out the place of every function we are interested in. In this case, two functions seem especially useful – EnumDeviceDrivers and GetDeviceDriverBaseName (PSAPI). Using them, we can list and filter all the active kernel modules, including the kernel itself. The following piece of code aims to illustrate how the real ImageBase value is being queried: 
    DWORD GetDriverBaseAddr(const char* BaseName)
{
  static LPVOID BaseAddresses[4096]; // XXX: let's assume there are at most 4096 active device drivers
  DWORD cbNeeded;

  /* Get a list of all the drivers' Image Base Addresses */
  if(!EnumDeviceDrivers(BaseAddresses,sizeof(BaseAddresses),&cbNeeded)) return 0;
  CHAR FileName[MAX_PATH];

  /* Go thru the entire list */
  for( int i=0;i<(int)(cbNeeded/sizeof(LPVOID));i++ )
  {
    /* For each image base, retrieve the driver's name */
    GetDeviceDriverBaseNameA(BaseAddresses[i],FileName,sizeof(FileName));

    /* In case of the current module being kernel, return its base */
    if(!_stricmp(FileName,BaseName)) return (DWORD)BaseAddresses[i];
  }

  /* Should never get here */
  return 0;
}
  • Scanning the memory of the already-loaded kernel image (user-mode) in search of the chosen function’s address (it is NtCreateFile for us). It is first – and the only – phase of the algorithm, presenting a heuristic approach. Its task is to find a place inside SSDT, where the exported function’s pointer is stored. This technique could possibly lead to false positives under certain conditions (when finding more than one matching signature), hence it is strongly advices to introduce some additional conditions to check. As we know that the only satisfying result is a place inside SSDT, we can assume that the adjacent values should also point inside the NTOSKRNL.EXE memory range. As it turns out, the above conditions are quite enough to reduce the false positives’ number to zero (on every Windows versions tested by me). Here’s the code, performing the described memory scanning:

    for( PUCHAR i=(PUCHAR)KernelImageStart;i<(PUCHAR)KernelImageEnd-sizeof(DWORD);i++ )
{
  if(( *(DWORD*)(i+0) == SearchedFunctions[0].Address ) &&
  ( *(DWORD*)(i-4) >= OrgKernelStart && *(DWORD*)(i-4) <= OrgKernelEnd ) &&
  ( *(DWORD*)(i+4) >= OrgKernelStart && *(DWORD*)(i+4) <= OrgKernelEnd ) )
  {
  printf("[+] Function pointer found at [0x%.8x]\n",(UINT)i);
    SearchedFunctions[0].SsdtAddress = (DWORD)i;
    break;
  }
}
  • Reading the system call ID numbers of the functions of interest. There is a very easy and reliable way of reading the system call number for any NTDLL wrapper, without any need to check the operating system version, or (what’s even worse), defining some static SyscallIds in the source. What we are taking advantage of is a specific build of the routines passing execution to kernel, which can be observed in the 2 following examples: 
    .text:7C90D090                ; __stdcall NtCreateFile(x, x, x, x, x, x, x, x, x, x, x)
.text:7C90D090                _NtCreateFile@44 proc near
.text:7C90D090
.text:7C90D090 B8 25 00 00 00 mov     eax, 25h
.text:7C90D095 BA 00 03 FE 7F mov     edx, 7FFE0300h
.text:7C90D09A FF 12          call    dword ptr [edx]
.text:7C90D09C C2 2C 00       retn    2Ch

    and 

    .text:7C90D580                ; __stdcall NtOpenFile(x, x, x, x, x, x)
.text:7C90D580                _NtOpenFile@24  proc near
.text:7C90D580
.text:7C90D580 B8 74 00 00 00 mov     eax, 74h
.text:7C90D585 BA 00 03 FE 7F mov     edx, 7FFE0300h
.text:7C90D58A FF 12          call    dword ptr [edx]
.text:7C90D58C C2 18 00       retn    18h

    As presented, we are able to obtain the syscall number by reading the 32-bit instruction operand from the [FunctionAddress+1] address. This is strongly related to the fact, that the first NTDLL wrapper function instruction is always

    mov eax, SYSCALL_ID

    where SYSCALL_ID is a complete, 32-bit number.
    In our case, the code responsible for retrieving the number of respective functions could look like this:

    /* Get the SyscallId values for each function from the user-mode (ntdll.dll) code
*/
for( ULONG i=0;SearchedFunctions[i].FunctionName;i++ )
{
  HMODULE hNtdll = GetModuleHandle("ntdll.dll");
  FARPROC pFunc  = GetProcAddress(hNtdll,SearchedFunctions[i].FunctionName);
  /* Ignore invalid entries
  */
  if(pFunc==NULL)
    continue;

  SearchedFunctions[i].SyscallId = *(DWORD*)(((DWORD)pFunc)+1);
}
  • Recalculating the SSDT functions’ addresses by performing the following steps:
    • Getting a pointer value from the address: 
      (BaseFunction.Address + (BaseFunction.SyscallId - CurrentFunction.SyscallId)*sizeof(PVOID))

      this is, the address constructed by moving the base routine address (NtCreateFile) back or forward, depending on the search function’s number.

    • Converting the pointer to kernel-memory address: 
      CurrentFunction.KernelAddress = CurrentFunction.Address - LocalKernelImageBase + RealKernelImageBase

By performing the above steps, we can obtain the address of any system call handling function, on the condition that we have its user-mode correspondent exported by ntdll.dll (it is not necessary if we decide to use constant SyscallId numbers). What should be noticed is that the described method only enables us to get some kernel functions’ addresses – we are still forbidden to read or modify the memory pointed by these addresses. Because of this, the technique itself is not useful in the context of i.e. SSDT table contents validation check. However, it makes it lot easier for us to calculate and integrate the addresses with our shellcode yet before the exploitation process, which in turn improves the exploit writing comfort.

Some source code illustrating, how the described technique works, is available here (3kB).

Have fun && leave some comments! ;)

Filed in C, Cpp, OS Internals, Programming, Ring0, Ring3, Windows 7, Windows Vista, Windows XP, kernel | One reply

Controlling Windows process list, part 1

Published on October 8, 2009

First of all, I would like to point out that my old bootkit presentation related stuff is available since a few weeks now. As the whole event was held in polish language, so are the slides / materials. One way or another, if some of you were interested, just take a look at the Slow kilka o SecDay 2k9 post entry.

In one of my previous posts (check Suspending processes in Windows, part 1), I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control. I also announced that a specific way of TaskMgr.exe modification – extending it with the interesting functionality – would be described in the next post. Although, before getting straight to the point (this is – changing the executable binary code), we have to consider some  other important matters. Namely, we intend to have the modification applied to every single Task Manager instance running on the system. Right here, we have a few possible paths to go:

  • Perform a one-time TaskMgr.exe system file alteration on hard disk.
  • Create an additional executable file, called the loader – associated with the Task Manager and launched as its debugger.
  • Leave the hard disk contents unchanged – modify only the virtual memory of all active processes, meeting some specific requirements (in our case – executable image path).

Each option presented above has it’s own set of drawbacks. When it comes to physical HDD modification, we start playing with system file data, which should be always considered dangerous and unwanted behavior. What is more, since Windows keeps many backup copies of core system applications, we would have to get rid of or modify all the existing Task Manager backups. In general, I find the method a little bit too messy to use in practice. If you would like to read more about this subjects, Windows File Protection and Windows Resource Protection should be a good place to start.

It is an interesting idea to create a specific loader – this is – a program executed every time, when some other application tries to launch TaskMgr.exe. If we are able to have our code executed every time the manager is about to be created, we know about all the running instances by definition. The loader’s job would be simply modifying memory in the context of a particular process, which should not cause much trouble. Associating external applications with executable files of specific name is possible using the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

In our case, the only change applied to the registry would be adding a TaskMgr.exe key, and then creating a string value in its context, named Debugger, and with the following value:

C:\Windows\system32\TaskMgr_loader.exe

More about Image File Execution Options can be found here.

In my opinion, the best choice we can make is to modify the process virtual memory itself, without writing to system critical files of any kind. This method extends our practical abilities of changing the application execution flow – we have access to all the data (and modules) used by the target process. For example, setting up an inline hook on one of the statically imported functions (such as kernel32.SetPriorityClass) is much easier to perform on a running process, then by altering the data inside TaskMgr.exe executable image itself.

Choosing the third method, we must consider the practical way of its implementation. Monitoring the list of processes running in the system is not a trivial problem. Moreover, there are many possible ways of solving it, differing not only in effectiveness, but also required user privileges and system mechanisms being used. In my opinion, all of them are worth taking a deeper look – when necessary, you will be able to choose the one best fitting your needs.

Today, I will try to describe one way of “tracing” the active applications – probably the most intuitive periodical process list updating, and comparing the results with older versions, in order to extract the interesting differences.

Some of the issues, which should draw our attention yet at the first glance:

  • The problem of choosing the correct delay time. Since the discussed technique is undoubtedly active, sending specific requests to the operating system every, say, second – creates a possibility of accidentally missing a process. This is because it is expected to be possible to create a process, do its job and close itself within the 1 second between respective requests. The author is obviously able to customize the delay value in such a way to eliminate the described bug, though one must remember that the more often a current process list is retrieved from the kernel (or wherever else), the more processor time is consumed. Because of this, it is necessary to find a value that is reliable enough for us on one hand, and doesn’t generate too much processor usage, on the other.
  • How about the source of (trusted) process list information, and the appropriate interface providing access to this info?

Even though the first problem can be solved in an experimental way, depending on the needs and habits of the programmer, the second issue requires further consideration. As it turns out, there is quite a big number of system interfaces (better or worse documented), allowing us to access the interesting information. Some of them are listed below:

  • ToolHelp32 – a set of API functions exported by kernel32.dll, which have been already introduced in Microsoft Windows 3.1. They make it possible to access information regarding heaps, modules, threads and processes. Moreover, the interface is compatible with all Windows versions since Windows 9x/Me, except Windows NT 4.0. The enumeration area (per-session, per-system) depends on the current user privileges, in whose context these functions are called.
  • Process Status API (PSAPI) – a very well described Windows help library, responsible for facilitating the access to information about processes, modules and device drivers present in the system. One of it’s exported functions is EnumProcesses, letting us obtain the identification numbers of all running processes. What should be noted here, is that the amount of information being retrieved this way is very poor – we get no additional information but the PIDs. If we wanted to get any additional data, we would be forced to open a handle to every single process (i.e. using the OpenProcess function), which is not always possible, due to some obvious security-related reasons.
  • NtQuerySystemInformation(SystemProcessInformation) – undocumented, internal function exported by ntdll.dll. It provides complete information about the process in consideration – the result of it’s execution consists of an array of SYSTEM_PROCESS_INFORMATION structures. In practice, both methods described before rely on calling the NtQuerySystemInformation function with the SystemProcessInformation parameter, and then parsing the results in a specific way. What it means, is that every time the syscall’s returned structures are altered by some 3rd party software (like rootkits), EnumProcesses and ToolHelp32 will also return modified results.
  • NtQuerySystemInformation(SystemHandleInformation) – another example of how the NtQuery~ system call can be used for our own purposes, when called with an appropriate parameter. The function is designed to enumerate all the opened object handle owned by all running processes. After proper interpretation of the provided information (such as detecting, which of the objects describe processes), we are able to create a complete list. The interesting part is that such a list is entirely independent from the kernel-mode EPROCESS linked list. The technique is commonly used as a way of rootkit detection, as some of them tend to pay too much attention on kernel-mode hiding, and  therefore forget to consider the user-mode parts of the system (like CSRSS.EXE). Some more information can be found here (HPD with CSRSS Process Handle Enumeration)
  • OpenProcess + GetLastError API – making brutal use of legitimate functions meant to get legal access to specified process object. According to the author’s research, obtaining a complete list of active processes is possible to be accomplished by trying to access every possible PID value, and – based on the OpenProcess and GetLastError return values – distinguish the PIDs associated with running processes from the “empty” ones. This technique has nothing in common with effectivenes though, hence it should not be used as a method of periodical process information gathering, under no circumstances.
  • Windows Management Instrumentation (WMI) – “a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification.” (via Wikipedia)
  • Client/Server Runtime Subsystem (CSRSS) - in this case, we take advantage of the fact, that the CSRSS.EXE process is responsible for maintaining it’s own process list, fully independent from the EPROCESS chain (kernel-mode). Keeping such a list up to date is possible because every single process being created must be “registered” by it’s parent, using standard CSRSS communication routines (such as ntdll.CsrClientCallServer). Provided we have appropriate user privileges (allowing to open and read SYSTEM process virtual memory), we are able to obtain the process list created by CSRSS (which means all the processes, in theory), based on user-mode data only. This technique was once described by the Diablo reseacher, and described here.

As for now, all the aforementioned mechanisms can be considered functional (it is possible to found at least one source code illustrating how the given technique works in practice). As can be seen, even in case of a problem as easy as listing the active processes, it is possible to find many equivalent (not in a strict sense) solutions. However, the above list might be incomplete, since it contains only the ideas that occured to me personally. As always, you should feel encouraged to share new ideas in the comments! ;>

As we already know how one can implement a periodical process list updating, I am going to describe other ways of process list management, that do not require any active performance (like sending specific requests to the system from time to time), in the future. After introducing other ways of monitoring existing applications to the reader, I will show how to alter the TaskMgr.exe memory properly.

Good night!

Links:

  1. Windows File Protection
  2. Windows Resource Protection
  3. Image File Execution Options
  4. Tool Help Library
  5. Process Status API
  6. SYSTEM_PROCESS_INFORMATION structure
  7. HPD with CSRSS Process Handle Enumeration
  8. Windows Instrumentation Management
  9. Client/Server Runtime Subsystem
  10. EPROCESS Structure
  11. CsrWalker

Filed in CSRSS, OS Internals, Programming, Ring3, Undocumented API, Windows 7, Windows Vista, Windows XP, kernel | One reply

TraceHook v0.0.2

Published on October 3, 2009

Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.

The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.

The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.

A complete package (EXE + sources): TraceHook.zip (50 kB)

Options:

-=*( TraceHook v0.0.2 by j00ru//vx )*=-
 Usage: TraceHook.exe <target executable> [options]

 Available options:
 -pPATH       Sets the dump destination directory to PATH.
              The default dump path is C:\dump.

 -iINTERVAL   Turns the counter mode on. Makes the application terminate
              and automatically dump all the monitored processes after the
              specified amount of time.
              Note: The INTERVAL value is the number of seconds to wait till
                    dumping all processes.

 -m           Activates the MiniDump mode.
 -h           Displays this message.

– CHANGELOG –

2009-10-03: TraceHook v0.0.2
 * Added dump path manipulation option.
 * Added time interval option.
 * Added additional dump file format - Windows MiniDump.
 * Fixed a Denial of Service vulnerability described at http://j00ru.vexillium.org/?p=141#comment-69
 * Fixed many other minor code issues

– TODO –

*** TraceHook v0.0.2 --> v0.0.3
 - Move the dumping process entirely to user-mode, for easier development and safer execution
 - Change the ProcessList structure to sth based on LIST_ENTRY (safer solution ?)
 - Add more dump file formats, i.e. module-only dumps
 - Add support for multiple malware process trees
 - Create some kind of GUI, user-friendly interface

Downloading and testing the application is strongly advised (as well as sending bug reports) !

Filed in C, Cpp, Ring0, Ring3, kernel, malware | 2 replies

TraceHook v0.0.1 release

Published on August 30, 2009

Having some free time, I managed to apply some minor fixed to the TraceHook – I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development ;)

TraceHook is a tiny application keeping track over processes and dumping them when necessary. It’s main objective is to handle various types of malware samples, launched inside a virtual environment (pure malware analysis purposes). Once you choose the executable to run, TraceHook creates the process and adds its PID to the “Controlled Processes’ List”. Every single child-process created by one of these already present in our list, is also being controlled. After all the manual steps are performed (triggering the malware’s core functionality) on the virtual machine, the application dumps the memory context of all the processes inside our controlled list, to separate files inside the hardcoded C:\dump path.

The engine itself is a kernel module (device driver), having a callback routine registered using the documented PspCreateProcessNotifyRoutine API. It works in the context of all processes, thus doesn’t need to inject any additional user-mode code anywhere.

A complete package (EXE + sources): TraceHook.zip (40kB)

An example of usage:

– User-mode TraceHook.EXE log –

-=*( TraceHook v0.0.1 by j00ru//vx )*=-
 [INFO]  Loading driver... Success!
 [INFO]  Opening driver... Success!
 [INFO]  Querying for the driver version...
 [INFO]  Driver Version: TraceHook driver v0.0.1 by j00ru//vx
 [INFO]  Adding the current ProcessId to the monitor list.
 [INFO]  Creating the C:\dump directory for dump files.
 [INFO]  Creating the target process...Success!
 [INFO]  TraceHook module is active, monitoring the malware processes.
 [INFO]  Press ENTER to stop the analysis.
 [INFO]  A control event has been detected!
 [INFO]  Sending a FINISH signal to the driver...
 [INFO]  Unloading the driver from operating system.

– Kernel-mode TraceHook.SYS log –

00000000    0.00000000    [+] TraceHook.SYS: DriverEntry() called.
 00000001    0.00003157    [+] TraceHook.SYS: Create notify-routine successfully set.
 00000002    0.00005196    [+] TraceHook.SYS: Registering an Unload routine.
 00000003    0.00015896    [+] TraceHook.SYS: The EPROCESS name offset is: 0x0174
 00000004    0.00037826    [+] TraceHook.SYS: Creating a named device for the driver.
 00000005    0.00046291    [+] TraceHook.SYS: Allocating initial table of 4096 DWORD elements.
 00000006    0.00048749    [+] TraceHook.SYS: Initializing synchronization spin-locks.
 00000007    0.00206144    [+] TraceHook.SYS: HandleQueryVersion() called.
 00000008    0.00248272    [+] TraceHook.SYS: HandleAddProcess() called.
 00000009    0.01245382    [+] TraceHook.SYS: NotifyRoutine() called:
 00000010    0.01246862         ParentId:  0x00000198
 00000011    0.01248092         ProcessId: 0x00000290
 00000012    0.01249265         Create:    TRUE
 00000013    0.01252142    [+] TraceHook.SYS: Adding the 0x00000290 process to malware list.
 00000014    4.90317774    [+] TraceHook.SYS: NotifyRoutine() called:
 00000015    4.90319204         ParentId:  0x00000290
 00000016    4.90320396         ProcessId: 0x00000774
 00000017    4.90321541         Create:    TRUE
 00000018    4.90324879    [+] TraceHook.SYS: Adding the 0x00000774 process to malware list.
 00000019    7.22620678    [+] TraceHook.SYS: NotifyRoutine() called:
 00000020    7.22622156         ParentId:  0x00000290
 00000021    7.22623444         ProcessId: 0x000006c8
 00000022    7.22624683         Create:    TRUE
 00000023    7.22628021    [+] TraceHook.SYS: Adding the 0x000006c8 process to malware list.
 00000024    9.93577003    [+] TraceHook.SYS: NotifyRoutine() called:
 00000025    9.93578339         ParentId:  0x00000290
 00000026    9.93579578         ProcessId: 0x00000774
 00000027    9.93580723         Create:    FALSE
 00000028    9.93584347    [+] TraceHook.SYS: Dumping the virtual memory of PID: 0x00000774.
 00000029    9.93639183    [+] TraceHook.SYS: Dump file successfully created.
 00000030    12.97541142    [+] TraceHook.SYS: Dumping done, exiting.
 00000031    17.54358864    [+] TraceHook.SYS: HandleRemoveProcess() called.
 00000032    17.54365158    [+] TraceHook.SYS: HandleFinish() called.
 00000033    17.54456329    [+] TraceHook.SYS: NotifyRoutine() called:
 00000034    17.54457664         ParentId:  0x00000290
 00000035    17.54459000         ProcessId: 0x000006c8
 00000036    17.54460335         Create:    FALSE
 00000037    17.54463768    [+] TraceHook.SYS: Dumping the virtual memory of PID: 0x000006c8.
 00000038    17.54517174    [+] TraceHook.SYS: Dump file successfully created.
 00000039    17.62910080    [+] TraceHook.SYS: NotifyRoutine() called:
 00000040    17.62911415         ParentId:  0x00000198
 00000041    17.62912750         ProcessId: 0x00000290
 00000042    17.62913895         Create:    FALSE
 00000043    17.62916946    [+] TraceHook.SYS: Dumping the virtual memory of PID: 0x00000290.
 00000044    17.62970161    [+] TraceHook.SYS: Dump file successfully created.
 00000045    23.02032471    [+] TraceHook.SYS: Dumping done, exiting.
 00000046    23.89743805    [+] TraceHook.SYS: Dumping done, exiting.
 00000047    23.90094757    [+] TraceHook.SYS: Finish signal successfully handled.
 00000048    24.23270798    [+] TraceHook.SYS: NotifyRoutine() called:
 00000049    24.23274612         ParentId:  0x00000490
 00000050    24.23275948         ProcessId: 0x00000198
 00000051    24.23279381         Create:    FALSE
 00000052    24.23301888    [+] TraceHook.SYS: DriverUnload() called.
 00000053    24.23304558    [+] TraceHook.SYS: Create notify routine removed.

– TODO –

*** TraceHook v0.0.1 –> v0.0.2

 - Add a time interval option - the application would wait i.e. 1 minute and then automatically
 dump the entire process tree, instead of waiting for the user's action
 - Add a dumping path option (instead of fixed C:\dump)
 - Change the ProcessList structure to sth based on LIST_ENTRY (safer solution ?)

As always, comments are welcome!

Filed in C, Cpp, Programming, Ring0, blog, kernel, malware | 6 replies

Suspending processes in Windows, part 1

Published on August 28, 2009

StarCraftI have been recently encountering quite a non-typical problem – playing Starcraft was hard due to the amount of active processes running on my operating system – including a few IDA instances, virtual machines and the most disturbing… Firefox web browser. As we all know, it’s not only about the memory being used by Firefox – the main problem is that the application tends to consume large amounts of CPU time (especially when having 150-200 opened tabs at once). When we add a very easily-heating processor, the aforementioned game might really have some problems with effectiveness.

The most intuitive solution to that problem seemed to be simply killing the firefox.exe process (no matter if it means closing it the right way or just terminating it) – the rest was no longer a problem, since it is possible to pause the Virtual Machine execution etc. The real problem appeared after the game, when I wanted to start working with the web browser – loading 150 sites back is always time-consuming, no matter how fast your connection is. When such a situation began taking place a number of times a day, I became pretty frustrated.

How one could guess by reading the post title, I finally decided to suspend the process instead of terminating it – after the time needed to make use of the processor for other purposes, I could resume the process and immediately enjoy working with it. This approach has some significant disadvantages, all of which are going to be described in detail here. The entire post has been divided into two major parts – in the first one, I will present all the (good and worse) ideas of how a remote process can be suspended, the second one will contain information about modyfing the Task Manager itself, a well-known administrative application, in order to make it possible to suspend a specified process right from its context menu. Straight to the point…

After taking a look at some Google results, it becomes clear that there are many tools providing the expected functionality – suspending particular threads/whole processes ([1],[2],[3]). One could guess that, if there is so much software offering what we need, writing our own program cannot be too hard (the system is perhaps providing some kind of interface for such operations) – and that’s exactly right ;)

The first, well documented tool in our hands is the  SuspendThread and ResumeThread function pair. As it turns out, it is possible to pause a specified thread (in particular, all of them) in a remote process’ context, if only we’re allowed to open a hThread handle with THREAD_SUSPEND_RESUME access. The CodeProject[1] solution is mainly based on this method. The article’s author decided to list all the threads present in given process, using a set of ToolHelp32 APIs[6]. More of a brutal solution could be trying to open and suspend all the possible ThreadId (which are usually reasonably small numbers). Despite this technique is working well in most cases, the following cons must be taken into account:

  • There are many multi-threaded applications, that take advantage of thread operations’ order. In case such a program would get suspended in a wrong execution moment, some unpredictable behaviour could be expected (in worst case – a simple deadlock or process crash) – it is practically very dangerous approach.
  • A race condition could happen under some specific circumstances. When half of the threads would have been already suspended, one of the upper-half threads could try to create a new one, being placed among these already handled. This would allow further program execution, resulting in unknown (depending on the application itself) behaviour.
  • Even though the process that has all of its threads suspended could be considered “inactive”, it is not really true.  It is still possible to create a remote thread in the target process’ context – such a situation could take place, for example, when CSRSS decides to create a callback routine in our console application (resulting in having the registered console handlers executed).

The above solution should be considered relatively stable and OS version independent since it makes use of actively supported APIs, that are for sure not going to be removed from any future Windows version. However, the MSDN documentation contains a small adnotation, saying that the described functions should be mainly used by debugger applications – the calling thread should have complete control over the target’s execution. This is not a very serious matter for us, but let’s think if there are any other, better ways to achieve our goal.

Despite the fact that no public SuspendProcess function, being able to entirely perform a suspend, is available to Win32 programmers, it is worth going one level deeper – some of the System Calls (and their wrappers inside ntdll.dll library) might turn out to be very handy, when the well-known and documented methods fail (or, when a public, stable solution doesn’t exist). The Windows System Call Table[10] provides a complete list of Windows syscalls, ranging from NT SP3, up to Windows Vista SP0. As one could observe, the NtSuspendProcess function has been introduced with Windows XP Sp0 and works on every single system version since then. It seems to be quite a good alternative for the “manual” solution, if we take into account that the kernel itself is responsible for disabling access to the dereferred threads and avoiding any undesirable consequences of the operation. As the Windows XP and Windows 2003 Server code can be found in the Windows Research Kernel package, we can take a look inside the function and find out what does the exported symbol really do:

(...)
if (ExAcquireRundownProtection (Process->RundownProtect)) {

for (Thread = PsGetNextProcessThread (Process, NULL);
Thread != NULL;
Thread = PsGetNextProcessThread (Process, Thread)) {

PsSuspendThread (Thread, NULL);
}

ExReleaseRundownProtection (Process->RundownProtect);

Status = STATUS_SUCCESS;
} else {
Status = STATUS_PROCESS_IS_TERMINATING;
}

return Status;
(...)

As can be seen, the function doesn’t perform many additional actions/checks – iterating thru all the active threads, respectively uses PsSuspendThread on each. It also makes sure the process don’t get terminated while executing the “for” loop (ExAcquireRundownProtection (&Process->RundownProtect) call). The solution is significantly better than the one before – all the work is performed by the kernel itself – we don’t have to care about what happens under any certain conditions etc. On the other hand, although widely spread, making use of undocumented functions should be avoided as long as it is possible – we can’t be sure whether the API will still exist in the future system versions (however, having it removed from Windows is also very unlikely).

After a quick debriefing of the two most intuitive methods, the time has come for more interesting ideas. As we’ve probably ran out of methods directly meeting our requirments, we have to think about other Windows mechanisms that would make it possible for us to suspend something, basing on the side effects. One of such mechanisms is the Debugging Interface provided by Microsoft, making it possible to create special debugging programs in an easy and pleasant way. As you have probably observed, when a debugger attaches itself to a remote process, all the target’s threads immediately get suspended till the debugger gives a sign to let them execute. It is a well known behaviour, described in the DebugActiveProcess[7] function’s documentation. I find these functions perfect in the context of our problem – both the performance and usage is very simple from the programmer’s point of view. What is more, there is an opposite function to the suspending one – named DebugActiveProcessStop[8], making it possible to restore the original program execution by detaching the debugger. Additionally, we’re not forced to use any other API functions – it is enough to make one call for suspension and one call for resumption (in both cases, the only parameter is the destination ProcessId!).

The following code presents how easy it is to write a tiny suspend/resume application using the currently described technique:

#define _WIN32_WINNT 0x0600
#include <cstdio>
#include <windows.h>
using namespace std;

int main(int argc, char** argv)
{
DWORD PID;
BOOL Ret;

if(argc!=2)
{
puts("Usage: suspend.exe <PID>");
return 1;
}

PID = atoi(argv[1]);
printf("[+] DebugActiveProcess: 0x%.8x\n",(Ret=DebugActiveProcess(PID)));
if(!Ret)
{
printf("[-] Function failed. LastError: 0x%.8x\n",(UINT)GetLastError());
return 1;
}

printf("[+] Click ENTER to resume the process...");
getchar();

printf("[+] DebugActiveProcessStop: 0x%.8x\n",DebugActiveProcessStop(PID));
return 0;
}

As shown above, the two functions are trivial to use and are suprisingly well meeting our requirements. Anyway, we have to keep in mind some of the disadvantages related to the method – for example, it is not possible to attach a genuine debugger to the process being paused till the DebugActiveProcessStop call is made. All in all, it is a minor drawback and should not be very disturbing in real life. Apart from this, when the debugging process gets killed (no matter if it closes itself or gets terminated by an external module), so will the processes being debugged. It would be a serious matter indeed, if not the presence of SetDebugKillOnExit[9] function, providing an option to change the default setting, so as the debugged processes are being detached and continue their execution instead of being terminated.

The last idea that occured to me was to use the system process called CSRSS.EXE and some of the side-effects caused by how the console window events are handled. Since the console applications have very restricted access to events, appearance and behaviour of the window they are operating on, one should take a look into the Client/Server Runtime Subsystem[11] disassembly – in particular, the \Windows\system32\winsrv.dll module, responsible for creating, destroying and handling standard messages of the consoles. My idea is based on a simple observation – when the user decides to turn the console into a different mode (for example, using the Mark option), access to the active console buffer is disabled until the normal mode is restored.

What should be noted is the fact, that this method can only be applied to:

  • Processes that actively make use of the console window – performing operations requiring access to the screen buffer
  • Local processes – this method is very hard (impossible?) to use in the context of a remote process

Even though it seems to be completely impractical, I decided to post it here to show a particular thinking scheme – if we want to achieve something in our system, we don’t necesarily need to find functions that are designed to do what we expect – taking advantage of the side-effects of how some functionalities present in the system work is often a better option for us, especially if we’re able to adjust them for our purposes.

The four above methods may (with better or worse result) be used to suspend a remote thread – it is still possible that other, good and interesting ideas exist . The current ZIP package containing a piece of Proof of Concept code for each technique can be downloaded from here (as I find new ways of process suspension, I will surely add new source files to keep it up to date with my current knowledge).

In the second part of the incoming post, I will show how to modify the TaskMgr.exe execution, so as to make it provide an embedded option of suspending a process – launching a special tool would be as uncomfortable as terminating/resuming the firefox.exe itself. I placed a few interesting addresses in the Links sections, that could shed some light on the subject in consideration – I would also like to encourage every reader to share his/her ideas in the Comments section! ;)

Linki:

  1. CodeProject Win32 Process Suspend/Resume tool
  2. PsSuspend v1.06
  3. Command Line Process Viewer/Killer/Suspender
  4. SuspendThread
  5. ResumeThread
  6. Tool Help Functions
  7. DebugActiveProcess
  8. DebugActiveProcessStop
  9. DebugSetProcessKillOnExit
  10. Windows System Call Table
  11. Client/Server Runtime Subsystem
  12. Windows Research Kernel

Filed in C, Cpp, Programming, Undocumented API, Windows Vista, Windows XP | 6 replies

The incoming SecDay conference

Published on August 27, 2009

I have a pleasure to inform the blog readers about the incoming event I am taking part in – the polish SecDay conference (regarding security in a general meaning)! ;)

My presentation’s subject is the practical approach to, so called, bootkit creation. To make things clear, bootkit consists of a number of code blocks present on some kind of bootable media, being able to take complete control over the attacked machine, by simply performing some run-time memory modifications at the time of OS startup process.  To be exact, I will try to show how easy pwning a machine is, provided the potential attacker has physical access to the target. The steps taken by our bootable code to achieve specific goals (hacking the user authorization mechanism etc) will be described in detail.

The event will is going to be held in polish, but I expect my presentation stuff to be released in both PL and EN versions ;)

Filed in Bootkits, Conferences | No replies

Blog management changes

Published on August 18, 2009

Welcome to the blog on my own hosting!

I have recently decided to add multi-language support to the blog, which obviously required the Wordpress system to be moved to my own hosting (the one provided by wordpress.com lacks many important features, like the possibility to install plugins (which turned out to be very useful, by the way)). What is more, some other handy plugins have been installed as well, including code highlighting, modified t heme and a few other, not visible to the user himself.

Right from now, every new post is supposed to be available in the polish language version first. However, I will do my best to translate them as soon as possible. Hope you will like the new features!

Filed in blog | One reply