Year: 2009

Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking  system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.

Considering the above facts, the popularity of a (mostly) full  system call list created by the Metasploit Project shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.

What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls – exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work,  a need to access information about system calls IDs greater than 0x1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!

The current version of the Windows Graphical System Call List can be found under the following address: https://j00ru.vexillium.org/syscalls/win32k/32/.

Read more

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn’t been invented and described by some independent authors a few months/years ago. If some of you – the readers – is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let’s get to the point…

The subject of practical vulnerability exploitation of the system kernel or one of its modules is simply too wide to entirely talk it over here. The technical aspects of making use of such vulnerabilities have already been described by a number of researchers, and the results of their work can be found, inter alia, there:

• Kernel-mode Payloads on Windows
• Remote Windows Kernel Exploitation – Step into the Ring 0
• How to exploit Windows kernel memory pool

Read more

In one of my previous posts (check Suspending processes in Windows), I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control. I also announced that a specific way of TaskMgr.exe modification – extending it with the interesting functionality – would be described in the next post. Although, before getting straight to the point (this is – changing the executable binary code), we have to consider some  other important matters. Namely, we intend to have the modification applied to every single Task Manager instance running on the system. Right here, we have a few possible paths to go:

• Perform a one-time TaskMgr.exe system file alteration on hard disk.

• Create an additional executable file, called the loader – associated with the Task Manager and launched as its debugger.

• Leave the hard disk contents unchanged – modify only the virtual memory of all active processes, meeting some specific requirements (in our case – executable image path).

Each option presented above has it’s own set of drawbacks. When it comes to physical HDD modification, we start playing with system file data, which should be always considered dangerous and unwanted behavior. What is more, since Windows keeps many backup copies of core system applications, we would have to get rid of or modify all the existing Task Manager backups. In general, I find the method a little bit too messy to use in practice. If you would like to read more about this subjects, Windows File Protection and Windows Resource Protection should be a good place to start.

Read more

Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number – 0.0.2. Until now, the application has been designed for my own purposes – it was written to handle particular problems and work under certain conditions, although I am slowly trying to implement additional options, that might turn out to be handy for wider public.

The main purpose and used techniques remain the same – it is still all about tracing and dumping process trees marked as malware (for which TraceHook was created in the first place). The engine itself is build with a kernel driver, responsible for handling the current process list in a safe manner,receiving and managing the notify signals, regarding events such as program creation/termination, as well as a majority of other available options.

The new version has been mainly enhanced with a new dump file format – Windows MiniDump. As opposed to a full raw memory dump, performed entirely in kernel-mode, the minidump file is written to from user-mode. Moving the dumping function to user area makes it possible to extend the project with more, safe functions implementing new file formats, depending on the user’s needs.

A complete package (EXE + sources): TraceHook_v0.0.2.zip (50 kB)

Read more

Having some free time, I managed to apply some minor fixed to the TraceHook – I also decided to publish it, by the way. If there will be any bug reports / improvement suggestions, I will be more motivated to return to its development ;)

TraceHook is a tiny application keeping track over processes and dumping them when necessary. It’s main objective is to handle various types of malware samples, launched inside a virtual environment (pure malware analysis purposes). Once you choose the executable to run, TraceHook creates the process and adds its PID to the “Controlled Processes’ List”. Every single child-process created by one of these already present in our list, is also being controlled. After all the manual steps are performed (triggering the malware’s core functionality) on the virtual machine, the application dumps the memory context of all the processes inside our controlled list, to separate files inside the hardcoded C:\dump path.

The engine itself is a kernel module (device driver), having a callback routine registered using the documented PspCreateProcessNotifyRoutine API. It works in the context of all processes, thus doesn’t need to inject any additional user-mode code anywhere.

A complete package (EXE + sources): TraceHook_v0.0.1.zip (40kB)

Read more

I have been recently encountering quite a non-typical problem – playing Starcraft was hard due to the amount of active processes running on my operating system – including a few IDA instances, virtual machines and the most disturbing… Firefox web browser. As we all know, it’s not only about the memory being used by Firefox – the main problem is that the application tends to consume large amounts of CPU time (especially when having 150-200 opened tabs at once). When we add a very easily-heating processor, the aforementioned game might really have some problems with effectiveness.

The most intuitive solution to that problem seemed to be simply killing the firefox.exe process (no matter if it means closing it the right way or just terminating it) – the rest was no longer a problem, since it is possible to pause the Virtual Machine execution etc. The real problem appeared after the game, when I wanted to start working with the web browser – loading 150 sites back is always time-consuming, no matter how fast your connection is. When such a situation began taking place a number of times a day, I became pretty frustrated.

Read more

I have a pleasure to inform the blog readers about the incoming event I am taking part in – the polish SecDay conference (regarding security in a general meaning)! ;)

My presentation’s subject is the practical approach to, so called, bootkit creation. To make things clear, bootkit consists of a number of code blocks present on some kind of bootable media, being able to take complete control over the attacked machine, by simply performing some run-time memory modifications at the time of OS startup process.  To be exact, I will try to show how easy pwning a machine is, provided the potential attacker has physical access to the target. The steps taken by our bootable code to achieve specific goals (hacking the user authorization mechanism etc) will be described in detail.

The event will is going to be held in polish, but I expect my presentation stuff to be released in both PL and EN versions ;)

Welcome to the blog on my own hosting!

I have recently decided to add multi-language support to the blog, which obviously required the WordPress system to be moved to my own hosting (the one provided by wordpress.com lacks many important features, like the possibility to install plugins (which turned out to be very useful, by the way)). What is more, some other handy plugins have been installed as well, including code highlighting, modified theme and a few other, not visible to the user himself.

Right from now, every new post is supposed to be available in the polish language version first. However, I will do my best to translate them as soon as possible. Hope you will like the new features!

Aww, another month or even more has apparently passed just in front of my eyes. As some of you might have realized, the school time have already ended (something like two weeks ago), thus allowing me to carry out some more research and remember about this blog. I expect some more posts to be written in the very next days, hope this will succeed.

In this particular post, I would like to describe some curiosities I found inside the kernel32.dll (and KernelBase.dll in case of Windows 7 RC) and ntdll.dll default Windows libraries. Not only want I to share the ideas that occured to me during this small research, but also I would like to hear some new techniques of making use of what I found. Feel free to add new facts/ideas regarding this post, as I could overlook some obvious assumption or things like this. Remember this is not and shouldn’t be considered a thorough report. To make everything clear, the entire post covers the situation on x86 versions of Microsoft Windows systems.

Read more

It seems like the blog has been dead for more than two months, mainly due to kind of wrong priority hierarchy – there was always something interesting to research, even when I should be busy writing a next interesting post on my blog ;)

The recent weeks haven’t been wasted at all, as the site state might suggest. Thanks go to the SecNews admin for dropping a line about this place, a few days ago – the sudden visit rate increase was really motivational to keep on posting here. Since now, I’ll try to redesign my priorities so as to spend more time on the blog development, but life will show how will I handle it.

What I am going to describe today is not a technical subject at all (though strongly related to). During recent times I’ve been present at a few really well-organised conferences (though not every I wanted to attend), all of which I am going to mention here. The most popular one, CONFidence 2009 will be described in detail while the other ones will only be briefly introduced to the reader.

Read more