Monthly Archives: August 2007

Finding Easter Eggs for fun but not for profit :P!

Only the most skilled ninjas are able to find easter eggs… Even Alice needed to follow the rabbit to find them… “We are all mad here!” hihi

O.S. Version: Windows 2003 SP1 Checked only
Module: diskdump.sys

; Exported entry 10. ScsiPortGetPhysicalAddress
; SCSI_PHYSICAL_ADDRESS __stdcall ScsiPortGetPhysicalAddress(
;     PVOID HwDeviceExtension,
;     PSCSI_REQUEST_BLOCK Srb,
;     PVOID VirtualAddress,
;     ULONG *Length)

_ScsiPortGetPhysicalAddress@16: ; CODE XREF: StorPortGetPhysicalAddress(x,x,x,x)
                 mov     edi, edi
                 push    ebp
                 mov     ebp, esp
                 mov     edx, [ebp+arg_4]
                 test    edx, edx
                 push    esi
                 jz      loc_1308D
                 mov     eax, _DeviceExtension
                 cmp     byte ptr [eax+2B9h], 0 ; Magic byte inside DriverExtension's Buffer :)
                 jz      short Hidden_String
[...]
Hidden_String:
                 push    offset aDiskdumpJeffLe ; "DISKDUMP: Jeff led me to believe this c"...
                 push    0
                 call    _ScsiDebugPrint
[...]
aDiskdumpJeffLe  db 'DISKDUMP: Jeff led me to believe this code may never get executed.',0Ah,0

Never say never again :)

Patchguard 3.0? :)

http://www.microsoft.com/technet/security/advisory/932596.mspx

Microsoft Security Advisory (932596)
Update to Improve Kernel Patch Protection
Published: August 14, 2007

An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this protection for increased reliability, performance, and resiliency of Windows. For more information about this release, see Microsoft Knowledge Base Article 932596. We encourage customers running x64-based Windows operating systems to install this update. For more information about Kernel Patch Protection, see the following Microsoft Web Site. For more information about the updates included in this release, see Microsoft Knowledge Base Article 932596.

Related Software:
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Vista x64 Edition


To be continued…

Waldo!!

As I explained in a previous post (here), there are some funny programmers in Redmond who like to put hidden strings in their code.

The following sample is from Windows 2000 Kernel.

.text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric
.text:004054B0 46 2E 4E 65 6C 73 6F 6E DE B0 FE 50 6A 59 D2 11 F.Nelson

But who is Eric F. Nelson? :)

Moreover, in NtSetVolumeInformationFile() a guy named Jess put his fingerprint too :p

PAGE:004D71BD                 mov     esi, offset KernelConspiration 
PAGE:004D71C2                 lea     edi, [ebp+UnusedString]
PAGE:004D71C5                 movsd
PAGE:004D71C6                 movsd
PAGE:004D71C7                 movsd
PAGE:004D71C8                 movsd

As we can guess, the first four bytes are the name of the person, but what do the three additional dwords mean?

.text:00405338 KernelConspiration db 'Jess'
.text:0040533C                          dd 11D0812Ah
.text:00405340                          dd 8C7BEh
.text:00405344                          dd 2F09E22Bh

typedef struct _KERNEL_CONSPIRATION {
    BYTE  szName[4];
    DWORD HarryKilledVoldemort;
    DWORD HarryGetMarriedWithGinny;
    DWORD AndRonWithHermione;
} KERNEL_CONSPIRATION, *PKERNEL_CONSPIRATION;

Oops! I’m not a spoiler !! hahaha

Save the trees, stop Harry Potter’s publication!
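The two Windows 2000 dump rows and the KernelConspiration record above, fed to a small Python scanner I added here (my code, not from the post): it rebuilds the raw bytes from IDA-style dump lines and runs a `strings`-style scan over them, which shows that "Eric" and "F.Nelson" are one contiguous string that IDA's ASCII column only splits at the 16-byte row boundary, and that a naive scan over the Jess record also swallows the '*' (0x2A) low byte of the dword that follows the name. All function and constant names are my own.

```python
import struct

# Constructed from the two Windows 2000 dump lines quoted in the post.
DUMP_LINES = [
    ".text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric",
    ".text:004054B0 46 2E 4E 65 6C 73 6F 6E DE B0 FE 50 6A 59 D2 11 F.Nelson",
]
# The KernelConspiration record, rebuilt from the 'Jess' + three dd lines.
JESS_ADDR = 0x405338
JESS_RECORD = b"Jess" + struct.pack("<3I", 0x11D0812A, 0x0008C7BE, 0x2F09E22B)
HEX = set("0123456789abcdefABCDEF")

def parse_dump_line(line):
    """Split 'seg:ADDR b0 b1 ... ASCII' into (address, bytes).
    Only the hex column is trusted; IDA's ASCII column is rendered per
    16-byte row, so it cuts strings at row boundaries."""
    head, _, rest = line.partition(" ")
    addr = int(head.rpartition(":")[2], 16)
    data = bytearray()
    for tok in rest.split():
        # the 17th token, or the first non-hex one, starts the ASCII column
        if len(data) == 16 or len(tok) != 2 or not set(tok) <= HEX:
            break
        data.append(int(tok, 16))
    return addr, bytes(data)

def parse_dump(lines):
    """Concatenate consecutive dump rows into one (base_address, bytes)."""
    base, buf, expected = None, bytearray(), None
    for line in lines:
        addr, data = parse_dump_line(line)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("gap in dump at %08X" % addr)
        buf += data
        expected = addr + len(data)
    return base, bytes(buf)

def find_strings(base, data, min_len=4):
    """Poor man's `strings`: printable-ASCII runs of >= min_len bytes as (address, text)."""
    found, start = [], None
    for i, b in enumerate(data + b"\x00"):  # NUL sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                found.append((base + start, data[start:i].decode("ascii")))
            start = None
    return found
```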

Some useful commands (Memento)

If one day you want to fill a buffer (here the size is 0x10000) with null bytes and put a string inside it:

Don’t forget the “a” between “>” and “<”, it is what passes the argument to the script:
kd> $$>a< "FULL_SCRIPT_PATH" BASE_ADDRESS

$$
$$ Matthieu Suiche 08/2007
$$ http://www.msuiche.net
$$
$$ Usage: $$>a< "FULL_SCRIPT_PATH" BUFFER_ADDRESS ($arg1 is the buffer address)

.if (${/d:$arg1})
{
    $$ Fill 0x10000 bytes at $arg1 with zeros...
    f ${$arg1} L10000 0

    $$ ...then write the ASCII string at the start of the buffer.
    ea ${$arg1} "I'm a fucking string !!!! test it oon meeeeeeeeeee! haha"
}
.else
{
    .printf "Usage: BUFFER_ADDRESS\n";
}

First steps with WinDbg scripting… (Memento)

Here is a sample WinDbg script for people who don’t want to waste time because they can’t find any documentation.

First, to declare a variable you use the “r” command, and the name must be $t[0..n] (a pseudo-register).
Second, if you use the “/D” flag after “.printf” you can use pseudo-HTML (DML) markup inside the string.
Third, to read the value at an address you use “poi()” (a pointer-sized read), with the “@” prefix on pseudo-registers, like: poi(@$t0)
To write a byte or a dword, use “eb” or “ed”.

And… the most fun is that you can create links, following this scheme:
.printf /D "<link cmd=\"COMMAND_TO_EXECUTE\">DISPLAY_TEXT</link>\n";

To execute a script, use:
kd> $$>< "FULL_SCRIPT_PATH"

References:
http://blogs.msdn.com/debuggingtoolbox/archive/tags/Windbg+Scripts/default.aspx
http://www.dumpanalysis.org/blog/index.php/category/windbg-scripts/


$$
$$ A sample of Windbg script: "KdDebuggerEnabled Control"
$$ Matthieu Suiche 08/2007
$$ http://www.msuiche.net
$$

r $t0 = nt!KdDebuggerEnabled;

$$ KdDebuggerEnabled is a BOOLEAN (one byte): read it with by() rather than
$$ poi(), which would read a full pointer-sized value and also pick up the
$$ bytes that follow it in memory.
.if (by(@$t0) == 1)
{
    .printf "\nThe debugger is enabled...\n";

    $$
    $$ We display the KdDebuggerEnabled byte.
    $$
    .printf /D "      nt!KdDebuggerEnabled <b>";
    db nt!KdDebuggerEnabled L1
    .printf /D "</b>\n";

    $$
    $$ We print a link command: clicking it clears the flag.
    $$
    .printf /D "<link cmd=\"eb @$t0 0x00\">Hermione! Show me how your HIDDEN talents are wonderful!</link>\n";
}
.else
{
    .printf "\nThe debugger is hidden.\n";

    $$
    $$ We display the KdDebuggerEnabled byte.
    $$
    .printf /D "      nt!KdDebuggerEnabled <b>";
    db nt!KdDebuggerEnabled L1
    .printf /D "</b>\n";

    $$
    $$ We print a link command: clicking it sets the flag again.
    $$
    .printf /D "<link cmd=\"eb @$t0 0x01\">Oh Hermione please reset the debug flag!</link>\n";
}