Finding Easter Eggs for fun but not for profit :P!
Only the most skilled ninjas are able to find out easter eggs… Even Alice needed to follow the rabbit to find them… “We are all mad here!” hihi
O.S. Version: Windows 2003 SP1 Checked only
Module: diskdump.sys
; Exported entry 10. ScsiPortGetPhysicalAddress
; SCSI_PHYSICAL_ADDRESS __stdcall ScsiPortGetPhysicalAddress
;     (PVOID HwDeviceExtension,
;      PSCSI_REQUEST_BLOCK Srb,
;      PVOID VirtualAddress,
;      ULONG *Length)
_ScsiPortGetPhysicalAddress@16:          ; CODE XREF: StorPortGetPhysicalAddress(x,x,x,x)
    mov     edi, edi
    push    ebp
    mov     ebp, esp
    mov     edx, [ebp+arg_4]
    test    edx, edx
    push    esi
    jz      loc_1308D
    mov     eax, _DeviceExtension
    cmp     byte ptr [eax+2B9h], 0       ; Magic byte inside DriverExtension's Buffer :)
    jz      short Hidden_String
[...]
Hidden_String:
    push    offset aDiskdumpJeffLe       ; "DISKDUMP: Jeff led me to believe this c"...
    push    0
    call    _ScsiDebugPrint
[...]
aDiskdumpJeffLe db 'DISKDUMP: Jeff led me to believe this code may never get executed.',0Ah,0
Never say never again :)
Patchguard 3.0 ? :)
http://www.microsoft.com/technet/security/advisory/932596.mspx
Microsoft Security Advisory (932596)
Update to Improve Kernel Patch Protection
Published: August 14, 2007
An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this protection for increased reliability, performance, and resiliency of Windows. For more information about this release, see Microsoft Knowledge Base Article 932596. We encourage customers running x64-based Windows operating systems to install this update. For more information about Kernel Patch Protection, see the following Microsoft Web Site. For more information about the updates included in this release, see Microsoft Knowledge Base Article 932596.
Related Software:
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Vista x64 Edition
To be continued…
Waldo!!
As I explained in a previous post (here), there are some funny programmers in Redmond who like to put hidden strings in their code.
The following sample is from Windows 2000 Kernel.
.text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric
.text:004054B0 46 2E 4E 65 6C 73 6F 6E DE B0 FE 50 6A 59 D2 11 F.Nelson
But who is Eric. F. Nelson? :)
Moreover, in NtSetVolumeInformationFile() a guy named Jess put his fingerprint too :p
PAGE:004D71BD mov esi, offset KernelConspiration
PAGE:004D71C2 lea edi, [ebp+UnusedString]
PAGE:004D71C5 movsd
PAGE:004D71C6 movsd
PAGE:004D71C7 movsd
PAGE:004D71C8 movsd
As we can guess, the first four bytes are the name of the person, but what do the three additional dwords mean?
.text:00405338 KernelConspiration db 'Jess'
.text:0040533C dd 11D0812Ah
.text:00405340 dd 8C7BEh
.text:00405344 dd 2F09E22Bh

typedef struct _KERNEL_CONSPIRATION {
    BYTE  szName[4];
    DWORD HarryKilledVoldemort;
    DWORD HarryGetMarriedWithGinny;
    DWORD AndRonWithHermione;
} KERNEL_CONSPIRATION, *PKERNEL_CONSPIRATION;
Oops! I’m not a spoiler !! hahaha
Save the trees, stop Harry Potter’s publication!
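Joking aside, the 16 bytes at KernelConspiration also fit a much more mundane layout: a Windows GUID (a little-endian DWORD, two WORDs and eight raw bytes), where only Data1 has been replaced with a name. The version nibble of the third field (0x11D0 starts with 1, a time-based GUID) and the 08:00:2B node prefix are consistent with that reading. This is an observation added here, not something the post states, and the script below is an added example rather than the post's code. It does two things a reverse engineer does by hand when hunting this kind of easter egg: scan a blob for printable ASCII runs (what the strings tool does) and decode the 16 bytes starting at each hit as a GUID. The sample blob is constructed from the dwords listed above, with a few filler bytes around them.

```python
import re
import struct
import uuid  # only used to cross-check the hand-rolled decoder

# Constructed sample: the 16 bytes at KernelConspiration as listed in the post
# ('Jess' followed by the dwords 11D0812Ah, 8C7BEh, 2F09E22Bh, little-endian),
# padded with arbitrary filler bytes so the scanner has something to skip.
KERNEL_CONSPIRATION = b"Jess" + struct.pack("<III", 0x11D0812A, 0x8C7BE, 0x2F09E22B)
SAMPLE_BLOB = b"\x00\xC0\x4F\xB9" + KERNEL_CONSPIRATION + b"\xDE\xB0\xFE\x50"  # constructed


def find_ascii_runs(blob: bytes, min_len: int = 4):
    """Return (offset, text) for every run of at least min_len printable ASCII bytes,
    which is what the Unix `strings` utility reports. Names such as 'Jess' or
    'Eric F. Nelson' stand out in a hex dump exactly this way."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def decode_guid(raw: bytes) -> str:
    """Render 16 bytes in the Windows GUID layout: DWORD Data1, WORD Data2, WORD Data3
    (little-endian) followed by 8 raw bytes Data4, in the usual {8-4-4-4-12} notation."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])
    data4 = raw[8:]
    return "{%08x-%04x-%04x-%s-%s}" % (data1, data2, data3, data4[:2].hex(), data4[2:].hex())


def guid_version(raw: bytes) -> int:
    """High nibble of Data3 is the GUID version (RFC 4122); 1 means time-based."""
    (data3,) = struct.unpack("<H", raw[6:8])
    return data3 >> 12


def guid_node(raw: bytes) -> str:
    """The last six bytes of a version-1 GUID are the generating host's MAC address."""
    return ":".join("%02x" % b for b in raw[10:16])


def matches_stdlib(raw: bytes) -> bool:
    """Sanity check: the hand-rolled decoder must agree with uuid.UUID(bytes_le=...)."""
    return decode_guid(raw) == "{%s}" % uuid.UUID(bytes_le=raw)


def analyse(blob: bytes):
    """For every ASCII run found, decode the 16 bytes starting at that run as a GUID."""
    results = []
    for offset, text in find_ascii_runs(blob):
        chunk = blob[offset:offset + 16]
        if len(chunk) == 16:
            results.append((offset, text, decode_guid(chunk), guid_version(chunk), guid_node(chunk)))
    return results


if __name__ == "__main__":
    for offset, text, guid, version, node in analyse(SAMPLE_BLOB):
        print(f"+0x{offset:x} {text!r}: {guid}  version={version}  node={node}")
```

Run against the sample, the scanner reports the run starting at 'Jess' (the following 0x2A byte is a printable '*', so `strings` would show it too), and the decoder prints the 16 bytes as a version-1 GUID with an 08:00:2b node. The same two functions work on any dumped section: feed them the raw bytes of a .text or .rdata region and look at which ASCII runs sit inside otherwise structured data.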
Some useful commands (Memento)
If one day you want to fill a buffer (here the size is 0x10000) with null bytes and then put a string inside:
Don't forget the "a" between ">" and "<".
kd> $$>a< "FULL_SCRIPT_PATH" BASE_ADDRESS
$$
$$ Matthieu Suiche 08/2007
$$ http://www.msuiche.net
$$
.if (${/d:$arg1}) {
    f ${$arg1} L10000 0
    ea ${$arg1} "I'm a fucking string !!!! test it oon meeeeeeeeeee! haha"
} .else {
    .printf "Usage: BUFFER_ADDRESS";
}
First steps with WinDbg scripting… (Memento)
Here is a sample WinDbg script for people who don't want to waste time because they can't find any documentation.
Firstly, to declare a variable you must use the "r" command. Moreover, the name must be one of the pseudo-registers $t[0..n].
Secondly, if you use the flag "/D" after ".printf" you can use pseudo-HTML code (DML) inside.
Thirdly, to read the value at an address you have to use "poi()" with the prefix "@", like: poi(@$t0)
To write a byte or a dword, you should use "eb" or "ed".
And... the most fun part is that you can create links like the following:
.printf /D "<link cmd=\"COMMAND_TO_EXECUTE\">DISPLAY_TEXT</link>\n";
To execute a script, use:
kd> $$>< "FULL_SCRIPT_PATH"
References:
http://blogs.msdn.com/debuggingtoolbox/archive/tags/Windbg+Scripts/default.aspx
http://www.dumpanalysis.org/blog/index.php/category/windbg-scripts/
$$
$$ A sample of Windbg script: "KdDebuggerEnabled Control"
$$ Matthieu Suiche 08/2007
$$ http://www.msuiche.net
$$
r $t0 = nt!KdDebuggerEnabled;
.if (poi(@$t0) == 1) {
    .printf "\nThe debugger is enabled...\n";
    $$
    $$ We display the KdDebuggerEnabled byte.
    $$
    .printf /D " nt!KdDebuggerEnabled <b>";
    db nt!KdDebuggerEnabled nt!KdDebuggerEnabled
    .printf /D "</b>\n";
    $$
    $$ We print a link command!
    $$
    .printf /D "<link cmd=\"eb @$t0 0x00\">Hermione! Show me how your HIDDEN talents are wonderful!</link>\n";
} .else {
    .printf /D "\nThe debugger is hidden. \n";
    $$
    $$ We display the KdDebuggerEnabled byte.
    $$
    .printf /D " nt!KdDebuggerEnabled <b>";
    db nt!KdDebuggerEnabled nt!KdDebuggerEnabled
    .printf /D "</b>\n";
    $$
    $$ We print a link command!
    $$
    .printf /D "<link cmd=\"eb @$t0 0x01\">Oh Hermione please reset the debug flag!</link>\n";
}