Category Archives: Reverse Engineering

Undocumented Windows Vista and later registry secrets

In fact, this key category first appeared in Windows XP (code-named Whistler) in early 2001, almost 9 years ago. Its CM_BIG_DATA structure was stripped from the Windows XP public symbols, but not from the Windows Vista and later symbols.

Basically, this “secret” registry cell type was briefly mentioned in the Windows XP Kernel Enhancements changelog as follows:

Windows XP improves the way the registry handles big data. In versions before Windows XP, if an inefficient application constantly increased a value with a small increment, it created a sparse and wasteful registry file. Windows XP solves this problem with a big cell implementation where cells larger than 16K are split into increments of 16K chunks. This reduces fragmentation when the data length of a value is increased within a certain threshold.

If we take a closer look at the CmpGetBootValueData() and CmpGetValueData() functions, which handle big data values, we notice that CMHIVE.Version must be greater than or equal to 4. I guess this is the Whistler registry version.

To be validated as a big data pointer, the CM_KEY_VALUE cell must satisfy the following condition:
– CM_KEY_VALUE.DataLength must be greater than 0x3fd8 and smaller than 0x80000000

Then the CM_BIG_DATA cell (the head of the chunk chain) is retrieved using CM_KEY_VALUE.Data as a cell index.

To be validated as a big data cell, the CM_BIG_DATA cell must satisfy the following conditions:
– CM_BIG_DATA.Signature must be equal to 0x6264 (“bd”)
– CM_BIG_DATA.Count must be greater than 0
– CM_BIG_DATA.List must be different from 0

Using this information, Windows performs a sanity check to avoid a buffer overflow, validating CM_KEY_VALUE.DataLength against the chunk count as follows:
ASSERT(CM_KEY_VALUE.DataLength <= (CM_BIG_DATA.Count * 0x3fd8))

Then CM_BIG_DATA.List is walked CM_BIG_DATA.Count times: each entry is read as a cell index, and at most 0x3fd8 bytes are copied from that cell into the output buffer.

This means the data chunks are not exactly 16K (0x4000) bytes but 0x3fd8 bytes. The 0x28-byte difference is in fact the cell header.

If you want to read further about the Windows registry format, I suggest the documents by Tim Morgan and Peter Norris and moyix's blog.

Low Priority I/O Count Information – SystemLowPriorityInformation

Building on the Windows Vista I/O priority manager, Windows 7 provides a new class to retrieve information/statistics about low-priority I/O counts.

Function: NtQuerySystemInformation
Class: SystemLowPriorityInformation
Privilege: None
Output size: 0x24 bytes

The output structure is as follows.

typedef struct _LOW_PRIORITY_INFORMATION
{
    ULONG IoLowPriorityReadOperationCount;
    ULONG IoLowPriorityWriteOperationCount;
    ULONG IoKernelIssuedIoBoostedCount;
    ULONG IoPagingReadLowPriorityCount;
    ULONG IoPagingReadLowPriorityBumpedCount;
    ULONG IoPagingWriteLowPriorityCount;
    ULONG IoPagingWriteLowPriorityBumpedCount;
    ULONG IoBoostedThreadedIrpCount;
    ULONG IoBoostedPagingIrpCount;
    ULONG IoBlanketBoostCount; // Added in RC1 (build 7100)
} LOW_PRIORITY_INFORMATION, *PLOW_PRIORITY_INFORMATION;


Source + Executable are available here.

Edit: LOW_PRIORITY_INFORMATION structure updated in build 7100.

Demystifying new Windows 7 System Information Classes

This post is the first of a series of articles/blog posts about the new System Information Classes in Windows 7 (32-bit at the moment) used by both NtQuerySystemInformation and the extended version of this API, NtQuerySystemInformationEx, introduced in Windows 7 and Windows Server 2008 R2.

First of all, here are the prototypes of these functions.

NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                             PULONG QueryType,
                                             ULONG Alignment,
                                             PVOID SystemInformation,
                                             ULONG SystemInformationLength,
                                             PULONG ReturnLength);

NTSTATUS (WINAPI *NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                           PVOID SystemInformation,
                                           ULONG SystemInformationLength,
                                           PULONG ReturnLength);

As you can see, there are two additional arguments in NtQuerySystemInformationEx: QueryType and Alignment.

And here are the new (and undocumented) system information classes added to Windows 7 that will be discussed in the next blog posts.

typedef enum _SYSTEM_INFORMATION_CLASS
{
    // NtQueryEx
    SystemLogicalProcessorAndGroupInformation = 107,
    SystemLogicalGroupInformation = 108,

    SystemStoreInformation = 109,
    SystemVhdBootInformation = 112,
    SystemCpuQuotaInformation = 113,

    // Removed in build 7100
    SystemHardwareCountersInformation = 115, // uses KeQueryHardwareCounterConfiguration() instead

    SystemLowPriorityInformation = 116,
    SystemTpmBootEntropyInformation = 117,
    SystemVerifierInformation = 118,

    // NtQueryEx
    SystemNumaNodesInformation = 121,
    //
    // Added in build 7100
    //
    SystemHalInformation = 122, // 8 bytes size
    SystemCommittedMemoryInformation = 123,
    MaxSystemInfoClass = 124
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

PS. For interested people, the first issue of the Debugged! MZ/PE magazine is available on Amazon.


Edit: SYSTEM_INFORMATION_CLASS structure updated in build 7100.

A few words about the Microsoft interoperability initiative.

As you probably know, Microsoft released last month several thousand pages of documentation about Office file formats and Windows protocols.

That means hundreds (thousands?) of functions/algorithms documented with pseudo-code. But is this pseudo-code right? It seems not.

While I was reading [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol Specification, I was curious to look at the DecompressWin2k3() function (thanks Aaron, Stefan and Brendan).

This function is in fact the decompression algorithm called Xpress, first implemented in Windows XP and not Windows 2003 as its name suggests. The Xpress algorithm works on 64 KB chunks and is used in the Windows hibernation file format, the Windows Imaging Format (WIM), Outlook, Exchange, and… the LDAP replication service of Active Directory.

I am quoting below the errors I found in the pseudo-code of DecompressWin2k3(). Here is the C implementation.

while (outputIndex < = outputSize) 
should be:
while (outputIndex < outputSize) 
    if (indicatorBit = 0) then 
        indicatorBit := copy inputBuffer[inputIndex] as 32-bit integer in 
        little-endian format 
        should be:
        indicator := copy inputBuffer[inputIndex] as 32-bit integer in 
        little-endian format 
        inputIndex := inputIndex + 4 
        indicatorBit := 32 
    endif 

    indicatorBit := indicatorBit - 1 

//* check whether the bit specified by indicatorBit is set or not 
//* set in indicator. For example, if indicatorBit has value 4 
//* check whether the 4th bit of the value in indicator is set  

    if indicatorBit bit in indicator is not set then 
        inputBuffer[inputIndex] := outputBuffer[outputIndex]
        should be:
        outputBuffer[outputIndex] := inputBuffer[inputIndex] 
        inputIndex := inputIndex + 1 
        outputIndex := outputIndex + 1 
    else 
        length := copy inputBuffer[inputIndex] as 16-bit integer in 
        little-endian format 
        inputIndex := inputIndex + 2 
        offset := length /8 
        length := length mod 8 

        if (length = 7) then 

            if (nibbleIndex = 0) then 
                nibbleIndex := inputIndex 
                length := inputBuffer[inputIndex] mod 16 
                inputIndex := inputIndex + 1 
            else 
                length := inputBuffer[inputIndex] / 16 
                should be:
                length := inputBuffer[nibbleIndex ] / 16 
                nibbleIndex := 0 
            endif 

            if (length = 15) then 

                length := inputBuffer[inputIndex] 
                inputIndex := inputIndex + 1 

                    if (length = 255) then 
                        length := copy inputBuffer[inputIndex] as 16-bit integer in little-endian format 
                        inputIndex := inputIndex + 2 
                        length := length - (15 + 7) 
                    endif 
                length := length + 15 
            endif 

            length := length + 7 

        endif 

    length := length + 3 

        while (not length = 0) 
        should be:
        while (length != 0) 
            outputBuffer[outputIndex] := outputBuffer[outputIndex - offset - 1] 
            outputIndex := outputIndex + 1 
            length := length - 1 
        endwhile 
    endif 

endwhile 

return 
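As an added example (my own code, not the C implementation linked above), here is the corrected pseudo-code carried through as a working Python decoder. It applies all five corrections listed above, and adds bounds checks on the match offset and on the output size that the pseudo-code does not have; the two sample streams are constructed by hand and are not from the specification.

```python
import struct

def xpress_decompress(inp, output_size):
    """Plain LZ77 + Xpress decoder following the DecompressWin2k3() pseudo-code
    with the five corrections listed above. Bounds checks are added here."""
    out = bytearray()
    in_idx = 0
    indicator = indicator_bit = nibble_idx = 0
    while len(out) < output_size:                          # fix: strict comparison
        if indicator_bit == 0:
            indicator, = struct.unpack_from("<I", inp, in_idx)   # fix: load into indicator
            in_idx += 4
            indicator_bit = 32
        indicator_bit -= 1
        if not (indicator >> indicator_bit) & 1:
            out.append(inp[in_idx])                        # fix: literal copies input -> output
            in_idx += 1
            continue
        length, = struct.unpack_from("<H", inp, in_idx)    # match token: offset:13 | length:3
        in_idx += 2
        offset = length >> 3
        length &= 7
        if length == 7:                                    # length extension, one nibble at a time
            if nibble_idx == 0:
                nibble_idx = in_idx
                length = inp[in_idx] & 0x0F
                in_idx += 1
            else:
                length = inp[nibble_idx] >> 4              # fix: high nibble of the saved byte
                nibble_idx = 0
            if length == 15:
                length = inp[in_idx]
                in_idx += 1
                if length == 255:
                    length, = struct.unpack_from("<H", inp, in_idx)
                    in_idx += 2
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset >= len(out) or len(out) + length > output_size:   # added check
            raise ValueError("match at output offset %d is out of bounds" % len(out))
        for _ in range(length):                            # fix: run while length != 0; byte-wise so overlaps work
            out.append(out[len(out) - offset - 1])
    return bytes(out)

# Constructed streams (not from the spec): 3 literals + one match, and a match using the nibble extension.
SAMPLE_ABC = bytes.fromhex("00000010" "616263" "1600")     # -> b"abcabcabcabc" (12 bytes)
SAMPLE_RUN = bytes.fromhex("00000040" "61" "0700" "09")    # -> b"a" * 20
```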

SandMan 1.0.080226 is out!


Since Windows 2000, Microsoft has provided a feature called hibernation, also known as suspend to disk, which saves the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the operating system, to be restored the next time the computer is powered on. Live forensic analysis uses a physical memory dump to recover information from the target machine. One of the main problems is obtaining a readable physical memory dump, and hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages: system activity is totally frozen, so coherent data is acquired and no software tool is able to block the analysis, and the system is left perfectly functional afterwards, with no side effects.

The hibernation file opens two valuable doors. The first is (live?) forensic analysis for defensive computing: hibernation is an efficient and easy way to get a physical memory dump, but the main issue was how to read hiberfil.sys. That is how the idea of SandMan was born. The second is a new (or not) concept we will introduce called “offensics”, a portmanteau of “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: yes, with SandMan you can.


SandMan was first introduced at PacSec, Japan in November 2007; the slides are available in the SandMan section.

* SandMan provides a C library and a Python port.

Here is a sample implementation in Python.

#!/usr/bin/python
#
#
#Module Name:
#
#    sample1.py
#
#Abstract:
#
#    – Display target version.
#    – Build a physical memory dump from a hibernation file.
#
#Environment:
#
#    – Python
#
#Revision History:
#
#    – Matthieu Suiche
#
"Matthieu Suiche – http://sandman.msuiche.net/"
"Usage: sample.py hiberfil.sys physical_dump.vmem"
"Windows version %d.%d.%d\n"
"Generate physical memory dump…"
"Done."


* Furthermore, SandMan is open source and released under the GNU General Public License v3; further information is available on the Google Code SVN at the following link:
http://code.google.com/p/sandmanlib/.

* Currently, SandMan supports the 32-bit version of the hibernation file from Windows XP to Windows Server 2008.

To download SandMan, go to the section dedicated to SandMan here:
http://sandman.msuiche.net/.