Matthieu Suiche's blog » Reverse Engineering

Undocumented Windows Vista and later registry secrets

Matthieu Suiche — Sun, 07 Jun 2009 18:28:58 +0000

In fact, this new key category appearred for the first time in Windows XP, formely called Whistler, in early 2001. Yes, almost 9 years ago. But its structure CM_BIG_DATA had been removed from Microsoft Windows XP public symbols but not from Windows Vista and later symbols.

Basicaly, this “secret” registry key had been briefly introduced in Windows XP Kernel Enhancements changelog as the following:

Windows XP improves the way the registry handles big data. In versions before Windows XP, if an inefficient application constantly increased a value with a small increment, it created a sparse and wasteful registry file. Windows XP solves this problem with a big cell implementation where cells larger than 16K are split into increments of 16K chunks. This reduces fragmentation when the data length of a value is increased within a certain threshold.

If we take a closer look to CmpGetBootValueData() or CmpGetValueData() functions which handles big data keys we can notice CMHIVE.Version must greater or equal to 4. I guess, this is the Whistler registry version.

To be validated as big data key pointer, CM_KEY_VALUE cell must respect the following conditions:
- CM_KEY_VALUE.DataLength must be greater than 0×3fd8 and smaller than 0×80000000

Then CM_BIG_DATA key first chunk is retrieved using CM_KEY_VALUE.Data as cell offset.

To be validated as big data key, the CM_BIG_DATA cell must respect the following conditions:
- CM_BIG_DATA.Signature must be equal to 0×6264 (”bd”)
- CM_BIG_DATA.Count must be greater than 0
- CM_BIG_DATA.List must be different from 0

According to these information Windows do assinity check to avoid buffer overflow and re-compute CM_KEY_VALUE.DataLength for assinity check like the following:
ASSERT(CM_KEY_VALUE.DataLength < = (CM_BIG_DATA.Count * 0x3fd8))

Then, each CM_BIG_DATA.List entry are read CM_BIG_DATA.Count times as cell index, and 0×3fd8 bytes maximum are copied each time into the output buffer.

It means data chunk are not exactly 16K bytes (0×4000) but 0×3fd8. The difference of 0×28 bytes is in fact the cell header.

If you want to read further information about Windows Registry format, I suggest you to refer to Tim Morgan, Peter Norris documents and moyix blog.

Low Priority I/O Count Information – SystemLowPriorityInformation

Matthieu Suiche — Wed, 01 Apr 2009 21:24:13 +0000

Based on Windows Vista I/O priorities manager, Windows 7 provides a new class to retrieve information/statistics about about Low I/O priority counts.

Function: NtQuerySystemInformation
Class: SystemLowPriorityInformation
Privilege: None
Output size: 0×24 bytes

The output structure is the following.

typedef struct _LOW_PRIORITY_INFORMATION
{
ULONG IoLowPriorityReadOperationCount;
ULONG IoLowPriorityWriteOperationCount;
ULONG IoKernelIssuedIoBoostedCount;
ULONG IoPagingReadLowPriorityCount;
ULONG IoPagingReadLowPriorityBumpedCount;
ULONG IoPagingWriteLowPriorityCount;
ULONG IoPagingWriteLowPriorityBumpedCount;
ULONG IoBoostedThreadedIrpCount;
ULONG IoBoostedPagingIrpCount;
ULONG IoBlanketBoostCount; // Added in RC1 (build 7100)
} LOW_PRIORITY_INFORMATION, *PLOW_PRIORITY_INFORMATION;

Source + Executable are available here.

Edit: LOW_PRIORITY_INFORMATION structure updated in build 7100.

Demystifying new Windows 7 System Information Classes

Matthieu Suiche — Tue, 31 Mar 2009 21:09:32 +0000

This post is the first of a serie of articles/blogposts about new System Information Class under Windows 7 (32bits ATM) used by both NtQuerySystemInformation and extended version of this API called NtQuerySystemInformationEx introduced in Windows 7 and Windows 2008 R2.

First of all, here is the prototype of these functions.

NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PULONG QueryType,
ULONG Alignment,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

NTSTATUS (WINAPI *NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

As you can see there is two further arguments in NtQuerySystemInformationEx: QueryType and Alignment.

And here are new (and undocumented) system information classes added to Windows 7 that will be discussed in next blogposts.

typedef enum _SYSTEM_INFORMATION_CLASS
{
// NtQueryEx
SystemLogicalProcessorAndGroupInformation = 107,
SystemLogicalGroupInformation = 108,

SystemStoreInformation = 109,
SystemVhdBootInformation = 112,
SystemCpuQuotaInformation = 113,

// Removed in build 7100
SystemHardwareCountersInformation = 115, // uses KeQueryHardwareCounterConfiguration() instead

SystemLowPriorityInformation = 116,
SystemTpmBootEntropyInformation = 117,
SystemVerifierInformation = 118,

// NtQueryEx
SystemNumaNodesInformation = 121,
//
// Added in build 7100
//
SystemHalInformation = 122, // 8 bytes size
SystemCommittedMemoryInformation = 123,
MaxSystemInfoClass = 124
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

PS. For interested people the first issue of the Debugged! MZ/PE: MagaZine is available on Amazon.

Twitt This!

Edit: SYSTEM_INFORMATION_CLASS structure updated in build 7100.

Few words about Microsoft interoperability initiative.

Matthieu Suiche — Sun, 06 Apr 2008 21:23:05 +0000

As you probably know, Microsoft released last month several thousands pages of documentation about office file format and Windows protocols.

It means numerous hundreds(thousands?) of functions/algorithms documentation and pseudo-code. But, are these pseudo-function right? It looks not.

While I was reading [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol Specification, I was a bit curious to see the DecompressWin2k3() function (Thanks Aaron, Stefan , and Brendan).

This function is in fact the decompression algorithm called Xpress implemented for the first time in Windows XP and not Windows 2003 as say the name. Xpress algorithm works on 64kb chunks and is used in Windows hibernation file format, Windows Imaging Format (WIM) , Outlook, Exchange, and… LDAP replication service of Active Directory.

I’m quoting below, errors I found in the pseudo-code of DecompressWin2k3(). Here is the C implementation.

while (outputIndex < = outputSize) 
should be:
while (outputIndex < outputSize) 
    if (indicatorBit = 0) then
        indicatorBit := copy inputBuffer[inputIndex] as 32-bit integer in
        little-endian format 
        should be:
        indicator := copy inputBuffer[inputIndex] as 32-bit integer in
        little-endian format 
        inputIndex := inputIndex + 4
        indicatorBit := 32
    endif 

    indicatorBit := indicatorBit - 1 

//* check whether the bit specified by indicatorBit is set or not
//* set in indicator. For example, if indicatorBit has value 4
//* check whether the 4th bit of the value in indicator is set  

    if indicatorBit bit in indicator is not set then
        inputBuffer[inputIndex] := outputBuffer[outputIndex]
        should be:
        outputBuffer[outputIndex] := inputBuffer[inputIndex] 
        inputIndex := inputIndex + 1
        outputIndex := outputIndex + 1
    else
        length := copy inputBuffer[inputIndex] as 16-bit integer in
        little-endian format
        inputIndex := inputIndex + 2
        offset := length /8
        length := length mod 8 

        if (length = 7) then 

            if (nibbleIndex = 0) then
                nibbleIndex := inputIndex
                length := inputBuffer[inputIndex] mod 16
                inputIndex := inputIndex + 1
            else
                length := inputBuffer[inputIndex] / 16 
                should be:
                length := inputBuffer[nibbleIndex ] / 16 
                nibbleIndex := 0
            endif 

            if (length = 15) then 

                length := inputBuffer[inputIndex]
                inputIndex := inputIndex + 1 

                    if (length = 255) then
                        length := copy inputBuffer[inputIndex] as 16-bit integer in little-endian format
                        inputIndex := inputIndex + 2
                        length := length - (15 + 7)
                    endif
                length := length + 15
            endif 

            length := length + 7 

        endif 

    length := length + 3 

        while (not length = 0) 
        should be:
        while (length != 0) 
            outputBuffer[outputIndex] := outputBuffer[outputIndex - offset - 1]
            outputIndex := outputIndex + 1
            length := length - 1
        endwhile
    endif 

endwhile 

return

SandMan 1.0.080226 is out!

Matthieu Suiche — Tue, 26 Feb 2008 19:31:18 +0000

Since Windows 2000, Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine. One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors: The first one is (live?) forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? That’s how the idea of SandMan born. The second one is a new (ou pas) concept we will be introduced and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

SandMan was firstly introduced at PacSec, Japan in November 2007, slides are available in the SandMan section.

* SandMan provides a C Library and a Python portage.

Here is a sample of implementation in Python.

#!/usr/bin/python
#
#
#Module Name:
#
# sample1.py
#
#Abstract:
#
# - Display target version.
# - Build a physical memory dump from a hibernation file.
#
#Environment:
#
# - Python
#
#Revision History:
#
# - Matthieu Suiche
#
import sys
import sandman
if len(sys.argv) != 3:
print "Matthieu Suiche – http://sandman.msuiche.net/"
print "Usage: sample.py hiberfil.sys physical_dump.vmem"
sys.exit(1)
s = sandman.hiber_open(sys.argv[1])
ver = sandman.hiber_get_version(s);
print "Windows version %d.%d.%d\n" % (ver & 0xFF, (ver & 0xFF00) >> 8, ver >> 16)
print "Generate physical memory dump…"
sandman.hiber_dump(s, sys.argv[2])
print "Done."
sandman.hiber_close(s)

* Furthermore, SandMan is open-source and released under GNU General Public License v3, you can have further information on the Google SVN at the following link:
http://code.google.com/p/sandmanlib/.

* Actually, SandMan supports 32bits version of the hibernation file from Windows XP to Windows 2008 Server

To download SandMan, go to the section dedicaced to SandMan here:
http://sandman.msuiche.net/.

Enter sandman… :)

Matthieu Suiche — Mon, 22 Oct 2007 19:08:04 +0000

Everyone knows that Dumbledore is homosexual but there is a most important thing you have to know!

The PacSec Agenda had been released! http://www.securityfocus.com/archive/1/482602/30/0/threaded
Speaker list:
http://www.pacsec.jp/speakers.html

Talk selections for PacSec 2007 - November 29 and 30 - Aoyama Diamond Hall


-------

- Programmed I/O accesses: a threat to virtual machine monitors? -

 Loic Duflot,
- Developing Fuzzers with Peach -

Michael Eddington, Leviathan Security
- Cyber Attacks Against Japan -

 Hiroshi Kawaguchi, LAC
- Windows Localization: Owning Asian Windows Versions -

 Kostya Kortchinsky, Immunity
- TOMOYO Linux -

Toshiharu Harada, NTT Data 
- IPV6 Demystified -

Jun-ichiro itojun Hagino , IPv6Samurais
- Automated JavaScript Deobfuscation -

Alex Rice, Websense Security Labs
- Enter Sandman (why you should never go to sleep) -

 Nicolas Ruff & Matthieu Suiche, EADS
- Agent-oriented SQL Abuse -

 Fernando Russ & Diego Tiscornia, Core
- Bad Ideas: Using a JVM/CLR for Intellectual Property Protection

 Marc Schoenefeld, University of Bamberg
- Heap exploits are dead. Heap exploits remain dead. And we have killed them.

Nicolas Waisman, Immunity
- Deploying and operating a Global Distributed Honeynet

David Watson, Honeynet Project
- Office 0days and the people who love them

TBA, Microsoft

.

(I would also like to thank Colin Delaney and Stephen Ridley as standby

presenters)

------

The topic is talking about forensic/hiberation under Windows. More information will be available in November…

Interrupt Debug Service (0×2D), Boot loader, Vista 64bits (On the fly)

Matthieu Suiche — Sat, 10 Mar 2007 17:32:24 +0000

 DebugPrint      proc near
                 mov     r9d, r8d
                 mov     r8d, edx
                 mov     dx, [rcx]
                 mov     rcx, [rcx+8]
                 mov     eax, 1
                 int     2Dh             ; Internal routine for MSDOS (IRET)
                 int     3               ; Trap to Debugger
                 retn
 DebugPrint      endp

 DebugPrompt     proc near
                 mov     r9w, [rdx+2]
                 mov     r8, [rdx+8]
                 mov     dx, [rcx]
                 mov     rcx, [rcx+8]
                 mov     eax, 2
                 int     2Dh             ; Internal routine for MSDOS (IRET)
                 int     3               ; Trap to Debugger
                 retn
 DebugPrompt     endp

 DebugService2   proc near
                 mov     eax, r8d
                 int     2Dh             ; Internal routine for MSDOS (IRET)
                 int     3               ; Trap to Debugger
                 retn
 DebugService2   endp

 BlBdStart+11C:
                 lea     rdx, [rsp+78h+var_28]
                 lea     rcx, [rsp+78h+var_58]
                 mov     r8d, 3
                 call    DebugService2

BlBdStop        proc near
                 lea     rdx, [rax-28h]
                 mov     r8d, 4
                 xor     ecx, ecx
		[...]
                 call    DebugService2

typedef enum _STATUS_DEBUG_SERVICE {
STATUS_PRINT = 1,
STATUS_PROMPT = 2,
STATUS_START = 3,
STATUS_STOP = 4
} STATUS_DEBUG_SERVICE;

Interrupts, Boot Loader, Vista 64bits (On the fly)

Matthieu Suiche — Sat, 10 Mar 2007 16:21:49 +0000

I’ve to do something to save me from idling while a software is rescuing my HDD.

That’s why I’m gonna write short post about the boot loader and the interrupts initialization.
By the way, I add a new category called “On the fly” for post like that which are more or less RCE Memento (interessting or not ::)).
If I had to explain it I’d answer “no blabla just code. don’t read but analyse.”

This article covers where the interrupts 0×1, 0×3, 0×6, 0xD, 0xE, 0×2C, 0×2D are initialized inside the bootloader.

For reminding, I’ve rewritten some things :


//
// 63                             32            16               0
// +------------------------------+------------------------------+
// +           OffsetLow          +   HighLow    +   HighHigh    +
// +------------------------------+------------------------------+
//

typedef struct _KIDT_ENTRY {     // (sizeof=0x10)
	unsigned short wOffsetHighHigh;  // +0x00
	unsigned short Reserved02;       // +0x02
	unsigned short Reserved04;       // +0x04
	unsigned short wOffsetHighLow;   // +0x06
	unsigned long dwOffsetLow;       // +0x08
	unsigned long Reserved0C;        // +0x0C
} KIDT_ENTRY;

typedef enum _INTERRUPT_ID{
    NONE=-1,
   DIVIDE_ERROR=0,			// 0x00
   SINGLE_STEP,				// 0x01
   NMI_INTERRUPT,				// 0x02
   BREAKPOINT,				// 0x03
   OVERFLOW,				// 0x04
   BOUND,					// 0x05
   INVALID_OPCODE,			// 0x6
   NPX_NOT_AVAILABLE,			// 0x07
   DOUBLE_FAULT,				// 0x08
   NPX_SEGMENT_OVERRUN,			// 0x09
   INVALID_TSS,				// 0x0A
   SEGMENT_NOT_PRESENT,			// 0x0B
   STACK,					// 0x0C
   GENERAL_PROTECTION,			// 0x0D
   PAGE,					// 0x0E
   RESERVED,				// 0x0F
   FLOATING_ERROR,			// 0x10
   ALIGNMENT,				// 0x11
   MACHINE_CHECK,				// 0x12
   XMM_EXCEPTION,				// 0x13
   //
   // Other Critical Interrupts
   //
   APC=0x1F,				// 0x1F
   RAISE_ASSERTION=0x2C,		// 0x2C
   DEBUG_SERVICE=0x2D,			// 0x2D
   DPC=0x2F,				// 0x2F
   IPI=0xE1					// 0xE1
} INTERRUPT_ID;

Firstly, we have to know these to function inside the “.text” section.

Function : ArchGetIdtRegister
XREF: BdInstallTrapVectors, BlpArchInitialize


ArchGetIdtRegister proc near
                 sidt    qword ptr [rcx]
                 retn
ArchGetIdtRegister endp

Function : ArchSetIdtRegister
XREF: BdInstallTrapVectors, BlpArchInitialize


ArchSetIdtRegister proc near
                 lidt    qword ptr [rcx]
                 retn
ArchGetIdtRegister endp

Let’s look at the XREF’s functions.

BdInstallTrapVectors


BdInstallTrapVectors proc near          ; CODE XREF: BlBdInitialize+20D

 var_18          = qword ptr -18h

                 sub     rsp, 38h
                 lea     rcx, [rsp+38h+var_18]
                 call    ArchGetIdtRegister
                 mov     r11, [rsp+38h+var_18+2]
                 mov     r9w, 10h
                 mov     [r11+12h], r9w
                 mov     r8w, 8E00h
                 lea     rax, BdTrap01
                 mov     [r11+10h], ax   ; 0x10/(16 = sizeof(_KIDT_ENTRY)) = 0x1
                 mov     [r11+14h], r8w
                 mov     rcx, rax
                 shr     rcx, 10h
                 shr     rax, 20h
                 mov     [r11+16h], cx
                 mov     [r11+18h], eax
                 mov     rdx, [rsp+38h+var_18+2]
                 mov     [rdx+32h], r9w
                 mov     [rdx+34h], r8w
                 lea     rax, BdTrap03
                 mov     [rdx+30h], ax   ; 0x30/(16 = sizeof(_KIDT_ENTRY)) = 0x3
                 mov     rcx, rax
                 shr     rax, 20h
                 mov     [rdx+38h], eax
                 shr     rcx, 10h
                 lea     rax, BdTrap0d
                 mov     [rdx+36h], cx
                 mov     rdx, [rsp+38h+var_18+2]
                 mov     rcx, rax
                 mov     [rdx+0D0h], ax  ; 0x0D/(16 = sizeof(_KIDT_ENTRY)) = 0x0D
                 mov     [rdx+0D2h], r9w
                 mov     [rdx+0D4h], r8w
                 shr     rcx, 10h
                 shr     rax, 20h
                 mov     [rdx+0D6h], cx
                 mov     [rdx+0D8h], eax
                 mov     rdx, [rsp+38h+var_18+2]
                 mov     [rdx+0E2h], r9w
                 mov     [rdx+0E4h], r8w
                 lea     rax, BdTrap0e
                 mov     [rdx+0E0h], ax  ; 0xE0/(16 = sizeof(_KIDT_ENTRY)) = 0x0E
                 mov     rcx, rax
                 shr     rax, 20h
                 mov     [rdx+0E8h], eax
                 shr     rcx, 10h
                 lea     rax, BdTrap2c
                 mov     [rdx+0E6h], cx
                 mov     rdx, [rsp+38h+var_18+2]
                 mov     rcx, rax
                 mov     [rdx+2C0h], ax  ; 0x2C0/(16 = sizeof(_KIDT_ENTRY)) = 0x2C
                 mov     [rdx+2C2h], r9w
                 mov     [rdx+2C4h], r8w
                 shr     rcx, 10h
                 shr     rax, 20h
                 mov     [rdx+2C6h], cx
                 mov     [rdx+2C8h], eax
                 mov     rdx, [rsp+38h+var_18+2]
                 lea     rax, BdTrap2d
                 mov     [rdx+2D2h], r9w
                 mov     [rdx+2D4h], r8w
                 mov     rcx, rax
                 mov     [rdx+2D0h], ax  ; 0x2D0/(16 = sizeof(_KIDT_ENTRY)) = 0x2D
                 shr     rax, 20h
                 shr     rcx, 10h
                 mov     [rdx+2D8h], eax
                 mov     [rdx+2D6h], cx
                 lea     rcx, [rsp+38h+var_18]
                 call    ArchSetIdtRegister
                 add     rsp, 38h
                 retn
BdInstallTrapVectors endp

InitializeLibrary


BlpArchInitialize proc near             ; CODE XREF: InitializeLibrary+12A

 IdtEntry        = qword ptr -18h

                 sub     rsp, 38h

                 cmp     ecx, 1
                 jnz     _exit

                 lea     rcx, [rsp+38h+IdtEntry]
                 call    ArchGetIdtRegister
                 mov     r11, [rsp+38h+IdtEntry+2]
                 lea     rax, ArchTrapNoProcess
                 mov     [r11+30h], ax   ; 0x30/(16 = sizeof(_KIDT_ENTRY)) = 0x3
                 mov     word ptr [r11+32h], 10h
                 mov     word ptr [r11+34h], 8E00h
                 mov     r8, rax
                 mov     rdx, rax
                 shr     r8, 10h
                 shr     rdx, 20h
                 mov     [r11+36h], r8w
                 mov     [r11+38h], edx
                 mov     rcx, [rsp+38h+IdtEntry+2]
                 mov     [rcx+2C0h], ax  ; 0x2C0/(16 = sizeof(_KIDT_ENTRY)) = 0x2C
                 mov     [rcx+2C6h], r8w
                 mov     [rcx+2C8h], edx
                 mov     word ptr [rcx+2C2h], 10h
                 mov     word ptr [rcx+2C4h], 8E00h
                 mov     rcx, [rsp+38h+IdtEntry+2]
                 mov     [rcx+2D0h], ax  ; 0x2D0/(16 = sizeof(_KIDT_ENTRY)) = 0x2D
                 mov     [rcx+2D6h], r8w
                 mov     [rcx+2D8h], edx
                 mov     word ptr [rcx+2D2h], 10h
                 mov     word ptr [rcx+2D4h], 8E00h
                 lea     rcx, [rsp+38h+IdtEntry]
                 call    ArchSetIdtRegister

 _exit:
                 xor     eax, eax
                 add     rsp, 38h
                 retn

BlpArchInitialize endp

Windows Vista and unexported kernel symbols (Part II, 32bits version)

Matthieu Suiche — Wed, 31 Jan 2007 21:31:22 +0000

This paper exposes part II of my previous article about Windows Vista and internals structures. This one is talking about the 32bits version and aims to show new authencity tricks.

Download it from the following link:
Windows_Vista_32bits_and_unexported_kernel_symbols.pdf

Cheers,

Windows Vista 64-bits and unexported kernel symbols.

Matthieu Suiche — Mon, 01 Jan 2007 00:00:00 +0000

Hi,

I’m gonna published my (the?) first paper of the year 2007 !! :)

This article is talking about Windows Vista 64bits and its system structures which are proteged against rootkit. I also explain how these structures can be authentified without Pathguard.

Windows Vista 64bits and unexported kernel symbols.pdf

Happy New Year !!!