Matthieu Suiche's blog » SandMan

Demystifying new Windows 7 System Information Classes

Matthieu Suiche — Tue, 31 Mar 2009 21:09:32 +0000

This post is the first of a serie of articles/blogposts about new System Information Class under Windows 7 (32bits ATM) used by both NtQuerySystemInformation and extended version of this API called NtQuerySystemInformationEx introduced in Windows 7 and Windows 2008 R2.

First of all, here is the prototype of these functions.

NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PULONG QueryType,
ULONG Alignment,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

NTSTATUS (WINAPI *NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

As you can see there is two further arguments in NtQuerySystemInformationEx: QueryType and Alignment.

And here are new (and undocumented) system information classes added to Windows 7 that will be discussed in next blogposts.

typedef enum _SYSTEM_INFORMATION_CLASS
{
// NtQueryEx
SystemLogicalProcessorAndGroupInformation = 107,
SystemLogicalGroupInformation = 108,

SystemStoreInformation = 109,
SystemVhdBootInformation = 112,
SystemCpuQuotaInformation = 113,

// Removed in build 7100
SystemHardwareCountersInformation = 115, // uses KeQueryHardwareCounterConfiguration() instead

SystemLowPriorityInformation = 116,
SystemTpmBootEntropyInformation = 117,
SystemVerifierInformation = 118,

// NtQueryEx
SystemNumaNodesInformation = 121,
//
// Added in build 7100
//
SystemHalInformation = 122, // 8 bytes size
SystemCommittedMemoryInformation = 123,
MaxSystemInfoClass = 124
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

PS. For interested people the first issue of the Debugged! MZ/PE: MagaZine is available on Amazon.

Twitt This!

Edit: SYSTEM_INFORMATION_CLASS structure updated in build 7100.

Your hibernation file in a nutshell – Part II

Matthieu Suiche — Sat, 13 Dec 2008 19:33:49 +0000

>> Part I < <
As I said in MoonSols blog, I decided to release the actual version of hibrshell as a free non-opensource tool. The current version is alpha, this means the project is still in developpement.

You can find hibrshell at the following link: http://www.msuiche.net/hibrshell/

Present:
* The actual version can read the hibernation file from a hibernated or resumed computer — this means hibrshell don’t mind if the first page (header) had been wiped or not.
* Moreover, Windows XP, 2003, Vista and 2008 hibernation file are compliant with hibrshell. Probably Windows Seven too — but I donnot have tested it.
* hibrshell uses Microsoft Debugging Symbols technology this explains why it is able to list process regardless of the target version.
* Only few basis features are actually provided.

Future:
* hibr2dmp command. To convert Microsoft hibernation file to an Microsoft crash dump file. I guess I’d be easier and more powerful to proceed to an advanced analysis with WinDbg than with my little swissknife.
* Support for Microsoft crash dump files, and raw memory snapshot will be added.

X-Files. Episode 2. Squeeze

Matthieu Suiche — Wed, 30 Apr 2008 14:18:41 +0000

As said previously, it’s really easy to find proof of plagiarism when an open-source tool is released and whan this source is reimplemented into a commercial software without compliance. Andreas published a new article called The implementation by Vendor “S”. In this article, he has explained what are the differences between the implementation of XpressDecode in SandMan and the Microsoft OS Loader’s one.

Few words about Microsoft interoperability initiative.

Matthieu Suiche — Sun, 06 Apr 2008 21:23:05 +0000

As you probably know, Microsoft released last month several thousands pages of documentation about office file format and Windows protocols.

It means numerous hundreds(thousands?) of functions/algorithms documentation and pseudo-code. But, are these pseudo-function right? It looks not.

While I was reading [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol Specification, I was a bit curious to see the DecompressWin2k3() function (Thanks Aaron, Stefan , and Brendan).

This function is in fact the decompression algorithm called Xpress implemented for the first time in Windows XP and not Windows 2003 as say the name. Xpress algorithm works on 64kb chunks and is used in Windows hibernation file format, Windows Imaging Format (WIM) , Outlook, Exchange, and… LDAP replication service of Active Directory.

I’m quoting below, errors I found in the pseudo-code of DecompressWin2k3(). Here is the C implementation.

while (outputIndex < = outputSize) 
should be:
while (outputIndex < outputSize) 
    if (indicatorBit = 0) then
        indicatorBit := copy inputBuffer[inputIndex] as 32-bit integer in
        little-endian format 
        should be:
        indicator := copy inputBuffer[inputIndex] as 32-bit integer in
        little-endian format 
        inputIndex := inputIndex + 4
        indicatorBit := 32
    endif 

    indicatorBit := indicatorBit - 1 

//* check whether the bit specified by indicatorBit is set or not
//* set in indicator. For example, if indicatorBit has value 4
//* check whether the 4th bit of the value in indicator is set  

    if indicatorBit bit in indicator is not set then
        inputBuffer[inputIndex] := outputBuffer[outputIndex]
        should be:
        outputBuffer[outputIndex] := inputBuffer[inputIndex] 
        inputIndex := inputIndex + 1
        outputIndex := outputIndex + 1
    else
        length := copy inputBuffer[inputIndex] as 16-bit integer in
        little-endian format
        inputIndex := inputIndex + 2
        offset := length /8
        length := length mod 8 

        if (length = 7) then 

            if (nibbleIndex = 0) then
                nibbleIndex := inputIndex
                length := inputBuffer[inputIndex] mod 16
                inputIndex := inputIndex + 1
            else
                length := inputBuffer[inputIndex] / 16 
                should be:
                length := inputBuffer[nibbleIndex ] / 16 
                nibbleIndex := 0
            endif 

            if (length = 15) then 

                length := inputBuffer[inputIndex]
                inputIndex := inputIndex + 1 

                    if (length = 255) then
                        length := copy inputBuffer[inputIndex] as 16-bit integer in little-endian format
                        inputIndex := inputIndex + 2
                        length := length - (15 + 7)
                    endif
                length := length + 15
            endif 

            length := length + 7 

        endif 

    length := length + 3 

        while (not length = 0) 
        should be:
        while (length != 0) 
            outputBuffer[outputIndex] := outputBuffer[outputIndex - offset - 1]
            outputIndex := outputIndex + 1
            length := length - 1
        endwhile
    endif 

endwhile 

return

New attack released – Windows has been vulnerable for 8 years.

Matthieu Suiche — Tue, 18 Mar 2008 19:15:57 +0000

In November 2007 at PacSec'07, Tokyo, Japan, Nicolas Ruff and I (Matthieu Suiche) presented how to create a readable physical memory dump from the undocumented Microsoft hibernation file.

Last month, I published an open-source public version of this project called SandMan Framework. This framework allows manipulating the hibernation file for offensics (malicious) or forensics uses.

Today, I am going to release a Proof of Concept of the sandman attack using SandMan Framework. This PoC consists in elevating a user CMD shell to SYSTEM level under Windows XP SP3 RC1.

Sandman Framework offers a wide range of possibilities, both offensive and defensive. Like cryptographic keys retrieving in popular encryption software (e.g. TrueCrypt, GPG), privilege
escalation (cf. PoC), login without any password, and so on.

All Windows versions are concerned, from Windows 2000 up to Windows 2008, Windows Vista SP1 included (and possibly Windows Seven).

The following video shows how the system can be subverted in a few minutes. The following points are highlighted:

* Deactivating hibernation feature does not solve the problem.
* The sandman attack affects every Windows version, from Windows 2000 to Windows 2008, 32- and 64-bit alike.
* We can read and write everything everywhere in the physical memory (RAM).
* This attack is feasible in real life on every computer with no hardware requirements.
* The attack has no time limitation. If a computer has been hibernated one
week ago, extracting his physical memory is still possible.

This is far more powerful than other recently demonstrated attacks against physical memory, like Cold Boot and FireWire attacks.

New attack released – Windows has been vulnerable for 8 years.
Generic Privilege Escalation under Windows XP SP3 RC1.

“keep you free from sin, till the sandman he comes”
(Enter SandMan — Metallica)