KRNL SCAN

[JMC31337]

using this

http://downloads.securityfocus.com/vulnerabilities/exploits/48179-poc.c

and this

http://blog.csdn.net/whispermemory/article/details/6754144

We could create a lil KRNL Scanner w/ Dev-C++ .. Getting the Module.ImageName is tricky, and if anyone has any suggestions?

Another thing, dunno if its because of the token adjustment but, this scanner finds a few more sys drivers in the krnl in comparison to a module scanner that uses strictly: ZwQuerySystemInformation( SystemModuleInformation

#include <windows.h> #include <stdio.h>#include <iostream>using namespace std; #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) typedef enum _SYSDBG_COMMAND {    SysDbgQueryModuleInformation,    SysDbgQueryTraceInformation,    SysDbgSetTracepoint,    SysDbgSetSpecialCall,    SysDbgClearSpecialCalls,    SysDbgQuerySpecialCalls,    SysDbgBreakPoint,    SysDbgQueryVersion,    SysDbgReadVirtual,    SysDbgWriteVirtual,    SysDbgReadPhysical,    SysDbgWritePhysical,    SysDbgReadControlSpace,    SysDbgWriteControlSpace,    SysDbgReadIoSpace,    SysDbgWriteIoSpace,    SysDbgReadMsr,    SysDbgWriteMsr,    SysDbgReadBusData,    SysDbgWriteBusData,    SysDbgCheckLowMemory,    SysDbgEnableKernelDebugger,    SysDbgDisableKernelDebugger,    SysDbgGetAutoKdEnable,    SysDbgSetAutoKdEnable,    SysDbgGetPrintBufferSize,    SysDbgSetPrintBufferSize,    SysDbgGetKdUmExceptionEnable,    SysDbgSetKdUmExceptionEnable,    SysDbgGetTriageDump,    SysDbgGetKdBlockEnable,    SysDbgSetKdBlockEnable,} SYSDBG_COMMAND, *PSYSDBG_COMMAND;typedef struct _SYSDBG_VIRTUAL{  PVOID Address;  PVOID Buffer;  ULONG Request;} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;typedef struct _UNICODE_STRING {   USHORT Length;   USHORT MaximumLength;   PVOID Buffer;} UNICODE_STRING, *PUNICODE_STRING; typedef unsigned long NTSTATUS; typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {   UNICODE_STRING ModuleName; } SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE; typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);ZWSETSYSTEMINFORMATION ZwSetSystemInformation;typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );RTLINITUNICODESTRING RtlInitUnicodeString;typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);int EscalatePrivileges ( void );int ReadKernelMemory ( void * , void * , unsigned int );int EscalatePrivileges ( void ){  TOKEN_PRIVILEGES new_token_privileges;  HANDLE token_handle;  int ret;  /* Ask for permission like a debugger  */  new_token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  LookupPrivilegeValueA ( NULL, SE_DEBUG_NAME, &new_token_privileges.Privileges[0].Luid );  /* Open token */  //OpenProcessToken ( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, (void*) &token_handle );  if (NT_SUCCESS(OpenProcessToken(GetCurrentProcess(),  TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle)))  {  cout<<"\nOpenProcessToken FOR AdjustTokenPrivileges PASSED!!\n";  }/* New privilege values */  new_token_privileges.PrivilegeCount = 1;  new_token_privileges.Privileges [ 0 ].Attributes = SE_PRIVILEGE_ENABLED;  /* Set privileges */  ret = AdjustTokenPrivileges( (void*) token_handle, FALSE, &new_token_privileges, sizeof(new_token_privileges), NULL, NULL );  return ( ret );}int ReadKernelMemory ( void *address, void *buffer, unsigned int len ){  static int first_time = TRUE;  SYSDBG_VIRTUAL DbgMemory;  LONG Status;  int ret = FALSE;  /* If it is the first time  */  if ( first_time == TRUE )  {    /* Resolve the function symbol */    //NtSystemDebugControl = GetProcAddress( GetModuleHandle("ntdll.dll"), "NtSystemDebugControl" );    *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");        if ( NtSystemDebugControl == NULL )    {      cout<<"\nNtSystemDebugControl FAIL!!\n";      return ( ret );    }    first_time = FALSE;  }  /* Setup the request */  DbgMemory.Address = address;  DbgMemory.Buffer  = buffer;  DbgMemory.Request = len;  /* Do the read */  Status = NtSystemDebugControl( SysDbgReadVirtual, &DbgMemory, sizeof(DbgMemory), NULL, 0, NULL );  if ( Status >= 0 )  {    ret = TRUE;  }  return ( ret );}int main(int argc, char *argv[]){   EscalatePrivileges();  unsigned int code_address = 0;  unsigned int pos;  char buffer [ 0x2 ];  //char cmd [ 4096 ];  //char shellcode [ 256 ];  char *pattern;  int ret;    pattern = "\x4D\x5A"; /* Pattern of the code to search  */        for( pos=0x00000000; pos<0xfffff000; pos=pos+0x1000 )  {    ret = ReadKernelMemory( (void*) (pos), (void*) buffer, 2 ); /* Read the complete block */    if ( ret == TRUE )    {      if ( memcmp(buffer, pattern, 2) == 0 )      {        /* If match */        code_address = pos;        printf( "FOUND MATCHING PATTERN MZ at %x\n" , code_address );      }     }  } cout<<"\nPRESS ENTER TO EXIT\n";getchar();  return 0;}

OpenProcessToken FOR AdjustTokenPrivileges PASSED!!FOUND MATCHING PATTERN MZ at 400000FOUND MATCHING PATTERN MZ at 77c10000FOUND MATCHING PATTERN MZ at 77dd0000FOUND MATCHING PATTERN MZ at 77e70000FOUND MATCHING PATTERN MZ at 77fe0000FOUND MATCHING PATTERN MZ at 7c800000FOUND MATCHING PATTERN MZ at 7c900000FOUND MATCHING PATTERN MZ at 80062000FOUND MATCHING PATTERN MZ at 802f6000FOUND MATCHING PATTERN MZ at 80378000FOUND MATCHING PATTERN MZ at 804d7000FOUND MATCHING PATTERN MZ at 80700000FOUND MATCHING PATTERN MZ at 81f1d000FOUND MATCHING PATTERN MZ at b405a000FOUND MATCHING PATTERN MZ at b4347000FOUND MATCHING PATTERN MZ at b48b0000FOUND MATCHING PATTERN MZ at b4917000FOUND MATCHING PATTERN MZ at b4b97000FOUND MATCHING PATTERN MZ at b4d07000FOUND MATCHING PATTERN MZ at b4fb7000FOUND MATCHING PATTERN MZ at b5173000FOUND MATCHING PATTERN MZ at b526b000FOUND MATCHING PATTERN MZ at b53b8000FOUND MATCHING PATTERN MZ at b53e8000FOUND MATCHING PATTERN MZ at b553e000FOUND MATCHING PATTERN MZ at b7654000FOUND MATCHING PATTERN MZ at b766c000FOUND MATCHING PATTERN MZ at b7ad3000FOUND MATCHING PATTERN MZ at b7ae3000FOUND MATCHING PATTERN MZ at b7b31000FOUND MATCHING PATTERN MZ at b7c1c000FOUND MATCHING PATTERN MZ at b7e2d000FOUND MATCHING PATTERN MZ at b7e9d000FOUND MATCHING PATTERN MZ at b7f91000FOUND MATCHING PATTERN MZ at b7fb3000FOUND MATCHING PATTERN MZ at b7fd3000FOUND MATCHING PATTERN MZ at b7fd7000FOUND MATCHING PATTERN MZ at b7fdb000FOUND MATCHING PATTERN MZ at b8003000FOUND MATCHING PATTERN MZ at b8029000FOUND MATCHING PATTERN MZ at b803e000FOUND MATCHING PATTERN MZ at b8097000FOUND MATCHING PATTERN MZ at b810c000FOUND MATCHING PATTERN MZ at b9428000FOUND MATCHING PATTERN MZ at b9464000FOUND MATCHING PATTERN MZ at b946c000FOUND MATCHING PATTERN MZ at b9480000FOUND MATCHING PATTERN MZ at b9495000FOUND MATCHING PATTERN MZ at b9496000FOUND MATCHING PATTERN MZ at b9497000FOUND MATCHING PATTERN MZ at b94cf000FOUND MATCHING PATTERN MZ at b952d000FOUND MATCHING PATTERN MZ at b9579000FOUND MATCHING PATTERN MZ at b95f8000FOUND MATCHING PATTERN MZ at b9630000FOUND MATCHING PATTERN MZ at b9641000FOUND MATCHING PATTERN MZ at b9658000FOUND MATCHING PATTERN MZ at b966b000FOUND MATCHING PATTERN MZ at b968f000FOUND MATCHING PATTERN MZ at b98bc000FOUND MATCHING PATTERN MZ at b98df000FOUND MATCHING PATTERN MZ at b98f3000FOUND MATCHING PATTERN MZ at b990d000FOUND MATCHING PATTERN MZ at b99a8000FOUND MATCHING PATTERN MZ at b99cc000FOUND MATCHING PATTERN MZ at b99e0000FOUND MATCHING PATTERN MZ at b9c8b000FOUND MATCHING PATTERN MZ at b9cd3000FOUND MATCHING PATTERN MZ at b9d73000FOUND MATCHING PATTERN MZ at b9fea000FOUND MATCHING PATTERN MZ at b9ffa000FOUND MATCHING PATTERN MZ at b9ffe000FOUND MATCHING PATTERN MZ at ba1a9000FOUND MATCHING PATTERN MZ at ba1c9000FOUND MATCHING PATTERN MZ at ba1d9000FOUND MATCHING PATTERN MZ at ba486000FOUND MATCHING PATTERN MZ at ba48e000FOUND MATCHING PATTERN MZ at ba66d000FOUND MATCHING PATTERN MZ at ba692000FOUND MATCHING PATTERN MZ at ba695000FOUND MATCHING PATTERN MZ at ba6cd000FOUND MATCHING PATTERN MZ at ba6ed000FOUND MATCHING PATTERN MZ at ba719000FOUND MATCHING PATTERN MZ at ba743000FOUND MATCHING PATTERN MZ at ba753000FOUND MATCHING PATTERN MZ at ba773000FOUND MATCHING PATTERN MZ at ba783000FOUND MATCHING PATTERN MZ at ba793000FOUND MATCHING PATTERN MZ at ba7a3000FOUND MATCHING PATTERN MZ at ba7b3000FOUND MATCHING PATTERN MZ at ba7c3000FOUND MATCHING PATTERN MZ at ba7d3000FOUND MATCHING PATTERN MZ at bf000000FOUND MATCHING PATTERN MZ at bf012000FOUND MATCHING PATTERN MZ at bf432000FOUND MATCHING PATTERN MZ at bf800000FOUND MATCHING PATTERN MZ at cec40000FOUND MATCHING PATTERN MZ at d3780000FOUND MATCHING PATTERN MZ at d9b40000FOUND MATCHING PATTERN MZ at dbc00000FOUND MATCHING PATTERN MZ at f740c000FOUND MATCHING PATTERN MZ at f741c000FOUND MATCHING PATTERN MZ at f742c000FOUND MATCHING PATTERN MZ at f743c000FOUND MATCHING PATTERN MZ at f744c000FOUND MATCHING PATTERN MZ at f748c000FOUND MATCHING PATTERN MZ at f749d000FOUND MATCHING PATTERN MZ at f74cb000FOUND MATCHING PATTERN MZ at f74e3000FOUND MATCHING PATTERN MZ at f75f7000FOUND MATCHING PATTERN MZ at f7607000FOUND MATCHING PATTERN MZ at f7617000FOUND MATCHING PATTERN MZ at f7627000FOUND MATCHING PATTERN MZ at f7637000FOUND MATCHING PATTERN MZ at f7647000FOUND MATCHING PATTERN MZ at f7657000FOUND MATCHING PATTERN MZ at f7667000FOUND MATCHING PATTERN MZ at f7677000FOUND MATCHING PATTERN MZ at f76a7000FOUND MATCHING PATTERN MZ at f7707000FOUND MATCHING PATTERN MZ at f770f000FOUND MATCHING PATTERN MZ at f7717000FOUND MATCHING PATTERN MZ at f771f000FOUND MATCHING PATTERN MZ at f7727000FOUND MATCHING PATTERN MZ at f7767000FOUND MATCHING PATTERN MZ at f776f000FOUND MATCHING PATTERN MZ at f7777000FOUND MATCHING PATTERN MZ at f777f000FOUND MATCHING PATTERN MZ at f7787000FOUND MATCHING PATTERN MZ at f778f000FOUND MATCHING PATTERN MZ at f7797000FOUND MATCHING PATTERN MZ at f779f000FOUND MATCHING PATTERN MZ at f77a7000FOUND MATCHING PATTERN MZ at f77ff000FOUND MATCHING PATTERN MZ at f7807000FOUND MATCHING PATTERN MZ at f780f000FOUND MATCHING PATTERN MZ at f7817000FOUND MATCHING PATTERN MZ at f781f000FOUND MATCHING PATTERN MZ at f782e000FOUND MATCHING PATTERN MZ at f7840000FOUND MATCHING PATTERN MZ at f7858000FOUND MATCHING PATTERN MZ at f7877000FOUND MATCHING PATTERN MZ at f7887000FOUND MATCHING PATTERN MZ at f7897000FOUND MATCHING PATTERN MZ at f7964000FOUND MATCHING PATTERN MZ at f7987000FOUND MATCHING PATTERN MZ at f7989000FOUND MATCHING PATTERN MZ at f79a1000FOUND MATCHING PATTERN MZ at f79d3000FOUND MATCHING PATTERN MZ at f79dd000FOUND MATCHING PATTERN MZ at f79df000FOUND MATCHING PATTERN MZ at f79e5000FOUND MATCHING PATTERN MZ at f79e7000FOUND MATCHING PATTERN MZ at f79e9000FOUND MATCHING PATTERN MZ at f79eb000FOUND MATCHING PATTERN MZ at f7a18000FOUND MATCHING PATTERN MZ at f7a2f000FOUND MATCHING PATTERN MZ at f7a4f000FOUND MATCHING PATTERN MZ at f7a87000FOUND MATCHING PATTERN MZ at f7a99000FOUND MATCHING PATTERN MZ at f7aa9000FOUND MATCHING PATTERN MZ at f7ac8000FOUND MATCHING PATTERN MZ at f7b55000PRESS ENTER TO EXIT

using the ZwQuerySystemInformation( SystemModuleInformation method

0x804D7000 ntoskrnl.exe

0x80700000 hal.dll

0xF7987000 KDCOM.DLL

0xF7897000 BOOTVID.dll

.... etc etc

whereas, the krnl in this case has some other (ermmmmm ermmmm) "modules" loaded in the 80000000 range

FOUND MATCHING PATTERN MZ at 80062000

FOUND MATCHING PATTERN MZ at 802f6000

FOUND MATCHING PATTERN MZ at 80378000

FOUND MATCHING PATTERN MZ at 804d7000

FOUND MATCHING PATTERN MZ at 80700000

FOUND MATCHING PATTERN MZ at 81f1d000

.. etc etc

Gotta make this scanner , better... Suggestions on other implementations?

Edited January 1, 2014 by JMC31337

[evlncrn8]

isnt the 80000000 range memory maps?

[JMC31337]

not sure to be honest, but for instance in the case of ntoskrnl.exe, its always going to be loaded at the 804d7000 kernel address for SP3, so i would say its hard "loaded" that way all the other drivers wont conflict when they get loaded themselves.. It would keep a driver from interfering with another drivers space.. Espescially in cases of windows drivers that come with the system.. theyre loaded at their own specific addresses and ntoskrnl wont let any other driver (or shouldnt) get loaded in that particular driver's space...

 

When I reviewed http://www.openrce.org/blog/view/354

"Putting ZwSystemDebugControl to good use"

SYSDBG_VIRTUAL  does seem to be a memory mapping structure

 

My experience with mapping is that if i run user mode code to map a portion of memory im still storing that mapped data in "user mode"

Taking the kernel memory and mapping it to user mode doesnt do anything but help read it... Unless of course their is a bug in the kernel driver and some kinda kernel memory is given read-write-execute privs... 

 

And this http://pastebin.com/LQnhSLw3

 

Attempts to uses SYSDBG_VIRTUAL to hide a process from task manager....

 

I would say no, they are true addresses for those drivers and the only thing getting mapped is their data into a handle of Virtual Memory that i can read. But i could read the kernel mem without mapping its data.. The POS variable is the true position of the loaded sys drivers... If i am wrong please explain.. After all im just getting into true kernel scanning and exploit attempts... Creating a driver is one thing, loading a driver is one thing but this is another....

 

Using NtSystemDebugControl for dumping

For control code 10 we use a struct with the following layout as input buffer:    DWORD PhysicalAddress;
    DWORD Reserved1;
    void *Buffer;
    DWORD Length; 

 

thats physical address...

 

http://ntsecurity.nu/onmymind/2007/2007-02-04.html

Edited January 1, 2014 by JMC31337

[JMC31337]

iight so using C# to sit thru and iterate all files in the SP3 

system32 and drivers directory i found one of the hidden kernel sys drivers (one of em that is not named in SystemInformation Modules but using a byte scanner i see MZ)

 

 

FOUND MATCHING PATTERN MZ at 80062000  was a modem driver or sptd.sys  (but sptd.sys was LOCKED no matter what i tried)

 

if it was  sptd.sys - SCSI pass thru direct-  by Duplex Secure and Verisigned Certificate

... had to go into SAFE MODE to copy this thing.. their was in no way ANY ACCESS whatsoever... couldnt even use XVi32  to read this file...

"It is known to be incompatible with kernel-mode debugging including WinDbgand Microsoft's other command line debuggers as well as SoftICE."

wondering 

a) if its possible to use this type of trickery to keep Windbg and SoftICe and whatever else from reading ANYTHING

b ) why/how does it lock the system out from getting any info about it?

Edited January 10, 2014 by JMC31337

[JohnWho]

About SoftICE and sptd.sys theres some info here -> http://www.woodmann.com/collaborative/tools/index.php/Antisptd

[JMC31337]

About SoftICE and sptd.sys theres some info here -> http://www.woodmann.com/collaborative/tools/index.php/Antisptd

 

takes a sys driver to outsmart a sys driver module... that's wonderful.. 

 

 

"by removing the notifyroutine sptd sets to prevent ntice.sys to load. After ntice.sys gets loaded, it restores the notifyroutine and the keyboard hooks in i8042prt.sys that have been screwed by the sptd.sys"

Edited January 12, 2014 by JMC31337