flat assembler
Message board for the users of flat assembler.
Feryno 17 Mar 2010, 14:43
This work was done thanks to fasm board member Fyyre
http://board.flatassembler.net/profile.php?mode=viewprofile&u=3350 and his post here: http://board.flatassembler.net/topic.php?p=110915#110915

His great work should be placed here in the windows section of the FASM board. Disabling Patchguard and driver signature enforcement is his idea and work (but some people may not like to run unknown executables).

This work applies only to windows 2008 server R2 x64 / windows 7 x64 (the same kernel) loaded through BIOS (not through UEFI; you may manually modify this to apply to UEFI systems). We will disable the necessity of a digital signature for drivers, and we will disable Patchguard.

I sent 2 messages to ms (through different channels) without any answer, concerning a weakness in canonical address form checking in the ms windows 2008 server R2 x64 / windows 7 x64 kernel. I promised them (in the second attempt to notify them) that if they don't answer, I'll make public the information about canonical long mode address form checking in win2008 R2 / win7. We will patch this kind of weakness by ourselves also.

It is necessary to run the *.cmd executable from native 64 bit long mode, not from the compatibility submode. If you are using e.g. an older Total Commander version (like me), then place a shortcut of the *.cmd executable on the desktop and run it through the shortcut, or open a command prompt and run it from there (the 32-bit emulated submode doesn't know bcdedit.exe).

The *.cmd file adds the necessary registry entries and disables one service from starting automatically. The *.exe file makes second copies of the OS loader and ntoskrnl.exe with a few bytes patched there (so when you reboot, Patchguard is not initialized, driver digital signatures are not necessary, and the canonical address form of long mode virtual memory is checked correctly).

Because of disabling Patchguard and digital signatures for drivers, your system is more vulnerable to attacks.
But if you are developing drivers without having a certificate for driver signing, you may save some time during boot because you don't need to press F8 and select Disable driver signature enforcement every time you boot windows 2008 server R2 x64 / windows 7 x64. I always prefer server versions because they are usually available to download earlier from the official ms link. They are always trial versions, so additional work is required to have them operating longer than the trial period. I tested this on win 2008 server R2 x64, Fyyre on windows 7 x64. If you discover something to fix in the ms windows kernel, post it here; now we may apply patches immediately without any necessity to wait for an ms response (because we are programming in assembler, our patches should be small enough to fit into the ms kernel).

Code:
@ECHO OFF
ECHO.
ECHO Creating patched copies of winload, ntkrnlmp/ntoskrnl...
ECHO.
patch.exe
ECHO.
ECHO Creating BCD Entry...
ECHO.
set ENTRY_GUID={46595952-454E-4F50-4747-554944FFFFFF}
bcdedit -create %ENTRY_GUID% -d "DriverSigning&PatchGuard Disabled" -application OSLOADER
bcdedit -set %ENTRY_GUID% device partition=%SYSTEMDRIVE%
bcdedit -set %ENTRY_GUID% osdevice partition=%SYSTEMDRIVE%
bcdedit -set %ENTRY_GUID% systemroot \Windows
bcdedit -set %ENTRY_GUID% path \Windows\system32\freeload.exe
bcdedit -set %ENTRY_GUID% kernel goodkrnl.exe
bcdedit -set %ENTRY_GUID% recoveryenabled 0
bcdedit -set %ENTRY_GUID% nx OptOut
bcdedit -set %ENTRY_GUID% nointegritychecks 1
bcdedit -set %ENTRY_GUID% testsigning 1
bcdedit -displayorder %ENTRY_GUID% -addlast
bcdedit -timeout 5
bcdedit -default %ENTRY_GUID%
ECHO.
ECHO Setting PEAUTH service to manual... (avoid BSOD at login screen)
ECHO.
sc config peauth start= demand
ECHO.
ECHO Complete!
ECHO.
PAUSE

patch.asm
Code:
; this creates patched copies of files %SystemRoot%\system32\winload.exe, %SystemRoot%\system32\ntoskrnl.exe, %SystemRoot%\system32\ntkrnlmp.exe
format PE64 console at (1 shl 32)
entry start
include '%fasminc%\win64a.inc'

section '.code' code readable executable

align 10h
start:
        push rbx
        sub rsp,8*(4+2)
        lea rcx,[file0]
        call read_system_file
        or eax,eax
        mov ebx,eax                     ; size of file
        jz exit_failed
        mov edx,ebx                     ; size of the whole file
        lea rcx,[file0ed]               ; pointer to patching data
        call patch_bytes
        mov edx,ebx
        lea rcx,[file3ed]
        call patch_bytes
        mov edx,ebx
        lea rcx,[file3ed]
        call patch_bytes
        mov edx,ebx
        lea rcx,[file3ed]
        call patch_bytes
        mov ecx,ebx                     ; size of the whole file
        call reconstruct_crc
        mov edx,ebx                     ; size of the whole file
        lea rcx,[file0n]
        call write_system_file
        cmp eax,ebx
        jnz exit_delete_file0n
        lea rcx,[file1]
        call read_system_file
        or eax,eax
        mov ebx,eax
        jnz L0
        lea rcx,[file2]
        call read_system_file
        or eax,eax
        mov ebx,eax
        jz exit_failed
L0:
        mov edx,ebx
        lea rcx,[file1ed]
        call patch_bytes
        mov edx,ebx
        lea rcx,[file2ed]
        call patch_bytes
        mov edx,ebx
        lea rcx,[file3ed]
        call patch_bytes
        mov edx,ebx
        lea rcx,[file3ed]
        call patch_bytes
        mov edx,ebx
        lea rcx,[file3ed]
        call patch_bytes
        mov ecx,ebx
        call reconstruct_crc
        mov edx,ebx
        lea rcx,[file1n]
        call write_system_file
        cmp eax,ebx
        jz exit_success
;       jmp exit_delete_file1n_file0n
exit_delete_file1n_file0n:
        lea rcx,[file1n]
        call [DeleteFileA]
exit_delete_file0n:
        lea rcx,[file0n]
        call [DeleteFileA]
exit_failed:
        lea rbx,[msg_failed]
        jmp exit_msg
exit_success:
        lea rbx,[msg_success]
exit_msg:
;STD_OUTPUT_HANDLE = -11
;INVALID_HANDLE_VALUE = -1
;       mov rcx,STD_OUTPUT_HANDLE
        push STD_OUTPUT_HANDLE
        pop rcx
        call [GetStdHandle]
        push rax
        pop rcx
if INVALID_HANDLE_VALUE = -1
        inc rax
else
        cmp rax,INVALID_HANDLE_VALUE
end if
        jz exit
        and qword [rsp + 8*(4+0)],0
        lea r9,[rsp + 8*(4+1)]
        mov r8d,msg_size
;       lea rdx,[rbx]
        push rbx
        pop rdx
;       lea rcx,[rcx]                   ; already set
        call [WriteFile]
exit:
        xor eax,eax
        add rsp,8*(4+2)
        pop rbx
        ret

align 10h
read_system_file:
; in:  rcx pointer to filename
; out: eax file size (0 for error)
        push rbx rbp rsi rdi
        sub rsp,8*(4+3)
        xor ebp,ebp                     ; result
        push rcx
        pop rsi                         ; filename
        lea rdi,[filename]
        mov ebx,MAX_PATH
        mov edx,ebx
        push rdi
        pop rcx
        call [GetSystemDirectoryA]
        cmp eax,ebx
        jnbe read_system_file_finish
        lea rbx,[rdi+rax*1]
;       mov eax,'\'                     ; this is 2 bytes smaller:
        push '\'
        pop rax
        mov [rbx],al
        cmp [rbx-1],al
        setnz al
        add rbx,rax
        movdqu xmm0,dqword [rsi]
        movdqu [rbx],xmm0
;       and qword [rsp+8*(4+2)],0       ; hTemplateFile
        mov dword [rsp+8*(4+1)],FILE_ATTRIBUTE_NORMAL ; dwFlagsAndAttributes
        mov dword [rsp+8*(4+0)],OPEN_EXISTING         ; dwCreationDistribution
        xor r9,r9                       ; lpSecurityAttributes
        xor r8,r8                       ; dwShareMode
        mov edx,GENERIC_READ            ; dwDesiredAccess
        push rdi
        pop rcx                         ; lpFileName
        mov [rsp+8*(4+2)],r9            ; hTemplateFile
        call [CreateFileA]
        push rax
        pop rsi
if INVALID_HANDLE_VALUE = -1
        inc rax
else
        cmp rax,INVALID_HANDLE_VALUE
end if
        jz read_system_file_finish
        mov edi,file_buf_size
        and qword [rsp + 8*(4+0)],0     ; lpOverlapped
        lea r9,[rsp + 8*(4+2)]          ; lpNumberOfBytesRead
        mov r8d,edi                     ; nNumberOfBytesToRead
        lea rdx,[file_buf]
        push rsi
        pop rcx                         ; hFile
        call [ReadFile]
        or eax,eax
        jz read_system_file_close_finish
        mov ebp,[rsp + 8*(4+2)]         ; NumberOfBytesRead
read_system_file_close_finish:
        push rsi
        pop rcx
        call [CloseHandle]
read_system_file_finish:
        mov eax,ebp                     ; result into EAX
        add rsp,8*(4+3)
        pop rdi rsi rbp rbx
        ret

align 10h
patch_bytes:
        push rbx rsi rdi
        push rcx
        pop rsi
        cld
        lodsb                           ; load size of bytes to find
        movzx ebx,al
        lea rdi,[file_buf]
        lea r8,[rdi+rdx]                ; end of file
align 10h
patch_bytes_L0:
        push rsi rdi
        mov ecx,ebx
        repz cmpsb
        pop rdi rsi
        jz patch_bytes_L4
        scasb                           ; rdi+1 in 1-byte instruction
        lea rax,[rdi+rbx*1]
        cmp rax,r8
        jbe patch_bytes_L0              ; end of file reached
        jmp patch_bytes_L9
patch_bytes_L4:                         ; matching bytes found, patch them
        add rsi,rbx
        lodsb                           ; load size of bytes to be written
        movzx ecx,al
        repz movsb
patch_bytes_L9:
        pop rdi rsi rbx
        ret

align 10h
reconstruct_crc:
; in: ecx = size of file

struct IMAGE_DOS_HEADER
        e_magic         rw 1    ; Magic number
        e_cblp          rw 1    ; Bytes on last page of file
        e_cp            rw 1    ; Pages in file
        e_crlc          rw 1    ; Relocations
        e_cparhdr       rw 1    ; Size of header in paragraphs
        e_minalloc      rw 1    ; Minimum extra paragraphs needed
        e_maxalloc      rw 1    ; Maximum extra paragraphs needed
        e_ss            rw 1    ; Initial (relative) SS value
        e_sp            rw 1    ; Initial SP value
        e_csum          rw 1    ; Checksum
        e_ip            rw 1    ; Initial IP value
        e_cs            rw 1    ; Initial (relative) CS value
        e_lfarlc        rw 1    ; File address of relocation table
        e_ovno          rw 1    ; Overlay number
        e_res           rw 4    ; Reserved words
        e_oemid         rw 1    ; OEM identifier (for e_oeminfo)
        e_oeminfo       rw 1    ; OEM information; e_oemid specific
        e_res2          rw 10   ; Reserved words
        e_lfanew        rd 1    ; File address of new exe header
ends
IMAGE_DOS_SIGNATURE = 'MZ'

struct IMAGE_FILE_HEADER
        Machine                 rw 1
        NumberOfSections        rw 1
        TimeDateStamp           rd 1
        PointerToSymbolTable    rd 1
        NumberOfSymbols         rd 1
        SizeOfOptionalHeader    rw 1
        Characteristics         rw 1
ends
IMAGE_SIZEOF_FILE_HEADER = sizeof.IMAGE_FILE_HEADER ; = 20
IMAGE_FILE_MACHINE_AMD64 = 8664h ; AMD64 (K

the patch.exe changes this:
Code:
winload.exe
.text:00000000004057E8 OslInitializeCodeIntegrity proc near    ; CODE XREF: OslpMain+61Cp
.text:00000000004057E8                                         ; DATA XREF: .pdata:00000000004B2168o
.text:00000000004057E8
.text:00000000004057E8 var_58 = qword ptr -58h
.text:00000000004057E8 var_50 = dword ptr -50h
.text:00000000004057E8 var_48 = dword ptr -48h
.text:00000000004057E8 var_38 = qword ptr -38h
.text:00000000004057E8 arg_8 = qword ptr 10h
.text:00000000004057E8 arg_18 = qword ptr 20h
.text:00000000004057E8
.text:00000000004057E8         mov rax, rsp    ; db 48h,8Bh,0C4h -> db 0B0h,01h,0C3h = mov al,1 \ ret
.text:00000000004057EB         push rbx
.text:00000000004057EC         push rbp
.text:00000000004057ED         push rdi
.text:00000000004057EE         push r12
.text:00000000004057F0         push r13
.text:00000000004057F2         sub rsp, 50h
.text:00000000004057F6         xor r13d, r13d
.text:00000000004057F9         mov r12d, ecx
.text:00000000004057FC         lea r8, [rax+18h]
.text:0000000000405800         lea rcx, BlpApplicationEntry
.text:0000000000405807         lea rdx, [rax+10h]
.text:000000000040580B         mov [rax+20h], r13
.text:000000000040580F         mov rdi, r13
.text:0000000000405812         mov [rax-38h], r13
.text:0000000000405816         call BlImgQueryCodeIntegrityBootOptions

ntoskrnl.exe
PAGE:00000001403EAA60 SepInitializeCodeIntegrity proc near ; CODE XREF: SepInitializationPhase1+231p
PAGE:00000001403EAA60
PAGE:00000001403EAA60 arg_0 = qword ptr 8
PAGE:00000001403EAA60
PAGE:00000001403EAA60         mov [rsp+arg_0], rbx
PAGE:00000001403EAA65         push rdi
PAGE:00000001403EAA66         sub rsp, 20h
PAGE:00000001403EAA6A         xor ebx, ebx
PAGE:00000001403EAA6C         cmp cs:InitIsWinPEMode, bl
PAGE:00000001403EAA72         jnz loc_1403EAB0C ; db 0Fh,85h,94h,0,0,0 -> db 90h,0E9h,94h,0,0,0 = nop \ jmp loc_1403EAB0C
PAGE:00000001403EAA78         xor eax, eax
PAGE:00000001403EAA7A         mov cs:g_CiEnabled, 1
PAGE:00000001403EAA81         lea edi, [rbx+6]
PAGE:00000001403EAA84         mov cs:g_CiCallbacks, rax
PAGE:00000001403EAA8B         mov cs:qword_14021EE48, rax
PAGE:00000001403EAA92         mov cs:qword_14021EE50, rax
PAGE:00000001403EAA99         mov rax, cs:qword_1402A8120
PAGE:00000001403EAAA0         cmp rax, rbx
PAGE:00000001403EAAA3         jz short loc_1403EAAF7
PAGE:00000001403EAAA5         cmp [rax+98h], rbx
PAGE:00000001403EAAAC         jz short loc_1403EAAEE
PAGE:00000001403EAAAE         mov rcx, [rax+98h]
PAGE:00000001403EAAB5         lea rdx, ??_C@_0BJ@KFBEEMJI@DISABLE_INTEGRITY_CHECKS?$AA@NNGAKEGL@
PAGE:00000001403EAABC         call SepIsOptionPresent
PAGE:00000001403EAAC1         mov rcx, cs:qword_1402A8120
PAGE:00000001403EAAC8         lea rdx, ??_C@_0M@LNFBLGLD@TESTSIGNING?$AA@NNGAKEGL@
PAGE:00000001403EAACF         mov rcx, [rcx+98h]
PAGE:00000001403EAAD6         cmp eax, ebx
PAGE:00000001403EAAD8         cmovnz edi, ebx
PAGE:00000001403EAADB         call SepIsOptionPresent
PAGE:00000001403EAAE0         cmp eax, ebx
PAGE:00000001403EAAE2         mov rax, cs:qword_1402A8120
PAGE:00000001403EAAE9         jz short loc_1403EAAEE
PAGE:00000001403EAAEB         or edi, 8
PAGE:00000001403EAAEE
PAGE:00000001403EAAEE loc_1403EAAEE:                  ; CODE XREF: SepInitializeCodeIntegrity+4Cj
PAGE:00000001403EAAEE                                 ; SepInitializeCodeIntegrity+89j
PAGE:00000001403EAAEE         cmp rax, rbx
PAGE:00000001403EAAF1         jz short loc_1403EAAF7
PAGE:00000001403EAAF3         lea rbx, [rax+30h]
PAGE:00000001403EAAF7
PAGE:00000001403EAAF7 loc_1403EAAF7:                  ; CODE XREF: SepInitializeCodeIntegrity+43j
PAGE:00000001403EAAF7                                 ; SepInitializeCodeIntegrity+91j
PAGE:00000001403EAAF7         lea r8, g_CiCallbacks
PAGE:00000001403EAAFE         mov rdx, rbx
PAGE:00000001403EAB01         mov ecx, edi
PAGE:00000001403EAB03         call CiInitialize
PAGE:00000001403EAB08         mov ebx, eax
PAGE:00000001403EAB0A         jmp short loc_1403EAB12
PAGE:00000001403EAB0C ; ---------------------------------------------------------------------------
PAGE:00000001403EAB0C
PAGE:00000001403EAB0C loc_1403EAB0C:                  ; CODE XREF: SepInitializeCodeIntegrity+12j
PAGE:00000001403EAB0C         mov cs:g_CiEnabled, bl
PAGE:00000001403EAB12
PAGE:00000001403EAB12 loc_1403EAB12:                  ; CODE XREF: SepInitializeCodeIntegrity+AAj
PAGE:00000001403EAB12         mov eax, ebx
PAGE:00000001403EAB14         mov rbx, [rsp+28h+arg_0]
PAGE:00000001403EAB19         add rsp, 20h
PAGE:00000001403EAB1D         pop rdi
PAGE:00000001403EAB1E         retn
PAGE:00000001403EAB1E SepInitializeCodeIntegrity endp
PAGE:00000001403EAB1E
PAGE:00000001403EAB1E ; ---------------------------------------------------------------------------

ntoskrnl.exe
INIT:0000000140561340 ; =============== S U B R O U T I N E =======================================
INIT:0000000140561340
INIT:0000000140561340
INIT:0000000140561340 sub_140561340 proc near         ; CODE XREF: KiFilterFiberContext+FFp
INIT:0000000140561340                                 ; KiFilterFiberContext+187p
INIT:0000000140561340
INIT:0000000140561340 var_F78 = qword ptr -0F78h
INIT:0000000140561340 var_F70 = qword ptr -0F70h
INIT:0000000140561340 var_F68 = qword ptr -0F68h
INIT:0000000140561340 var_F60 = qword ptr -0F60h
INIT:0000000140561340 var_F58 = dword ptr -0F58h
...
...
...
INIT:0000000140561340 var_48 = byte ptr -48h
INIT:0000000140561340 arg_0 = dword ptr 8
INIT:0000000140561340 arg_8 = dword ptr 10h
INIT:0000000140561340 arg_10 = dword ptr 18h
INIT:0000000140561340 arg_18 = qword ptr 20h
INIT:0000000140561340
INIT:0000000140561340         mov [rsp+arg_10], r8d
INIT:0000000140561345         mov [rsp+arg_8], edx
INIT:0000000140561349         mov [rsp+arg_0], ecx
INIT:000000014056134D         push rbx
INIT:000000014056134E         push rbp
INIT:000000014056134F         push rsi
INIT:0000000140561350         push rdi
INIT:0000000140561351         push r12
INIT:0000000140561353         push r13
INIT:0000000140561355         push r14
INIT:0000000140561357         push r15
INIT:0000000140561359         sub rsp, 0F58h
INIT:0000000140561360         xor edi, edi
INIT:0000000140561362         cmp cs:InitSafeBootMode, edi
INIT:0000000140561368         jz short loc_140561371  ; db 74h,7 -> db 90h,90h = nop \ nop
INIT:000000014056136A         mov al, 1
INIT:000000014056136C         jmp loc_1405640D9
INIT:0000000140561371 ; ---------------------------------------------------------------------------
INIT:0000000140561371
INIT:0000000140561371 loc_140561371:                  ; CODE XREF: sub_140561340+28j
INIT:0000000140561371         lea rbx, FsRtlUninitializeSmallMcb
INIT:0000000140561378         lea rdx, [rsp+0F98h+var_E40]
INIT:0000000140561380         mov rcx, rbx
INIT:0000000140561383         call RtlPcToFileHeader
INIT:0000000140561388         cmp rax, rdi
INIT:000000014056138B         jz loc_1405640D7
INIT:0000000140561391         mov rcx, [rsp+0F98h+var_E40]
INIT:0000000140561399         call RtlImageNtHeader
INIT:000000014056139E         cmp rax, rdi
INIT:00000001405613A1         jz loc_1405640D7
...
...
...
INIT:00000001405640D9 loc_1405640D9:                  ; CODE XREF: sub_140561340+2Cj
INIT:00000001405640D9                                 ; sub_140561340+9C36j
INIT:00000001405640D9         add rsp, 0F58h
INIT:00000001405640E0         pop r15
INIT:00000001405640E2         pop r14
INIT:00000001405640E4         pop r13
INIT:00000001405640E6         pop r12
INIT:00000001405640E8         pop rdi
INIT:00000001405640E9         pop rsi
INIT:00000001405640EA         pop rbp
INIT:00000001405640EB         pop rbx
INIT:00000001405640EC         retn

ntoskrnl.exe
.text:0000000140123C50 public MmIsAddressValid
.text:0000000140123C50 MmIsAddressValid proc near     ; CODE XREF: KeValidateBugCheckCallbackRecord+58p
.text:0000000140123C50                                ; KeValidateBugCheckCallbackRecord+9Ep ...
.text:0000000140123C50         xor edx, edx
.text:0000000140123C52         jmp MiIsAddressValid
.text:0000000140123C52 MmIsAddressValid endp
...
...
...
.text:00000001400AAE20 MiIsAddressValid proc near     ; CODE XREF: RtlpWalkFrameChain+13Ap
.text:00000001400AAE20                                ; MmAccessFault-6DB6Dp ...
.text:00000001400AAE20         mov rax, rcx
.text:00000001400AAE23         sar rax, 30h    ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
.text:00000001400AAE23                         ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
.text:00000001400AAE27         inc rax
.text:00000001400AAE2A         cmp rax, 1
.text:00000001400AAE2E         ja loc_1400AAEC3

ntoskrnl.exe
.text:0000000140042BDC MmIsSpecialPoolAddress proc near ; CODE XREF: ExReturnPoolQuota:loc_140026DF6p
.text:0000000140042BDC                                  ; ExProtectPool+25p ...
.text:0000000140042BDC
.text:0000000140042BDC ; FUNCTION CHUNK AT .text:00000001400C76C7 SIZE 0000006B BYTES
.text:0000000140042BDC
.text:0000000140042BDC         sub rsp, 28h
.text:0000000140042BE0         mov rax, 98000000000h
.text:0000000140042BEA         mov rdx, rcx
.text:0000000140042BED         add rax, rcx
.text:0000000140042BF0         mov rcx, 7FFFFFFFFFh
.text:0000000140042BFA         cmp rax, rcx
.text:0000000140042BFD         jbe short loc_140042C70
.text:0000000140042BFF         mov rax, rdx
.text:0000000140042C02         sar rax, 30h    ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
.text:0000000140042C02                         ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
.text:0000000140042C06         inc rax
.text:0000000140042C09         cmp rax, 1
.text:0000000140042C0D         ja short loc_140042C70

ntoskrnl.exe
.text:000000014008BBE0 MmAccessFault proc near        ; CODE XREF: MiCheckProtoPtePageState-5BA2Cp
.text:000000014008BBE0                                ; MiDeletePerSessionProtos+85p ...
.text:000000014008BBE0
...
...
...
.text:000000014008BBE0         mov [rsp-8+var_B8], rbx
.text:000000014008BBE5         push rbp
.text:000000014008BBE6         push rsi
.text:000000014008BBE7         push rdi
.text:000000014008BBE8         push r12
.text:000000014008BBEA         push r13
.text:000000014008BBEC         push r14
.text:000000014008BBEE         push r15
.text:000000014008BBF0         sub rsp, 120h
.text:000000014008BBF7         lea rbp, [rsp+80h]
.text:000000014008BBFF         and rbp, 0FFFFFFFFFFFFFFC0h
.text:000000014008BC03         mov rax, rdx
.text:000000014008BC06         mov r12, r9
.text:000000014008BC09         mov r13, rdx
.text:000000014008BC0C         sar rax, 30h    ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
.text:000000014008BC0C                         ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
.text:000000014008BC10         mov r15, rcx
.text:000000014008BC13         inc rax
.text:000000014008BC16         cmp rax, 1
.text:000000014008BC1A         ja loc_1400EF63C
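The canonical-form check the post points at (sar rax,30h / inc rax / cmp rax,1 / ja) in user-mode C, as an added example that is not part of Feryno's post or patch.exe. Both functions below are models written for this page: kernel_check_shift48 reproduces the shipped instruction sequence bit for bit, canonical_check_shift47 is the correct 48-bit test implied by the post's comment (bit 47 sign-extended into bits 63..48), and the test vectors are constructed, including the two addresses the post names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * The check as shipped in the Win7 / 2008 R2 x64 kernel:
 *     sar rax,30h ; inc rax ; cmp rax,1 ; ja noncanonical
 * SAR by 48 leaves only bits 63..48 in rax (0 or -1 passes), so bit 47
 * is never compared against them.
 */
int kernel_check_shift48(uint64_t va)
{
    uint64_t top = va >> 48;                  /* bits 63..48 */
    return top == 0x0000 || top == 0xFFFF;    /* SAR result 0 or -1 */
}

/*
 * Correct canonical test for 48-bit linear addresses: bits 63..47 must
 * all equal bit 47, i.e. the 17-bit field is all clear or all set.
 * (Equivalent to shifting by 2Fh instead of 30h in the kernel sequence.)
 */
int canonical_check_shift47(uint64_t va)
{
    uint64_t top = va >> 47;                  /* bits 63..47 */
    return top == 0 || top == 0x1FFFF;
}

/*
 * True for addresses the shipped check lets through although the CPU
 * treats them as non-canonical; a real access to such an address raises
 * #GP instead of the #PF the caller is prepared for.
 */
int wrongly_accepted(uint64_t va)
{
    return kernel_check_shift48(va) && !canonical_check_shift47(va);
}

int main(void)
{
    /* Constructed vectors; the two from the post are marked. */
    static const uint64_t vectors[] = {
        0x00007FFFFFFFFFFFULL,   /* highest canonical user address      */
        0x0000800000000000ULL,   /* from the post: non-canonical, passes */
        0xFFFF7FFFFFFFFFFFULL,   /* from the post: non-canonical, passes */
        0xFFFF800000000000ULL,   /* lowest canonical kernel address      */
        0x0001000000000000ULL,   /* non-canonical, both checks reject    */
    };
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++)
        printf("%016llX  shipped=%d  correct=%d  %s\n",
               (unsigned long long)vectors[i],
               kernel_check_shift48(vectors[i]),
               canonical_check_shift47(vectors[i]),
               wrongly_accepted(vectors[i]) ? "WRONGLY ACCEPTED" : "");
    return 0;
}
```

The whole hole is exactly the two half-ranges 0000800000000000h..0000FFFFFFFFFFFFh and FFFF000000000000h..FFFF7FFFFFFFFFFFh, which is why MmIsSpecialPoolAddress's separate range comparison above does not help: it only filters the special-pool window, then falls through to the same 30h shift.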
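What patch.exe does to a file image, written out in C as an added example (my code, not Feryno's or Fyyre's): find-and-replace of a byte pattern, then refresh IMAGE_OPTIONAL_HEADER.CheckSum so the patched copy is still self-consistent. The post's reconstruct_crc body is cut off above, so the checksum routine here is the standard PE image checksum as produced by imagehlp's CheckSumMappedFile, not a transcription of the post's code. The sample image is constructed (MZ stub, PE signature, zeroed headers, and the winload "mov rax,rsp" bytes placed at 0x200); it is not a real loader.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First-match find/replace over a file image, the job patch_bytes does in
 * patch.asm. Returns the offset patched, or -1 if the pattern is absent. */
long patch_bytes(uint8_t *buf, size_t len, const uint8_t *find, size_t flen,
                 const uint8_t *repl, size_t rlen)
{
    if (flen == 0 || rlen > flen || flen > len)
        return -1;
    for (size_t i = 0; i + flen <= len; i++)
        if (memcmp(buf + i, find, flen) == 0) {
            memcpy(buf + i, repl, rlen);
            return (long)i;
        }
    return -1;
}

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 ("PE\0\0") + 20
 * (IMAGE_FILE_HEADER) + 64 (same offset in PE32 and PE32+). 0 if the headers
 * do not fit or a signature is wrong. */
size_t pe_checksum_offset(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 64 + 4 ||
        memcmp(buf + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    return e_lfanew + 4 + 20 + 64;
}

/* Standard PE image checksum: 16-bit words summed with end-around carry,
 * the 4-byte CheckSum field itself skipped, plus the file length. */
uint32_t pe_checksum(const uint8_t *buf, size_t len, size_t csum_off)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        if (i >= csum_off && i < csum_off + 4)
            continue;
        sum += buf[i] | (uint32_t)buf[i + 1] << 8;
        sum = (sum & 0xFFFF) + (sum >> 16);      /* fold the carry back in */
    }
    if (i < len) {                                /* odd trailing byte */
        sum += buf[i];
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    sum = (sum & 0xFFFF) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* Apply one patch, then rewrite CheckSum. Returns the patch offset or -1. */
long patch_and_fix_checksum(uint8_t *buf, size_t len, const uint8_t *find,
                            size_t flen, const uint8_t *repl, size_t rlen)
{
    size_t off = pe_checksum_offset(buf, len);
    long at = off ? patch_bytes(buf, len, find, flen, repl, rlen) : -1;
    if (at >= 0)
        wr32(buf + off, pe_checksum(buf, len, off));
    return at;
}

/* Constructed stand-in for winload.exe (not a real image). */
enum { SAMPLE_LEN = 0x300, SAMPLE_CODE_OFF = 0x200 };
static const uint8_t find_mov_rax_rsp[] = { 0x48, 0x8B, 0xC4 };  /* mov rax,rsp  */
static const uint8_t repl_mov_al1_ret[] = { 0xB0, 0x01, 0xC3 };  /* mov al,1 ; ret */

size_t build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                       /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    memcpy(buf + SAMPLE_CODE_OFF, find_mov_rax_rsp, 3);
    return SAMPLE_LEN;
}

/* Demo: patch the sample the way patch.exe patches winload; returns the patch
 * offset and reports the checksum computed before and the one stored after. */
long demo_patch_sample(uint32_t *before, uint32_t *stored_after)
{
    uint8_t img[SAMPLE_LEN];
    size_t n = build_sample_image(img);
    *before = pe_checksum(img, n, pe_checksum_offset(img, n));
    long at = patch_and_fix_checksum(img, n, find_mov_rax_rsp, 3, repl_mov_al1_ret, 3);
    *stored_after = rd32(img + pe_checksum_offset(img, n));
    return at;
}

int main(void)
{
    uint32_t before, after;
    long at = demo_patch_sample(&before, &after);
    printf("patched at 0x%lX, CheckSum 0x%08X -> 0x%08X\n", at, before, after);
    return at < 0;
}
```

Like patch_bytes in patch.asm, this patches only the first match, so a pattern that occurs earlier in the file than the intended site will be hit instead; checking the returned offset against the expected one (here 0x200) before writing the copy out is the cheap guard against that.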
alorent 17 Mar 2010, 15:03
Thanks for sharing it Feryno! Very interesting!
DOS386 18 Mar 2010, 07:05
> flat assembler > OS Construction > Control registers analisys with C.R.A.D.
> http://board.flatassembler.net/topic.php?t=11028
> I made a NT kernel driver that analize all the

> His great work should be placed here in windows section of FASM

Just move the other thread
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.