

Feryno 17 Mar 2010, 14:43
This work was done thanks to fasm board member Fyyre
http://board.flatassembler.net/profile.php?mode=viewprofile&u=3350
and his post here:
http://board.flatassembler.net/topic.php?p=110915#110915
His great work should be placed here in the Windows section of the FASM board.
Disabling PatchGuard and driver signature enforcement is his idea and work (but some people may not like to run unknown executables).

This work applies only to Windows 2008 Server R2 x64 / Windows 7 x64 (the same kernel) loaded through BIOS (not through UEFI; you may manually modify this to apply to UEFI systems).

We will disable the requirement for digital signatures on drivers, and we will disable PatchGuard.
I sent 2 messages to MS (through different channels) without any answer, concerning a weakness in canonical address form checking in the MS Windows 2008 Server R2 x64 / Windows 7 x64 kernel. I promised them (in the second attempt to notify them) that if they didn't answer, I would make public the information about canonical long mode address form checking in Win2008 R2 / Win7.
We will also patch this weakness ourselves.

It is necessary to run the *.cmd file from native 64-bit long mode, not from the compatibility submode.
If you are using e.g. an older Total Commander version (like me), then place a shortcut to the *.cmd file on the desktop and run it through the shortcut, or open a command prompt and run it from there (the 32-bit emulated submode does not know bcdedit.exe).

The *.cmd file adds the necessary registry entries and disables one service from starting automatically. The *.exe file makes second copies of the OS loader and ntoskrnl.exe with a few byte patches in them (so when you reboot, PatchGuard is not initialized, driver digital signatures are not necessary, and the canonical address form of long mode virtual memory is checked correctly). Because of disabling PatchGuard and digital signatures for drivers, your system is more vulnerable to attacks. But if you are developing drivers without having a certificate for driver signing, you may save some time during boot because you don't need to press F8 and select Disable driver signature enforcement every time you boot Windows 2008 Server R2 x64 / Windows 7 x64.
I always prefer server versions because they are usually available to download earlier from the official MS link. They are always trial versions, so additional work is required to have them operating longer than the trial period.
I tested this on Win 2008 Server R2 x64, Fyyre on Windows 7 x64.

If you have discovered something to fix in the MS Windows kernel, post it here; now we may apply patches immediately without having to wait for an MS response (because we are programming in assembler, our patches should be small enough to fit into the MS kernel).

@ECHO OFF
REM Adds a second boot entry that loads the patched loader/kernel copies
REM produced by patch.exe; the original boot entry is left in place.
REM Must be run from a native 64-bit command prompt (bcdedit.exe is not
REM visible from the 32-bit environment, see the post above).

ECHO.
ECHO Creating patched copies of winload, ntkrnlmp/ntoskrnl...
ECHO.
patch.exe
REM NOTE: the result of patch.exe is not checked here (and patch.asm returns
REM 0 in eax on every path), so the BCD entry below is created even when the
REM patched copies could not be written.

ECHO.
ECHO Creating BCD Entry...
ECHO.
REM Fixed identifier for the new OSLOADER entry.
set ENTRY_GUID={46595952-454E-4F50-4747-554944FFFFFF}
bcdedit -create %ENTRY_GUID% -d "DriverSigning&PatchGuard Disabled" -application OSLOADER
bcdedit -set %ENTRY_GUID% device partition=%SYSTEMDRIVE%
bcdedit -set %ENTRY_GUID% osdevice partition=%SYSTEMDRIVE%
bcdedit -set %ENTRY_GUID% systemroot \Windows
REM Point the entry at the copies written by patch.exe (file0n / file1n in patch.asm).
bcdedit -set %ENTRY_GUID% path \Windows\system32\freeload.exe
bcdedit -set %ENTRY_GUID% kernel goodkrnl.exe
bcdedit -set %ENTRY_GUID% recoveryenabled 0
bcdedit -set %ENTRY_GUID% nx OptOut
REM The next two options relax kernel-mode code integrity for this entry only;
REM the system is less protected while this entry is the one booted.
bcdedit -set %ENTRY_GUID% nointegritychecks 1
bcdedit -set %ENTRY_GUID% testsigning 1
bcdedit -displayorder %ENTRY_GUID% -addlast
bcdedit -timeout 5
REM The patched entry becomes the default choice in the boot menu.
bcdedit -default %ENTRY_GUID%

ECHO.
ECHO Setting PEAUTH service to manual... (avoid BSOD at login screen)
ECHO.
sc config peauth start= demand

ECHO.
ECHO Complete!
ECHO.
PAUSE


patch.asm
; this creates patched copies of files %SystemRoot%\system32\winload.exe, %SystemRoot%\system32\ntoskrnl.exe, %SystemRoot%\system32\ntkrnlmp.exe


; 64-bit PE console application; image base 1 shl 32 (above the 4 GB boundary)
format PE64 console at (1 shl 32)
entry start


; Win64 API constants used below (MAX_PATH, GENERIC_READ, OPEN_EXISTING, ...)
; are not defined in this file and presumably come from this include;
; %fasminc% must point at the fasm include directory.
include '%fasminc%\win64a.inc'


section '.code' code readable executable


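align 10h
start:
;-----------------------------------------------------------------------
; Entry point.  Reads winload.exe and the kernel image (ntkrnlmp.exe, else
; ntoskrnl.exe) from the system directory into file_buf, applies the byte
; patches described by the fileNed descriptors, recomputes the PE checksum
; and writes the copies freeload.exe / goodkrnl.exe.  Prints SUCCESS or
; FAILED! on stdout and returns 0 in eax on every path.
; Register roles: ebx = size of the file currently in file_buf, later the
;                 pointer to the message to print.
; Stack: push rbx + 48 bytes = 32-byte shadow area plus the two stack
;        arguments WriteFile takes; rsp stays 16-aligned at each call.
;-----------------------------------------------------------------------
        push    rbx
        sub     rsp,8*(4+2)

; --- loader: winload.exe -> freeload.exe
        lea     rcx,[file0]
        call    read_system_file
        or      eax,eax
        mov     ebx,eax                         ; size of file (mov leaves ZF from the or)
        jz      exit_failed
        mov     edx,ebx                         ; size of the whole file
        lea     rcx,[file0ed]                   ; pointer to patching data
        call    patch_bytes
; patch_bytes rewrites only the first match and reports nothing back, so the
; same descriptor is applied three times to reach up to three occurrences;
; a call that finds no match is a silent no-op.
        mov     edx,ebx
        lea     rcx,[file3ed]
        call    patch_bytes
        mov     edx,ebx
        lea     rcx,[file3ed]
        call    patch_bytes
        mov     edx,ebx
        lea     rcx,[file3ed]
        call    patch_bytes
        mov     ecx,ebx                         ; size of the whole file
        call    reconstruct_crc                 ; PE header CheckSum of the patched image
        mov     edx,ebx                         ; size of the whole file
        lea     rcx,[file0n]
        call    write_system_file
        cmp     eax,ebx                         ; whole file written?
        jnz     exit_delete_file0n

; --- kernel: ntkrnlmp.exe, else ntoskrnl.exe -> goodkrnl.exe
        lea     rcx,[file1]
        call    read_system_file
        or      eax,eax
        mov     ebx,eax
        jnz     L0
        lea     rcx,[file2]
        call    read_system_file
        or      eax,eax
        mov     ebx,eax
        jz      exit_delete_file0n              ; FIX: was exit_failed, which left the freeload.exe copy behind
L0:     mov     edx,ebx
        lea     rcx,[file1ed]
        call    patch_bytes
        mov     edx,ebx
        lea     rcx,[file2ed]
        call    patch_bytes
        mov     edx,ebx
        lea     rcx,[file3ed]
        call    patch_bytes
        mov     edx,ebx
        lea     rcx,[file3ed]
        call    patch_bytes
        mov     edx,ebx
        lea     rcx,[file3ed]
        call    patch_bytes
        mov     ecx,ebx
        call    reconstruct_crc
        mov     edx,ebx
        lea     rcx,[file1n]
        call    write_system_file
        cmp     eax,ebx
        jz      exit_success
; fall through: the kernel copy is incomplete, remove both copies

exit_delete_file1n_file0n:
        lea     rcx,[file1n]
        call    [DeleteFileA]

exit_delete_file0n:
        lea     rcx,[file0n]
        call    [DeleteFileA]

exit_failed:
        lea     rbx,[msg_failed]
        jmp     exit_msg

exit_success:
        lea     rbx,[msg_success]

exit_msg:
; rbx -> message to print.
;STD_OUTPUT_HANDLE            = -11
;INVALID_HANDLE_VALUE          = -1
; push imm8 / pop is a shorter encoding than mov rcx,STD_OUTPUT_HANDLE
        push    STD_OUTPUT_HANDLE
        pop     rcx
        call    [GetStdHandle]
        push    rax
        pop     rcx                             ; hFile for WriteFile
if INVALID_HANDLE_VALUE = -1
        inc     rax                             ; ZF set exactly when rax was -1
else
        cmp     rax,INVALID_HANDLE_VALUE
end if
        jz      exit                            ; no stdout handle: skip the message

        and     qword [rsp + 8*(4+0)],0         ; lpOverlapped = NULL
        lea     r9,[rsp + 8*(4+1)]              ; lpNumberOfBytesWritten
        mov     r8d,msg_size                    ; nNumberOfBytesToWrite (same length for both messages)
        push    rbx
        pop     rdx                             ; lpBuffer = message
        call    [WriteFile]

exit:   xor     eax,eax                         ; 0 on every path, so a caller cannot distinguish success from failure
        add     rsp,8*(4+2)
        pop     rbx
        ret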


align 10h
read_system_file:
;-----------------------------------------------------------------------
; Read %SystemDirectory%\<filename> into file_buf.
;  in: rcx pointer to filename (copied with one 16-byte movdqu, so the
;      string including its terminator must fit in 16 bytes)
; out: eax file size (0 for error)
; At most file_buf_size bytes are requested from ReadFile; a larger file is
; truncated and the truncated length is returned with no error indication.
; Clobbers the volatile registers and xmm0; rbx/rbp/rsi/rdi are preserved.
; Stack: 4 pushes + 56 bytes = 32-byte shadow area plus three stack
;        arguments for CreateFileA; rsp is 16-aligned at each call.
;-----------------------------------------------------------------------
        push    rbx rbp rsi rdi
        sub     rsp,8*(4+3)

        xor     ebp,ebp                         ; result
        push    rcx
        pop     rsi                             ; filename

        lea     rdi,[filename]
        mov     ebx,MAX_PATH

        mov     edx,ebx                         ; uSize
        push    rdi
        pop     rcx                             ; lpBuffer
        call    [GetSystemDirectoryA]
        cmp     eax,ebx
        jnbe    read_system_file_finish         ; buffer too small (a 0 return, i.e. API failure, is not checked here)

        lea     rbx,[rdi+rax*1]                 ; rbx -> terminator of the directory string

;        mov     eax,'\'
; this is 2 bytes smaller:
        push    '\'
        pop     rax

        mov     [rbx],al                        ; append '\' ...
        cmp     [rbx-1],al
        setnz   al
        add     rbx,rax                         ; ... unless the directory already ends with one

        movdqu  xmm0,dqword [rsi]               ; copy 16 bytes of the name, terminator included
        movdqu  [rbx],xmm0

; CreateFileA(filename, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
;     and     qword [rsp+8*(4+2)],0                           ; hTemplateFile
        mov     dword [rsp+8*(4+1)],FILE_ATTRIBUTE_NORMAL       ; dwFlagsAndAttributes
        mov     dword [rsp+8*(4+0)],OPEN_EXISTING               ; dwCreationDisposition
        xor     r9,r9                                           ; lpSecurityAttributes
        xor     r8,r8                                           ; dwShareMode
        mov     edx,GENERIC_READ                                ; dwDesiredAccess
        push    rdi
        pop     rcx                                             ; lpFileName (rcx is volatile; reloaded after the call above)
        mov     [rsp+8*(4+2)],r9                                ; hTemplateFile
        call    [CreateFileA]

        push    rax
        pop     rsi                             ; rsi = file handle

if INVALID_HANDLE_VALUE = -1
        inc     rax                             ; ZF set exactly when rax was INVALID_HANDLE_VALUE
else
        cmp     rax,INVALID_HANDLE_VALUE
end if
        jz      read_system_file_finish         ; open failed: result stays 0

        mov     edi,file_buf_size

        and     qword [rsp + 8*(4+0)],0         ; lpOverlapped
        lea     r9,[rsp + 8*(4+2)]              ; lpNumberOfBytesRead
        mov     r8d,edi                         ; nNumberOfBytesToRead
        lea     rdx,[file_buf]
        push    rsi
        pop     rcx                             ; hFile
        call    [ReadFile]
        or      eax,eax
        jz      read_system_file_close_finish   ; read failed: result stays 0

        mov     ebp,[rsp + 8*(4+2)]             ; NumberOfBytesRead

read_system_file_close_finish:
        push    rsi
        pop     rcx
        call    [CloseHandle]

read_system_file_finish:
        mov     eax,ebp                         ; result into EAX
        add     rsp,8*(4+3)
        pop     rdi rsi rbp rbx
        ret


align 10h
patch_bytes:
;-----------------------------------------------------------------------
; Rewrite the first occurrence of a byte pattern inside file_buf.
;  in: rcx -> descriptor: db n, <n bytes to find>, db m, <m bytes to write>
;      rdx = number of valid bytes in file_buf
; out: nothing - there is no indication whether a match was found, so a
;      caller cannot tell a patched buffer from an untouched one.
; Only the first match is rewritten; the replacement is written over the
; start of the match and may be shorter than the pattern.  The first
; comparison is made before any bounds check, so a pattern longer than the
; data compares against bytes past rdx (still inside file_buf).
; Clobbers rax, rcx, r8, flags; clears DF.  rbx/rsi/rdi are preserved.
;-----------------------------------------------------------------------
        push    rbx rsi rdi
        push    rcx
        pop     rsi                             ; rsi -> descriptor
        cld
        lodsb                                   ; load size of bytes to find
        movzx   ebx,al                          ; rbx = pattern length
        lea     rdi,[file_buf]                  ; rdi = current search position
        lea     r8,[rdi+rdx]                    ; end of file

align 10h
patch_bytes_L0:
        push    rsi rdi
        mov     ecx,ebx
        repz cmpsb                              ; compare rbx bytes at rdi with the pattern
        pop     rdi rsi                         ; pop does not touch ZF, so the cmpsb result survives
        jz      patch_bytes_L4
        scasb                                   ; rdi+1 in 1-byte instruction (the compare itself is unused)
        lea     rax,[rdi+rbx*1]
        cmp     rax,r8
        jbe     patch_bytes_L0                  ; continue while rdi+len <= end
; end of file reached
        jmp     patch_bytes_L9

patch_bytes_L4:
; matching bytes found, patch them
        add     rsi,rbx                         ; skip the pattern; rsi -> replacement length
        lodsb                                   ; load size of bytes to be written
        movzx   ecx,al
        repz movsb                              ; copy the replacement over the match at rdi (same encoding as rep movsb)
patch_bytes_L9:
        pop     rdi rsi rbx
        ret


align 10h
reconstruct_crc:
;-----------------------------------------------------------------------
; Recompute the optional-header CheckSum of the PE image in file_buf so the
; patched copy carries a checksum matching its new contents.
; in:  ecx = size of file
; out: nothing; the image is left untouched unless it has an MZ header, a
;      PE signature, Machine = AMD64 and a PE32+ optional header.
; Clobbers rax, rcx, rdx, r8, r9, r10, flags.
; Algorithm: 16-bit word sum with the carry folded back after every word,
; plus the file length.  NOTE(review): a trailing odd byte is skipped (ecx is
; halved), the sum is not folded once more after the loop (matters only when
; it ends at exactly 10000h), and e_lfanew is not bounds-checked against the
; file size - confirm against the reference checksum routine before relying
; on the result for anything else.
;-----------------------------------------------------------------------

; Assembly-time layouts of the PE headers used below (no bytes are emitted here).
struct  IMAGE_DOS_HEADER
        e_magic                         rw      1       ; Magic number
        e_cblp                          rw      1       ; Bytes on last page of file
        e_cp                            rw      1       ; Pages in file
        e_crlc                          rw      1       ; Relocations
        e_cparhdr                       rw      1       ; Size of header in paragraphs
        e_minalloc                      rw      1       ; Minimum extra paragraphs needed
        e_maxalloc                      rw      1       ; Maximum extra paragraphs needed
        e_ss                            rw      1       ; Initial (relative) SS value
        e_sp                            rw      1       ; Initial SP value
        e_csum                          rw      1       ; Checksum
        e_ip                            rw      1       ; Initial IP value
        e_cs                            rw      1       ; Initial (relative) CS value
        e_lfarlc                        rw      1       ; File address of relocation table
        e_ovno                          rw      1       ; Overlay number
        e_res                           rw      4       ; Reserved words
        e_oemid                         rw      1       ; OEM identifier (for e_oeminfo)
        e_oeminfo                       rw      1       ; OEM information; e_oemid specific
        e_res2                          rw      10      ; Reserved words
        e_lfanew                        rd      1       ; File address of new exe header
ends
IMAGE_DOS_SIGNATURE                     =       'MZ'

struct  IMAGE_FILE_HEADER
        Machine                         rw      1
        NumberOfSections                rw      1
        TimeDateStamp                   rd      1
        PointerToSymbolTable            rd      1
        NumberOfSymbols                 rd      1
        SizeOfOptionalHeader            rw      1
        Characteristics                 rw      1
ends
IMAGE_SIZEOF_FILE_HEADER                =       sizeof.IMAGE_FILE_HEADER        ; = 20
IMAGE_FILE_MACHINE_AMD64                =       8664h   ; AMD64 (K8)

struct  IMAGE_DATA_DIRECTORY
        VirtualAddress                  rd      1
        Size                            rd      1
ends
IMAGE_NUMBEROF_DIRECTORY_ENTRIES        =       16

struct  IMAGE_OPTIONAL_HEADER64
; Standard fields.
        Magic                           rw      1
        MajorLinkerVersion              rb      1
        MinorLinkerVersion              rb      1
        SizeOfCode                      rd      1
        SizeOfInitializedData           rd      1
        SizeOfUninitializedData         rd      1
        AddressOfEntryPoint             rd      1
        BaseOfCode                      rd      1
; NT additional fields.
        ImageBase                       rq      1
        SectionAlignment                rd      1
        FileAlignment                   rd      1
        MajorOperatingSystemVersion     rw      1
        MinorOperatingSystemVersion     rw      1
        MajorImageVersion               rw      1
        MinorImageVersion               rw      1
        MajorSubsystemVersion           rw      1
        MinorSubsystemVersion           rw      1
        Win32VersionValue               rd      1
        SizeOfImage                     rd      1
        SizeOfHeaders                   rd      1
        CheckSum                        rd      1
        Subsystem                       rw      1
        DllCharacteristics              rw      1
        SizeOfStackReserve              rq      1
        SizeOfStackCommit               rq      1
        SizeOfHeapReserve               rq      1
        SizeOfHeapCommit                rq      1
        LoaderFlags                     rd      1
        NumberOfRvaAndSizes             rd      1
;  IMAGE_DATA_DIRECTORY    DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
        DataDirectory                   IMAGE_DATA_DIRECTORY
                                        rb      (IMAGE_NUMBEROF_DIRECTORY_ENTRIES-1)*(sizeof.IMAGE_DATA_DIRECTORY)
ends
IMAGE_SIZEOF_NT_OPTIONAL64_HEADER       =       240
IMAGE_NT_OPTIONAL_HDR64_MAGIC           =       020Bh

struct  IMAGE_NT_HEADERS64
        Signature                       rd      1
        FileHeader                      IMAGE_FILE_HEADER
        OptionalHeader                  IMAGE_OPTIONAL_HEADER64
ends
IMAGE_NT_SIGNATURE                      =       'PE'


; Header validation: bail out (leaving the buffer as is) on any mismatch.
        lea     rdx,[file_buf]
        cmp     [rdx+IMAGE_DOS_HEADER.e_magic],IMAGE_DOS_SIGNATURE
        jnz     reconstruct_crc_L9
        mov     eax,[rdx+IMAGE_DOS_HEADER.e_lfanew]
        add     rax,rdx                         ; rax -> IMAGE_NT_HEADERS64
        cmp     [rax+IMAGE_NT_HEADERS64.Signature],IMAGE_NT_SIGNATURE
        jnz     reconstruct_crc_L9
        cmp     [rax+IMAGE_NT_HEADERS64.FileHeader.Machine],IMAGE_FILE_MACHINE_AMD64
        jnz     reconstruct_crc_L9
        cmp     [rax+IMAGE_NT_HEADERS64.OptionalHeader.Magic],IMAGE_NT_OPTIONAL_HDR64_MAGIC
        jnz     reconstruct_crc_L9

; CRC
; erase original file crc (the CheckSum field itself is summed as zero)
        and     [rax+IMAGE_NT_HEADERS64.OptionalHeader.CheckSum],0
; ecx = size
; rdx = file_buf
        mov     r10d,ecx                        ; keep the file length for the final addition
        shr     ecx,1                           ; ecx = number of 16-bit words (odd trailing byte dropped)
        xor     r9d,r9d                         ; r9d stays zero-extended: only r9w is written below
        xor     r8d,r8d                         ; r8d = running sum
calculate_checksum:
        mov     r9w,[rdx]
        add     r8d,r9d
        mov     r9w,r8w                         ; fold: sum = (sum & 0FFFFh) + (sum >> 16)
        shr     r8d,16
        add     r8d,r9d
        add     rdx,2
        loop    calculate_checksum              ; ecx must be non-zero on entry; loop would otherwise run 2^32 times
        add     r8d,r10d                        ; + file length
        mov     [rax+IMAGE_NT_HEADERS64.OptionalHeader.CheckSum],r8d
; Checksum done

reconstruct_crc_L9:
        ret


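align 10h
write_system_file:
;-----------------------------------------------------------------------
; Write file_buf to %SystemDirectory%\<filename>, creating or truncating it.
;  in: rcx pointer to filename (copied with one 16-byte movdqu, so the
;      string including its terminator must fit in 16 bytes)
;      edx file size (0 for error)
; out: eax number of bytes written (0 for error)
; Clobbers the volatile registers and xmm0; rbx/rbp/rsi/rdi are preserved.
; Stack: 4 pushes + 56 bytes = 32-byte shadow area plus three stack
;        arguments for CreateFileA; rsp is 16-aligned at each call.
; Fixes vs. the original: rcx (volatile) is reloaded with the path before
; CreateFileA instead of relying on it surviving GetSystemDirectoryA; the
; oversize-path exit jumps to this function's own epilogue rather than into
; read_system_file; a 0 (failed) GetSystemDirectoryA result is treated as an
; error instead of creating the file relative to the current directory.
;-----------------------------------------------------------------------
        push    rbx rbp rsi rdi
        sub     rsp,8*(4+3)

        mov     ebx,edx                         ; size of file
        xor     ebp,ebp                         ; result
        push    rcx
        pop     rsi                             ; filename

        lea     rdi,[filename]

        mov     edx,MAX_PATH                    ; uSize
        push    rdi
        pop     rcx                             ; lpBuffer
        call    [GetSystemDirectoryA]
        cmp     eax,MAX_PATH
        jnbe    write_file_finish               ; buffer too small
        test    eax,eax
        jz      write_file_finish               ; API failure

        lea     rdx,[rdi+rax*1]                 ; rdx -> terminator of the directory string

; '\' via push/pop is 2 bytes smaller than mov eax,'\'
        push    '\'
        pop     rax

        mov     [rdx],al                        ; append '\' ...
        cmp     [rdx-1],al
        setnz   al
        add     rdx,rax                         ; ... unless the directory already ends with one

        movdqu  xmm0,dqword [rsi]               ; copy 16 bytes of the name, terminator included
        movdqu  [rdx],xmm0

; CreateFileA(filename, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)
        mov     dword [rsp+8*(4+1)],FILE_ATTRIBUTE_NORMAL       ; dwFlagsAndAttributes
        mov     dword [rsp+8*(4+0)],CREATE_ALWAYS               ; dwCreationDisposition
        xor     r9,r9                                           ; lpSecurityAttributes
        xor     r8,r8                                           ; dwShareMode
        mov     edx,GENERIC_WRITE                               ; dwDesiredAccess
        push    rdi
        pop     rcx                                             ; lpFileName (rcx is volatile; reload after the call above)
        mov     [rsp+8*(4+2)],r9                                ; hTemplateFile
        call    [CreateFileA]

        push    rax
        pop     rsi                             ; rsi = file handle

if INVALID_HANDLE_VALUE = -1
        inc     rax                             ; ZF set exactly when rax was INVALID_HANDLE_VALUE
else
        cmp     rax,INVALID_HANDLE_VALUE
end if
        jz      write_file_finish               ; create failed: result stays 0

        and     qword [rsp + 8*(4+0)],0         ; lpOverlapped
        lea     r9,[rsp + 8*(4+2)]              ; lpNumberOfBytesWritten
        mov     r8d,ebx                         ; nNumberOfBytesToWrite
        lea     rdx,[file_buf]
        push    rsi
        pop     rcx                             ; hFile
        call    [WriteFile]
        or      eax,eax
        jz      write_file_close_finish         ; write failed: result stays 0

        mov     ebp,[rsp + 8*(4+2)]             ; NumberOfBytesWritten

write_file_close_finish:
        push    rsi
        pop     rcx
        call    [CloseHandle]

write_file_finish:
        mov     eax,ebp                         ; result into EAX
        add     rsp,8*(4+3)
        pop     rdi rsi rbp rbx
        ret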

; File names relative to the system directory.  Each one is copied with a
; single 16-byte movdqu by read_system_file/write_system_file, so name plus
; terminator must not exceed 16 bytes.
file0           db      'winload.exe',0
file0n          db      'freeload.exe',0               ; patched copy of file0
file1           db      'ntkrnlmp.exe',0              ; kernel for SMP system (multiprocessor)
file1n          db      'goodkrnl.exe',0               ; patched copy of whichever kernel image was read
file2           db      'ntoskrnl.exe',0              ; kernel for 1 CPU system
; data to patch are the same for file1 as for file2

; Patch descriptors consumed by patch_bytes:
;   db  n, <n bytes to find>      - first occurrence in the file only
;   db  m, <m bytes to write>     - written over the start of the match
; patch_bytes gives no feedback, so a descriptor whose pattern is absent
; from a given build is silently skipped.
file0ed         db      file0r_size
 file0r:
        db      48h, 8Bh,0C4h, 53h, 55h, 57h, 41h, 54h ; bytes to find
        file0r_size = $ - file0r
        db      file0w_size
 file0w:
        mov     al,1
        ret
 ; nop ; not necessary
        file0w_size = $ - file0w
file1ed         db      file1r_size
 file1r:
        db      0Fh, 85h, 94h, 00h, 00h, 00h, 33h,0C0h ; bytes to find
        file1r_size = $ - file1r
        db      file1w_size
 file1w:
        nop
        db      0E9h                            ; opcode for jmp
        file1w_size = $ - file1w
file2ed         db      file2r_size
 file2r:
        db      74h, 07h,0B0h, 01h,0E9h, 68h, 2Dh, 00h ; bytes to find
        file2r_size = $ - file2r
        db      file2w_size
 file2w:
        nop
        nop
        file2w_size = $ - file2w
; file3: only the 4-byte "sar rax,48" below is searched for (the inc/cmp/jnbe
; that follow it at the three sites are left out of the pattern), so it is
; not unique to those sites; start applies it three times per file, and any
; other occurrence of the same instruction earlier in the image would be
; rewritten instead - a build-specific check of the result is advisable.
file3ed         db      file3r_size
 file3r:
;nt!MiIsAddressValid:
;fffff800`01707e20 488bc1          mov     rax,rcx
;fffff800`01707e23 48c1f830        sar     rax,30h
;fffff800`01707e27 48ffc0          inc     rax
;fffff800`01707e2a 4883f801        cmp     rax,1
;fffff800`01707e2e 0f878f000000    ja      nt!MiIsAddressValid+0xa3 (fffff800`01707ec3)
;nt!MmIsSpecialPoolAddress+0x23:
;fffff800`0169fbff 488bc2          mov     rax,rdx
;fffff800`0169fc02 48c1f830        sar     rax,30h
;fffff800`0169fc06 48ffc0          inc     rax
;fffff800`0169fc09 4883f801        cmp     rax,1
;fffff800`0169fc0d 7761            ja      nt!MmIsSpecialPoolAddress+0x94 (fffff800`0169fc70)
;nt!MmAccessFault+0x29:
;fffff800`016e8c09 4c8bea          mov     r13,rdx
;fffff800`016e8c0c 48c1f830        sar     rax,30h
;fffff800`016e8c10 4c8bf9          mov     r15,rcx
;fffff800`016e8c13 48ffc0          inc     rax
;fffff800`016e8c16 4883f801        cmp     rax,1
;fffff800`016e8c1a 0f871c3a0600    ja      nt! ?? ::FNODOBFM::`string'+0x40990 (fffff800`0174c63c)
        sar     rax,48                  ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
;       inc     rax
;       cmp     rax,1
;       jnbe    noncanonical_va         ; bytes to find
        file3r_size = $ - file3r
        db      file3w_size
 file3w:
        sar     rax,47                  ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
        file3w_size = $ - file3w

; Console messages.  exit_msg always writes msg_size bytes whichever message
; is selected, so msg_size is the larger of the two lengths (both are 8 bytes
; here; a shorter message would be followed by whatever bytes come after it).
msg_success     db      'SUCCESS',0Ah
msg_size        =       $ - msg_success
msg_failed      db      'FAILED!',0Ah
a               =       $ - msg_failed
if a > msg_size
msg_size = a
end if


section '.idata' import data readable writeable

; One import descriptor for KERNEL32.DLL followed by the all-zero terminator.
; Fields: OriginalFirstThunk (0 - no separate lookup table, the loader
; presumably resolves through kernel_table directly), TimeDateStamp,
; ForwarderChain, Name, FirstThunk.
                                dd      0,0,0,RVA kernel_name,  RVA kernel_table
                                dd      0,0,0,0,0

; Import address table: each slot is replaced by the function address at
; load time, hence the indirect "call [Name]" form used in .code.
kernel_table:
CloseHandle                     dq      RVA _CloseHandle
CreateFileA                     dq      RVA _CreateFileA
DeleteFileA                     dq      RVA _DeleteFileA
GetStdHandle                    dq      RVA _GetStdHandle
GetSystemDirectoryA             dq      RVA _GetSystemDirectoryA
ReadFile                        dq      RVA _ReadFile
WriteFile                       dq      RVA _WriteFile
                                dq      0                       ; end of table

kernel_name                     db      'KERNEL32.DLL',0

; Import-by-name entries: 2-byte hint (0) followed by the exported name.
; kernel32.dll:
_CloseHandle                    db      0,0,'CloseHandle',0
_CreateFileA                    db      0,0,'CreateFileA',0
_DeleteFileA                    db      0,0,'DeleteFileA',0
_GetStdHandle                   db      0,0,'GetStdHandle',0
_GetSystemDirectoryA            db      0,0,'GetSystemDirectoryA',0
_ReadFile                       db      0,0,'ReadFile',0
_WriteFile                      db      0,0,'WriteFile',0


section '.data' data readable writeable

; Scratch path buffer: system directory (up to MAX_PATH) + '\' + the 16-byte
; name copy made by read_system_file/write_system_file.
filename                        rb      (MAX_PATH+12+16)

file_buf_size                   =       16*1024*1024            ; 16 MB should be enough
; Whole-file buffer shared by read_system_file, patch_bytes, reconstruct_crc
; and write_system_file.  read_system_file requests at most file_buf_size
; bytes, so an image larger than this would be silently truncated.
file_buf                        rb      file_buf_size



the patch.exe changes this:
winload.exe
.text:00000000004057E8 OslInitializeCodeIntegrity proc near    ; CODE XREF: OslpMain+61Cp
.text:00000000004057E8                                         ; DATA XREF: .pdata:00000000004B2168o
.text:00000000004057E8
.text:00000000004057E8 var_58          = qword ptr -58h
.text:00000000004057E8 var_50          = dword ptr -50h
.text:00000000004057E8 var_48          = dword ptr -48h
.text:00000000004057E8 var_38          = qword ptr -38h
.text:00000000004057E8 arg_8           = qword ptr  10h
.text:00000000004057E8 arg_18          = qword ptr  20h
.text:00000000004057E8
.text:00000000004057E8                 mov     rax, rsp               ; db 48h,8Bh,0C4h -> db 0B0,01h,0C3h = mov al,1 \ ret
.text:00000000004057EB                 push    rbx
.text:00000000004057EC                 push    rbp
.text:00000000004057ED                 push    rdi
.text:00000000004057EE                 push    r12
.text:00000000004057F0                 push    r13
.text:00000000004057F2                 sub     rsp, 50h
.text:00000000004057F6                 xor     r13d, r13d
.text:00000000004057F9                 mov     r12d, ecx
.text:00000000004057FC                 lea     r8, [rax+18h]
.text:0000000000405800                 lea     rcx, BlpApplicationEntry
.text:0000000000405807                 lea     rdx, [rax+10h]
.text:000000000040580B                 mov     [rax+20h], r13
.text:000000000040580F                 mov     rdi, r13
.text:0000000000405812                 mov     [rax-38h], r13
.text:0000000000405816                 call    BlImgQueryCodeIntegrityBootOptions





ntoskrnl.exe
PAGE:00000001403EAA60 SepInitializeCodeIntegrity proc near    ; CODE XREF: SepInitializationPhase1+231p
PAGE:00000001403EAA60
PAGE:00000001403EAA60 arg_0           = qword ptr  8
PAGE:00000001403EAA60
PAGE:00000001403EAA60                 mov     [rsp+arg_0], rbx
PAGE:00000001403EAA65                 push    rdi
PAGE:00000001403EAA66                 sub     rsp, 20h
PAGE:00000001403EAA6A                 xor     ebx, ebx
PAGE:00000001403EAA6C                 cmp     cs:InitIsWinPEMode, bl
PAGE:00000001403EAA72                 jnz     loc_1403EAB0C               ; db 0Fh,85h,94h,0,0,0 -> db 90,0E9h,94h,0,0,0 = nop \ jmp loc_1403EAB0C
PAGE:00000001403EAA78                 xor     eax, eax
PAGE:00000001403EAA7A                 mov     cs:g_CiEnabled, 1
PAGE:00000001403EAA81                 lea     edi, [rbx+6]
PAGE:00000001403EAA84                 mov     cs:g_CiCallbacks, rax
PAGE:00000001403EAA8B                 mov     cs:qword_14021EE48, rax
PAGE:00000001403EAA92                 mov     cs:qword_14021EE50, rax
PAGE:00000001403EAA99                 mov     rax, cs:qword_1402A8120
PAGE:00000001403EAAA0                 cmp     rax, rbx
PAGE:00000001403EAAA3                 jz      short loc_1403EAAF7
PAGE:00000001403EAAA5                 cmp     [rax+98h], rbx
PAGE:00000001403EAAAC                 jz      short loc_1403EAAEE
PAGE:00000001403EAAAE                 mov     rcx, [rax+98h]
PAGE:00000001403EAAB5                 lea     rdx, ??_C@_0BJ@KFBEEMJI@DISABLE_INTEGRITY_CHECKS?$AA@NNGAKEGL@
PAGE:00000001403EAABC                 call    SepIsOptionPresent
PAGE:00000001403EAAC1                 mov     rcx, cs:qword_1402A8120
PAGE:00000001403EAAC8                 lea     rdx, ??_C@_0M@LNFBLGLD@TESTSIGNING?$AA@NNGAKEGL@
PAGE:00000001403EAACF                 mov     rcx, [rcx+98h]
PAGE:00000001403EAAD6                 cmp     eax, ebx
PAGE:00000001403EAAD8                 cmovnz  edi, ebx
PAGE:00000001403EAADB                 call    SepIsOptionPresent
PAGE:00000001403EAAE0                 cmp     eax, ebx
PAGE:00000001403EAAE2                 mov     rax, cs:qword_1402A8120
PAGE:00000001403EAAE9                 jz      short loc_1403EAAEE
PAGE:00000001403EAAEB                 or      edi, 8
PAGE:00000001403EAAEE
PAGE:00000001403EAAEE loc_1403EAAEE:                          ; CODE XREF: SepInitializeCodeIntegrity+4Cj
PAGE:00000001403EAAEE                                         ; SepInitializeCodeIntegrity+89j
PAGE:00000001403EAAEE                 cmp     rax, rbx
PAGE:00000001403EAAF1                 jz      short loc_1403EAAF7
PAGE:00000001403EAAF3                 lea     rbx, [rax+30h]
PAGE:00000001403EAAF7
PAGE:00000001403EAAF7 loc_1403EAAF7:                          ; CODE XREF: SepInitializeCodeIntegrity+43j
PAGE:00000001403EAAF7                                         ; SepInitializeCodeIntegrity+91j
PAGE:00000001403EAAF7                 lea     r8, g_CiCallbacks
PAGE:00000001403EAAFE                 mov     rdx, rbx
PAGE:00000001403EAB01                 mov     ecx, edi
PAGE:00000001403EAB03                 call    CiInitialize
PAGE:00000001403EAB08                 mov     ebx, eax
PAGE:00000001403EAB0A                 jmp     short loc_1403EAB12
PAGE:00000001403EAB0C ; ---------------------------------------------------------------------------
PAGE:00000001403EAB0C
PAGE:00000001403EAB0C loc_1403EAB0C:                          ; CODE XREF: SepInitializeCodeIntegrity+12j
PAGE:00000001403EAB0C                 mov     cs:g_CiEnabled, bl
PAGE:00000001403EAB12
PAGE:00000001403EAB12 loc_1403EAB12:                          ; CODE XREF: SepInitializeCodeIntegrity+AAj
PAGE:00000001403EAB12                 mov     eax, ebx
PAGE:00000001403EAB14                 mov     rbx, [rsp+28h+arg_0]
PAGE:00000001403EAB19                 add     rsp, 20h
PAGE:00000001403EAB1D                 pop     rdi
PAGE:00000001403EAB1E                 retn
PAGE:00000001403EAB1E SepInitializeCodeIntegrity endp
PAGE:00000001403EAB1E
PAGE:00000001403EAB1E ; ---------------------------------------------------------------------------





ntoskrnl.exe
INIT:0000000140561340 ; =============== S U B R O U T I N E =======================================
INIT:0000000140561340
INIT:0000000140561340
INIT:0000000140561340 sub_140561340   proc near               ; CODE XREF: KiFilterFiberContext+FFp
INIT:0000000140561340                                         ; KiFilterFiberContext+187p
INIT:0000000140561340
INIT:0000000140561340 var_F78         = qword ptr -0F78h
INIT:0000000140561340 var_F70         = qword ptr -0F70h
INIT:0000000140561340 var_F68         = qword ptr -0F68h
INIT:0000000140561340 var_F60         = qword ptr -0F60h
INIT:0000000140561340 var_F58         = dword ptr -0F58h
...
...
...
INIT:0000000140561340 var_48          = byte ptr -48h
INIT:0000000140561340 arg_0           = dword ptr  8
INIT:0000000140561340 arg_8           = dword ptr  10h
INIT:0000000140561340 arg_10          = dword ptr  18h
INIT:0000000140561340 arg_18          = qword ptr  20h
INIT:0000000140561340
INIT:0000000140561340                 mov     [rsp+arg_10], r8d
INIT:0000000140561345                 mov     [rsp+arg_8], edx
INIT:0000000140561349                 mov     [rsp+arg_0], ecx
INIT:000000014056134D                 push    rbx
INIT:000000014056134E                 push    rbp
INIT:000000014056134F                 push    rsi
INIT:0000000140561350                 push    rdi
INIT:0000000140561351                 push    r12
INIT:0000000140561353                 push    r13
INIT:0000000140561355                 push    r14
INIT:0000000140561357                 push    r15
INIT:0000000140561359                 sub     rsp, 0F58h
INIT:0000000140561360                 xor     edi, edi
INIT:0000000140561362                 cmp     cs:InitSafeBootMode, edi
INIT:0000000140561368                 jz      short loc_140561371               ; db 74h,7 -> db 90h,90h = nop \ nop
INIT:000000014056136A                 mov     al, 1
INIT:000000014056136C                 jmp     loc_1405640D9
INIT:0000000140561371 ; ---------------------------------------------------------------------------
INIT:0000000140561371
INIT:0000000140561371 loc_140561371:                          ; CODE XREF: sub_140561340+28j
INIT:0000000140561371                 lea     rbx, FsRtlUninitializeSmallMcb
INIT:0000000140561378                 lea     rdx, [rsp+0F98h+var_E40]
INIT:0000000140561380                 mov     rcx, rbx
INIT:0000000140561383                 call    RtlPcToFileHeader
INIT:0000000140561388                 cmp     rax, rdi
INIT:000000014056138B                 jz      loc_1405640D7
INIT:0000000140561391                 mov     rcx, [rsp+0F98h+var_E40]
INIT:0000000140561399                 call    RtlImageNtHeader
INIT:000000014056139E                 cmp     rax, rdi
INIT:00000001405613A1                 jz      loc_1405640D7
...
...
...
INIT:00000001405640D9 loc_1405640D9:                          ; CODE XREF: sub_140561340+2Cj
INIT:00000001405640D9                                         ; sub_140561340+9C36j
INIT:00000001405640D9                 add     rsp, 0F58h
INIT:00000001405640E0                 pop     r15
INIT:00000001405640E2                 pop     r14
INIT:00000001405640E4                 pop     r13
INIT:00000001405640E6                 pop     r12
INIT:00000001405640E8                 pop     rdi
INIT:00000001405640E9                 pop     rsi
INIT:00000001405640EA                 pop     rbp
INIT:00000001405640EB                 pop     rbx
INIT:00000001405640EC                 retn





ntoskrnl.exe
.text:0000000140123C50                 public MmIsAddressValid
.text:0000000140123C50 MmIsAddressValid proc near              ; CODE XREF: KeValidateBugCheckCallbackRecord+58p
.text:0000000140123C50                                         ; KeValidateBugCheckCallbackRecord+9Ep ...
.text:0000000140123C50                 xor     edx, edx
.text:0000000140123C52                 jmp     MiIsAddressValid
.text:0000000140123C52 MmIsAddressValid endp
...
...
...
.text:00000001400AAE20 MiIsAddressValid proc near              ; CODE XREF: RtlpWalkFrameChain+13Ap
.text:00000001400AAE20                                         ; MmAccessFault-6DB6Dp ...
.text:00000001400AAE20                 mov     rax, rcx
.text:00000001400AAE23                 sar     rax, 30h        ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
                                                               ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
.text:00000001400AAE27                 inc     rax
.text:00000001400AAE2A                 cmp     rax, 1
.text:00000001400AAE2E                 ja      loc_1400AAEC3





ntoskrnl.exe
.text:0000000140042BDC MmIsSpecialPoolAddress proc near        ; CODE XREF: ExReturnPoolQuota:loc_140026DF6p
.text:0000000140042BDC                                         ; ExProtectPool+25p ...
.text:0000000140042BDC
.text:0000000140042BDC ; FUNCTION CHUNK AT .text:00000001400C76C7 SIZE 0000006B BYTES
.text:0000000140042BDC
                                                               ; rcx = address to classify. The listing is cut after the
                                                               ; canonical-form test; both early-out branches go to
                                                               ; loc_140042C70, which is outside this excerpt.
.text:0000000140042BDC                 sub     rsp, 28h        ; 28h = 32-byte home space + 8 so rsp stays 16-aligned at calls (presumably later in the function, not shown)
.text:0000000140042BE0                 mov     rax, 98000000000h
.text:0000000140042BEA                 mov     rdx, rcx        ; rdx = address (kept; rcx is reused for a constant below)
.text:0000000140042BED                 add     rax, rcx        ; rax = address + 98000000000h (mod 2^64)
.text:0000000140042BF0                 mov     rcx, 7FFFFFFFFFh
.text:0000000140042BFA                 cmp     rax, rcx
.text:0000000140042BFD                 jbe     short loc_140042C70 ; unsigned: true iff address is in [0FFFFF68000000000h, 0FFFFF6FFFFFFFFFFh] (computed from the two constants; what that 512 GB window is for is not shown here)
.text:0000000140042BFF                 mov     rax, rdx        ; rax = address again
.text:0000000140042C02                 sar     rax, 30h        ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
                                                               ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
                                                               ; Same flawed test as in MiIsAddressValid: the shift by 48
                                                               ; leaves only bits 63..48 in rax, so uniformity is checked
                                                               ; for those 16 bits alone and bit 47 is excluded.
.text:0000000140042C06                 inc     rax             ; 0 or 1 iff the shifted value was -1 or 0
.text:0000000140042C09                 cmp     rax, 1
.text:0000000140042C0D                 ja      short loc_140042C70 ; top 16 bits not uniform -> early out





ntoskrnl.exe
.text:000000014008BBE0 MmAccessFault   proc near               ; CODE XREF: MiCheckProtoPtePageState-5BA2Cp
.text:000000014008BBE0                                         ; MiDeletePerSessionProtos+85p ...
.text:000000014008BBE0
...
...
...
                                                               ; Prologue only; the listing is cut at the first branch.
                                                               ; Register roles after the prologue: r15 = rcx (1st arg),
                                                               ; r13 = rdx (2nd arg -- the address whose canonical form is
                                                               ; tested below), r12 = r9 (4th arg); r8 (3rd arg) is not
                                                               ; touched in this excerpt. rbp = 64-byte aligned frame base.
.text:000000014008BBE0                 mov     [rsp-8+var_B8], rbx ; rbx is saved to a stack slot rather than pushed
.text:000000014008BBE5                 push    rbp
.text:000000014008BBE6                 push    rsi
.text:000000014008BBE7                 push    rdi
.text:000000014008BBE8                 push    r12
.text:000000014008BBEA                 push    r13
.text:000000014008BBEC                 push    r14
.text:000000014008BBEE                 push    r15             ; seven pushes = 38h bytes of callee-saved registers
.text:000000014008BBF0                 sub     rsp, 120h       ; locals; 38h + 120h = 158h below entry rsp (8 mod 16, so rsp is now 16-aligned)
.text:000000014008BBF7                 lea     rbp, [rsp+80h]
.text:000000014008BBFF                 and     rbp, 0FFFFFFFFFFFFFFC0h ; clear the low 6 bits: rbp is 64-byte aligned
.text:000000014008BC03                 mov     rax, rdx        ; rax = address (scratch copy for the check)
.text:000000014008BC06                 mov     r12, r9
.text:000000014008BC09                 mov     r13, rdx
.text:000000014008BC0C                 sar     rax, 30h        ; mistake, noncanonical addresses like 0000800000000000h, FFFF7FFFFFFFFFFFh may pass the check
                                                               ; virtual memory is in canonical form if bit 47 is sign extended into bits 63-48
                                                               ; Third instance of the same test (see MiIsAddressValid):
                                                               ; only bits 63..48 are required to be uniform; bit 47 is
                                                               ; left out of the comparison.
.text:000000014008BC10                 mov     r15, rcx        ; interleaved with the check; rax still holds the shifted value
.text:000000014008BC13                 inc     rax             ; 0 or 1 iff the shifted value was -1 or 0
.text:000000014008BC16                 cmp     rax, 1
.text:000000014008BC1A                 ja      loc_1400EF63C    ; top 16 bits not uniform -> out-of-line path (target outside this excerpt)


Description: executables to patch ms windows 2008 R2 x64 / windows 7 x64
Warning: the executables are attached only for lazy people... whoever is unable to compile them shouldn't execute such files...

Filename: patch.zip
Filesize: 8.18 KB

alorent



Joined: 05 Dec 2005
Posts: 221
alorent 17 Mar 2010, 15:03
Thanks for sharing it Feryno! Very interesting! Very Happy
DOS386



Joined: 08 Dec 2006
Posts: 1905
DOS386 18 Mar 2010, 07:05
> flat assembler > OS Construction > Control registers analisys with C.R.A.D.
> http://board.flatassembler.net/topic.php?t=11028
> I made a NT kernel driver that analize all the
> His great work should be placed here in windows section of FASM

Just move the other thread Wink
Feryno



Joined: 23 Mar 2005
Posts: 514
Location: Czech republic, Slovak republic
Feryno 19 Mar 2010, 08:34
Because you typically make this kernel modification when you are developing drivers, you usually need the kernel debugger to work.
The kernel debugger starts to work correctly only after you copy some settings from the original BCD entry to the new one.

On my PC, the kernel debugger started to work after copying inherit, recoverysequence and resumeobject and after enabling recoveryenabled and debug
(enabling only debug was not enough — the kernel debugger refused to start — so I copied more settings and then it worked fine; I didn't investigate which settings were really important)

The ID {1c3c86c2-91b8-11de-bec5-f004abeee140} may be different on your PC; the settings should look like:

Code:
C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {1c3c86c2-91b8-11de-bec5-f004abeee140}
displayorder            {1c3c86c3-91b8-11de-bec5-f004abeee140}
                        {current}
toolsdisplayorder       {memdiag}
timeout                 5

Windows Boot Loader
-------------------
identifier              {1c3c86c3-91b8-11de-bec5-f004abeee140}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2008 R2
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {1c3c86c4-91b8-11de-bec5-f004abeee140}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {1c3c86c2-91b8-11de-bec5-f004abeee140}
nx                      OptOut
debug                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\freeload.exe
description             DriverSigning&PatchGuard Disabled
inherit                 {bootloadersettings}
recoverysequence        {1c3c86c2-91b8-11de-bec5-f004abeee140}
recoveryenabled         Yes
nointegritychecks       Yes
testsigning             Yes
osdevice                partition=C:
systemroot              \Windows
kernel                  goodkrnl.exe
resumeobject            {1c3c86c2-91b8-11de-bec5-f004abeee140}
nx                      OptOut
debug                   Yes    