MmGetSystemRoutineAddress : forwards on vista
deroko
December 31st, 2007, 10:51
Very frustrating when you figure that this export can't resolve forwarded APIs. Here is one example from Vista:
Code:
.edata:8002F485 ; Exported entry 1. ExAcquireFastMutex
.edata:8002F485 public ExAcquireFastMutex
.edata:8002F485 ExAcquireFastMutex db 'ntoskrnl.ExiAcquireFastMutex',0
.edata:8002F4A2 aExreleasefastm db 'ExReleaseFastMutex',0
.edata:8002F4B5 ; Exported entry 2. ExReleaseFastMutex
.edata:8002F4B5 public ExReleaseFastMutex
.edata:8002F4B5 ExReleaseFastMutex db 'ntoskrnl.ExiReleaseFastMutex',0
.edata:8002F4D2 aExtrytoacquire db 'ExTryToAcquireFastMutex',0
.edata:8002F4EA ; Exported entry 3. ExTryToAcquireFastMutex
.edata:8002F4EA public ExTryToAcquireFastMutex
.edata:8002F4EA ExTryToAcquireFastMutex db 'ntoskrnl.ExiTryToAcquireFastMutex',0
When you use MmGetSystemRoutineAddress it will return to you the address of the string. It won't resolve the forwarded API properly.
The best way is to use your own MmGetSystemRoutineAddress instead of the one provided by the Windows kernel...
blabberer
December 31st, 2007, 12:00
MmGetSystemRoutineAddress is broken in many Windows versions; it can cause BSODs.
It was said that this bug was fixed in Vista.
I came to know of this bug while checking out Kayaker's disassembler SysDasm.
OSR Online recommended using AuxKlibQueryModuleInformation, which is supposed to return the same information.
Quote:
Another possible work-around (and the one we've chosen to use here at OSR) is to write your own version of MmGetSystemRoutineAddress. Believe it or not, you can even do it with documented DDIs... Check out the AuxKlibQueryModuleInformation (which is implemented in a static library that's only present in the Vista build environment of the WDK). The comment in brackets was thrown down by Doron Holan, stating that this DDI is backward compatible up to W2K (it is used a lot in the KMDF framework; search the OSR Online mailing lists).
http://kernelmustard.com/2007/06/05/a-documented-way-to-get-loaded-modules/
deroko
December 31st, 2007, 20:02
Yup, while I was trying to resolve this problem a month ago I stumbled across this article: http://www.osronline.com/article.cfm?article=494, but they only mention that MmGetSystemRoutineAddress won't return NULL on failure. But the problem I faced was when I searched for ExAcquireFastMutex on Vista: it returned the entry in hal.dll, but on Vista hal.dll!ExAcquireFastMutex is forwarded to ntoskrnl.exe, and MmGetSystemRoutineAddress couldn't resolve it.

Instead I received the ntoskrnl.ExiAcquireFastMutex string, which caused a BSOD when trying to call the retrieved pointer.

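A check a driver author would want after reading the two posts above, as an added example (a hypothetical helper, not code from this thread or from any tool named in it): a resolved export whose address lies inside the export directory is a forwarder, so the helper splits the "Module.Function" string instead of letting the caller jump to it. The .edata bytes are constructed from the strings quoted in the first post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not code from the thread. A naive resolver returns
 * whatever the export address table holds; for a forwarded export that is
 * the RVA of an ASCII string "Module.Function" (or "Module.#Ordinal") that
 * lives inside the export directory itself. Calling it is what BSODs. */
typedef struct {
    char module[64];     /* e.g. "ntoskrnl" (the string carries no extension) */
    char function[128];  /* e.g. "ExiAcquireFastMutex", or "#12" for an ordinal */
} forward_target;

/* Returns 0 for real code, 1 for a parsed forwarder, -1 for a malformed
 * forwarder string. edata/edata_len bound the export directory; ptr is the
 * address the export table resolved to. */
int classify_export(const uint8_t *edata, size_t edata_len,
                    const void *ptr, forward_target *out)
{
    const uint8_t *p = (const uint8_t *)ptr;
    if (p < edata || p >= edata + edata_len)
        return 0;                                  /* outside .edata: code */
    /* Bounded scan: the string must terminate inside the export directory. */
    size_t room = (size_t)(edata + edata_len - p), n = 0;
    while (n < room && p[n] != '\0') n++;
    if (n == room) return -1;                      /* unterminated string */
    const char *s = (const char *)p, *dot = memchr(s, '.', n);
    if (!dot || dot == s || dot == s + n - 1) return -1;
    size_t mlen = (size_t)(dot - s), flen = n - mlen - 1;
    if (mlen >= sizeof out->module || flen >= sizeof out->function) return -1;
    memcpy(out->module, s, mlen);         out->module[mlen] = '\0';
    memcpy(out->function, dot + 1, flen); out->function[flen] = '\0';
    return 1;                                      /* resolve module!function */
}

/* Constructed stand-in for the Vista hal.dll .edata listing in the thread. */
static const uint8_t fake_edata[] =
    "ntoskrnl.ExiAcquireFastMutex\0ExReleaseFastMutex\0ntoskrnl.ExiReleaseFastMutex";

/* Returns 1 if the ExAcquireFastMutex entry is flagged as a forwarder to
 * ntoskrnl!ExiAcquireFastMutex, i.e. exactly the case the thread describes. */
int demo_vista_hal(void)
{
    forward_target t;
    int r = classify_export(fake_edata, sizeof fake_edata, fake_edata, &t);
    if (r == 1)
        printf("forwarder -> %s!%s (do not call the string address)\n", t.module, t.function);
    return r == 1 && strcmp(t.module, "ntoskrnl") == 0
                  && strcmp(t.function, "ExiAcquireFastMutex") == 0;
}
```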
dELTA
January 1st, 2008, 08:50
"Kayakers disassembler sysdasm"?
Exactly what is that, and why isn't it in the collaborative RCE tool library?

blabberer
January 1st, 2008, 10:41
Quote:
"Kayakers disassembler sysdasm"?
Exactly what is that,
So you only preach, don't practise?
What happened to the favourite search function?
Quote:
Showing results 1 to 3 of 3
Search took 0.06 seconds. Search: Key Word(s): sysdasm
Thread / Thread Starter Last Post Replies Views Forum
MmGetSystemRoutineAddress : forwards on vista
deroko 01-01-2008 08:50 AM
by dELTA 3 65 Blogs Forum
Detouring DriverEntry / Self Debugging
naides 12-07-2006 06:34 AM
by blabberer 3 597 Advanced reversing and programming
Ring 0 anti-debugger code in Daemon Tools? ( 1 2 3 4)
dELTA 11-20-2006 08:28 AM
by autarky 63 8,665 Advanced reversing and programming
http://www.woodmann.com/forum/showpost.php?p=61447&postcount=33
google
http://rootkit.com/newsread.php?newsid=208
dELTA
January 1st, 2008, 12:31
Actually, Google only gave me two results, out of which one was this thread, and the other was something irrelevant. Guess I shouldn't always trust Google over the local search engine then, but I still don't know where you got that rootkit URL from?
blabberer
January 2nd, 2008, 12:41
google = all search engines
try dicy.com or gigablast
JMI
January 2nd, 2008, 13:09
Hey, more search engines. Who'd a thunk it.
Regards,
Kayaker
January 2nd, 2008, 17:56
dicy.com
I never thought I'd see my nick next to a fricken flower petal on a search engine. How truly bizarre.
That's a nice search engine though, definitely bookmark material.
naides
January 2nd, 2008, 18:48
JMI
January 2nd, 2008, 18:50
What if he wears a flower in his hair? As in the song from the '60s.
Regards,
dELTA
January 3rd, 2008, 04:33
It's posted on CRCETL now, and updates should be possible to follow from there:
http://www.woodmann.com/collaborative/tools/SysDasm
Btw Kayaker, in the rootkit.com article you mention a similar user mode library of yours, also based on NDISASM, would you mind adding this to CRCETL too?