Log in

View Full Version : nonintrusive tracer on x64

deroko
June 21st, 2008, 09:56
Well time has come to dig a little bit into x64 systems, and to move our lovely tools and ideas to that system.

Lets have a look at KiUserExceptionDispatcher from ntdll.dll:

Code:
.text:0000000077EF31B0                 public KiUserExceptionDispatcher

.text:0000000077EF31B0 KiUserExceptionDispatcher:              

.text:0000000077EF31B0                 mov     rax, cs:Wow64PrepareForException

.text:0000000077EF31B7                 test    rax, rax

.text:0000000077EF31BA                 jz      short loc_77EF31CB

.text:0000000077EF31BC                 mov     rcx, rsp

.text:0000000077EF31BF                 add     rcx, 4D0h

.text:0000000077EF31C6                 mov     rdx, rsp

.text:0000000077EF31C9                 call    rax ; Wow64PrepareForException

.text:0000000077EF31CB

.text:0000000077EF31CB loc_77EF31CB:                         

.text:0000000077EF31CB                 mov     rcx, rsp

.text:0000000077EF31CE                 add     rcx, 4D0h

.text:0000000077EF31D5                 mov     rdx, rsp

.text:0000000077EF31D8                 call    RtlDispatchException

.text:0000000077EF31DD                 test    al, al

.text:0000000077EF31DF                 jz      short loc_77EF31ED

.text:0000000077EF31E1                 mov     rcx, rsp

.text:0000000077EF31E4                 xor     edx, edx

.text:0000000077EF31E6                 call    RtlRestoreContext


Wow64PrepareForException is used only when loading wow64 process, so in "native x64" environment this variable is set to 0, and we can use that variable to write our own SEH handler in asm or nonintrusive tracer. Well let's cut to the point and see some real code:

Code:
                        mov     rax, KiUserExceptionDispatcher

                        xor     rbx, rbx

                        mov     ebx, dword ptr[rax+3]

                        add     rbx, rax

                        add     rbx, 7



                        mov     rax, offset __mykiuser

                        mov     [rbx], rax

                        

                        xor     rax, rax

                        mov     [rax], rax

                        

                        xor     r9, r9

                        mov     r8, offset szntdll

                        mov     rdx, offset szkiuser

                        mov     rcx, 0

                        callW   MessageBoxA

                        xor     rcx, rcx

                        callW   ExitProcess

                        

__mykiuser:             add     qword ptr[rdx+0F8h], 3

                        mov     rcx, rdx

                        xor     rdx, rdx

                        callW   RtlRestoreContext

If everything worked as planned, MessageBoxA will be shown... simple isn't it
dELTA
June 21st, 2008, 16:11
Evil stuff deroko, as usual.