BanMe
July 30th, 2009, 21:21
Currently restructuring a lot of the code to fix small bugs, revising my implementation approach to attain more dynamically generic methods..
for instance
CallOutRecaptureRoutine's 2nd call bug fixed when the thread resumed in RecaptureThread..
i.e. it resumed at LEAVE...for all you asm'ers out there..
for all you less understanding it, the thread resumed at the part where it cleaned the registers it used to perform the function...that wasn't good..but I learned..as options I thought of to fix that mess, I was going to use a third event, to wait upon signal of the parameters being ready, and just after the Wait use
Code:
__asm
{
push CalloutRecaptureRoutine // fake a return address
ret // "return" into the routine without touching any register
}
just after the wait to ensure no registers were modified or stack cleaning happened.. but I didn't like 'all of' that idea..
so I trudged on..almost arriving at 'not' implementing a recycler..
as can be seen by this code..that was going to replace RecaptureThread..
Code:
void ReCreateThread()
{
NTSTATUS Status = 0;
HANDLE Thread = INVALID_HANDLE_VALUE;
CLIENT_ID Cid = {0};
SIN32_HANDLE_TABLE_ENTRY *HandleEntry = 0;
//create the replacement thread suspended at CallOutHandlerRoutine
Status = RtlCreateUserThread(NtCurrentProcess(),0,true,0,0x4096,0x4096,(PUSER_THREAD_START_ROUTINE)CallOutHandlerRoutine,0,&Thread,&Cid);
if(!NT_SUCCESS(Status))
{
LoadedApi.RtlExitThread(Status);//nothing to hand over to, bail out
}
//the handle table lives behind ProcessParameters->ShowWindowFlags
Native_GetCurrentEntry(HandleEntry);
Native_AddEntry((void*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,Thread,ObThread,ObTSuspended,HandleEntry);
//close and unregister the running thread, then exit it
Thread = Native_GetHandleTableHandle((void*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,ObThread,ObTRunning);
NtClose(Thread);
Native_DeleteEntry((void*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,ObThread,ObTRunning);
LoadedApi.RtlExitThread(0);
}
a sad sad day for me..but then things brightened..It might've been the laptop and the late night..But I put something together that hasn't been tested or fully implemented in the Dispatcher Routine yet... but it should fix the bugs and it also cleans up after itself...it's a beneficial evil I guess..I'm going to present the code here..with only comments..it probably has bugs..as it could, but that's all the fun of it..isn't it?
if you understood the CallOutRecaptureRoutine original this is no far step..

here is the New CallOutRecaptureRoutine..
Code:
__declspec(naked)void CallOutRecaptureRoutine(void *FnPointer,void* ...)
{
__asm
{
POP EBP//old stack address
CMP EBP,0//minor parameter validations..
JE Failed
POP EBX//GetReturnAddress
CMP EBX,0
JE Failed
POP EDX//GetCallSite
CMP EDX,0
JE Failed
POP ECX//GetNumberOfParameters..
JMP SetupJmpStack
CleanupFakeStack://label spelled to match the JE in SetupJmpStack
POP EAX//GetHandleToHeap
CMP EAX,-1
JE Failed
PUSH EAX//push heap handle
PUSH 0//push 0 heapflags
POP ECX
PUSH ECX
//GetProcessHeap: FS:[0x30] is the PEB, PEB+0x18 is ProcessHeap
ADD ECX,0x30
MOV EAX,FS:[ECX]
SUB ECX,0x18//0x30-0x18 = 0x18 (the old 0x1E read PEB+0x12)
MOV EAX,[EAX+ECX]
PUSH EAX//push handle to heap
POP EDI//Does Return Value Matter
CALL RtlFreeHeap//Free the Heap used for stack..
XOR ECX,ECX
JMP CallInitReady
SetupJmpStack:
CMP ECX,0//test if there
JE CleanupFakeStack
POP EAX//Get a Parameter
MOV ESI,ESP
MOV ESP,EBP
PUSH EAX//push the parameter onto real stack
MOV EBP,ESP//keep the real-stack pointer below the parameter just pushed
PUSH ESI
DEC ECX//dec parameter counter
POP ESP
JMP SetupJmpStack
CallInitReady:
PUSHAD
PUSH EBX
JMP EDX //;call the function in EDX
PUSH EAX
POPAD
CMP EDI,0
JE ReturnNotImportant
ADD ECX,0x18 //;add 18
MOV EBX,DWORD PTR FS:[ECX] //;NtCurrentTeb to ebx (FS:[0x18] is TEB.NtTib.Self)
//;return the value of call of call to a generally
//;read/writable area Teb.NtTib.ArbitraryUserPointer
MOV DWORD PTR DS:[EBX+0x14],EAX //;offset is 0x14 hex, not 14 decimal
ReturnNotImportant:
PUSH CallOutRecaptureRoutine
JMP RecaptureThread
Failed:
ret
}
}
revised version here..
Code:
//see Indirect call thread on woodmann forums for further info..
__declspec(naked)void CallOutRecaptureRoutine(void *FnPointer,void* ...)
{
__asm
{ //Parameter_Entry..
//Threads ESP in [EAX]
//return address in [EAX+4]
//call site [EAX+8]
//number of params+3[EAX+c]
//parameters from [EAX+0x10] on; they are pushed in that order, so the
//entry must hold them last-to-first for a cdecl/stdcall callee
PUSH ESP
XOR ECX,ECX
MOV EDX,[EAX]
CMP EDX,0
JE Failed
MOV ESP,EDX
INC ECX
MOV EDX,[EAX+ECX*4]
MOV [ESP+ECX*4],EDX
INC ECX
MOV EDX,[EAX+ECX*4]
INC ECX
MOV EDI,[EAX+ECX*4]
CMP EDI,3
JE CallInitReady
Increment:
INC ECX
GetParameter:
MOV EBX,[EAX+ECX*4]
PUSH EBX
CMP EDI,ECX
JG Increment //;loop while EDI (params+3) > ECX; the old JL stopped after the first parameter
CallInitReady:
JMP EDX //;call the function in EDX
POP ESP
XOR ECX,ECX
ADD ECX,0x18 //;add 18
MOV EBX,DWORD PTR FS:[ECX] //;NtCurrentTeb to ebx
//;return the value of call of call to a generally
//;read/writable area Teb.NtTib.ArbitraryUserPointer
MOV DWORD PTR DS:[EBX+0x14],EAX //;ArbitraryUserPointer is at TEB+0x14 (hex, not decimal 14)
PUSH CallOutRecaptureRoutine
JMP RecaptureThread
Failed:
POP ESP
ret
}
}
fixed RtlIsValidIndexHandle Bug..
here's how I solved it, can't believe I missed this before.
I kept the 'Force' Routines as backups..
Quote:
Originally Posted by Wine Developers
NOTES
A valid handle must have the bit set as indicated in the code below
otherwise subsequent RtlIsValidHandle() calls will fail.

static inline void RtlpMakeHandleAllocated(RTL_HANDLE * Handle)
{
ULONG_PTR *AllocatedBit = (ULONG_PTR *)(&Handle->Next);
*AllocatedBit = *AllocatedBit | 1;
}

This obviously mangles RTL_HANDLE_TABLE_ENTRY.Next, and I'm not sure I like that..but there is no other way to do it

I think my original way was better, but I am aiming for no bruteforcing unless absolutely necessary..
added a 'new' method for Debug Output, THANKS and Props to Drizz!!! I am using a 'host' process created File Stream..
In other words, while Sin32 is running it creates
SIN32.exe:DEBUG_STREAM
and uses that to write Debug Output to..I know this code is pretty specific to my project but here's the working release that can be easily adapted if you know what you're doing
(I guess if you're still reading this.. you're probably in the know..)
Code:
SIN32_HANDLE_TABLE_ENTRY *Init_Debug(void)
{
wchar_t NativePath[MAX_PATH] = {0};
UNICODE_STRING Unicode = {0};
OBJECT_ATTRIBUTES oa = {0};
IO_STATUS_BLOCK IOSB = {0};
LARGE_INTEGER li = {0};
SIN32_HANDLE_TABLE_ENTRY *HandleEntry = 0;
ULONG HandleIndex = 0;
HANDLE hFile = INVALID_HANDLE_VALUE;
PEB *peb = NtCurrentPeb();
UNICODE_STRING *Image = &peb->ProcessParameters->ImagePathName;
size_t ImageChars = Image->Length / sizeof(wchar_t);//Length is in bytes and Buffer need not be NUL terminated
//\??\<image path>:DEBUG_STREAM, an NTFS alternate data stream on the host image
if(4 + ImageChars + wcslen(L":DEBUG_STREAM") >= MAX_PATH)
{
return HandleEntry;//would not fit in NativePath
}
wcscpy(NativePath,L"\\??\\");
wcsncat(NativePath,Image->Buffer,ImageChars);
wcscat(NativePath,L":DEBUG_STREAM");
RtlInitUnicodeString(&Unicode,NativePath);
InitializeObjectAttributes(&oa,&Unicode,OBJ_CASE_INSENSITIVE|OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);
if(NT_SUCCESS(NtCreateFile(&hFile,GENERIC_WRITE | SYNCHRONIZE,&oa,&IOSB,&li,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OPEN_IF,FILE_WRITE_THROUGH|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0)))
{
//the handle table pointer is stashed in ProcessParameters->ShowWindowFlags
HandleEntry = (SIN32_HANDLE_TABLE_ENTRY*)RtlAllocateHandle((PRTL_HANDLE_TABLE)peb->ProcessParameters->ShowWindowFlags,&HandleIndex);
if(HandleEntry == 0)
{
NtClose(hFile);//table full, don't leak the stream handle
return HandleEntry;
}
HandleEntry->Handle = hFile;
HandleEntry->HandleIndex = HandleIndex;
HandleEntry->HandleType = ObFile;
HandleEntry->HandleState = Ob_DbgStream;
return HandleEntry;
}
return HandleEntry;
}
__checkReturn bool Write_Debug(UNICODE_STRING *UniDbg,NTSTATUS DbgStatus)
{
char Msg[MAX_PATH] = {0};
ANSI_STRING Ansi = {0};
NTSTATUS Status = 0;
IO_STATUS_BLOCK IOSB = {0};
HANDLE hFile = INVALID_HANDLE_VALUE;
PEB *peb = NtCurrentPeb();
RTL_HANDLE_TABLE *HandleTable = (RTL_HANDLE_TABLE*)peb->ProcessParameters->ShowWindowFlags;
int Len = 0;
if(HandleTable == 0 || HandleTable->SizeOfHandleTableEntry != sizeof(SIN32_HANDLE_TABLE_ENTRY))
{
return false;
}
hFile = Native_GetHandleTableHandle((void*)HandleTable,ObFile,Ob_DbgStream);
if(hFile != INVALID_HANDLE_VALUE)
{
if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&Ansi,UniDbg,true)))
{
//"<message><status in hex>\r\n", bounded so a long message cannot run past Msg
Len = _snprintf(Msg,sizeof(Msg) - 1,"%s%lX\r\n",Ansi.Buffer,(unsigned long)DbgStatus);
RtlFreeAnsiString(&Ansi);
if(Len < 0)
{
return false;//message too long for Msg
}
Status = NtWriteFile(hFile,0,0,0,&IOSB,(PVOID)Msg,(ULONG)Len,0,0);
return NT_SUCCESS(Status);
}
}
return false;
}
trying to develop multiple methods to separate the Initialization Routines that call LdrpCallInitRoutine so that I can handle each object by type..more on that in a blog post sometime.. :d
toying some with ideas of building PE substructures in the memory of my shared section and writing them to identifiable locations within a pre-runtime PE, as hinted at by piotr..
updated hkHook with hotpatch_uprnops and hotpatch_lwrnops, also still in the process of coding out some of the other things mentioned.. in the concepts thread..
also ppl can look on my skydrive..for some stuff..might be newer..but not the newest source..I'm gonna update that too eventually..
Seems to be a new bug sponsored by a recent security update to XPSP3 involving RtlCreateHeap..preventing me from calling RtlInitializeHandleTable properly..alternatives include VirtualMemory..File Mapped Sections..FileMappedStreams (a maybe on this one..still testing....)
BanMe
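Added illustration of the allocated-bit rule quoted from Wine above, the one behind the RtlIsValidIndexHandle failure and the "mangles Next" worry: a portable C model of the same free-list-plus-flag scheme. This is example code written for this page, not ntdll's RtlAllocateHandle/RtlIsValidIndexHandle and not Sin32's code; the entry layout, the model_* names, ENTRY_ALLOCATED and the eight-entry table are assumptions made for the demo.

```c
/* Portable model of an RTL_HANDLE_TABLE-style table, written for this page:
 * it is NOT ntdll's RtlAllocateHandle/RtlIsValidIndexHandle and not Sin32
 * code, and the entry layout below is an assumption made for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_MAX_HANDLES 8
#define ENTRY_ALLOCATED   ((uintptr_t)1)   /* bit 0 of the entry's first word */

/* First word: free-list link while the entry is free, allocated flag once it
 * is handed out (one word, two meanings, as in the quoted Wine note). */
typedef struct ModelEntry {
    union { struct ModelEntry *Next; uintptr_t Flags; } u;
    void *Handle;                            /* payload, e.g. a file handle */
} ModelEntry;

typedef struct {
    size_t SizeOfHandleTableEntry;
    ModelEntry *FirstFree;
    ModelEntry Entries[MODEL_MAX_HANDLES];
} ModelTable;

void model_init(ModelTable *t)
{
    size_t i;
    memset(t, 0, sizeof *t);
    t->SizeOfHandleTableEntry = sizeof(ModelEntry);
    for (i = 0; i + 1 < MODEL_MAX_HANDLES; i++)
        t->Entries[i].u.Next = &t->Entries[i + 1];   /* last link stays NULL */
    t->FirstFree = &t->Entries[0];
}

/* Pops the free list. Marking is left to the caller, which is the trap the
 * post ran into; 'mark' lets the demo show the forgotten and the fixed case. */
ModelEntry *model_allocate(ModelTable *t, unsigned long *index, int mark)
{
    ModelEntry *e = t->FirstFree;
    if (e == NULL) return NULL;
    t->FirstFree = e->u.Next;                /* unlink; the old link stays in the word */
    if (index) *index = (unsigned long)(e - t->Entries);
    if (mark) e->u.Flags |= ENTRY_ALLOCATED; /* RtlpMakeHandleAllocated */
    return e;
}

/* RtlIsValidHandle-style check: inside the table, on an entry boundary, flagged. */
int model_is_valid(const ModelTable *t, const ModelEntry *e)
{
    uintptr_t base = (uintptr_t)t->Entries, p = (uintptr_t)e;
    if (e == NULL || p < base || p >= base + sizeof(t->Entries)) return 0;
    if ((p - base) % t->SizeOfHandleTableEntry != 0) return 0;
    return (e->u.Flags & ENTRY_ALLOCATED) != 0;
}

/* RtlIsValidIndexHandle-style check: index -> entry, then the check above. */
int model_is_valid_index(const ModelTable *t, unsigned long index)
{
    return index < MODEL_MAX_HANDLES && model_is_valid(t, &t->Entries[index]);
}

/* Freeing rewrites the shared word as a link, which clears the flag as well;
 * the "mangled" Next only has to be right while the entry is on the free list. */
int model_free(ModelTable *t, ModelEntry *e)
{
    if (!model_is_valid(t, e)) return 0;
    e->Handle = NULL;
    e->u.Next = t->FirstFree;
    t->FirstFree = e;
    return 1;
}

/* Walk-through; returns 1 when every step behaves as described. */
int model_demo(void)
{
    ModelTable t;
    unsigned long forgotten = 0, marked = 0;
    int fake_file = 0;                       /* stands in for a file HANDLE */
    ModelEntry *e;

    model_init(&t);
    e = model_allocate(&t, &forgotten, 0);   /* the bug: handed out, never flagged */
    if (e == NULL || model_is_valid_index(&t, forgotten)) return 0;

    e = model_allocate(&t, &marked, 1);      /* the fix: bit 0 set right away */
    if (e == NULL || !model_is_valid_index(&t, marked)) return 0;
    e->Handle = &fake_file;
    if (t.Entries[marked].Handle != &fake_file) return 0;

    /* a second mark is idempotent; freeing drops the entry out of validity */
    e->u.Flags |= ENTRY_ALLOCATED;
    if (!model_is_valid_index(&t, marked)) return 0;
    if (!model_free(&t, e) || model_is_valid_index(&t, marked)) return 0;
    return t.FirstFree == e;                 /* back at the head of the free list */
}
```

Allocating without setting bit 0 leaves the entry unlinked yet "invalid" to the index check, which is the symptom described in the post; setting the bit overwrites the stale Next link, and model_free shows that link only matters once the entry is back on the free list, so the overwrite costs nothing. The model reduces the table to a fixed array; the real check additionally has to bound the entry against the committed part of the table.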