So 'Process Duplication' is a knock-off of the 'dual mapping' which I think g3niun3 touched on a little a while back in a crackme or something like that, using it as a distraction to the reverser. So after the client is loaded, its first command is to suspend all 'other' running threads in the process. My next step is to map out chunks of code of the main exe, its current threads and their current locations, their stack data, and then finally their ObjectTables. Having this info available would allow for greater tasks to be accomplished, so let's start by reimplementing SinSrvLocateClientByPid() so that it has access to csrss's process and thread lists.. :]
For those who have not looked at CsrWalker by ep_xoff, it's a good time to read this great piece of code.

Even though orkblutt technically beat this code, the ideas and methods are easily adaptable..
So the first thing we need is the address of CsrRootProcess, which is of the struct CSR_PROCESS; the best definition I've found is by Alex Ionescu, located here: http://doxygen.reactos.org/d8/dc3/server_8h_source.html
So to find CsrRootProcess you should see (if x86) something similar to:
Code:
CsrSrv!CsrLockProcessByClientId
75B45390 |. BF A089B475 MOV EDI,csrsrv.75B489A0
75B45395 |. 57 PUSH EDI
75B45396 |. FF15 1811B475 CALL DWORD PTR DS:[<&ntdll.RtlEnterCriti>; ntdll.RtlEnterCriticalSection
75B4539C 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
75B4539F 8322 00 AND DWORD PTR DS:[EDX],0
75B453A2 8B35 1C89B475 MOV ESI,DWORD PTR DS:[75B4891C]<-here
75B453A8 |. 83C6 08 ADD ESI,8
75B453AB |. C745 0C 010000>MOV DWORD PTR SS:[EBP+C],C0000001
So after retrieving it I can loop (most) processes and threads, so we now have our process's CSRSS_PROCESS struct and now the mischief can commence with calling the (Base\Win\Csr)Srv APIs; more on this is coming soon.. but next up, let's say we want to 'hook' a certain function of these 'now' vaguely documented API tables.. we need the address of CSR_SERVER_DLL.. this can be found here.
Code:
csrsrv!CsrCallServerFromServer
75B4415F CC INT3
75B44160 > $ 6A 0C PUSH 0C
75B44162 . 68 7818B475 PUSH csrsrv.75B41878
75B44167 . E8 F4260000 CALL csrsrv.75B46860
75B4416C . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
75B4416F . 0FB746 1E MOVZX EAX,WORD PTR DS:[ESI+1E]
75B44173 . 83F8 04 CMP EAX,4
75B44176 . 73 5A JNB SHORT csrsrv.75B441D2
75B44178 . 8B0C85 F088B47>MOV ECX,DWORD PTR DS:[EAX*4+75B488F0]<-here
75B4417F . 85C9 TEST ECX,ECX
75B44181 . 74 4F JE SHORT csrsrv.75B441D2
Here is a snip (THIS CODE WILL NOT WORK ANYWHERE OTHER THAN INSIDE CSRSS!)
Code:
CSR_PROCESS *SinSrvLocateCsrClientByPid(HANDLE UniqueProcess)
{
    CSR_PROCESS *RootProcess = NULL;
    CSR_PROCESS *TempProcess = NULL;
    LIST_ENTRY  *Entry;
    BYTE FindThis[] = {0x83,0xc6,0x0,0x4};

    /* FindCode() and Native_GetApi() are the author's own helpers (not shown here):
       resolve CsrLockProcessByClientId in csrsrv.dll and pull CsrRootProcess out of
       the MOV ESI,DWORD PTR DS:[...] that precedes the ADD ESI,8 in the listing above. */
    RootProcess = (CSR_PROCESS*)FindCode(Native_GetApi(L"csrsrv.dll","CsrLockProcessByClientId"), &FindThis);
    if (!RootProcess)
        return NULL;

    /* The list is circular and each Flink points at a ListLink member (offset 8,
       the ADD ESI,8), not at the start of a CSR_PROCESS, hence CONTAINING_RECORD.
       The walk stops when it comes back round to the root's own ListLink. */
    for (Entry = RootProcess->ListLink.Flink; Entry != &RootProcess->ListLink; Entry = Entry->Flink)
    {
        TempProcess = CONTAINING_RECORD(Entry, CSR_PROCESS, ListLink);
        if (TempProcess->ClientId.UniqueProcess == UniqueProcess)
            return TempProcess;
    }
    return NULL;
}
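As an added example (not the post's code): an offline model of the CsrRootProcess list walk, with the CSR_PROCESS layout trimmed to the ClientId and ListLink fields and a constructed list, so the CONTAINING_RECORD hop and the offset-8 ListLink (the ADD ESI,8 in the listing) can be checked without being inside csrss. Names other than the struct fields are mine.

```c
#include <stddef.h>
#include <stdint.h>

typedef void *HANDLE;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _CLIENT_ID { HANDLE UniqueProcess, UniqueThread; } CLIENT_ID;

/* Leading fields of CSR_PROCESS in declaration order (rest omitted): ListLink
 * follows the two-pointer CLIENT_ID, which is the ADD ESI,8 in the listing. */
typedef struct _CSR_PROCESS {
    CLIENT_ID  ClientId;
    LIST_ENTRY ListLink;
} CSR_PROCESS;

#ifndef CONTAINING_RECORD
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#endif

/* Walk the circular list hanging off Root->ListLink. Flink points at a
 * ListLink member, not at a CSR_PROCESS, so each hop needs CONTAINING_RECORD;
 * the walk ends when it comes back round to Root's own ListLink. */
CSR_PROCESS *LocateByPid(CSR_PROCESS *Root, HANDLE UniqueProcess)
{
    LIST_ENTRY *head = &Root->ListLink;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        CSR_PROCESS *p = CONTAINING_RECORD(e, CSR_PROCESS, ListLink);
        if (p->ClientId.UniqueProcess == UniqueProcess)
            return p;
    }
    return NULL;
}

/* Constructed sample: a root entry plus three clients with made-up pids. */
static CSR_PROCESS g_root, g_proc[3];

void BuildSampleList(void)
{
    uintptr_t pids[3] = { 4, 1234, 5678 };     /* constructed values */
    g_root.ListLink.Flink = g_root.ListLink.Blink = &g_root.ListLink;
    for (int i = 0; i < 3; i++) {              /* insert each at the tail */
        LIST_ENTRY *e = &g_proc[i].ListLink, *tail = g_root.ListLink.Blink;
        g_proc[i].ClientId.UniqueProcess = (HANDLE)pids[i];
        e->Flink = &g_root.ListLink; e->Blink = tail;
        tail->Flink = e; g_root.ListLink.Blink = e;
    }
}

size_t ListLinkOffset(void) { return offsetof(CSR_PROCESS, ListLink); }
```

On a 32-bit build ListLinkOffset() is 8, matching the listing; on 64-bit it is 16 because CLIENT_ID is two pointers.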
Well, I guess I have to continue in order for people to know what I am actually on about..
This is still about duplicating a suspended process and dumping the exact duplicate from memory using either an injected client, or through the more interesting methods, such as a trampoline right after the return from the wait to check for connection requests, or using a much more untouched method, but more on that later.
I plan to duplicate the image of a running process to a mapped section and dump it with as much supporting and documented information as is needed for easy analysis, but the means are much more interesting than the ends.. :}
First let's examine the structure of a CSR_SERVER_DLL (kayaker's not so lengthy version..)
Code:
typedef struct _CSR_SERVER_DLL
{
    ULONG Length;
    HANDLE Event;
    ANSI_STRING Name;
    HANDLE ServerHandle;
    ULONG ServerId;
    ULONG Unknown;
    ULONG ApiBase;
    ULONG HighestApiSupported;
    ULONG *DispatchTable;
    PBOOLEAN ValidTable;
    PCHAR *NameTable;
    ULONG SizeOfProcessData;
    ULONG *ConnectCallback;
    ULONG *DisconnectCallback;
    ULONG *HardErrorCallback;
    PVOID SharedSection;
    ULONG *NewProcessCallback;
    ULONG *ShutdownProcessCallback;
    ULONG Unknown2[3];
} CSR_SERVER_DLL, *PCSR_SERVER_DLL;
There are some definitely interesting fields listed in this structure, NewProcessCallback or ShutdownProcessCallback being of interest in this particular case if we are hooking the structs in memory, which we are not going to do this time; we are going to fill out our own CSR_SERVER_DLL structure and build a DLL loaded into csrss.
So as we've seen earlier I can suspend processes and threads in many different ways, I can also check the handles of each thread and whether they're GUI or not, all from csrss.. and not have to do any injection of any code or DLL. So it's coming together very slowly with the additional GUI to consider and this new restructuring of code to include both interactions, but the benefits and possibilities for action are vastly improved by this little beast of a structure.. more to come on the mechanisms that call these APIs and when they are called...
Much more to come tomorrow.
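As an added example (not the post's code): an offline model of how csrsrv resolves a CSR API number to a CSR_SERVER_DLL entry, mirroring the server-id bounds check against 4 loaded server DLLs visible in the CsrCallServerFromServer listing above and adding the per-DLL HighestApiSupported and ValidTable checks. The high-word/low-word split of ApiNumber and the ValidTable-may-be-NULL rule are taken from the ReactOS csrsrv source; the struct is trimmed to the fields the lookup touches and the sample server is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define CSR_SERVER_DLL_MAX 4   /* the "CMP EAX,4 / JNB" in the listing above */

typedef uint32_t (*CSR_API_ROUTINE)(void);

/* Only the CSR_SERVER_DLL fields the lookup touches (the post lists the rest). */
typedef struct _CSR_SERVER_DLL {
    uint32_t ApiBase;
    uint32_t HighestApiSupported;
    CSR_API_ROUTINE *DispatchTable;
    unsigned char *ValidTable;      /* may be NULL: then every slot counts as valid */
    const char **NameTable;
} CSR_SERVER_DLL;

/* Model of csrsrv's array of loaded server DLLs, indexed by server id. */
CSR_SERVER_DLL *CsrLoadedServerDll[CSR_SERVER_DLL_MAX];

/* ApiNumber -> handler. Server id is the high word (what the listing reads
 * from [ESI+1E]), api id the low word. NULL for any failed check. */
CSR_API_ROUTINE ResolveApi(uint32_t ApiNumber)
{
    uint32_t ServerId = (ApiNumber >> 16) & 0xFFFF;
    uint32_t ApiId    =  ApiNumber        & 0xFFFF;
    if (ServerId >= CSR_SERVER_DLL_MAX) return NULL;   /* JNB to the error path */
    CSR_SERVER_DLL *dll = CsrLoadedServerDll[ServerId];
    if (!dll) return NULL;                             /* TEST ECX,ECX / JE */
    if (ApiId >= dll->HighestApiSupported) return NULL;
    if (dll->ValidTable && !dll->ValidTable[ApiId]) return NULL;
    return dll->DispatchTable[ApiId];
}

/* Constructed sample server DLL in slot 1: two apis, the second marked invalid. */
static uint32_t SampleApiA(void) { return 0xA; }
static uint32_t SampleApiB(void) { return 0xB; }
static CSR_API_ROUTINE g_dispatch[2] = { SampleApiA, SampleApiB };
static unsigned char   g_valid[2]    = { 1, 0 };
static const char     *g_names[2]    = { "SampleApiA", "SampleApiB" };
static CSR_SERVER_DLL  g_sample      = { 0, 2, g_dispatch, g_valid, g_names };

void LoadSampleServer(void) { CsrLoadedServerDll[1] = &g_sample; }
```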