soffensive blog
Posts Tags Categories About
soffensive blog

soffensive blog

Practical Reverse Engineering Exercise Solutions: RtlValidateUnicodeString

 published on  included in Practical Reverse Engineering

This blog post contains my solution for the decompilation exercise of the RtlValidateUnicodeString function in the Windows Kernel. The following contains the disassembly without annotations:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

kd> uf rtlvalidateunicodestring
ntdll!RtlValidateUnicodeString:
77686f6c 8bff            mov     edi,edi
77686f6e 55              push    ebp
77686f6f 8bec            mov     ebp,esp
77686f71 837d0800        cmp     dword ptr [ebp+8],0
77686f75 0f85fc380300    jne     ntdll!RtlValidateUnicodeString+0xb (776ba877)

ntdll!RtlValidateUnicodeString+0x12:
77686f7b 6800010000      push    100h
77686f80 ff750c          push    dword ptr [ebp+0Ch]
77686f83 e809000000      call    ntdll!RtlUnicodeStringValidateEx (77686f91)

ntdll!RtlValidateUnicodeString+0x1f:
77686f88 5d              pop     ebp
77686f89 c20800          ret     8

ntdll!RtlValidateUnicodeString+0xb:
776ba877 b80d0000c0      mov     eax,0C000000Dh
776ba87c e907c7fcff      jmp     ntdll!RtlValidateUnicodeString+0x1f (77686f88)

The function prototype is given here:

Read More
 Practical Reverse EngineeringX64X86

Practical Reverse Engineering Exercise Solutions: LiveKd / WinDbg Cheat Sheet

 published on  included in Practical Reverse Engineering

Here are a couple of commands I regularly use for reverse engineering:

  • uf <function>: Unassemble function
  • dt nt!_ktss: Show the definition of the data structure _ktss
  • ?? sizeof(_ktss): Show the size the data structure _ktss occupies in memory
  • .hh uf: Show help for the function uf
  • x nt!*createfile*: Search all functions having the string createfile in its name
  • !vtop <PDPT-pointer> <virtualAddress>: Compute physical address of given virtual address and the pointer to the page directory pointer table
Read More
 Practical Reverse EngineeringWindbgX64X86

Practical Reverse Engineering Exercise Solutions: KiInitializeTSS

 published on  included in Practical Reverse Engineering

Another exercise for us is the decompilation of the KiInitializeTSS function:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

nt!KiInitializeTSS:
82847359 8bff            mov     edi,edi
8284735b 55              push    ebp
8284735c 8bec            mov     ebp,esp
8284735e 8b4508          mov     eax,dword ptr [ebp+8]
82847361 b9ac200000      mov     ecx,20ACh
82847366 66894866        mov     word ptr [eax+66h],cx
8284736a 33c9            xor     ecx,ecx
8284736c 6a10            push    10h
8284736e 66894864        mov     word ptr [eax+64h],cx
82847372 66894860        mov     word ptr [eax+60h],cx
82847376 59              pop     ecx
82847377 66894808        mov     word ptr [eax+8],cx
8284737b 5d              pop     ebp
8284737c c20400          ret     4

We obtain the function prototype: (source)

1
2
3
4
5

VOID
NTAPI
KiInitializeTSS(IN PKTSS Tss)
{
}

Structure of _KTSS:

Read More
 Practical Reverse EngineeringX64X86

Practical Reverse Engineering Exercise Solutions: KeReadyThread

 published on  included in Practical Reverse Engineering

Unfortunately I had no time in the past days to continue with the exercises. We continue with the decompilation of the KeReadyThread function in Windows 7.

The following listing shows the disassembly:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

nt!KeReadyThread:
828a8125 8bff            mov     edi,edi
828a8127 56              push    esi
828a8128 8bf0            mov     esi,eax
828a812a 8b4650          mov     eax,dword ptr [esi+50h]
828a812d 8b4874          mov     ecx,dword ptr [eax+74h]
828a8130 f6c107          test    cl,7
828a8133 7409            je      nt!KeReadyThread+0x19 (828a813e)

nt!KeReadyThread+0x10:
828a8135 e8b74af8ff      call    nt!KiInSwapSingleProcess (8282cbf1)
828a813a 84c0            test    al,al
828a813c 7505            jne     nt!KeReadyThread+0x1e (828a8143)

nt!KeReadyThread+0x19:
828a813e e892ef0000      call    nt!KiFastReadyThread (828b70d5)

nt!KeReadyThread+0x1e:
828a8143 5e              pop     esi
828a8144 c3              ret

According to this source, it has the following prototype:

Read More
 Practical Reverse EngineeringX64X86

Practical Reverse Engineering Exercise Solutions: KeInitializeQueue

 published on  included in Practical Reverse Engineering

We are tasked with decompiling the Windows Kernel routine KeInitializeQueue.

Firstly, we obtain its disassembly:

../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png 

Secondly, we consult MSDN for its signature:

1
2
3
4

VOID KeInitializeQueue(
  _Out_ PRKQUEUE Queue,
  _In_  ULONG    Count
);

The routine itself does not return anything. 

We learn it takes two parameters and as the assembly contains the ret 8 instruction, the KeInitializeQueue function cleans up the stack and thus, it uses the stdcall convention.

Read More
 Practical Reverse EngineeringX64X86

Practical Reverse Engineering Exercise Solutions: ObFastDereferenceObject

 published on  included in Practical Reverse Engineering

First of all a quick reminder: This series of blog posts relates to exercises from the book Practical Reverse Engineering by Dang et al. Although it is called reverse engineering in general, it actually is mostly relevant to Microsoft Windows operating systems. This is simply due to the fact that Microsoft Windows is closed source in contrast to the Linux/Unix families, which means its source code is publicly available and so no reverse engineering endeavours are necessary.

Read More
 Practical Reverse EngineeringX64X86