soffensive blog

Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 6

soffensive published on 2017-07-22 included in Practical Reverse Engineering

Exercise 6 on page 35 of the book Practical Reverse Engineering presents us with a malware samples.

These can be downloaded at the following page:

https://grsecurity.net/malware_research/

In this exercise, we are expected to have a look at the following routine sub_13842:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
.text:00013842 sub_13842      
.text:00013842                 mov     eax, [ecx+60h]
.text:00013845                 push    esi
.text:00013846                 mov     esi, [edx+8]
.text:00013849                 dec     byte ptr [ecx+23h]
.text:0001384C                 sub     eax, 24h
.text:0001384F                 mov     [ecx+60h], eax
.text:00013852                 mov     [eax+14h], edx
.text:00013855                 movzx   eax, byte ptr [eax]
.text:00013858                 push    ecx
.text:00013859                 push    edx
.text:0001385A                 call    dword ptr [esi+eax*4+38h]
.text:0001385E                 pop     esi
.text:0001385F                 retn

Firstly, we see that the function prototype takes two parameters, which are not saved on the stack but in the two registers ecx and edx. This can be deducted from the fact that these two registers are immediately referenced without prior initialization.

Practical Reverse Engineering Exercise Solutions: RtlValidateUnicodeString

soffensive published on 2017-07-16 included in Practical Reverse Engineering

This blog post contains my solution for the decompilation exercise of the RtlValidateUnicodeString function in the Windows Kernel. The following contains the disassembly without annotations:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
kd> uf rtlvalidateunicodestring
ntdll!RtlValidateUnicodeString:
77686f6c 8bff            mov     edi,edi
77686f6e 55              push    ebp
77686f6f 8bec            mov     ebp,esp
77686f71 837d0800        cmp     dword ptr [ebp+8],0
77686f75 0f85fc380300    jne     ntdll!RtlValidateUnicodeString+0xb (776ba877)

ntdll!RtlValidateUnicodeString+0x12:
77686f7b 6800010000      push    100h
77686f80 ff750c          push    dword ptr [ebp+0Ch]
77686f83 e809000000      call    ntdll!RtlUnicodeStringValidateEx (77686f91)

ntdll!RtlValidateUnicodeString+0x1f:
77686f88 5d              pop     ebp
77686f89 c20800          ret     8

ntdll!RtlValidateUnicodeString+0xb:
776ba877 b80d0000c0      mov     eax,0C000000Dh
776ba87c e907c7fcff      jmp     ntdll!RtlValidateUnicodeString+0x1f (77686f88)

The function prototype is given here:

Practical Reverse Engineering Exercise Solutions: LiveKd / WinDbg Cheat Sheet

soffensive published on 2017-07-16 included in Practical Reverse Engineering

Here are a couple of commands I regularly use for reverse engineering:

uf <function>: Unassemble function
dt nt!_ktss: Show the definition of the data structure _ktss
?? sizeof(_ktss): Show the size the data structure _ktss occupies in memory
.hh uf: Show help for the function uf
x nt!*createfile*: Search all functions having the string createfile in its name
!vtop <PDPT-pointer> <virtualAddress>: Compute physical address of given virtual address and the pointer to the page directory pointer table

Practical Reverse Engineering Exercise Solutions: KiInitializeTSS

soffensive published on 2017-07-16 included in Practical Reverse Engineering

Another exercise for us is the decompilation of the KiInitializeTSS function:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
nt!KiInitializeTSS:
82847359 8bff            mov     edi,edi
8284735b 55              push    ebp
8284735c 8bec            mov     ebp,esp
8284735e 8b4508          mov     eax,dword ptr [ebp+8]
82847361 b9ac200000      mov     ecx,20ACh
82847366 66894866        mov     word ptr [eax+66h],cx
8284736a 33c9            xor     ecx,ecx
8284736c 6a10            push    10h
8284736e 66894864        mov     word ptr [eax+64h],cx
82847372 66894860        mov     word ptr [eax+60h],cx
82847376 59              pop     ecx
82847377 66894808        mov     word ptr [eax+8],cx
8284737b 5d              pop     ebp
8284737c c20400          ret     4

We obtain the function prototype: (source)

1
2
3
4
5
VOID
NTAPI
KiInitializeTSS(IN PKTSS Tss)
{
}

Structure of _KTSS:

Practical Reverse Engineering Exercise Solutions: KeReadyThread

soffensive published on 2017-07-16 included in Practical Reverse Engineering

Unfortunately I had no time in the past days to continue with the exercises. We continue with the decompilation of the KeReadyThread function in Windows 7.

The following listing shows the disassembly:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
nt!KeReadyThread:
828a8125 8bff            mov     edi,edi
828a8127 56              push    esi
828a8128 8bf0            mov     esi,eax
828a812a 8b4650          mov     eax,dword ptr [esi+50h]
828a812d 8b4874          mov     ecx,dword ptr [eax+74h]
828a8130 f6c107          test    cl,7
828a8133 7409            je      nt!KeReadyThread+0x19 (828a813e)

nt!KeReadyThread+0x10:
828a8135 e8b74af8ff      call    nt!KiInSwapSingleProcess (8282cbf1)
828a813a 84c0            test    al,al
828a813c 7505            jne     nt!KeReadyThread+0x1e (828a8143)

nt!KeReadyThread+0x19:
828a813e e892ef0000      call    nt!KiFastReadyThread (828b70d5)

nt!KeReadyThread+0x1e:
828a8143 5e              pop     esi
828a8144 c3              ret

According to this source, it has the following prototype:

Practical Reverse Engineering Exercise Solutions: KeInitializeQueue

soffensive published on 2017-07-01 included in Practical Reverse Engineering

We are tasked with decompiling the Windows Kernel routine KeInitializeQueue.

Firstly, we obtain its disassembly:

Secondly, we consult MSDN for its signature:

1
2
3
4
VOID KeInitializeQueue(
  _Out_ PRKQUEUE Queue,
  _In_  ULONG    Count
);

The routine itself does not return anything.

We learn it takes two parameters and as the assembly contains the ret 8 instruction, the KeInitializeQueue function cleans up the stack and thus, it uses the stdcall convention.