X64 on soffensive bloghttps://soffensive.github.io/tags/x64/Recent content in X64 on soffensive blogHugoenWed, 20 Sep 2017 02:37:00 -0700Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 11https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-20-practical-reverse-engineering-exercise-solutions-page-35-exercise-11/Wed, 20 Sep 2017 02:37:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-20-practical-reverse-engineering-exercise-solutions-page-35-exercise-11/<blockquote> <p>Read the Virtual Memory chapter in Intel Software Developer Manual, Volume 3 and AMD64 Architecture Programmer’s Manual, Volume 2: System Programming. Perform a few virtual address to physical address translations yourself and verify the result with a kernel debugger. Explain how data execution prevention (DEP) works.</p></blockquote> <p>For this exercise, we first have to set up a remote kernel debugging session. (see <a href="https://codemetrix.net/windows-kernel-debugging-setup/" target="_blank" rel="noopener noreffer ">https://codemetrix.net/windows-kernel-debugging-setup/</a>, <a href="https://securityblog.gr/3253/debug-user-mode-processes-using-a-kernel-debugger/" target="_blank" rel="noopener noreffer ">https://securityblog.gr/3253/debug-user-mode-processes-using-a-kernel-debugger/</a> and <a href="http://securityblog.gr/3023/windows-kernel-debugging/" target="_blank" rel="noopener noreffer ">http://securityblog.gr/3023/windows-kernel-debugging/</a> for excellent explanations)</p>Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 10https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-17-practical-reverse-engineering-exercise-solutions-page-35-exercise-10/Sun, 17 Sep 2017 05:34:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-17-practical-reverse-engineering-exercise-solutions-page-35-exercise-10/<p>Our task:</p> <blockquote> <p>If the current privilege level is encoded in CS, which is modifiable by user-mode code, why can’t user-mode code modify CS to change CPL?</p></blockquote> <p>For a change, this is now a more theoretical than hands-on challenge. In order to address the exercise appropriately, we have to make sure we understood it correctly.</p> <p><code>CS</code> (code segment) is the CPU segment register that contains the current ring level in bits 0 and 1. This encoded level is also commonly referred to as CPL (current privilege level).</p>Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 9https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-15-practical-reverse-engineering-exercise-solutions-page-35-exercise-9/Fri, 15 Sep 2017 02:49:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-15-practical-reverse-engineering-exercise-solutions-page-35-exercise-9/<p>Our task:</p> <blockquote> <p>Sample L. Explain what function <code>sub_1000CEA0</code> does and then decompile it back to C.</p></blockquote> <p>Here we have the function&rsquo;s disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">edi</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">or</span> <span class="nb">ecx</span><span class="p">,</span> <span class="mh">0FFFFFFFFh</span> </span></span><span class="line"><span class="cl"> <span class="nf">repne</span> <span class="nv">scasb</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">ecx</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="nf">neg</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"> <span class="nf">sub</span> <span class="nb">edi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mh">0Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">std</span> </span></span><span class="line"><span class="cl"> <span class="nf">repne</span> <span class="nv">scasb</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">edi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="nf">cmp</span> <span class="p">[</span><span class="nb">edi</span><span class="p">],</span> <span class="nb">al</span> </span></span><span class="line"><span class="cl"> <span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_1000CEC7</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_1000CEC9</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1000CEC7:</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1000CEC9:</span> </span></span><span class="line"><span class="cl"> <span class="nf">cld</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">leave</span> </span></span><span class="line"><span class="cl"> <span class="nf">retn</span> </span></span><span class="line"><span class="cl"> <span class="nf">endp</span> </span></span></code></pre></td></tr></table> </div> </div><p>Firstly, the function takes two arguments, at <code>ebp+0x8</code> (arg1) and <code>ebp+0x0C</code> (arg2) respectively. It follows the <strong>stdcall</strong> convention that arguments are pushed from right to left on the stack and the callee cleaning up the stack.</p>Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 8https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-14-practical-reverse-engineering-exercise-solutions-page-35-exercise-8/Thu, 14 Sep 2017 05:12:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-14-practical-reverse-engineering-exercise-solutions-page-35-exercise-8/<p>Our task as formulated in exercise 8:</p> <blockquote> <p>Sample H. Decompile <code>sub_11732</code> and explain the most likely programming construct used in the original code.</p></blockquote> <p>The function&rsquo;s disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nl">sub_1172E:</span> </span></span><span class="line"><span class="cl"><span class="nf">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">dec</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_1175F</span> </span></span><span class="line"><span class="cl"><span class="nf">dec</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_11755</span> </span></span><span class="line"><span class="cl"><span class="nf">dec</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_1174B</span> </span></span><span class="line"><span class="cl"><span class="nf">sub</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">9</span> </span></span><span class="line"><span class="cl"><span class="nf">jnz</span> <span class="nv">short</span> <span class="nv">loc_1176B</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0Ch</span> </span></span><span class="line"><span class="cl"><span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_11767</span> </span></span><span class="line"><span class="cl"><span class="c1">; ---------------------------------------------------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1174B:</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">5Eh</span> </span></span><span class="line"><span class="cl"><span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_11767</span> </span></span><span class="line"><span class="cl"><span class="c1">; ---------------------------------------------------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_11755:</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">44h</span> </span></span><span class="line"><span class="cl"><span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_11767</span> </span></span><span class="line"><span class="cl"><span class="c1">; ---------------------------------------------------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1175F:</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">40h</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_11767:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="p">[</span><span class="nb">ecx</span><span class="p">],</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="p">[</span><span class="nb">edx</span><span class="p">],</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1176B:</span> </span></span><span class="line"><span class="cl"><span class="nf">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">retn</span> <span class="mi">4</span> </span></span></code></pre></td></tr></table> </div> </div><p>Obviously, the sought-after programming construct in this case is a <code>switch...case</code> statement.</p>Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 7https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-30-practical-reverse-engineering-exercise-solutions-page-35-exercise-7/Sun, 30 Jul 2017 03:55:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-30-practical-reverse-engineering-exercise-solutions-page-35-exercise-7/<p>Exercise 7 on page 35:</p> <blockquote> <p>Sample H. The function <code>sub_10BB6</code> has a loop searching for something. First recover the function prototype and then infer the types based on the context. Hint: You should probably have a copy of the PE specification nearby.</p></blockquote> <p>Due to alignment issues, our routine is located at <code>10BB2</code> and has the following disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nl">sub_10BB2:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">14h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">cmp</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mi">6</span><span class="p">],</span> <span class="nb">bx</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">lea</span> <span class="nb">edi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="nb">esi</span><span class="o">+</span><span class="mh">18h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">jbe</span> <span class="nv">short</span> <span class="nv">loc_10BEB</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BCE:</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mh">0Ch</span><span class="o">+</span><span class="nv">arg_4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">call</span> <span class="nb">ds</span><span class="p">:</span><span class="kt">dword</span><span class="nv">_169A4</span> </span></span><span class="line"><span class="cl"> <span class="nf">test</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"> <span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_10BF3</span> </span></span><span class="line"><span class="cl"> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mi">6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">edi</span><span class="p">,</span> <span class="mh">28h</span> </span></span><span class="line"><span class="cl"> <span class="nf">inc</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">cmp</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">jb</span> <span class="nv">short</span> <span class="nv">loc_10BCE</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BEB:</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BED:</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">retn</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BF3:</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_10BED</span> </span></span></code></pre></td></tr></table> </div> </div><p>The PE file format and offsets have been described in detail here: <a href="http://www.sunshine2k.de/reversing/tuts/tut_pe.htm" target="_blank" rel="noopener noreffer ">http://www.sunshine2k.de/reversing/tuts/tut_pe.htm</a></p>Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 6https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-22-practical-reverse-engineering-exercise-solutions-page-35-exercise-6/Sat, 22 Jul 2017 23:49:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-22-practical-reverse-engineering-exercise-solutions-page-35-exercise-6/<p>Exercise 6 on page 35 of the book Practical Reverse Engineering presents us with a malware samples.</p> <p>These can be downloaded at the following page:</p> <p><a href="https://grsecurity.net/malware_research/" target="_blank" rel="noopener noreffer ">https://grsecurity.net/malware_research/</a></p> <p>In this exercise, we are expected to have a look at the following routine <code>sub_13842</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013842</span> <span class="nf">sub_13842</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013842</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ecx</span><span class="o">+</span><span class="mh">60h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013845</span> <span class="nf">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013846</span> <span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013849</span> <span class="nf">dec</span> <span class="kt">byte</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ecx</span><span class="o">+</span><span class="mh">23h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001384</span><span class="nf">C</span> <span class="nv">sub</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">24h</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001384</span><span class="nf">F</span> <span class="nv">mov</span> <span class="p">[</span><span class="nb">ecx</span><span class="o">+</span><span class="mh">60h</span><span class="p">],</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013852</span> <span class="nf">mov</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">14h</span><span class="p">],</span> <span class="nb">edx</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013855</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013858</span> <span class="nf">push</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013859</span> <span class="nf">push</span> <span class="nb">edx</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001385</span><span class="nf">A</span> <span class="nv">call</span> <span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="nb">eax</span><span class="o">*</span><span class="mi">4</span><span class="o">+</span><span class="mh">38h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001385</span><span class="nf">E</span> <span class="nv">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001385</span><span class="nf">F</span> <span class="nv">retn</span> </span></span></code></pre></td></tr></table> </div> </div><p>Firstly, we see that the function prototype takes two parameters, which are not saved on the stack but in the two registers <code>ecx</code> and <code>edx</code>. This can be deducted from the fact that these two registers are immediately referenced without prior initialization.</p>Practical Reverse Engineering Exercise Solutions: RtlValidateUnicodeStringhttps://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-rtlvalidateunicodestring/Sun, 16 Jul 2017 12:50:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-rtlvalidateunicodestring/<p>This blog post contains my solution for the decompilation exercise of the <code>RtlValidateUnicodeString</code> function in the Windows Kernel. The following contains the disassembly without annotations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nf">kd</span><span class="o">&gt;</span> <span class="nv">uf</span> <span class="nv">rtlvalidateunicodestring</span> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f6c</span> <span class="mi">8</span><span class="nv">bff</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">edi</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f6e</span> <span class="mi">55</span> <span class="nv">push</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f6f</span> <span class="mi">8</span><span class="nv">bec</span> <span class="nv">mov</span> <span class="nb">ebp</span><span class="p">,</span><span class="nb">esp</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f71</span> <span class="mi">837</span><span class="nv">d0800</span> <span class="nv">cmp</span> <span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f75</span> <span class="mi">0</span><span class="nv">f85fc380300</span> <span class="nv">jne</span> <span class="nv">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0xb</span> <span class="p">(</span><span class="mi">776</span><span class="nv">ba877</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0x12</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f7b</span> <span class="mi">6800010000</span> <span class="nv">push</span> <span class="mh">100h</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f80</span> <span class="nv">ff750c</span> <span class="nv">push</span> <span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mh">0Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f83</span> <span class="nv">e809000000</span> <span class="nv">call</span> <span class="nv">ntdll</span><span class="err">!</span><span class="nv">RtlUnicodeStringValidateEx</span> <span class="p">(</span><span class="mi">77686</span><span class="nv">f91</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0x1f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f88</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f89</span> <span class="nv">c20800</span> <span class="nv">ret</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0xb</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">776</span><span class="nf">ba877</span> <span class="nv">b80d0000c0</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="mh">0C000000Dh</span> </span></span><span class="line"><span class="cl"><span class="err">776</span><span class="nf">ba87c</span> <span class="nv">e907c7fcff</span> <span class="nv">jmp</span> <span class="nv">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0x1f</span> <span class="p">(</span><span class="mi">77686</span><span class="nv">f88</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>The function prototype is given <a href="https://github.com/CaledoniaProject/kekeo-with-asn-vs2013/blob/d926de6096d6f6d797e38ced1b5cbdf56d1734b9/modules/kull_m_string.h" target="_blank" rel="noopener noreffer ">here</a>:</p>Practical Reverse Engineering Exercise Solutions: LiveKd / WinDbg Cheat Sheethttps://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-livekd-windbg-cheat-sheet/Sun, 16 Jul 2017 05:45:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-livekd-windbg-cheat-sheet/<p>Here are a couple of commands I regularly use for reverse engineering:</p> <ul> <li><code>uf &lt;function&gt;</code>: Unassemble function</li> <li><code>dt nt!_ktss</code>: Show the definition of the data structure <code>_ktss</code></li> <li><code>?? sizeof(_ktss)</code>: Show the size the data structure <code>_ktss</code> occupies in memory</li> <li><code>.hh uf</code>: Show help for the function <code>uf</code></li> <li><code>x nt!*createfile*</code>: Search all functions having the string <code>createfile</code> in its name</li> <li><code>!vtop &lt;PDPT-pointer&gt; &lt;virtualAddress&gt;</code>: Compute physical address of given virtual address and the pointer to the page directory pointer table</li> </ul>Practical Reverse Engineering Exercise Solutions: KiInitializeTSShttps://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kiinitializetss/Sun, 16 Jul 2017 05:33:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kiinitializetss/<p>Another exercise for us is the decompilation of the <code>KiInitializeTSS</code> function:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KiInitializeTSS</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">82847359</span> <span class="err">8</span><span class="nf">bff</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">edi</span> </span></span><span class="line"><span class="cl"><span class="err">8284735</span><span class="nf">b</span> <span class="mi">55</span> <span class="nv">push</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">8284735</span><span class="nf">c</span> <span class="mi">8</span><span class="nv">bec</span> <span class="nv">mov</span> <span class="nb">ebp</span><span class="p">,</span><span class="nb">esp</span> </span></span><span class="line"><span class="cl"><span class="err">8284735</span><span class="nf">e</span> <span class="mi">8</span><span class="nv">b4508</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">82847361</span> <span class="nf">b9ac200000</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span><span class="mh">20ACh</span> </span></span><span class="line"><span class="cl"><span class="err">82847366</span> <span class="err">66894866</span> <span class="nf">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">66h</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">8284736</span><span class="nf">a</span> <span class="mi">33</span><span class="nv">c9</span> <span class="nv">xor</span> <span class="nb">ecx</span><span class="p">,</span><span class="nb">ecx</span> </span></span><span class="line"><span class="cl"><span class="err">8284736</span><span class="nf">c</span> <span class="mi">6</span><span class="nv">a10</span> <span class="nv">push</span> <span class="mh">10h</span> </span></span><span class="line"><span class="cl"><span class="err">8284736</span><span class="nf">e</span> <span class="mi">66894864</span> <span class="nv">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">64h</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">82847372</span> <span class="err">66894860</span> <span class="nf">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">60h</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">82847376</span> <span class="err">59</span> <span class="nf">pop</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"><span class="err">82847377</span> <span class="err">66894808</span> <span class="nf">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">8284737</span><span class="nf">b</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">8284737</span><span class="nf">c</span> <span class="nv">c20400</span> <span class="nv">ret</span> <span class="mi">4</span> </span></span></code></pre></td></tr></table> </div> </div><p>We obtain the function prototype: (<a href="https://github.com/hoangduit/reactos/blob/63682957b86d77c7d82e7b887797ef82ea92d271/reactos/ntoskrnl/ke/powerpc/cpu.c" target="_blank" rel="noopener noreffer ">source</a>)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">VOID</span> </span></span><span class="line"><span class="cl"><span class="n">NTAPI</span> </span></span><span class="line"><span class="cl"><span class="nf">KiInitializeTSS</span><span class="p">(</span><span class="n">IN</span> <span class="n">PKTSS</span> <span class="n">Tss</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Structure of <code>_KTSS</code>:</p>Practical Reverse Engineering Exercise Solutions: KeReadyThreadhttps://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kereadythread/Sun, 16 Jul 2017 03:44:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kereadythread/<p>Unfortunately I had no time in the past days to continue with the exercises. We continue with the decompilation of the KeReadyThread function in Windows 7.</p> <p>The following listing shows the disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8125</span> <span class="mi">8</span><span class="nv">bff</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">edi</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8127</span> <span class="mi">56</span> <span class="nv">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8128</span> <span class="mi">8</span><span class="nv">bf0</span> <span class="nv">mov</span> <span class="nb">esi</span><span class="p">,</span><span class="nb">eax</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a812a</span> <span class="mi">8</span><span class="nv">b4650</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">50h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a812d</span> <span class="mi">8</span><span class="nv">b4874</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span><span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">74h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8130</span> <span class="nv">f6c107</span> <span class="nv">test</span> <span class="nb">cl</span><span class="p">,</span><span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8133</span> <span class="mi">7409</span> <span class="nv">je</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x19</span> <span class="p">(</span><span class="mi">828</span><span class="nv">a813e</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x10</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8135</span> <span class="nv">e8b74af8ff</span> <span class="nv">call</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KiInSwapSingleProcess</span> <span class="p">(</span><span class="mi">8282</span><span class="nv">cbf1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a813a</span> <span class="mi">84</span><span class="nv">c0</span> <span class="nv">test</span> <span class="nb">al</span><span class="p">,</span><span class="nb">al</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a813c</span> <span class="mi">7505</span> <span class="nv">jne</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x1e</span> <span class="p">(</span><span class="mi">828</span><span class="nv">a8143</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x19</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a813e</span> <span class="nv">e892ef0000</span> <span class="nv">call</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KiFastReadyThread</span> <span class="p">(</span><span class="mi">828</span><span class="nv">b70d5</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x1e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8143</span> <span class="mi">5</span><span class="nv">e</span> <span class="nv">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8144</span> <span class="nv">c3</span> <span class="nv">ret</span> </span></span></code></pre></td></tr></table> </div> </div><p>According to <a href="https://github.com/Zer0Mem0ry/ntoskrnl/blob/1ba25701dc670d5f63610b75b593c5841d291e7f/Ke/thredobj.c" target="_blank" rel="noopener noreffer ">this source</a>, it has the following prototype:</p>Practical Reverse Engineering Exercise Solutions: KeInitializeQueuehttps://soffensive.github.io/posts/practical-reverse-engineering/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue/Sat, 01 Jul 2017 05:39:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue/<p>We are tasked with decompiling the Windows Kernel routine KeInitializeQueue.</p> <p>Firstly, we obtain its disassembly:</p> <p><a href="../images/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" rel=""><img class="lazyload" src="https://soffensive.github.io/svg/loading.min.svg" data-src="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" data-srcset="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png, ../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png 1.5x, ../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png 2x" data-sizes="auto" alt="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" title="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" /></a> </p> <p>Secondly, we consult <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff549547%28v=vs.85%29.aspx" target="_blank" rel="noopener noreffer ">MSDN</a> for its signature:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">VOID</span> <span class="nf">KeInitializeQueue</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">_Out_</span> <span class="n">PRKQUEUE</span> <span class="n">Queue</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">_In_</span> <span class="n">ULONG</span> <span class="n">Count</span> </span></span><span class="line"><span class="cl"><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>The routine itself does not return anything. </p> <p>We learn it takes two parameters and as the assembly contains the <code>ret 8</code> instruction, the <code>KeInitializeQueue</code> function cleans up the stack and thus, it uses the <strong>stdcall</strong> convention.</p>Practical Reverse Engineering Exercise Solutions: ObFastDereferenceObjecthttps://soffensive.github.io/posts/practical-reverse-engineering/2017-06-29-practical-reverse-engineering-exercise-solutions-obfastdereferenceobject/Thu, 29 Jun 2017 09:46:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-29-practical-reverse-engineering-exercise-solutions-obfastdereferenceobject/<p>First of all a quick reminder: This series of blog posts relates to exercises from the book Practical Reverse Engineering by Dang et al. Although it is called reverse engineering in general, it actually is mostly relevant to Microsoft Windows operating systems. This is simply due to the fact that Microsoft Windows is closed source in contrast to the Linux/Unix families, which means its source code is publicly available and so no reverse engineering endeavours are necessary.</p>Practical Reverse Engineering Exercise Solutions: KeInitializeApc Routinehttps://soffensive.github.io/posts/practical-reverse-engineering/2017-06-19-practical-reverse-engineering-exercise-solutions-keinitializeapc-routine/Mon, 19 Jun 2017 02:36:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-19-practical-reverse-engineering-exercise-solutions-keinitializeapc-routine/<p>To keep me motivated and document my progress, I will create a series of blog posts with answers to some of the exercises from the book &ldquo;Practical Reverse Engineering&rdquo; by Dang, Gazet and Bachaalany.</p> <p>In the last post, we introduced the Windows Kernel Debugger (KD) and some of the functions. I have learned that rather than using KD directly, we can use WinDbg&rsquo;s interface which is more user-friendly. When calling livekd, simply append the &ldquo;-w&rdquo; parameter and WinDbg will start up:</p>Practical Reverse Engineering Exercise Solutions: Windows Kernel Routineshttps://soffensive.github.io/posts/practical-reverse-engineering/2017-06-17-practical-reverse-engineering-exercise-solutions-windows-kernel-routines/Sat, 17 Jun 2017 00:01:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-17-practical-reverse-engineering-exercise-solutions-windows-kernel-routines/<p>I am currently developing my reverse engineering skills and want to keep some important parts of this journey as well in this blog.</p> <p>The first step of this series relates to disassembling Windows kernel routines, in my case Windows 7.</p> <p>What are the prerequisites for this exercise?</p> <ul> <li>Ideally, install Windows inside a virtual machine</li> <li>From Windows Vista onwards, the Kernel debugging mode has to be enabled with: <code>bcdedit /debug on</code></li> <li>Install Debugging Tools for Windows (for example, as part of the Windows SDK - <a href="https://www.microsoft.com/en-us/download/details.aspx?id=3138" target="_blank" rel="noopener noreffer ">https://www.microsoft.com/en-us/download/details.aspx?id=3138</a> for Windows 7, which contains the Kernel Debugger (KD))</li> <li>Install LiveKD from the SysInternals Suite  <ul> <li><strong>IMPORTANT: the livekd.exe file should be placed in the system32 folder</strong></li> </ul> </li> </ul> <p>Notice that since we use LiveKD, we are essentially debugging the Kernel locally without a second system. With this approach, functions cannot be debugged as LiveKD uses a Kernel read-only memory dump as a basis.</p>