
investigate new Ki export on Win8.1 x64: KiUserInvertedFunctionTable #1300

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From bruen...@google.com on October 24, 2013 10:25:26

winsysnums on ntdll.dll 6.3.9600.16408 x64 says:

KiUserInvertedFunctionTable

WARNING! UNKNOWN Ki ROUTINE!

disassembly: 0x0000000000000000 add %eax (%rax) -> (%rax) 0x0000000000000000 add %al (%rax) -> (%rax) 0x0000000000000000 add %al (%rdx) -> (%rdx) ... 0x0000000000000000 add %al (%eax) -> (%eax) ERROR: hit max instr limit 256

Neither x86 nor wow64 ntdll has this Ki routine.

At runtime on calc it is filled in:

0:004> dp ntdll!KiUserInvertedFunctionTable 00007ff998e79c50 0000020000000021 0000000000000044 00007ff998e79c60 00007ff998e82000 00007ff998d50000 00007ff998e79c70 0000c1d4001a9000 00007ff62e7ad000 00007ff998e79c80 00007ff62e730000 000050ac000e6000 00007ff998e79c90 00007ff98ba94000 00007ff98ba70000 00007ff998e79ca0 00001c380002a000 00007ff98bad5000 00007ff998e79cb0 00007ff98bac0000 00000f0c0001f000 00007ff998e79cc0 00007ff98e697000 00007ff98e620000

With pdb, it turns into: 0:004> ln 00007ff998e79c50 (00007ff998e79c50) ntdll!LdrpInvertedFunctionTable | (00007ff9`98e7cc60) ntdll!RtlpLockedSectionList

0:004> dps ntdll!LdrpInvertedFunctionTable L100 00007ff998e79c50 0000020000000021 00007ff998e79c58 0000000000000044 00007ff998e79c60 00007ff998e82000 ntdll!PchSym_ (ntdll+0x132000) 00007ff998e79c68 00007ff998d50000 ntdll!NtDllUserStubs (ntdll+0x0) 00007ff998e79c70 0000c1d4001a9000 00007ff998e79c78 00007ff62e7ad000 calc!_dyn_tls_init_callback+0xe0 00007ff998e79c80 00007ff62e730000 calc!_guard_check_icall_fptr (calc+0x0) 00007ff998e79c88 000050ac000e6000 00007ff998e79c90 00007ff98ba94000 WINMMBASE!gpEmuList (WINMMBASE+0x24000) 00007ff998e79c98 00007ff98ba70000 WINMMBASE!_guard_check_icall_fptr (WINMMBASE+0x0) 00007ff998e79ca0 00001c380002a000 00007ff998e79ca8 00007ff98bad5000 WINMM!wszNull (WINMM+0x15000) 00007ff998e79cb0 00007ff98bac0000 WINMM!_guard_check_icall_fptr (WINMM+0x0) 00007ff998e79cb8 00000f0c0001f000 00007ff998e79cc0 00007ff98e697000 tiptsf!_PchSym (tiptsf+0x77000) 00007ff998e79cc8 00007ff98e620000 tiptsf!_guard_check_icall_fptr (tiptsf+0x0) 00007ff998e79cd0 00005bd400098000 00007ff998e79cd8 00007ff9930e2000 oleacc!uWM_OLEACC_HOOK (oleacc+0x52000) 00007ff998e79ce0 00007ff993090000 oleacc!_guard_check_icall_fptr (oleacc+0x0) 00007ff998e79ce8 0000535800063000 00007ff998e79cf0 00007ff993d6f000 COMCTL32!PchSym_ (COMCTL32+0x1ef000) 00007ff998e79cf8 00007ff993b80000 COMCTL32!_guard_check_icall_fptr (COMCTL32+0x0) 00007ff998e79d00 0001d6640025a000 00007ff998e79d08 00007ff993ec6000 dwmapi!objectFactoryCShowInputPaneAnimationCoordinator_COM (dwmapi+0x16000) 00007ff998e79d10 00007ff993eb0000 dwmapi!_guard_check_icall_fptr (dwmapi+0x0) 00007ff998e79d18 0000135000021000 00007ff998e79d20 00007ff99411b000 SHCORE!PchSym_+0xd60 00007ff998e79d28 00007ff994090000 SHCORE!_guard_check_icall_fptr (SHCORE+0x0) 00007ff998e79d30 0000b244000a1000 00007ff998e79d38 00007ff994a36000 WindowsCodecs!_PchSym (WindowsCodecs+0x176000) 00007ff998e79d40 00007ff9948c0000 WindowsCodecs!_guard_check_icall_fptr (WindowsCodecs+0x0) 00007ff998e79d48 0001458c00193000 00007ff998e79d50 
00007ff994ea2000 UxTheme!PchSym_ (UxTheme+0x102000) 00007ff998e79d58 00007ff994da0000 UxTheme!ImageBase 00007ff998e79d60 0000ebd400122000 00007ff998e79d68 00007ff994f70000 DEVOBJ!InstallLogFilePath (DEVOBJ+0x20000) 00007ff998e79d70 00007ff994f50000 DEVOBJ!_guard_check_icall_fptr (DEVOBJ+0x0) 00007ff998e79d78 0000172800026000 00007ff998e79d80 00007ff994fa5000 kernel_appcore!PsmpProcessActivationType (kernel_appcore+0x5000) 00007ff998e79d88 00007ff994fa0000 kernel_appcore!_guard_check_icall_fptr (kernel_appcore+0x0) 00007ff998e79d90 000000e40000a000 00007ff998e79d98 00007ff996007000 bcryptPrimitives!gcDSA_TestPrimality+0x428 00007ff998e79da0 00007ff995fb0000 bcryptPrimitives!_guard_check_icall_fptr (bcryptPrimitives+0x0) 00007ff998e79da8 00003e400005e000 00007ff998e79db0 00007ff996016000 CRYPTBASE!ErrorSessionKey+0x9f0 00007ff998e79db8 00007ff996010000 CRYPTBASE!_guard_check_icall_fptr (CRYPTBASE+0x0) 00007ff998e79dc0 0000036c0000a000 00007ff998e79dc8 00007ff9961e2000 cfgmgr32!_PchSym (cfgmgr32+0x42000) 00007ff998e79dd0 00007ff9961a0000 cfgmgr32!_guard_check_icall_fptr (cfgmgr32+0x0) 00007ff998e79dd8 00003f3c0004a000 00007ff998e79de0 00007ff996571000 KERNELBASE!StateEnumerator<AtomSettingsItemFetcher>::EnumerateNextItem'::2'::tempNameBuffer (KERNELBASE+0xf1000) 00007ff998e79de8 00007ff996480000 KERNELBASE!_guard_check_icall_fptr (KERNELBASE+0x0) 00007ff998e79df0 000115980010e000 00007ff998e79df8 00007ff996685000 SHLWAPI!PchSym_ (SHLWAPI+0x45000) 00007ff998e79e00 00007ff996640000 SHLWAPI!_guard_check_icall_fptr (SHLWAPI+0x0) 00007ff998e79e08 000033d800051000 00007ff998e79e10 00007ff996734000 msvcrt!bufin+0x5a0 00007ff998e79e18 00007ff9966a0000 msvcrt!_guard_check_icall_fptr (msvcrt+0x0) 00007ff998e79e20 00008004000a7000 00007ff998e79e28 00007ff996776000 IMM32!CleanDate+0x38 00007ff998e79e30 00007ff996750000 IMM32!_guard_check_icall_fptr (IMM32+0x0) 00007ff998e79e38 0000486c00034000 00007ff998e79e40 00007ff99682b000 USER32!gpfnGetIMEMenuItemData+0x658 00007ff998e79e48 
00007ff996790000 USER32!_guard_check_icall_fptr (USER32+0x0) 00007ff998e79e50 0000c7a400171000 00007ff998e79e58 00007ff996a30000 GDI32!PchSym_ (GDI32+0x120000) 00007ff998e79e60 00007ff996910000 GDI32!_guard_check_icall_fptr (GDI32+0x0) 00007ff998e79e68 0000f00000145000 00007ff998e79e70 00007ff996e45000 KERNEL32!FSPErrorMessages::g_pwszWMREscalatedMessageBuffer (KERNEL32+0x115000) 00007ff998e79e78 00007ff996d30000 KERNEL32!_guard_check_icall_fptr (KERNEL32+0x0) 00007ff998e79e80 00007ed800139000 00007ff998e79e88 00007ff996f85000 RPCRT4!PchSym_ (RPCRT4+0x115000) 00007ff998e79e90 00007ff996e70000 RPCRT4!_guard_check_icall_fptr (RPCRT4+0x0) 00007ff998e79e98 0001593c00136000 00007ff998e79ea0 00007ff997054000 ADVAPI32!g_Win64Registry (ADVAPI32+0x94000) 00007ff998e79ea8 00007ff996fc0000 ADVAPI32!_guard_check_icall_fptr (ADVAPI32+0x0) 00007ff998e79eb0 000060d8000a5000 00007ff998e79eb8 00007ff997108000 clbcatq!g_pfnGetProcessLogger (clbcatq+0x98000) 00007ff998e79ec0 00007ff997070000 clbcatq!_guard_check_icall_fptr (clbcatq+0x0) 00007ff998e79ec8 00004854000a4000 00007ff998e79ed0 00007ff9971c5000 OLEAUT32!PchSym_ (OLEAUT32+0xa5000) 00007ff998e79ed8 00007ff997120000 OLEAUT32!_guard_check_icall_fptr (OLEAUT32+0x0) 00007ff998e79ee0 0000a56c000b7000 00007ff998e79ee8 00007ff9972c0000 MSCTF!_PchSym (MSCTF+0xe0000) 00007ff998e79ef0 00007ff9971e0000 MSCTF!_guard_check_icall_fptr (MSCTF+0x0) 00007ff998e79ef8 0000fe5800138000 00007ff998e79f00 00007ff9974b1000 combase!bAllocateIfNeccessary (combase+0x191000) 00007ff998e79f08 00007ff997320000 combase!ImageBase 00007ff998e79f10 00026b98001d7000 00007ff998e79f18 00007ff99766e000 gdiplus!IntMap::EmptyPlane (gdiplus+0x16e000) 00007ff998e79f20 00007ff997500000 gdiplus!_guard_check_icall_fptr (gdiplus+0x0) 00007ff998e79f28 0001192800198000 00007ff998e79f30 00007ff9977ad000 sechost!_puiHead (sechost+0x4d000) 00007ff998e79f38 00007ff997760000 sechost!_guard_check_icall_fptr (sechost+0x0) 00007ff998e79f40 000043f800057000 00007ff998e79f48 
00007ff9980d2000 SHELL32!CExecuteAppIDAndActivationContext::_AdjustPropStoreForImmersiveExecute'::17'::local static guard' \<PERF> (SHELL32+0x912000) 00007ff998e79f50 00007ff9977c0000 SHELL32!_guard_check_icall_fptr \<PERF> (SHELL32+0x0) 00007ff998e79f58 000869880140f000 00007ff998e79f60 00007ff998d12000 ole32!__PchSym_ <PERF> (ole32+0x142000) 00007ff998e79f68 00007ff998bd0000 ole32!__ImageBase 00007ff998e79f70 00014b2000176000 00007ff998e79f78 0000000000000000 00007ff998e79f80 0000000000000000 00007ff998e79f88 0000000000000000 00007ff998e79f90 00000000`00000000

It seems to hold records of the following format, giving each library's size together with its .pdata section base and size:

struct { PVOID lib_pdata_section_base; PVOID lib_loaded_base; DWORD lib_pdata_section_size; DWORD lib_image_size; };

Recall that the .pdata section holds function table entries for SEH64.

!dh ntdll => 1A9000 size of image SECTION HEADER #4 .pdata name C1D4 virtual size 132000 virtual address

!dh winmm =...

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=1300

derekbruening commented 9 years ago

From bruen...@google.com on October 24, 2013 07:38:11

This seems to be for user-mode SEH64, so it is not clear why it has a Ki export: does the kernel do anything with this?