DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform
Other
2.68k stars 566 forks source link

handle new win8 syscalls relevant to core DR #899

Open derekbruening opened 10 years ago

derekbruening commented 10 years ago

From bruen...@google.com on September 17, 2012 15:04:57

split from issue #565 # grep pdb ntdll.dll/6.2.9200.16384-wow64/syscalls | grep -v Zw | awk '{print $NF}' | sort > w8

grep pdb ntdll.dll/6.1.7601.17514-wow64/syscalls | grep -v Zw | awk '{print $NF}' | sort > w7

diff w7 w8 | grep '^>'

NtAddAtomEx NtAdjustTokenClaimsAndDeviceGroups NtAlertThreadByThreadId NtAlpcConnectPortEx NtAssociateWaitCompletionPacket NtCancelWaitCompletionPacket NtCreateDirectoryObjectEx NtCreateIRTimer NtCreateLowBoxToken NtCreateTokenEx NtCreateWaitCompletionPacket NtCreateWnfStateName NtDeleteWnfStateData NtDeleteWnfStateName NtFilterBootOption NtFilterTokenEx NtFlushBuffersFileEx NtGetCachedSigningLevel NtQueryWnfStateData NtQueryWnfStateNameInformation NtSetCachedSigningLevel NtSetInformationVirtualMemory NtSetIRTimer NtSubscribeWnfStateChange NtUnmapViewOfSectionEx NtUnsubscribeWnfStateChange NtUpdateWnfStateData NtWaitForAlertByThreadId NtWaitForWnfNotifications NtWow64AllocateVirtualMemory64

diff w7 w8 | grep '^<'

< NtGetPlugPlayEvent < NtWow64InterlockedPopEntrySList

for core DR these are the ones to look at: NtUnmapViewOfSectionEx NtSetInformationVirtualMemory NtWow64AllocateVirtualMemory64

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=899

derekbruening commented 10 years ago

From bruen...@google.com on September 19, 2012 07:47:16

NtUnmapViewOfSectionEx is called on any unmap:

0:001> kn =0x320f034 0x320f020 0x770a27a8

ChildEBP RetAddr

00 0320f01c 76baeacb ntdll!NtUnmapViewOfSectionEx+0xc 01 0320f034 76baeaae KERNELBASE!UnmapViewOfFileEx+0x14 02 0320f044 74596d94 KERNELBASE!UnmapViewOfFile+0xf 03 0320f050 74596fed uxtheme!CSection::~CSection+0x1c

0:001> Uf KERNELBASE!UnmapViewOfFile KERNELBASE!UnmapViewOfFile: 76baea9f 8bff mov edi,edi 76baeaa1 55 push ebp 76baeaa2 8bec mov ebp,esp 76baeaa4 6a00 push 0 76baeaa6 ff7508 push dword ptr [ebp+8] 76baeaa9 e809000000 call KERNELBASE!UnmapViewOfFileEx (76baeab7) 76baeaae 5d pop ebp 76baeaaf c20400 ret 4

BOOL WINAPI UnmapViewOfFile( In LPCVOID lpBaseAddress );

ZwUnmapViewOfSection( IN HANDLE ProcessHandle, IN PVOID BaseAddress );

so whatever the new 3rd arg is, the default is 0. have yet to see it called directly, and no docs on KERNELBASE!UnmapViewOfFileEx, which passes its extra arg straight through.

derekbruening commented 10 years ago

From bruen...@google.com on October 12, 2012 07:30:24

NtWow64AllocateVirtualMemory64 calls NtAllocateVirtualMemory w/ some caveats:

/* XXX issue #899: for NtWow64AllocateVirtualMemory64, the base and
 * size may be 64-bit values?  But, when allocating in wow64
 * child, the address should be in low 2GB, as only ntdll64 is up
 * high.
 */

/* XXX issue #899: NtWow64AllocateVirtualMemory64 has an extra arg after ZeroBits but
 * it's ignored in wow64!whNtWow64AllocateVirtualMemory64.  We should keep an eye
 * out: maybe a future service pack or win9 will use it.
 */
derekbruening commented 10 years ago

From bruen...@google.com on October 12, 2012 07:32:49

that extra arg may be a separate pointer to the high bits of the base addr

derekbruening commented 9 years ago

*\ TODO NtSetInformationVirtualMemory

shows up on win10 notepad Save dialog box

**\ TODO use for prefetch

 # ChildEBP RetAddr  
00 04d0ddc0 70612fb9 KERNELBASE!PrefetchVirtualMemory
01 04d0ddf4 7061305b DUI70!DirectUI::DUIXmlParser::_SetXMLFromResource+0x99
02 04d0de10 7060a9f8 DUI70!DirectUI::DUIXmlParser::SetXMLFromResource+0x1b
03 04d0de28 7085fc6e DUI70!DirectUI::DUIXmlParser::SetXMLFromResource+0x18
04 04d0de50 7085fbcd explorerframe!_DUI_CreateParserFromResourceNoCallback+0x43
05 04d0de6c 7085f787 explorerframe!CSearchBoxDUIHost::_CreateFromResource+0x2f

0:000> dds @@(mc->esp)
0051db2c  74f8d60c KERNELBASE!PrefetchVirtualMemory+0x1c
0051db30  ffffffff
0051db34  00000000
0051db38  00000001
0051db3c  0051db70
0051db40  0051db5c
0051db44  00000004
0051db48  0051db7c
0051db4c  70612fb9 DUI70!DirectUI::DUIXmlParser::_SetXMLFromResource+0x99
0051db50  ffffffff
0051db54  00000001
0051db58  0051db70
0051db5c  00000000
0051db60  0051dbf0
0051db64  00000000
0051db68  00005002
0051db6c  7095e810 explorerframe!wer_NULL_THUNK_DATA_DLA <PERF> (explorerframe+0x18e810)
0051db70  70bca460 explorerframe!wer_NULL_THUNK_DATA_DLA <PERF> (explorerframe+0x3fa460)
0051db74  000011ac
BOOL WINAPI PrefetchVirtualMemory(
  _In_ HANDLE                    hProcess,
  _In_ ULONG_PTR                 NumberOfEntries,
  _In_ PWIN32_MEMORY_RANGE_ENTRY VirtualAddresses,
  _In_ ULONG                     Flags
);
typedef struct _WIN32_MEMORY_RANGE_ENTRY {
  PVOID  VirtualAddress;
  SIZE_T NumberOfBytes;
} WIN32_MEMORY_RANGE_ENTRY, *PWIN32_MEMORY_RANGE_ENTRY;

0:000> Uf KERNELBASE!PrefetchVirtualMemory
  KERNELBASE!PrefetchVirtualMemory:
  74f8d5f0 8bff            mov     edi,edi
  74f8d5f2 55              push    ebp
  74f8d5f3 8bec            mov     ebp,esp
  74f8d5f5 6a04            push    4
  74f8d5f7 8d4514          lea     eax,[ebp+14h]
  74f8d5fa 50              push    eax
  74f8d5fb ff7510          push    dword ptr [ebp+10h]
  74f8d5fe ff750c          push    dword ptr [ebp+0Ch]
  74f8d601 6a00            push    0
  74f8d603 ff7508          push    dword ptr [ebp+8]
  74f8d606 ff15c8460375    call    dword ptr [KERNELBASE!_imp__NtSetInformationVirtualMemory (750346c8)]
  74f8d60c 85c0            test    eax,eax
  74f8d60e 790d            jns     KERNELBASE!PrefetchVirtualMemory+0x2d (74f8d61d)

6 args to syscall look like: NTSTATUS NtSetInformationVirtualMemory( In HANDLE hProcess, In SETMEMORYINFORMATIONCLASS class, 0 == prefetch In ULONG_PTR NumberOfEntries, In PWIN32_MEMORY_RANGE_ENTRY VirtualAddresses, InOut PULONG ? just reusing flags param slot, or these are flags? hardcoded 4 -- sizeof the out val? but it gets STATUS_INVALID_PARAMETER_6

I see 11 calls in this notepad save dialog sequence and they all fail w/ c00000f4 (w/ no write to 5th param). That's STATUS_INVALID_PARAMETER_6 (are these bugs?).

**\ TODO use for CFG

WINAPI SetProcessValidCallTargets(
  _In_    HANDLE                hProcess,
  _In_    PVOID                 VirtualAddress,
  _In_    SIZE_T                RegionSize,
  _In_    ULONG                 NumberOfOffsets,
  _Inout_ PCFG_CALL_TARGET_INFO OffsetInformation
);

KERNELBASE!SetProcessValidCallTargets:
74f9f150 8bff            mov     edi,edi
74f9f152 55              push    ebp
74f9f153 8bec            mov     ebp,esp
74f9f155 83ec1c          sub     esp,1Ch
74f9f158 8b450c          mov     eax,dword ptr [ebp+0Ch]
74f9f15b 8365e800        and     dword ptr [ebp-18h],0
74f9f15f 8365fc00        and     dword ptr [ebp-4],0
74f9f163 53              push    ebx
74f9f164 8b5d14          mov     ebx,dword ptr [ebp+14h]
74f9f167 56              push    esi
74f9f168 8945f4          mov     dword ptr [ebp-0Ch],eax
74f9f16b 8b4510          mov     eax,dword ptr [ebp+10h]
74f9f16e 57              push    edi
74f9f16f 8b7d18          mov     edi,dword ptr [ebp+18h]
74f9f172 8945f8          mov     dword ptr [ebp-8],eax
74f9f175 8d45fc          lea     eax,[ebp-4]
74f9f178 6a10            push    10h
74f9f17a 8945ec          mov     dword ptr [ebp-14h],eax
74f9f17d 8d45e4          lea     eax,[ebp-1Ch]
74f9f180 50              push    eax
74f9f181 8d45f4          lea     eax,[ebp-0Ch]
74f9f184 895de4          mov     dword ptr [ebp-1Ch],ebx
74f9f187 50              push    eax
74f9f188 6a01            push    1
74f9f18a 6a02            push    2
74f9f18c ff7508          push    dword ptr [ebp+8]
74f9f18f 897df0          mov     dword ptr [ebp-10h],edi
74f9f192 ff15c8460375    call    dword ptr [KERNELBASE!_imp__NtSetInformationVirtualMemory (750346c8)]

so infoclass 2

Probably we can ignore this syscall: prefetch and CFG shouldn't overlap w/ DR's concerns.