sslab-gatech / winnie

Winnie is an end-to-end system that makes fuzzing Windows applications easy
MIT License
542 stars, 74 forks

Problem generating csrss_header.h file. #11

Closed rish9101 closed 2 years ago

rish9101 commented 3 years ago

While running the gen_csrss_offsets.py script, I am running into a KeyError for RtlpEnvironLookupTable. I'm not sure why I get this error since the PDBs from Microsoft server were downloaded correctly.

The exact error generated is: [screenshot]

My configuration is: Python version 2.7.18 (64-bit); Windows build version 21343.1000.

stong commented 3 years ago

The link order of ntdll is not stable so the script will not work on all versions. According to the README:

The fuzzer was tested on Windows 10 x64 1809 17763.973. Any other configurations should be considered as unsupported.

Winnie is only guaranteed to be working for this exact version of Windows. You should install this version, 17763.

Could you please send me your ntdll.dll (from System32 and SysWOW64)?

rish9101 commented 3 years ago

Ok. I'll try with that.

Here's the ntdll.dll file - https://drive.google.com/file/d/1ry26kkKyhHDf9HJHUdHi7MFJBtLdO0n5/view?usp=sharing

Here's its pdb file - https://drive.google.com/file/d/1VVYpF6AQlVfEMFL-wNKAZH4v9PXc3Cjv/view?usp=sharing

stong commented 3 years ago

Hi, try replacing RtlpEnvironLookupTable with RtlpCurDirRef in the script, see if this works. I included a modified version for you to try. gen_csrss_offsets.zip

stong commented 2 years ago

Closed due to inactivity

xenomuta commented 1 year ago

@stong first of all, thanks to you and all the team for sharing winnie and coming up with such a clever workaround to forking on Windows. I'm working on some changes to forklib to make winnie work on Windows 11 and stumbled on this same issue.

Could you share the reasoning behind choosing the RtlpEnvironLookupTable function (now missing from the ntdll.dll) as bounding offset of a range?

I want to understand exactly why this symbol was chosen so I can build a generator that works with any version of ntdll.dll.

stong commented 1 year ago

Hi. Apologies for delayed response. I've been very busy lately.

If memory serves, the important fields to zero out are described in this comment here: https://github.com/sslab-gatech/winnie/blob/master/forklib/gen_csrss_offsets.py#L164

So those are the most important fields, namely the Csr related ones. RtlpCurDirRef and RtlpEnvironLookupTable also were important to zero, but I don't know why.

There were many changes from Win10 to Win11. No guarantee if Win11 can be supported, although there's a possibility.

Good luck!
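The root cause discussed in this thread is an offset generator that hard-codes one symbol name (RtlpEnvironLookupTable) and dies with a KeyError when a newer ntdll.dll no longer exports it, while the suggested workaround was to swap in RtlpCurDirRef by hand. The following is an added example, not winnie's gen_csrss_offsets.py and not code from anyone in the thread, showing how such a generator can be made tolerant of that drift: each required slot carries an ordered list of acceptable symbol names, the resolver records which name was actually used, and a missing slot fails with a message naming every candidate tried instead of a bare KeyError. The symbol-dump text format, the RVA values, the slot names, the choice of which two symbols bound the zeroed range, and the header layout are all constructed for illustration and are not real ntdll offsets or winnie's actual layout.

```python
"""Version-tolerant ntdll symbol-offset resolution for a csrss_header.h-style
header.  Added example; not winnie's gen_csrss_offsets.py.  Dump format,
RVA values, slot names and range bounds are constructed for illustration."""
import re
from typing import Dict, Sequence, Tuple

# Constructed: one "name rva" pair per line, as exported from a PDB by some
# tool of your choice.  Values are arbitrary, not real ntdll offsets.
SYMBOL_DUMP_17763 = """\
CsrPortHandle            0x00164b00
CsrPortMemoryRemoteDelta 0x00164b08
CsrServerApiRoutine      0x00164b10
RtlpCurDirRef            0x00164c40
RtlpEnvironLookupTable   0x00164c60
"""

# Constructed: a newer build where RtlpEnvironLookupTable is gone, which is
# the situation that produced the KeyError in this issue.
SYMBOL_DUMP_NEWER = """\
CsrPortHandle            0x00171d00
CsrPortMemoryRemoteDelta 0x00171d08
CsrServerApiRoutine      0x00171d10
RtlpCurDirRef            0x00171e40
"""

# Each required slot lists acceptable symbol names in order of preference.
# The RtlpEnvironLookupTable -> RtlpCurDirRef fallback mirrors the workaround
# suggested in the thread; the slot names themselves are an assumption.
REQUIRED: Dict[str, Sequence[str]] = {
    "CSR_PORT_HANDLE": ("CsrPortHandle",),
    "CSR_PORT_MEMORY_REMOTE_DELTA": ("CsrPortMemoryRemoteDelta",),
    "CSR_SERVER_API_ROUTINE": ("CsrServerApiRoutine",),
    "ENVIRON_OR_CURDIR": ("RtlpEnvironLookupTable", "RtlpCurDirRef"),
}


class MissingSymbol(LookupError):
    """Raised when no candidate for a required slot exists in this ntdll."""


def parse_symbol_dump(text: str) -> Dict[str, int]:
    """Parse the constructed 'name 0xRVA' dump into a name -> RVA table."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s+0x([0-9a-fA-F]+)\s*$", line)
        if m:
            table[m.group(1)] = int(m.group(2), 16)
    return table


def resolve(table: Dict[str, int],
            required: Dict[str, Sequence[str]]) -> Dict[str, Tuple[str, int]]:
    """Map each slot to (symbol actually used, rva).  Collects every missing
    slot before failing, so one run reports all drift at once."""
    resolved: Dict[str, Tuple[str, int]] = {}
    missing = []
    for slot, candidates in required.items():
        for name in candidates:
            if name in table:
                resolved[slot] = (name, table[name])
                break
        else:
            missing.append(f"{slot} (tried: {', '.join(candidates)})")
    if missing:
        raise MissingSymbol("unsupported ntdll build; no symbol for "
                            + "; ".join(missing))
    return resolved


def zero_range(resolved: Dict[str, Tuple[str, int]],
               lo_slot: str, hi_slot: str) -> Tuple[int, int]:
    """(start_rva, length) of the region bounded by two resolved symbols.
    Refuses an inverted range instead of silently zeroing the wrong bytes."""
    lo, hi = resolved[lo_slot][1], resolved[hi_slot][1]
    if hi <= lo:
        raise ValueError(f"{hi_slot} (0x{hi:x}) is not above {lo_slot} (0x{lo:x})")
    return lo, hi - lo


def emit_header(resolved: Dict[str, Tuple[str, int]],
                guard: str = "CSRSS_HEADER_H") -> str:
    """Render a C header; each define is annotated with the symbol it came
    from so a fallback choice is visible to whoever reads the header."""
    out = [f"#ifndef {guard}", f"#define {guard}", ""]
    for slot, (name, rva) in sorted(resolved.items()):
        out.append(f"#define {slot} 0x{rva:08x} /* {name} */")
    out += ["", f"#endif /* {guard} */"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, dump in (("17763", SYMBOL_DUMP_17763), ("newer", SYMBOL_DUMP_NEWER)):
        r = resolve(parse_symbol_dump(dump), REQUIRED)
        print(f"// build {label}: zero range", zero_range(r, "CSR_PORT_HANDLE", "ENVIRON_OR_CURDIR"))
        print(emit_header(r))
```

Note what the fallback changes: on the constructed newer build the upper bound of the zeroed range moves from RtlpEnvironLookupTable to RtlpCurDirRef, so the range length differs from the 17763 build. That is why the generated header records which symbol each define came from; when a substituted symbol turns out not to be a valid bound, the header shows it rather than hiding it behind a generic name.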