UpdatedAnalysisofPatchGuardonMicrosoftWindows10RS4资源-CSDN文库

window

需积分: 16 127 浏览量 2019-03-23 00:41:54 上传评论收藏 1.65MB PDF 举报

资源推荐

资源详情

资源评论

TETRANE Updated Analysis of PatchGuard on MS Windows 10 RS4 +33 (0)3 39 25 00 45

82-86 rue Victor Hugo Luc Reginato +1 (415) 513-7474

Updated Analysis of PatchGuard on

Microsoft Windows 10 RS4

A use case of REVEN, the Timeless Analysis Tool

Author: Luc Reginato, @_YouB_

www.tetrane.com

Table of Contents
I - Introduction....................................................................................................................................................................6
A - Few words about Timeless Analysis with REVEN...............................................................................................6
B - What’s PatchGuard.................................................................................................................................................6
C - How does it work?.................................................................................................................................................7
D - Our approach: Timeless debugging.....................................................................................................................7
II - Initialization...................................................................................................................................................................9
A - Call to KiFilterFiberContext...................................................................................................................................9
1 - Triggering an exception in KiAmd64SpecificState........................................................................................9
2 - ExpLicenseWatchInitWorker.........................................................................................................................10
a - Structure passed to KiFilterFiberContext...............................................................................................11
i - KiLockServiceTable: Filling the HalReserved[] field..........................................................................11
ii - KiLockServiceTable: Checksums initializations.................................................................................12
B - KiFilterFiberContext.............................................................................................................................................12
1 - Quick Overview...............................................................................................................................................12
C - Initialization of PatchGuard contexts.................................................................................................................14
1 - PatchGuard context: Definition.....................................................................................................................14
a - Structure.....................................................................................................................................................14
i - First part.................................................................................................................................................14
ii - Second part..........................................................................................................................................16
iii - Third part..............................................................................................................................................17
2 - PatchGuard context: Initialization.................................................................................................................17
a - KiInitPatchGuardContext: Method 0, 1, 2, 3, 4, 5, 7.............................................................................17
i - Method 0 – Inserting a timer, linked with a DPC..............................................................................18
ii - Method 1 and 2 – Hidden DPC...........................................................................................................18
iii - Method 3 – System Thread...............................................................................................................19
iv - Method 4 – Asynchronous Procedure Call.......................................................................................20
v - Method 5 – Hook a regular DPC........................................................................................................20
vi - Method 7 – the new weird one.........................................................................................................21
vii - KiInitPatchGuardContext: Other arguments...................................................................................24
b - « TV » callback, first time linking PatchGuard to mssecflt.sys............................................................25
c - KiSwInterruptDispatch..............................................................................................................................27
d - Some breadcrumbs: CcInitializeBcbProfiler...........................................................................................27
e - Some breadcrumbs: PspProcessDelete..................................................................................................28
f - Some breadcrumbs: KiInitializeUserApc..................................................................................................29
g - Other call to KiInitPatchGuardContext...................................................................................................29
III - Triggering a check.....................................................................................................................................................30
A - DPC execution......................................................................................................................................................30
1 - Non-Canonical DeferredContext pointer.....................................................................................................30
2 - Triggering the exception handler: The Russian roulette trick...................................................................31
3 - PatchGuard context decryption....................................................................................................................32
a - First layer....................................................................................................................................................32
b - First layer... and a half...............................................................................................................................33
c - Second and last layer................................................................................................................................33
4 - Passing control to the verification routine..................................................................................................34
B - System Thread method.......................................................................................................................................35
1 - Triggering the Exception Handler.................................................................................................................35
2 - New Thread.....................................................................................................................................................36
© 2019 Tetrane Updated Analysis of PatchGuard on MS Windows 10 RS4 v1.00 3/61

3 - Decryption process........................................................................................................................................36
4 - Post verification for this case only...............................................................................................................36
C - APC insertion........................................................................................................................................................37
D - Global variable call...............................................................................................................................................37
E - KiSwInterruptDispatch method..........................................................................................................................38
F - Breadcrumbs.........................................................................................................................................................38
IV - Verification routines.................................................................................................................................................39
A - Prologue................................................................................................................................................................39
1 - Checksum the pg_ctx part 1, 2 and 3, with comparison...........................................................................40
2 - Re-Encrypt part 1...........................................................................................................................................40
3 - Checksum of part 2 and 3.............................................................................................................................40
4 - Wait..................................................................................................................................................................40
5 - Decrypt back the first part of the context...................................................................................................42
6 - Checksum of part 2 and 3, with comparison..............................................................................................42
7 - Checksum of part 1, with comparison.........................................................................................................42
8 - Setting the Thread Affinity group.................................................................................................................42
B - Kernel Structure Integrity Checks......................................................................................................................43
1 - Main algorithm................................................................................................................................................43
2 - Practical use-case: IDT verification with timeless debugging...................................................................44
C - Epilogue.................................................................................................................................................................45
1 - Everything's fine, go home and be safe!......................................................................................................45
2 - Die you filthy wild patch................................................................................................................................46
a - Checksum, Encryption and verifications.................................................................................................46
b - Restore Sensitive data..............................................................................................................................47
i - PTE rewrite............................................................................................................................................47
ii - Critical Routines rewrite......................................................................................................................48
iii - One more anti-debug.........................................................................................................................48
iv - Clear some entries..............................................................................................................................48
v - KeBugCheckEx or SdpbCheckDll.......................................................................................................48
V - Disabling PatchGuard................................................................................................................................................50
A - Limitations.............................................................................................................................................................50
B - Disable already launched contexts.....................................................................................................................50
C - Disable Timers from method 0...........................................................................................................................51
D - Disable hidden DPC pointer from method 1 and 2.........................................................................................51
E - Disable the hook from method 5.......................................................................................................................51
F - Disable the global pointer from mssecflt.sys...................................................................................................51
G - Disable the KiSwInterruptDispatch method.....................................................................................................51
H - Disable Breadcrumbs – KeServiceDescriptorTable check..............................................................................52
I - Disable Breadcrumbs – IDT check.......................................................................................................................52
VI - Conclusion.................................................................................................................................................................53
A - Few words.............................................................................................................................................................53
B - Remarks about this work.....................................................................................................................................53
C - References............................................................................................................................................................53
VII - About Tetrane and REVEN technology..................................................................................................................55
A - TETRANE...............................................................................................................................................................55
B - TETRANE’s technology........................................................................................................................................55
1 - Example of workflow.....................................................................................................................................56
a - Identify the scenario you want analyzed................................................................................................56
b - Capture the full system execution..........................................................................................................56
c - Generate the trace....................................................................................................................................56
d - Analyze interactively or automatically....................................................................................................57
© 2019 Tetrane Updated Analysis of PatchGuard on MS Windows 10 RS4 v1.00 4/61