Shifting yourself to space

April 28, 2011

Dwelling into ZwSetSystemInformation

Filed under: Uncategorized — shift32 @ 4:34 pm

As things got a bit out of control with my simple driver, I decided to debug and see what's really going on inside ZwSetSystemInformation.
Perplexed by the Windows architecture (so far I was used to good old Linux 2.6.x), I plugged windbg into a session an


kd> uf nt!ZwSetSystemInformation
nt!ZwSetSystemInformation:
804fe534 b8f0000000      mov     eax,0F0h
804fe539 8d542404        lea     edx,[esp+4]
804fe53d 9c              pushfd
804fe53e 6a08            push    8
804fe540 e80ce10300      call    nt!KiSystemService (8053c651)
804fe545 c20c00          ret     0Ch
kd> x nt!ZwSetSystemInformation
804fe534 nt!ZwSetSystemInformation = <no type information>

As I had read beforehand, ZwSetSystemInformation is an undocumented and “stealthy” function to load drivers, so I wasn't expecting anything special.
As the “examine” command doesn't give anything at all, I kept looking a bit more. I thought about checking where the function is defined in the official sources, i.e. Microsoft
or the WDK, but it seems that undocumented is indeed undocumented; the best I could find was basically the original definition I had


NTSTATUS (__stdcall *ZwSetSystemInformation)( IN DWORD functionCode,        /* SYSTEM_INFORMATION_CLASS value selecting the operation */
                                              IN OUT PVOID driverName,      /* information buffer, here the driver name */
                                              IN LONG driverNameLength );   /* size of that buffer */

and nothing more.
Well, I guess that's enough for a start. I set a bp on ZwSetSystemInformation and kept hoping for the best.

kd> bp nt!ZwSetSystemInformation
kd> bl
 0 e 804fe534     0001 (0001) nt!ZwSetSystemInformation

Once I hit it, I disassembled the call and wasn't too surprised to see that it was calling nt!KiSystemService

nt!ZwSetSystemInformation:
804fe534 b8f0000000      mov     eax,0F0h
804fe539 8d542404        lea     edx,[esp+4]
804fe53d 9c              pushfd
804fe53e 6a08            push    8
804fe540 e80ce10300      call    nt!KiSystemService (8053c651)
804fe545 c20c00          ret     0Ch

The interesting instructions here are

804fe534 b8f0000000      mov     eax,0F0h
804fe539 8d542404        lea     edx,[esp+4]
804fe53d 9c              pushfd
804fe53e 6a08            push    8

I don't know enough to understand what each one of them means, but it's worth investigating deeper in order to understand.
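To make those four instructions concrete, here is an added Python script (not from the post) that parses the `uf` listing quoted above and pulls out what the stub actually does: `mov eax,0F0h` loads the system service number (a value specific to the kernel build being debugged), `lea edx,[esp+4]` points edx at the first stack argument, and `pushfd` / `push 8` / `call nt!KiSystemService` leave EFLAGS, a code-segment selector and a return address on the stack, the same shape of frame an interrupt would have pushed, which is the layout KiSystemService expects. The `ret 0Ch` cleanup (12 bytes, three stdcall parameters) also agrees with the three-parameter prototype above. The sample listing is the post's own output embedded as a string; the instruction pattern assumed is that of a 32-bit kernel Zw stub.

```python
import re

# Constructed sample input: the `uf nt!ZwSetSystemInformation` listing quoted in the post.
SAMPLE_UF = """\
nt!ZwSetSystemInformation:
804fe534 b8f0000000      mov     eax,0F0h
804fe539 8d542404        lea     edx,[esp+4]
804fe53d 9c              pushfd
804fe53e 6a08            push    8
804fe540 e80ce10300      call    nt!KiSystemService (8053c651)
804fe545 c20c00          ret     0Ch
"""

# One windbg disassembly line: address, opcode bytes, mnemonic, optional operands.
INSN_RE = re.compile(
    r'^(?P<addr>[0-9a-f]{8})\s+(?P<raw>[0-9a-f]+)\s+(?P<mnem>\S+)(?:\s+(?P<ops>.*))?$')


def parse_listing(text):
    """Turn `uf`/`u` output into (address, opcode bytes, mnemonic, operands) tuples."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            insns.append((int(m['addr'], 16), bytes.fromhex(m['raw']),
                          m['mnem'], (m['ops'] or '').strip()))
    return insns


def masm_int(tok):
    """Parse a MASM-style immediate as windbg prints it: 0F0h, 0Ch, 8."""
    tok = tok.strip()
    return int(tok[:-1], 16) if tok.lower().endswith('h') else int(tok, 10)


def analyze_zw_stub(text):
    """Describe a 32-bit Zw* stub: service number, argument pointer, the
    interrupt-like frame it builds, the dispatcher it calls and its arg count."""
    info = {'service_number': None, 'args_ptr': None, 'frame': [],
            'dispatcher': None, 'arg_count': None}
    prev = None
    for addr, raw, mnem, ops in parse_listing(text):
        if mnem == 'mov' and ops.startswith('eax,') and raw[0] == 0xB8:
            # `mov eax, imm32` (opcode B8): the system service number.
            info['service_number'] = masm_int(ops.split(',', 1)[1])
            # Cross-check the printed immediate against the little-endian imm32 bytes.
            assert info['service_number'] == int.from_bytes(raw[1:5], 'little')
        elif mnem == 'lea' and ops.startswith('edx,'):
            # edx = address of the first stack argument (esp+4 skips the return address).
            info['args_ptr'] = ops.split(',', 1)[1]
        elif mnem == 'pushfd':
            info['frame'].append('EFLAGS')
        elif mnem == 'push' and prev == 'pushfd':
            # Code-segment selector pushed right after EFLAGS; together with the
            # return address the CALL pushes, the stack looks like an interrupt frame.
            info['frame'].append(('CS', masm_int(ops)))
        elif mnem == 'call':
            info['dispatcher'] = ops.split()[0]
            info['frame'].append('EIP')
        elif mnem == 'ret' and ops:
            # `ret N` pops N bytes of arguments: N/4 stack parameters under stdcall.
            info['arg_count'] = masm_int(ops) // 4
        prev = mnem
    return info


if __name__ == '__main__':
    for key, value in analyze_zw_stub(SAMPLE_UF).items():
        print(f'{key:15} {value}')
```

Running it prints the service number as 240 (0xF0), the argument pointer `[esp+4]`, the frame `['EFLAGS', ('CS', 8), 'EIP']`, the dispatcher `nt!KiSystemService` and an argument count of 3. The same parser works on any `u` listing, so it can be pointed at other Zw stubs to compare their service numbers.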

Trying to figure out which address gets into edx didn't give much in the way of results, besides some archaic thoughts


kd> dw 81dc4068 
81dc4068  0006 0070 0000 0000 4070 81dc 4070 81dc
81dc4078  4078 81dc 4078 81dc 6000 f4ca 2000 f4ca
81dc4088  d000 7ffd 0000 0000 5b10 f4ca 0200 0000
81dc4098  0a00 0800 409c 81dc 409c 81dc 40a4 81dc
81dc40a8  40a4 81dc 2da0 8201 0000 0000 076e 0000
81dc40b8  0000 0000 0000 0000 0000 0000 40d8 81dc
81dc40c8  0000 0000 8db8 8054 5c6b 0001 0008 0400
81dc40d8  bbf8 81f2 bbf8 81f2 4068 81dc 3a60 f72a
kd> db 81dc4068 
81dc4068  06 00 70 00 00 00 00 00-70 40 dc 81 70 40 dc 81  ..p.....p@..p@..
81dc4078  78 40 dc 81 78 40 dc 81-00 60 ca f4 00 20 ca f4  x@..x@...`... ..
81dc4088  00 d0 fd 7f 00 00 00 00-10 5b ca f4 00 02 00 00  .........[......
81dc4098  00 0a 00 08 9c 40 dc 81-9c 40 dc 81 a4 40 dc 81  .....@...@...@..
81dc40a8  a4 40 dc 81 a0 2d 01 82-00 00 00 00 6e 07 00 00  .@...-......n...
81dc40b8  00 00 00 00 00 00 00 00-00 00 00 00 d8 40 dc 81  .............@..
81dc40c8  00 00 00 00 b8 8d 54 80-6b 5c 01 00 08 00 00 04  ......T.k\......
81dc40d8  f8 bb f2 81 f8 bb f2 81-68 40 dc 81 60 3a 2a f7  ........h@..`:*.
kd> u 81dc4068 
81dc4068 06              push    es
81dc4069 007000          add     byte ptr [eax],dh
81dc406c 0000            add     byte ptr [eax],al
81dc406e 0000            add     byte ptr [eax],al
81dc4070 7040            jo      81dc40b2
81dc4072 dc817040dc81    fadd    qword ptr [ecx-7E23BF90h]
81dc4078 7840            js      81dc40ba
81dc407a dc817840dc81    fadd    qword ptr [ecx-7E23BF88h]
kd>
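Interpreting `db`/`dw` output by eye is error-prone, so here is an added Python helper (not part of the post) that parses `db` lines into a byte buffer, reads little-endian words and dwords at any address, checks the `dw` listing against the bytes, and scans for 4-byte slots where the dword and the one after it both equal the slot's own address. The first three lines of each dump above are embedded as the sample input. Two such slots show up, at 81dc4070 and 81dc4078; a dword pair pointing back at itself is what an empty LIST_ENTRY (Flink and Blink both pointing at the list head) looks like in memory. Reading the region as data this way is more informative than the `u` attempt, since disassembling data only produces the meaningless `push es` / `fadd` seen above.

```python
import re

# Constructed sample input: the first three lines of the `db` and `dw` dumps quoted in the post.
SAMPLE_DB = """\
81dc4068  06 00 70 00 00 00 00 00-70 40 dc 81 70 40 dc 81  ..p.....p@..p@..
81dc4078  78 40 dc 81 78 40 dc 81-00 60 ca f4 00 20 ca f4  x@..x@...`... ..
81dc4088  00 d0 fd 7f 00 00 00 00-10 5b ca f4 00 02 00 00  .........[......
"""
SAMPLE_DW = """\
81dc4068  0006 0070 0000 0000 4070 81dc 4070 81dc
81dc4078  4078 81dc 4078 81dc 6000 f4ca 2000 f4ca
81dc4088  d000 7ffd 0000 0000 5b10 f4ca 0200 0000
"""

# A `db` line: 8-digit address, then 16 byte values separated by spaces and one dash.
DB_RE = re.compile(r'^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})')


def parse_db(text):
    """Return (base address, bytearray) for a contiguous `db` listing."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        addr = int(m[1], 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f'non-contiguous db line at {addr:08x}')
        buf += bytes.fromhex(re.sub(r'[ -]', '', m[2]))
    return base, buf


def parse_dw(text):
    """Return {address: 16-bit word} from a `dw` listing (8 words per line)."""
    words = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or len(tok[0]) != 8 or any(len(t) != 4 for t in tok[1:]):
            continue
        try:
            addr, vals = int(tok[0], 16), [int(t, 16) for t in tok[1:]]
        except ValueError:
            continue
        for i, v in enumerate(vals):
            words[addr + 2 * i] = v
    return words


def read_u16(base, buf, addr):
    off = addr - base
    if not 0 <= off <= len(buf) - 2:
        raise IndexError(f'{addr:08x} outside dumped range')
    return int.from_bytes(buf[off:off + 2], 'little')


def read_u32(base, buf, addr):
    off = addr - base
    if not 0 <= off <= len(buf) - 4:
        raise IndexError(f'{addr:08x} outside dumped range')
    return int.from_bytes(buf[off:off + 4], 'little')


def dw_matches_db(base, buf, words):
    """True when every word printed by `dw` equals the little-endian pair of `db` bytes."""
    return all(read_u16(base, buf, a) == v for a, v in words.items())


def find_self_linked_slots(base, buf):
    """Addresses A where dword[A] == A and dword[A+4] == A: an empty LIST_ENTRY shape."""
    hits = []
    for off in range(0, len(buf) - 7, 4):
        addr = base + off
        if read_u32(base, buf, addr) == addr and read_u32(base, buf, addr + 4) == addr:
            hits.append(addr)
    return hits


if __name__ == '__main__':
    base, buf = parse_db(SAMPLE_DB)
    print(f'{len(buf)} bytes at {base:08x}; dw agrees with db: '
          f'{dw_matches_db(base, buf, parse_dw(SAMPLE_DW))}')
    for a in find_self_linked_slots(base, buf):
        print(f'self-linked dword pair at {a:08x}')
```

The script prints 48 bytes at 81dc4068 with the `dw` view agreeing with the `db` bytes, and reports the two self-linked pairs at 81dc4070 and 81dc4078. Pasting a longer `db` dump in place of the sample extends the scan to the whole region.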

So I kept on debugging. To be continued for now…


1 Comment »

  1. uf nt!NtSetSystemInformation

    Comment by waliedassar — December 8, 2012 @ 11:56 pm | Reply

