
PspCidTable address #41

Open
oiramario opened this issue Jul 5, 2022 · 9 comments

Comments

@oiramario

oiramario commented Jul 5, 2022

PBYTE PspCidTableAddress = FindPatternImage(base, "\x48\x8B\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x49\x89", "xxx????x????xx");

Disasm could be removed.
hidden.sys size would be reduced from 400KB to 50KB.

@JKornev
Owner

JKornev commented Jul 5, 2022

I thought about pattern matching vs disasm at the design step, and from my point of view pattern matching has a much bigger chance to miss a signature or return a wrong object. In the case of disasm you scan the exact place where the object should appear, and that decreases the chance of getting a wrong object. That is more important to me than binary size, because I want to make a stable driver (not PoC quality) even if it does tricky stuff in the kernel.
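As an added example (not code from the hidden project or from either commenter), here is a small C implementation of the 'x'/'?' mask scan behind the FindPatternImage call quoted at the top of the thread, run over a constructed byte buffer. It illustrates the point made above: the wildcard-heavy signature can hit more than one place, while a fully specified one cannot. The buffer contents and the demo_* function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mask-driven byte scan: 'x' means the byte must equal pattern[i], '?' is a
 * wildcard. Returns the number of matches in image and stores the offset of
 * the first one in *first (SIZE_MAX when there is none). */
size_t scan_pattern(const uint8_t *image, size_t image_len,
                    const uint8_t *pattern, const char *mask, size_t *first)
{
    size_t plen = strlen(mask);   /* pattern and mask must be the same length */
    size_t hits = 0;
    *first = SIZE_MAX;
    if (plen == 0 || image_len < plen)
        return 0;
    for (size_t off = 0; off + plen <= image_len; off++) {
        size_t i;
        for (i = 0; i < plen; i++)
            if (mask[i] == 'x' && image[off + i] != pattern[i])
                break;
        if (i == plen) {
            if (hits == 0)
                *first = off;
            hits++;
        }
    }
    return hits;
}

/* Constructed buffer (not a real ntoskrnl image): two "mov rcx,[rip+X]; call Y;
 * mov [r9+..]"-shaped sequences separated by filler, so the wildcard signature
 * from the issue is ambiguous while a fully specified one is not. */
static const uint8_t kImage[] = {
    0x90, 0x90, 0x90, 0x90,                                                                 /* filler */
    0x48, 0x8B, 0x0D, 0x11, 0x22, 0x33, 0x44, 0xE8, 0xAA, 0xBB, 0xCC, 0xDD, 0x49, 0x89,   /* hit 1 @4 */
    0xCC, 0xCC, 0xCC, 0xCC,                                                                 /* filler */
    0x48, 0x8B, 0x0D, 0x01, 0x02, 0x03, 0x04, 0xE8, 0x05, 0x06, 0x07, 0x08, 0x49, 0x89,   /* hit 2 @22 */
    0xC0, 0xC3                                                                              /* filler */
};
/* The signature/mask pair quoted in the issue. */
static const uint8_t kWildPattern[] = "\x48\x8B\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x49\x89";
static const char    kWildMask[]    = "xxx????x????xx";
/* Same bytes as hit 1, with every byte pinned. */
static const uint8_t kExactPattern[] = "\x48\x8B\x0D\x11\x22\x33\x44\xE8\xAA\xBB\xCC\xDD\x49\x89";
static const char    kExactMask[]    = "xxxxxxxxxxxxxx";

size_t demo_wildcard_hits(void)  { size_t f; return scan_pattern(kImage, sizeof kImage, kWildPattern, kWildMask, &f); }
size_t demo_wildcard_first(void) { size_t f; scan_pattern(kImage, sizeof kImage, kWildPattern, kWildMask, &f); return f; }
size_t demo_exact_hits(void)     { size_t f; return scan_pattern(kImage, sizeof kImage, kExactPattern, kExactMask, &f); }

int main(void)
{
    printf("wildcard signature: %zu hit(s), first at offset %zu\n", demo_wildcard_hits(), demo_wildcard_first());
    printf("exact signature:    %zu hit(s)\n", demo_exact_hits());
    return 0;
}
```

A scanner that returns the first hit silently picks one of the two candidates; counting hits and refusing a signature that matches more than once is the cheap check that turns "wrong object" into a detectable failure.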

@oiramario
Author

Disasm cannot find PspCidTable on my Win10 Pro 21H1. Pattern matching is stable enough in ntoskrnl on Win10; okay, I don't care about Win7/8. Even if you don't want that, a switch on the Windows version is another option, like this:
https://github.com/inc-Majdev/Blackbone/blob/master/src/BlackBoneDrv/BlackBoneDrv.c

@JKornev
Owner

JKornev commented Jul 6, 2022

I don't think my approach is bad just because it doesn't work on 21H1; I expect it should be easy to fix. The process hiding feature isn't complete right now and it's possible to have issues on the latest NT versions. I'm planning to complete the feature soon and I'm pretty sure it will work well enough with the CidTable. I really don't care about it, because there are other unsolved challenges, for instance looking for PspActiveProcessLock, which is needed to respect ActiveProcessLink synchronization and avoid list corruption during manipulation of it. Disasm can't find it because such an object is too small and requires tracing too deep (with sub-calls etc.), and I even checked the ability to find it via pattern matching, but as far as I remember the binary pattern wasn't good enough either.

@oiramario
Author

Thanks for your great work again and again.
I added some code to use kdmapper to load hidden. In this process, I saw the things you said. Maintaining the offsets of these addresses for different Windows versions is better, I think. It avoids pattern searching or disasm.

@JKornev
Owner

JKornev commented Jul 18, 2022

@oiramario could you please provide ntoskrnl.exe from the machine where injection doesn't work?

@oiramario
Author

ntoskrnl.zip
as you wish :)

@JKornev
Owner

JKornev commented Jul 19, 2022

@oiramario it seems strange; I verified the kernels you provided and even checked 21H1 on a VM, and the analyzer should find PspCidTable without any issue. Do you have additional components on your system that might install splicing/EAT hooks on the PsLookupProcessByProcessId or PspReferenceCidTableEntry routines?

@oiramario
Author

oiramario commented Jul 19, 2022

log.zip
I compiled the latest hidden from GitHub and installed it on Hyper-V; logs and screenshot attached.

@JKornev
Owner

JKornev commented Jul 19, 2022

@oiramario if you have a debugger attached to the VM, could you please run the following commands:

uf nt!PsLookupProcessByProcessId
uf nt!PspReferenceCidTableEntry

and provide the output here.

Thanks!
