
Thread: MmGetSystemRoutineAddress : forwards on vista

  1. #1

    MmGetSystemRoutineAddress : forwards on vista

    Very frustrating when you figure out that this export can't resolve forwarded APIs. Here is one example from Vista:

    Code:
    .edata:8002F485 ; Exported entry   1. ExAcquireFastMutex
    .edata:8002F485                 public ExAcquireFastMutex
    .edata:8002F485 ExAcquireFastMutex db 'ntoskrnl.ExiAcquireFastMutex',0
    .edata:8002F4A2 aExreleasefastm db 'ExReleaseFastMutex',0
    .edata:8002F4B5 ; Exported entry   2. ExReleaseFastMutex
    .edata:8002F4B5                 public ExReleaseFastMutex
    .edata:8002F4B5 ExReleaseFastMutex db 'ntoskrnl.ExiReleaseFastMutex',0
    .edata:8002F4D2 aExtrytoacquire db 'ExTryToAcquireFastMutex',0
    .edata:8002F4EA ; Exported entry   3. ExTryToAcquireFastMutex
    .edata:8002F4EA                 public ExTryToAcquireFastMutex
    .edata:8002F4EA ExTryToAcquireFastMutex db 'ntoskrnl.ExiTryToAcquireFastMutex',0
    When you use MmGetSystemRoutineAddress it will return to you the address of the string. It won't resolve the forwarded API properly.

    The best way is to use your own MmGetSystemRoutineAddress instead of the one provided by the Windows kernel...

  2. #2
    Super Moderator
    MmGetSystemRoutineAddress is broken in many Windows versions; it can cause BSODs.
    It was said that this bug was fixed in Vista.

    I came to know of this bug while checking out Kayaker's disassembler SysDasm.

    OSROnline recommended using AuxKlibQueryModuleInformation, which is supposed to return the same information:

    "Another possible work-around (and the one we've chosen to use here at OSR) is to write your own version of MmGetSystemRoutineAddress. Believe it or not, you can even do it with documented DDIs... Check out AuxKlibQueryModuleInformation (which is implemented in a static library that's only present in the Vista build environment of the WDK)." The comment in brackets was thrown down by Doron Holan, stating that this DDI is backward compatible up to W2K (it is used a lot in the KMDF framework; search the OSROnline mailing lists).

    http://kernelmustard.com/2007/06/05/a-documented-way-to-get-loaded-modules/

  3. #3
    Yup, while I was trying to resolve this problem a month ago I stumbled across this article: http://www.osronline.com/article.cfm?article=494 , but they only mention that MmGetSystemRoutineAddress won't return NULL on failure. The problem I faced was when I searched for ExAcquireFastMutex on Vista: it returned the entry in hal.dll, but on Vista hal.dll!ExAcquireFastMutex is forwarded to ntoskrnl.exe, and MmGetSystemRoutineAddress couldn't resolve it; instead I received the ntoskrnl.ExiAcquireFastMutex string, which caused a BSOD when trying to call the retrieved pointer.
    Last edited by deroko; December 31st, 2007 at 20:05.
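    The failure described in posts #1 to #3 comes down to one missing check in the export lookup: a forwarded export's RVA does not point at code but at an ASCII "module.symbol" string that lives inside the export directory itself. Below is an added example of the "write your own MmGetSystemRoutineAddress" approach; it is not code from this thread, from OSR or from the Windows kernel. It walks a PE export directory, applies that range check, parses the forwarder string and follows it into the target module. The two images, the HalSampleExport name and every RVA are constructed for the example; in a real driver the module bases would come from AuxKlibQueryModuleInformation and the export directory RVA/size from each module's export data directory.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* IMAGE_EXPORT_DIRECTORY layout (PE/COFF spec), declared locally so this builds without windows.h. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp; uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

/* A loaded module. In a driver `base` would come from AuxKlibQueryModuleInformation and the
 * export RVA/size from that module's export data directory; here RVA == offset into `base`. */
typedef struct { const char *name; const uint8_t *base; uint32_t export_rva, export_size; } image_t;

/* One export of a constructed sample image: forwarded (forward != NULL) or real code. */
typedef struct { const char *name; const char *forward; uint32_t code_rva; } sample_export_t;

/* Case-insensitive basename match that stops at the extension: "ntoskrnl" matches "ntoskrnl.exe". */
static int module_matches(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ea = (*a == '\0' || *a == '.'), eb = (*b == '\0' || *b == '.');
        if (ea || eb) return ea && eb;
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    }
}

/* Resolve `name` in `img`, following forwarders through the loaded `imgs`; returns the code
 * address or NULL. The range test is the check the system routine skipped: an export RVA that
 * lies inside the export directory's own extent is an ASCII "module.symbol" string, not code. */
const uint8_t *resolve_export(const image_t *imgs, int n_imgs, const image_t *img, const char *name, int depth)
{
    const export_dir_t *ed = (const export_dir_t *)(img->base + img->export_rva);
    const uint32_t *funcs = (const uint32_t *)(img->base + ed->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(img->base + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(img->base + ed->AddressOfNameOrdinals);
    if (depth > 8) return NULL;                             /* forwarder cycle guard */
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        if (strcmp((const char *)(img->base + names[i]), name) != 0) continue;
        if (ords[i] >= ed->NumberOfFunctions) return NULL;  /* corrupt table */
        uint32_t rva = funcs[ords[i]];
        if (rva == 0) return NULL;                          /* unused ordinal slot */
        if (rva < img->export_rva || rva >= img->export_rva + img->export_size)
            return img->base + rva;                         /* real code: safe to call */
        const char *fwd = (const char *)(img->base + rva);  /* forwarder: "module.symbol" */
        const char *dot = strchr(fwd, '.');
        if (dot == NULL || dot[1] == '#') return NULL;      /* "module.#ordinal" forwards not handled here */
        for (int k = 0; k < n_imgs; k++)
            if (module_matches(imgs[k].name, fwd))
                return resolve_export(imgs, n_imgs, &imgs[k], dot + 1, depth + 1);
        return NULL;                                        /* target module not loaded */
    }
    return NULL;                                            /* not exported by name */
}

/* Build a constructed image: directory at 0x100, tables after it, and a string pool that lies
 * inside the directory's reported size, which is where the linker places forwarder strings. */
uint32_t build_image(uint8_t *buf, const sample_export_t *ex, int n)
{
    export_dir_t *ed = (export_dir_t *)(buf + 0x100);
    uint32_t *funcs = (uint32_t *)(buf + 0x140), *names = (uint32_t *)(buf + 0x180);
    uint16_t *ords = (uint16_t *)(buf + 0x1C0);
    uint32_t pool = 0x200;
    memset(ed, 0, sizeof *ed);
    ed->Base = 1; ed->NumberOfFunctions = ed->NumberOfNames = (uint32_t)n;
    ed->AddressOfFunctions = 0x140; ed->AddressOfNames = 0x180; ed->AddressOfNameOrdinals = 0x1C0;
    for (int i = 0; i < n; i++) {
        names[i] = pool; strcpy((char *)buf + pool, ex[i].name); pool += (uint32_t)strlen(ex[i].name) + 1;
        ords[i] = (uint16_t)i;
        if (ex[i].forward == NULL) { funcs[i] = ex[i].code_rva; continue; }
        funcs[i] = pool; strcpy((char *)buf + pool, ex[i].forward); pool += (uint32_t)strlen(ex[i].forward) + 1;
    }
    return pool - 0x100;                                    /* export directory size */
}

/* Constructed scenario from the thread: hal.dll forwards ExAcquireFastMutex to ntoskrnl's
 * ExiAcquireFastMutex, which is real code. HalSampleExport and all RVAs are made up. */
static uint32_t hal_w[0x100], nt_w[0x100];                 /* uint32_t backing keeps tables aligned */
static image_t images[2];
const image_t *demo_image(const char *module)
{
    if (images[0].base == NULL) {
        const sample_export_t hal_ex[] = { { "ExAcquireFastMutex", "ntoskrnl.ExiAcquireFastMutex", 0 },
                                           { "HalSampleExport", NULL, 0x380 } };
        const sample_export_t nt_ex[]  = { { "ExiAcquireFastMutex", NULL, 0x300 } };
        images[0] = (image_t){ "hal.dll", (uint8_t *)hal_w, 0x100, build_image((uint8_t *)hal_w, hal_ex, 2) };
        images[1] = (image_t){ "ntoskrnl.exe", (uint8_t *)nt_w, 0x100, build_image((uint8_t *)nt_w, nt_ex, 1) };
    }
    for (int k = 0; k < 2; k++) if (module_matches(images[k].name, module)) return &images[k];
    return NULL;
}

/* Our own MmGetSystemRoutineAddress over the constructed images: start in `module`, follow forwards. */
const uint8_t *demo_resolve(const char *module, const char *name)
{
    const image_t *img = demo_image(module);
    return img ? resolve_export(images, 2, img, name, 0) : NULL;
}
```

    demo_resolve("hal.dll", "ExAcquireFastMutex") lands on the ntoskrnl image at the RVA of ExiAcquireFastMutex, which is exactly what the kernel routine failed to do in the posts above; the same range test can be applied defensively to a pointer the system routine hands back before it is called. Forwards by ordinal ("module.#123") are rejected rather than followed here, and the module list is a two-entry array in place of the AuxKlibQueryModuleInformation output a driver would use.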

  4. #4
    Administrator dELTA
    "Kayakers disassembler sysdasm"?

    Exactly what is that, and why isn't it in the collaborative RCE tool library?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  5. #5
    Super Moderator
    "Kayakers disassembler sysdasm"?

    Exactly what is that,
    So you only preach, don't practise?

    What happened to the favourite search function?

    Showing results 1 to 3 of 3
    Search took 0.06 seconds. Search: Key Word(s): sysdasm
    MmGetSystemRoutineAddress : forwards on vista (started by deroko; last post 01-01-2008 08:50 AM by dELTA; 3 replies, 65 views; Blogs Forum)
    Detouring DriverEntry / Self Debugging (started by naides; last post 12-07-2006 06:34 AM by blabberer; 3 replies, 597 views; Advanced reversing and programming)
    Ring 0 anti-debugger code in Daemon Tools? (1 2 3 4) (started by dELTA; last post 11-20-2006 08:28 AM by autarky; 63 replies, 8,665 views; Advanced reversing and programming)
    http://www.woodmann.com/forum/showpost.php?p=61447&postcount=33

    google

    http://rootkit.com/newsread.php?newsid=208

  6. #6
    Administrator dELTA
    Actually, Google only gave me two results, out of which one was this thread, and the other was something irrelevant. Guess I shouldn't always trust Google over the local search engine then, but I still don't know where you got that rootkit URL from?

  7. #7
    Super Moderator
    google = all search engines

    Try dicy.com or Gigablast.

  8. #8
    Hey, more search engines. Who'd a thunk it.

    Regards,
    JMI

  9. #9
    Kayaker
    dicy.com

    I never thought I'd see my nick next to a fricken flower petal on a search engine. How truly bizarre.

    That's a nice search engine though, definitely bookmark material.

  10. #10
    Naides
    Kayaker: I hope you realize the flower petal deal is not a statement on the quality of your skin, your body odor or your sexual orientation.

  11. #11
    What if he wears a flower in his hair? As in the song from the '60s.

    Regards,
    JMI

  12. #12
    Administrator dELTA
    It's posted on CRCETL now, and updates should be possible to follow from there:

    http://www.woodmann.com/collaborative/tools/index.php/SysDasm

    Btw Kayaker, in the rootkit.com article you mention a similar user mode library of yours, also based on NDISASM, would you mind adding this to CRCETL too?