
Thread: CSP patching problem

  1. #1

    CSP patching problem

    Hi all, I'm back again with some questions...
    Perhaps everybody knows what a CSP is and how we need to get it signed by Micro$oft.
    For testing purposes we can patch CryptAcquireContext in advapi32.dll in order to disable the signature check, so every CSP will be assumed to be a valid one.
    After I saw this patch, I decided to patch it in another way: I decided to check the CSP DLL name too, and only bypass the CSP check if the names are identical.
    I added my code to advapi32.dll (expanded the Virtual Size of the .text section and used the unused space there) and everything is still OK, but it still needs a JMP instruction to jump into my code from the main code of advapi32.dll. OK, at first I tried this JMP patch in memory. I booted the computer, ran my little test program in Olly and patched the code in advapi32.dll to jump into my code.
    Hurray!!! Everything is OK!!! OK, now it's time to do the SAME patch statically in advapi32.dll in order to use it... OK, I patched it and rebooted the computer.....
    What happened? The computer does not boot up!!!!
    It seems half of the drivers and services start, but the computer stops booting (almost at the time you would expect to see the logon window).
    OK, now what do we have?
    1- Adding some code at the end of the .text section of advapi32.dll causes no problem and the computer boots up.
    2- Patching the needed JMP to our added code in memory causes no problem and everything runs normally.
    3- Patching the needed JMP to our added code statically prevents the computer from booting up.
    4- In the simple tutorial I saw that bypasses every CSP validation (it is attached), the patch is done statically too, but the computer boots up with no problem with that patch...
    OK, now what do you think about this problem? Why does the computer not boot up after my patch?

    Note:My OS is Windows XP SP2

    Regards
    Attached Images
    I should look out my posts,Or JMI will get mad at me! ;)

  2. #2
    Naides is Nobody
    Hero:
    A few suggestions:
    Try making some inconsequential changes in the advapi32.dll header and in the code segment (change a single letter in the string "This program cannot be run in DOS mode" or an alignment byte between functions) and see if Windows boots. You will figure out whether the problem is an integrity check for advapi32 code or a specific side effect of your patch/injected code that only happens at boot time.

    Check if the boot failure produces a crash dump. If so, analyze it with WinDbg. It may point out the module and the instruction that crashed your little injected code.
    See if your system with the modified advapi32 boots in safe mode or in boot log mode. At least you will see the last driver(s)/modules that load before the boot-up freeze, which are likely to be the ones not liking your improved advapi32.

    Finally, a lateral-thinking solution: leave the original advapi32.dll alone at boot time, then code a little program that renames it to "advapi32.dll.spare", replaces it with your modified advapi32.dll, and runs automatically at the end of the boot sequence. But someone else has to restore advapi32 to its original self at powerdown or after a crash.

  3. #3
    Quote Originally Posted by naides View Post
    Hero:
    A few suggestions:
    Try making some inconsequential changes in the advapi32.dll header and in the code segment (change a single letter in the string "This program cannot be run in DOS mode" or an alignment byte between functions) and see if Windows boots. You will figure out whether the problem is an integrity check for advapi32 code or a specific side effect of your patch/injected code that only happens at boot time.
    I think if it were an integrity check, then the patch taught in the tutorial should not boot the PC either, should it? In addition, I tried to place my patch really near the patch in the tutorial (the position only differs by 1 ASM instruction).
    Quote Originally Posted by naides View Post
    Check if the boot failure produces a crash dump. If so, analyze it with WinDbg. It may point out the module and the instruction that crashed your little injected code.
    If by crash you mean getting a BSOD, I don't get one, and the OS ALMOST boots up.
    For example the mouse driver comes up and the mouse works well; it seems the system stops working right before reaching the login window (no crash, only stopping completely... :P)
    Quote Originally Posted by naides View Post
    See if your system with the modified advapi32 boots in safe mode or in boot log mode. At least you will see the last driver(s)/modules that load before the boot-up freeze, which are likely to be the ones not liking your improved advapi32.
    I have checked the boot logs, but I couldn't find anything useful in them.
    Quote Originally Posted by naides View Post
    Finally, a lateral-thinking solution: leave the original advapi32.dll alone at boot time, then code a little program that renames it to "advapi32.dll.spare", replaces it with your modified advapi32.dll, and runs automatically at the end of the boot sequence. But someone else has to restore advapi32 to its original self at powerdown or after a crash.
    You cannot do this. You can replace advapi32.dll (and cancel SFC too in order to keep the files), but this change only affects the system after the computer reboots.

    I can provide you with my tampered advapi32.dll if you like. You can check whether you find something special in it...

    Regards

  4. #4
    Naides is Nobody
    Quote Originally Posted by Hero View Post
    I can provide you with my tampered advapi32.dll if you like.
    Please do. It should be small enough to fit in an add-on zip file to a post or a PM.

  5. #5
    Registered User
    Relocations maybe?
    A picture worth 1K words (or .5K DWORDS).

  6. #6
    Quote Originally Posted by naides View Post
    Please do. It should be small enough to fit on a add-on zip file to a post or a PM
    OK, I attach the 2 modified advapi32s.
    The test OS is Windows XP SP2; please use a virtual machine for testing this and be sure to make a backup before testing.
    'advapi32-1st patch.dll' is the one where I have only added the needed code. If you replace the Windows advapi32.dll with this one, your computer boots up.
    'advapi32-2nd patch.dll' is the one that has the cross jump from the main advapi32.dll code to my added code. If you replace the Windows advapi32.dll with this one, your computer doesn't boot up.
    The only difference between these 2 DLLs is at address 77DE8812 (offset 17C12):
    Code:
    Comparing files advapi32-1st patch.dll and ADVAPI32-2ND PATCH.DLL
    00017C12: E9 80
    00017C13: E9 BD
    00017C14: CA E0
    00017C15: 05 FD
    00017C16: 00 FF
    00017C17: 90 FF
    00017C18: 90 01
    And one last thing, if a noob wants to replace advapi32.dll:
    1- Copy and replace advapi32.dll in windows/system32/dllcache with the patched one.
    2- Rename advapi32.dll in windows/system32 (for example to advapi32.bak), then copy the patched DLL there.
    3- You will get a warning from SFC; just close it and press 'Yes' when it asks whether you want to keep the file or not.
    4- Reboot the computer.

    Quote Originally Posted by blurcode
    Relocations maybe?
    Perhaps, not sure about it, but it seems that the DLL loads at the same address space each time...
    And another thing: relocations are important when you have cross-section immediate addressing, aren't they? In this DLL, all important sections (like .text, import table) are merged.

    Regards
    Attached Files

  7. #7
    Registered User
    Is your added code the compare with "Test_CSP.dll" using ntdll._strnicmp, because that is in the 1st DLL?

  8. #8
    Administrator dELTA
    Quote Originally Posted by Hero View Post
    Perhaps, not sure about it, but it seems that the DLL loads at the same address space each time...
    And another thing: relocations are important when you have cross-section immediate addressing, aren't they? In this DLL, all important sections (like .text, import table) are merged.
    No, relocations affect all opcodes that deal with full (32-bit) addresses (regardless of sections) and (at least cross-section) offsets.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  9. #9
    Tried updating/fixing the checksum in the PE header for advapi32.dll (checked on my x64 Win XP SP1 machine; the DLL has a checksum...)?

  10. #10
    Quote Originally Posted by blurcode View Post
    Is your added code the compare with "Test_CSP.dll" using ntdll._strnicmp, because that is in the 1st DLL?
    Yeah, but you see that code in both DLLs, and it is the one that makes no problem.

  11. #11
    'System' DLLs always load at the same address in Windows (with no ASLR), because they are chain-referenced, so usually they can all load at their preferred address. This is especially true for ntdll, which is mapped before anything by the OS.
    That's why the common trick of injecting a DLL by reading your kernel32 address of LoadLibrary and invoking CreateRemoteThread on the target address works.

    Relocs are important because it can happen that your module uses direct address offsets. Think, for example, of a push [funccallbackaddress]. If you don't reloc it, you crash if the loaded address != preferred image base.

    Try to make a 'NOP string' of code, to see whether you made some error in the rewritten code or whether it's your jump that causes the problem. If it is your code, you either used a non-relative address somewhere, or believed a system function was loaded where it is not. You should not rely on any other DLL function being loaded, because the load sequence of DLLs in Windows is... evil, at last.

    If you check some advapi functions, you will discover that there are some functions that check, for EVERY single API they use, whether the relevant system DLL is already loaded as it should be or not, and in that case they load it. This probably means M$ got your same problem some day.

    ...it is called DLL madness or such, I don't remember. However, I too got stuck by it once, and it is not nice learning that in your skin.
    Last edited by Maximus; April 18th, 2008 at 08:09.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  12. #12
    Quote Originally Posted by Maximus View Post
    You should not rely on any other DLL function being loaded, because the load sequence of DLLs in Windows is... evil, at last.

    But, for example, I can be sure that ntdll.dll has been loaded before advapi32.dll (or will be loaded by it), because advapi32.dll imports ntdll.dll APIs, can't I?

    Regards

  13. #13
    Sure. But if he uses any other DLL, or a non-relative ref, it could be the problem, since relocations are quite important in a DLL.
    This is, for example:
    http://blogs.msdn.com/mgrier/archive/2005/06/18/430409.aspx
    But I can't find the ref to the original, old article about it, mah.... I'm getting old :P
    Last edited by Maximus; April 20th, 2008 at 07:03.

  14. #14
    OK, new change....
    I removed the call to ntdll._strnicmp and implemented it in assembly, so there is no call to any API in my added code.
    But the problem still persists, and the computer does not boot up after the patch that jumps to my added code, thus the problem is not because of that API call.
    In addition, all my JMPs are relative, so it doesn't seem that relocations have any relation to them.

    Regards

  15. #15
    Administrator dELTA
    Hero, if there was originally a relocated address at the position where you have written your patch, your patched-in code will be messed up at runtime, since it is referenced from the relocation table. That is the most common problem with relocations, rather than your own instructions needing relocation to work.

    And did you try a full NOP of your patch yet, and all the other suggestions above?
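The three checks this thread keeps coming back to, as an added example that is not code from any of the posters: encoding the rel32 of a static JMP from the hook site to the code cave (the E9 E9 CA 05 00 that fc printed at offset 17C12 in post #6 decodes, reading 77DE8812 as RVA 18812, to a jump to RVA 75300), refusing to overwrite bytes that a .reloc HIGHLOW fixup would rewrite when the DLL is rebased (dELTA's point in post #15), and recomputing the optional-header CheckSum (post #9). The script parses only what it needs from a PE32 image and runs against a toy DLL it builds itself; that image, its section layout, the relocated `mov eax,[abs]` hook site and the RVA 1100 cave are assumptions constructed for the demo, not advapi32. The seven bytes at the second hook site are the ones fc listed on this page.

```python
"""Static PE patch checks: rel32 jmp encoding, .reloc overlap, PE checksum (added example, toy DLL)."""
import struct

IMAGE_REL_BASED_HIGHLOW = 3  # 4-byte absolute fixup in a PE32 .reloc block

def rel32_jmp(src_rva, dst_rva):
    """Encode 'E9 rel32'; the displacement is relative to the END of the 5-byte jmp."""
    return b"\xE9" + struct.pack("<i", dst_rva - (src_rva + 5))

def _nt_hdr(data):
    nt = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    assert data[nt:nt + 4] == b"PE\0\0", "not a PE image"
    return nt

def checksum_offset(data):
    return _nt_hdr(data) + 24 + 64  # 4-byte signature + 20-byte COFF header, then CheckSum at +64

def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def sections(data):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header."""
    nt = _nt_hdr(data)
    nsec, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    return [struct.unpack_from("<8sIIII", data, nt + 24 + opt_size + 40 * i) for i in range(nsec)]

def rva_to_offset(data, rva):
    for _name, vsize, va, rawsize, rawptr in sections(data):
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA %#x is outside every section" % rva)

def reloc_fixups(data):
    opt = _nt_hdr(data) + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    dir_rva, dir_size = struct.unpack_from("<II", data, opt + 96 + 5 * 8)  # DataDirectory[BASERELOC]
    if not dir_size:
        return []
    out, off = [], rva_to_offset(data, dir_rva)
    end = off + dir_size
    while off + 8 <= end:
        page, size = struct.unpack_from("<II", data, off)
        if size < 8:  # zero-sized block: padding at the end of the table
            break
        for e in range(off + 8, off + size, 2):
            entry = struct.unpack_from("<H", data, e)[0]
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                out.append(page + (entry & 0xFFF))
        off += size
    return out

def relocs_in_range(data, rva, length):
    """Fixups whose 4 bytes overlap [rva, rva+length): the loader rewrites those bytes on rebase."""
    return [r for r in reloc_fixups(data) if r < rva + length and r + 4 > rva]

def pe_checksum(data):
    """imagehlp-style checksum: one's-complement sum of the file (CheckSum field as 0) + length."""
    cs = checksum_offset(data)
    buf = bytearray(data) + b"\0" * (-len(data) % 4)
    buf[cs:cs + 4] = b"\0" * 4
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def apply_jmp_patch(data, src_rva, dst_rva, orig_len):
    """Replace orig_len bytes at src_rva with 'jmp dst_rva' + NOPs, refusing relocated bytes; fix CheckSum."""
    hits = relocs_in_range(data, src_rva, orig_len)
    if orig_len < 5 or hits:
        raise ValueError("cannot hook %#x: %d bytes, relocated at %s" % (src_rva, orig_len, [hex(h) for h in hits]))
    buf = bytearray(data)
    off = rva_to_offset(data, src_rva)
    buf[off:off + orig_len] = rel32_jmp(src_rva, dst_rva) + b"\x90" * (orig_len - 5)
    struct.pack_into("<I", buf, checksum_offset(data), pe_checksum(bytes(buf)))
    return bytes(buf)

def build_sample_dll():
    """Constructed toy PE32 DLL: .text with two hook sites and a cave, .reloc with one HIGHLOW fixup."""
    text = bytearray(0x200)
    text[0x10:0x15] = b"\xA1" + struct.pack("<I", 0x10001100)  # RVA 1010: mov eax,[10001100h] (relocated)
    text[0x20:0x27] = bytes.fromhex("80BDE0FDFFFF01")           # RVA 1020: cmp byte ptr [ebp-220h],1
    text[0x100] = 0xC3                                          # RVA 1100: code cave (just 'ret' here)
    reloc = bytearray(0x200)
    reloc[0:12] = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x11, 0)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40   # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 1, 0, 0x200, 0x200, 0,
                      0x1100, 0x1000, 0x2000, 0x10000000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1,
                      0, 0x3000, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 5 + [(0x2000, 12)] + [(0, 0)] * 10             # entry 5 = BASERELOC
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".reloc", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0x42000040)
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (0x400 - len(hdr)) + bytes(text) + bytes(reloc)
```

On the toy image, `relocs_in_range(img, 0x1010, 5)` returns `[0x1011]` and `apply_jmp_patch` refuses that site, while `apply_jmp_patch(img, 0x1020, 0x1100, 7)` writes `E9 DB 00 00 00 90 90` at file offset 0x420 and stores a CheckSum that `pe_checksum` reproduces. Against a real file, run `relocs_in_range` over exactly the bytes you overwrote: an in-memory patch applied in Olly lands after the loader has already processed .reloc, so a fixup inside the JMP only shows up on a static patch, and only when the DLL is rebased. The checksum fix costs nothing to apply; whether a stale CheckSum is what stops the boot here is not something the thread establishes.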
