Results 1 to 8 of 8

Thread: how to Continue the execution of the win32 subsytem..

  1. #1
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    Continue Execution: Native Mode to win32

    the Aim of this small experiment was to see if I could act similarly to csrss, in which it loads under HKLM->SYSTEM->CurrentControlSet->Control->Session Manager->Subsystems placing the full path to the exe ie(%SystemRoot%\System32\Csrarss.exe)..then by placing that keyname in the Required keys list under windows..hmm im wondering if i load before "Windows" will csrss know im there?..(didnt test that yet..)..but anyways Its working now :)

    * This Information came from Elicz posting on www.OpenRCE.com from his Thread on W32ASAP (Win32 As Soon As Possible).. *
    Last edited by BanMe; June 6th, 2009 at 13:52.

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,113
    Blog Entries
    5
    I've never built a native application, but in browsing around it looks like a fun thing to do. So are you saying that if you don't NtTerminateProcess your native app, the system essentially hangs, waiting for it to finish?

    You may have seen this already

    http://www.codeproject.com/KB/winsdk/3Steps.aspx

    but he seems to use a native app to inject a thread into svchost, as well as load a driver. Could you do something similar to "continue" your desired code execution elsewhere, and/or start up a separate gui application?

    On a related note, nrun.c seems to use a different strategy to execute NT native applications

    http://ashedel.chat.ru/source/

    Cheers,
    Kayaker

  3. #3
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    Code:
    #include "ProcessProfiler.h"
    
    NTSTATUS Native_Server(void);
    NTSTATUS Native_Accept(PACCEPT_PARAMS);
    
    NTSTATUS Native_Server(void)
    {
    	OBJECT_ATTRIBUTES ObjAttr = {0};
    	UNICODE_STRING PortName = {0};
        LARGE_INTEGER SectionSize = {LARGE_MESSAGE_SIZE};
    	PORT_MESSAGE MessageHeader = {0};  
        NTSTATUS Status = 0;
        HANDLE LpcPortHandle = INVALID_HANDLE_VALUE;
        HANDLE SectionHandle = INVALID_HANDLE_VALUE;
    	ACCEPT_PARAMS Params = {0};
    	HANDLE hThread = INVALID_HANDLE_VALUE;
    	CLIENT_ID ClientId = {0}; 
        __try
    	{
    		Status = NtCreateSection(&SectionHandle,SECTION_MAP_READ | SECTION_MAP_WRITE,NULL,&SectionSize,PAGE_EXECUTE_READWRITE,SEC_COMMIT,NULL);
            if(!NT_SUCCESS(Status))
                __leave;
    		RtlInitUnicodeString(&PortName, LpcPortName);
            InitializeObjectAttributes(&ObjAttr, &PortName, 0, NULL, NULL);
            Status = NtCreatePort(&LpcPortHandle,&ObjAttr,NULL,sizeof(PORT_MESSAGE),0);
            if(!NT_SUCCESS(Status))
                __leave;
    ContinueListening:
    		 Status = NtListenPort(LpcPortHandle, &MessageHeader);
            if(!NT_SUCCESS(Status))
                __leave;
    		else
    		{
    			Params.LpcPortHandle = LpcPortHandle;
    			Params.SectionHandle = SectionHandle;
    			Params.MessageHeader = MessageHeader;
    			Status = RtlCreateUserThread(NtCurrentProcess(),0,0,0,0,0,(PUSER_THREAD_START_ROUTINE)Native_Accept,&Params,&hThread,&ClientId);
    			if(!NT_SUCCESS(Status))
    				__leave;
    			__asm jmp ContinueListening;
    		}
    	}
        __finally
        {
            if(LpcPortHandle != NULL)
                NtClose(LpcPortHandle);
            if(SectionHandle != NULL)
                NtClose(SectionHandle);
    		_ultow(Status,PortName.Buffer,10);
    		NtDisplayString(&PortName);
        }
        return Status;
    }
    NTSTATUS Native_Accept(PACCEPT_PARAMS Accept)
    {
    	UNICODE_STRING Err = {0};
    	HANDLE ServerHandle = NULL;
    	PORT_VIEW ServerView = {0};
    	REMOTE_PORT_VIEW ClientView;
        NTSTATUS Status = 0;	
    	ServerView.Length        = sizeof(PORT_VIEW);
        ServerView.SectionHandle = Accept->SectionHandle;
        ServerView.SectionOffset = 0;
        ServerView.ViewSize      = LARGE_MESSAGE_SIZE;
        ClientView.Length        = sizeof(REMOTE_PORT_VIEW);
    	Status = NtAcceptConnectPort(&ServerHandle,NULL,&Accept->MessageHeader,TRUE,&ServerView,&ClientView);
    	if(!NT_SUCCESS(Status))
    	{
    		_ultow(Status,Err.Buffer,10);
    		//RtlAppendUnicodeToString(&Err,L"\nIn NtAcceptPort");
    		NtDisplayString(&Err);
    		return Status;
    	}
    	Status = NtCompleteConnectPort(ServerHandle);
    	if(!NT_SUCCESS(Status))
    	{
    		_ultow(Status,Err.Buffer,10);
    		//RtlAppendUnicodeToString(&Err,L"\nIn NtCompleteConnect");
    		NtDisplayString(&Err);
    		return Status;
    	}
    	Status = NtReplyWaitReceivePort(ServerHandle,NULL,NULL,&Accept->MessageHeader);
    	if(!NT_SUCCESS(Status))
    	{
    		_ultow(Status,Err.Buffer,10);
    		//RtlAppendUnicodeToString(&Err,L"\nIn NtReplyWaitRecievePort");
    		NtDisplayString(&Err);
    		return Status;
    	}
        //write to ClientView.ViewBase;
    	Status = NtReplyPort(Accept->LpcPortHandle, &Accept->MessageHeader);
    	{
    		_ultow(Status,Err.Buffer,10);
    		NtDisplayString(&Err);
    		return Status;
    	}
    	if(ServerHandle != 0)
    		NtClose(ServerHandle);
    	if(Accept->LpcPortHandle != 0)
    		NtClose(Accept->LpcPortHandle);
    	if(Accept->SectionHandle != 0)
    		NtClose(Accept->SectionHandle);
    	return Status;
    }
    DWORD GetUid(VOID) {
      for(;;) {
        LUID Luid;
        DWORD Uid;
        NtAllocateLocallyUniqueId(&Luid);
        Uid = Luid.LowPart + Luid.HighPart;
        if((Uid > 0x10) && (Uid != 0xFFFFFFFF)) {
          return(Uid);
        }
      } 
    }
    
    NTSTATUS WINAPI SmSsContinue(VOID)
    {
    
    	DWORD Uid;
    	HANDLE SmApiPort;
    	NTSTATUS Status;
    	Uid = GetUid();
    	SECURITY_QUALITY_OF_SERVICE QoS = {sizeof(QoS), DEFAULT_IMPERSONATION_LEVEL, SECURITY_DYNAMIC_TRACKING, TRUE};
    	UNICODE_STRING ApiPortName;
    	SB_CONNECTION_REQUEST SbConnectionRequest;
    	ULONG SbConnectionRequestSize;
    	SbConnectionRequest.SbImageType = Uid;
    	ApiPortName.MaximumLength = sizeof(L"\\SmApiPort");
    	ApiPortName.Length =  ApiPortName.MaximumLength - 2;
    	ApiPortName.Buffer =  L"\\SmApiPort";
    	memcpy(SbConnectionRequest.SbApiPortName,ApiPortName.Buffer,ApiPortName.MaximumLength);
    	SbConnectionRequestSize = sizeof(SbConnectionRequest);
    	__try
    	{
    		Status = ZwConnectPort(&SmApiPort, &ApiPortName, &QoS, NULL, NULL, NULL, &SbConnectionRequest, &SbConnectionRequestSize);
    		if(!NT_SUCCESS(Status))
    		{	
    			__leave;
    		}
    	}
    	__except(1)
    	{
    		_ultow(Status,ApiPortName.Buffer,10);
    		NtDisplayString(&ApiPortName);
    	}
    	return Status;
    }
    
    
    void NtProcessStartup( PSTARTUP_ARGUMENT Argument )
    {
    	SmSsContinue();
    	Native_Server();
    	NtTerminateProcess( NtCurrentProcess(), 0 );
    }
    ProcessProfiler.h
    Code:
    #define _X86_
    #include <windows.h>
    #include "ntdll.h"
    
    #define LARGE_MESSAGE_SIZE 0x5000
    #define LpcPortName L"\\LpcInterceptPort"
    #define DelayExecution "NtDelayExecution"
    
    BOOL NtDelayExecutionEx(DWORD dwSeconds);
    
    typedef struct {
           ULONG            Unknown[21];
           UNICODE_STRING   CommandLine;
           UNICODE_STRING   ImageFile;
    } ENVIRONMENT_INFORMATION, *PENVIRONMENT_INFORMATION;
    
    typedef struct {
           ULONG                     Unknown[3];
           PENVIRONMENT_INFORMATION  Environment;
    } STARTUP_ARGUMENT, *PSTARTUP_ARGUMENT;
    
    typedef struct {
    	HANDLE LpcPortHandle;
    	HANDLE SectionHandle;
    	PORT_MESSAGE MessageHeader;
    }ACCEPT_PARAMS,*PACCEPT_PARAMS;
    
    typedef struct _SB_CONNECTION_REQUEST {
      ULONG SbImageType; /* Windows - 2, OS/2 - 5, POSIX - 7 */
      WCHAR SbApiPortName[120];
    } SB_CONNECTION_REQUEST, *PSB_CONNECTION_REQUEST;
    
    
    
    typedef NTSTATUS (NTAPI*NTDELAYEXECUTION)(BOOL,PLARGE_INTEGER);
    BOOL NtDelayExecutionEx(DWORD dwSeconds)
    {
    	ANSI_STRING FnName = {0};
    	PVOID DllHandle = 0;
    	NTDELAYEXECUTION Delay;
    	LARGE_INTEGER Interval = {0};
        Interval.QuadPart = -(__int64)dwSeconds * 10000 * 1000;
    	if(!NT_SUCCESS(LdrLoadDll(0,0,(PUNICODE_STRING)L"ntdll.dll",&DllHandle)))
    	{
    		return FALSE;
    	}
    	RtlInitAnsiString(&FnName,DelayExecution);
    	if(!NT_SUCCESS(LdrGetProcedureAddress(DllHandle,&FnName,0,(PVOID*)&Delay)))
    	{
    		return FALSE;
    	}
    	if(NT_SUCCESS(Delay(FALSE, &Interval)))
    	{
    		return TRUE;
    	}
    	else
    	{
    		return FALSE;
    	}
    }
    1 word of warning to everyone that connects to smss.. use GetUid dont use some made up number..
    i tried 2 and it crashs winlogon o_0..i can differentiate my crashs where it says "Subsystem Process" on crash and "Winlogon"..so yea, dont do that.. xD
    Last edited by BanMe; June 5th, 2009 at 22:19. Reason: It Makes it to user mode...now ;)

  4. #4
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    included in the post above is a Native Code Application that loads directly after csrss.. also included in this post is entire source (for Visual Studio 2k5 ) it can be compiled and run with either with Subsystem:Windows or Subsytem:Native (windows has more benefits,But Native is funner)

    1 small step in the right direction xD
    this is the Server that will Intercept Csrss's LPC Communications and forward them or w/e ..
    this Server will also be responsible for handling Code chunks sent by my BaseProcessStartThunk and BaseThreadStartThunk for analysis to the server..this is where I think im gonna need to compile it as a Subsystem:Windows in order to do symbol analysis.. or do it in the hooks and then communicate the code..

    this is the beggining of Csrarss
    Csr active reversing subsystem..though much is still needed..deciding on a disasmbler is not to fun.. Olly's older one doesnt recognize data(though i suppose i could) and syser requires a driver..but adds the benefit of being able to disasmble drivers to the subsystem..Much more to Come..

    to install and test it use the method provided in w32asap

    Mad Props To:
    Elicz for providing the Framework for my SmSsContinue ..
    Kayaker for Teaching,Not Flaming
    and many others..

    Regards BanMe.
    Last edited by BanMe; June 11th, 2009 at 18:06.

  5. #5
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,113
    Blog Entries
    5
    This is going to take a bit of study to get a handle on, but it's nice to see something wicked new and innovative. I'm going to try to compile it and see wtf this is and what it can do. Props and thanks for the source and info.

  6. #6
    son of Bungo & Belladonna bilbo's Avatar
    Join Date
    Mar 2004
    Location
    Rivendell
    Posts
    310
    Well, tried it (after converting to plain C and compiling from commandline, sorry) on XP both SP2 and SP3, and here are my impressions:

    (1) the debugging is painful: NtDisplayString does not work, and DbgPrint neither (using Sysinternal DebugView with the option "log boot"); the only way is to log to a file, as Elicz does

    (2) the LPC with SMSS does not work: in my tries the program hungs inside NtListenPort(), waiting from messages from SM; this is also the case of Elicz SlowTasks()

    (3) why are you using "__asm jmp label"? "goto" is supported - fortunately - in C,C++ and C#

    (4) I do not yet understand the use of LPC-ing with SM (alias creating a subsystem): the subject is not documented at all...

    I hope to find the time to make more experiments
    Best regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]

  7. #7
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    excellent observations,

    I will try to help, and give a little more info from gathered sources..(i.e. I will try and remember where they came from..)

    there are several ways to properly execute a native application.
    SessionManager BootExecute Key..or the SessionManager->Subsystem Container(as explained above)
    there are several improper ways to load..nrun.c is one(though these methods should/will be utilized to create Helper process's in the context of the current Session..
    #Mark Russonivich's blog...www.sysinternals.com
    #Elicz Postings..OpenRce and others..


    #debugging Natives..
    Try NtDelayExecution to delay it before the main thread hits NtTerminateProcess to allow for string output to screen.
    Alternatives include Native Thread Injection (article at codeproject:Native Thread Injection, injects smss to display strings)
    im sure there are other ways, not found yet..

    SmSsContinue works.. without it win32 mode will not load.. (because of the Servers Main Thread waiting for a connection request, similar to csrss..Except im listening on L"\\LpcInterceptPort"

    If you look carefully at Elicz code on w32asap,he is not waiting on messages from smss..im pretty sure hes waiting on messages to his termination port for his subsystem...

    I like asm.. and I think goto is ugly in C.. :[

    yes subsystem development is very sparse on the internet but there are a few examples out there. Cygwin is one and im sure there are others out there, though how "documented" it is , let alone find, is what I plan on working on..

    [sidenote:]I would love to help with those experiments
    Kind Regards BanMe
    Last edited by BanMe; June 9th, 2009 at 12:44.

  8. #8
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    Goals for Project
    goal 1 remedy the current error with Native_MapFile Statusone
    goal 2 add more recoverable error handling Status:Todo List
    goal 3 figure out how to redirect CsrApiPort with or without hooks I also need to integrate a secondary server to manage the
    CsrApiMessages(just log and forward) Status: I Have theoretical solution...in short a csrss loader.

    subgoals for Csrss Loader
    become the man in the middle of csrss's ports.patch all references to the port, load csrsrv,patch the check for
    serverprocess in self to also act as a server..

    goal 4 implement user process code chunk communication,implement a __stdcall function call functaion in every new loaded image by extending the last section a tiny bit.

    goal 5 implement manualmapping with the use of the peb, i.e. MapModuleQueryAlignment + Ldr Peb routines .


    many more features to add and test all on the long todo list..

    CallGate's(test calling a DriverEntry,test Managing Debug Register..more)
    Hardware\Software Breakpoint Manager
    RtlRemoteCall manager..a idea off of alex ionescue's posting..(btw if you read this alex, ive been waiting for that for a long time..get on it ..)

    alot more to do on the profiling side to.. though Piotr's recent release should help me alot in that area (thank you piotr for the wonderful paper!)

    updated source..
    Please see my blog..for Downloads

    regards BanMe
    Last edited by BanMe; June 22nd, 2009 at 16:52.

Similar Threads

  1. Logging the execution of a program
    By golden in forum OllyScript Plugin
    Replies: 2
    Last Post: June 5th, 2009, 00:29
  2. execution path
    By ike in forum Tools of Our Trade (TOT) Messageboard
    Replies: 10
    Last Post: September 11th, 2005, 09:13
  3. Breaking on execution with installshield
    By kittmaster in forum OllyDbg Support Forums
    Replies: 10
    Last Post: March 3rd, 2005, 22:56
  4. Encrypted execution engine
    By tom324 in forum Off Topic
    Replies: 2
    Last Post: August 27th, 2004, 11:58
  5. Getting SI to start upon prog execution
    By Joe Doe in forum Tools of Our Trade (TOT) Messageboard
    Replies: 4
    Last Post: July 8th, 2001, 06:22

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •