  1. #1
    blueelvis's Avatar
    Join Date
    Apr 2014
    Location
    India
    Posts
    969
    • specs System Specs
      • Manufacturer:
        Toshiba
      • CPU:
        Intel Core i5 @ 2.4 GHz 2nd Generation
      • Memory:
        8 GB @ 1600MHz Dual Channel B)
      • Graphics:
        Intel HD 3000 B)
      • Hard Drives:
        Hitachi 1TB 7200 RPM & WD 500 GB
      • Cooling:
        There is some fan inside but it keeps whirring <_<
      • Display:
        1366x768
      • Operating System:
        Windows 8.1 Embedded Industry Pro

    Full List Of Functions Protected By Patchguard

    While browsing around, I came across a Text Dump which claims to be the list of full documented/undocumented functions which are protected by PatchGuard -

    Snip2Code - Full list of functions protected by Patchguard

    I don't know if it is accurate or not but I hope it helps :)


    -Pranav
    Ever wanted to learn to debug BSODs? PM me now!

    Feel free to PM me in case I haven't replied within 48 Hours ^_^. Anything else? Still feel free to PM me :thumbsup2:



  2. #2

    Re: Full List Of Functions Protected By Patchguard

    Interesting to see a list. One of the system check/DPC routines that PG actually uses is in that list - ExpTimeRefreshDpcRoutine. There are probably more.

    Edit - Yes, they're actually all there.

    Nowadays rootkits can bypass KPP by hooking the bug check function so when the kernel is modified in any way (IDT, GDT, etc), it interrupts handling of the 0x109 bug check that would be thrown normally.

  3. #3
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by Patrick View Post
    Nowadays rootkits can bypass KPP by hooking the bug check function so when the kernel is modified in any way (IDT, GDT, etc), it interrupts handling of the 0x109 bug check that would be thrown normally.
    I raised a similar kind of doubt in my C++ class when I was being taught exception handling, and I got the same reply. It is really fascinating to see the creativity behind rootkits and malware.

  4. #4
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,847

    Re: Full List Of Functions Protected By Patchguard

    You should also have a look at SEH (Structured Exception Handling) - Structured Exception Handling (Windows)
    Machines Can Think

    We don't make mistakes; we just have happy accidents.

  5. #5
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    For the functions like nt! ?? ::FNODOBFM::`string'+0x1d1f0, there is a method which will enable you to find the actual function name.

  6. #6
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by x BlueRobot View Post
    You should also have a look at SEH (Structured Exception Handling) - Structured Exception Handling (Windows)
    Thanks for that. I will take a look at it now.

    Quote Originally Posted by x BlueRobot View Post
    For the functions like nt! ?? ::FNODOBFM::`string'+0x1d1f0, there is a method which will enable you to find the actual function name.
    Really?
    If you could tell me the method, it would be really helpful since many times it is like that and it is tough to determine what exactly it is if there aren't any functions in the stack above and below such functions.

  7. #7

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by x BlueRobot View Post
    For the functions like nt! ?? ::FNODOBFM::`string'+0x1d1f0, there is a method which will enable you to find the actual function name.
    Is there? When this happens, to my knowledge, FunctionName+Offset no longer equals FunctionAddress+Offset, therefore the output of information in the debugger isn't correct. In these specific cases, the code is moved to a location (which is random, to my knowledge) and the closest symbolic name is a string in the image. When this happens, the debugger (WinDbg) uses the string as a best guess for the return address on the stack.

  8. #8
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Last edited by x BlueRobot; 12-17-2014 at 08:32 AM.

  9. #9

    Re: Full List Of Functions Protected By Patchguard

    MSFT might have implemented different code optimization than BBT. Good link, by the way.

  10. #10
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Is it possible that this same thing occurs when the MS Employees use the private symbol servers as well?

    @Patrick - Ew, who is that lady and which anime? Seems like she is drunk with blood mixed with vodka

  11. #11

    Re: Full List Of Functions Protected By Patchguard

    Is it possible that this same thing occurs when the MS Employees use the private symbol servers as well?
    I don't think any of us have ever seen a stack containing private MSFT symbols, so ; )

    To answer your question though, as far as I know, it only affects public symbols.

    @Patrick - Ew, who is that lady and which anime?
    Mistress 9 from Sailor Moon, my favorite anime when I was younger. I've started getting back into anime earlier this year after not watching it for a long time.

  12. #12
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by Patrick View Post
    I don't think any of us have ever seen a stack containing private MSFT symbols, so ; )

    To answer your question though, as far as I know, it only affects public symbols.

    @Patrick - Ew, who is that lady and which anime?
    Mistress 9 from Sailor Moon, my favorite anime when I was younger. I've started getting back into anime earlier this year after not watching it for a long time.
    I am stuck with Naruto and Detective Conan. If you haven't watched Death Note, then make sure you watch it ^_^

    So, now using the above method, I analysed a dump file for which the stack is given below -
    Code:
    1: kd> k
    Child-SP          RetAddr           Call Site
    ffffd000`239d8a08 fffff800`5940cbd2 nt!KeBugCheckEx
    ffffd000`239d8a10 fffff800`592e62b9 nt! ?? ::FNODOBFM::`string'+0x1dd22
    ffffd000`239d8ab0 fffff800`593e8c2f nt!MmAccessFault+0x769
    ffffd000`239d8c70 fffff800`597dc333 nt!KiPageFault+0x12f
    ffffd000`239d8e00 fffff800`59679c39 nt! ?? ::NNGAKEGL::`string'+0x20183
    ffffd000`239d9130 fffff800`59677a63 nt!ObpLookupObjectName+0x6b9
    ffffd000`239d92b0 fffff801`c547f33a nt!ObOpenObjectByName+0x1e3
    ffffd000`239d93e0 ffffe001`00000001 JIUMSLYRBO+0x533a
    ffffd000`239d93e8 ffffc000`fac88000 0xffffe001`00000001
    ffffd000`239d93f0 00000000`00000000 0xffffc000`fac88000
    If I use .fnent on the Red Address -
    Code:
    1: kd> .fnent fffff800`5940cbd2
    Debugger function entry 00000022`a87b62b8 for:
    (fffff800`593eeeb0)   nt! ?? ::FNODOBFM::`string'+0x1dd22   |  (fffff800`59453eec)   nt!DisplayFilter
    BeginAddress      = 00000000`0017e553
    EndAddress        = 00000000`0017ed66
    UnwindInfoAddress = 00000000`00259450
    Unwind info at fffff800`594e7450, 1c bytes
      version 2, flags 4, prolog 0, codes 6
      00: offs 0, unwind op 4, op info d UWOP_SAVE_NONVOL FrameOffset: 60 reg: r13.
      02: offs 0, unwind op 4, op info 6 UWOP_SAVE_NONVOL FrameOffset: 68 reg: rsi.
      04: offs 0, unwind op 4, op info 3 UWOP_SAVE_NONVOL FrameOffset: a8 reg: rbx.
    Chained info:
    BeginAddress      = 00000000`0017e47c
    EndAddress        = 00000000`0017e506
    UnwindInfoAddress = 00000000`00259428
    Unwind info at fffff800`594e7428, 10 bytes
      version 2, flags 4, prolog 0, codes 0
    Chained info:
    BeginAddress      = 00000000`00074800
    EndAddress        = 00000000`00074954
    UnwindInfoAddress = 00000000`002592a8
    Unwind info at fffff800`594e72a8, 10 bytes
      version 2, flags 0, prolog 16, codes 6
      00: offs 16, unwind op 2, op info d UWOP_ALLOC_SMALL.
      01: offs 12, unwind op 0, op info f UWOP_PUSH_NONVOL reg: r15.
      02: offs 10, unwind op 0, op info e UWOP_PUSH_NONVOL reg: r14.
      03: offs e, unwind op 0, op info c UWOP_PUSH_NONVOL reg: r12.
      04: offs c, unwind op 0, op info 7 UWOP_PUSH_NONVOL reg: rdi.
      05: offs b, unwind op 0, op info 5 UWOP_PUSH_NONVOL reg: rbp.
    So, in this case, I got two sections of Chained Info. If I do ln on the beginning address of the first section, I get the below output -
    Code:
    1: kd> ln nt+00000000`0017e47c
    (fffff800`593eeeb0)   nt! ?? ::FNODOBFM::`string'+0x1d5cc   |  (fffff800`59453eec)   nt!DisplayFilter
    But, if I run the ln on second beginning address, I get the below output which seems to be the missing piece in the stack -
    Code:
    1: kd> ln nt+00000000`00074800
    (fffff800`59302800)   nt!MiSystemFault   |  (fffff800`59303404)   nt!MiNoFaultFound
    Exact matches:
        nt!MiSystemFault (<no parameter info>)
    Any idea, why there might be two sections like these? Also, how do I find a clue on what the function "MiSystemFault" does actually because there doesn't seem to be any documentation available on it : (


    -Pranav
    Last edited by blueelvis; 12-18-2014 at 04:38 AM.

  13. #13

    Re: Full List Of Functions Protected By Patchguard

    MiSystemFault is most likely an undocumented WMI function, assuming MI is the WMI prefix.

    Any idea, why there might be two sections like these?
    Good question, I'm not entirely sure. It's the same with my example:

    Code:
    0: kd> k
    Child-SP          RetAddr           Call Site
    fffff880`0c372378 fffff800`02edfc53 nt!KeBugCheckEx
    fffff880`0c372380 fffff800`02efe473 nt! ?? ::FNODOBFM::`string'+0x4a13
    fffff880`0c3723c0 fffff800`02ebe9c9 nt! ?? ::FNODOBFM::`string'+0x32c3b
    fffff880`0c372580 fffff800`0319fe90 nt!MiRemoveMappedView+0xd9
    fffff880`0c3726a0 fffff880`04137aef nt!MiUnmapViewOfSection+0x1b0
    fffff880`0c372760 fffff880`04132523 dxgmms1!VIDMM_GLOBAL::CloseLocalAllocation+0xa7
    fffff880`0c372810 fffff880`04118ecc dxgmms1!VIDMM_GLOBAL::CloseOneAllocation+0x19b
    fffff880`0c3728e0 fffff880`0405accc dxgmms1!VidMmCloseAllocation+0x44
    fffff880`0c372910 fffff880`0405b3ac dxgkrnl!DXGDEVICE::DestroyAllocations+0x248
    fffff880`0c372a00 fffff880`0405a651 dxgkrnl!DXGDEVICE::DestroyResource+0x84
    fffff880`0c372a30 fffff880`0406024b dxgkrnl!DXGDEVICE::ProcessTerminationList+0x95
    fffff880`0c372a80 fffff960`001a0d32 dxgkrnl!DxgkCreateAllocation+0x40b
    fffff880`0c372bb0 fffff800`02e8aad3 win32k!NtGdiDdDDICreateAllocation+0x12
    fffff880`0c372be0 00000000`72ca13fa nt!KiSystemServiceCopyEnd+0x13
    00000000`000cdc58 00000000`00000000 0x72ca13fa
    Code:
    0: kd> .fnent fffff800`02edfc53
    Debugger function entry 000000df`96da8968 for:
    (fffff800`02ec9820)   nt! ?? ::FNODOBFM::`string'+0x4a13   |  (fffff800`02ec9858)   nt!vDbgPrintExWithPrefixInternal
    
    BeginAddress      = 00000000`000c3bb0
    EndAddress        = 00000000`000c3c64
    UnwindInfoAddress = 00000000`001bfa64
    
    Unwind info at fffff800`02fdba64, 1c bytes
      version 1, flags 4, prolog 0, codes 6
      00: offs 0, unwind op 4, op info 7    UWOP_SAVE_NONVOL FrameOffset: 30 reg: rdi.
      02: offs 0, unwind op 4, op info 6    UWOP_SAVE_NONVOL FrameOffset: 48 reg: rsi.
      04: offs 0, unwind op 4, op info 3    UWOP_SAVE_NONVOL FrameOffset: 40 reg: rbx.
    
    Chained info:
    BeginAddress      = 00000000`000953f0
    EndAddress        = 00000000`0009543b
    UnwindInfoAddress = 00000000`001b65d8
    
    Unwind info at fffff800`02fd25d8, 6 bytes
      version 1, flags 0, prolog 4, codes 1
      00: offs 4, unwind op 2, op info 6    UWOP_ALLOC_SMALL.
    Code:
    0: kd> ln nt+000953f0
    (fffff800`02eb13f0)   nt!MiLocateWsle   |  (fffff800`02eb1540)   nt!MiResolveProtoPteFault
    Exact matches:
        nt!MiLocateWsle (<no parameter info>)
    I suppose you'll just run the list nearest symbol command on the BeginAddress field values until you find the one with the 'Exact matches:', and then that's the right one.
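
    Added here as a worked example (not code from the thread or from any of its posters): a small Python helper that post-processes the `.fnent` output posted above (embedded below, trimmed to the lines the parser needs) and the two `ln` outputs. Each `.fnent` section whose unwind info carries flags 4 (UNW_FLAG_CHAININFO in the x64 UNWIND_INFO format) is a chained fragment pointing at a parent entry; the first section whose flags lack that bit is the function's own entry, and its BeginAddress is the one `ln` resolves to an exact match. The helper lists the `ln nt+<BeginAddress>` commands in chain order, picks out that root entry, and detects an "Exact matches:" section in `ln` output. The module name `nt` and all function names are assumptions for the illustration.

```python
"""Walk WinDbg .fnent chained unwind info to find the BeginAddress worth resolving.

Added example, not from the thread. Sample text below is the debugger output posted in
the thread, trimmed to the lines the parser uses (unwind op lines dropped).
"""
import re

# Sample .fnent output, copied from the thread and trimmed (constructed for this example).
FNENT_OUTPUT = """\
1: kd> .fnent fffff800`5940cbd2
Debugger function entry 00000022`a87b62b8 for:
(fffff800`593eeeb0)   nt! ?? ::FNODOBFM::`string'+0x1dd22   |  (fffff800`59453eec)   nt!DisplayFilter
BeginAddress      = 00000000`0017e553
EndAddress        = 00000000`0017ed66
UnwindInfoAddress = 00000000`00259450
Unwind info at fffff800`594e7450, 1c bytes
  version 2, flags 4, prolog 0, codes 6
Chained info:
BeginAddress      = 00000000`0017e47c
EndAddress        = 00000000`0017e506
UnwindInfoAddress = 00000000`00259428
Unwind info at fffff800`594e7428, 10 bytes
  version 2, flags 4, prolog 0, codes 0
Chained info:
BeginAddress      = 00000000`00074800
EndAddress        = 00000000`00074954
UnwindInfoAddress = 00000000`002592a8
Unwind info at fffff800`594e72a8, 10 bytes
  version 2, flags 0, prolog 16, codes 6
"""

# The two ln outputs from the thread (constructed sample input for exact_match()).
LN_OUTPUTS = [
    """1: kd> ln nt+00000000`0017e47c
(fffff800`593eeeb0)   nt! ?? ::FNODOBFM::`string'+0x1d5cc   |  (fffff800`59453eec)   nt!DisplayFilter
""",
    """1: kd> ln nt+00000000`00074800
(fffff800`59302800)   nt!MiSystemFault   |  (fffff800`59303404)   nt!MiNoFaultFound
Exact matches:
    nt!MiSystemFault (<no parameter info>)
""",
]

UNW_FLAG_CHAININFO = 0x4  # x64 UNWIND_INFO flag: this entry chains to a parent function entry

_BEGIN_RE = re.compile(r"^BeginAddress\s*=\s*([0-9a-fA-F`]+)", re.M)
_FLAGS_RE = re.compile(r"^\s*version\s+\d+,\s*flags\s+([0-9a-fA-F]+)", re.M)


def parse_fnent(text):
    """Return one dict per .fnent section, in the order the debugger printed them.

    Sections are separated by 'Chained info:'; each carries a BeginAddress (an RVA,
    with WinDbg's backtick separator) and a 'version N, flags F' unwind-info line.
    """
    entries = []
    for section in text.split("Chained info:"):
        begin = _BEGIN_RE.search(section)
        if not begin:
            continue  # header text without an entry
        flags_match = _FLAGS_RE.search(section)
        flags = int(flags_match.group(1), 16) if flags_match else 0
        entries.append({
            "begin_rva": int(begin.group(1).replace("`", ""), 16),
            "flags": flags,
            "chained": bool(flags & UNW_FLAG_CHAININFO),
        })
    return entries


def ln_commands(entries, module="nt"):
    """The 'ln module+RVA' commands to try, in chain order (outermost fragment first)."""
    return [f"ln {module}+{e['begin_rva']:x}" for e in entries]


def root_entry(entries):
    """First entry without UNW_FLAG_CHAININFO: the parent function's own entry, if any."""
    for entry in entries:
        if not entry["chained"]:
            return entry
    return None


def exact_match(ln_text):
    """Symbol named under 'Exact matches:' in ln output, or None if ln only guessed."""
    match = re.search(r"^Exact matches:\s*\n\s*(\S+)", ln_text, re.M)
    return match.group(1) if match else None


if __name__ == "__main__":
    chain = parse_fnent(FNENT_OUTPUT)
    for cmd, entry in zip(ln_commands(chain), chain):
        print(f"{cmd:<16} flags={entry['flags']:#x} chained={entry['chained']}")
    root = root_entry(chain)
    print("root BeginAddress:", f"{root['begin_rva']:x}" if root else "none")
    for out in LN_OUTPUTS:
        print("exact match:", exact_match(out))
```

    On the thread's sample the chain is 0x17e553 (flags 4) → 0x17e47c (flags 4) → 0x74800 (flags 0), so the script names `ln nt+74800` as the command worth running before any `ln` is typed, and the second `ln` output is the only one reporting an exact match (nt!MiSystemFault). The script only reads pasted text; it does not drive WinDbg itself.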

  14. #14
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Wmi is the WMI prefix, and I'm assuming that the M = Memory Management and the i = internal. Internal in the sense of publicly undocumented, since the function is reserved for system use only. There's also Ki, which is another private prefix.

  15. #15
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Pranav, do you still have the dump file? I would like to test if the string is resolved across different debugger versions.

  16. #16
    Jared's Avatar
    Join Date
    Feb 2014
    Age
    21
    Posts
    1,570
    • specs System Specs
      • Manufacturer:
        Custom
      • Motherboard:
        ASUS Maximus VII Ranger
      • CPU:
        i7 4790K @ 4.4GHz
      • Memory:
        Corsair Vengeance 16GB 1866MHz
      • Graphics:
        MSI Gaming 4G GTX 980
      • Sound Card:
        Creative Soundblaster ZxR
      • Hard Drives:
        Samsung 850 SSD 250GB
      • Disk Drives:
        Western Digital Black Caviar 2TB
      • Power Supply:
        Corsair RM650 Modular 650 Watts
      • Case:
        Fractal Design Define R5 Window
      • Cooling:
        Corsair H100i GTX
      • Display:
        Dell U2515H 25inch 2560x1440 + LG Flatron M2262D 22inch 1920x1080
      • Operating System:
        Windows 10 Professional x64

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by Patrick View Post
    MiSystemFault is most likely an undocumented WMI function, assuming MI is the WMI prefix.
    Quote Originally Posted by x BlueRobot View Post
    Wmi is the WMI prefix, and I'm assuming that the M = Memory Management and the i = internal. Internal in the sense of publicly undocumented, since the function is reserved for system use only. There's also Ki, which is another private prefix.
    The Mi prefix is as Harry stated; it's an undocumented private function. Ki stands for Kernel Internal and it is private, therefore almost entirely undocumented.

  17. #17
    blueelvis's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by x BlueRobot View Post
    Pranav, do you still have the dump file? I would like to test if the string is resolved across different debugger versions.
    Yup, I have the dump with me. Here is the link -
    https://onedrive.live.com/redir?resi...int=file%2cdmp

    So, the function KeBugCheck() has a prefix of K meaning Kernel and E meaning it is external and documented, right?

    -Pranav
    Last edited by blueelvis; 12-18-2014 at 04:54 PM. Reason: Now find the mistake :D

  18. #18
    Jared's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by blueelvis View Post
    Quote Originally Posted by x BlueRobot View Post
    Pranav, do you still have the dump file? I would like to test if the string is resolved across different debugger versions.
    Yup, I have the dump with me. Here is the link -
    https://onedrive.live.com/redir?resi...int=file%2cdmp

    So, the function KeBugCheck() has a suffix of K meaning Kernel and E meaning it is external and documented, right?

    -Pranav
    Ke just means Kernel, it's mostly documented, yes.

  19. #19
    x BlueRobot's Avatar

    Re: Full List Of Functions Protected By Patchguard

    You mean prefix; a suffix denotes a common ending of a word. Sorry, I'm being a grammar Nazi.

    Thanks for the dump file!

  20. #20
    Jared's Avatar

    Re: Full List Of Functions Protected By Patchguard

    Quote Originally Posted by x BlueRobot View Post
    You mean prefix; a suffix denotes a common ending of a word. Sorry, I'm being a grammar Nazi.

    Thanks for the dump file!
    How did I miss that? I'm usually the one who corrects grammar.
