0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).


Hook and simulate nt!NtFlushBuffersFile for pseudo-handles

1ndahous3 opened this issue · comments

commented

I'm trying to run a user mode application that creates a log file and actively writes to it.

So first I use g_FsHandleTable.MapNonExistingGuestFile(uR"(\??\C:\ProgramData\Logs\log1.log)");

Everything runs fine, but after re-opening and writing to my fake file, the app crashes:

```
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running testcase.bin
fs: Mapping previously non existing guest file \??\C:\ProgramData\Logs\log1.log with filestream(0)
fs: ntdll!NtCreateFile(FileHandle=0xf0891ff778, DesiredAccess=0x80100080, ObjectAttributes=0xf0891ff7b8 (\??\C:\ProgramData\Logs\log1.log), IoStatusBlock=0xf0891ff780, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), CreateDisposition=0x2 (FILE_CREATE), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffe for \??\C:\ProgramData\Logs\log1.log
fs: ntdll!NtClose(Handle=0x7ffffffe)
fs: Closing 0x7ffffffe
fs: ntdll!NtCreateFile(FileHandle=0xf0891ff498, DesiredAccess=0xc0100080, ObjectAttributes=0xf0891ff4d0 (\??\C:\ProgramData\Logs\log1.log), IoStatusBlock=0xf0891ff550, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x3 (FILE_OPEN_IF), CreateOptions=0x20 (FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffd for \??\C:\ProgramData\Logs\log1.log
fs: nt!NtReadFile(FileHandle=0x7ffffffd, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xf0891ff800, Buffer=0x2b82ceb5750, Length=0x38, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffd, IoStatusBlock=0xf0891ff7e0, FileInformation=0xf0891ff7d0, Length=0x8, FileInformationClass=0xe)
fs: nt!NtWriteFile(FileHandle=0x7ffffffd, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xf0891ff800, Buffer=0x2b82ceb5750, Length=0x38, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffd, IoStatusBlock=0xf0891ff800, FileInformation=0xf0891ff830, Length=0x8, FileInformationClass=0x14)
ucrash: RtlDispatchException triggered UNKNOWN @ 0x7fff10c27f3a
--------------------------------------------------
Run stats:
Instructions executed: 69763 (17335 unique)
          Dirty pages: 278528 bytes (0 MB)
      Memory accesses: 197532 bytes (0 MB)
#1 cov: 17335 exec/s: 1.0 lastcov: 0.0s crash: 1 timeout: 0 cr3: 0 uptime: 1.0s
```

After looking into rip and tenet traces, I see this happening the moment the application tries to flush changes to disk.

(Manually crafted) stack:

```
KERNEL32!FlushFileBuffers+0x0
KERNELBASE!FlushFileBuffers+0x26
ntdll!NtFlushBuffersFile+0x12
[...]
nt!NtFlushBuffersFile+0x11
nt!NtFlushBuffersFileEx+0x96
nt!IopReferenceFileObject+0x35
nt!ObReferenceObjectByHandle+0x29
nt!ObpReferenceObjectByHandleWithTag+0x516
nt!ExHandleLogBadReference+0x17f0f1
nt!KeRaiseUserException+0xf7
[..]
ntdll!RtlDispatchException+0x0
```

Make sure it was our pseudo-handle (0x7ffffffd):
[two screenshots from the original issue]

I think we shouldn't honestly pass pseudo-handles to flush to disk.
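The failure mode above is the kernel receiving a fuzzer-private pseudo-handle through an unhooked syscall, so `ObReferenceObjectByHandle` fails and the guest gets a bad-handle exception. The following is an added, stand-alone model (not wtf's own code) of what an `ntdll!NtFlushBuffersFile` hook should decide; it assumes pseudo-handles are allocated downwards from 0x7ffffffe, as the log shows, and the `FsHandleTable_t` / `HookNtFlushBuffersFile` names are hypothetical stand-ins for the hook logic rather than wtf's API:

```cpp
// Model of the pseudo-handle check an NtFlushBuffersFile hook needs (added
// example, not wtf's implementation). In wtf the "Simulated" path would end
// with the backend writing the IoStatusBlock and returning from the function.
#include <cstdint>
#include <map>
#include <string>

using Handle_t = uint64_t;
constexpr uint32_t STATUS_SUCCESS = 0x00000000;
constexpr uint32_t STATUS_INVALID_HANDLE = 0xC0000008;

// IO_STATUS_BLOCK as the guest expects it written back.
struct IoStatusBlock_t {
  uint32_t Status;
  uint64_t Information;
};

// Assumption from the issue log: pseudo-handles count down from 0x7ffffffe
// (0x7ffffffe first, then 0x7ffffffd after the first one is closed).
class FsHandleTable_t {
  Handle_t Next_ = 0x7ffffffe;
  std::map<Handle_t, std::string> Open_;
public:
  Handle_t Open(const std::string &Path) { Open_[Next_] = Path; return Next_--; }
  void Close(Handle_t H) { Open_.erase(H); }
  // Anything ever handed out from the pseudo range is ours, open or closed;
  // the guest kernel must never be asked to dereference it.
  bool IsPseudo(Handle_t H) const { return H <= 0x7ffffffe && H > Next_; }
  bool IsOpen(Handle_t H) const { return Open_.count(H) != 0; }
};

enum class Action_t { PassToKernel, Simulated };

// Decision for NtFlushBuffersFile(FileHandle, IoStatusBlock): real guest
// handles go through to nt!NtFlushBuffersFile; pseudo-handles are answered
// here so nt!ObReferenceObjectByHandle never sees them.
Action_t HookNtFlushBuffersFile(const FsHandleTable_t &Table, Handle_t FileHandle,
                                IoStatusBlock_t &Iosb, uint32_t &Status) {
  if (!Table.IsPseudo(FileHandle)) {
    return Action_t::PassToKernel;
  }
  // Flushing a fake in-memory file is a no-op; a closed pseudo-handle gets the
  // status a real kernel would return rather than a bad-handle exception.
  Status = Table.IsOpen(FileHandle) ? STATUS_SUCCESS : STATUS_INVALID_HANDLE;
  Iosb.Status = Status;
  Iosb.Information = 0;
  return Action_t::Simulated;
}
```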

commented

@0vercl0k you're right, it's quite difficult to cover all functions that can work with all pseudo-handles (to execute a complex user mode application). I already hooked the set of functions (nt!NtFlushBuffersFileEx, nt!NtSetValueKey, nt!NtOpenKey, nt!NtQueryKey, nt!NtQueryKey, nt!NtQueryObject), but still got nt!ExHandleLogBadReference and a user mode exception.

@1ndahous3 what do you want me to do here? How can I help?

Cheers

Closing as no activity for a long time.

Cheers