>What would you look for if you were me?
the possibilities are large, and I am not sufficiently qualified to any
this with precision.
I was hoping that a dps
might yield some known symbols (if thy
are published). Sometimes, if they are c++ objects, they have vtables and
such, and those would have known symbols.
in other times, they might represent callback functions inside of windows,
which might be exported/labled.
if it is pure code, then perhaps setting a break on access to it, and
seeing the call stack on when it is hit.
check for pool allocations (like you said) to make out which pool it is,
and see where else it is used.
>I would also want to see if it is inside a pool allocation or inside the
.sys module or none of that.
it wouldnt be inside a sys file would it? If so why would you need an
ExAllocatePool at all? yes if could be code kept as a resource inside of a
sys file and copied out once the allocation succeeds. in that case, you can
use a PE analyzer to see the resources in the binary in question so see if
that matches the contents of the allocated block. i would be careful
though, it is easy to keep encrypted blocks of resources, a simple xor
version of it will through you off track.
like i said, there are a lot of possibilities, and I am not expert in this.
BTW, is this a windows binary or is it a third party driver which is
winqual certified? if it is the later i wouldnt be surprised it is doing
such stuff, it is easy to fool winqual, as long as the allocation
logic/path is not part of regular work flow 9say triggered by an ioctl), it
is easy to pass whql, verifier wont complain at all. Even if verifier
complains, it is easy to bypass verifier and still get winqual passed.
if it is windows binary, then I dont know the reasons at all...
On Mon, Nov 21, 2016 at 2:18 PM, jc scaly wrote:
> Not yet. That should be my next step.
> What would you look for if you were me?
>
> I guess I would try to disassemble it and see how much code it contains
> and try understand it's function, at least broadly.
>
> I would also want to see if it is inside a pool allocation or inside the
> .sys module or none of that.
>
> Any more clues?
>
> I could also make the crash dump accessible to you if you'd like to
> explore it.
>
> On Nov 22, 2016 12:05 AM, "Ami Awbadhho" wrote:
>
>> >So, logically the next-in-line question should be: what is the cause
>> for ClipSp to dynamically allocate a code thunk?
>>
>> just curious, did u try analyzing the memory block? did it represent any
>> objects or known symbols? hooks come to mind when one talks about such
>> scenarios.
>>
>> On Mon, Nov 21, 2016 at 1:24 PM, jc scaly wrote:
>>
>>> It is truly remarkable to me that I've posted a question in the most
>>> relevant forum filled with best Windows kernel researchers out there and
>>> the post has gone so off-topic that my question was left unanswered.
>>>
>>> I came here to learn; discuss a problem with intelligent people and
>>> attempt at solving it, yet this is not what happened.
>>>
>>> I would very much like to leave the "are RWX pages a security flaw" talk
>>> out of this post and get back to understand: why are Windows kernel modules
>>> allocate and execute code dynamically.
>>>
>>> Back to it, with your permission, three ground facts should be set as
>>> the ground for later discussions:
>>>
>>> 1) Some of the RWX pages are (without real need) allocated with such
>>> permissions due to it being a default for the kernel allocation method -
>>> ExAllocatrPool.
>>>
>>> 2) Changing ALL kernel RWX pages to RW in Windows 10 caused an immediate
>>> blue screen, due to a (now) non-executable page being run, and the bugcheck
>>> identified it to belong to ClipSp.sys - a signed Windows driver, which PEs
>>> section are not marked as RWX.
>>>
>>> 3) Changing ALL kernel RWX pages to RX in Windows 10 did not cause a
>>> blue screen.
>>>
>>> So, logically the next-in-line question should be: what is the cause for
>>> ClipSp to dynamically allocate a code thunk?
>>>
>>> I claim that it dynamically allocated it as it's PE file did not specify
>>> to load the module with RWX permissions, and it makes no sense (for me) to
>>> change the permissions in runtime if a loadtime mechanism exists.
>>>
>>> There fore, the next logical clame would be that this is an intentional
>>> mechanism that this driver used in order to allocate run-time code. Then
>>> why is it such? And why did it need the page to stay writeable?
>>>
>>> I await your thoughts on this matter. Help me understand this better!
>>>
>>> Good week to you all.
>>>
>>> On Nov 21, 2016 2:50 PM, wrote:
>>>
>>>> > In the meantime, you aren't making any friends here by arguing a
>>>> theoretical point.
>>>>
>>>> Well, I have always been under the impression that the very purpose of
>>>> a technical NG is to discuss the technical issues, rather than "to make
>>>> friends" - after all, this is what Facebook et al are for .
>>>>
>>>> In fact, the very idea of setting up some "XYZ Sycophant Club" or "ABC
>>>> Propaganda Department"
>>>> in a technical NG seems at least strange to me, but I do realize that
>>>> most of this list's "regulars" have a different opinion on this subject...
>>>>
>>>>
>>>>
>>>> Anton Bassov
>>>>
>>>> ---
>>>> NTDEV is sponsored by OSR
>>>>
>>>> Visit the list online at: >>>> lists.cfm?list=ntdev>
>>>>
>>>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>> software drivers!
>>>> Details at
>>>>
>>>> To unsubscribe, visit the List Server section of OSR Online at <
>>>> http://www.osronline.com/page.cfm?name=ListServer>
>>>>
>>> --- NTDEV is sponsored by OSR Visit the list online at: MONTHLY
>>> seminars on crash dump analysis, WDF, Windows internals and software
>>> drivers! Details at To unsubscribe, visit the List Server section of
>>> OSR Online at
>>
>>
>> --- NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars
>> on crash dump analysis, WDF, Windows internals and software drivers!
>> Details at To unsubscribe, visit the List Server section of OSR Online
>> at
>
> --- NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars
> on crash dump analysis, WDF, Windows internals and software drivers!
> Details at To unsubscribe, visit the List Server section of OSR Online at
>