The ultimate reason DynamoRIO 9 cannot capture UWP data
2022-11-14 23:59:46 Author: mp.weixin.qq.com

Created: 2022-11-14 09:44
http://scz.617.cn:8/windows/202211140944.txt

Only this version is discussed: DynamoRIO-Windows-9.0.19181.

calc
tasklist | findstr Calculator
DynamoRIO-Windows-9.0.19181\bin64\drrun.exe -verbose -64 -attach <pid> -t drcov
DynamoRIO-Windows-9.0.19181\bin64\drrun.exe -verbose -64 -t drcov -- calc

One attaches, the other runs the target directly; neither method can capture data from the Win10 Calculator. Process Monitor in Ring3 shows that dynamorio.dll fails to load, even though read and execute permissions had already been granted to "ALL APPLICATION PACKAGES (S-1-15-2-1)".

Yunhai traced why dynamorio.dll fails to load with a kernel debugger and found the ultimate reason. When loading dynamorio.dll, LdrpMapViewOfSection returns 0xC0000269, whose meaning is as follows

STATUS_ILLEGAL_DLL_RELOCATION

{Illegal System DLL Relocation} The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range that is reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

Calculator has this enabled

[+0x000 ( 4: 4)] ForceRelocateImages : 0x1 [Type: unsigned long]

Directly modifying MitigationFlags in _EPROCESS from the kernel debugger to clear Calculator's ForceRelocateImages lets dynamorio.dll load; the DLL has IMAGE_FILE_RELOCS_STRIPPED set, so it cannot pass the ForceRelocateImages check.

Viewing Calculator's "Mitigation Policies" in ProcessHacker, the first line is

ASLR (high entropy, force relocate, disallow stripped)

with the following explanation underneath

Address Space Layout Randomization is enabled for this process. High entropy randomization is enabled. All images are being forcibly relocated (regardless of whether they support ASLR). Images with stripped relocation data are disallowed.

See

IMAGE_FILE_HEADER structure (winnt.h)
https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_file_header

#define IMAGE_FILE_RELOCS_STRIPPED  0x0001  // Relocation info stripped from file.

When IMAGE_FILE_RELOCS_STRIPPED is set, the explanation is as follows

Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error.

Inspecting dynamorio.dll with CFF Explorer

File Header
  Characteristics
    Relocation info stripped from file
      On
Data Directories
  Relocation Directory RVA  0
  Relocation Directory Size 0

dynamorio.dll does not merely set IMAGE_FILE_RELOCS_STRIPPED; its relocation information has actually been removed.
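As an added example (not code from the original post or from DynamoRIO), the following Python script reads the same two fields CFF Explorer shows above, the File Header Characteristics and the base relocation data directory, so any DLL can be checked before it is injected into a process running with ForceRelocateImages. The minimal PE32+ skeleton it builds for the demo is constructed here; pass a real file path to check an actual image.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001       # winnt.h: relocation info stripped from file
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5       # index of the base relocation data directory


def relocation_status(pe: bytes) -> dict:
    # Walk DOS header -> PE signature -> COFF header -> optional header.
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    characteristics = struct.unpack_from("<H", pe, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories begin at +96 in a PE32 optional header, +112 in PE32+ (magic 0x20B).
    dd_base = opt + (112 if magic == 0x20B else 96)
    rva, size = struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "relocs_stripped_flag": stripped,       # the flag the ForceRelocateImages check trips on
        "has_reloc_dir": size != 0,             # whether the loader could relocate it at all
        "reloc_dir_rva": rva,
        "reloc_dir_size": size,
        "rejected_by_force_relocate": stripped,
    }


def build_sample(characteristics: int, reloc_size: int) -> bytes:
    # Constructed headers-only PE32+ skeleton (e_lfanew=0x40, 240-byte optional header).
    img = bytearray(0x40 + 4 + 20 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<H", img, coff + 16, 240)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, coff + 18, characteristics)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)                   # PE32+ magic
    rva = 0x1000 if reloc_size else 0
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, rva, reloc_size)
    return bytes(img)


if __name__ == "__main__":
    # 0x2022 = DLL | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE; mimic what CFF Explorer showed above.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0x2022 | IMAGE_FILE_RELOCS_STRIPPED, 0)
    print(relocation_status(data))
```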

Inspecting ForceRelocateImages with livekd

"X:\Windows Kits\10\x64\Debuggers\x64\livekd.exe" -k "X:\Windows Kits\10\x64\Debuggers\x64\kd.exe"

kd> !process 0 0 Calculator.exe
PROCESS ffff8c040d4f5340

kd> .process /p /r ffff8c040d4f5340

kd> dt nt!_EPROCESS ImageFileName MitigationFlags MitigationFlagsValues. ffff8c040d4f5340
   +0x5a8 ImageFileName          : [15]  "Calculator.exe"
   +0x9d0 MitigationFlags        : 0x38
   +0x9d0 MitigationFlagsValues  :
      ...
      +0x000 ForceRelocateImages    : 0y1
      ...

kd> dt nt!_EPROCESS MitigationFlagsValues.ForceRelocateImages ffff8c040d4f5340
   +0x9d0 MitigationFlagsValues                     :
      +0x000 ForceRelocateImages                       : 0y1

kd> dx ((nt!_EPROCESS *)0xffff8c040d4f5340)->MitigationFlags
 : 0x38 [Type: unsigned long]

kd> dx ((nt!_EPROCESS *)0xffff8c040d4f5340)->MitigationFlagsValues
...
    [+0x000 ( 4: 4)] ForceRelocateImages : 0x1 [Type: unsigned long]
...

kd> dx ((nt!_EPROCESS *)0xffff8c040d4f5340)->MitigationFlagsValues.ForceRelocateImages
 : 0x1 [Type: unsigned long]

List every process in the system with ForceRelocateImages set

kd> dx @$ForceRelocateImages = 0x10
kd> dx -r1 @$cursession.Processes.Where(p=>(p.KernelObject.MitigationFlags & @$ForceRelocateImages) != 0)

    [0x424]          : fontdrvhost.exe
    [0x1560]         : dllhost.exe
    [0x1cac]         : StartMenuExperienceHost.exe
    ...
    [0x39bc]         : Microsoft.Photos.exe
    ...
    [0x3de8]         : SearchApp.exe
    [0x424c]         : ShellExperienceHost.exe
    ...
    [0x375c]         : Calculator.exe
    [0x1dbc]         : RuntimeBroker.exe

Or

kd> dx -r1 @$cursession.Processes.Where(p=>(p.KernelObject.MitigationFlagsValues.ForceRelocateImages == 1))

Tried to disable Calculator's ForceRelocateImages, without success.

> Get-Item -Path "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe" | %{ Get-ProcessMitigation -Name $_.Name } | findstr ForceRelocateImages
    ForceRelocateImages                : NOTSET

ForceRelocateImages defaults to NOTSET; try disabling it

> Get-Item -Path "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe" | %{ Set-ProcessMitigation -Name $_.Name -Disable ForceRelocateImages }
    ForceRelocateImages                : OFF

$ reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe
    MitigationOptions    REG_BINARY    000200000000000000000000000000000000000000000000
    MitigationAuditOptions    REG_BINARY    000000000000000000000000000000000000000000000000
    EAFModules    REG_SZ

MitigationOptions is all zeros by default; after disabling ForceRelocateImages a 02 appears, after enabling it a 01 appears.

It can also be done through the GUI

Settings
  Update & Security
    Windows Security
      App & browser control
        Exploit Protection settings
          Program settings

After disabling ForceRelocateImages it is unclear whether a reboot is needed for the change to take effect; in any case, without rebooting, ProcessHacker and livekd confirm that ForceRelocateImages is still enabled. Perhaps ForceRelocateImages cannot truly be disabled for UWP; the kernel-debugger approach doesn't count.

If DynamoRIO is built from source, switching to reflective DLL loading should allow dynamorio.dll to load; another possible option is to build dynamorio.dll so that it can be relocated, though it is unclear whether DynamoRIO requires that this DLL never be relocated. These remain at the discussion stage; there is no motivation to test them.

It has not been tested whether, once dynamorio.dll loads, UWP data can actually be captured; other surprises may be waiting. Nor has the latest DynamoRIO been tested for changes. This article only records Yunhai's debugging conclusions about ForceRelocateImages.

See also

(omitted; see the TXT)


Article source: https://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247486304&idx=1&sn=61f5e777978c12b62e7ddf4e4f7736b4&chksm=fab2c85fcdc54149468fa3e1357669b30bb26e4c650a0bb63fa2889fd9e281643d892f74aa95#rd