From 5f2734a8880e328a80e94f6ac22b8aa0280b03b2 Mon Sep 17 00:00:00 2001
From: Viking
Date: Sun, 27 Nov 2022 18:42:15 +0100
Subject: [PATCH 1/4] Add g_CiOptions offset extract "feature"
Here is an example : ExtractOffsets.py ci -i C:\Windows\System32\ci.dll
---
 Offsets/ExtractOffsets.py | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/Offsets/ExtractOffsets.py b/Offsets/ExtractOffsets.py
index 733246e..e28e057 100644
--- a/Offsets/ExtractOffsets.py
+++ b/Offsets/ExtractOffsets.py
@@ -13,8 +13,8 @@ import threading
 CSVLock = threading.Lock()
 machineType = dict(x86=332, x64=34404)
-knownImageVersions = dict(ntoskrnl=list(), wdigest=list())
-extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll")
+knownImageVersions = dict(ntoskrnl=list(), wdigest=list(),ci=list())
+extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll",ci="dll")
 def run(args, **kargs):
 """Wrap subprocess.run to works on Windows and Linux"""
@@ -41,7 +41,12 @@ def downloadSpecificFile(entry, pe_basename, pe_ext, knownPEVersions, output_fol
 virtual_size = entry['fileInfo']['virtualSize']
 file_id = hex(timestamp).replace('0x','').zfill(8).upper() + hex(virtual_size).replace('0x','')
 url = 'https://msdl.microsoft.com/download/symbols/' + pe_name + '/' + file_id + '/' + pe_name
- version = entry['fileInfo']['version'].split(' ')[0]
+ # fix download error, sometimes version does not exist
+ try:
+ version = entry['fileInfo']['version'].split(' ')[0]
+ except KeyError:
+ print(f"{url} version is unknown.")
+ return "SKIP"
 # Output file format: _build-revision.
 output_version = '-'.join(version.split('.')[-2:])
@@ -126,6 +131,9 @@ def extractOffsets(input_file, output_file, mode):
 elif "wdigest.dll" in line:
 imageType = "wdigest"
 break
+ elif "CI.dll" in line:
+ imageType = "ci"
+ break
 else:
 print(f"[*] File {input_file} unrecognized")
 return
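Review bot: The new `except KeyError` branch in downloadSpecificFile reports with `print(f"{url} version is unknown.")`, dropping the `[*]`/`[!]` prefix every other message in the script carries (e.g. `[*] File {input_file} unrecognized` in the next hunk) and naming the URL rather than the entry that lacks the field; `print(f"[*] {url}: entry has no fileInfo version, skipping")` keeps the output consistent and grep-able. The bare string `"SKIP"` becomes part of the function's contract, yet the callers and the other return statements are outside the hunk, so it cannot be checked here that every caller distinguishes it from a real result — a module-level constant compared by name would make that explicit. The comment `# fix download error, sometimes version does not exist` names the symptom; `# some index entries carry no fileInfo['version']; skip them rather than abort the whole batch` states what is actually handled. downloadSpecificFile begins and ends outside the hunk.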
@@ -170,6 +178,10 @@ def extractOffsets(input_file, output_file, mode):
 ("g_fParameter_UseLogonCredential",get_symbol_offset),
 ("g_IsCredGuardEnabled",get_symbol_offset)
 ]
+ elif imageType == "ci":
+ symbols = [
+ ("g_CiOptions",get_symbol_offset),
+ ]
 symbols_values = list()
@@ -219,18 +231,18 @@ def loadOffsetsFromCSV(loadedVersions, CSVPath):
 if __name__ == '__main__':
 parser = argparse.ArgumentParser()
- parser.add_argument('mode', help='ntoskrnl or wdigest. Mode to download and extract offsets for either ntoskrnl or wdigest')
+ parser.add_argument('mode', help='ntoskrnl or wdigest or ci. Mode to download and extract offsets for either ntoskrnl or wdigest or ci')
 parser.add_argument('-i', '--input', dest='input', required=True,
- help='Single file or directory containing ntoskrnl.exe / wdigest.dll to extract offsets from. If in download mode, the PE downloaded from MS symbols servers will be placed in this folder.')
+ help='Single file or directory containing ntoskrnl.exe / wdigest.dll / ci.dll to extract offsets from. If in download mode, the PE downloaded from MS symbols servers will be placed in this folder.')
 parser.add_argument('-o', '--output', dest='output',
- help='CSV file to write offsets to. If the specified file already exists, only new ntoskrnl versions will be downloaded / analyzed. Defaults to NtoskrnlOffsets.csv / WdigestOffsets.csv in the current folder.')
+ help='CSV file to write offsets to. If the specified file already exists, only new ntoskrnl versions will be downloaded / analyzed. Defaults to NtoskrnlOffsets.csv / WdigestOffsets.csv / CiOffsets.csv in the current folder.')
 parser.add_argument('-d', '--download', dest='download', action='store_true',
 help='Flag to download the PE from Microsoft servers using list of versions from winbindex.m417z.com.')
 args = parser.parse_args()
 mode = args.mode.lower()
 if mode not in knownImageVersions:
- print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl" and "wdigest"')
+ print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl" and "wdigest" and "ci"')
 exit(1)
 # check R2 version
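Review bot: The `mode` positional remains free text that is validated by hand a few lines down (`if mode not in knownImageVersions:` … `exit(1)`), so the help string and the error message each repeat the list of modes and must be edited by hand every time one is added, which is what this hunk does in several places. `parser.add_argument('mode', type=str.lower, choices=sorted(knownImageVersions), help='Image to download and extract offsets for')` lets argparse reject anything else with a consistent message and derives the list from the dict defined at module level in the first hunk, leaving the manual check as a harmless no-op. The `-o` help now promises a `CiOffsets.csv` default, but the code that picks the default output name is not in this hunk, so confirm it has a `ci` branch. The `__main__` block continues past the hunk.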
@@ -269,6 +281,8 @@ if __name__ == '__main__':
 output.write('ntoskrnlVersion,PspCreateProcessNotifyRoutineOffset,PspCreateThreadNotifyRoutineOffset,PspLoadImageNotifyRoutineOffset,_PS_PROTECTIONOffset,EtwThreatIntProvRegHandleOffset,EtwRegEntry_GuidEntryOffset,EtwGuidEntry_ProviderEnableInfoOffset,PsProcessType,PsThreadType,CallbackList\n')
 elif mode == "wdigest":
 output.write('wdigestVersion,g_fParameter_UseLogonCredentialOffset,g_IsCredGuardEnabledOffset\n')
+ elif mode == "ci":
+ output.write('g_CiOptionsOffset\n')
 else:
 assert False
 # In download mode, an updated list of image versions published will be retrieved from https://winbindex.m417z.com.
From 919ec7dea1e17fd0b365cdc0692d0c03fc73769e Mon Sep 17 00:00:00 2001
From: Viking
Date: Sun, 11 Dec 2022 11:02:21 +0100
Subject: [PATCH 2/4] Add CiOffsets.csv
It contains g_CiOptions offset for several ci.dll version
---
 Offsets/CiOffsets.csv | 185 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 185 insertions(+)
 create mode 100644 Offsets/CiOffsets.csv
diff --git a/Offsets/CiOffsets.csv b/Offsets/CiOffsets.csv
new file mode 100644
index 0000000..3ae46db
--- /dev/null
+++ b/Offsets/CiOffsets.csv
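Review bot: The header written for `ci` mode, `output.write('g_CiOptionsOffset\n')`, has a single column, whereas the rows the tool produces for ci.dll have two fields — the CiOffsets.csv added by the next patch shows `ci_10240-17673.dll,16c10` under that one-word header — and the other two modes name the version column first (`ntoskrnlVersion,…`, `wdigestVersion,…`). `output.write('ciVersion,g_CiOptionsOffset\n')` restores the shape the other modes use. Whether loadOffsetsFromCSV or any downstream reader keys on header names is not visible here; if one does, the version column of the current file is read under the wrong name. The `__main__` block continues outside the hunk.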
@@ -0,0 +1,185 @@ +g_CiOptionsOffset +ci_10240-17673.dll,16c10 +ci_10240-17797.dll,16c10 +ci_10240-17861.dll,16c10 +ci_10240-17831.dll,16c10 +ci_10240-17319.dll,16c10 +ci_10240-17889.dll,16c10 +ci_10240-17976.dll,16c10 +ci_10240-16384.dll,16c10 +ci_10240-19119.dll,16c10 +ci_10586-0.dll,16c30 +ci_10586-1232.dll,16c30 +ci_10586-1478.dll,16c30 +ci_14393-0.dll,19b50 +ci_10586-839.dll,16c30 +ci_10586-1540.dll,16c30 +ci_14393-2214.dll,19b50 +ci_14393-2273.dll,19b50 +ci_14393-2248.dll,19b50 +ci_14393-206.dll,19b50 +ci_14393-2312.dll,19b50 +ci_14393-2189.dll,19b50 +ci_14393-2339.dll,19b50 +ci_14393-2395.dll,19b50 +ci_14393-2485.dll,19b50 +ci_14393-3053.dll,19b50 +ci_14393-3115.dll,19b50 +ci_14393-3297.dll,19b50 +ci_14393-3323.dll,19b50 +ci_14393-2636.dll,19b50 +ci_14393-3383.dll,19b50 +ci_14393-3930.dll,19b70 +ci_14393-4350.dll,19b70 +ci_14393-4583.dll,19b70 +ci_14393-4704.dll,19b70 +ci_14393-4770.dll,19b70 +ci_14393-3986.dll,19b70 +ci_14393-5125.dll,19b70 +ci_14393-4530.dll,19b70 +ci_14393-5006.dll,19b70 +ci_14393-5501.dll,19b50 +ci_14393-726.dll,19b50 +ci_14393-953.dll,19b50 +ci_15063-0.dll,1bbb0 +ci_14393-5192.dll,19b50 +ci_15063-1058.dll,1bbb0 +ci_15063-1091.dll,1bbb0 +ci_15063-1155.dll,1bbb0 +ci_15063-1324.dll,1bbb0 +ci_15063-1235.dll,1bbb0 +ci_16299-95.dll,1cd10 +ci_15063-296.dll,1bbb0 +ci_15063-968.dll,1bbb0 +ci_16299-15.dll,1cd10 +ci_15063-877.dll,1bbb0 +ci_16299-1565.dll,1dd10 +ci_16299-246.dll,1cd10 +ci_16299-1268.dll,1dd10 +ci_16299-246.dll,1cd10 +ci_16299-246.dll,1cd10 +ci_16299-432.dll,1cd10 +ci_16299-10000.dll,1cd10 +ci_16299-64.dll,1cd10 +ci_16299-371.dll,1cd10 +ci_17134-1.dll,1dcb0 +ci_17134-1098.dll,1dc98 +ci_16299-1087.dll,1cd10 +ci_17134-1067.dll,1dc98 +ci_17134-112.dll,1dcb0 +ci_17134-228.dll,1dc98 +ci_17134-2090.dll,1dc98 +ci_17134-1130.dll,1dc98 +ci_17134-285.dll,1dc98 +ci_17134-829.dll,1dc98 +ci_17134-441.dll,1dc98 +ci_17134-80.dll,1dcb0 +ci_17134-885.dll,1dc98 +ci_17134-1006.dll,1dc98 +ci_17134-858.dll,1dc98 +ci_17763-253.dll,36d18 
+ci_17134-950.dll,1dc98 +ci_17763-1131.dll,36d18 +ci_17763-1131.dll,36d18 +ci_17763-1007.dll,36d18 +ci_17763-1282.dll,36d18 +ci_17763-1554.dll,36d18 +ci_17763-1577.dll,36d18 +ci_17763-10458.dll,36d18 +ci_17763-1757.dll,36d18 +ci_17763-1971.dll,36d18 +ci_17763-2061.dll,36d18 +ci_17763-1790.dll,36d18 +ci_17763-2183.dll,36d18 +ci_17763-2090.dll,36d18 +ci_17763-2237.dll,36d18 +ci_17763-2510.dll,36d18 +ci_17763-2458.dll,36d18 +ci_17763-292.dll,36d18 +ci_17763-2330.dll,36d18 +ci_17763-2369.dll,36d18 +ci_17763-2989.dll,36d18 +ci_17763-2628.dll,36d18 +ci_17763-10877.dll,36d18 +ci_17763-3406.dll,36d18 +ci_17763-3165.dll,36d18 +ci_17763-3532.dll,36d58 +ci_17763-379.dll,36d18 +ci_17763-404.dll,36d18 +ci_17763-3650.dll,36d58 +ci_17763-592.dll,36d18 +ci_17763-557.dll,36d18 +ci_17763-615.dll,36d18 +ci_17763-55.dll,36d18 +ci_17763-719.dll,36d18 +ci_17763-802.dll,36d18 +ci_17763-678.dll,36d18 +ci_18362-53.dll,37278 +ci_18362-1171.dll,37278 +ci_18362-1556.dll,37278 +ci_18362-1593.dll,38278 +ci_18362-1020.dll,37278 +ci_18362-1171.dll,37278 +ci_18362-1734.dll,38278 +ci_18362-1049.dll,37278 +ci_18362-1801.dll,38278 +ci_18362-1854.dll,38278 +ci_18362-1679.dll,38278 +ci_18362-2337.dll,38278 +ci_18362-1027.dll,37278 +ci_18362-2039.dll,38278 +ci_18362-239.dll,37278 +ci_18362-10013.dll,37278 +ci_18362-295.dll,37278 +ci_18362-329.dll,37278 +ci_18362-387.dll,37278 +ci_18362-815.dll,37278 +ci_18362-592.dll,37278 +ci_18362-900.dll,37278 +ci_18362-1059.dll,37278 +ci_19041-208.dll,38378 +ci_19041-1157.dll,383d8 +ci_19041-1157.dll,383d8 +ci_19041-1023.dll,383d8 +ci_19041-1165.dll,383b8 +ci_19041-1165.dll,383d8 +ci_19041-1165.dll,383b8 +ci_19041-1288.dll,383b8 +ci_19041-1320.dll,383b8 +ci_19041-1371.dll,383b8 +ci_19041-1173.dll,383b8 +ci_19041-1526.dll,393b8 +ci_19041-1865.dll,393d8 +ci_19041-1826.dll,393b8 +ci_19041-1708.dll,393b8 +ci_19041-1645.dll,383b8 +ci_19041-1469.dll,383b8 +ci_19041-1682.dll,383b8 +ci_19041-2251.dll,3a438 +ci_19041-388.dll,38378 +ci_19041-488.dll,383b8 
+ci_19041-2311.dll,39418
+ci_19041-870.dll,383b8
+ci_19041-423.dll,383b8
+ci_19041-606.dll,383b8
+ci_22000-132.dll,3d004
+ci_19041-985.dll,383d8
+ci_22000-1219.dll,3d004
+ci_22000-318.dll,3d004
+ci_22000-1219.dll,3d004
+ci_22000-347.dll,3d004
+ci_22000-434.dll,3d004
+ci_22000-376.dll,3d004
+ci_22000-613.dll,3d004
+ci_22000-652.dll,3d004
+ci_22000-493.dll,3d004
+ci_22000-675.dll,3d004
+ci_22000-795.dll,3d004
+ci_22000-832.dll,3d004
+ci_22000-740.dll,3d004
+ci_22000-975.dll,3d004
+ci_22621-590.dll,41004
+ci_22621-608.dll,41004
+ci_22621-815.dll,41004
+ci_22621-675.dll,41004
+ci_19041-2075.dll,3a438
From a3966d34b3e9d4c5b551832f386bb002b3983e76 Mon Sep 17 00:00:00 2001
From: Viking
Date: Wed, 28 Dec 2022 17:08:06 +0100
Subject: [PATCH 3/4] Update CiOffsets.csv
---
 Offsets/CiOffsets.csv | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Offsets/CiOffsets.csv b/Offsets/CiOffsets.csv
index 3ae46db..a717e54 100644
--- a/Offsets/CiOffsets.csv
+++ b/Offsets/CiOffsets.csv
@@ -183,3 +183,4 @@ ci_22621-608.dll,41004
 ci_22621-815.dll,41004
 ci_22621-675.dll,41004
 ci_19041-2075.dll,3a438
+ci_19045-2364.dll,39418
From 5f82ba2efef5fab7ecf15802df23e99bda87f7fd Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Fri, 6 Oct 2023 10:31:26 +0200
Subject: [PATCH 4/4] ExtractOffsets.py: minor syntactic, cosmetic and safety changes
---
 Offsets/ExtractOffsets.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/Offsets/ExtractOffsets.py b/Offsets/ExtractOffsets.py
index 890579f..b0e7590 100644
--- a/Offsets/ExtractOffsets.py
+++ b/Offsets/ExtractOffsets.py
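Review bot: Several versions occur more than once in the new CiOffsets.csv, and one of them with different values: `ci_19041-1165.dll` is listed as `383b8`, `383d8` and `383b8` again, while `ci_16299-246.dll` (three times), `ci_17763-1131.dll`, `ci_18362-1171.dll`, `ci_19041-1157.dll` and `ci_22000-1219.dll` repeat with equal values. The row key appears to be the version-derived file name (`output_version` joins only the last two version fields in the first patch) while the download key is timestamp plus virtual size, so two distinct builds with the same version string collapse onto one name, and which of the conflicting `ci_19041-1165.dll` rows wins depends on whatever reads the table last. Conflicting duplicates should be resolved or dropped before the file is committed, and ideally the generator should refuse to append a key that already exists with a different value. The header `g_CiOptionsOffset` also names one column for two-field rows, unlike the `ntoskrnlVersion,…`/`wdigestVersion,…` headers ExtractOffsets.py writes for the other modes.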
@@ -14,8 +14,8 @@ import threading
 CSVLock = threading.Lock()
 machineType = dict(x86=332, x64=34404)
-knownImageVersions = dict(ntoskrnl=list(), wdigest=list(),ci=list())
-extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll",ci="dll")
+knownImageVersions = dict(ntoskrnl=list(), wdigest=list(), ci=list())
+extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll", ci="dll")
 def find(key, value):
 for k, v in value.items():
@@ -144,13 +144,14 @@ def extractOffsets(input_file, output_file, mode):
 # check image type (ntoskrnl, wdigest, etc.)
 r = run(["r2", "-c", "iE", "-qq", input_file], capture_output=True)
 for line in r.stdout.decode().splitlines():
+ line = line.lower()
 if "ntoskrnl.exe" in line:
 imageType = "ntoskrnl"
 break
 elif "wdigest.dll" in line:
 imageType = "wdigest"
 break
- elif "CI.dll" in line:
+ elif "ci.dll" in line:
 imageType = "ci"
 break
 else:
@@ -199,7 +200,7 @@ def extractOffsets(input_file, output_file, mode):
 ]
 elif imageType == "ci":
 symbols = [
- ("g_CiOptions",get_symbol_offset),
+ ("g_CiOptions",get_symbol_offset),
 ]
@@ -250,7 +251,7 @@ def loadOffsetsFromCSV(loadedVersions, CSVPath):
 if __name__ == '__main__':
 parser = argparse.ArgumentParser()
- parser.add_argument('mode', help='ntoskrnl or wdigest or ci. Mode to download and extract offsets for either ntoskrnl or wdigest or ci')
+ parser.add_argument('mode', help='"ntoskrnl", "wdigest" or "ci". Mode to download and extract offsets from either ntoskrnl.exe, wdigest.dll or ci.dll')
 parser.add_argument('-i', '--input', dest='input', required=True,
 help='Single file or directory containing ntoskrnl.exe / wdigest.dll / ci.dll to extract offsets from. If in download mode, the PE downloaded from MS symbols servers will be placed in this folder.')
 parser.add_argument('-o', '--output', dest='output',
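Review bot: After `line = line.lower()` the new test `elif "ci.dll" in line:` is still a substring match, so an export line whose library name merely ends in ci.dll — skci.dll, for example — is classified as `ci` and run against the ci symbol list. `elif re.search(r'\bci\.dll\b', line):` keeps the check order and the lowercasing but only accepts the whole token (`re` is not among the imports visible here, so it would need adding); alternatively compare the library field r2 prints rather than the whole line, if its column position is stable. The pre-existing `ntoskrnl.exe` and `wdigest.dll` tests have the same looseness, though those names are less likely to occur as suffixes of another module name. extractOffsets continues outside the hunk.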
@@ -261,7 +262,7 @@ if __name__ == '__main__':
 args = parser.parse_args()
 mode = args.mode.lower()
 if mode not in knownImageVersions:
- print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl" and "wdigest" and "ci"')
+ print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl", "wdigest" and "ci"')
 exit(1)
 # check R2 version