Crash Dump Analysis Patterns (Part 38)

Hooking functions with the trampoline method is very common on Windows, and sometimes we need to check Hooked Functions in specific modules and determine which module hooked them, for troubleshooting or memory forensic analysis. If the original, unhooked modules are available (via a symbol server, for example), this can be done with the !chkimg WinDbg extension command:

0:002> !chkimg -lo 50 -d !kernel32 -v
Searching for module with expression: !kernel32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\symdownstream\kernel32.dll\44C60F39102000\kernel32.dll
No range specified

Scanning section:    .text
Size: 564445
Range to scan: 77e41000-77ecacdd
    77e44004-77e44008  5 bytes - kernel32!GetDateFormatA
 [ 8b ff 55 8b ec:e9 f7 bf 08 c0 ]
    77e4412e-77e44132  5 bytes - kernel32!GetTimeFormatA (+0x12a)
 [ 8b ff 55 8b ec:e9 cd be 06 c0 ]
    77e4e857-77e4e85b  5 bytes - kernel32!FileTimeToLocalFileTime (+0xa729)
 [ 8b ff 55 8b ec:e9 a4 17 00 c0 ]
    77e56b5f-77e56b63  5 bytes - kernel32!GetTimeZoneInformation (+0x8308)
 [ 8b ff 55 8b ec:e9 9c 94 00 c0 ]
    77e579a9-77e579ad  5 bytes - kernel32!GetTimeFormatW (+0xe4a)
 [ 8b ff 55 8b ec:e9 52 86 06 c0 ]
    77e57fc8-77e57fcc  5 bytes - kernel32!GetDateFormatW (+0x61f)
 [ 8b ff 55 8b ec:e9 33 80 08 c0 ]
    77e6f32b-77e6f32f  5 bytes - kernel32!GetLocalTime (+0x17363)
 [ 8b ff 55 8b ec:e9 d0 0c 00 c0 ]
    77e6f891-77e6f895  5 bytes - kernel32!LocalFileTimeToFileTime (+0x566)
 [ 8b ff 55 8b ec:e9 6a 07 01 c0 ]
    77e83499-77e8349d  5 bytes - kernel32!SetLocalTime (+0x13c08)
 [ 8b ff 55 8b ec:e9 62 cb 00 c0 ]
    77e88c32-77e88c36  5 bytes - kernel32!SetTimeZoneInformation (+0x5799)
 [ 8b ff 55 8b ec:e9 c9 73 01 c0 ]
Total bytes compared: 564445(100%)
Number of errors: 50
50 errors : !kernel32 (77e44004-77e88c36)

0:002> u 77e44004
kernel32!GetDateFormatA:
77e44004 e9f7bf08c0      jmp     37ed0000
77e44009 81ec18020000    sub     esp,218h
77e4400f a148d1ec77      mov     eax,dword ptr [kernel32!__security_cookie (77ecd148)]
77e44014 53              push    ebx
77e44015 8b5d14          mov     ebx,dword ptr [ebp+14h]
77e44018 56              push    esi
77e44019 8b7518          mov     esi,dword ptr [ebp+18h]
77e4401c 57              push    edi

0:002> u 37ed0000
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for MyDateTimeHooks.dll -
37ed0000 e99b262f2d      jmp     MyDateTimeHooks+0x26a0 (651c26a0)
37ed0005 8bff            mov     edi,edi
37ed0007 55              push    ebp
37ed0008 8bec            mov     ebp,esp
37ed000a e9fa3ff73f      jmp     kernel32!GetDateFormatA+0x5 (77e44009)
37ed000f 0000            add     byte ptr [eax],al
37ed0011 0000            add     byte ptr [eax],al
37ed0013 0000            add     byte ptr [eax],al
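The two manual steps above (spot the 5-byte jmp written over the mov edi,edi / push ebp / mov ebp,esp prologue, then follow the jmp to the hooking module) can be scripted. The following Python helper is an added example, not part of the original post: it parses !chkimg -d output, decodes the E9 rel32 displacement relative to the next instruction, and reports the jump target; it also treats a 4-byte change inside a table such as KiServiceTable as a replaced pointer rather than code. The sample input is constructed from the page's own output.

```python
import re
import struct
# Constructed sample assembled from the page's own !chkimg -d output (32-bit images).
CHKIMG_OUTPUT = """\
    77e44004-77e44008  5 bytes - kernel32!GetDateFormatA
 [ 8b ff 55 8b ec:e9 f7 bf 08 c0 ]
    808345d0-808345d3  4 bytes - nt!KiServiceTable+440 (+0x10b4)
 [ 9c c2 8b 80:5c d7 f1 f4 ]
    8092d3ae-8092d3b4  7 bytes - nt!NtMapViewOfSection (+0x9ffe)
 [ 6a 38 68 b8 41 80 80:e9 de 64 d6 73 90 90 ]
    8094af32-8094af36  5 bytes - nt!NtCreateProcess (+0x192a2)
 [ 8b ff 55 8b ec:e9 32 89 d4 73 ]
"""

HEADER_RE = re.compile(r"^\s*([0-9a-f]{8})-[0-9a-f]{8}\s+(\d+) bytes - (\S+)")
BYTES_RE = re.compile(r"^\s*\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]")

def jmp_target(addr, patched):
    """E9 rel32: target = address of the next instruction + signed 32-bit displacement."""
    rel = struct.unpack("<i", bytes(patched[1:5]))[0]
    return (addr + 5 + rel) & 0xFFFFFFFF

def classify(addr, symbol, patched):
    """Tell an inline jmp trampoline from a swapped table pointer and resolve its target."""
    kind, target = "unknown-patch", None
    if len(patched) >= 5 and patched[0] == 0xE9:
        # Function prologue overwritten by a jmp; bytes beyond the fifth are NOP padding.
        kind, target = "jmp-hook", jmp_target(addr, patched)
    elif len(patched) == 4:
        # A 4-byte change inside a table such as KiServiceTable is a replaced pointer.
        kind, target = "pointer-patch", struct.unpack("<I", bytes(patched))[0]
    return {"symbol": symbol, "kind": kind, "target": target, "pad": max(len(patched) - 5, 0)}

def parse_chkimg(text):
    """Pair each '<range> N bytes - symbol' line with the '[ old:new ]' line below it."""
    results, lines = [], text.splitlines()
    for i in range(len(lines) - 1):
        h = HEADER_RE.match(lines[i])
        b = BYTES_RE.match(lines[i + 1]) if h else None
        if not b:
            continue
        addr, count, symbol = int(h.group(1), 16), int(h.group(2)), h.group(3)
        patched = [int(x, 16) for x in b.group(2).split()]
        if len(patched) == count:  # skip anything misparsed or truncated by !chkimg
            results.append(classify(addr, symbol, patched))
    return results

if __name__ == "__main__":
    for r in parse_chkimg(CHKIMG_OUTPUT):
        print(r["symbol"], r["kind"], hex(r["target"]) if r["target"] else "n/a")
```

Running it reproduces the targets the post reached by hand (37ed0000 for kernel32!GetDateFormatA, f4693869 for nt!NtCreateProcess), so the next step is simply `lm a <target>` or `u <target>` to name the hooking module.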

- Dmitry Vostokov @ DumpAnalysis.org -


3 Responses to “Crash Dump Analysis Patterns (Part 38)”

  1. Dmitry Vostokov Says:

    Example from the kernel:

    4: kd> !chkimg -lo 50 -d !nt
    8083351c-80833520 5 bytes - nt!NtYieldExecution
    [ 8b ff 55 8b ec:e9 5c 03 e6 73 ]
    808345d0-808345d3 4 bytes - nt!KiServiceTable+440 (+0x10b4)
    [ 9c c2 8b 80:5c d7 f1 f4 ]
    808eeb1e-808eeb22 5 bytes - nt!NtCreateFile
    [ 8b ff 55 8b ec:e9 1c 4d da 73 ]
    809233b0-809233b4 5 bytes - nt!NtUnmapViewOfSection (+0x34892)
    [ 8b ff 55 8b ec:e9 f2 04 d7 73 ]
    8092d3ae-8092d3b4 7 bytes - nt!NtMapViewOfSection (+0x9ffe)
    [ 6a 38 68 b8 41 80 80:e9 de 64 d6 73 90 90 ]
    80931c90-80931c96 7 bytes - nt!NtProtectVirtualMemory (+0x48e2)
    [ 6a 44 68 d8 43 80 80:e9 be 1b d6 73 90 90 ]
    8094af32-8094af36 5 bytes - nt!NtCreateProcess (+0×192a2)
    [ 8b ff 55 8b ec:e9 32 89 d4 73 ]
    8094c714-8094c718 5 bytes - nt!NtTerminateProcess (+0×17e2)
    [ 8b ff 55 8b ec:e9 12 71 d4 73 ]
    43 errors : !nt (8083351c-8094c718)

    4: kd> u 8094af32
    nt!NtCreateProcess:
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for 3rdPartyAVDriver.sys -
    8094af32 e93289d473 jmp 3rdPartyAVDriver+0x13869 (f4693869)
    8094af37 33c0 xor eax,eax
    8094af39 f6451c01 test byte ptr [ebp+1Ch],1
    8094af3d 7401 je nt!NtCreateProcess+0xe (8094af40)
    8094af3f 40 inc eax
    8094af40 f6452001 test byte ptr [ebp+20h],1
    8094af44 7403 je nt!NtCreateProcess+0x17 (8094af49)
    8094af46 83c802 or eax,2

  2. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 66) Says:

    […] specific component that is known to patch the process import table. Applying techniques outlined in Hooked Functions pattern we notice two different 3rd-party components that patched two different modules (kernel 32 […]

  3. Crash Dump Analysis » Blog Archive » Hooksware Says:

    […] - Hooked Functions  […]
