wtf
wtf copied to clipboard
0vercl0k
Harnessing w/ file-system hooks
After solving the 0vercl0k/wtf#101, I made a harness and tried fuzzing.
However, in each test case, it did not reach the address I intended.
Test Environment
- Host: VMware
- Windows 10 Pro 21H2 (OS build 19044.1706)
- Memory 8GB, Processors 4
- Guest: Hyper-V in VMware
- Windows 10 Pro 21H2 (OS build 19044.1288)
- Hyper-V generation 1
- Memory 4GB, Processors 1
- Disabled KVA shadow via
disable-kva.cmd - Disabled paging file via sysdm.cpl
- WinDbg (X64)
- KDNET
- Targeting 32bit binary
Attachment
- Target dll file, and exe file which loads it (+some other files): target.zip
-
mem.dmp®s.json: dump - inputs: inputs.zip
Issue
These are commands I used for wtf.
# Starting a server node
..\..\src\build\wtf.exe master --name abc --max_len=80000 --runs=10000000 --target .
# Fuzzing nodes
..\..\src\build\wtf.exe fuzz --name abc --backend=bochscpu --limit 10000000
# Running a test-case
..\..\src\build\wtf.exe run --name abc --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Below steps were used to generate the dump.
kd> !gflag +ksl
kd> sxe ld xlsxrw.dll
kd> g
Make et.exe loads xlsxrw.dll through user interaction. (=double click wtf_input.xlsx)
kd> bp xlsxrw+12aec2
kd> g
32.kd:x86> .scriptload C:\Users\user\Desktop\tools\bdump\bdump.js
32.kd:x86> !wow64exts.sw
32.kd> !bdump_full "C:\\Users\\user\\Downloads\\dump"
And this is the harness.
#include "backend.h"
#include "crash_detection_umode.h"
#include "fshandle_table.h"
#include "fshooks.h"
#include "targets.h"
#include <fmt/format.h>
namespace Abc {
constexpr bool LoggingOn = true;
template <typename... Args_t>
void DebugPrint(const char *Format, const Args_t &...args) {
if constexpr (LoggingOn) {
fmt::print("Abc: ");
fmt::print(fmt::runtime(Format), args...);
}
}
bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
g_FsHandleTable.MapExistingGuestFile(
uR"(\??\C:\Users\user\Desktop\wtf_input.xlsx)", Buffer, BufferSize);
return true;
}
bool Init(const Options_t &Opts, const CpuState_t &State) {
//
// Stop the test-case once we return back from the call [sub_100B1010]
//
// ...
// .text:1012AEBF lea ecx, [ebp+var_1C]
// .text:1012AEC2 call sub_100B1010
// .text:1012AEC7 mov edi, eax
// ...
//
const Gva_t Rip = Gva_t(g_Backend->Rip());
const Gva_t AfterCall = Rip + Gva_t(5);
if (!g_Backend->SetBreakpoint(AfterCall, [](Backend_t *Backend) {
DebugPrint("Back from sub_100B1010!\n");
Backend->Stop(Ok_t());
})) {
fmt::print("Failed to SetBreakpoint AfterCall\n");
return false;
}
if (!SetupFilesystemHooks()) {
fmt::print("Failed to SetupFilesystemHooks\n");
return false;
}
if (!SetupUsermodeCrashDetectionHooks()) {
fmt::print("Failed to SetupUsermodeCrashDetectionHooks\n");
return false;
}
return true;
}
Target_t Abc("abc", Init, InsertTestcase);
}
1st Try
> ..\..\src\build\wtf.exe run --name abc --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5)
fs: Unrecognized file handle.
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
fs: Unrecognized file handle.
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x9a7d2f8, Length=0x18, FileInformationClass=0x5)
fs: Unrecognized file handle.
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x3 (FILE_SHARE_READ | FILE_SHARE_WRITE), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffd for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryAttributesFile(ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\Temp\), FileInformation=0x466e3a8)
fs: Unknown file.
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
--------------------------------------------------
Run stats:
Instructions executed: 821563 (61510 unique)
Dirty pages: 1482752 bytes (0 MB)
Memory accesses: 2435116 bytes (0 MB)
#1 cov: 61510 exec/s: 0.2 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 4.0s
It did not reach DebugPrint("Back from sub_100B1010!\n");.
When I loaded aggregate.cov as a result of fuzzing through Lighthouse, I could see that the execution was stopped at SpreadsheetDocument::Open(wchar_t const *)(presumed to be related to file-system operations).
2nd Try
After reading the wtf code a little, I changed one line of code of handle_table.h as below.
- static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+ static const uint64_t LastGuestHandle = 0xfffffffffffffffeULL;
> ..\..\src\build\wtf.exe run --name abc --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0xfffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5)
filestream: FileStandardInformation(AllocationSize=0x3000, EndOfFile=0x2180).
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
filestream: FilePositionInformation.
filestream: Moving cursor to offset 0x0.
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x9a7d2f8, Length=0x18, FileInformationClass=0x5)
filestream: FileStandardInformation(AllocationSize=0x3000, EndOfFile=0x2180).
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
filestream: FilePositionInformation.
filestream: Moving cursor to offset 0x180.
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
filestream: FilePositionInformation.
filestream: Moving cursor to offset 0x0.
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x3 (FILE_SHARE_READ | FILE_SHARE_WRITE), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0xfffffffffffffffd for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryAttributesFile(ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\Temp\), FileInformation=0x466e3a8)
fs: Unknown file.
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
--------------------------------------------------
Run stats:
Instructions executed: 905056 (61554 unique)
Dirty pages: 1486848 bytes (0 MB)
Memory accesses: 2457468 bytes (0 MB)
#1 cov: 61554 exec/s: 1.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 1.0s
Again, it did not reach DebugPrint("Back from sub_100B1010!\n");.
And result of the Lighthouse haven't changed.
Hello, How about running the target with the process monitor? It is helpful to check if any library is loaded or if any accessing the registry key exists. Some windows library functions access the registry key internally. In my case, they are the most likely cause of failure. And if your problem is the former when the target is running in GUI, you can solve the library loading problem by dumping the second file open (all libraries are loaded as the first file is opened).
@donghyunlee00,
apologies I completely missed / forgot this issue - let me try to investigate / get back to you about this this weekend :) I originally developed the filesystem hooks to fuzz IDA and that part of the code hasn't been tested extensively in different conditions (just mine).
Cheers
On Thu, Jun 23, 2022 at 3:45 AM chan hee Park @.***> wrote:
Hello, How about running the target with the process monitor? It is helpful to check if any library is loaded or if any accessing the registry key exists. Some windows library functions access the registry key internally. In my case, they are the most likely cause of failure. And if your problem is the former when the target is running in GUI, you can solve the library loading problem by dumping the second file open (all libraries are loaded as the first file is opened).
โ Reply to this email directly, view it on GitHub https://github.com/0vercl0k/wtf/issues/106#issuecomment-1164256058, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALIORKPCQ6XZJ4Z66I6KLLVQQ53BANCNFSM5YWPEBAA . You are receiving this because you are subscribed to this thread.Message ID: @.***>
After long time of analysing Lighthouse and Tenet(infinite scrolling..), I found that the target program (which is 32bit-program) didn't invoke ntdll!NtReadFile. So I added some codes to hook KERNEL32!ReadFile directly.
I added the following codes to fskooks.cc.
if (!g_Backend->SetBreakpoint("KERNEL32!ReadFile", [](Backend_t *Backend) {
// BOOL ReadFile(
// [in] HANDLE hFile,
// [out] LPVOID lpBuffer,
// [in] DWORD nNumberOfBytesToRead,
// [out, optional] LPDWORD lpNumberOfBytesRead,
// [in, out, optional] LPOVERLAPPED lpOverlapped
// );
const Gva_t Rsp = Gva_t(Backend->Rsp());
Gva_t ArgPtr = Rsp + Gva_t(4 + (0 * 4));
const HANDLE hFile = HANDLE(uint64_t(Backend->VirtRead4(ArgPtr)));
const HANDLE hFile64 = HANDLE(uint64_t(int32_t(Backend->VirtRead4(ArgPtr))));
ArgPtr = Rsp + Gva_t(4 + (1 * 4));
const Gva_t GuestlpBuffer = Gva_t(Backend->VirtRead4(ArgPtr));
ArgPtr = Rsp + Gva_t(4 + (2 * 4));
const uint32_t nNumberOfBytesToRead = Backend->VirtRead4(ArgPtr);
ArgPtr = Rsp + Gva_t(4 + (3 * 4));
const Gva_t GuestlpNumberOfBytesRead = Gva_t(Backend->VirtRead4(ArgPtr));
ArgPtr = Rsp + Gva_t(4 + (4 * 4));
const uint32_t lpOverlapped = Backend->VirtRead4(ArgPtr);
FsDebugPrint(
"KERNEL32!ReadFile(hFile={}, lpBuffer={:#x}, "
"nNumberOfBytesToRead={:#x}, lpNumberOfBytesRead={:#x}, lpOverlapped={:#x})\n",
fmt::ptr(hFile), GuestlpBuffer,
nNumberOfBytesToRead, GuestlpNumberOfBytesRead, lpOverlapped);
//
// If we don't know this handle, let's bail.
//
if (!g_FsHandleTable.Known(hFile64)) {
FsDebugPrint("Unrecognized file handle.\n");
return;
}
//
// Ensure that the GuestBuffer is faulted-in memory.
//
if (GuestlpBuffer &&
Backend->PageFaultsMemoryIfNeeded(GuestlpBuffer, nNumberOfBytesToRead)) {
return;
}
//
// Grab the host stream.
//
GuestFile_t *GuestFile = g_FsHandleTable.GetGuestFile(hFile64);
//
// Read the lpOverlapped parameter if specified.
//
if (lpOverlapped) {
fmt::print("Need to implement lpOverlapped?\n");
__debugbreak();
ExitProcess(0);
}
//
// Allocate memory for the buffer.
//
auto HostlpBuffer = std::make_unique<uint8_t[]>(nNumberOfBytesToRead);
//
// Invoke the syscall.
//
uint32_t HostlpNumberOfBytesRead;
const bool SyscallSuccess = GuestFile->ReadFile(
HostlpNumberOfBytesRead, HostlpBuffer.get(), nNumberOfBytesToRead);
//
// If it failed, we want to know.
//
if (!SyscallSuccess) {
fmt::print("KERNEL32!ReadFile failed?\n");
__debugbreak();
}
//
// Write back the buffer as well as the lpNumberOfBytesRead.
//
Backend->VirtWriteDirty(GuestlpBuffer, HostlpBuffer.get(),
HostlpNumberOfBytesRead);
Backend->VirtWriteStructDirty(GuestlpNumberOfBytesRead,
&HostlpNumberOfBytesRead);
Backend->SimulateReturnFrom32bitFunction(true, 5);
return;
})) {
return false;
}
I added following code to guestfile.h.
bool ReadFile(uint32_t &HostlpNumberOfBytesRead, uint8_t *lpBuffer,
const uint32_t nNumberOfBytesToRead) {
if (BufferStart_ == nullptr) {
FileStreamDebugPrint("Cannot read on file with empty stream.\n");
return false;
}
const uint64_t MaxRead = BufferEnd_ - Current_;
uint32_t Size2Read = std::min(uint32_t(MaxRead), nNumberOfBytesToRead);
if (Current_ > BufferEnd_) {
Size2Read = 0;
} else {
memcpy(lpBuffer, Current_, Size2Read);
FileStreamDebugPrint("Reading {:#x} ({:#x} asked)\n", Size2Read, nNumberOfBytesToRead);
#ifdef FILESTREAM_SNOOP_READS
Hexdump(0, Current_, Size2Read);
#endif
Current_ += Size2Read;
}
//
// Populate the lpNumberOfBytesRead.
//
HostlpNumberOfBytesRead = Size2Read;
return true;
}
Then, I ran the fuzzer again, and the problem related to ntdll!NtReadFile seemed to have been solved, but it stopped running due to an error. (Thus, the file size of aggregate.cov was 0 KB and the outputs directory was empty.)
This attachment(edited 220628) is Lighthouse log and Tenet log for the code before I added KERNEL32!ReadFile hook.
I found that nt!KiPageFault is called (not ntdll!NtReadFile) when KERNEL32!ReadFile is invoked.
-
KERNEL32!ReadFile->KERNELBASE!ReadFile->nt!KiPageFault
...
rip=0x779f1b88
rip=0x779f1b8a
rip=0x779f1b90,mw=0x9bdf864:00000000
rbx=0xfffffffe,rip=0x779f1b93,mr=0x9bdf84c:FEFFFFFF
(KERNELBASE!ReadFile+0x56) rip=0x779f1b96
(nt!KiPageFault) rsp=0xfffffd8202876c60,rip=0xfffff80718e05b00,mr=0xfffff8071ef620e0:005B1000008EE018,mr=0xfffff8071ef620e8:07F8FFFF00000000,mr=0xfffff8071ef64fc0:00000000009B2000,mr=0xfffff8071ef63004:906C870282FDFFFF,mw=0xfffffd8202876c88:2B00000000000000,mw=0xfffffd8202876c80:0CF8BD0900000000,mw=0xfffffd8202876c78:0602010000000000,mw=0xfffffd8202876c70:2300000000000000,mw=0xfffffd8202876c68:195DA27700000000,mw=0xfffffd8202876c60:1400000000000000
rsp=0xfffffd8202876c58,rip=0xfffff80718e05b01,mw=0xfffffd8202876c58:44F8BD0900000000
rsp=0xfffffd8202876b00,rip=0xfffff80718e05b08
rbp=0xfffffd8202876b80,rip=0xfffff80718e05b10
rip=0xfffff80718e05b14,mw=0xfffffd8202876b2b:01
...
Hi.
As you can see in here, WTF's server node save testcase only if it finds new coverage. And if your testcase didn't find new coverage after mutation phase, fuzzer will abort on here.
So, you have to analyze your target application to find any sanitize routine or something like that which prevent fuzzer's data flow goes to real data process procedure, OR define your own custom mutator like this if you think your target needs structure-awareness or havoc mutation.
P.S. I suggest you to provide symbolized execution trace using symbolizer next time if you need more precise help.
@y0ny0ns0n, thank you for your clear explanation. I should try to define my own custom mutator.
But yet, any idea about nt!KiPageFault(not ntdll!NtReadFile) being called for KERNEL32!ReadFile?
Let's try to read KERNELBASE!ReadFile function first. It looks like jnb instruction( jmp to kernelbase!ReadFile+30b4c if true ). I suspect kernelbase!ReadFile+30b4c is not mapped, because I encountered similar issue when I tried to fuzz win32k component( https://github.com/0vercl0k/wtf/issues/21 ).
You mean, KERNELBASE!ReadFile+0x341d9?
I already disabled pagefile as in #21,
I have no idea why KERNELBASE!ReadFile+0x341d9 is not mapped..
Is there currently any method to map the entire KERNELBASE!ReadFile? @0vercl0k
@donghyunlee00 I personally use lockmem before grabbing a dump - I haven't tried disabling the pagefile myself but I would expect that to work, so that's odd ๐ฎ
I also apologies I haven't forgot about this issue, I just haven't a chance to have a closer look, but I will ๐
Thanks @y0ny0ns0n / @ch4rli3kop for helping out ๐๐ฝ
Cheers
I made two attempts,
- lockmem
- Increase memory 4GB -> 5GB
and KERNELBASE!ReadFile was dumped normally (which was not when just disabling the pagefile -> idk why yet,)
However, ntdll!NtReadFile is still not hooked, even though KERNEL32!ReadFile was called.
So I meticulously followed the function call flow again, to create call stacks (manually).
Then I found a difference between ReadFile and others such as CreateFile and OpenFile.
| Call Stack for ReadFile | Call Stack for CreateFile | Call Stack for OpenFile |
|---|---|---|
nt!NtReadFilent!KiSystemServiceCopyEndnt!KiSystemServiceCopyStart+0x48nt!KiSystemServiceGdiTebAccess+0x49nt!KiSystemServiceRepeatnt!KiSystemServiceStartnt!KiSystemServiceUsernt!KiSystemCall64wow64cpu!CpupSyscallStubwow64cpu!ReadWriteFileFaultwow64cpu!ReadWriteFilewow64cpu!TurboDispatchJumpAddressStartwow64cpu!CpupReturnFromSimulatedCodewow64cpu!KiFastSystemCallntdll_77440000!Wow64SystemServiceCallntdll_77440000!NtReadFileKERNELBASE!ReadFileKERNEL32!ReadFile |
ntdll!NtCreateFilewow64!whNtCreateFilewow64!Wow64SystemServiceExwow64cpu!ServiceNoTurbowow64cpu!TurboDispatchJumpAddressStartwow64cpu!CpupReturnFromSimulatedCodewow64cpu!KiFastSystemCallntdll_77440000!Wow64SystemServiceCallntdll_77440000!NtCreateFileKERNELBASE!CreateFileInternalKERNELBASE!CreateFileKERNEL32!CreateFileW |
nt!NtOpenFilent!KiSystemServiceCopyEndnt!KiSystemServiceCopyStart+0x60nt!KiSystemServiceGdiTebAccess+0x49nt!KiSystemServiceRepeatnt!KiSystemServiceStartnt!KiSystemServiceUsernt!KiSystemCall64ntdll!NtOpenFilewow64!whNtOpenFilewow64!Wow64SystemServiceExwow64cpu!ServiceNoTurbowow64cpu!TurboDispatchJumpAddressStartwow64cpu!CpupReturnFromSimulatedCodewow64cpu!KiFastSystemCallntdll_77440000!Wow64SystemServiceCallntdll_77440000!NtOpenFileKERNELBASE!FindFirstFileExWKERNELBASE!FindFirstFileWKERNEL32!GetLongPathNameW |
CreateFile and OpenFile call wow64cpu!ServiceNoTurbo, wow64!Wow64SystemServiceEx after wow64cpu!TurboDispatchJumpAddressStart, and finally ntdll!NtCreateFile and ntdll!NtOpenFile, respectively.
ReadFile, on the other hand, calls wow64cpu!ReadWriteFile after wow64cpu!TurboDispatchJumpAddressStart, and calls nt!KiSystemCall64 directly without ntdll!NtReadFile.
I think that if the branch in the photo above had progressed to the left, it would have been possible to finally call ntdll!NtReadFile with the same flow as CreateFile or OpenFile while passing through wow64!Wow64SystemServiceEx instead of wow64cpu!ReadWriteFileFault...(?)
This is the tenet, cov, rip logs corresponding to the current comment.
And this is mem.dmp and regs.json. (-> uploaded 220711)
BTW, @y0ny0ns0n, did your target 32bit-program do a file read and ntdll!NtReadFile was hooked normally when fuzzing?
I usually just use other fuzz tools for file based fuzzing( for various reason ), so I never seen these kinds of issue.
But I think some ntapi functions switched to 64bit mode directly in wow64cpu!ServiceNoTurbo and the others are not( maybe WIP feature or any other reasons? ). Maybe you can write 32bit version of fshooks.cc or just hook KERNELASE!ReadFile instead ntdll one.
Okay @donghyunlee00 I started to look at your issue; thanks for the detailed report it helps a lot to understand what could be wrong.
Let me give you an idea of how the fshook subsystem works. Basically wtf tries to implement filesystem accesses by emulating them. Because the NT filesystem layers uses handle, wtf also needs to know which handle it needs to emulate or the ones it shouldn't emulate. It also was made to be able to handle the case where a file is getting opened (no handle created by the kernel yet) in which case wtf returns a 'fake handle' starting from the maximum value decrementing.
HANDLE AllocateGuestHandle() {
HANDLE GuestHandle = nullptr;
while (1) {
GuestHandle = HANDLE(LatestGuestHandle_);
const uint32_t LowerDword = uint32_t(LatestGuestHandle_);
LatestGuestHandle_--;
if (PseudoHandles_.contains(LowerDword) ||
ReservedHandles_.contains(GuestHandle)) {
continue;
}
break;
}
return GuestHandle;
}
This works this way to avoid clashing with maybe already opened handle by the target. The other case is if the kernel already created a handle, you can tell wtf to associate a handle to a file and hook those as well. This means that you should revert the following diff you made as it's not gonna help you:
- static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+ static const uint64_t LastGuestHandle = 0xfffffffffffffffeULL;
Let's now start by checking out your first trace:
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5)
fs: Unrecognized file handle.
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
fs: Unrecognized file handle.
You can see several things:
- The
fshookssuccessfully hookedNtCreateFileand it is sees that the target is trying to open\??\C:\Users\user\Desktop\wtf_input.xlsxwhich it knows it needs to hook. It needs to create an artificial handle and according to the log it returned0x7ffffffffffffffewhich makes sense. So far so good. - Then you have
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5). This is also ok; it means that there is an access made to a file that have already been opened before you took the snapshot. It also looks like this might be a pseudo handle (fake handle, likeGetCurrentProcess()for process). You could even check what this handle is by using!handlein your dump:
32.kd:x86> !wow64exts.sw
The context is partially valid. Only x86 user-mode context is available.
Switched to Host mode
32.kd> !handle 0xfffffffffffffffe
PROCESS ffffab8f71988340
SessionId: 1 Cid: 1558 Peb: 00f8c000 ParentCid: 1fd0
DirBase: 27969000 ObjectTable: ffffd78cb395f500 HandleCount: 591.
Image: et.exe
Kernel handle table at ffffd78ca6832c40 with 2567 entries in use
Invalid Handle: 0x7ffffffe
So basically, this is probably a special handle (pseudo-handle) but I am not sure what it is.
Also you can see the below which makes sense - the fshooks subsystem doesn't know about the handle so it will not emulate; it'll just let the kernel handle it:
fs: Unrecognized file handle.
What I'd expect to see is a file access that is being done with the handle 0x7ffffffffffffffe in which case the fshooks layer would emulate whatever API call.
Does this make more sense? I'll look some more at your traces and whatnot to see if I can help more on the Wow64 front.
Cheers
@0vercl0k thanks for looking at:)
With reference to this doc, I made a 32-bit program that does a simple ReadFile to verify what you said.
Code
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#define BUFFERSIZE 5
DWORD g_BytesTransferred = 0;
void DisplayError(LPTSTR lpszFunction);
VOID CALLBACK FileIOCompletionRoutine(
__in DWORD dwErrorCode,
__in DWORD dwNumberOfBytesTransfered,
__in LPOVERLAPPED lpOverlapped
);
VOID CALLBACK FileIOCompletionRoutine(
__in DWORD dwErrorCode,
__in DWORD dwNumberOfBytesTransfered,
__in LPOVERLAPPED lpOverlapped)
{
_tprintf(TEXT("Error code:\t%x\n"), dwErrorCode);
_tprintf(TEXT("Number of bytes:\t%x\n"), dwNumberOfBytesTransfered);
g_BytesTransferred = dwNumberOfBytesTransfered;
}
//
// Note: this simplified sample assumes the file to read is an ANSI text file
// only for the purposes of output to the screen. CreateFile and ReadFile
// do not use parameters to differentiate between text and binary file types.
//
int __cdecl _tmain(int argc, TCHAR* argv[])
{
HANDLE hFile;
DWORD dwBytesRead = 0;
char ReadBuffer[BUFFERSIZE] = { 0 };
OVERLAPPED ol = { 0 };
printf("\n");
if (argc != 2)
{
printf("Usage Error: Incorrect number of arguments\n\n");
_tprintf(TEXT("Usage:\n\t%s <text_file_name>\n"), argv[0]);
return 0;
}
int tmp;
scanf("%d", &tmp);
hFile = CreateFile(argv[1], // file to open
GENERIC_READ, // open for reading
FILE_SHARE_READ, // share for reading
NULL, // default security
OPEN_EXISTING, // existing file only
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, // normal file
NULL); // no attr. template
if (hFile == INVALID_HANDLE_VALUE)
{
DisplayError(const_cast<LPTSTR>(TEXT("CreateFile")));
_tprintf(TEXT("Terminal failure: unable to open file \"%s\" for read.\n"), argv[1]);
return 0;
}
// Read one character less than the buffer size to save room for
// the terminating NULL character.
if (FALSE == ReadFileEx(hFile, ReadBuffer, BUFFERSIZE - 1, &ol, FileIOCompletionRoutine))
{
DisplayError(const_cast<LPTSTR>(TEXT("ReadFile")));
printf("Terminal failure: Unable to read from file.\n GetLastError=%08x\n", GetLastError());
CloseHandle(hFile);
return 0;
}
SleepEx(5000, TRUE);
dwBytesRead = g_BytesTransferred;
// This is the section of code that assumes the file is ANSI text.
// Modify this block for other data types if needed.
if (dwBytesRead > 0 && dwBytesRead <= BUFFERSIZE - 1)
{
ReadBuffer[dwBytesRead] = '\0'; // NULL character
_tprintf(TEXT("Data read from %s (%d bytes): \n"), argv[1], dwBytesRead);
printf("%s\n", ReadBuffer);
}
else if (dwBytesRead == 0)
{
_tprintf(TEXT("No data read from file %s\n"), argv[1]);
}
else
{
printf("\n ** Unexpected value for dwBytesRead ** \n");
}
// It is always good practice to close the open file handles even though
// the app will exit here and clean up open handles anyway.
CloseHandle(hFile);
}
void DisplayError(LPTSTR lpszFunction)
// Routine Description:
// Retrieve and output the system error message for the last-error code
{
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&lpMsgBuf,
0,
NULL);
lpDisplayBuf =
(LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf)
+ lstrlen((LPCTSTR)lpszFunction)
+ 40) // account for format string
* sizeof(TCHAR));
if (FAILED(StringCchPrintf((LPTSTR)lpDisplayBuf,
LocalSize(lpDisplayBuf) / sizeof(TCHAR),
TEXT("%s failed with error code %d as follows:\n%s"),
lpszFunction,
dw,
lpMsgBuf)))
{
printf("FATAL ERROR: Unable to output error code.\n");
}
_tprintf(TEXT("ERROR: %s\n"), (LPCTSTR)lpDisplayBuf);
LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
}
Harness
#include "backend.h"
#include "crash_detection_umode.h"
#include "fshandle_table.h"
#include "fshooks.h"
#include "targets.h"
#include <fmt/format.h>
namespace ReadFileTest {
constexpr bool LoggingOn = true;
template <typename... Args_t>
void DebugPrint(const char *Format, const Args_t &...args) {
if constexpr (LoggingOn) {
fmt::print("readfile_test: ");
fmt::print(fmt::runtime(Format), args...);
}
}
bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
g_FsHandleTable.MapExistingGuestFile(
uR"(\??\C:\Users\user\Desktop\wtf_input.xlsx)", Buffer, BufferSize);
return true;
}
bool Init(const Options_t &Opts, const CpuState_t &State) {
// .text:004011E9 push 80000000h ; dwDesiredAccess
// .text:004011EE push dword ptr [esi+4] ; lpFileName --> Rip
// .text:004011F1 call ds:__imp__CreateFileW@28 ; CreateFileW(x,x,x,x,x,x,x)
// ...
// .text:004012E4 pop ebp
// .text:004012E5 retn --> AfterCalls
const Gva_t Rip = Gva_t(g_Backend->Rip());
const Gva_t AfterCalls = Rip + Gva_t(0xf7); // 0x004012E5 - 0x004011EE = 0xf7
if (!g_Backend->SetBreakpoint(AfterCalls, [](Backend_t *Backend) {
DebugPrint("Back!\n");
Backend->Stop(Ok_t());
})) {
fmt::print("Failed to SetBreakpoint AfterCalls\n");
return false;
}
if (!SetupFilesystemHooks()) {
fmt::print("Failed to SetupFilesystemHooks\n");
return false;
}
if (!SetupUsermodeCrashDetectionHooks()) {
fmt::print("Failed to SetupUsermodeCrashDetectionHooks\n");
return false;
}
return true;
}
Target_t ReadFileTest("readfile_test", Init, InsertTestcase);
}
The fuzz result was as below.
>..\..\src\build\wtf.exe run --name readfile_test --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x56e1b0, DesiredAccess=0x80100080, ObjectAttributes=0x56ea80 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x56e1c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x40 (FILE_NON_DIRECTORY_FILE), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtReadFile(FileHandle=0xfffffffffffffffe, Event=0x0, ApcRoutine=0xfffffffe25ba4480, ApcContext=0x891130, IoStatusBlock=0x56e1f0, Buffer=0x99fc10, Length=0x4, ByteOffset=0x99fbc8, Key=0x0)
fs: Unrecognized file handle.
--------------------------------------------------
Run stats:
Instructions executed: 133116 (20903 unique)
Dirty pages: 454656 bytes (0 MB)
Memory accesses: 330369 bytes (0 MB)
#1 cov: 20903 exec/s: 0.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 21.0s
The result after applying diff was as follows.
- static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+ static const uint64_t LastGuestHandle = 0xfffffffffffffffeULL;
>..\..\src\build\wtf.exe run --name readfile_test --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x56e1b0, DesiredAccess=0x80100080, ObjectAttributes=0x56ea80 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x56e1c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x40 (FILE_NON_DIRECTORY_FILE), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0xfffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtReadFile(FileHandle=0xfffffffffffffffe, Event=0x0, ApcRoutine=0xfffffffe25ba4480, ApcContext=0x891130, IoStatusBlock=0x56e1f0, Buffer=0x99fc10, Length=0x4, ByteOffset=0x99fbc8, Key=0x0)
Need to implement ByteOffset?
The program is so simple, and CreateFile and ReadFile must handle the same file in order.
This is the program and this is dump.
By the way, why did you use ntdll instead of the nt for fshook? @0vercl0k
Okay, this is an amazing testcase; let me look at this tomorrow! Also, I
can't quite remember why I picked ntdll and not nt ๐คI think it'd work
the same way!
Cheers
On Mon, Jul 11, 2022 at 8:04 PM Donghyun Lee @.***> wrote:
By the way, why did you use ntdll instead of the nt for fshook? @0vercl0k https://github.com/0vercl0k
โ Reply to this email directly, view it on GitHub https://github.com/0vercl0k/wtf/issues/106#issuecomment-1181261318, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALIORO2NWJ2NVIN72WWP2TVTTODZANCNFSM5YWPEBAA . You are receiving this because you were mentioned.Message ID: @.***>
Oh I think this is the clue,,,
- static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+ static const uint64_t LastGuestHandle = 0x7ffffffeULL;
I applied the above diff and hooked nt!NtReadFile instead of ntdll!NtReadFile.
(The dump I used is same as I used in https://github.com/0vercl0k/wtf/issues/106#issuecomment-1172164605.)
Fuzz Result
>..\..\src\build\wtf.exe run --name wps --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0xcdde6e0, DesiredAccess=0x80100080, ObjectAttributes=0xcddefb0 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0xcdde6f8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefc0, Length=0x18, FileInformationClass=0x5)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf1727c8, Length=0x8, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xde2d5c0, Length=0x18, FileInformationClass=0x5)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2d688, Length=0x2016, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xde2f640, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf32fde8, Length=0x16, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3578, Length=0x13, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf1727c8, Length=0x6, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566d00, Length=0xb, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566bc8, Length=0x9, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566ad8, Length=0x10, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3578, Length=0x11, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3338, Length=0x13, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf1727a8, Length=0x3, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566b68, Length=0x9, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc556638, Length=0x1a, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3418, Length=0x14, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566b38, Length=0xd, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566d60, Length=0x9, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3418, Length=0x13, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566b08, Length=0xf, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566bc8, Length=0xe, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3458, Length=0x18, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f870, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc5d407d, Length=0x167, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f874, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc5d407d, Length=0xff, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f808, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc5d407d, Length=0xed, ByteOffset=0x0, Key=0x0)
--------------------------------------------------
Run stats:
Instructions executed: 2929481 (55741 unique)
Dirty pages: 1474560 bytes (0 MB)
Memory accesses: 5626078 bytes (0 MB)
#1 cov: 55741 exec/s: 1.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 1.0s
Progress has been made compared to the beginning(when I opened this issue), but the fuzzing has been stopped elsewhere.
The target program pushes 0x578fb488(which points the string) to the stack and soon accesses the address(0x578fb488).
However, as I checked with WinDbg, there is nothing in 0x578fb488. -> Incomplete dump?
Push 0x578fb488 before kso!WStr::WStr call.
Access 0x578fb488 in kso!WStr::WStr.
OK I understand the issue and why your patch seems to work ๐
The mistake I made is to forget you are dealing with a 32-bit application and that when the fshooks breakpoints get hit you are still running in 32-bit mode. This means that the size of the arguments is different than what the code is expecting.
One issue it creates is that when it generates a 64-bit handle 0x7f'ff'ff'ff'ff'ff'ff'fe it also writes a 64-bit handle into a 32-bit slot. This means we actually are overwriting the adjacent 32-bit (overflow) and we are also writing only the lower 32-bit of the handle value into the output handle. This means that the program will pass ff'ff'ff'ffe to NtReadFile and this gets sign extended by the fmt::print call to 0xff'ff'ff'ff'ff'ff'ff'fe which is why your patch seems to work. The truth is that it gets lucky and work on this case but will create more issues in the future.
To verify the above I've made the following quick fix:
static const uint64_t LastGuestHandle = 0x7ffffffeULL;
And it 'works' as expected:
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(1807)
fs: ntdll!NtCreateFile(FileHandle=0x56e1b0, DesiredAccess=0x80100080, ObjectAttributes=0x56ea80 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x56e1c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x40 (FILE_NON_DIRECTORY_FILE), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0xfffffffe25ba4480, ApcContext=0x891130, IoStatusBlock=0x56e1f0, Buffer=0x99fc10, Length=0x4, ByteOffset=0x99fbc8, Key=0x0)
Need to implement ByteOffset?
Now, this is not the correct fix because the code still overflows the neighboring memory ๐
One way to fix that might to actually turn the ntdll breakpoints into nt which would allow them to work for both 64-bit programs as well as Wow64 bit programs; assuming there's no other issues. I think we need to address this issue before making some more progress!
Does this make sense ๐?
Cheers
Thanks to you, I can better understand handling the file system in 32-bit and 64-bit๐
But,, any idea about incomplete dump that still exist? (https://github.com/0vercl0k/wtf/issues/106#issuecomment-1181516878)
(Several problems seem to be mixed in one issue. It would have been nice to discuss it by dividing it into several issues, I'm sorry I didn't know in advance.)
Ha sorry I missed that other question - will take a look on Saturday!
Cheers
On Tue, Jul 12, 2022 at 6:24 PM Donghyun Lee @.***> wrote:
Thanks to you, I can better understand handling the file system in 32-bit and 64-bit๐
But,, any idea about incomplete dump that still exist? (#106 (comment) https://github.com/0vercl0k/wtf/issues/106#issuecomment-1181516878)
(Several problems seem to be mixed in one issue. It would have been nice to discuss it by dividing it into several issues, I'm sorry I didn't know in advance.)
โ Reply to this email directly, view it on GitHub https://github.com/0vercl0k/wtf/issues/106#issuecomment-1182658018, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALIORJLK6CUBPU6RLRBNPTVTYLD5ANCNFSM5YWPEBAA . You are receiving this because you were mentioned.Message ID: @.***>
Okay, based on what you are seeing it looks like some of the code isn't included in your dump. I wrote lockmem to address that class of issue; you can run it against your target before you acquire the dump and this should be fixed.
Cheers
I put up #108 for you @donghyunlee00 - I have tried it against my old testcases for IDA and it looks to behave the same than when the hooks were at the ntdll level so it looks good.
Will merge in a few days if I don't hear feedback!
Cheers
hey @donghyunlee00,
I haven't heard back from you in a little while so I'm going to consider this issue closed ๐
Please feel free to re-open at any point if you have any other questions!
Cheers
Okay, based on what you are seeing it looks like some of the code isn't included in your dump. I wrote lockmem to address that class of issue; you can run it against your target before you acquire the dump and this should be fixed.
Cheers
Sorry for late comment.
If I double-clicked wtf_input.xlsx directly, I could see procexp result as follows.
And it seems that ABC.exe and XXX.exe use some dlls together, so I applied lockmem to both.
lockmem (XXX and then ABC)
lockmem (ABC and then XXX)
The dump was still incomplete.
And you are grabbing the dump from et.exe or wps.exe? And the xlsxrw DLL is already loaded when you are running lockmem or it gets loaded after?
Cheers
I'm grabbing the dump from XXX.exe. And the YYY.dll gets loaded after running lockmem.
Details
!gflag +ksl
sxe ld xlsxrw.dll
g
Run wps.exe and create empty file(et.exe invoked)
Run lockmem for wps.exe and et.exe
Open wtf_input.xlsx(xlsxrw.dll loaded)
bp xlsxrw+12aec2
g
.scriptload C:\Users\user\Desktop\tools\bdump\bdump.js
!wow64exts.sw
!bdump_full "C:\\Users\\user\\Downloads\\dump"
Okay so you need to invoke lockmem after your module has been loaded, otherwise the tool doesn't get a chance to lock in the memory regions. One thing you can do is to attach a debugger, wait for the load module to happen, freeze the threads or make them loop, and invoke lockmem.
Cheers
On Mon, Aug 15, 2022 at 7:15 PM Donghyun Lee @.***> wrote:
I'm grabbing the dump from et.exe. And the xlsxrw.dll gets loaded after running lockmem. Details
!gflag +ksl sxe ld xlsxrw.dll g
Run wps.exe and create empty file(et.exe invoked) Run lockmem for wps.exe and et.exe Open wtf_input.xlsx(xlsxrw.dll loaded)
bp xlsxrw+12aec2 g .scriptload C:\Users\user\Desktop\tools\bdump\bdump.js !wow64exts.sw !bdump_full "C:\Users\user\Downloads\dump"
โ Reply to this email directly, view it on GitHub https://github.com/0vercl0k/wtf/issues/106#issuecomment-1216065444, or unsubscribe https://github.com/notifications/unsubscribe-auth/AALIORNSLFGX3I4WBDLT7QTVZL2S7ANCNFSM5YWPEBAA . You are receiving this because you modified the open/close state.Message ID: @.***>
Oh, I'll try it, thanks!
And so after YYY.dll is loaded, I don't have to run lockmem for XXX.exe and ABC.exe, I just have to run for XXX.exe, right?