A forum for reverse engineering, OS internals and malware analysis 

Patching HalDispatchTable

Discussion on reverse-engineering and debugging.

Patching HalDispatchTable

 #16751  by _MAX_
 Wed Nov 21, 2012 4:20 pm
Hi

Im playing with some ring0 exploits on windows7 x64, for executing payload first it patched nt!HalDispatchTable+8
this is my HalDispatchTable before running exploit:
Code: Select all
Before:
lkd> dd nt!HalDispatchTable
	fffff800`02a3bc30  00000004 00000000 028418e8 fffff800  <<---- Here!
	fffff800`02a3bc40  02842470 fffff800 02c36fa0 fffff800
	fffff800`02a3bc50  00000000 00000000 0290db90 fffff800
	fffff800`02a3bc60  02be52d0 fffff800 02be4dbc fffff800
	fffff800`02a3bc70  02d24860 fffff800 028e8f00 fffff800
	fffff800`02a3bc80  028a1af0 fffff800 028a1af0 fffff800
	fffff800`02a3bc90  02840ca4 fffff800 02841e88 fffff800
	fffff800`02a3bca0  02817418 fffff800 02840c18 fffff800
And this is my HalDispatchTabel after running exploit:
Code: Select all
After:
lkd> dd nt!HalDispatchTable
	fffff800`02a3bc30  00000004 00000000 0027f83c 00000000  <<---- Here!
	fffff800`02a3bc40  02842470 fffff800 02c36fa0 fffff800
	fffff800`02a3bc50  00000000 00000000 0290db90 fffff800
	fffff800`02a3bc60  02be52d0 fffff800 02be4dbc fffff800
	fffff800`02a3bc70  02d24860 fffff800 028e8f00 fffff800
	fffff800`02a3bc80  028a1af0 fffff800 028a1af0 fffff800
	fffff800`02a3bc90  02840ca4 fffff800 02841e88 fffff800
	fffff800`02a3bca0  02817418 fffff800 02840c18 fffff800
now i want to track my payload in memory before running exploit i can disassemble address which HalDispatchTable pointer point to fffff800`028418e8, But now when i replaced this entry of dispatch table with my payload address i cannot disassemble 000000000027f83c or 0027f83c i always have "^ Memory access error in 000000000027f83c"
*But exploit works just fine and it execute payload

Whats wrong with this , i know that im replacing HalDispatchTable entry with user-space address but why i cannot access that address?
and How can i fix this problem?

thanks

Re: Patching HalDispatchTable

 #16753  by rossetoecioccolato
 Wed Nov 21, 2012 5:34 pm
dd nt!HalDispatchTable
Try:

.process /p /r <EPROCESS of your user mode process> <Enter>
dqs nt!HalDispatchTable <Enter>

You will be able to translate the user mode address and the debugger output will be easier to read as well.

Re: Patching HalDispatchTable

 #16754  by _MAX_
 Wed Nov 21, 2012 6:13 pm
this is what i got....
lkd> .process /p /r fffffa801a62a060
Code: Select all
Implicit process is now fffffa80`1a62a060
Loading User Symbols
.....
Cannot read PEB32 from WOW64 TEB32 08000000 - Win32 error 0n31
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
lkd> dqs nt!HalDispatchTable
Code: Select all
fffff800`02a00c30  00000000`00000004
fffff800`02a00c38  00000000`0025f2bc
fffff800`02a00c40  fffff800`02e2d470
fffff800`02a00c48  fffff800`02bfbfa0 nt!ArbAddReserved
fffff800`02a00c50  00000000`00000000
fffff800`02a00c58  fffff800`028d2b90 nt!HalExamineMBR
fffff800`02a00c60  fffff800`02baa2d0 nt!IoReadPartitionTable
fffff800`02a00c68  fffff800`02ba9dbc nt!IoSetPartitionInformation
fffff800`02a00c70  fffff800`02ce9860 nt!IoWritePartitionTable
fffff800`02a00c78  fffff800`028adf00 nt!xKdMapPhysicalMemory64
fffff800`02a00c80  fffff800`02866af0 nt!FsRtlpNopStackOverflowRoutine
fffff800`02a00c88  fffff800`02866af0 nt!FsRtlpNopStackOverflowRoutine
fffff800`02a00c90  fffff800`02e2bca4
fffff800`02a00c98  fffff800`02e2ce88
fffff800`02a00ca0  fffff800`02e02418
fffff800`02a00ca8  fffff800`02e2bc18
But now u 00000000`0025f2b only return NOP
i think this is problem with Microsoft symbols but im using online symbol server And Compile my user-spcae file with debug-mode on Host machine and run it on Guest in vmware

Re: Patching HalDispatchTable

 #16755  by rossetoecioccolato
 Thu Nov 22, 2012 12:15 am
Cannot read PEB32 from WOW64 TEB32 08000000
You can't jump from x64 kernel mode directly into a WoW64 process. You need some thunk code which I seriously doubt you are going to be able to write. Compile your exploit code using the 64-bit compiler to exploit 64-bit kernels.

To disassemble your 32-bit exploit code switch the debugger to an x86 machine type:

.process /p /r fffffa801a62a060
.effmach x86 <Enter>
u 25f2bc
i think this is problem with Microsoft symbols but im using online symbol server
Why would you expect MS to have symbols for your exploit code?
lkd>
Compile my user-spcae file with debug-mode on Host machine and run it on Guest in vmware
Do yourself a huge favor and enable kernel debugging between your VM and the host partition. See e.g. http://www.ndis.com/ndis-debugging/virt ... esetup.htm. Local kernel debugging doesn't allow you to set breakpoints.

Re: Patching HalDispatchTable

 #16769  by _MAX_
 Thu Nov 22, 2012 7:48 pm
I solved the problem i download symbol package not using symbol server and now it works fine
thanks for you replies :)
 Return to “Reverse Engineering and Debugging”