Harnessing w/ file-system hooks #106

donghyunlee00 · 2022-06-14T06:18:22Z

After solving the 0vercl0k/wtf#101, I made a harness and tried fuzzing.

However, in each test case, it did not reach the address I intended.

Test Environment

Host: VMware
- Windows 10 Pro 21H2 (OS build 19044.1706)
- Memory 8GB, Processors 4
Guest: Hyper-V in VMware
- Windows 10 Pro 21H2 (OS build 19044.1288)
- Hyper-V generation 1
- Memory 4GB, Processors 1
- Disabled KVA shadow via disable-kva.cmd
- Disabled paging file via sysdm.cpl
WinDbg (X64)
- KDNET
Targeting 32bit binary

Attachment

Target dll file, and exe file which loads it (+some other files): target.zip
mem.dmp & regs.json: dump
inputs: inputs.zip

Issue

These are commands I used for wtf.

# Starting a server node
..\..\src\build\wtf.exe master --name abc --max_len=80000 --runs=10000000 --target .
# Fuzzing nodes
..\..\src\build\wtf.exe fuzz --name abc --backend=bochscpu --limit 10000000
# Running a test-case
..\..\src\build\wtf.exe run --name abc --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx

Below steps were used to generate the dump.

kd> !gflag +ksl
kd> sxe ld YYY.dll
kd> g

Make XXX.exe loads YYY.dll through user interaction. (=double click wtf_input.xlsx)

kd> bp YYY+12aec2
kd> g
32.kd:x86> .scriptload C:\Users\user\Desktop\tools\bdump\bdump.js
32.kd:x86> !wow64exts.sw
32.kd> !bdump_full "C:\\Users\\user\\Downloads\\dump"

And this is the harness.

#include "backend.h"
#include "crash_detection_umode.h"
#include "fshandle_table.h"
#include "fshooks.h"
#include "targets.h"
#include <fmt/format.h>

namespace Abc {

constexpr bool LoggingOn = true;

template <typename... Args_t>
void DebugPrint(const char *Format, const Args_t &...args) {
  if constexpr (LoggingOn) {
    fmt::print("Abc: ");
    fmt::print(fmt::runtime(Format), args...);
  }
}

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
  g_FsHandleTable.MapExistingGuestFile(
      uR"(\??\C:\Users\user\Desktop\wtf_input.xlsx)", Buffer, BufferSize);

  return true;
}

bool Init(const Options_t &Opts, const CpuState_t &State) {
  //
  // Stop the test-case once we return back from the call [sub_100B1010]
  //
  // ...
  // .text:1012AEBF                 lea     ecx, [ebp+var_1C]
  // .text:1012AEC2                 call    sub_100B1010
  // .text:1012AEC7                 mov     edi, eax
  // ...
  //

  const Gva_t Rip = Gva_t(g_Backend->Rip());
  const Gva_t AfterCall = Rip + Gva_t(5);
  if (!g_Backend->SetBreakpoint(AfterCall, [](Backend_t *Backend) {
        DebugPrint("Back from sub_100B1010!\n");
        Backend->Stop(Ok_t());
      })) {
    fmt::print("Failed to SetBreakpoint AfterCall\n");
    return false;
  }

  if (!SetupFilesystemHooks()) {
    fmt::print("Failed to SetupFilesystemHooks\n");
    return false;
  }

  if (!SetupUsermodeCrashDetectionHooks()) {
    fmt::print("Failed to SetupUsermodeCrashDetectionHooks\n");
    return false;
  }

  return true;
}

Target_t Abc("abc", Init, InsertTestcase);

}

1st Try

> ..\..\src\build\wtf.exe run --name abc --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5)
fs: Unrecognized file handle.
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
fs: Unrecognized file handle.
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x9a7d2f8, Length=0x18, FileInformationClass=0x5)
fs: Unrecognized file handle.
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x3 (FILE_SHARE_READ | FILE_SHARE_WRITE), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffd for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryAttributesFile(ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\Temp\), FileInformation=0x466e3a8)
fs: Unknown file.
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
--------------------------------------------------
Run stats:
Instructions executed: 821563 (61510 unique)
          Dirty pages: 1482752 bytes (0 MB)
      Memory accesses: 2435116 bytes (0 MB)
#1 cov: 61510 exec/s: 0.2 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 4.0s

It did not reach DebugPrint("Back from sub_100B1010!\n");.

When I loaded aggregate.cov as a result of fuzzing through Lighthouse, I could see that the execution was stopped at SpreadsheetDocument::Open(wchar_t const *)(presumed to be related to file-system operations).

2nd Try

After reading the wtf code a little, I changed one line of code of handle_table.h as below.

-  static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+  static const uint64_t LastGuestHandle = 0xfffffffffffffffeULL;

> ..\..\src\build\wtf.exe run --name abc --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0xfffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5)
filestream: FileStandardInformation(AllocationSize=0x3000, EndOfFile=0x2180).
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
filestream: FilePositionInformation.
filestream: Moving cursor to offset 0x0.
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x9a7d2f8, Length=0x18, FileInformationClass=0x5)
filestream: FileStandardInformation(AllocationSize=0x3000, EndOfFile=0x2180).
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
filestream: FilePositionInformation.
filestream: Moving cursor to offset 0x180.
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
filestream: FilePositionInformation.
filestream: Moving cursor to offset 0x0.
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x3 (FILE_SHARE_READ | FILE_SHARE_WRITE), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0xfffffffffffffffd for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryAttributesFile(ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\Temp\), FileInformation=0x466e3a8)
fs: Unknown file.
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
fs: ntdll!NtOpenFile(FileHandle=0x466e3f8, DesiredAccess=0x100001, ObjectAttributes=0x466ec50 (\??\C:\Users\user\AppData\Local\), IoStatusBlock=0x466e398, ShareAccess=0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OpenOptions=0x4021 (FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT))
--------------------------------------------------
Run stats:
Instructions executed: 905056 (61554 unique)
          Dirty pages: 1486848 bytes (0 MB)
      Memory accesses: 2457468 bytes (0 MB)
#1 cov: 61554 exec/s: 1.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 1.0s

Again, it did not reach DebugPrint("Back from sub_100B1010!\n");.

And result of the Lighthouse haven't changed.

The text was updated successfully, but these errors were encountered:

ch4rli3kop · 2022-06-23T10:44:53Z

Hello,
How about running the target with the process monitor? It is helpful to check if any library is loaded or if any accessing the registry key exists. Some windows library functions access the registry key internally. In my case, they are the most likely cause of failure. And if your problem is the former when the target is running in GUI, you can solve the library loading problem by dumping the second file open (all libraries are loaded as the first file is opened).

0vercl0k · 2022-06-23T15:49:43Z

@donghyunlee00, apologies I completely missed / forgot this issue - let me try to investigate / get back to you about this this weekend :) I originally developed the filesystem hooks to fuzz IDA and that part of the code hasn't been tested extensively in different conditions (just mine). Cheers

…

On Thu, Jun 23, 2022 at 3:45 AM chan hee Park ***@***.***> wrote: Hello, How about running the target with the *process monitor*? It is helpful to check if *any library is loaded* or if *any accessing the registry key exists.* Some windows library functions access the registry key internally. In my case, they are the most likely cause of failure. And if your problem is the former when the target is running in GUI, you can solve the library loading problem by dumping the second file open (all libraries are loaded as the first file is opened). — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORKPCQ6XZJ4Z66I6KLLVQQ53BANCNFSM5YWPEBAA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

donghyunlee00 · 2022-06-24T02:35:11Z

After long time of analysing Lighthouse and Tenet(infinite scrolling..), I found that the target program (which is 32bit-program) didn't invoke ntdll!NtReadFile. So I added some codes to hook KERNEL32!ReadFile directly.

I added the following codes to fskooks.cc.

  if (!g_Backend->SetBreakpoint("KERNEL32!ReadFile", [](Backend_t *Backend) {
        // BOOL ReadFile(
        //   [in]                HANDLE       hFile,
        //   [out]               LPVOID       lpBuffer,
        //   [in]                DWORD        nNumberOfBytesToRead,
        //   [out, optional]     LPDWORD      lpNumberOfBytesRead,
        //   [in, out, optional] LPOVERLAPPED lpOverlapped
        // );

        const Gva_t Rsp = Gva_t(Backend->Rsp());
        
        Gva_t ArgPtr = Rsp + Gva_t(4 + (0 * 4));
        const HANDLE hFile = HANDLE(uint64_t(Backend->VirtRead4(ArgPtr)));
        const HANDLE hFile64 = HANDLE(uint64_t(int32_t(Backend->VirtRead4(ArgPtr))));

        ArgPtr = Rsp + Gva_t(4 + (1 * 4));
        const Gva_t GuestlpBuffer = Gva_t(Backend->VirtRead4(ArgPtr));

        ArgPtr = Rsp + Gva_t(4 + (2 * 4));
        const uint32_t nNumberOfBytesToRead = Backend->VirtRead4(ArgPtr);

        ArgPtr = Rsp + Gva_t(4 + (3 * 4));
        const Gva_t GuestlpNumberOfBytesRead = Gva_t(Backend->VirtRead4(ArgPtr));
        
        ArgPtr = Rsp + Gva_t(4 + (4 * 4));
        const uint32_t lpOverlapped = Backend->VirtRead4(ArgPtr);

        FsDebugPrint(
            "KERNEL32!ReadFile(hFile={}, lpBuffer={:#x}, "
            "nNumberOfBytesToRead={:#x}, lpNumberOfBytesRead={:#x}, lpOverlapped={:#x})\n",
            fmt::ptr(hFile), GuestlpBuffer,
            nNumberOfBytesToRead, GuestlpNumberOfBytesRead, lpOverlapped);

        //
        // If we don't know this handle, let's bail.
        //

        if (!g_FsHandleTable.Known(hFile64)) {
          FsDebugPrint("Unrecognized file handle.\n");
          return;
        }

        //
        // Ensure that the GuestBuffer is faulted-in memory.
        //

        if (GuestlpBuffer &&
            Backend->PageFaultsMemoryIfNeeded(GuestlpBuffer, nNumberOfBytesToRead)) {
          return;
        }

        //
        // Grab the host stream.
        //

        GuestFile_t *GuestFile = g_FsHandleTable.GetGuestFile(hFile64);

        //
        // Read the lpOverlapped parameter if specified.
        //

        if (lpOverlapped) {
          fmt::print("Need to implement lpOverlapped?\n");
          __debugbreak();
          ExitProcess(0);
        }

        //
        // Allocate memory for the buffer.
        //

        auto HostlpBuffer = std::make_unique<uint8_t[]>(nNumberOfBytesToRead);

        //
        // Invoke the syscall.
        //

        uint32_t HostlpNumberOfBytesRead;
        const bool SyscallSuccess = GuestFile->ReadFile(
            HostlpNumberOfBytesRead, HostlpBuffer.get(), nNumberOfBytesToRead);

        //
        // If it failed, we want to know.
        //

        if (!SyscallSuccess) {
          fmt::print("KERNEL32!ReadFile failed?\n");
          __debugbreak();
        }

        //
        // Write back the buffer as well as the lpNumberOfBytesRead.
        //

        Backend->VirtWriteDirty(GuestlpBuffer, HostlpBuffer.get(),
                                HostlpNumberOfBytesRead);
        Backend->VirtWriteStructDirty(GuestlpNumberOfBytesRead,
                                &HostlpNumberOfBytesRead);

        Backend->SimulateReturnFrom32bitFunction(true, 5);
        return;
      })) {
    return false;
  }

I added following code to guestfile.h.

  bool ReadFile(uint32_t &HostlpNumberOfBytesRead, uint8_t *lpBuffer,
                const uint32_t nNumberOfBytesToRead) {
    if (BufferStart_ == nullptr) {
      FileStreamDebugPrint("Cannot read on file with empty stream.\n");
      return false;
    }

    const uint64_t MaxRead = BufferEnd_ - Current_;
    uint32_t Size2Read = std::min(uint32_t(MaxRead), nNumberOfBytesToRead);
    if (Current_ > BufferEnd_) {
      Size2Read = 0;
    } else {
      memcpy(lpBuffer, Current_, Size2Read);
      FileStreamDebugPrint("Reading {:#x} ({:#x} asked)\n", Size2Read, nNumberOfBytesToRead);

#ifdef FILESTREAM_SNOOP_READS
      Hexdump(0, Current_, Size2Read);
#endif

      Current_ += Size2Read;
    }

    //
    // Populate the lpNumberOfBytesRead.
    //

    HostlpNumberOfBytesRead = Size2Read;
    return true;
  }

Then, I ran the fuzzer again, and the problem related to ntdll!NtReadFile seemed to have been solved, but it stopped running due to an error. (Thus, the file size of aggregate.cov was 0 KB and the outputs directory was empty.)

donghyunlee00 · 2022-06-24T07:59:55Z

This attachment(edited 220628) is Lighthouse log and Tenet log for the code before I added KERNEL32!ReadFile hook.

I found that nt!KiPageFault is called (not ntdll!NtReadFile) when KERNEL32!ReadFile is invoked.

KERNEL32!ReadFile -> KERNELBASE!ReadFile -> nt!KiPageFault

...
rip=0x779f1b88
rip=0x779f1b8a
rip=0x779f1b90,mw=0x9bdf864:00000000
rbx=0xfffffffe,rip=0x779f1b93,mr=0x9bdf84c:FEFFFFFF
(KERNELBASE!ReadFile+0x56) rip=0x779f1b96
(nt!KiPageFault) rsp=0xfffffd8202876c60,rip=0xfffff80718e05b00,mr=0xfffff8071ef620e0:005B1000008EE018,mr=0xfffff8071ef620e8:07F8FFFF00000000,mr=0xfffff8071ef64fc0:00000000009B2000,mr=0xfffff8071ef63004:906C870282FDFFFF,mw=0xfffffd8202876c88:2B00000000000000,mw=0xfffffd8202876c80:0CF8BD0900000000,mw=0xfffffd8202876c78:0602010000000000,mw=0xfffffd8202876c70:2300000000000000,mw=0xfffffd8202876c68:195DA27700000000,mw=0xfffffd8202876c60:1400000000000000
rsp=0xfffffd8202876c58,rip=0xfffff80718e05b01,mw=0xfffffd8202876c58:44F8BD0900000000
rsp=0xfffffd8202876b00,rip=0xfffff80718e05b08
rbp=0xfffffd8202876b80,rip=0xfffff80718e05b10
rip=0xfffff80718e05b14,mw=0xfffffd8202876b2b:01
...

y0ny0ns0n · 2022-06-25T04:58:28Z

Hi.

As you can see in here, WTF's server node save testcase only if it finds new coverage. And if your testcase didn't find new coverage after mutation phase, fuzzer will abort on here.

So, you have to analyze your target application to find any sanitize routine or something like that which prevent fuzzer's data flow goes to real data process procedure, OR define your own custom mutator like this if you think your target needs structure-awareness or havoc mutation.

P.S. I suggest you to provide symbolized execution trace using symbolizer next time if you need more precise help.

donghyunlee00 · 2022-06-27T07:15:05Z

@y0ny0ns0n, thank you for your clear explanation. I should try to define my own custom mutator.

But yet, any idea about nt!KiPageFault(not ntdll!NtReadFile) being called for KERNEL32!ReadFile?

y0ny0ns0n · 2022-06-27T07:38:15Z

Let's try to read KERNELBASE!ReadFile function first. It looks like jnb instruction( jmp to kernelbase!ReadFile+30b4c if true ). I suspect kernelbase!ReadFile+30b4c is not mapped, because I encountered similar issue when I tried to fuzz win32k component( #21 ).

donghyunlee00 · 2022-06-28T03:16:35Z

You mean, KERNELBASE!ReadFile+0x341d9?

I already disabled pagefile as in #21,

I have no idea why KERNELBASE!ReadFile+0x341d9 is not mapped..

Is there currently any method to map the entire KERNELBASE!ReadFile? @0vercl0k

0vercl0k · 2022-06-28T04:45:25Z

@donghyunlee00 I personally use lockmem before grabbing a dump - I haven't tried disabling the pagefile myself but I would expect that to work, so that's odd 😮

I also apologies I haven't forgot about this issue, I just haven't a chance to have a closer look, but I will 😊

Thanks @y0ny0ns0n / @ch4rli3kop for helping out 🙏🏽

Cheers

donghyunlee00 · 2022-07-01T09:54:06Z

I made two attempts,

lockmem
Increase memory 4GB -> 5GB

and KERNELBASE!ReadFile was dumped normally (which was not when just disabling the pagefile -> idk why yet,)

However, ntdll!NtReadFile is still not hooked, even though KERNEL32!ReadFile was called.

So I meticulously followed the function call flow again, to create call stacks (manually).

Then I found a difference between ReadFile and others such as CreateFile and OpenFile.

Call Stack for ReadFile

Call Stack for CreateFile

Call Stack for OpenFile

nt!NtReadFile
nt!KiSystemServiceCopyEnd
nt!KiSystemServiceCopyStart+0x48
nt!KiSystemServiceGdiTebAccess+0x49
nt!KiSystemServiceRepeat
nt!KiSystemServiceStart
nt!KiSystemServiceUser
nt!KiSystemCall64

wow64cpu!CpupSyscallStub
wow64cpu!ReadWriteFileFault
wow64cpu!ReadWriteFile
wow64cpu!TurboDispatchJumpAddressStart
wow64cpu!CpupReturnFromSimulatedCode
wow64cpu!KiFastSystemCall
ntdll_77440000!Wow64SystemServiceCall
ntdll_77440000!NtReadFile

KERNELBASE!ReadFile
KERNEL32!ReadFile









ntdll!NtCreateFile
wow64!whNtCreateFile
wow64!Wow64SystemServiceEx
wow64cpu!ServiceNoTurbo
wow64cpu!TurboDispatchJumpAddressStart
wow64cpu!CpupReturnFromSimulatedCode
wow64cpu!KiFastSystemCall
ntdll_77440000!Wow64SystemServiceCall
ntdll_77440000!NtCreateFile
KERNELBASE!CreateFileInternal
KERNELBASE!CreateFile
KERNEL32!CreateFileW

nt!NtOpenFile
nt!KiSystemServiceCopyEnd
nt!KiSystemServiceCopyStart+0x60
nt!KiSystemServiceGdiTebAccess+0x49
nt!KiSystemServiceRepeat
nt!KiSystemServiceStart
nt!KiSystemServiceUser
nt!KiSystemCall64
ntdll!NtOpenFile
wow64!whNtOpenFile
wow64!Wow64SystemServiceEx
wow64cpu!ServiceNoTurbo
wow64cpu!TurboDispatchJumpAddressStart
wow64cpu!CpupReturnFromSimulatedCode
wow64cpu!KiFastSystemCall
ntdll_77440000!Wow64SystemServiceCall
ntdll_77440000!NtOpenFile
KERNELBASE!FindFirstFileExW
KERNELBASE!FindFirstFileW
KERNEL32!GetLongPathNameW

CreateFile and OpenFile call wow64cpu!ServiceNoTurbo, wow64!Wow64SystemServiceEx after wow64cpu!TurboDispatchJumpAddressStart, and finally ntdll!NtCreateFile and ntdll!NtOpenFile, respectively.

ReadFile, on the other hand, calls wow64cpu!ReadWriteFile after wow64cpu!TurboDispatchJumpAddressStart, and calls nt!KiSystemCall64 directly without ntdll!NtReadFile.

I think that if the branch in the photo above had progressed to the left, it would have been possible to finally call ntdll!NtReadFile with the same flow as CreateFile or OpenFile while passing through wow64!Wow64SystemServiceEx instead of wow64cpu!ReadWriteFileFault...(?)

This is the tenet, cov, rip logs corresponding to the current comment.
And this is mem.dmp and regs.json. (-> uploaded 220711)

donghyunlee00 · 2022-07-01T10:03:56Z

BTW, @y0ny0ns0n, did your target 32bit-program do a file read and ntdll!NtReadFile was hooked normally when fuzzing?

y0ny0ns0n · 2022-07-01T12:41:37Z

I usually just use other fuzz tools for file based fuzzing( for various reason ), so I never seen these kinds of issue.

But I think some ntapi functions switched to 64bit mode directly in wow64cpu!ServiceNoTurbo and the others are not( maybe WIP feature or any other reasons? ). Maybe you can write 32bit version of fshooks.cc or just hook KERNELASE!ReadFile instead ntdll one.

0vercl0k · 2022-07-02T17:24:50Z

Okay @donghyunlee00 I started to look at your issue; thanks for the detailed report it helps a lot to understand what could be wrong.

Let me give you an idea of how the fshook subsystem works. Basically wtf tries to implement filesystem accesses by emulating them. Because the NT filesystem layers uses handle, wtf also needs to know which handle it needs to emulate or the ones it shouldn't emulate. It also was made to be able to handle the case where a file is getting opened (no handle created by the kernel yet) in which case wtf returns a 'fake handle' starting from the maximum value decrementing.

  HANDLE AllocateGuestHandle() {
    HANDLE GuestHandle = nullptr;
    while (1) {
      GuestHandle = HANDLE(LatestGuestHandle_);
      const uint32_t LowerDword = uint32_t(LatestGuestHandle_);

      LatestGuestHandle_--;
      if (PseudoHandles_.contains(LowerDword) ||
          ReservedHandles_.contains(GuestHandle)) {
        continue;
      }

      break;
    }

    return GuestHandle;
  }

This works this way to avoid clashing with maybe already opened handle by the target. The other case is if the kernel already created a handle, you can tell wtf to associate a handle to a file and hook those as well. This means that you should revert the following diff you made as it's not gonna help you:

-  static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+  static const uint64_t LastGuestHandle = 0xfffffffffffffffeULL;

Let's now start by checking out your first trace:

fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x466e380, DesiredAccess=0x80100080, ObjectAttributes=0x466ec50 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x466e398, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5)
fs: Unrecognized file handle.
fs: ntdll!NtSetInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466e3a8, Length=0x8, FileInformationClass=0xe)
fs: Unrecognized file handle.

You can see several things:

The fshooks successfully hooked NtCreateFile and it is sees that the target is trying to open \??\C:\Users\user\Desktop\wtf_input.xlsx which it knows it needs to hook. It needs to create an artificial handle and according to the log it returned 0x7ffffffffffffffe which makes sense. So far so good.
Then you have fs: ntdll!NtQueryInformationFile(FileHandle=0xfffffffffffffffe, IoStatusBlock=0x466e398, FileInformation=0x466ec60, Length=0x18, FileInformationClass=0x5). This is also ok; it means that there is an access made to a file that have already been opened before you took the snapshot. It also looks like this might be a pseudo handle (fake handle, like GetCurrentProcess() for process). You could even check what this handle is by using !handle in your dump:

32.kd:x86> !wow64exts.sw	
The context is partially valid. Only x86 user-mode context is available.
Switched to Host mode
32.kd> !handle 0xfffffffffffffffe

PROCESS ffffab8f71988340
    SessionId: 1  Cid: 1558    Peb: 00f8c000  ParentCid: 1fd0
    DirBase: 27969000  ObjectTable: ffffd78cb395f500  HandleCount: 591.
    Image: et.exe

Kernel handle table at ffffd78ca6832c40 with 2567 entries in use

Invalid Handle: 0x7ffffffe

So basically, this is probably a special handle (pseudo-handle) but I am not sure what it is.

Also you can see the below which makes sense - the fshooks subsystem doesn't know about the handle so it will not emulate; it'll just let the kernel handle it:

fs: Unrecognized file handle.

What I'd expect to see is a file access that is being done with the handle 0x7ffffffffffffffe in which case the fshooks layer would emulate whatever API call.

Does this make more sense? I'll look some more at your traces and whatnot to see if I can help more on the Wow64 front.

Cheers

donghyunlee00 · 2022-07-12T02:21:24Z

@0vercl0k thanks for looking at:)

With reference to this doc, I made a 32-bit program that does a simple ReadFile to verify what you said.

Code

#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>

#define BUFFERSIZE 5
DWORD g_BytesTransferred = 0;

void DisplayError(LPTSTR lpszFunction);

VOID CALLBACK FileIOCompletionRoutine(
	__in  DWORD dwErrorCode,
	__in  DWORD dwNumberOfBytesTransfered,
	__in  LPOVERLAPPED lpOverlapped
);

VOID CALLBACK FileIOCompletionRoutine(
	__in  DWORD dwErrorCode,
	__in  DWORD dwNumberOfBytesTransfered,
	__in  LPOVERLAPPED lpOverlapped)
{
	_tprintf(TEXT("Error code:\t%x\n"), dwErrorCode);
	_tprintf(TEXT("Number of bytes:\t%x\n"), dwNumberOfBytesTransfered);
	g_BytesTransferred = dwNumberOfBytesTransfered;
}

//
// Note: this simplified sample assumes the file to read is an ANSI text file
// only for the purposes of output to the screen. CreateFile and ReadFile
// do not use parameters to differentiate between text and binary file types.
//

int __cdecl _tmain(int argc, TCHAR* argv[])
{
	HANDLE hFile;
	DWORD  dwBytesRead = 0;
	char   ReadBuffer[BUFFERSIZE] = { 0 };
	OVERLAPPED ol = { 0 };

	printf("\n");
	if (argc != 2)
	{
		printf("Usage Error: Incorrect number of arguments\n\n");
		_tprintf(TEXT("Usage:\n\t%s <text_file_name>\n"), argv[0]);
		return 0;
	}

	int tmp;
	scanf("%d", &tmp);

	hFile = CreateFile(argv[1],               // file to open
		GENERIC_READ,          // open for reading
		FILE_SHARE_READ,       // share for reading
		NULL,                  // default security
		OPEN_EXISTING,         // existing file only
		FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, // normal file
		NULL);                 // no attr. template

	if (hFile == INVALID_HANDLE_VALUE)
	{
		DisplayError(const_cast<LPTSTR>(TEXT("CreateFile")));
		_tprintf(TEXT("Terminal failure: unable to open file \"%s\" for read.\n"), argv[1]);
		return 0;
	}

	// Read one character less than the buffer size to save room for
	// the terminating NULL character. 

	if (FALSE == ReadFileEx(hFile, ReadBuffer, BUFFERSIZE - 1, &ol, FileIOCompletionRoutine))
	{
		DisplayError(const_cast<LPTSTR>(TEXT("ReadFile")));
		printf("Terminal failure: Unable to read from file.\n GetLastError=%08x\n", GetLastError());
		CloseHandle(hFile);
		return 0;
	}
	SleepEx(5000, TRUE);
	dwBytesRead = g_BytesTransferred;
	// This is the section of code that assumes the file is ANSI text. 
	// Modify this block for other data types if needed.

	if (dwBytesRead > 0 && dwBytesRead <= BUFFERSIZE - 1)
	{
		ReadBuffer[dwBytesRead] = '\0'; // NULL character

		_tprintf(TEXT("Data read from %s (%d bytes): \n"), argv[1], dwBytesRead);
		printf("%s\n", ReadBuffer);
	}
	else if (dwBytesRead == 0)
	{
		_tprintf(TEXT("No data read from file %s\n"), argv[1]);
	}
	else
	{
		printf("\n ** Unexpected value for dwBytesRead ** \n");
	}

	// It is always good practice to close the open file handles even though
	// the app will exit here and clean up open handles anyway.

	CloseHandle(hFile);
}

void DisplayError(LPTSTR lpszFunction)
// Routine Description:
// Retrieve and output the system error message for the last-error code
{
	LPVOID lpMsgBuf;
	LPVOID lpDisplayBuf;
	DWORD dw = GetLastError();

	FormatMessage(
		FORMAT_MESSAGE_ALLOCATE_BUFFER |
		FORMAT_MESSAGE_FROM_SYSTEM |
		FORMAT_MESSAGE_IGNORE_INSERTS,
		NULL,
		dw,
		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
		(LPTSTR)&lpMsgBuf,
		0,
		NULL);

	lpDisplayBuf =
		(LPVOID)LocalAlloc(LMEM_ZEROINIT,
			(lstrlen((LPCTSTR)lpMsgBuf)
				+ lstrlen((LPCTSTR)lpszFunction)
				+ 40) // account for format string
			* sizeof(TCHAR));

	if (FAILED(StringCchPrintf((LPTSTR)lpDisplayBuf,
		LocalSize(lpDisplayBuf) / sizeof(TCHAR),
		TEXT("%s failed with error code %d as follows:\n%s"),
		lpszFunction,
		dw,
		lpMsgBuf)))
	{
		printf("FATAL ERROR: Unable to output error code.\n");
	}

	_tprintf(TEXT("ERROR: %s\n"), (LPCTSTR)lpDisplayBuf);

	LocalFree(lpMsgBuf);
	LocalFree(lpDisplayBuf);
}

Harness

#include "backend.h"
#include "crash_detection_umode.h"
#include "fshandle_table.h"
#include "fshooks.h"
#include "targets.h"
#include <fmt/format.h>

namespace ReadFileTest {

constexpr bool LoggingOn = true;

template <typename... Args_t>
void DebugPrint(const char *Format, const Args_t &...args) {
  if constexpr (LoggingOn) {
    fmt::print("readfile_test: ");
    fmt::print(fmt::runtime(Format), args...);
  }
}

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
  g_FsHandleTable.MapExistingGuestFile(
      uR"(\??\C:\Users\user\Desktop\wtf_input.xlsx)", Buffer, BufferSize);

  return true;
}

bool Init(const Options_t &Opts, const CpuState_t &State) {
  // .text:004011E9 push    80000000h       ; dwDesiredAccess
  // .text:004011EE push    dword ptr [esi+4] ; lpFileName         --> Rip
  // .text:004011F1 call    ds:__imp__CreateFileW@28 ; CreateFileW(x,x,x,x,x,x,x)
  // ...
  // .text:004012E4 pop     ebp
  // .text:004012E5 retn                                           --> AfterCalls

  const Gva_t Rip = Gva_t(g_Backend->Rip());
  const Gva_t AfterCalls = Rip + Gva_t(0xf7);   // 0x004012E5 - 0x004011EE = 0xf7
  if (!g_Backend->SetBreakpoint(AfterCalls, [](Backend_t *Backend) {
        DebugPrint("Back!\n");
        Backend->Stop(Ok_t());
      })) {
    fmt::print("Failed to SetBreakpoint AfterCalls\n");
    return false;
  }

  if (!SetupFilesystemHooks()) {
    fmt::print("Failed to SetupFilesystemHooks\n");
    return false;
  }

  if (!SetupUsermodeCrashDetectionHooks()) {
    fmt::print("Failed to SetupUsermodeCrashDetectionHooks\n");
    return false;
  }

  return true;
}

Target_t ReadFileTest("readfile_test", Init, InsertTestcase);

}

The fuzz result was as below.

>..\..\src\build\wtf.exe run --name readfile_test --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x56e1b0, DesiredAccess=0x80100080, ObjectAttributes=0x56ea80 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x56e1c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x40 (FILE_NON_DIRECTORY_FILE), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtReadFile(FileHandle=0xfffffffffffffffe, Event=0x0, ApcRoutine=0xfffffffe25ba4480, ApcContext=0x891130, IoStatusBlock=0x56e1f0, Buffer=0x99fc10, Length=0x4, ByteOffset=0x99fbc8, Key=0x0)
fs: Unrecognized file handle.
--------------------------------------------------
Run stats:
Instructions executed: 133116 (20903 unique)
          Dirty pages: 454656 bytes (0 MB)
      Memory accesses: 330369 bytes (0 MB)
#1 cov: 20903 exec/s: 0.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 21.0s

The result after applying diff was as follows.

-  static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+  static const uint64_t LastGuestHandle = 0xfffffffffffffffeULL;

>..\..\src\build\wtf.exe run --name readfile_test --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0x56e1b0, DesiredAccess=0x80100080, ObjectAttributes=0x56ea80 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x56e1c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x40 (FILE_NON_DIRECTORY_FILE), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0xfffffffffffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtReadFile(FileHandle=0xfffffffffffffffe, Event=0x0, ApcRoutine=0xfffffffe25ba4480, ApcContext=0x891130, IoStatusBlock=0x56e1f0, Buffer=0x99fc10, Length=0x4, ByteOffset=0x99fbc8, Key=0x0)
Need to implement ByteOffset?

The program is so simple, and CreateFile and ReadFile must handle the same file in order.

This is the program and this is dump.

donghyunlee00 · 2022-07-12T03:04:18Z

By the way, why did you use ntdll instead of the nt for fshook? @0vercl0k

0vercl0k · 2022-07-12T04:40:26Z

Okay, this is an amazing testcase; let me look at this tomorrow! Also, I can't quite remember why I picked `ntdll` and not `nt` 🤔I think it'd work the same way! Cheers

…

On Mon, Jul 11, 2022 at 8:04 PM Donghyun Lee ***@***.***> wrote: By the way, why did you use ntdll instead of the nt for fshook? @0vercl0k <https://github.com/0vercl0k> — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORO2NWJ2NVIN72WWP2TVTTODZANCNFSM5YWPEBAA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

donghyunlee00 · 2022-07-12T06:09:39Z

Oh I think this is the clue,,,

-  static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+  static const uint64_t LastGuestHandle = 0x7ffffffeULL;

donghyunlee00 · 2022-07-12T09:09:56Z

I applied the above diff and hooked nt!NtReadFile instead of ntdll!NtReadFile.
(The dump I used is same as I used in #106 (comment).)

Fuzz Result

>..\..\src\build\wtf.exe run --name wps --state state --backend=bochscpu --limit 10000000 --input wtf_input.xlsx
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Running wtf_input.xlsx
fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(8576)
fs: ntdll!NtCreateFile(FileHandle=0xcdde6e0, DesiredAccess=0x80100080, ObjectAttributes=0xcddefb0 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0xcdde6f8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x60 (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefc0, Length=0x18, FileInformationClass=0x5)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf1727c8, Length=0x8, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xde2d5c0, Length=0x18, FileInformationClass=0x5)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2d688, Length=0x2016, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xde2f640, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf32fde8, Length=0x16, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3578, Length=0x13, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf1727c8, Length=0x6, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566d00, Length=0xb, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566bc8, Length=0x9, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566ad8, Length=0x10, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3578, Length=0x11, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3338, Length=0x13, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf1727a8, Length=0x3, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566b68, Length=0x9, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc556638, Length=0x1a, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3418, Length=0x14, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566b38, Length=0xd, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566d60, Length=0x9, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3418, Length=0x13, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566b08, Length=0xf, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xf566bc8, Length=0xe, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f5f8, Length=0x2e, ByteOffset=0x0, Key=0x0)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc6c3458, Length=0x18, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtQueryInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcddefd0, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f680, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f870, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc5d407d, Length=0x167, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f874, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc5d407d, Length=0xff, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xde2f808, Length=0x1e, ByteOffset=0x0, Key=0x0)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: ntdll!NtSetInformationFile(FileHandle=0x7ffffffe, IoStatusBlock=0xcdde6f8, FileInformation=0xcdde708, Length=0x8, FileInformationClass=0xe)
fs: nt!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0xcddf058, Buffer=0xc5d407d, Length=0xed, ByteOffset=0x0, Key=0x0)
--------------------------------------------------
Run stats:
Instructions executed: 2929481 (55741 unique)
          Dirty pages: 1474560 bytes (0 MB)
      Memory accesses: 5626078 bytes (0 MB)
#1 cov: 55741 exec/s: 1.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 1 uptime: 1.0s

Progress has been made compared to the beginning(when I opened this issue), but the fuzzing has been stopped elsewhere.

The target program pushes 0x578fb488(which points the string) to the stack and soon accesses the address(0x578fb488).

However, as I checked with WinDbg, there is nothing in 0x578fb488. -> Incomplete dump?

Push 0x578fb488 before kso!WStr::WStr call.

Access 0x578fb488 in kso!WStr::WStr.

0vercl0k · 2022-07-12T17:44:43Z

OK I understand the issue and why your patch seems to work 🙂

The mistake I made is to forget you are dealing with a 32-bit application and that when the fshooks breakpoints get hit you are still running in 32-bit mode. This means that the size of the arguments is different than what the code is expecting.

One issue it creates is that when it generates a 64-bit handle 0x7f'ff'ff'ff'ff'ff'ff'fe it also writes a 64-bit handle into a 32-bit slot. This means we actually are overwriting the adjacent 32-bit (overflow) and we are also writing only the lower 32-bit of the handle value into the output handle. This means that the program will pass ff'ff'ff'ffe to NtReadFile and this gets sign extended by the fmt::print call to 0xff'ff'ff'ff'ff'ff'ff'fe which is why your patch seems to work. The truth is that it gets lucky and work on this case but will create more issues in the future.

To verify the above I've made the following quick fix:

  static const uint64_t LastGuestHandle = 0x7ffffffeULL;

And it 'works' as expected:

fs: Mapping already existing guest file \??\C:\Users\user\Desktop\wtf_input.xlsx with filestream(1807)
fs: ntdll!NtCreateFile(FileHandle=0x56e1b0, DesiredAccess=0x80100080, ObjectAttributes=0x56ea80 (\??\C:\Users\user\Desktop\wtf_input.xlsx), IoStatusBlock=0x56e1c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1 (FILE_SHARE_READ), CreateDisposition=0x1 (FILE_OPEN), CreateOptions=0x40 (FILE_NON_DIRECTORY_FILE), EaBuffer=0x0, EaLength=0x0)
fs: Opening 0x7ffffffe for \??\C:\Users\user\Desktop\wtf_input.xlsx
fs: ntdll!NtReadFile(FileHandle=0x7ffffffe, Event=0x0, ApcRoutine=0xfffffffe25ba4480, ApcContext=0x891130, IoStatusBlock=0x56e1f0, Buffer=0x99fc10, Length=0x4, ByteOffset=0x99fbc8, Key=0x0)
Need to implement ByteOffset?

Now, this is not the correct fix because the code still overflows the neighboring memory 😅 One way to fix that might to actually turn the ntdll breakpoints into nt which would allow them to work for both 64-bit programs as well as Wow64 bit programs; assuming there's no other issues. I think we need to address this issue before making some more progress!

Does this make sense 😊?

Cheers

donghyunlee00 · 2022-07-13T01:24:03Z

Thanks to you, I can better understand handling the file system in 32-bit and 64-bit😊

But,, any idea about incomplete dump that still exist? (#106 (comment))

(Several problems seem to be mixed in one issue. It would have been nice to discuss it by dividing it into several issues, I'm sorry I didn't know in advance.)

0vercl0k · 2022-07-15T15:22:05Z

Ha sorry I missed that other question - will take a look on Saturday! Cheers

…

On Tue, Jul 12, 2022 at 6:24 PM Donghyun Lee ***@***.***> wrote: Thanks to you, I can better understand handling the file system in 32-bit and 64-bit😊 But,, any idea about incomplete dump that still exist? (#106 (comment) <#106 (comment)>) (Several problems seem to be mixed in one issue. It would have been nice to discuss it by dividing it into several issues, I'm sorry I didn't know in advance.) — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORJLK6CUBPU6RLRBNPTVTYLD5ANCNFSM5YWPEBAA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

0vercl0k · 2022-07-19T06:06:40Z

Okay, based on what you are seeing it looks like some of the code isn't included in your dump. I wrote lockmem to address that class of issue; you can run it against your target before you acquire the dump and this should be fixed.

Cheers

0vercl0k · 2022-07-21T19:43:55Z

I put up #108 for you @donghyunlee00 - I have tried it against my old testcases for IDA and it looks to behave the same than when the hooks were at the ntdll level so it looks good.

Will merge in a few days if I don't hear feedback!

Cheers

0vercl0k · 2022-07-24T17:15:54Z

FWIW I went ahead and merged #108.

Cheers

0vercl0k · 2022-08-07T17:15:09Z

hey @donghyunlee00,

I haven't heard back from you in a little while so I'm going to consider this issue closed 😊

Please feel free to re-open at any point if you have any other questions!

Cheers

donghyunlee00 · 2022-08-12T06:28:19Z

Okay, based on what you are seeing it looks like some of the code isn't included in your dump. I wrote lockmem to address that class of issue; you can run it against your target before you acquire the dump and this should be fixed.

Cheers

Sorry for late comment.

If I double-clicked wtf_input.xlsx directly, I could see procexp result as follows.

And it seems that ABC.exe and XXX.exe use some dlls together, so I applied lockmem to both.

lockmem (XXX and then ABC)

lockmem (ABC and then XXX)

The dump was still incomplete.

0vercl0k · 2022-08-13T17:53:15Z

And you are grabbing the dump from et.exe or wps.exe? And the xlsxrw DLL is already loaded when you are running lockmem or it gets loaded after?

Cheers

donghyunlee00 · 2022-08-16T02:15:00Z

I'm grabbing the dump from XXX.exe. And the YYY.dll gets loaded after running lockmem.

Details

!gflag +ksl
sxe ld xlsxrw.dll
g

Run wps.exe and create empty file(et.exe invoked)
Run lockmem for wps.exe and et.exe
Open wtf_input.xlsx(xlsxrw.dll loaded)

bp xlsxrw+12aec2
g
.scriptload C:\Users\user\Desktop\tools\bdump\bdump.js
!wow64exts.sw
!bdump_full "C:\\Users\\user\\Downloads\\dump"

0vercl0k · 2022-08-16T02:38:49Z

Okay so you need to invoke lockmem *after* your module has been loaded, otherwise the tool doesn't get a chance to lock in the memory regions. One thing you can do is to attach a debugger, wait for the load module to happen, freeze the threads or make them loop, and invoke lockmem. Cheers

…

On Mon, Aug 15, 2022 at 7:15 PM Donghyun Lee ***@***.***> wrote: I'm grabbing the dump from et.exe. And the xlsxrw.dll gets loaded after running lockmem. Details !gflag +ksl sxe ld xlsxrw.dll g Run wps.exe and create empty file(et.exe invoked) Run lockmem for wps.exe and et.exe Open wtf_input.xlsx(xlsxrw.dll loaded) bp xlsxrw+12aec2 g .scriptload C:\Users\user\Desktop\tools\bdump\bdump.js !wow64exts.sw !bdump_full "C:\\Users\\user\\Downloads\\dump" — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORNSLFGX3I4WBDLT7QTVZL2S7ANCNFSM5YWPEBAA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

donghyunlee00 · 2022-08-16T02:47:47Z

Oh, I'll try it, thanks!
And so after YYY.dll is loaded, I don't have to run lockmem for XXX.exe and ABC.exe, I just have to run for XXX.exe, right?

0vercl0k · 2022-08-16T03:10:39Z

Yes that's correct, if you're not dumping `et.exe` then it is not important :) Cheers

…

On Mon, Aug 15, 2022 at 7:47 PM Donghyun Lee ***@***.***> wrote: Oh, I'll try it, thanks! And so after xlsxrw.dll is loaded, I don't have to run lockmem for et.exe and wps.exe, I just have to run for et.exe, right? — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORKJWM7ADW5JU2WRSE3VZL6N3ANCNFSM5YWPEBAA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

0vercl0k · 2022-08-17T15:48:38Z

Are we good to close @donghyunlee00 ?

Cheers

donghyunlee00 · 2022-08-18T06:11:35Z

Yup. I made a loop after the module was loaded, and invoked lockmem, as you said. Thanks a lot:)

donghyunlee00 · 2022-08-18T06:48:31Z

Oh I think this is the clue,,,

-  static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+  static const uint64_t LastGuestHandle = 0x7ffffffeULL;

BTW, for 32&64bit compatibility, I think it would be nice to change the LastGuestHandle value to 0x7ffffffeULL.. What do you think??

0vercl0k · 2022-08-18T15:37:17Z

Woot, awesome! Hmmm that's a good question. Let me try to think about this and get back to you 🤔 Cheers

…

On Wed, Aug 17, 2022 at 11:48 PM Donghyun Lee ***@***.***> wrote: Oh I think this is the clue,,, - static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;+ static const uint64_t LastGuestHandle = 0x7ffffffeULL; BTW, for 32&64bit compatibility, I think it would be better to change the LastGuestHandle value to 0x7ffffffeULL.. What do you think?? — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORK5WCT2MUPCYREFHZTVZXMETANCNFSM5YWPEBAA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

0vercl0k · 2022-08-20T19:30:13Z

I thought about this today and I think it makes sense @donghyunlee00, thanks for suggesting that; I have sent #127.

Cheers

donghyunlee00 · 2022-08-26T06:28:32Z

Okay so you need to invoke lockmem after your module has been loaded,
otherwise the tool doesn't get a chance to lock in the memory regions. One
thing you can do is to attach a debugger, wait for the load module to
happen, freeze the threads or make them loop, and invoke lockmem.

Cheers

How can I freeze threads in kernel mode WinDbg debugging?
There seems to be a command in user mode...

I mean, without making an infinite loop(eb fe(JMP TO SELF)).
-> This method seems to cause a big overhead.

0vercl0k · 2022-08-27T20:25:42Z

That's correct. I don't know how to do this in kernel mode from Windbg. You can force the thread to enter an infinite loop but that's about it. Cheers

…

On Thu, Aug 25, 2022 at 11:28 PM Donghyun Lee ***@***.***> wrote: Okay so you need to invoke lockmem *after* your module has been loaded, otherwise the tool doesn't get a chance to lock in the memory regions. One thing you can do is to attach a debugger, wait for the load module to happen, freeze the threads or make them loop, and invoke lockmem. Cheers How can I freeze threads in kernel mode WinDbg debugging? There seems to be a command in user mode... — Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORMOW32JA2JAJMUDCGDV3BPZVANCNFSM5YWPEBAA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

0vercl0k · 2022-10-11T08:53:46Z

Okay, based on what you are seeing it looks like some of the code isn't included in your dump. I wrote [lockmem](https://github.com/0vercl0k/lockmem) to address that class of issue; you can run it against your target before you acquire the dump and this should be fixed. Cheers

…

On Fri, Jul 15, 2022 at 8:21 AM Axel Souchet ***@***.***> wrote: Ha sorry I missed that other question - will take a look on Saturday! Cheers On Tue, Jul 12, 2022 at 6:24 PM Donghyun Lee ***@***.***> wrote: > Thanks to you, I can better understand handling the file system in 32-bit > and 64-bit😊 > > But,, any idea about incomplete dump that still exist? (#106 (comment) > <#106 (comment)>) > > (Several problems seem to be mixed in one issue. It would have been nice > to discuss it by dividing it into several issues, I'm sorry I didn't know > in advance.) > > — > Reply to this email directly, view it on GitHub > <#106 (comment)>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/AALIORJLK6CUBPU6RLRBNPTVTYLD5ANCNFSM5YWPEBAA> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

0vercl0k mentioned this issue Jul 21, 2022

The filesystem hooks don't play nice w/ Wow64 snapshots #107

Closed

0vercl0k closed this as completed Aug 7, 2022

0vercl0k reopened this Aug 13, 2022

0vercl0k closed this as completed Sep 11, 2022

fish3rman mentioned this issue Aug 7, 2024

It does not run successfully in a 32-bit environment and is recorded as a crash. #209

Closed

Harnessing w/ file-system hooks #106

Harnessing w/ file-system hooks #106

Comments

donghyunlee00 commented Jun 14, 2022 • edited Loading

Test Environment

Attachment

Issue

1st Try

2nd Try

ch4rli3kop commented Jun 23, 2022

0vercl0k commented Jun 23, 2022 via email

donghyunlee00 commented Jun 24, 2022 • edited Loading

donghyunlee00 commented Jun 24, 2022 • edited Loading

y0ny0ns0n commented Jun 25, 2022

donghyunlee00 commented Jun 27, 2022 • edited Loading

y0ny0ns0n commented Jun 27, 2022

donghyunlee00 commented Jun 28, 2022 • edited Loading

0vercl0k commented Jun 28, 2022

donghyunlee00 commented Jul 1, 2022 • edited Loading

donghyunlee00 commented Jul 1, 2022

y0ny0ns0n commented Jul 1, 2022 • edited Loading

0vercl0k commented Jul 2, 2022

donghyunlee00 commented Jul 12, 2022 • edited Loading

donghyunlee00 commented Jul 12, 2022

0vercl0k commented Jul 12, 2022 via email

donghyunlee00 commented Jul 12, 2022 • edited Loading

donghyunlee00 commented Jul 12, 2022 • edited Loading

0vercl0k commented Jul 12, 2022 • edited Loading

donghyunlee00 commented Jul 13, 2022

0vercl0k commented Jul 15, 2022 via email

0vercl0k commented Jul 19, 2022

0vercl0k commented Jul 21, 2022

0vercl0k commented Jul 24, 2022

0vercl0k commented Aug 7, 2022

donghyunlee00 commented Aug 12, 2022 • edited Loading

0vercl0k commented Aug 13, 2022 • edited Loading

donghyunlee00 commented Aug 16, 2022 • edited Loading

0vercl0k commented Aug 16, 2022 via email

donghyunlee00 commented Aug 16, 2022 • edited Loading

0vercl0k commented Aug 16, 2022 via email

0vercl0k commented Aug 17, 2022

donghyunlee00 commented Aug 18, 2022 • edited Loading

donghyunlee00 commented Aug 18, 2022 • edited Loading

0vercl0k commented Aug 18, 2022 via email

0vercl0k commented Aug 20, 2022

donghyunlee00 commented Aug 26, 2022 • edited Loading

0vercl0k commented Aug 27, 2022 via email

0vercl0k commented Oct 11, 2022 via email

donghyunlee00 commented Jun 14, 2022 •

edited

Loading

donghyunlee00 commented Jun 24, 2022 •

edited

Loading

donghyunlee00 commented Jun 24, 2022 •

edited

Loading

donghyunlee00 commented Jun 27, 2022 •

edited

Loading

donghyunlee00 commented Jun 28, 2022 •

edited

Loading

donghyunlee00 commented Jul 1, 2022 •

edited

Loading

y0ny0ns0n commented Jul 1, 2022 •

edited

Loading

donghyunlee00 commented Jul 12, 2022 •

edited

Loading

donghyunlee00 commented Jul 12, 2022 •

edited

Loading

donghyunlee00 commented Jul 12, 2022 •

edited

Loading

0vercl0k commented Jul 12, 2022 •

edited

Loading

donghyunlee00 commented Aug 12, 2022 •

edited

Loading

0vercl0k commented Aug 13, 2022 •

edited

Loading

donghyunlee00 commented Aug 16, 2022 •

edited

Loading

donghyunlee00 commented Aug 16, 2022 •

edited

Loading

donghyunlee00 commented Aug 18, 2022 •

edited

Loading

donghyunlee00 commented Aug 18, 2022 •

edited

Loading

donghyunlee00 commented Aug 26, 2022 •

edited

Loading