A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #23036  by kmd
 Wed Jun 04, 2014 1:27 pm
Title says it all, I can't find it in kernel :(
Code:
PAGE:00000001404E571C SepInitializeCodeIntegrity proc near
PAGE:00000001404E571C arg_0           = qword ptr  8
PAGE:00000001404E571C                 mov     [rsp+arg_0], rbx
PAGE:00000001404E5721                 push    rdi
PAGE:00000001404E5722                 sub     rsp, 20h
PAGE:00000001404E5726                 mov     edi, 6
PAGE:00000001404E572B                 lea     rcx, g_CiCallbacks ; void *
PAGE:00000001404E5732                 xor     edx, edx        ; int
PAGE:00000001404E5734                 lea     ebx, [rdi+3Ah]
PAGE:00000001404E5737                 mov     r8d, ebx        ; size_t
PAGE:00000001404E573A                 call    memset
PAGE:00000001404E573F                 mov     rax, cs:KeLoaderBlock_0
PAGE:00000001404E5746                 mov     cs:g_CiCallbacks, ebx
PAGE:00000001404E574C                 xor     ebx, ebx
PAGE:00000001404E574E                 test    rax, rax
PAGE:00000001404E5751                 jz      short loc_1404E57C3
PAGE:00000001404E5753                 cmp     [rax+0B8h], rbx
PAGE:00000001404E575A                 jz      short loc_1404E57BA
PAGE:00000001404E575C                 mov     rcx, [rax+0B8h]
PAGE:00000001404E5763                 lea     rdx, aDisable_integr ; "DISABLE_INTEGRITY_CHECKS"
PAGE:00000001404E576A                 call    SepIsOptionPresent
PAGE:00000001404E576F                 mov     rcx, cs:KeLoaderBlock_0
PAGE:00000001404E5776                 lea     rdx, aTestsigning ; "TESTSIGNING"
PAGE:00000001404E577D                 mov     rcx, [rcx+0B8h]
PAGE:00000001404E5784                 test    eax, eax
PAGE:00000001404E5786                 cmovnz  edi, ebx
PAGE:00000001404E5789                 call    SepIsOptionPresent
PAGE:00000001404E578E                 test    eax, eax
PAGE:00000001404E5790                 jz      short loc_1404E5795
PAGE:00000001404E5792                 or      edi, 8
PAGE:00000001404E5795 loc_1404E5795:                          ; CODE XREF: SepInitializeCodeIntegrity+74j
PAGE:00000001404E5795                 mov     rcx, cs:KeLoaderBlock_0
PAGE:00000001404E579C                 lea     rdx, aMintcbignorede ; "MINTCBIGNOREDEBUGGER"
PAGE:00000001404E57A3                 mov     rcx, [rcx+0B8h]
PAGE:00000001404E57AA                 call    SepIsOptionPresent
PAGE:00000001404E57AF                 test    eax, eax
PAGE:00000001404E57B1                 mov     rax, cs:KeLoaderBlock_0
PAGE:00000001404E57B8                 jnz     short loc_1404E57ED
PAGE:00000001404E57BA loc_1404E57BA:                          ; CODE XREF: SepInitializeCodeIntegrity+3Ej
PAGE:00000001404E57BA                                         ; SepInitializeCodeIntegrity+D8j
PAGE:00000001404E57BA                 test    rax, rax
PAGE:00000001404E57BD                 jz      short loc_1404E57C3
PAGE:00000001404E57BF                 lea     rbx, [rax+30h]
PAGE:00000001404E57C3 loc_1404E57C3:                          ; CODE XREF: SepInitializeCodeIntegrity+35j
PAGE:00000001404E57C3                                         ; SepInitializeCodeIntegrity+A1j
PAGE:00000001404E57C3                 lea     r9, g_CiCallbacks
PAGE:00000001404E57CA                 lea     r8, off_140091718
PAGE:00000001404E57D1                 mov     rdx, rbx
PAGE:00000001404E57D4                 mov     ecx, edi
PAGE:00000001404E57D6                 mov     rbx, [rsp+28h+arg_0]
PAGE:00000001404E57DB                 add     rsp, 20h
PAGE:00000001404E57DF                 pop     rdi
PAGE:00000001404E57E0                 jmp     cs:__imp_CiInitialize
PAGE:00000001404E57E0 ; ---------------------------------------------------------------------------
PAGE:00000001404E57E7                 db 6 dup(90h)
PAGE:00000001404E57ED ; ---------------------------------------------------------------------------
PAGE:00000001404E57ED loc_1404E57ED:                          ; CODE XREF: SepInitializeCodeIntegrity+9Cj
PAGE:00000001404E57ED                 or      dword ptr cs:qword_140289610, 1
PAGE:00000001404E57F4                 jmp     short loc_1404E57BA
PAGE:00000001404E57F4 SepInitializeCodeIntegrity endp
 #23037  by EP_X0FF
 Wed Jun 04, 2014 1:45 pm
I assume you want to disable/manipulate it.

There is no such thing as g_CiEnabled in anything above Windows 7. It was included as one of the flags in the variable called g_CiOptions, which is located inside CI.DLL.
Additionally, since Windows 8.1 g_CiOptions is protected by KPP.

So things like what was done by Turla don't work anymore with modern Windows.
 #23039  by kmd
 Wed Jun 04, 2014 3:52 pm
Can I zero g_CiOptions? Will that turn off DSE?
 #23040  by EP_X0FF
 Wed Jun 04, 2014 3:58 pm
kmd wrote: thanks
Can I zero g_CiOptions? Will that turn off DSE?
Yes. You can experiment with the windbg eb command. Default g_CiOptions value is 6.
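As an added illustration (not part of any post in this thread), here is a Python model of the boot-option handling visible in kmd's SepInitializeCodeIntegrity listing, which also shows where EP_X0FF's "default value is 6" comes from. The only values used are the ones in the listing (edi starts at 6, TESTSIGNING ORs in 8, DISABLE_INTEGRITY_CHECKS zeroes the value, MINTCBIGNOREDEBUGGER sets a separate global); the token-matching behaviour of SepIsOptionPresent and the meaning of the bits are assumptions, marked as such in the code, and the decoder is meant for reading a value observed in a memory dump, not for changing it.

```python
# Added example modelling the SepInitializeCodeIntegrity listing (not kernel code).
from typing import Optional, Dict

# Constants read directly from the listing.
CI_OPTIONS_DEFAULT = 0x6        # "mov edi, 6"
CI_OPTION_TESTSIGNING = 0x8     # "or edi, 8"
CI_CALLBACKS_SIZE = 0x40        # "lea ebx, [rdi+3Ah]" with rdi == 6 -> memset size
IGNORE_DEBUGGER_FLAG = 0x1      # "or dword ptr cs:qword_140289610, 1"


def sep_is_option_present(load_options: str, name: str) -> bool:
    """ASSUMED model of SepIsOptionPresent: case-insensitive match of a
    whitespace-delimited token (with an optional '=value' suffix) in
    LoaderBlock->LoadOptions. The real matching rules are not on the page."""
    return any(tok.split("=", 1)[0].upper() == name.upper()
               for tok in load_options.split())


def sep_initialize_code_integrity(load_options: Optional[str]) -> Dict[str, int]:
    """Reproduce the listing's control flow. None models a NULL KeLoaderBlock or a
    NULL LoadOptions pointer; both paths reach CiInitialize with the default value."""
    ci_options = CI_OPTIONS_DEFAULT
    ignore_debugger = 0
    if load_options is not None:
        if sep_is_option_present(load_options, "DISABLE_INTEGRITY_CHECKS"):
            ci_options = 0                    # "cmovnz edi, ebx" with ebx == 0
        if sep_is_option_present(load_options, "TESTSIGNING"):
            ci_options |= CI_OPTION_TESTSIGNING
        if sep_is_option_present(load_options, "MINTCBIGNOREDEBUGGER"):
            ignore_debugger |= IGNORE_DEBUGGER_FLAG
    # CiInitialize(edi, rbx, off_140091718, &g_CiCallbacks) receives ci_options.
    return {"ci_options": ci_options, "ignore_debugger": ignore_debugger,
            "callbacks_size": CI_CALLBACKS_SIZE}


def describe_ci_options(value: int) -> Dict[str, bool]:
    """Decode an observed CiOptions value (e.g. read from a crash dump) using only
    what the listing shows. ASSUMPTION: the default bits (6) being cleared is what
    the DISABLE_INTEGRITY_CHECKS path produces, so their absence is the signal."""
    return {
        "default_bits_present": (value & CI_OPTIONS_DEFAULT) == CI_OPTIONS_DEFAULT,
        "integrity_checks_disabled": (value & CI_OPTIONS_DEFAULT) == 0,
        "test_signing": bool(value & CI_OPTION_TESTSIGNING),
    }
```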