A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23205  by myid
 Thu Jun 26, 2014 2:51 am
Hi everyone. I have a very hard question.
If someone hooks a dispatch function of NTFS.SYS (IRP hook), how do you get the original address without using a symbol file in kernel mode?

For example, IRP_MJ_CREATE of NTFS.SYS is the unexported function "NtfsFsdCreate".
My question is: how do I get the original address of NtfsFsdCreate?

Please tell me details.
 #23206  by EP_X0FF
 Thu Jun 26, 2014 3:08 am
Scan the ntfs.sys DriverEntry with a length disassembler and extract the pointers from where it fills the driver object's major functions structure. They will all come one after another. Then ntfs.sys image base + extracted pointers gives their real addresses.
Code:
INIT:000000000019525C                 call    cs:__imp_RtlCopyUnicodeString
INIT:0000000000195262                 lea     rax, NtfsFsdDispatch
INIT:0000000000195269                 lea     r11, NtfsFsdDispatchWait
INIT:0000000000195270                 mov     [rbp+0C8h], rax
INIT:0000000000195277                 mov     [rbp+0C0h], rax
INIT:000000000019527E                 mov     [rbp+118h], rax
INIT:0000000000195285                 mov     [rbp+110h], rax
INIT:000000000019528C                 mov     [rbp+98h], r11
INIT:0000000000195293                 mov     [rbp+140h], r11
INIT:000000000019529A                 mov     [rbp+138h], r11
INIT:00000000001952A1                 mov     [rbp+0B0h], r11
INIT:00000000001952A8                 mov     [rbp+0A8h], r11
INIT:00000000001952AF                 lea     rax, NtfsFsdLockControl
INIT:00000000001952B6                 mov     [rbp+0F8h], rax
INIT:00000000001952BD                 lea     rax, NtfsFsdDirectoryControl
INIT:00000000001952C4                 mov     [rbp+0D0h], rax
INIT:00000000001952CB                 lea     rax, NtfsFsdSetInformation
INIT:00000000001952D2                 mov     [rbp+0A0h], rax
INIT:00000000001952D9                 lea     rax, NtfsFsdCreate
INIT:00000000001952E0                 mov     [rbp+70h], rax
INIT:00000000001952E4                 lea     rax, NtfsFsdClose
INIT:00000000001952EB                 mov     [rbp+80h], rax
INIT:00000000001952F2                 lea     rax, NtfsFsdRead
INIT:00000000001952F9                 mov     [rbp+88h], rax
INIT:0000000000195300                 lea     rax, NtfsFsdWrite
INIT:0000000000195307                 mov     [rbp+90h], rax
INIT:000000000019530E                 lea     rax, NtfsFsdFlushBuffers
INIT:0000000000195315                 mov     [rbp+0B8h], rax
INIT:000000000019531C                 lea     rax, NtfsFsdFileSystemControl
INIT:0000000000195323                 mov     [rbp+0D8h], rax
INIT:000000000019532A                 lea     rax, NtfsFsdCleanup
INIT:0000000000195331                 mov     [rbp+100h], rax
INIT:0000000000195338                 lea     rax, NtfsFsdShutdown
INIT:000000000019533F                 mov     [rbp+0F0h], rax
INIT:0000000000195346                 lea     rax, NtfsFsdPnp
INIT:000000000019534D                 mov     [rbp+148h], rax
INIT:0000000000195354                 lea     rax, NtfsFsdDeviceControl
INIT:000000000019535B                 mov     [rbp+0E0h], rax
INIT:0000000000195362                 lea     rax, NtfsFastIoDispatch
INIT:0000000000195369                 mov     [rbp+50h], rax
INIT:000000000019536D                 lea     rax, NtfsFastIoCheckIfPossible
INIT:0000000000195374                 mov     dword ptr cs:NtfsFastIoDispatch, 0E0h
INIT:000000000019537E                 mov     qword ptr cs:unk_6ED88, rax
INIT:0000000000195385                 lea     rax, NtfsCopyReadA
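To make the approach above concrete, here is an added example (not code from this thread, from ntfs.sys or from any project): a minimal length decoder for the two instruction shapes in the listing, `lea reg,[rip+disp32]` and `mov [rbp+disp],reg`, run over constructed bytes modelled on it, followed by the comparison an IRP-hook detector makes against the live MajorFunction table. The handler RVAs (0x5000 and so on), the 0x1000 code RVA and the image base in the test are constructed placeholders; the 0x70 offset of DRIVER_OBJECT.MajorFunction and the 8-byte stride are the real x64 layout, which is why the listing's `[rbp+70h]` is NtfsFsdCreate (IRP_MJ_CREATE) and `[rbp+80h]` is NtfsFsdClose (IRP_MJ_CLOSE).

```c
#include <stdint.h>
#include <string.h>
#define MAJOR_FUNCTION_OFFSET 0x70u   /* DRIVER_OBJECT.MajorFunction on x64 */
#define IRP_MJ_COUNT 28u              /* IRP_MJ_MAXIMUM_FUNCTION + 1 */

/* Constructed DriverEntry stand-in (assumed RVA 0x1000), modelled on the listing: lea rax,X; lea r11,Y;
 * mov [rbp+0C8h],rax; mov [rbp+98h],r11; lea rax,Z; mov [rbp+70h],rax; lea rax,W; mov [rbp+80h],rax; call */
static const uint8_t kDriverEntry[] = {
    0x48,0x8D,0x05,0xF9,0x3F,0x00,0x00,  0x4C,0x8D,0x1D,0xF2,0x4F,0x00,0x00,
    0x48,0x89,0x85,0xC8,0x00,0x00,0x00,  0x4C,0x89,0x9D,0x98,0x00,0x00,0x00,
    0x48,0x8D,0x05,0xDD,0x5F,0x00,0x00,  0x48,0x89,0x45,0x70,
    0x48,0x8D,0x05,0xD2,0x6F,0x00,0x00,  0x48,0x89,0x85,0x80,0x00,0x00,0x00,
    0xFF,0x15,0x00,0x00,0x00,0x00 };

/* Length-decode the "lea reg,[rip+disp32]" / "mov [rbp+disp],reg" pairs that fill the driver object
 * and record each handler's RVA by IRP_MJ index (0 = not seen); stops at the first other instruction. */
size_t scan_major_functions(const uint8_t *code, size_t len, uint32_t code_rva,
                            uint32_t major_rva[IRP_MJ_COUNT])
{
    uint32_t last_lea[16] = {0}; size_t pos = 0, found = 0;   /* latest lea target, per register */
    memset(major_rva, 0, IRP_MJ_COUNT * sizeof major_rva[0]);
    while (pos + 4 <= len) {
        uint8_t rex = code[pos], op = code[pos + 1], modrm = code[pos + 2];
        int32_t disp = (int8_t)code[pos + 3];                  /* disp8 form; disp32 overwrites */
        if ((rex & 0xF8) != 0x48) break;                       /* REX.W required */
        unsigned reg = ((modrm >> 3) & 7) | ((rex & 4) << 1);  /* REX.R selects r8-r15 */
        int is_lea = op == 0x8D && (modrm & 0xC7) == 0x05;     /* lea reg,[rip+disp32] */
        int is_mov = op == 0x89 && ((modrm & 0xC7) == 0x45 || (modrm & 0xC7) == 0x85);
        if (!is_lea && !is_mov) break;                         /* mov [rbp+disp8|disp32],reg */
        if (is_lea || (modrm & 0x80)) {                        /* 7-byte disp32 encodings */
            if (pos + 7 > len) break;
            memcpy(&disp, code + pos + 3, 4); pos += 7;
        } else pos += 4;
        if (is_lea) { last_lea[reg] = code_rva + (uint32_t)pos + (uint32_t)disp; continue; } /* rip = next insn */
        unsigned idx = ((unsigned)disp - MAJOR_FUNCTION_OFFSET) / 8;
        if (disp >= (int32_t)MAJOR_FUNCTION_OFFSET && (disp & 7) == 0 &&
            idx < IRP_MJ_COUNT && last_lea[reg]) { major_rva[idx] = last_lea[reg]; found++; }
    }
    return found;
}

/* Flag live MajorFunction entries that differ from image_base + the RVA DriverEntry installed (bitmask). */
uint32_t find_hooked_entries(uint64_t image_base, const uint32_t major_rva[IRP_MJ_COUNT],
                             const uint64_t live[IRP_MJ_COUNT])
{
    uint32_t mask = 0;
    for (unsigned i = 0; i < IRP_MJ_COUNT; i++)
        if (major_rva[i] && live[i] != image_base + major_rva[i]) mask |= 1u << i;
    return mask;
}
```

Note that the listing lives in the INIT section, which Windows discards once DriverEntry returns, so in practice the bytes are read from the ntfs.sys file image (using the loaded image base for the RVA arithmetic) rather than from the running driver's memory.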
 #23207  by t4L
 Thu Jun 26, 2014 4:00 am
There're 3 methods:

+ Hardcoded addresses: you can check the version of NTFS.sys by checksums, strings, etc., and get the corresponding hardcoded addresses.
+ Use a disassembler engine to scan for it, as EP_X0FF suggests. Kind of advanced hardcoding anyway, since you still have to assume some conditions (bytes, relative offsets).
+ Use disassembler engines for cross-references on specific symbols: more advanced, requires more work, but would be more universal across different versions of NTFS.sys, even future versions.

I recommend you try the 3rd one, 'cos you wouldn't have to change too much when newer NTFS.sys drivers are released.
 #23215  by myid
 Fri Jun 27, 2014 2:16 am
EP_X0FF wrote: Scan the ntfs.sys DriverEntry with a length disassembler and extract the pointers from where it fills the driver object's major functions structure. They will all come one after another. Then ntfs.sys image base + extracted pointers gives their real addresses.
Could you give me more tips, or a code demo?
 #23216  by myid
 Fri Jun 27, 2014 2:17 am
t4L wrote:There're 3 methods:

+ Hardcoded addresses: you can check the version of NTFS.sys by checksums, strings, etc., and get the corresponding hardcoded addresses.
+ Use a disassembler engine to scan for it, as EP_X0FF suggests. Kind of advanced hardcoding anyway, since you still have to assume some conditions (bytes, relative offsets).
+ Use disassembler engines for cross-references on specific symbols: more advanced, requires more work, but would be more universal across different versions of NTFS.sys, even future versions.

I recommend you try the 3rd one, 'cos you wouldn't have to change too much when newer NTFS.sys drivers are released.
How do I use a symbol file in kernel mode?