check read access when dump file name in _FILE_OBJECT

nganhkhoa · May 28, 2020 · 4bf2bb7 · 4bf2bb7
1 parent ecc476c
commit 4bf2bb7
Show file tree

Hide file tree

Showing 6 changed files with 51,116 additions and 12 deletions.
diff --git a/logs/eprocess_scan_log_2.txt b/logs/eprocess_scan_log_2.txt
diff --git a/logs/file_object_scan_log_2.txt b/logs/file_object_scan_log_2.txt
diff --git a/other/parse_file_scan_result.py b/other/parse_file_scan_result.py
@@ -0,0 +1,20 @@
+import sys
+import re
+
+s = list(filter(lambda x: "unicode" in x, open(sys.argv[1], 'r').read().split('\n')))
+
+
+m = re.compile(r"unicode str: (0x[0-9a-f]+) size: (0x[0-9a-f]+) capacity: (0x[0-9a-f]+)")
+
+ss = list(filter(lambda x: int(x[0], 16) != 0 and int(x[1], 16) <= int(x[2], 16) and int(x[1], 16) != 0 and int(x[1], 16) % 2 == 0,
+                 map(lambda x: m.match(x).group(1,2,3), s)))
+
+aa = set()
+bb = set()
+
+for (a, s, c) in ss:
+    if a in aa or a in bb:
+        continue
+    aa.add(a)
+    # print("du", a, "|", s, c)
+    print("du", a)
diff --git a/src/bin/eprocess_scan.rs b/src/bin/eprocess_scan.rs
@@ -62,7 +62,7 @@ fn main() -> Result<(), Box<dyn Error>> {
 
         driver.deref_addr(try_eprocess_ptr + eprocess_name_offset, &mut image_name);
         driver.deref_addr(try_eprocess_ptr + eprocess_image_file_ptr_offset, &mut file_object_ptr);
-        let filename = if file_object_ptr != 0 { driver.get_unicode_string(file_object_ptr + fob_filename_offset)? }
+        let filename = if file_object_ptr != 0 { driver.get_unicode_string(file_object_ptr + fob_filename_offset, true)? }
                        else { "".to_string() };
 
         if let Ok(name) = from_utf8(&image_name) {

diff --git a/src/bin/file_object_scan.rs b/src/bin/file_object_scan.rs
@@ -13,6 +13,7 @@ fn main() -> Result<(), Box<dyn Error>> {
 
         let fob_size = driver.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;
         let fob_size_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.Size")?;
+        let fob_read_access_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.ReadAccess")?;
         let fob_filename_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.FileName")?;
 
         let valid_end = (pool_addr + chunk_size) - fob_size;
@@ -29,13 +30,20 @@ fn main() -> Result<(), Box<dyn Error>> {
             try_ptr += 0x4;        // search exhaustively
         }
         if try_ptr > valid_end {
+            println!("pool: 0x{:x} cannot detect file object", pool_addr);
             return Ok(false);
         }
         let fob_addr = try_ptr;
-        // println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: {}", pool_addr, fob_addr, fob_addr - pool_addr);
-        if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset) {
-            println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: {} | {}",
-                    pool_addr, fob_addr, fob_addr - pool_addr, filename);
+        let mut read_ok = 0u8;
+        driver.deref_addr(fob_addr + fob_read_access_offset, &mut read_ok);
+
+        println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr);
+        if read_ok == 0 {
+            println!("      [NOT READABLE]");
+            return Ok(true);
+        }
+        if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {
+            println!("      {}", filename);
             return Ok(true);
         }
         Ok(false)

diff --git a/src/driver_state.rs b/src/driver_state.rs
@@ -161,14 +161,12 @@ impl DriverState {
                 scan_range: ScanPoolData::new(&[ptr, end_address], tag)
             };
             self.windows_ffi.device_io(code, &mut input, &mut ptr);
+            // println!("found: 0x{:x}", ptr);
             if ptr >= end_address {
                 break;
             }
 
             let pool_addr = ptr;
-            // println!("chunk: 0x{:x}", pool_addr);
-            // ptr += 0x4;
-            // continue;
             let mut header = vec![0u8; pool_header_size as usize];
             self.deref_addr_ptr(pool_addr, header.as_mut_ptr(), pool_header_size);
             let chunk_size = (header[2] as u64) * 16u64;
@@ -184,11 +182,10 @@ impl DriverState {
                 continue;
             }
 
-            // ptr += 0x4;
-            // continue;
             let success = handler(pool_addr, &header, pool_addr + pool_header_size)?;
             if success {
                 ptr += chunk_size; /* pass this chunk */
+                // ptr += 0x4;
             }
             else {
                 ptr += 0x4; /* search next */
@@ -243,7 +240,7 @@ impl DriverState {
                                        outptr as *mut c_void, output_len as DWORD);
     }
 
-    pub fn get_unicode_string(&self, unicode_str_addr: u64) -> BoxResult<String> {
+    pub fn get_unicode_string(&self, unicode_str_addr: u64, deref: bool) -> BoxResult<String> {
         let mut strlen = 0u16;
         let mut capacity = 0u16;
         let mut bufaddr = 0u64;
@@ -254,10 +251,15 @@ impl DriverState {
         self.deref_addr(capacity_addr, &mut capacity);
         self.deref_addr(buffer_ptr, &mut bufaddr);
 
-        if bufaddr == 0 || strlen > capacity || strlen == 0 {
+        // println!("unicode str: 0x{:x} size: 0x{:x} capacity: 0x{:x}", bufaddr, strlen, capacity);
+        if bufaddr == 0 || strlen > capacity || strlen == 0 || strlen % 2 != 0 {
             return Err("Unicode string is empty".into());
         }
 
+        if !deref {
+            return Ok("".to_string());
+        }
+
         let mut buf = vec![0u16; (strlen / 2) as usize];
         self.deref_addr_ptr(bufaddr, buf.as_mut_ptr(), strlen as u64);