To be documented soon:
mimikatz # [...]
kListNotifyObjects
[...]

Process
 - Open      : FFFFF80002DA6960 [ntoskrnl.exe+3463520]
 - Close     : FFFFF80002D8B074 [ntoskrnl.exe+3350644]
 - Delete    : FFFFF80002D8A330 [ntoskrnl.exe+3347248]
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF880033083C8 [klif.sys+218056] / FFFFF880033087D4 [klif.sys+219092]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Token
 - Delete    : FFFFF80002D9BED0 [ntoskrnl.exe+3419856]
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Mutant
 - Delete    : FFFFF80002AA27E4 [ntoskrnl.exe+301028]
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
File
 - Close     : FFFFF80002DDB580 [ntoskrnl.exe+3679616]
 - Delete    : FFFFF80002DCFEC0 [ntoskrnl.exe+3632832]
 - Parse     : FFFFF80002DF7AF0 [ntoskrnl.exe+3795696]
 - Security  : FFFFF80002DB3240 [ntoskrnl.exe+3514944]
 - QueryName : FFFFF80002DB3514 [ntoskrnl.exe+3515668]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Semaphore
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Section
 - Delete    : FFFFF80002DEFFA0 [ntoskrnl.exe+3764128]
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Thread
 - Open      : FFFFF80002DBF91C [ntoskrnl.exe+3565852]
 - Delete    : FFFFF80002DA9030 [ntoskrnl.exe+3473456]
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF880033083C8 [klif.sys+218056] / FFFFF880033087D4 [klif.sys+219092]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Event
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
ALPC Port
 - Open      : FFFFF80002DB1980 [ntoskrnl.exe+3508608]
 - Close     : FFFFF80002D76EA0 [ntoskrnl.exe+3268256]
 - Delete    : FFFFF80002D759D4 [ntoskrnl.exe+3262932]
 - Security  : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
Sandboxie registering callbacks on object types other than Process and Thread on x64 is unsupported, but it is still cleaner than what it does on x86, where it replaces those objects' default system procedures…
mimikatz # [...]
kListNotifyObjects
[...]

Process
 - Open      : 9269B070 [?]
 - Close     : 82ABFF55 [ntkrnlpa.exe+2559829]
 - Delete    : 82AC281C [ntkrnlpa.exe+2570268]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
 * Callback 3 : 87CCACB2 [MpFilter.sys+97458] / 00000000 [?]
Token
 - Open      : 9269B020 [?]
 - Delete    : 82AA9120 [ntkrnlpa.exe+2466080]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
Mutant
 - Open      : 9269B250 [?]
 - Delete    : 8290FFAB [ntkrnlpa.exe+790443]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
File
 - Close     : 82A8188B [ntkrnlpa.exe+2304139]
 - Delete    : 82A809D3 [ntkrnlpa.exe+2300371]
 - Parse     : 9269B110 [?]
 - Security  : 82AB33BD [ntkrnlpa.exe+2507709]
 - QueryName : 82ABF86E [ntkrnlpa.exe+2558062]
Semaphore
 - Open      : 9269B2A0 [?]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
Section
 - Open      : 9269B2F0 [?]
 - Delete    : 82A71981 [ntkrnlpa.exe+2238849]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
Thread
 - Open      : 9269B0C0 [?]
 - Delete    : 82AB89BB [ntkrnlpa.exe+2529723]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
Event
 - Open      : 9269B200 [?]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
ALPC Port
 - Open      : 9269B340 [?]
 - Close     : 82AAF0A3 [ntkrnlpa.exe+2490531]
 - Delete    : 82AAE8AC [ntkrnlpa.exe+2488492]
 - Security  : 82AB47D6 [ntkrnlpa.exe+2512854]
Device
 - Delete    : 82A0A338 [ntkrnlpa.exe+1815352]
 - Parse     : 9269B160 [?]
 - Security  : 82AB33BD [ntkrnlpa.exe+2507709]
Key
 - Close     : 82A9B2E6 [ntkrnlpa.exe+2409190]
 - Delete    : 82A8280B [ntkrnlpa.exe+2308107]
 - Parse     : 9269B1B0 [?]
 - Security  : 82A4431B [ntkrnlpa.exe+2052891]
 - QueryName : 82A3AD00 [ntkrnlpa.exe+2014464]
Despite the ? on line 6 (the Process Open entry), which indicates that the address 0x9269b070 could not be matched to any loaded module, it really is Sandboxie that placed a trampoline there:
9269b070 8bc0            mov     eax,eax
9269b072 b88e07b191      mov     eax,offset SbieDrv+0x1378e (91b1078e)
9269b077 6a00            push    0
9269b079 6a00            push    0
9269b07b ffd0            call    eax
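As an added example (not mimikatz code, written for this post), here is a small Python parser for the kListNotifyObjects dump format shown above: it decodes the Callback mask the way Alex's comment below describes (3 = HANDLE_CREATE | HANDLE_DUPLICATE, values from ntddk.h) and lists the object-type procedures that resolved to no module ([?]), which is exactly what gave the x86 Sandboxie trampoline away. The sample input is constructed from lines of the two dumps above.

```python
import re

# OB_OPERATION_* values from ntddk.h; mimikatz prints the mask after "Callback",
# so "Callback 3" is HANDLE_CREATE | HANDLE_DUPLICATE, not a third kind of callback.
OB_OPERATIONS = {0x1: "HANDLE_CREATE", 0x2: "HANDLE_DUPLICATE"}

# Constructed sample: lines taken from the x86 (Process) and x64 (Thread) dumps above.
SAMPLE = """\
Process
 - Open      : 9269B070 [?]
 - Close     : 82ABFF55 [ntkrnlpa.exe+2559829]
 * Callback 3 : 87CCACB2 [MpFilter.sys+97458] / 00000000 [?]
Thread
 - Open      : FFFFF80002DBF91C [ntoskrnl.exe+3565852]
 * Callback 1 : FFFFF880033083C8 [klif.sys+218056] / FFFFF880033087D4 [klif.sys+219092]
 * Callback 1 : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
"""

ADDR = r"([0-9A-Fa-f]+)\s*\[([^\]]*)\]"  # "ADDR [module+offset]" or "ADDR [?]"
PROC_RE = re.compile(r"^\s*-\s*(\w+)\s*:\s*" + ADDR)
CB_RE = re.compile(r"^\s*\*\s*Callback\s+(\d+)\s*:\s*" + ADDR + r"\s*/\s*" + ADDR)

def operations(mask):
    """Names of the OB_OPERATION_* bits set in a Callback mask (3 -> both)."""
    return [name for bit, name in OB_OPERATIONS.items() if mask & bit]

def parse(text):
    """object type -> {'procedures': {name: (addr, module)}, 'callbacks': [dict]}."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := PROC_RE.match(line):
            objects[current]["procedures"][m[1]] = (int(m[2], 16), m[3])
        elif m := CB_RE.match(line):
            objects[current]["callbacks"].append({
                "operations": operations(int(m[1])),
                "pre": (int(m[2], 16), m[3]),
                "post": (int(m[4], 16), m[5]),  # 00000000 [?] = no post-op routine
            })
        else:  # a bare name ("Process", "ALPC Port") opens a new object type
            current = line.strip()
            objects[current] = {"procedures": {}, "callbacks": []}
    return objects

def unresolved_procedures(objects):
    """Type procedures whose address matched no module: the x86 trampoline case above."""
    return [(obj, name, addr) for obj, d in objects.items()
            for name, (addr, mod) in d["procedures"].items() if mod == "?"]
```

A NULL post-operation routine (00000000 [?]) on a Callback line is normal and is not reported; only the "-" type procedures are checked for an unresolved address.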
It's not type 3, it's an OR of types 1 and 2 :)
Exactly, a very poor reading of MSDN on my part!
See http://msdn.microsoft.com/library/windows/hardware/ff558718.aspx
Article updated accordingly ;)
Thanks Alex!