mimikatz: kernel callbacks

pingouins

To be documented soon:

mimikatz # [...]
kListNotifyObjects

[...]
Process
 - Open        : FFFFF80002DA6960 [ntoskrnl.exe+3463520]
 - Close       : FFFFF80002D8B074 [ntoskrnl.exe+3350644]
 - Delete      : FFFFF80002D8A330 [ntoskrnl.exe+3347248]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF880033083C8 [klif.sys+218056] / FFFFF880033087D4 [klif.sys+219092]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Token
 - Delete      : FFFFF80002D9BED0 [ntoskrnl.exe+3419856]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Mutant
 - Delete      : FFFFF80002AA27E4 [ntoskrnl.exe+301028]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

File
 - Close       : FFFFF80002DDB580 [ntoskrnl.exe+3679616]
 - Delete      : FFFFF80002DCFEC0 [ntoskrnl.exe+3632832]
 - Parse       : FFFFF80002DF7AF0 [ntoskrnl.exe+3795696]
 - Security    : FFFFF80002DB3240 [ntoskrnl.exe+3514944]
 - QueryName   : FFFFF80002DB3514 [ntoskrnl.exe+3515668]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Semaphore
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Section
 - Delete      : FFFFF80002DEFFA0 [ntoskrnl.exe+3764128]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Thread
 - Open        : FFFFF80002DBF91C [ntoskrnl.exe+3565852]
 - Delete      : FFFFF80002DA9030 [ntoskrnl.exe+3473456]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF880033083C8 [klif.sys+218056] / FFFFF880033087D4 [klif.sys+219092]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Event
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

ALPC Port
 - Open        : FFFFF80002DB1980 [ntoskrnl.exe+3508608]
 - Close       : FFFFF80002D76EA0 [ntoskrnl.exe+3268256]
 - Delete      : FFFFF80002D759D4 [ntoskrnl.exe+3262932]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]

Sandboxie registering callbacks on object types other than Process and Thread is not supported on x64 (ObRegisterCallbacks only supports the Process and Thread object types on this Windows version), but it is still cleaner than on x86, where it replaces the default system procedures of those object types…

mimikatz # [...]
kListNotifyObjects

[...]
Process
 - Open        : 9269B070 [?]
 - Close       : 82ABFF55 [ntkrnlpa.exe+2559829]
 - Delete      : 82AC281C [ntkrnlpa.exe+2570268]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]
 * Callback 3  : 87CCACB2 [MpFilter.sys+97458] / 00000000 [?]

Token
 - Open        : 9269B020 [?]
 - Delete      : 82AA9120 [ntkrnlpa.exe+2466080]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

Mutant
 - Open        : 9269B250 [?]
 - Delete      : 8290FFAB [ntkrnlpa.exe+790443]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

File
 - Close       : 82A8188B [ntkrnlpa.exe+2304139]
 - Delete      : 82A809D3 [ntkrnlpa.exe+2300371]
 - Parse       : 9269B110 [?]
 - Security    : 82AB33BD [ntkrnlpa.exe+2507709]
 - QueryName   : 82ABF86E [ntkrnlpa.exe+2558062]

Semaphore
 - Open        : 9269B2A0 [?]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

Section
 - Open        : 9269B2F0 [?]
 - Delete      : 82A71981 [ntkrnlpa.exe+2238849]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

Thread
 - Open        : 9269B0C0 [?]
 - Delete      : 82AB89BB [ntkrnlpa.exe+2529723]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

Event
 - Open        : 9269B200 [?]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

ALPC Port
 - Open        : 9269B340 [?]
 - Close       : 82AAF0A3 [ntkrnlpa.exe+2490531]
 - Delete      : 82AAE8AC [ntkrnlpa.exe+2488492]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]

Device
 - Delete      : 82A0A338 [ntkrnlpa.exe+1815352]
 - Parse       : 9269B160 [?]
 - Security    : 82AB33BD [ntkrnlpa.exe+2507709]

Key
 - Close       : 82A9B2E6 [ntkrnlpa.exe+2409190]
 - Delete      : 82A8280B [ntkrnlpa.exe+2308107]
 - Parse       : 9269B1B0 [?]
 - Security    : 82A4431B [ntkrnlpa.exe+2052891]
 - QueryName   : 82A3AD00 [ntkrnlpa.exe+2014464]

Despite the ? indicating that no module could be referenced for address 0x9269b070 (the Process object's Open procedure, line 6 of the listing above), it really is Sandboxie that placed a trampoline there:

9269b070 8bc0            mov     eax,eax
9269b072 b88e07b191      mov     eax,offset SbieDrv+0x1378e (91b1078e)
9269b077 6a00            push    0
9269b079 6a00            push    0
9269b07b ffd0            call    eax
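An added example, not part of the original post and not mimikatz code: the two checks a practitioner runs over a kListNotifyObjects listing before trusting it. First, every `address [module+offset]` pair implies an image base (`address - offset`); all entries for one module must agree on a single page-aligned base, otherwise the attribution is wrong. Second, a non-null address printed as `[?]` is exactly the Sandboxie case above: code outside every loaded module, i.e. a candidate trampoline (a null post-operation callback is not reported, it only means the driver registered none). The block also decodes the trampoline bytes from the disassembly above and checks that `imm32 - 0x1378e` lands on a page boundary, which corroborates WinDbg's `SbieDrv+0x1378e` attribution. The sample listings are constructed from lines on this page; the offset `0x1378e` and the stub shape are taken from the disassembly.

```python
import re

# Constructed sample: lines copied from the kListNotifyObjects listings on this page
# (x64 box with Kaspersky's klif.sys and Sandboxie's SbieDrv.sys, then the x86 box where
# Sandboxie overwrote the Process type's Open procedure with an address no module covers).
SAMPLE_X64 = """\
Process
 - Open        : FFFFF80002DA6960 [ntoskrnl.exe+3463520]
 - Close       : FFFFF80002D8B074 [ntoskrnl.exe+3350644]
 - Security    : FFFFF80002DBDCA0 [ntoskrnl.exe+3558560]
 * Callback 1  : FFFFF880033083C8 [klif.sys+218056] / FFFFF880033087D4 [klif.sys+219092]
 * Callback 1  : FFFFF88004212240 [SbieDrv.sys+74304] / FFFFF8800421742C [SbieDrv.sys+95276]
"""
SAMPLE_X86 = """\
Process
 - Open        : 9269B070 [?]
 - Close       : 82ABFF55 [ntkrnlpa.exe+2559829]
 - Security    : 82AB47D6 [ntkrnlpa.exe+2512854]
 * Callback 3  : 87CCACB2 [MpFilter.sys+97458] / 00000000 [?]
"""
# Constructed from the disassembly above: 8bc0 / b8 imm32 / 6a00 / 6a00 / ffd0.
TRAMPOLINE = bytes.fromhex("8bc0 b88e07b191 6a00 6a00 ffd0")

_REF = re.compile(r"([0-9A-Fa-f]{8,16})\s+\[(?:([^\]+]+)\+(\d+)|\?)\]")
_PROC = re.compile(r"^\s+-\s+(\w+)\s*:\s*(.*)$")
_CB = re.compile(r"^\s+\*\s+Callback\s+(\d+)\s*:\s*(.*)$")


def parse_listing(text):
    """One record per printed address: (object_type, label, address, module, offset).

    module/offset are None when mimikatz printed [?], i.e. no loaded module covers the address.
    """
    records, obj = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = object type name
            obj = line.strip()
            continue
        m = _PROC.match(line)
        if m:
            labels, rest = [m.group(1)], m.group(2)
        else:
            m = _CB.match(line)
            if not m:
                continue
            # "pre / post" pair of an ObRegisterCallbacks registration
            labels = ["Callback %s pre" % m.group(1), "Callback %s post" % m.group(1)]
            rest = m.group(2)
        for label, r in zip(labels, _REF.finditer(rest)):
            offset = int(r.group(3)) if r.group(3) is not None else None
            records.append((obj, label, int(r.group(1), 16), r.group(2), offset))
    return records


def module_bases(records):
    """module -> set of image bases implied by address - offset (one base per module expected)."""
    bases = {}
    for _, _, addr, module, offset in records:
        if module is not None:
            bases.setdefault(module, set()).add(addr - offset)
    return bases


def suspicious_modules(records):
    """Modules whose entries do not agree on a single page-aligned image base."""
    return sorted(m for m, b in module_bases(records).items()
                  if len(b) != 1 or any(base & 0xFFF for base in b))


def unresolved(records):
    """Non-null addresses outside every loaded module: candidate inline hooks / trampolines."""
    return [r for r in records if r[3] is None and r[2] != 0]


def decode_trampoline(code):
    """Decode the stub shape seen above: [mov eax,eax] ; mov eax,imm32 ; push imm8 ... ; call eax.

    Returns the imm32 target, or None if the bytes do not match this shape.
    """
    i = 0
    if code[i:i + 2] == b"\x8b\xc0":             # mov eax,eax (2-byte nop)
        i += 2
    if code[i:i + 1] != b"\xb8" or len(code) < i + 5:
        return None
    target = int.from_bytes(code[i + 1:i + 5], "little")   # mov eax, imm32
    i += 5
    while code[i:i + 1] == b"\x6a":               # push imm8 (arguments for the target)
        i += 2
    if code[i:i + 2] != b"\xff\xd0":              # call eax
        return None
    return target


def image_base(address, offset):
    """Image base implied by a module+offset attribution; None unless it is page aligned."""
    base = address - offset
    return base if base & 0xFFF == 0 else None


if __name__ == "__main__":
    for name, text in (("x64", SAMPLE_X64), ("x86", SAMPLE_X86)):
        recs = parse_listing(text)
        print(name, {m: ["%X" % b for b in bs] for m, bs in module_bases(recs).items()})
        print("  inconsistent:", suspicious_modules(recs))
        for obj, label, addr, _, _ in unresolved(recs):
            print("  unresolved: %s %s -> %X" % (obj, label, addr))
    target = decode_trampoline(TRAMPOLINE)
    print("trampoline target %X, SbieDrv base %X" % (target, image_base(target, 0x1378E)))
```

On the page's own data every module resolves to one page-aligned base, the x86 Process Open procedure is the only unresolved address, and the trampoline's `mov eax, imm32` yields 0x91B1078E, which minus 0x1378E gives the page-aligned base 0x91AFD000.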

mimikatz: kernel notifications

youdidntseeanything

To be documented soon:

mimikatz # [...]
kListNotifyProcesses

[00] FFFFF80002C971E0 [ntoskrnl.exe+295392]
[01] FFFFF880017D91E0 [ksecdd.sys+74208]
[02] FFFFF8800126A3D0 [cng.sys+50128]
[03] FFFFF88001AE9950 [tcpip.sys+469328]
[04] FFFFF88000E8DBA0 [CI.dll+97184]
[05] FFFFF88004516D10 [MpFilter.sys+146704]
[06] FFFFF88006AE3954 [vmci.sys+35156]
[07] FFFFF8800681CD2C [peauth.sys+101676]
[08] FFFFF880071D2EF4 [PROCMON20.SYS+12020]

mimikatz # [...]
kListNotifyThreads

[00] FFFFF88004517584 [MpFilter.sys+148868]
[01] FFFFF880071D3094 [PROCMON20.SYS+12436]

mimikatz # [...]
kListNotifyImages

[00] FFFFF80002FE87C0 [ntoskrnl.exe+3774400]
[01] FFFFF880045172D4 [MpFilter.sys+148180]
[02] FFFFF880071D3338 [PROCMON20.SYS+13112]

mimikatz # [...]
kListNotifyRegistry

[00] FFFFF8800450E9B8 [MpFilter.sys+113080] - alt 425000 - cookie 0x1ccc334922c6342
[01] FFFFF880071D69D0 [PROCMON20.SYS+27088] - alt 425000 - cookie 0x1ccc334922c6343

mimikatz # [...]
kMiniFiltersList

PROCMON20
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x17 CREATE_NAMED_PIPE       ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x18 CLOSE                   ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x19 READ                    ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1a WRITE                   ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1b QUERY_INFORMATION       ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1c SET_INFORMATION         ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1d QUERY_EA                ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1e SET_EA                  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1f FLUSH_BUFFERS           ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x20 QUERY_VOLUME_INFORMATION] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x21 SET_VOLUME_INFORMATION  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x22 DIRECTORY_CONTROL       ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x24 DEVICE_CONTROL          ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x25 INTERNAL_DEVICE_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x26 SHUTDOWN                ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / 0000000000000000 [?]
  [0x27 LOCK_CONTROL            ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x28 CLEANUP                 ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x29 CREATE_MAILSLOT         ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x2a QUERY_SECURITY          ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x2b SET_SECURITY            ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x2f QUERY_QUOTA             ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x30 SET_QUOTA               ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x31 PNP                     ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
[...]
MpFilter
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF88004500E90 [MpFilter.sys+56976] / FFFFF88004503BBC [MpFilter.sys+68540]
  [0x1a WRITE                   ] FFFFF8800450B0D0 [MpFilter.sys+98512] / FFFFF880044F5778 [MpFilter.sys+10104]
  [0x1c SET_INFORMATION         ] FFFFF88004505144 [MpFilter.sys+74052] / FFFFF88004505428 [MpFilter.sys+74792]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF88004514D88 [MpFilter.sys+138632] / FFFFF88004514F10 [MpFilter.sys+139024]
  [0x28 CLEANUP                 ] FFFFF880044FBD54 [MpFilter.sys+36180] / 0000000000000000 [?]
[...]
luafv
 Instance 0 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF88000DE8DAC [luafv.sys+73132] / FFFFF88000DE9474 [luafv.sys+74868]
  [0x17 CREATE_NAMED_PIPE       ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x18 CLOSE                   ] FFFFF88000DE984C [luafv.sys+75852] / 0000000000000000 [?]
  [0x19 READ                    ] FFFFF88000DD833C [luafv.sys+4924] / FFFFF88000DD83CC [luafv.sys+5068]
  [0x1a WRITE                   ] FFFFF88000DD8414 [luafv.sys+5140] / FFFFF88000DD83CC [luafv.sys+5068]
  [0x1b QUERY_INFORMATION       ] FFFFF88000DE9E68 [luafv.sys+77416] / FFFFF88000DD8570 [luafv.sys+5488]
  [0x1c SET_INFORMATION         ] FFFFF88000DE9C84 [luafv.sys+76932] / FFFFF88000DD851C [luafv.sys+5404]
  [0x1d QUERY_EA                ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x1e SET_EA                  ] FFFFF88000DD8414 [luafv.sys+5140] / 0000000000000000 [?]
  [0x1f FLUSH_BUFFERS           ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x20 QUERY_VOLUME_INFORMATION] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x21 SET_VOLUME_INFORMATION  ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x22 DIRECTORY_CONTROL       ] FFFFF88000DE9FA4 [luafv.sys+77732] / FFFFF88000DD85D8 [luafv.sys+5592]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF88000DEA0FC [luafv.sys+78076] / FFFFF88000DEA288 [luafv.sys+78472]
  [0x24 DEVICE_CONTROL          ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x25 INTERNAL_DEVICE_CONTROL ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x26 SHUTDOWN                ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x27 LOCK_CONTROL            ] FFFFF88000DEA2D4 [luafv.sys+78548] / 0000000000000000 [?]
  [0x28 CLEANUP                 ] FFFFF88000DE9A58 [luafv.sys+76376] / FFFFF88000DE9BAC [luafv.sys+76716]
  [0x29 CREATE_MAILSLOT         ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2a QUERY_SECURITY          ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2b SET_SECURITY            ] FFFFF88000DD8414 [luafv.sys+5140] / 0000000000000000 [?]
  [0x2c POWER                   ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2d SYSTEM_CONTROL          ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2e DEVICE_CHANGE           ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2f QUERY_QUOTA             ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x30 SET_QUOTA               ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x31 PNP                     ] FFFFF88000DEA314 [luafv.sys+78612] / 0000000000000000 [?]
FileInfo
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF8800159C7B8 [fileinfo.sys+30648] / FFFFF8800159CA14 [fileinfo.sys+31252]
  [0x18 CLOSE                   ] FFFFF8800159CF5C [fileinfo.sys+32604] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x19 READ                    ] FFFFF88001596078 [fileinfo.sys+4216] / FFFFF880015962F4 [fileinfo.sys+4852]
  [0x1a WRITE                   ] FFFFF88001596078 [fileinfo.sys+4216] / FFFFF880015962F4 [fileinfo.sys+4852]
  [0x1b QUERY_INFORMATION       ] FFFFF8800159689C [fileinfo.sys+6300] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x1c SET_INFORMATION         ] FFFFF88001596404 [fileinfo.sys+5124] / FFFFF88001596578 [fileinfo.sys+5496]
  [0x1f FLUSH_BUFFERS           ] FFFFF8800159CFDC [fileinfo.sys+32732] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x22 DIRECTORY_CONTROL       ] FFFFF8800159D020 [fileinfo.sys+32800] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF8800159CCD4 [fileinfo.sys+31956] / FFFFF880015967D4 [fileinfo.sys+6100]
  [0x28 CLEANUP                 ] FFFFF8800159CE58 [fileinfo.sys+32344] / FFFFF8800159CE84 [fileinfo.sys+32388]
  [0x31 PNP                     ] FFFFF8800159D1C0 [fileinfo.sys+33216] / FFFFF8800159696C [fileinfo.sys+6508]
[...]
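An added example, not part of the original post and not mimikatz code: the listings above are most useful when merged per driver, since a driver that registers process, thread, image and registry notifications plus a minifilter on the volume (here PROCMON20.SYS and MpFilter.sys) is the profile of a monitoring product, and the same profile from an unnamed or unexpected module is what to chase. The block parses the kListNotify* and kMiniFiltersList output formats shown above, builds that per-module inventory, keeps the CmRegisterCallback cookies, and lists the IRP_MJ operations a filter watches with a pre-operation callback only. The samples are constructed from lines on this page.

```python
import re

# Constructed samples: lines taken from the kListNotify* and kMiniFiltersList outputs above.
NOTIFY = {
    "process": """\
[00] FFFFF80002C971E0 [ntoskrnl.exe+295392]
[05] FFFFF88004516D10 [MpFilter.sys+146704]
[08] FFFFF880071D2EF4 [PROCMON20.SYS+12020]
""",
    "thread": """\
[00] FFFFF88004517584 [MpFilter.sys+148868]
[01] FFFFF880071D3094 [PROCMON20.SYS+12436]
""",
    "image": """\
[00] FFFFF80002FE87C0 [ntoskrnl.exe+3774400]
[01] FFFFF880045172D4 [MpFilter.sys+148180]
[02] FFFFF880071D3338 [PROCMON20.SYS+13112]
""",
    "registry": """\
[00] FFFFF8800450E9B8 [MpFilter.sys+113080] - alt 425000 - cookie 0x1ccc334922c6342
[01] FFFFF880071D69D0 [PROCMON20.SYS+27088] - alt 425000 - cookie 0x1ccc334922c6343
""",
}
MINIFILTERS = r"""
PROCMON20
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x26 SHUTDOWN                ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / 0000000000000000 [?]
[...]
MpFilter
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF88004500E90 [MpFilter.sys+56976] / FFFFF88004503BBC [MpFilter.sys+68540]
  [0x28 CLEANUP                 ] FFFFF880044FBD54 [MpFilter.sys+36180] / 0000000000000000 [?]
[...]
"""

_REF = re.compile(r"([0-9A-Fa-f]{8,16})\s+\[(?:([^\]+]+)\+(\d+)|\?)\]")
_NOTIFY = re.compile(r"^\[(\d+)\]\s+(.*)$")
_COOKIE = re.compile(r"cookie\s+(0x[0-9a-fA-F]+)")
_OP = re.compile(r"^\s+\[(0x[0-9a-f]+)\s+(\w+)\s*\]\s+(.*)$")
_INSTANCE = re.compile(r"^\s+Instance\s+(\d+)\s+@\s+(\S+)")


def parse_notify(text):
    """kListNotify* lines -> [(index, address, module, offset, cookie-or-None)]."""
    out = []
    for line in text.splitlines():
        m = _NOTIFY.match(line)
        r = _REF.search(m.group(2)) if m else None
        if not r:
            continue
        c = _COOKIE.search(m.group(2))      # only present for registry callbacks
        out.append((int(m.group(1)), int(r.group(1), 16), r.group(2),
                    int(r.group(3)) if r.group(3) else None,
                    int(c.group(1), 16) if c else None))
    return out


def parse_minifilters(text):
    """kMiniFiltersList -> {filter: {(instance, volume): {IRP_MJ: (pre, post-or-None, module)}}}."""
    filters, current, inst = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("["):
            continue                        # blank line or the "[...]" elision marker
        if not line[0].isspace():
            current = filters.setdefault(line.strip(), {})
            continue
        m = _INSTANCE.match(line)
        if m and current is not None:
            inst = current.setdefault((int(m.group(1)), m.group(2)), {})
            continue
        m = _OP.match(line)
        if m and inst is not None:
            refs = list(_REF.finditer(m.group(3)))
            addrs = [int(r.group(1), 16) for r in refs]
            pre = addrs[0] if addrs and addrs[0] != 0 else None
            post = addrs[1] if len(addrs) > 1 and addrs[1] != 0 else None
            inst[m.group(2)] = (pre, post, refs[0].group(2) if refs else None)
    return filters


def inventory(notify_texts, minifilter_text):
    """module (lower-cased) -> {hook kind: count}, merged across all the listings."""
    hooks = {}
    for kind, text in notify_texts.items():
        for _, _, module, _, _ in parse_notify(text):
            if module:
                d = hooks.setdefault(module.lower(), {})
                d[kind] = d.get(kind, 0) + 1
    for instances in parse_minifilters(minifilter_text).values():
        for ops in instances.values():
            for _, _, module in ops.values():
                if module:
                    d = hooks.setdefault(module.lower(), {})
                    d["minifilter"] = d.get("minifilter", 0) + 1
    return hooks


def pre_only_ops(filters):
    """(filter, IRP_MJ) pairs watched with a pre-operation callback but no post-operation one."""
    return sorted((name, op) for name, instances in filters.items()
                  for ops in instances.values()
                  for op, (pre, post, _) in ops.items() if pre and post is None)


if __name__ == "__main__":
    for module, kinds in sorted(inventory(NOTIFY, MINIFILTERS).items()):
        print(module, kinds)
    print("pre-only:", pre_only_ops(parse_minifilters(MINIFILTERS)))
    print("registry cookies:", ["%#x" % r[4] for r in parse_notify(NOTIFY["registry"])])
```

Running it on the sample shows ntoskrnl.exe with process and image notifications only, while PROCMON20.SYS and MpFilter.sys each carry all four notification kinds plus minifilter callbacks; SHUTDOWN (Process Monitor) and CLEANUP (MpFilter) are the operations watched pre-operation only.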

See: http://blog.gentilkiwi.com/retro-ingenierie/windbg-notifications-kernel