mimikatz: Kernel notifications

youdidntseeanything

Documentation coming soon:

mimikatz # [...]
kListNotifyProcesses

[00] FFFFF80002C971E0 [ntoskrnl.exe+295392]
[01] FFFFF880017D91E0 [ksecdd.sys+74208]
[02] FFFFF8800126A3D0 [cng.sys+50128]
[03] FFFFF88001AE9950 [tcpip.sys+469328]
[04] FFFFF88000E8DBA0 [CI.dll+97184]
[05] FFFFF88004516D10 [MpFilter.sys+146704]
[06] FFFFF88006AE3954 [vmci.sys+35156]
[07] FFFFF8800681CD2C [peauth.sys+101676]
[08] FFFFF880071D2EF4 [PROCMON20.SYS+12020]

mimikatz # [...]
kListNotifyThreads

[00] FFFFF88004517584 [MpFilter.sys+148868]
[01] FFFFF880071D3094 [PROCMON20.SYS+12436]

mimikatz # [...]
kListNotifyImages

[00] FFFFF80002FE87C0 [ntoskrnl.exe+3774400]
[01] FFFFF880045172D4 [MpFilter.sys+148180]
[02] FFFFF880071D3338 [PROCMON20.SYS+13112]

mimikatz # [...]
kListNotifyRegistry

[00] FFFFF8800450E9B8 [MpFilter.sys+113080] - alt 425000 - cookie 0x1ccc334922c6342
[01] FFFFF880071D69D0 [PROCMON20.SYS+27088] - alt 425000 - cookie 0x1ccc334922c6343

mimikatz # [...]
kMiniFiltersList

PROCMON20
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x17 CREATE_NAMED_PIPE       ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x18 CLOSE                   ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x19 READ                    ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1a WRITE                   ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1b QUERY_INFORMATION       ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1c SET_INFORMATION         ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1d QUERY_EA                ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1e SET_EA                  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x1f FLUSH_BUFFERS           ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x20 QUERY_VOLUME_INFORMATION] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x21 SET_VOLUME_INFORMATION  ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x22 DIRECTORY_CONTROL       ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x24 DEVICE_CONTROL          ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x25 INTERNAL_DEVICE_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x26 SHUTDOWN                ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / 0000000000000000 [?]
  [0x27 LOCK_CONTROL            ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x28 CLEANUP                 ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x29 CREATE_MAILSLOT         ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x2a QUERY_SECURITY          ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x2b SET_SECURITY            ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x2f QUERY_QUOTA             ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x30 SET_QUOTA               ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
  [0x31 PNP                     ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184]
[...]
MpFilter
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF88004500E90 [MpFilter.sys+56976] / FFFFF88004503BBC [MpFilter.sys+68540]
  [0x1a WRITE                   ] FFFFF8800450B0D0 [MpFilter.sys+98512] / FFFFF880044F5778 [MpFilter.sys+10104]
  [0x1c SET_INFORMATION         ] FFFFF88004505144 [MpFilter.sys+74052] / FFFFF88004505428 [MpFilter.sys+74792]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF88004514D88 [MpFilter.sys+138632] / FFFFF88004514F10 [MpFilter.sys+139024]
  [0x28 CLEANUP                 ] FFFFF880044FBD54 [MpFilter.sys+36180] / 0000000000000000 [?]
[...]
luafv
 Instance 0 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF88000DE8DAC [luafv.sys+73132] / FFFFF88000DE9474 [luafv.sys+74868]
  [0x17 CREATE_NAMED_PIPE       ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x18 CLOSE                   ] FFFFF88000DE984C [luafv.sys+75852] / 0000000000000000 [?]
  [0x19 READ                    ] FFFFF88000DD833C [luafv.sys+4924] / FFFFF88000DD83CC [luafv.sys+5068]
  [0x1a WRITE                   ] FFFFF88000DD8414 [luafv.sys+5140] / FFFFF88000DD83CC [luafv.sys+5068]
  [0x1b QUERY_INFORMATION       ] FFFFF88000DE9E68 [luafv.sys+77416] / FFFFF88000DD8570 [luafv.sys+5488]
  [0x1c SET_INFORMATION         ] FFFFF88000DE9C84 [luafv.sys+76932] / FFFFF88000DD851C [luafv.sys+5404]
  [0x1d QUERY_EA                ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x1e SET_EA                  ] FFFFF88000DD8414 [luafv.sys+5140] / 0000000000000000 [?]
  [0x1f FLUSH_BUFFERS           ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x20 QUERY_VOLUME_INFORMATION] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x21 SET_VOLUME_INFORMATION  ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x22 DIRECTORY_CONTROL       ] FFFFF88000DE9FA4 [luafv.sys+77732] / FFFFF88000DD85D8 [luafv.sys+5592]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF88000DEA0FC [luafv.sys+78076] / FFFFF88000DEA288 [luafv.sys+78472]
  [0x24 DEVICE_CONTROL          ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x25 INTERNAL_DEVICE_CONTROL ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x26 SHUTDOWN                ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x27 LOCK_CONTROL            ] FFFFF88000DEA2D4 [luafv.sys+78548] / 0000000000000000 [?]
  [0x28 CLEANUP                 ] FFFFF88000DE9A58 [luafv.sys+76376] / FFFFF88000DE9BAC [luafv.sys+76716]
  [0x29 CREATE_MAILSLOT         ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2a QUERY_SECURITY          ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2b SET_SECURITY            ] FFFFF88000DD8414 [luafv.sys+5140] / 0000000000000000 [?]
  [0x2c POWER                   ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2d SYSTEM_CONTROL          ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2e DEVICE_CHANGE           ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x2f QUERY_QUOTA             ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x30 SET_QUOTA               ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?]
  [0x31 PNP                     ] FFFFF88000DEA314 [luafv.sys+78612] / 0000000000000000 [?]
FileInfo
[...]
 Instance 1 @ \Device\HarddiskVolume2
  [0x16 CREATE                  ] FFFFF8800159C7B8 [fileinfo.sys+30648] / FFFFF8800159CA14 [fileinfo.sys+31252]
  [0x18 CLOSE                   ] FFFFF8800159CF5C [fileinfo.sys+32604] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x19 READ                    ] FFFFF88001596078 [fileinfo.sys+4216] / FFFFF880015962F4 [fileinfo.sys+4852]
  [0x1a WRITE                   ] FFFFF88001596078 [fileinfo.sys+4216] / FFFFF880015962F4 [fileinfo.sys+4852]
  [0x1b QUERY_INFORMATION       ] FFFFF8800159689C [fileinfo.sys+6300] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x1c SET_INFORMATION         ] FFFFF88001596404 [fileinfo.sys+5124] / FFFFF88001596578 [fileinfo.sys+5496]
  [0x1f FLUSH_BUFFERS           ] FFFFF8800159CFDC [fileinfo.sys+32732] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x22 DIRECTORY_CONTROL       ] FFFFF8800159D020 [fileinfo.sys+32800] / FFFFF88001596980 [fileinfo.sys+6528]
  [0x23 FILE_SYSTEM_CONTROL     ] FFFFF8800159CCD4 [fileinfo.sys+31956] / FFFFF880015967D4 [fileinfo.sys+6100]
  [0x28 CLEANUP                 ] FFFFF8800159CE58 [fileinfo.sys+32344] / FFFFF8800159CE84 [fileinfo.sys+32388]
  [0x31 PNP                     ] FFFFF8800159D1C0 [fileinfo.sys+33216] / FFFFF8800159696C [fileinfo.sys+6508]
[...]
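As an added example (not mimikatz code and not part of the original post), the following parses the kListNotify* listing format shown above into a per-module map and reports the modules that are not in a known baseline. The sample text is constructed; it assumes that a callback whose address resolves to no loaded module would be printed as `[?]`, as the minifilter listing does for null entries.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the kListNotify* listings above.
SAMPLE = """\
mimikatz # kListNotifyProcesses

[00] FFFFF80002C971E0 [ntoskrnl.exe+295392]
[01] FFFFF880017D91E0 [ksecdd.sys+74208]
[02] FFFFF88004516D10 [MpFilter.sys+146704]
[03] FFFFF880071D2EF4 [PROCMON20.SYS+12020]
[04] FFFFF88007300000 [?]

mimikatz # kListNotifyThreads

[00] FFFFF88004517584 [MpFilter.sys+148868]
[01] FFFFF880071D3094 [PROCMON20.SYS+12436]

mimikatz # kListNotifyRegistry

[00] FFFFF8800450E9B8 [MpFilter.sys+113080] - alt 425000 - cookie 0x1ccc334922c6342
"""

CMD_RE = re.compile(r"^mimikatz # kListNotify(\w+)")
# "[idx] address [module+offset]"; an address outside every loaded module is
# assumed to be printed as "[?]" (as the minifilter listing does for null entries).
CB_RE = re.compile(r"^\[\d+\] ([0-9A-Fa-f]{16}) \[(?:([^+\]]+)\+(\d+)|\?)\]")

def parse_callbacks(text):
    """Return {(module_lower, kind): [(address, offset_or_None), ...]}."""
    found = defaultdict(list)
    kind = None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            kind = m.group(1)          # Processes, Threads, Images, Registry
            continue
        m = CB_RE.match(line.strip())
        if m and kind:
            module = (m.group(2) or "?").lower()
            offset = int(m.group(3)) if m.group(3) else None
            found[(module, kind)].append((int(m.group(1), 16), offset))
    return found

def unexpected_modules(found, baseline):
    """Modules owning a callback that are not in the baseline (lower-cased names);
    '?' means the callback address resolved to no loaded module at all."""
    return sorted(mod for mod in {mod for mod, _ in found} if mod not in baseline)
```

A '?' entry in the result is the case worth investigating first, since every legitimate callback should map back to a loaded driver.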

Cf: http://blog.gentilkiwi.com/retro-ingenierie/windbg-notifications-kernel

WinDbg: a process and its token

A little WinDbg usage…

Using extensions

The ‘system’ process

lkd> !process 0 1 system
PROCESS 82da3648  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00e02000  ObjectTable: e1001c58  HandleCount: 614.
    Image: System
    VadRoot 82a6e0f0 Vads 4 Clone 0 Private 3. Modified 11050. Locked 0.
    DeviceMap e10000a8
    Token                             e1000758
[...]

The process's security token

lkd> !token -n 0xe1000758
_TOKEN e1000758
TS Session ID: 0
User: S-1-5-18 (Well Known Group: AUTORITE NT\SYSTEM)
[...]
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token NOT in use ) 
Token ID: 3ea              ParentToken ID: 0
Modified ID:               (0, 3e9)
RestrictedSidCount: 0      RestrictedSids: 00000000
OriginatingLogonSession: 0

Using direct memory access

The ‘system’ process

lkd> dt nt!_eprocess poi(PsInitialSystemProcess)
[...]
   +0x094 UniqueProcessId  : 0x00000004 Void
[...]
   +0x0d8 Token            : _EX_FAST_REF
[...]
   +0x164 ImageFileName    : [16]  "System"
[...]

Reference to the security token through the ‘ex_fast_ref’ structure

lkd> dt nt!_ex_fast_ref poi(PsInitialSystemProcess)+0x0d8
   +0x000 Object           : 0xe100075d Void
   +0x000 RefCnt           : 0y101
   +0x000 Value            : 0xe100075d

The process's security token (after masking off the reference count)

  • On x86, 3-bit mask: dt nt!_token -r1 @@(0xe100075d & ~7)
  • On x64, 4-bit mask: dt nt!_token -r1 @@(0xfffff8a000004048 & ~15)
lkd> dt nt!_token -r1 @@(0xe100075d & ~7)
   +0x000 TokenSource      : _TOKEN_SOURCE
      +0x000 SourceName       : [8]  "*SYSTEM*"
      +0x008 SourceIdentifier : _LUID
   +0x010 TokenId          : _LUID
      +0x000 LowPart          : 0x3ea
      +0x004 HighPart         : 0n0
   +0x018 AuthenticationId : _LUID
      +0x000 LowPart          : 0x3e7
      +0x004 HighPart         : 0n0
   +0x020 ParentTokenId    : _LUID
      +0x000 LowPart          : 0
      +0x004 HighPart         : 0n0
[...]
   +0x040 ModifiedId       : _LUID
      +0x000 LowPart          : 0x3e9
      +0x004 HighPart         : 0n0
   +0x048 SessionId        : 0
[...]
   +0x080 TokenType        : 1 ( TokenPrimary )
   +0x084 ImpersonationLevel : 0 ( SecurityAnonymous )
   +0x088 TokenFlags       : 0x89 ''
   +0x089 TokenInUse       : 0 ''
[...]
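Added example (not from the original post): decoding the _EX_FAST_REF value from the dt output above. It infers x86 vs x64 from the printed pointer width, applies the 3-bit or 4-bit mask given in the bullets, cross-checks the masked-off bits against the RefCnt bitfield WinDbg prints in 0y binary, and returns the dt nt!_token command to run next. The x86 dump is the page's own, re-typed as a constructed string; the x64 value is the one quoted in the bullets, and the backtick WinDbg inserts in 64-bit values is assumed and stripped.

```python
import re

# Constructed copy of the x86 'dt nt!_ex_fast_ref' output shown above.
SAMPLE_X86 = """\
   +0x000 Object           : 0xe100075d Void
   +0x000 RefCnt           : 0y101
   +0x000 Value            : 0xe100075d
"""

FIELD_RE = re.compile(r"^\s*\+0x[0-9a-f]+ (\w+)\s*: (\S+)")

def parse_dt_fields(text):
    """Map field name -> raw printed value from a WinDbg 'dt' listing."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, text.splitlines()) if m}

def decode_ex_fast_ref(value, pointer_size):
    """Return (object pointer, RefCnt). The count lives in the low 3 bits on x86
    (8-byte aligned objects, mask ~7) and the low 4 bits on x64 (16-byte aligned,
    mask ~15); clearing them yields the real object address."""
    bits = {4: 3, 8: 4}[pointer_size]
    mask = (1 << bits) - 1
    return value & ~mask, value & mask

def token_pointer_from_dt(text):
    """Derive the _TOKEN address from a 'dt nt!_ex_fast_ref' dump, inferring
    x86 vs x64 from the printed pointer width and checking that the bits masked
    off agree with the RefCnt bitfield WinDbg prints with a '0y' binary prefix."""
    fields = parse_dt_fields(text)
    raw = fields["Value"].replace("`", "")   # WinDbg writes 64-bit values as 0xhhhhhhhh`hhhhhhhh
    pointer_size = 4 if len(raw) - 2 <= 8 else 8
    obj, refcnt = decode_ex_fast_ref(int(raw, 16), pointer_size)
    printed = int(fields["RefCnt"][2:], 2)   # '0y101' -> 5
    if printed != refcnt:
        raise ValueError(f"RefCnt mismatch: dt prints {printed}, low bits give {refcnt}")
    return obj, refcnt, f"dt nt!_token -r1 {obj:#x}"
```

On the page's x86 dump this yields 0xe1000758, the same value !process reported as Token, with a reference count of 5.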