Our team recently had the opportunity to meet and exchange with two of the authors of "Rootkits and Bootkits, Reversing Modern Malware and Next Generation Threats", namely Alex Matrosov and Eugene Rodionov, who are precisely in the process of releasing the final edition of their textbook. Amongst all the knowledge they have packed into their chapters, an old acquaintance reminds me of some research I did a few years ago on Windows 7 and Windows 8.1: ci.dll.

ci.dll is a cornerstone of Windows security and is involved very early in the boot process. This module, and more specifically its driver signature enforcement code, got all the attention for obvious reasons. Still, an unsung great piece of software engineering stayed hidden for too long within its meanders: an encrypted memory store (CI!g_pStore), wrapped by heavily obfuscated code using virtual-machine software protection and related to a larger code protection framework: Microsoft Warbird.

The Warbird framework has gone relatively unnoticed for a long time, until Alex Ionescu released "The "Bird" That Killed Arbitrary Code Guard", presented on September 27th 2017 at the ekoparty conference in Buenos Aires. On this occasion, it is deeply enlightening to discover how the Warbird framework has evolved into a scary beast protecting against arbitrary code execution. Many years have passed since our research and now seems a good time to share:

- An analysis of the virtual-machine protection implemented in ci.dll on Windows 7/8.1.
- A WinDbg plugin performing on-the-fly decryption/encryption of the CI!g_pStore.

As a reminder, all the technical elements presented below have been studied on Windows 7 and Windows 8.1.

From ci.dll, one can easily locate the specific code by looking for peauthvbn-prefixed function names:

- peauthvbn_GetBootDriversVerificationData(x,x)
- peauthvbn_SetDebugCredentialsData(x,x,x)

These functions are all wrappers around the Warbird virtual machine, used to initialize, query and update CI!g_Store. This store is allocated in PEAuthInitStore and then initialized in peauthvbn_InitStore. Please note that a random value issued from KeTickCount is passed to the peauthvbn_InitStore function:

```
res = ExInitializeResourceLite(&g_StoreLock);
ExAcquireResourceExclusiveLite(&g_StoreLock, 1u);
allocated_store = ExAllocatePoolWithTag(PagedPool, sizeof(store), 'PE');
errno = peauthvbn_InitStore(allocated_store, seed);
```

peauthvbn_InitStore invokes the virtual machine:

```
int __cdecl peauthvbn_InitStore(PVOID store_ptr, int seed)
```

The seed value is used to parametrize the execution of the virtual machine, like a keyed execution. This key is stored in the rax native register and updated by each of the 0x800 different handlers. When the key reaches zero, the execution of the virtual machine stops. The execution loop of the virtual machine looks like this:

```
for ( ctx.field_90 = value; keyed_exec; keyed_exec = WARBIRD_HANDLERS(&ctx, keyed_exec) )
```

Not much needs to be said about the analysis of the virtual machine. Happy coincidence, the fifth chapter of the Practical Reverse Engineering textbook contains a methodology that works like a charm to analyze the Warbird virtual machine. The core idea is simple: we unroll the execution of the virtual machine using symbolic execution. In practice, we first lift the transfer function of the current handler from its assembly code, then we inject some symbolism into it (we know the virtual registers used by the virtual machine are indexed based on rcx) and finally we perform a symbolic execution of the result to step to the next handler, and repeat these steps.

The provided scripts are based on the Metasm framework, developed by Yoann Guillot. They allow us to statically unroll the execution of the virtual machine:

- go.rb: the launcher; it only passes a context to the symbolic execution engine.
- msvm64.rb: the core component; it implements the handler analysis and the symbolic execution engine.
- aes.rb: (spoiler alert) a re-implementation of the peauthvbn_InitStore sub-program for debugging purposes.

Let's illustrate the analysis methodology with the first handler executed when peauthvbn_InitStore enters the virtual machine. To begin with, at assembly level:

```
PAGE:000000008005DAB8 sub_8005DAB8 proc near
```
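To make the keyed execution loop and the static-unrolling idea concrete, here is an added Ruby example, not code from the post nor from its Metasm scripts (go.rb, msvm64.rb, aes.rb). It models a toy keyed-dispatch virtual machine whose handlers are already expressed as transfer functions (the output of the lifting step described above), runs it concretely, and then recovers the handler sequence statically by following only the key chain, which is the property that makes the unrolling possible without executing the data operations. All keys, handler names, register effects and the `VmContext` layout are constructed for illustration and bear no relation to the real Warbird handlers.

```ruby
# Added example, not from the original post or its Metasm scripts: a toy model
# of a keyed-dispatch virtual machine and a static unroller for it.
# Every key, handler name and register effect below is constructed.

MASK64 = (1 << 64) - 1

# The post notes that Warbird's virtual registers are indexed off rcx; we model
# the context as a small array of 64-bit virtual register slots.
class VmContext
  attr_reader :vregs
  def initialize(nregs = 8)
    @vregs = Array.new(nregs, 0)
  end
end

# A "lifted" handler: its effect on the virtual registers (op) and the way it
# derives the next key from the current one (next_key). In the real VM both
# come from lifting the handler's assembly to a transfer function; here they
# are hand-written stand-ins. The third handler drives the key to zero, which
# is the halt condition of the execution loop.
Handler = Struct.new(:name, :op, :next_key)

HANDLERS = {
  0x11 => Handler.new('vmov_imm', ->(c) { c.vregs[0] = 0x1234 },
                      ->(k) { k ^ 0x33 }),                  # 0x11 -> 0x22
  0x22 => Handler.new('vadd',     ->(c) { c.vregs[1] = (c.vregs[0] + 0x10) & MASK64 },
                      ->(k) { (k * 3) & 0xff }),            # 0x22 -> 0x66
  0x66 => Handler.new('vxor',     ->(c) { c.vregs[2] = c.vregs[0] ^ c.vregs[1] },
                      ->(k) { k - 0x66 }),                  # 0x66 -> 0 (halt)
  0x77 => Handler.new('vnop',     ->(_c) {},
                      ->(k) { k }),                         # self-loop, never halts
}.freeze

# Concrete execution, the same shape as the post's loop:
#   for (keyed_exec = seed; keyed_exec; keyed_exec = WARBIRD_HANDLERS(&ctx, keyed_exec))
# Returns the names of the handlers executed, in order.
def run_vm(ctx, seed, max_steps: 1000)
  trace = []
  keyed_exec = seed
  while keyed_exec != 0
    raise "VM did not halt within #{max_steps} steps" if trace.size >= max_steps
    h = HANDLERS.fetch(keyed_exec) { raise format('unknown handler key 0x%x', keyed_exec) }
    h.op.call(ctx)
    trace << h.name
    keyed_exec = h.next_key.call(keyed_exec)
  end
  trace
end

# Static unrolling: because each handler's next key depends only on the current
# key, the handler chain can be recovered without running the data operations
# at all. This is the property the post's symbolic execution exploits.
# Returns [[key, name], ...]; raises if the key chain revisits a key (a loop),
# which a naive unroller would otherwise follow forever.
def unroll(seed)
  listing = []
  seen = {}
  key = seed
  while key != 0
    raise format('key chain loops back to 0x%x after %d handlers', key, listing.size) if seen[key]
    seen[key] = true
    h = HANDLERS.fetch(key) { raise format('unknown handler key 0x%x', key) }
    listing << [key, h.name]
    key = h.next_key.call(key)
  end
  listing
end

if __FILE__ == $PROGRAM_NAME
  ctx = VmContext.new
  puts "executed: #{run_vm(ctx, 0x11).join(' -> ')}"
  puts "vregs:    #{ctx.vregs.first(3).map { |v| format('0x%x', v) }.join(', ')}"
  unroll(0x11).each { |k, n| puts format('  key 0x%02x  %s', k, n) }
end
```

The point of keeping `op` and `next_key` separate is that `unroll` never touches `VmContext`: once the key update of each handler has been lifted, the whole handler sequence falls out of the key chain alone. The loop check matters in practice, since a handler whose key update is the identity (or a cycle of handlers) would otherwise make the unroller spin forever.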