Monday, January 26, 2015

ARM Exception Handling and an IDAPython Script

Windows RT has differences in several points, and implementation of SEH is one of them. To sort out my understanding of ARM exception handling, I wrote an IDAPython script that interprets SEH information in an Windows RT PE file and applies it to an IDB. Here is an example of how this script helps you (I use one of PatchGuard routines uses SEH to obfuscate its code flow):
Image1: Before Use (plain output of IDA)
Image2: After Use
 In the image2, comments show that there is a __try/__except block around a call to __rt_sdiv().
Image3: Exception Filter
If you look at the location of an exception filter, you will find that the exception filter is calling another interesting looking function, which is actually authentic PatchGuard code flow. You could miss this path if you were just looking at plain output of IDA like the image1. This script will help you tell existence of SEH handlers.

About the internal of ARM exception handling, I do not explain it here as there is detailed enough explanations on MSDN[1] to understand it, but in short, it is fairly similar to one on x64. For instance, each function in a file is dictated by a RUNTIME_FUNCTION structure located in a .pdata section, and the structure points to an .xdata record consists of a SCOPE_TABLE structure and an array of its entries describing ranges of __try blocks, addresses of except filters and body blocks (or finally blocks). These are all essentially the same design as x64. 

As a note, I listed some references below which may complement your understanding of ARM exception handing[2][3][4][5]. Hope you enjoy them and my script too. 

  1. ARM Exception Handling
  2. Exceptional behavior: the Windows 8.1 X64 SEH Implementation
    References listed at the top of the articles are all exceptionally good, apart from this article.
  3. RtlLookupFunctionEntry function
    Returns a corresponding .pdata entry for a given address.
  4. .fnent (Display Function Data)
    You can dump .pdata/.xdata information with it.
  5. Improving IDA Analysis of x64 Exception Handling
    An x64 version of my script. Very handy.

Wednesday, January 21, 2015

A List of PatchGuard v8.1 Related Functions on x64 and ARM

I was working on analyzing PatchGuard on Windows RT 8.1 (which runs on ARM) last two months and got that work done recently. Analysis tuned out to be a lot easier than I expected mostly because PatchGuard's code was written in C and had the almost same structure on both x64 which I had already analyzed and ARM.

In order to look at PatchGuard on Window RT 8.1, almost all I had to do was to identify PatchGuard related functions and map them with corresponding functions on x64.

Here is a table showing that mapping (ones have different names between platforms are highlighted).

x64 ARM
CcAdjustBcbDepth CcUnmapBehindLazyReader
CcBcbProfiler CcDelayedFlushTimer
CcInitializeBcbProfiler CcPrepareDelayedFlushTimers
CmpAppendDllSection ExpWnfAcquireNameInstanceShared
CmpEnableLazyFlushDpcRoutine CmpEnableLazyFlushDpcRoutine
CmpLazyFlushDpcRoutine CmpLazyFlushDpcRoutine
DeferredRoutine <NoSymbol>
ExInitSystemPhase2 ExInitSystemPhase2
ExpCenturyDpcRoutine ExpCenturyDpcRoutine
ExpTimerDpcRoutine ExpTimerDpcRoutine
ExpTimeRefreshDpcRoutine ExpTimeRefreshDpcRoutine
ExpTimeZoneDpcRoutine ExpTimeZoneDpcRoutine
FsRtlMdlReadCompleteDevEx RtlpExecuteHandlerForUnwind_xdata_compact
FsRtlUninitializeSmallMcb ExpPrefetchPushLock
IopTimerDispatch IopTimerDispatch
KeCompactServiceTable KeCompactServiceTable
KeInitAmd64SpecificState KeArmDiscoverCacheTopology
KiBalanceSetManagerDeferredRoutine KiBalanceSetManagerDeferredRoutine
KiDispatchCallout CcDelayedFlushTimer
KiDpcDispatch <NoSymbol>
KiFastGetCallersAddress KiFastGetCallersAddress
KiFatalExceptionFilter KiFatalExceptionFilter
KiFilterFiberContext KiArmDiscoverCacheTopology
KiGetGdtIdt <NoSymbol>
KiLockExtendedServiceTable KiLockExtendedServiceTable
KiLockServiceTable KiLockServiceTable
KiMcaDeferredRecoveryService KiInitializeExternalCacheController
KiScbQueueScanWorker PopPdcSampleIdleTimeouts
KiServiceTablesLocked KiServiceTablesLocked
KiTimerDispatch <NoSymbol>
PopPoCoalescinCallback PopPoCoalescinCallback
PopThermalZoneDpc PopThermalZoneDpc
PsQueryThreadTerminationPort PspGetReaperLink
RtlLookupFunctionEntryEx CmpFlushLockedHives
SdbpCheckDll PspInitDeferredResourceReservation
<NoSymbol> CmpDelayFreeTMWorker
<NoSymbol> FsRtlPrivateResetHighestLockOffset
<NoSymbol> FsRtlReInitializeTunnelCache
<NoSymbol> FsRtlRemovePerStreamContextEx
<NoSymbol> KiCheckForDivideOverflow
<NoSymbol> KiRundownScbQueue
<NoSymbol> RtlInsertSmallIndex

These functions were taken from an ntoskrnl.exe version 6.3.9600.17476 and either only used by PatchGuard or have some importance from the point of view of analysis. For example, IopTimerDispatch() is not a PatchGuard dedicated function but can be used as one of its DPC routines, while KeInitAmd64SpecificState() and KeArmDiscoverCacheTopology() are dedicated and only used to initiate PatchGuard.

It seemed that some more functions were added for PatchGuard since Windows 10, but most, if not all, of these functions still remain the same name, so though this list is unlikely to be perfect, it would help you start your own analysis on both x64 and ARM.