Wednesday, August 14, 2013

Windbg script to enumerate Process using ActiveProcessLinks

 

This post is only meant to give a simple idea of WinDbg scripting; I am not employing any new technique here. There are many articles and code samples on enumerating processes in kernel mode by walking ActiveProcessLinks in the EPROCESS structure. Please set up the Windows debugging symbols before using the script.

Please go through Windows Internals and the WinDbg commands before reading this article, and get some familiarity with WinDbg scripting, MASM and C++ expression syntax.

Let's start:

I start from nt!PsActiveProcessHead and then follow ActiveProcessLinks to traverse the processes. The list head is a bare _LIST_ENTRY, so subtracting the offset of ActiveProcessLinks (0x88 on this build) from a link address gives the containing _EPROCESS:

kd> ? nt!PsActiveProcessHead
Evaluate expression: -2141875624 = 80559258
kd> dt _eprocess ActiveProcessLinks ImageFileName 80559258-0x88-->805591D0
nt!_EPROCESS
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8998a6e8 - 0x88f2f768 ]
   +0x174 ImageFileName      : [16]  "???"
kd> dt _eprocess ActiveProcessLinks ImageFileName 0x8998a6e8-0x88
nt!_EPROCESS
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x894ba428 - 0x80559258 ]
   +0x174 ImageFileName      : [16]  "System"
 
nt!_EPROCESS
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x894c91d0 - 0x8998a6e8 ]
   +0x174 ImageFileName      : [16]  "smss.exe"
kd> dt _eprocess ActiveProcessLinks ImageFileName 0x894c91d0-0x88C
nt!_EPROCESS
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x0 - 0x1 ]
   +0x174 ImageFileName      : [16]  "h???"
kd> dt _eprocess ActiveProcessLinks ImageFileName 0x894c91d0-0x88
nt!_EPROCESS
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8962d0a8 - 0x894ba428 ]
   +0x174 ImageFileName      : [16]  "csrss.exe"



The script below does the same thing. It can be run from the WinDbg kernel debugger with the following command (assuming the script is saved as C:\eprocessscr.txt):

$$><C:\eprocessscr.txt

I have tested the script on XP SP2. Below is the script:






$$ Walk nt!PsActiveProcessHead through EPROCESS.ActiveProcessLinks.
$$ Kernel symbols must be loaded first (for example .symfix then .reload).
r $t0 = nt!PsActiveProcessHead
.printf "process head= %p\n",@$t0

$$ CONTAINING_RECORD on the head: it is a bare _LIST_ENTRY, not an EPROCESS,
$$ but subtracting the field offset lets the same -> access reach its Flink.
r? $t2 = (nt!_EPROCESS*)(@@masm(@$t0) - #FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks))
r? $t3 = @$t2->ActiveProcessLinks.Flink

$$ below starts the System process (first entry after the head)
r? $t2 = (nt!_EPROCESS*)(@@masm(@$t3) - #FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks))
r? $t3 = @$t2->ActiveProcessLinks.Flink
.printf "flink= %x\n",@$t3
r? $t4 = @$t2->ImageFileName
da @$t4

$$ Terminating condition: the last process's Flink points back at
$$ nt!PsActiveProcessHead (held in @$t0). Comparing against the head rather
$$ than against the first process avoids dumping the head as if it were an EPROCESS.
.while (@$t3 != @$t0)
{
    .printf "---------\n"

    $$ goto next EPROCESS structure
    r? $t2 = (nt!_EPROCESS*)(@@masm(@$t3) - #FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks))
    r? $t3 = @$t2->ActiveProcessLinks.Flink

    .printf "flink= %x\n",@$t3
    r? $t4 = @$t2->ImageFileName
    da @$t4
    .printf "===============\n"
}


The script needs some more workarounds.

Output:

process head= 80559258
flink= 894ba428
8998a7d4  "System"
---------
flink= 894c91d0
894ba514  "smss.exe"
===============
---------
flink= 8962d0a8
894c92bc  "csrss.exe"
===============
---------
flink= 897bc488
8962d194  "winlogon.exe"
===============
I will be enhancing this script to find processes hidden by rootkits by walking other structures such as the HandleTable. This would be helpful in cases where malware does not allow tools like GMER to run on the machine.
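As an added example (not from the original post and not the author's script), here is a Python model of the same walk over a constructed memory image, using the XP offsets shown on this page (0x84 for UniqueProcessId, 0x88 for ActiveProcessLinks, 0x174 for ImageFileName). The EPROCESS addresses are the link addresses from the kd output above minus 0x88 and nt!PsActiveProcessHead is 0x80559258 as on the page; the PIDs and the memory layout are made up, and find_unlinked is a stand-in for the cross-check against an independent source such as the handle table that the post plans to add. It shows the terminating condition a list walk must get right: stop when Flink returns to the head, which is not itself an EPROCESS, because comparing against the first process's entry instead would read one junk record.

```python
import struct

# _EPROCESS field offsets for Windows XP SP2 x86, as shown by dt on this page.
OFF_UNIQUE_PID = 0x84      # UniqueProcessId, the ULONG right before the links
OFF_LINKS = 0x88           # ActiveProcessLinks (_LIST_ENTRY: Flink, Blink)
OFF_IMAGE_NAME = 0x174     # ImageFileName[16]
EPROCESS_SPAN = 0x200      # bytes backed per object in the toy image (assumption)
HEAD_ADDR = 0x80559258     # nt!PsActiveProcessHead address from the page's kd output

# Constructed sample: EPROCESS addresses are the link addresses on this page
# minus 0x88; the PIDs are made up.
SAMPLE_PROCESSES = [
    (0x8998a660, 4, "System"),
    (0x894ba3a0, 368, "smss.exe"),
    (0x894c9148, 584, "csrss.exe"),
    (0x8962d020, 608, "winlogon.exe"),
]

class KernelImage:
    """Sparse 32-bit little-endian memory image: base address -> bytearray."""

    def __init__(self):
        self.blocks = {}

    def alloc(self, base, size):
        self.blocks[base] = bytearray(size)

    def _locate(self, addr, n):
        for base, buf in self.blocks.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError("unmapped access at %#x" % addr)

    def read_u32(self, addr):
        buf, off = self._locate(addr, 4)
        return struct.unpack_from("<I", buf, off)[0]

    def write_u32(self, addr, value):
        buf, off = self._locate(addr, 4)
        struct.pack_into("<I", buf, off, value)

    def write_bytes(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_cstring(self, addr, maxlen=16):
        buf, off = self._locate(addr, maxlen)
        return bytes(buf[off:off + maxlen]).split(b"\0", 1)[0].decode("ascii", "replace")

def containing_eprocess(links_addr):
    """CONTAINING_RECORD(links_addr, _EPROCESS, ActiveProcessLinks)."""
    return links_addr - OFF_LINKS

def build_image(processes, unlinked=()):
    """Lay out EPROCESS objects and chain them through the head. Names in
    `unlinked` get an EPROCESS but are left out of the chain (a DKOM-unlinked state)."""
    mem = KernelImage()
    mem.alloc(HEAD_ADDR, 8)
    for addr, pid, name in processes:
        mem.alloc(addr, EPROCESS_SPAN)
        mem.write_u32(addr + OFF_UNIQUE_PID, pid)
        mem.write_bytes(addr + OFF_IMAGE_NAME, name.encode("ascii").ljust(16, b"\0"))
    chain = [HEAD_ADDR] + [a + OFF_LINKS for a, _, n in processes if n not in unlinked]
    for i, entry in enumerate(chain):
        mem.write_u32(entry, chain[(i + 1) % len(chain)])      # Flink
        mem.write_u32(entry + 4, chain[(i - 1) % len(chain)])  # Blink
    return mem

def walk_active_process_links(mem, head_addr=HEAD_ADDR, limit=4096):
    """Return [(eprocess_addr, pid, name)] by following Flink from the head.
    The head is a bare _LIST_ENTRY in ntoskrnl, so the walk stops when Flink
    returns to it; a cycle that never reaches the head raises instead of hanging."""
    found, seen = [], set()
    flink = mem.read_u32(head_addr)
    while flink != head_addr:
        if flink in seen or len(found) >= limit:
            raise RuntimeError("ActiveProcessLinks is cyclic or corrupt at %#x" % flink)
        seen.add(flink)
        ep = containing_eprocess(flink)
        found.append((ep, mem.read_u32(ep + OFF_UNIQUE_PID),
                      mem.read_cstring(ep + OFF_IMAGE_NAME)))
        flink = mem.read_u32(flink)
    return found

def find_unlinked(mem, independent_view):
    """Cross-view check: EPROCESS addresses known from another source (such as
    the handle-table walk the page plans to add) that the linked list does not show."""
    listed = {ep for ep, _, _ in walk_active_process_links(mem)}
    return sorted(set(independent_view) - listed)

if __name__ == "__main__":
    image = build_image(SAMPLE_PROCESSES, unlinked={"csrss.exe"})
    for ep, pid, name in walk_active_process_links(image):
        print("%08x  pid %4d  %s" % (ep, pid, name))
    print("not on the list:", find_unlinked(image, [a for a, _, _ in SAMPLE_PROCESSES]))
```

Running it prints System, smss.exe and winlogon.exe from the list and reports 0x894c9148 (csrss.exe) as present in the independent view but absent from ActiveProcessLinks, which is exactly the discrepancy a cross-view check looks for.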


I came across C code on the internet that uses the same technique. I am not sure who the author is; anyway, thanks to the author. The site is offline, so I am pasting the code here:






#include <ntddk.h>

/*
 * Enumerates processes by walking EPROCESS.ActiveProcessLinks starting from the
 * System process. Offsets are hard-coded for Windows XP x86:
 *   UniqueProcessId    +0x84  (the ULONG immediately before the links)
 *   ActiveProcessLinks +0x88
 *   ImageFileName      +0x174 (0xEC bytes past the links)
 * so it has to be adjusted from the symbols of any other build.
 */
extern PEPROCESS PsInitialSystemProcess;
PEPROCESS   SystemPEPROCESS;
PLIST_ENTRY PSystemActiveProcessLinks;
PLIST_ENTRY PsActiveProcessHead;
PLIST_ENTRY ProcessLinks;

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
        UNREFERENCED_PARAMETER(pDriverObject);
        UNREFERENCED_PARAMETER(pRegistryPath);

        DbgPrint("PsInitialSystemProcess : %X\n", PsInitialSystemProcess);
        /* Without __declspec(dllimport) the symbol resolves to the driver's
           import-table slot, so one extra dereference reaches the PEPROCESS. */
        __asm
        {
                mov ebx, PsInitialSystemProcess
                mov ebx, [ebx]
                push ebx
                pop SystemPEPROCESS
        }
        DbgPrint("SystemPEPROCESS : %X\n", SystemPEPROCESS);
        /* &System->ActiveProcessLinks (offset 0x88 on XP) */
        __asm
        {
                mov ebx, SystemPEPROCESS
                lea ebx, [ebx + 88h]
                push ebx
                pop PSystemActiveProcessLinks
        }
        DbgPrint("PSystemActiveProcessLinks : %X\n", PSystemActiveProcessLinks);
        /* System is the first entry after the head, so its Blink is nt!PsActiveProcessHead. */
        PsActiveProcessHead = PSystemActiveProcessLinks->Blink;
        DbgPrint("PsActiveProcessHead : %X\n", PsActiveProcessHead);
        DbgPrint("-------------------------------------------\n");

        /* Walk forward until the entry whose Flink is System again; that entry is
           the list head itself, which is not an EPROCESS and is never printed. */
        ProcessLinks = PSystemActiveProcessLinks;
        while (ProcessLinks->Flink != PSystemActiveProcessLinks)
        {
                DbgPrint("ProcessID : %u    ImageFileName : %s\n",
                         *(PULONG)((PULONG)ProcessLinks - 1),   /* UniqueProcessId at +0x84 */
                         (char*)ProcessLinks + 0xEC);           /* ImageFileName at +0x174 */
                ProcessLinks = ProcessLinks->Flink;
        }

        /* Returning an error status makes the load fail, so the driver is
           unloaded again right after printing. */
        return STATUS_DEVICE_CONFIGURATION_ERROR;
}

 


References:

http://tiny2n.tistory.com/77
http://x9090.blogspot.in/2009/09/doc-windbg-hiding-processes-with-dkom.html

Cheers.

Abhijit
