Wednesday, January 21, 2015

A List of PatchGuard v8.1 Related Functions on x64 and ARM

I was working on analyzing PatchGuard on Windows RT 8.1 (which runs on ARM) last two months and got that work done recently. Analysis tuned out to be a lot easier than I expected mostly because PatchGuard's code was written in C and had the almost same structure on both x64 which I had already analyzed and ARM.

In order to look at PatchGuard on Window RT 8.1, almost all I had to do was to identify PatchGuard related functions and map them with corresponding functions on x64.

Here is a table showing that mapping (ones have different names between platforms are highlighted).

x64 ARM
CcAdjustBcbDepth CcUnmapBehindLazyReader
CcBcbProfiler CcDelayedFlushTimer
CcInitializeBcbProfiler CcPrepareDelayedFlushTimers
CmpAppendDllSection ExpWnfAcquireNameInstanceShared
CmpEnableLazyFlushDpcRoutine CmpEnableLazyFlushDpcRoutine
CmpLazyFlushDpcRoutine CmpLazyFlushDpcRoutine
DeferredRoutine <NoSymbol>
ExInitSystemPhase2 ExInitSystemPhase2
ExpCenturyDpcRoutine ExpCenturyDpcRoutine
ExpTimerDpcRoutine ExpTimerDpcRoutine
ExpTimeRefreshDpcRoutine ExpTimeRefreshDpcRoutine
ExpTimeZoneDpcRoutine ExpTimeZoneDpcRoutine
FsRtlMdlReadCompleteDevEx RtlpExecuteHandlerForUnwind_xdata_compact
FsRtlUninitializeSmallMcb ExpPrefetchPushLock
IopTimerDispatch IopTimerDispatch
KeCompactServiceTable KeCompactServiceTable
KeInitAmd64SpecificState KeArmDiscoverCacheTopology
KiBalanceSetManagerDeferredRoutine KiBalanceSetManagerDeferredRoutine
KiDispatchCallout CcDelayedFlushTimer
KiDpcDispatch <NoSymbol>
KiFastGetCallersAddress KiFastGetCallersAddress
KiFatalExceptionFilter KiFatalExceptionFilter
KiFilterFiberContext KiArmDiscoverCacheTopology
KiGetGdtIdt <NoSymbol>
KiLockExtendedServiceTable KiLockExtendedServiceTable
KiLockServiceTable KiLockServiceTable
KiMcaDeferredRecoveryService KiInitializeExternalCacheController
KiScbQueueScanWorker PopPdcSampleIdleTimeouts
KiServiceTablesLocked KiServiceTablesLocked
KiTimerDispatch <NoSymbol>
PopPoCoalescinCallback PopPoCoalescinCallback
PopThermalZoneDpc PopThermalZoneDpc
PsQueryThreadTerminationPort PspGetReaperLink
RtlLookupFunctionEntryEx CmpFlushLockedHives
SdbpCheckDll PspInitDeferredResourceReservation
<NoSymbol> CmpDelayFreeTMWorker
<NoSymbol> FsRtlPrivateResetHighestLockOffset
<NoSymbol> FsRtlReInitializeTunnelCache
<NoSymbol> FsRtlRemovePerStreamContextEx
<NoSymbol> KiCheckForDivideOverflow
<NoSymbol> KiRundownScbQueue
<NoSymbol> RtlInsertSmallIndex

These functions were taken from an ntoskrnl.exe version 6.3.9600.17476 and either only used by PatchGuard or have some importance from the point of view of analysis. For example, IopTimerDispatch() is not a PatchGuard dedicated function but can be used as one of its DPC routines, while KeInitAmd64SpecificState() and KeArmDiscoverCacheTopology() are dedicated and only used to initiate PatchGuard.

It seemed that some more functions were added for PatchGuard since Windows 10, but most, if not all, of these functions still remain the same name, so though this list is unlikely to be perfect, it would help you start your own analysis on both x64 and ARM.

1 comment:

  1. Hypervisor” is simply a variant of “supervisor,” a traditional name for the software that controls task scheduling and other fundamental operations in a computer system.

    popular hypervisors

    ReplyDelete