Shulou(Shulou.com)06/02 Report--

How to parse the Windows kernel extension mechanism, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

Recently, I wrote a kernel-mode driver myself, and like a lot of code I usually write, this drive also has Bug. Specifically, this drive prevents other drives from loading properly and causing the system to crash.

In fact, many initiators default that their initialization process (DriverEntry) executes successfully, so they cannot handle it correctly when a problem occurs. J00ru mentioned several cases in his blog post a few years ago, and many of them are related to the current version of Windows, and I am only interested in one of the drives. What attracts me most here is the "Windows kernel host extension mechanism".

This drive is a new driver introduced in Bam.sys (Background Activity Moderator)-Windows 10 v1709 (RS3). When there is a problem with its DriverEntry, the call stack will cause the system to crash:

We can see from the crash message that Bam.sys registered a process creation callback and forgot to log it out before uninstalling it. Next, when a process is created / terminated, the system attempts to call the callback and reference the old pointer, causing the system to crash.

What's interesting is not that the system crashed, but how Bam.sys registered the callback. Generally speaking, the process creation callback is registered with ntfolpsSetCreateProcessNotifyRoutine (Ex), which adds this callback to the ntfoldPspCreateProcessNotifyRoutine array. Next, when the process is created / terminated, the ntfolds PspCallProcessNotifyRoutines iterates through the array and invokes all registered callbacks. However, if we run "! wdbgark.wa_systemcb / typeprocess" in WinDbg, we will see that there is no callback used by Bam.sys in this array:

It turns out that Bam.sys uses another mechanism to register its callbacks:

After looking at ntexamples PspCallProcessNotifyRoutines, we find that there is a display reference pointing to ntlegs PspBamExtensionHost. It uses this "extension host" to retrieve the so-called "extension table" and calls the first function in the extension table, bamboat BampCreateProcessCallback.

When we open Bam.sys in IDA, we can directly see bammerBampCreateProcessCallback and search for its xrefs. Fortunately, it has only one, which is in the bamboat BampRegisterKernelExtension:

I suspect that Bamboat BampCreateProcessCallback does not register through the regular callback registration mechanism. In fact, it is stored in a function table called Bamboat BampKernelCalloutTable, which is passed to the ntasking ExRegisterExtension function (not documented) along with other parameters.

The only thing I found related to this function is the ntosifs.h header file, which contains the prototype of the ntasking ExRegisterExtension function and the _ EX_EXTENSION_REGISTRATION_1 structure.

The prototype of the ntasking ExRegisterExtension function and _ EX_EXTENSION_REGISTRATION_1:

NTKERNELAPINTSTATUS ExRegisterExtension (_ Outptr_ PEX_EXTENSION * Extension, _ In_ ULONG RegistrationVersion, _ In_ PVOID RegistrationInfo); typedefstruct _ EX_EXTENSION_REGISTRATION_1 {USHORT ExtensionId; USHORT ExtensionVersion; USHORT FunctionCount; VOID * FunctionTable; PVOID * HostInterface; PVOID DriverObject;} EX_EXTENSION_REGISTRATION_1, * PEX_EXTENSION_REGISTRATION_1

Note: the pseudo code for ntasking ExRegisterExtension can be found in Appendix B.

We can see that the ntasking ExRegisterExtension searches for hosts whose names match RegistrationInfo. So the question is, where did these hosts come from?

During the initialization process, NTOS calls the ntasking ExRegisterHost multiple times. On each call, it passes a structure to identify the predefined drives in the list (the full list can be found in Appendix A). For example, Bam.sys initializes a host with the following call:

The ntasking ExRegisterHost allocates a type_HOST_LIST_ENTRY structure, initializes it with the parameters provided by the caller, and then adds it to the end of the ntasking ExpHostList. The _ HOST_LIST_ENTRY structure is not documented in the document, and its approximate structure is as follows:

Struct_HOST_LIST_ENTRY {_ LIST_ENTRY List; DWORD RefCount; USHORT ExtensionId; USHORT ExtensionVersion; USHORT FunctionCount; / / number ofcallbacks that the extension / / contains POOL_TYPE PoolType; / / where this host is allocated PVOID HostInterface; / / table of unexportednt functions, / / to be used by thedriver to which / / this extensionbelongs PVOID FunctionAddress / / optional, rarelyused. / / This callback iscalled before / / and after anextension for this / / host isregistered / unregistered PVOID ArgForFunction; / / will be sent tothe function saved here _ EX_RUNDOWN_REF RundownRef; _ EX_PUSH_LOCK Lock; PVOID FunctionTable; / / a table of thecallbacks that the / / driver "registers" DWORD Flags; / / Only uses one bit. / / Not sure about itsmeaning.} HOST_LIST_ENTRY, * PHOST_LIST_ENTRY

When one of the predefined drives loads, it registers an extension using the ntasking ExRegisterExtension and provides a RegistrationInfo structure that includes a function table. This function table is placed in the FunctionTable member that matches the host. These functions are then called by NTOS in a specific scenario, which is called a callback.

We saw earlier that some of the functions of the ntasking ExRegisterExtension are set to RegistrationInfo- > HostInterface (containing a global variable) and point to some data in the host structure.

Each registered extended drive has an initialization host for NTOS settings, which contains a HostInterface that points to the HTOS function to subscribe to a table. Different drives receive different HostInterface, but some do not.

For example, Bam.sys received the following HostInterface:

In fact, the so-called "kernel extension mechanism" here is even a two-way communication port: the driver provides a list of "callbacks" to be called in different scenarios, and then receives different sets of functions in their own internal usage scenarios.

The following is a sample callback of Bam.sys:

BampCreateProcessCallbackBampSetThrottleStateCallbackBampGetThrottleStateCallbackBampSetUserSettingsBampGetUserSettingsHandle

The host responsible for initializing Bam.sys "knows" in advance that it needs to receive a function table containing the above five functions. These functions must be provided in the above order, so they are called here through the index. We can see that the ntasking PspBamExtensionHost-> FunctionTable [4] call:

All in all, there is a mechanism in Windows that can be used to "extend" NTOS by registering some callback functions and then receiving underived functions that can be used by the driver. I am not sure whether this knowledge point can play a practical role, but I think it is more interesting and worth sharing with you. I hope I can help you. Thank you for reading.

Appendix A-NTOS initialized extension host

Appendix B-function pseudo code ExRegisterExtension.c:NTSTATUSExRegisterExtension (_ Outptr_ PEX_EXTENSION * Extension, _ In_ ULONGRegistrationVersion, _ In_ PREGISTRATION_INFO RegistrationInfo) {/ / Validate that version is ok and thatFunctionTable is not sent without FunctionCount or vise-versa. If ((RegistrationVersion & 0xFFFF0000! = 0x10000) | | (RegistrationInfo- > FunctionTable = = nullptr&& RegistrationInfo- > FunctionCount! = 0) {return STATUS_INVALID_PARAMETER;} / / Skipping over some lock-related stuff, / / Find the host with the matchingversion and id. PHOST_LIST_ENTRY pHostListEntry; pHostListEntry = ExpFindHost (RegistrationInfo- > ExtensionId,RegistrationInfo- > ExtensionVersion); / / More lock-related stuff. If (! pHostListEntry) {return STATUS_NOT_FOUND;} / / Verify that the FunctionCount in thehost doesn't exceed the FunctionCount supplied by the caller. If (RegistrationInfo- > FunctionCount)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.