Reverse Engineering Asked by zeroaceee on September 30, 2021
Basically I would like to follow (system calls / internal calls) that land in the kernel. I would like, for example, to debug a specific DLL, e.g. ntdll.dll, and follow it to the (NtXXX) function where it is located in the XXX.sys driver. I hope that my question was clear. Also, if it's possible to do this with WinDbg, that would be a lot better for me instead of using 3rd-party software.
I also tried to use Rohitab API Monitor but I couldn't understand how it actually works.
Assuming you wrote this code.
This opens a file in the current directory, reads its contents, counts the content length and prints the contents and the count to the console.
This is a CRT function; it transitions from the CRT to kernel32.dll, kernelbase.dll and ntdll.dll in user mode, and
from ntdll it transitions into kernel mode via a syscall to NtCreateFile in ntoskrnl/ntkrnlmp.exe.
#include <stdio.h>

int main(void)
{
    int c = 0, n = 0;
    FILE *fp = NULL;
    /* fopen_s is the MSVC CRT entry that is traced below: it ends in
       kernel32!CreateFileW and finally the NtCreateFile syscall */
    errno_t err = fopen_s(&fp, "test.txt", "rb");
    if (fp != NULL && err == 0)
    {
        /* read one byte at a time, echo it and count it; stop at EOF */
        while ((c = fgetc(fp)) != EOF)
        {
            n++;
            printf("%c", c);
        }
        fclose(fp);
    }
    printf("\nfile has %d characters\n", n);
    return n;
}
You can use the WinDbg uf /c command to create a flow map as shown below.
I use dynamic analysis as there are many indirect calls and it is easy to
find the destination dynamically.
Open fopen.exe in WinDbg, set a break on the call to fopen_s and hit F5 to break on the call.
0:000> rM0
fopen!main+0x29:
00a21029 e892a50000 call fopen!fopen_s (00a2b5c0)
Enter this call and issue uf /c . (note: the . denotes the current IP).
0:000> t
fopen!fopen_s:
00a2b5c0 8bff mov edi,edi
0:000> uf /c .
fopen!fopen_s (00a2b5c0)
fopen!fopen_s+0xd (00a2b5cd):
call to fopen!_errno (00a42ffd)
fopen!fopen_s+0x17 (00a2b5d7):
call to fopen!_invalid_parameter_noinfo (00a42ed6)
fopen!fopen_s+0x29 (00a2b5e9):
call to fopen!common_fsopen<char> (00a2b383) <<<<<<<<<<<<<<
fopen!fopen_s+0x37 (00a2b5f7):
call to fopen!_errno (00a42ffd)
You will notice a call to fopen!common_fsopen.
Get inside that function and repeat the procedure until you reach the syscall. Note: if the function is inlined you may need to set a bm breakpoint as shown below.
0:000> g fopen!common_fsopen<char>
Couldn't resolve error at 'fopen!common_fsopen<char>'
The breakpoint expression "fopen!common_fsopen<char>" evaluates to the inline function.
Please use bm command to set breakpoints first, then g.
^ Syntax error in 'g fopen!common_fsopen<char>'
0:000> bm fopen!common_fsopen<char>;g
1: 00a2b383 @!"fopen!common_fsopen<char>"
Breakpoint 1 hit
The result of the procedure, repeated until the CRT transitions from itself to kernel32, is shown below; scroll to the end.
0:000> uf /c .
fopen!common_fsopen<char> (00a2b383)
fopen!common_fsopen<char>+0x7 (00a2b38a):
call to fopen!__SEH_prolog4 (00a21b30)
fopen!common_fsopen<char>+0x13 (00a2b396):
call to fopen!_errno (00a42ffd)
fopen!common_fsopen<char>+0x1e (00a2b3a1):
call to fopen!_invalid_parameter_noinfo (00a42ed6)
fopen!common_fsopen<char>+0x38 (00a2b3bb):
call to fopen!_errno (00a42ffd)
fopen!common_fsopen<char>+0x49 (00a2b3cc):
call to fopen!__acrt_stdio_allocate_stream (00a44b46)
fopen!common_fsopen<char>+0x55 (00a2b3d8):
call to fopen!_errno (00a42ffd)
fopen!common_fsopen<char>+0x72 (00a2b3f5):
call to fopen!_openfile (00a45529)
fopen!common_fsopen<char>+0x86 (00a2b409):
call to fopen!common_fsopen<char>+0x96 (00a2b419)
fopen!common_fsopen<char>+0x8d (00a2b410):
call to fopen!__SEH_epilog4 (00a21b76)
0:000> g fopen!_openfile
eax=0016f870 ebx=7ffd5000 ecx=0016f870 edx=0017a89b esi=00a62194 edi=00a62190
eip=00a45529 esp=0016f848 ebp=0016f88c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
fopen!_openfile:
00a45529 8bff mov edi,edi
0:000> uf /c .
fopen!_openfile (00a45529)
fopen!common_openfile<char>+0x11 (00a4519e):
call to fopen!__acrt_stdio_parse_mode<char> (00a44cef)
fopen!common_openfile<char>+0x3a (00a451c7):
call to fopen!_sopen_s (00a5320a)
0:000> g fopen!_sopen_s
eax=0016f840 ebx=7ffd5000 ecx=00a62190 edx=0017a89b esi=00a62194 edi=00a62190
eip=00a5320a esp=0016f810 ebp=0016f844 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
fopen!_sopen_s:
00a5320a 8bff mov edi,edi
0:000> uf /c .
fopen!_sopen_s (00a5320a)
fopen!_sopen_s+0x16 (00a53220):
call to fopen!common_sopen_dispatch<char> (00a528eb)
0:000> g fopen!common_sopen_dispatch<char>
Couldn't resolve error at 'fopen!common_sopen_dispatch<char>'
The breakpoint expression "fopen!common_sopen_dispatch<char>" evaluates to the inline function.
Please use bm command to set breakpoints first, then g.
^ Syntax error in 'g fopen!common_sopen_dispatch<char>'
0:000> bm fopen!common_sopen_dispatch<char>;g
2: 00a528eb @!"fopen!common_sopen_dispatch<char>"
Breakpoint 2 hit
eax=0016f840 ebx=7ffd5000 ecx=00a62190 edx=0017a89b esi=00a62194 edi=00a62190
eip=00a528eb esp=0016f7f0 ebp=0016f80c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
fopen!common_sopen_dispatch<char>:
00a528eb 6a10 push 10h
0:000> uf /c .
fopen!common_sopen_dispatch<char> (00a528eb)
fopen!common_sopen_dispatch<char>+0x7 (00a528f2):
call to fopen!__SEH_prolog4 (00a21b30)
fopen!common_sopen_dispatch<char>+0x13 (00a528fe):
call to fopen!_errno (00a42ffd)
fopen!common_sopen_dispatch<char>+0x1d (00a52908):
call to fopen!_invalid_parameter_noinfo (00a42ed6)
fopen!common_sopen_dispatch<char>+0x5d (00a52948):
call to fopen!_sopen_nolock (00a5319a)
fopen!common_sopen_dispatch<char>+0x71 (00a5295c):
call to fopen!common_sopen_dispatch<char>+0x8b (00a52976)
fopen!common_sopen_dispatch<char>+0x7f (00a5296a):
call to fopen!__SEH_epilog4 (00a21b76)
0:000> g fopen!_sopen_nolock
eax=0016f7cc ebx=7ffd5000 ecx=00a62190 edx=0017a89b esi=0016f840 edi=00a62190
eip=00a5319a esp=0016f79c ebp=0016f7ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
fopen!_sopen_nolock:
00a5319a 8bff mov edi,edi
0:000> uf /c .
fopen!_sopen_nolock (00a5319a)
fopen!_sopen_nolock+0x1d (00a531b7):
call to fopen!__acrt_get_utf8_acp_compatibility_codepage (00a4a841)
fopen!_sopen_nolock+0x2a (00a531c4):
call to fopen!__acrt_mbs_to_wcs_cp<__crt_win32_buffer_internal_dynamic_resizing> (00a49bea)
fopen!_sopen_nolock+0x50 (00a531ea):
call to fopen!_wsopen_nolock (00a53282)
fopen!_sopen_nolock+0x63 (00a531fd):
call to fopen!_free_base (00a430ff)
0:000> g fopen!_wsopen_nolock
eax=00000000 ebx=7ffd5000 ecx=8b190463 edx=00000009 esi=0016f840 edi=00a62190
eip=00a53282 esp=0016f75c ebp=0016f798 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
fopen!_wsopen_nolock:
00a53282 8bff mov edi,edi
0:000> uf /c .
fopen!_wsopen_nolock (00a53282)
fopen!_wsopen_nolock+0x18 (00a5329a):
call to fopen!decode_options (00a52e85)
fopen!_wsopen_nolock+0x32 (00a532b4):
call to fopen!__doserrno (00a42fea)
fopen!_wsopen_nolock+0x3f (00a532c1):
call to fopen!_errno (00a42ffd)
fopen!_wsopen_nolock+0x4b (00a532cd):
call to fopen!_alloc_osfhnd (00a4cc8a)
fopen!_wsopen_nolock+0x59 (00a532db):
call to fopen!__doserrno (00a42fea)
fopen!_wsopen_nolock+0x63 (00a532e5):
call to fopen!_errno (00a42ffd)
fopen!_wsopen_nolock+0xa4 (00a53326):
call to fopen!create_file (00a52d97)
fopen!_wsopen_nolock+0xe9 (00a5336b):
call to fopen!create_file (00a52d97)
fopen!_wsopen_nolock+0x114 (00a53396):
call to kernel32!GetLastErrorStub (75eccde0)
fopen!_wsopen_nolock+0x11b (00a5339d):
call to fopen!__acrt_errno_map_os_error (00a42fc7)
fopen!_wsopen_nolock+0x127 (00a533a9):
call to kernel32!GetFileTypeImplementation (75ed6ab4)
fopen!_wsopen_nolock+0x131 (00a533b3):
call to kernel32!GetLastErrorStub (75eccde0)
fopen!_wsopen_nolock+0x13a (00a533bc):
call to fopen!__acrt_errno_map_os_error (00a42fc7)
fopen!_wsopen_nolock+0x15a (00a533dc):
call to kernel32!CloseHandleImplementation (75ece868)
fopen!_wsopen_nolock+0x168 (00a533ea):
call to fopen!_errno (00a42ffd)
fopen!_wsopen_nolock+0x194 (00a53416):
call to fopen!__acrt_lowio_set_os_handle (00a4cbd3)
fopen!_wsopen_nolock+0x1e0 (00a53462):
call to fopen!truncate_ctrl_z_if_present (00a53096)
fopen!_wsopen_nolock+0x1ee (00a53470):
call to fopen!_close_nolock (00a45761)
fopen!_wsopen_nolock+0x215 (00a53497):
call to fopen!configure_text_mode (00a52b42)
fopen!_wsopen_nolock+0x2a7 (00a53529):
call to kernel32!CloseHandleImplementation (75ece868)
fopen!_wsopen_nolock+0x2ca (00a5354c):
call to fopen!create_file (00a52d97)
fopen!_wsopen_nolock+0x2d9 (00a5355b):
call to kernel32!GetLastErrorStub (75eccde0)
fopen!_wsopen_nolock+0x2e0 (00a53562):
call to fopen!__acrt_errno_map_os_error (00a42fc7)
fopen!_wsopen_nolock+0x300 (00a53582):
call to fopen!_free_osfhnd (00a4cd93)
0:000> g fopen!create_file
eax=0016f744 ebx=0016f840 ecx=00000000 edx=00000000 esi=0016f744 edi=0016f708
eip=00a52d97 esp=0016f6e4 ebp=0016f758 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
fopen!create_file:
00a52d97 8bff mov edi,edi
0:000> uf /c .
fopen!create_file (00a52d97)
fopen!create_file+0x1d (00a52db4):
call to kernel32!CreateFileWImplementation (75ece8a5) <<<<<<<<<<<<<<<<<
kernel32.dll to kernelbase.dll
0:000> uf /c 75ece8a5
kernel32!CreateFileWImplementation (75ece8a5)
kernel32!CreateFileWImplementation+0xe (75ece8b3):
call to ntdll!RtlInitUnicodeStringEx (77a76f0a)
kernel32!CreateFileWImplementation+0x2a (75ece8c8):
call to kernel32!BaseIsThisAConsoleName (75ece903)
kernel32!CreateFileWImplementation+0x64 (75ece8ea):
call to kernel32!CreateFileW (75ece8f8)
kernel32!CreateFileWImplementation+0x48 (75eea050):
call to kernel32!OpenConsoleW (75ec0853)
kernel32!CreateFileWImplementation+0x19 (75eebe96):
call to kernel32!BaseSetLastNTError (75ecf790)
0:000> uf /c kernel32!CreateFileW
Flow analysis was incomplete, some code may be missing
kernel32!CreateFileW (75ece8f8)
no calls found
0:000> uf kernel32!CreateFileW
Flow analysis was incomplete, some code may be missing
kernel32!_imp__CreateFileW:
75e819e0 68a7d9755e push 5E75D9A7h
75e819e5 44 inc esp
kernel32!CreateFileW:
75ece8f8 ff25e019e875 jmp dword ptr [kernel32!_imp__CreateFileW (75e819e0)]
Shown below is the transition from kernelbase to ntdll and from ntdll to kernel mode. Since there are many indirect calls you may need to evaluate each of them using the run-to-call (pc) command.
0:000> uf /c poi(75e819e0)
KERNELBASE!CreateFileW (75d9a768)
KERNELBASE!CreateFileW+0x68 (75d9a799):
call to ntdll!RtlInitUnicodeStringEx (77a76f0a)
KERNELBASE!CreateFileW+0x9e (75d9a7d3):
call to ntdll!RtlDosPathNameToRelativeNtPathName_U_WithStatus (77a7a6a1)
KERNELBASE!CreateFileW+0x312 (75d9a8ed):
call to KERNELBASE!SbSelectProcedure (75d9a755)
KERNELBASE!CreateFileW+0x31f (75d9a8fa):
unresolvable call: call eax
KERNELBASE!CreateFileW+0x35c (75d9a937):
unresolvable call: call esi
KERNELBASE!CreateFileW+0x3c8 (75d9a94c):
call to ntdll!RtlReleaseRelativeName (77a77f7a)
KERNELBASE!CreateFileW+0x3e6 (75d9a96a):
unresolvable call: call esi
KERNELBASE!CreateFileW+0x3f8 (75d9a97c):
unresolvable call: call esi
KERNELBASE!CreateFileW+0x44e (75d9a997):
call to ntdll!RtlSetLastWin32Error (77a730fb)
KERNELBASE!CreateFileW+0x3ff (75d9a9b2):
call to KERNELBASE!BaseSetLastNTError (75d96b4d)
KERNELBASE!CreateFileW+0xb8 (75d9f441):
call to ntdll!RtlSetLastWin32Error (77a730fb)
KERNELBASE!CreateFileW+0x1a8 (75da16c6):
call to ntdll!NtQueryInformationFile (77a66058)
KERNELBASE!CreateFileW+0xc1 (75da446c):
call to KERNELBASE!BaseSetLastNTError (75d96b4d)
KERNELBASE!CreateFileW+0x423 (75da73e3):
call to ntdll!RtlSetLastWin32Error (77a730fb)
KERNELBASE!CreateFileW+0x46f (75db80bd):
call to ntdll!ZwSetInformationFile (77a66678)
KERNELBASE!CreateFileW+0x2f (75dbd130):
call to KERNELBASE!BaseSetLastNTError (75d96b4d)
KERNELBASE!CreateFileW+0x1bf (75dbd158):
call to KERNELBASE!KernelBaseGetGlobalData (75d96843)
KERNELBASE!CreateFileW+0x1d6 (75dbd16f):
call to ntdll!RtlAllocateHeap (77a72dd6)
KERNELBASE!CreateFileW+0x1f8 (75dbd18d):
call to ntdll!ZwQueryEaFile (77a66008)
KERNELBASE!CreateFileW+0x213 (75dbd1a8):
call to ntdll!RtlFreeHeap (77a72c6a)
KERNELBASE!CreateFileW+0x2c2 (75dbd1d5):
call to ntdll!RtlReleaseRelativeName (77a77f7a)
KERNELBASE!CreateFileW+0x2d8 (75dbd1eb):
call to ntdll!RtlFreeHeap (77a72c6a)
KERNELBASE!CreateFileW+0x2e3 (75dbd1f6):
call to KERNELBASE!BaseSetLastNTError (75d96b4d)
KERNELBASE!CreateFileW+0x3a2 (75dbd247):
unresolvable call: call esi
KERNELBASE!CreateFileW+0x3b8 (75dbd265):
call to KERNELBASE!AitLogFeatureUsageByApp (75dd0aef)
KERNELBASE!CreateFileW+0x47a (75dbd27e):
call to KERNELBASE!BaseSetLastNTError (75d96b4d)
KERNELBASE!CreateFileW+0x482 (75dbd286):
call to ntdll!NtClose (77a65508)
0:000> bp poi(75e819e0);g
Breakpoint 0 hit
eax=00000000 ebx=0016f840 ecx=75ece9b9 edx=00000074 esi=0016f744 edi=0016f708
eip=75d9a768 esp=0016f694 ebp=0016f6bc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
KERNELBASE!CreateFileW:
75d9a768 8bff mov edi,edi
0:000> pc
eax=0016f668 ebx=0016f840 ecx=75ece9b9 edx=00000074 esi=0017a8d8 edi=0016f708
eip=75d9a799 esp=0016f61c ebp=0016f690 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
KERNELBASE!CreateFileW+0x68:
75d9a799 ff15ec11d975 call dword ptr [KERNELBASE!_imp__RtlInitUnicodeStringEx (75d911ec)]
ds:0023:75d911ec={ntdll!RtlInitUnicodeStringEx (77a76f0a)}
0:000> pc
eax=0016f668 ebx=00000000 ecx=00000008 edx=00000000 esi=0017a8d8 edi=0016f708
eip=75d9a7d3 esp=0016f614 ebp=0016f690 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
KERNELBASE!CreateFileW+0x9e:
75d9a7d3 ff150414d975 call dword ptr [KERNELBASE!_imp__RtlDosPathNameToRelativeNtPathName_U_WithStatus (75d91404)] ds:0023:75d91404={ntdll!RtlDosPathNameToRelativeNtPathName_U_WithStatus (77a7a6a1)}
0:000> pc
eax=00200000 ebx=00000000 ecx=00000000 edx=00000080 esi=00000020 edi=00000000
eip=75d9a8ed esp=0016f610 ebp=0016f690 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
KERNELBASE!CreateFileW+0x312:
75d9a8ed e863feffff call KERNELBASE!SbSelectProcedure (75d9a755)
0:000> pc
eax=75d9a760 ebx=00000000 ecx=0016f698 edx=00000000 esi=00000020 edi=00000000
eip=75d9a8fa esp=0016f61c ebp=0016f690 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
KERNELBASE!CreateFileW+0x31f:
75d9a8fa ffd0 call eax {KERNELBASE!CreateFileDowngrade_Vista (75d9a760)}
0:000> pc
eax=0016f688 ebx=00000000 ecx=0016f62c edx=00000000 esi=77a65608 edi=00000000
eip=75d9a937 esp=0016f5f4 ebp=0016f690 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
KERNELBASE!CreateFileW+0x35c:
75d9a937 ffd6 call esi {ntdll!ZwCreateFile (77a65608)}
0:000> t
eax=0016f688 ebx=00000000 ecx=0016f62c edx=00000000 esi=77a65608 edi=00000000
eip=77a65608 esp=0016f5f0 ebp=0016f690 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
ntdll!ZwCreateFile:
77a65608 b842000000 mov eax,42h
0:000> pc
eax=00000042 ebx=00000000 ecx=0016f62c edx=7ffe0300 esi=77a65608 edi=00000000
eip=77a65612 esp=0016f5f0 ebp=0016f690 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
ntdll!ZwCreateFile+0xa:
77a65612 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (77a670f0)}
0:000>
For mapping kernel mode calls you need a kernel debugging session with two machines, a host and a target (physical/VM, VM/VM or physical/physical).
Set a process-specific break on nt!NtCreateFile and repeat the procedure; it will most likely reach Object Manager calls, ObCreateObject() etc., before returning back to user mode.
Answered by blabb on September 30, 2021