check read access when dump file name in _FILE_OBJECT

2020-05-29 01:39:32 +07:00
parent ecc476c604
commit 4bf2bb71ff
6 changed files with 51116 additions and 12 deletions


@ -62,7 +62,7 @@ fn main() -> Result<(), Box<dyn Error>> {
driver.deref_addr(try_eprocess_ptr + eprocess_name_offset, &mut image_name);
driver.deref_addr(try_eprocess_ptr + eprocess_image_file_ptr_offset, &mut file_object_ptr);
let filename = if file_object_ptr != 0 { driver.get_unicode_string(file_object_ptr + fob_filename_offset)? }
let filename = if file_object_ptr != 0 { driver.get_unicode_string(file_object_ptr + fob_filename_offset, true)? }
else { "".to_string() };
if let Ok(name) = from_utf8(&image_name) {
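Review bot: The `?` on the new `get_unicode_string(file_object_ptr + fob_filename_offset, true)?` call still aborts the whole process enumeration when one `_FILE_OBJECT.FileName` is empty or malformed, because `get_unicode_string` returns `Err("Unicode string is empty")` for a null buffer, zero or odd length, or length above capacity (visible in the third file's hunk), while the `file_object_ptr == 0` case on the next line is handled with `""`. Treating both the same keeps the loop going: `driver.get_unicode_string(file_object_ptr + fob_filename_offset, true).unwrap_or_default()`. This call site also dereferences `FileName` without the `ReadAccess` gate the commit adds in the pool scanner; if that is deliberate, a one-line comment such as `// no ReadAccess gate here: the pointer comes from EPROCESS.ImageFilePointer, not a pool scan` would make the asymmetry intentional rather than an oversight. `fn main` starts before this hunk.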


@ -13,6 +13,7 @@ fn main() -> Result<(), Box<dyn Error>> {
let fob_size = driver.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;
let fob_size_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.Size")?;
let fob_read_access_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.ReadAccess")?;
let fob_filename_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.FileName")?;
let valid_end = (pool_addr + chunk_size) - fob_size;
@ -29,13 +30,20 @@ fn main() -> Result<(), Box<dyn Error>> {
try_ptr += 0x4; // search exhaustively
}
if try_ptr > valid_end {
println!("pool: 0x{:x} cannot detect file object", pool_addr);
return Ok(false);
}
let fob_addr = try_ptr;
// println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: {}", pool_addr, fob_addr, fob_addr - pool_addr);
if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset) {
println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: {} | {}",
pool_addr, fob_addr, fob_addr - pool_addr, filename);
let mut read_ok = 0u8;
driver.deref_addr(fob_addr + fob_read_access_offset, &mut read_ok);
println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr);
if read_ok == 0 {
println!(" [NOT READABLE]");
return Ok(true);
}
if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {
println!(" {}", filename);
return Ok(true);
}
Ok(false)
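Review bot: The new `read_ok` gate reads `_FILE_OBJECT.ReadAccess` and skips the name dump when it is zero, but if that field is the Windows open-access flag (whether the handle was opened for read) rather than a memory-validity indicator, the check filters out write-only file objects while doing nothing to protect the `get_unicode_string` dereference that follows; the real protection against a bad `FileName` is the buffer/length validation inside `get_unicode_string`, whose `Err` the `if let Ok` already absorbs. The intent should be stated at the gate, e.g. `// ReadAccess is the FILE_OBJECT open-access flag: objects opened without read access are reported but their FileName is not dumped.` Separately, `read_ok` is initialised to `0` and `driver.deref_addr(...)` gives no visible indication here of whether the read succeeded, so a failed read and a genuinely zero flag both print `[NOT READABLE]` and consume the chunk via `return Ok(true)`; if `deref_addr` reports failure, that result should be checked, otherwise a comment noting the ambiguity would help the next reader. The enclosing function starts before this hunk.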


@ -161,14 +161,12 @@ impl DriverState {
scan_range: ScanPoolData::new(&[ptr, end_address], tag)
};
self.windows_ffi.device_io(code, &mut input, &mut ptr);
// println!("found: 0x{:x}", ptr);
if ptr >= end_address {
break;
}
let pool_addr = ptr;
// println!("chunk: 0x{:x}", pool_addr);
// ptr += 0x4;
// continue;
let mut header = vec![0u8; pool_header_size as usize];
self.deref_addr_ptr(pool_addr, header.as_mut_ptr(), pool_header_size);
let chunk_size = (header[2] as u64) * 16u64;
@ -184,11 +182,10 @@ impl DriverState {
continue;
}
// ptr += 0x4;
// continue;
let success = handler(pool_addr, &header, pool_addr + pool_header_size)?;
if success {
ptr += chunk_size; /* pass this chunk */
// ptr += 0x4;
}
else {
ptr += 0x4; /* search next */
@ -243,7 +240,7 @@ impl DriverState {
outptr as *mut c_void, output_len as DWORD);
}
pub fn get_unicode_string(&self, unicode_str_addr: u64) -> BoxResult<String> {
pub fn get_unicode_string(&self, unicode_str_addr: u64, deref: bool) -> BoxResult<String> {
let mut strlen = 0u16;
let mut capacity = 0u16;
let mut bufaddr = 0u64;
@ -254,10 +251,15 @@ impl DriverState {
self.deref_addr(capacity_addr, &mut capacity);
self.deref_addr(buffer_ptr, &mut bufaddr);
if bufaddr == 0 || strlen > capacity || strlen == 0 {
// println!("unicode str: 0x{:x} size: 0x{:x} capacity: 0x{:x}", bufaddr, strlen, capacity);
if bufaddr == 0 || strlen > capacity || strlen == 0 || strlen % 2 != 0 {
return Err("Unicode string is empty".into());
}
if !deref {
return Ok("".to_string());
}
let mut buf = vec![0u16; (strlen / 2) as usize];
self.deref_addr_ptr(bufaddr, buf.as_mut_ptr(), strlen as u64);