标题: DynamoRIO 9无法捕捉UWP数据的终级原因 创建: 2022-11-14 09:44 更新: 2023-07-19 13:32 链接: https://scz.617.cn/windows/202211140944.txt 参看 《MSDN系列(47)--Lighthouse/DynamoRIO/Coverage Diff入门》 https://scz.617.cn/windows/202202101230.txt 只说这个版本,DynamoRIO-Windows-9.0.19181。 calc tasklist | findstr Calculator DynamoRIO-Windows-9.0.19181\bin64\drrun.exe -verbose -64 -attach -t drcov DynamoRIO-Windows-9.0.19181\bin64\drrun.exe -verbose -64 -t drcov -- calc 一种attach,一种直接run,这两种方式均无法捕捉Win10计算器的数据,在Ring3用 Process Monitor发现dynamorio.dll加载失败,已经处理过 "ALL APPLICATION PACKAGES (S-1-15-2-1)"的读取和执行权限。 云海用内核调试器跟了一下为何dynamorio.dll加载失败,找到终极原因。加载 dynamorio.dll时,LdrpMapViewOfSection返回0xC0000269,其值含义如下 STATUS_ILLEGAL_DLL_RELOCATION {Illegal System DLL Relocation} The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range that is reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL. Calculator开了这个 [+0x000 ( 4: 4)] ForceRelocateImages : 0x1 [Type: unsigned long] 在内核调试器中直接改_EPROCESS的MitigationFlags,去掉Calculator的 ForceRelocateImages,就可以加载dynamorio.dll;后者设置了 IMAGE_FILE_RELOCS_STRIPPED,过不了ForceRelocateImages的检查。 TokenIsAppContainer时会调用nt!PspHardenMitigationOptions修改 MitigationOptions,修改的参照值为nt!PspHardenedMitigationOptionsMap,这个 全局变量硬编码初始化成0x00111311,其中0x300就是ForceRelocateImages。 用ProcessHacker查看Calculator的"Mitigation Policies",第一行是 ASLR (high entropy, force relocate, disallow stripped) 下面有解释 Address Space Layout Randomization is enabled for this process. High entropy randomization is enabled. All images are being forcibly relocated (regardless of whether they support ASLR). Images with stripped relocation data are disallowed. 参看 -------------------------------------------------------------------------- IMAGE_FILE_HEADER structure (winnt.h) https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_file_header #define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file. -------------------------------------------------------------------------- IMAGE_FILE_RELOCS_STRIPPED置位时,解释如下 Relocation information was stripped from the file. The file must be loaded at its preferred base address. If the base address is not available, the loader reports an error. 用CFF Explorer查看dynamorio.dll -------------------------------------------------------------------------- File Header Characateristics Relocation info stripped from file On Data Directories Relocation Directory RVA 0 Relocation Directory Size 0 -------------------------------------------------------------------------- dynamorio.dll不只是设置了IMAGE_FILE_RELOCS_STRIPPED,也实际抹除了重定位信 息。 用livekd查看ForceRelocateImages "X:\Windows Kits\10\x64\Debuggers\x64\livekd.exe" -k "X:\Windows Kits\10\x64\Debuggers\x64\kd.exe" kd> !process 0 0 Calculator.exe PROCESS ffff8c040d4f5340 kd> .process /p /r ffff8c040d4f5340 kd> dt nt!_EPROCESS ImageFileName MitigationFlags MitigationFlagsValues. ffff8c040d4f5340 +0x5a8 ImageFileName : [15] "Calculator.exe" +0x9d0 MitigationFlags : 0x38 +0x9d0 MitigationFlagsValues : ... +0x000 ForceRelocateImages : 0y1 ... kd> dt nt!_EPROCESS MitigationFlagsValues.ForceRelocateImages ffff8c040d4f5340 +0x9d0 MitigationFlagsValues : +0x000 ForceRelocateImages : 0y1 kd> dx ((nt!_EPROCESS *)0xffff8c040d4f5340)->MitigationFlags : 0x38 [Type: unsigned long] kd> dx ((nt!_EPROCESS *)0xffff8c040d4f5340)->MitigationFlagsValues ... [+0x000 ( 4: 4)] ForceRelocateImages : 0x1 [Type: unsigned long] ... kd> dx ((nt!_EPROCESS *)0xffff8c040d4f5340)->MitigationFlagsValues.ForceRelocateImages : 0x1 [Type: unsigned long] 查看系统中所有ForceRelocateImages置位的进程 kd> dx @$ForceRelocateImages = 0x10 kd> dx -r1 @$cursession.Processes.Where(p=>(p.KernelObject.MitigationFlags & @$ForceRelocateImages) != 0) [0x424] : fontdrvhost.exe [0x1560] : dllhost.exe [0x1cac] : StartMenuExperienceHost.exe ... [0x39bc] : Microsoft.Photos.exe ... [0x3de8] : SearchApp.exe [0x424c] : ShellExperienceHost.exe ... [0x375c] : Calculator.exe [0x1dbc] : RuntimeBroker.exe 或者 kd> dx -r1 @$cursession.Processes.Where(p=>(p.KernelObject.MitigationFlagsValues.ForceRelocateImages == 1)) 尝试禁用Calculator的ForceRelocateImages,无果。在管理员级PowerShell中执行 Get-Item -Path "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe" | %{ Get-ProcessMitigation -Name $_.Name } | findstr ForceRelocateImages ForceRelocateImages : NOTSET ForceRelocateImages缺省是NOTSET,尝试禁用 Get-Item -Path "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe" | %{ Set-ProcessMitigation -Name $_.Name -Disable ForceRelocateImages } ForceRelocateImages : OFF reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Calculator.exe MitigationOptions REG_BINARY 000200000000000000000000000000000000000000000000 MitigationAuditOptions REG_BINARY 000000000000000000000000000000000000000000000000 EAFModules REG_SZ MitigationOptions缺省全零,禁用ForceRelocateImages后出现02,启用后出现01。 也可以GUI -------------------------------------------------------------------------- 设置 更新和安全 Windows安全中心 应用和浏览器控制 Exploit Protection设置 程序设置 -------------------------------------------------------------------------- 禁用ForceRelocateImages后,无论是否重启OS,均无效。ProcessHacker、livekd确 认仍然启用ForceRelocateImages。或许对UWP无法真正禁用ForceRelocateImages, 内核调试器那种不算。 用IOMap64.sys在Ring3修改UWP计算器的ForceRelocateImages,这一步过去了,但后 面有其他未调试的幺蛾子,现象是目标进程异常退出。 若从源码自编译DynamoRIO,改用反射式DLL加载,应该可以加载dynamorio.dll;另 一种可能的选择是,编译时允许dynamorio.dll重定位,不清楚DynamoRIO是否要求该 DLL不得重定位。这些都停留在探讨阶段,无测试动力。 到目前为止,始终未能用DynamoRIO录制UWP。本文只是记录ForceRelocateImages的 调试结论。 参看 -------------------------------------------------------------------------- MitigationFlags in the EPROCESS https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/mitigationflags.htm Customize exploit protection https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection Exploit Protection Reference https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference Understanding a New Mitigation: Module Tampering Protection - Yarden Shafir [2022-08-16] https://windows-internals.com/understanding-a-new-mitigation-module-tampering-protection/ Security Features You've Never Heard of (but should) - Yarden Shafir [2022-02] https://github.com/yardenshafir/conference_talks/blob/main/Paranoia_2022_security_mitigations.pdf Software defense: mitigating common exploitation techniques - [2013-12-11] https://msrc-blog.microsoft.com/2013/12/11/software-defense-mitigating-common-exploitation-techniques/ (The Force ASLR feature has been enabled by default for UWP) Clarifying the behavior of mandatory ASLR - Matt Miller [2017-11-21] https://msrc-blog.microsoft.com/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/ --------------------------------------------------------------------------