
How To Check Export Functions Of Windows 8 NT Kernel By Using Windbg
by cawan (cawan[at]ieee.org) on 4/11/2012

Most of the time, a PE viewer is the best-known way to list the export functions held in the export directory of a PE file. For the Windows kernel, it is common to point such a viewer at ntoskrnl.exe or ntkrnlpa.exe and read the export directory from the parsed header. That is cumbersome, however, when we are designing shellcode in WinDbg and keep switching to a PE viewer to look up the export list, and it gets more annoying still once the base address has been randomised by ASLR and every RVA from the viewer has to be rebased by hand. So we need a way to do everything inside WinDbg, because we are lazy...

First of all, let us parse the PE header of the Windows kernel from WinDbg. The module name nt resolves to wherever the kernel is actually loaded, so every address below is expressed relative to it.

kd> !dh /f nt

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
      14 number of sections
5010ADF0 time date stamp Thu Jul 26 10:39:44 2012

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     122 characteristics
            Executable
            App can handle >2gb addresses
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
   10.10 linker version
  4B3E00 size of code
   CE200 size of initialized data
    2800 size of uninitialized data
  221310 address of entry point
    1000 base of code
         ----- new -----
00400000 image base
    1000 section alignment
     200 file alignment
       1 subsystem (Native)
    6.02 operating system version
    6.02 image version
    6.02 subsystem version
  58E000 size of image
     800 size of headers
  550165 checksum
00040000 size of stack reserve
00002000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
       0 DLL characteristics
  4BA000 [   134CA] address [size] of Export Directory
  20B394 [      DC] address [size] of Import Directory
  538000 [   31A50] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  54C200 [    20F0] address [size] of Security Directory
  56A000 [   23A14] address [size] of Base Relocation Directory
  1C4AA4 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
   14490 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  20B000 [     394] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

Note that the image base recorded in the header (00400000) is not where the kernel runs: nt is relocated, and in this session it resolves to 80e6d000, which is why the addresses printed below all start with 813.... Every value in the data directories is an RVA, so adding nt to it is the only rebasing we ever need to do.

Well, the export data starts at RVA 4ba000 and spans 134ca bytes. That range covers the IMAGE_EXPORT_DIRECTORY header, the three tables it points to and all the name strings; the header itself is only 0x28 bytes. Let us check it further.

kd> dd nt+4ba000
81327000  00000000 5010adf0 00000000 004bff76
81327010  00000001 00000989 00000987 004ba028
81327020  004bc64c 004bec68 0035e96d 000f7470
81327030  000bc0d2 000ba677 000b2047 000d4a00
81327040  0007b7fb 0007ba2e 000d6718 000d679f
81327050  000ba781 000cee95 00170874 00163eb9
81327060  001708c0 00170100 00163ea4 00163e8f
81327070  00163e71 0017011c 00163e5c 00170174

We need the list of export function names. From the PE specification, the export directory header has this layout (offsets added for the fields read below):

public struct IMAGE_EXPORT_DIRECTORY
{
    public UInt32 Characteristics;          // 0x00
    public UInt32 TimeDateStamp;            // 0x04
    public UInt16 MajorVersion;             // 0x08
    public UInt16 MinorVersion;             // 0x0A
    public UInt32 Name;                     // 0x0C  RVA of the module's own name string
    public UInt32 Base;                     // 0x10  first ordinal number
    public UInt32 NumberOfFunctions;        // 0x14  entries in AddressOfFunctions
    public UInt32 NumberOfNames;            // 0x18  entries in AddressOfNames and AddressOfNameOrdinals
    public UInt32 AddressOfFunctions;       // 0x1C  RVA of the table of function RVAs
    public UInt32 AddressOfNames;           // 0x20  RVA of the table of name RVAs
    public UInt32 AddressOfNameOrdinals;    // 0x24  RVA of the table of name -> function indices
}

Reading the dump above against this layout: Base is 1, NumberOfFunctions is 0x989, NumberOfNames is 0x987, AddressOfFunctions is 4ba028 (the table begins right after the 0x28-byte header), AddressOfNames is 4bc64c and AddressOfNameOrdinals is 4bec68. AddressOfNames, at offset 0x20 (32 in decimal), holds what we are looking for. Let us check RVA 004bc64c.

kd> dd nt+004bc64c
8132964c  004bff83 004bff95 004bffad 004bffcc
8132965c  004bffe0 004bfff3 004c0005 004c0012
8132966c  004c0031 004c003d 004c005b 004c0066
8132967c  004c0073 004c007f 004c008d 004c00a2
8132968c  004c00c6 004c00d3 004c00e2 004c00f2
8132969c  004c0104 004c0111 004c0123 004c0133
813296ac  004c014a 004c0169 004c018b 004c01a1
813296bc  004c01b7 004c01cc 004c01df 004c01f4

Those are the RVAs of the export function names, which are stored as null-terminated ASCII strings laid end to end. Verify it.

kd> db nt+004bff83
8132cf83  41 6c 70 63 47 65 74 48-65 61 64 65 72 53 69 7a  AlpcGetHeaderSiz
8132cf93  65 00 41 6c 70 63 47 65-74 4d 65 73 73 61 67 65  e.AlpcGetMessage
8132cfa3  41 74 74 72 69 62 75 74-65 00 41 6c 70 63 49 6e  Attribute.AlpcIn
8132cfb3  69 74 69 61 6c 69 7a 65-4d 65 73 73 61 67 65 41  itializeMessageA
8132cfc3  74 74 72 69 62 75 74 65-00 42 67 6b 44 69 73 70  ttribute.BgkDisp
8132cfd3  6c 61 79 43 68 61 72 61-63 74 65 72 00 42 67 6b  layCharacter.Bgk
8132cfe3  47 65 74 43 6f 6e 73 6f-6c 65 53 74 61 74 65 00  GetConsoleState.
8132cff3  42 67 6b 47 65 74 43 75-72 73 6f 72 53 74 61 74  BgkGetCursorStat

There are a lot of strings starting from 004bff83. Check the first two items.

kd> da nt+004bff83
8132cf83  "AlpcGetHeaderSize"
kd> da nt+004bff95
8132cf95  "AlpcGetMessageAttribute"

Referring to the IMAGE_EXPORT_DIRECTORY structure again, NumberOfNames at offset 0x18 gives the number of named exports: 0x987 in the dump above, i.e. 2439 in decimal. (NumberOfFunctions at offset 0x14 is 0x989, so two further exports are reachable by ordinal only and never appear in the name table.) We can now write a one-line script to dump all the named exports. Two details matter: WinDbg's default radix is 16, so the literal 987 in the loop bound is read as 0x987 and matches the count in the header; and the l20 range on da caps each string at 0x20 (32) characters, which is why longer names in the listing are cut off at 32 characters (CcDeductDirtyPagesFromExternalCa, for instance). Use a larger range, such as l40, if the full names are needed.

kd> r $t1=(nt+4bc64c); .for (r $t0=0; @$t0<987; r $t0=@$t0+1) {da poi(@$t1)+nt l20; r $t1=@$t1+4}
8132cf83  "AlpcGetHeaderSize"
8132cf95  "AlpcGetMessageAttribute"
8132cfad  "AlpcInitializeMessageAttribute"
8132cfcc  "BgkDisplayCharacter"
8132cfe0  "BgkGetConsoleState"
8132cff3  "BgkGetCursorState"
8132d005  "BgkSetCursor"
8132d012  "CcAddDirtyPagesToExternalCache"
8132d031  "CcCanIWrite"
8132d03d  "CcCoherencyFlushAndPurgeCache"
8132d05b  "CcCopyRead"
8132d066  "CcCopyReadEx"
8132d073  "CcCopyWrite"
8132d07f  "CcCopyWriteEx"
8132d08d  "CcCopyWriteWontFlush"
8132d0a2  "CcDeductDirtyPagesFromExternalCa"
8132d0c6  "CcDeferWrite"
8132d0d3  "CcFastCopyRead"
8132d0e2  "CcFastCopyWrite"
8132d0f2  "CcFastMdlReadWait"
8132d104  "CcFlushCache"
8132d111  "CcFlushCacheToLsn"
8132d123  "CcGetDirtyPages"
8132d133  "CcGetFileObjectFromBcb"
8132d14a  "CcGetFileObjectFromSectionPtrs"
8132d169  "CcGetFileObjectFromSectionPtrsRe"
8132d18b  "CcGetFlushedValidData"
8132d1a1  "CcGetLsnForFileObject"
8132d1b7  "CcInitializeCacheMap"
8132d1cc  "CcIsThereDirtyData"
8132d1df  "CcIsThereDirtyDataEx"
8132d1f4  "CcIsThereDirtyLoggedPages"
8132d20e  "CcMapData"
8132d218  "CcMdlRead"
8132d222  "CcMdlReadComplete"
8132d234  "CcMdlWriteAbort"
8132d244  "CcMdlWriteComplete"
8132d257  "CcPinMappedData"
8132d267  "CcPinRead"
8132d271  "CcPrepareMdlWrite"
8132d283  "CcPreparePinWrite"
8132d295  "CcPurgeCacheSection"
8132d2a9  "CcRegisterExternalCache"
8132d2c1  "CcRemapBcb"
8132d2cc  "CcRepinBcb"
8132d2d7  "CcScheduleReadAhead"
8132d2eb  "CcScheduleReadAheadEx"
...

What if we need to know whether a given name is in the export list? Simple. Say we want to know whether HalDispatchTable is exported: pipe the same loop through find with .shell -ci, which feeds the debugger command's output to the shell process as its standard input.

kd> .shell -ci "r $t1=(nt+4bc64c); .for (r $t0=0; @$t0<987; r $t0=@$t0+1) {da poi(@$t1)+nt l20; r $t1=@$t1+4}" find /I "haldispatchtable"
8132fed0  "HalDispatchTable"
.shell: Process exited

Yes, it is included. What about dumping the list of Zw* exports of Windows 8, the kernel-mode entry points to the native API? Equally simple.

kd> .shell -ci "r $t1=(nt+4bc64c); .for (r $t0=0; @$t0<987; r $t0=@$t0+1) {da poi(@$t1)+nt l20; r $t1=@$t1+4}" find /I "zw"
81338eac  "ZwAccessCheckAndAuditAlarm"
81338ec7  "ZwAddBootEntry"
81338ed6  "ZwAddDriverEntry"
81338ee7  "ZwAdjustPrivilegesToken"
81338eff  "ZwAlertThread"
81338f0d  "ZwAllocateLocallyUniqueId"
81338f27  "ZwAllocateVirtualMemory"
81338f3f  "ZwAlpcAcceptConnectPort"
81338f57  "ZwAlpcCancelMessage"
81338f6b  "ZwAlpcConnectPort"
81338f7d  "ZwAlpcConnectPortEx"
81338f91  "ZwAlpcCreatePort"
81338fa2  "ZwAlpcCreatePortSection"
81338fba  "ZwAlpcCreateResourceReserve"
81338fd6  "ZwAlpcCreateSectionView"
81338fee  "ZwAlpcCreateSecurityContext"
8133900a  "ZwAlpcDeletePortSection"
81339022  "ZwAlpcDeleteResourceReserve"
8133903e  "ZwAlpcDeleteSectionView"
81339056  "ZwAlpcDeleteSecurityContext"
81339072  "ZwAlpcDisconnectPort"
81339087  "ZwAlpcQueryInformation"
8133909e  "ZwAlpcSendWaitReceivePort"
813390b8  "ZwAlpcSetInformation"
813390cd  "ZwAssignProcessToJobObject"
813390e8  "ZwCancelIoFile"
813390f7  "ZwCancelTimer"
81339105  "ZwClearEvent"
81339112  "ZwClose"
8133911a  "ZwCloseObjectAuditAlarm"
81339132  "ZwCommitComplete"
81339143  "ZwCommitEnlistment"
81339156  "ZwCommitTransaction"
8133916a  "ZwConnectPort"
81339178  "ZwCreateDirectoryObject"
81339190  "ZwCreateEnlistment"
813391a3  "ZwCreateEvent"
813391b1  "ZwCreateFile"
813391be  "ZwCreateIoCompletion"
813391d3  "ZwCreateJobObject"
813391e5  "ZwCreateKey"
813391f1  "ZwCreateKeyTransacted"
81339207  "ZwCreateResourceManager"
8133921f  "ZwCreateSection"
8133922f  "ZwCreateSymbolicLinkObject"
8133924a  "ZwCreateTimer"
81339258  "ZwCreateTransaction"
8133926c  "ZwCreateTransactionManager"
81339287  "ZwCreateWnfStateName"
8133929c  "ZwDeleteBootEntry"
813392ae  "ZwDeleteDriverEntry"
813392c2  "ZwDeleteFile"
813392cf  "ZwDeleteKey"
813392db  "ZwDeleteValueKey"
813392ec  "ZwDeleteWnfStateData"
81339301  "ZwDeleteWnfStateName"
81339316  "ZwDeviceIoControlFile"
8133932c  "ZwDisplayString"
8133933c  "ZwDuplicateObject"
8133934e  "ZwDuplicateToken"
8133935f  "ZwEnumerateBootEntries"
81339376  "ZwEnumerateDriverEntries"
8133938f  "ZwEnumerateKey"
8133939e  "ZwEnumerateTransactionObject"
813393bb  "ZwEnumerateValueKey"
813393cf  "ZwFlushBuffersFile"
813393e2  "ZwFlushBuffersFileEx"
813393f7  "ZwFlushInstructionCache"
8133940f  "ZwFlushKey"
8133941a  "ZwFlushVirtualMemory"
8133942f  "ZwFreeVirtualMemory"
81339443  "ZwFsControlFile"
81339453  "ZwGetNotificationResourceManager"
81339474  "ZwImpersonateAnonymousToken"
81339490  "ZwInitiatePowerAction"
813394a6  "ZwIsProcessInJob"
813394b7  "ZwLoadDriver"
813394c4  "ZwLoadKey"
813394ce  "ZwLoadKeyEx"
813394da  "ZwLockFile"
813394e5  "ZwLockProductActivationKeys"
81339501  "ZwMakeTemporaryObject"
81339517  "ZwMapViewOfSection"
8133952a  "ZwModifyBootEntry"
8133953c  "ZwModifyDriverEntry"
81339550  "ZwNotifyChangeKey"
81339562  "ZwNotifyChangeSession"
81339578  "ZwOpenDirectoryObject"
8133958e  "ZwOpenEnlistment"
8133959f  "ZwOpenEvent"
813395ab  "ZwOpenFile"
813395b6  "ZwOpenJobObject"
813395c6  "ZwOpenKey"
813395d0  "ZwOpenKeyEx"
813395dc  "ZwOpenKeyTransacted"
813395f0  "ZwOpenKeyTransactedEx"
81339606  "ZwOpenProcess"
81339614  "ZwOpenProcessToken"
81339627  "ZwOpenProcessTokenEx"
8133963c  "ZwOpenResourceManager"
81339652  "ZwOpenSection"
81339660  "ZwOpenSession"
8133966e  "ZwOpenSymbolicLinkObject"
81339687  "ZwOpenThread"
81339694  "ZwOpenThreadToken"
813396a6  "ZwOpenThreadTokenEx"
813396ba  "ZwOpenTimer"
813396c6  "ZwOpenTransaction"
813396d8  "ZwOpenTransactionManager"
813396f1  "ZwPowerInformation"
81339704  "ZwPrePrepareComplete"
81339719  "ZwPrePrepareEnlistment"
81339730  "ZwPrepareComplete"
81339742  "ZwPrepareEnlistment"
81339756  "ZwPropagationComplete"
8133976c  "ZwPropagationFailed"
81339780  "ZwPulseEvent"
8133978d  "ZwQueryBootEntryOrder"
813397a3  "ZwQueryBootOptions"
813397b6  "ZwQueryDefaultLocale"
813397cb  "ZwQueryDefaultUILanguage"
813397e4  "ZwQueryDirectoryFile"
813397f9  "ZwQueryDirectoryObject"
81339810  "ZwQueryDriverEntryOrder"
81339828  "ZwQueryEaFile"
81339836  "ZwQueryFullAttributesFile"
81339850  "ZwQueryInformationEnlistment"
8133986d  "ZwQueryInformationFile"
81339884  "ZwQueryInformationJobObject"
813398a0  "ZwQueryInformationProcess"
813398ba  "ZwQueryInformationResourceManage"
813398dc  "ZwQueryInformationThread"
813398f5  "ZwQueryInformationToken"
8133990d  "ZwQueryInformationTransaction"
8133992b  "ZwQueryInformationTransactionMan"
81339950  "ZwQueryInstallUILanguage"
81339969  "ZwQueryKey"
81339974  "ZwQueryLicenseValue"
81339988  "ZwQueryObject"
81339996  "ZwQueryQuotaInformationFile"
813399b2  "ZwQuerySection"
813399c1  "ZwQuerySecurityAttributesToken"
813399e0  "ZwQuerySecurityObject"
813399f6  "ZwQuerySymbolicLinkObject"
81339a10  "ZwQuerySystemEnvironmentValueEx"
81339a30  "ZwQuerySystemInformation"
81339a49  "ZwQueryValueKey"
81339a59  "ZwQueryVirtualMemory"
81339a6e  "ZwQueryVolumeInformationFile"
81339a8b  "ZwQueryWnfStateData"
81339a9f  "ZwQueryWnfStateNameInformation"
81339abe  "ZwReadFile"
81339ac9  "ZwReadOnlyEnlistment"
81339ade  "ZwRecoverEnlistment"
81339af2  "ZwRecoverResourceManager"
81339b0b  "ZwRecoverTransactionManager"
81339b27  "ZwRemoveIoCompletion"
81339b3c  "ZwRemoveIoCompletionEx"
81339b53  "ZwRenameKey"
81339b5f  "ZwReplaceKey"
81339b6c  "ZwRequestPort"
81339b7a  "ZwRequestWaitReplyPort"
81339b91  "ZwResetEvent"
81339b9e  "ZwRestoreKey"
81339bab  "ZwRollbackComplete"
81339bbe  "ZwRollbackEnlistment"
81339bd3  "ZwRollbackTransaction"
81339be9  "ZwSaveKey"
81339bf3  "ZwSaveKeyEx"
81339bff  "ZwSecureConnectPort"
81339c13  "ZwSetBootEntryOrder"
81339c27  "ZwSetBootOptions"
81339c38  "ZwSetCachedSigningLevel"
81339c50  "ZwSetDefaultLocale"
81339c63  "ZwSetDefaultUILanguage"
81339c7a  "ZwSetDriverEntryOrder"
81339c90  "ZwSetEaFile"
81339c9c  "ZwSetEvent"
81339ca7  "ZwSetInformationEnlistment"
81339cc2  "ZwSetInformationFile"
81339cd7  "ZwSetInformationJobObject"
81339cf1  "ZwSetInformationKey"
81339d05  "ZwSetInformationObject"
81339d1c  "ZwSetInformationProcess"
81339d34  "ZwSetInformationResourceManager"
81339d54  "ZwSetInformationThread"
81339d6b  "ZwSetInformationToken"
81339d81  "ZwSetInformationTransaction"
81339d9d  "ZwSetInformationVirtualMemory"
81339dbb  "ZwSetQuotaInformationFile"
81339dd5  "ZwSetSecurityObject"
81339de9  "ZwSetSystemEnvironmentValueEx"
81339e07  "ZwSetSystemInformation"
81339e1e  "ZwSetSystemTime"
81339e2e  "ZwSetTimer"
81339e39  "ZwSetTimerEx"
81339e46  "ZwSetValueKey"
81339e54  "ZwSetVolumeInformationFile"
81339e6f  "ZwTerminateJobObject"
81339e84  "ZwTerminateProcess"
81339e97  "ZwTraceEvent"
81339ea4  "ZwTranslateFilePath"
81339eb8  "ZwUnloadDriver"
81339ec7  "ZwUnloadKey"
81339ed3  "ZwUnloadKeyEx"
81339ee1  "ZwUnlockFile"
81339eee  "ZwUnlockVirtualMemory"
81339f04  "ZwUnmapViewOfSection"
81339f19  "ZwUpdateWnfStateData"
81339f2e  "ZwWaitForMultipleObjects"
81339f47  "ZwWaitForSingleObject"
81339f5d  "ZwWriteFile"
81339f69  "ZwYieldExecution"
.shell: Process exited

Yes, we get the complete list. Note that find matches the substring "zw" anywhere in a line, case-insensitively, so on another build the listing can pick up names that merely contain those letters; a quick glance at the output is enough to spot them. This technique was really helpful when I did memory analysis of the kernel pool to build a kernel shellcode testing platform in WinDbg.
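The walk the article performs by hand in WinDbg (DataDirectory[0] to IMAGE_EXPORT_DIRECTORY, then AddressOfNames, AddressOfNameOrdinals and AddressOfFunctions) written out as a bounds-checked export resolver in C, which also answers the "is this name exported?" question of the .shell/find step. This is an added example, not the author's code: it runs against a constructed in-memory PE32 image in which RVAs equal offsets, exactly as they do for the mapped kernel at nt, carrying four made-up named exports (one of them a forwarder) and one ordinal-only slot, the same shape as the 0x989 functions vs 0x987 names read above. The names and RVAs in build_sample_image are invented for the demonstration and do not come from a real ntoskrnl.exe. The lookup is the one kernel shellcode performs to resolve an export by name, with the checks a hand-typed poi() chain skips: the name index is mapped through the ordinal table (it is an index into AddressOfFunctions, not an ordinal), a function RVA that lands inside the export directory is recognised as a forwarder string rather than code, and every read is bounded by the image length so a truncated or hostile image fails closed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little-endian reads: poi()/wo() with a length check. */
static int rd32(const uint8_t *img, size_t len, uint32_t off, uint32_t *out) {
    if ((size_t)off + 4 > len) return 0;
    *out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 1;
}
static int rd16(const uint8_t *img, size_t len, uint32_t off, uint16_t *out) {
    if ((size_t)off + 2 > len) return 0;
    *out = (uint16_t)(img[off] | (img[off + 1] << 8));
    return 1;
}

/* DataDirectory[0] the way !dh finds it: MZ -> e_lfanew -> PE\0\0 -> optional header. */
static int export_directory(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *size) {
    uint32_t pe, sig; uint16_t magic;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    if (!rd32(img, len, 0x3c, &pe) || !rd32(img, len, pe, &sig) || sig != 0x00004550) return 0;
    if (!rd16(img, len, pe + 0x18, &magic)) return 0;
    /* PE32 (0x10b) keeps the data directories at +0x60 of the optional header, PE32+ (0x20b) at +0x70. */
    uint32_t dd = magic == 0x10b ? pe + 0x18 + 0x60 : magic == 0x20b ? pe + 0x18 + 0x70 : 0;
    if (!dd) return 0;
    return rd32(img, len, dd, rva) && rd32(img, len, dd + 4, size) && *rva != 0;
}

/* NumberOfNames and NumberOfFunctions; the difference is the ordinal-only exports. */
int export_counts(const uint8_t *img, size_t len, uint32_t *nnames, uint32_t *nfuncs) {
    uint32_t exp, sz;
    return export_directory(img, len, &exp, &sz) &&
           rd32(img, len, exp + 0x14, nfuncs) && rd32(img, len, exp + 0x18, nnames);
}

/* Resolve one export by name: scan AddressOfNames, map the hit through AddressOfNameOrdinals
 * (an index into AddressOfFunctions; ordinal = index + Base) and return the function RVA,
 * 0 if absent. An RVA inside the export directory is a forwarder string, not code. */
uint32_t find_export(const uint8_t *img, size_t len, const char *wanted, int *forwarded) {
    uint32_t exp, exp_size, nfuncs, nnames, funcs, names, ords;
    if (forwarded) *forwarded = 0;
    if (!export_directory(img, len, &exp, &exp_size)) return 0;
    if (!rd32(img, len, exp + 0x14, &nfuncs) || !rd32(img, len, exp + 0x18, &nnames) ||
        !rd32(img, len, exp + 0x1c, &funcs)  || !rd32(img, len, exp + 0x20, &names)  ||
        !rd32(img, len, exp + 0x24, &ords)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva, func_rva; uint16_t idx;
        if (!rd32(img, len, names + 4 * i, &name_rva) || name_rva >= len) return 0;
        size_t room = len - name_rva;                          /* never compare past the image */
        if (strncmp((const char *)img + name_rva, wanted, room) != 0) continue;
        if (memchr(img + name_rva, 0, room) == NULL) return 0;    /* name runs off the end */
        if (!rd16(img, len, ords + 2 * i, &idx) || idx >= nfuncs) return 0;
        if (!rd32(img, len, funcs + 4 * (uint32_t)idx, &func_rva)) return 0;
        if (forwarded && func_rva >= exp && func_rva < exp + exp_size) *forwarded = 1;
        return func_rva;
    }
    return 0;
}

/* Constructed PE32 image for the demonstration (not a real ntoskrnl): a bare header whose
 * export directory has 4 named exports (one a forwarder) and 1 ordinal-only slot. */
#define SAMPLE_LEN 0x300
static void put32(uint8_t *b, uint32_t off, uint32_t v) {
    b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}
void build_sample_image(uint8_t *b) {
    static const uint32_t funcs[5]   = { 0x1000, 0x2a0, 0x3000, 0x4000, 0x5000 }; /* [1] forwarder, [4] unnamed */
    static const uint32_t names[4]   = { 0x260, 0x272, 0x283, 0x294 };            /* sorted, as the linker emits */
    static const uint8_t  name_idx[4] = { 2, 1, 0, 3 };                            /* name i -> funcs[name_idx[i]] */
    memset(b, 0, SAMPLE_LEN);
    b[0] = 'M'; b[1] = 'Z'; put32(b, 0x3c, 0x80);                 /* e_lfanew */
    put32(b, 0x80, 0x00004550); put32(b, 0x84, 0x014c);           /* PE\0\0, machine i386 */
    put32(b, 0x94, 0xe0); put32(b, 0x98, 0x10b);                  /* size of optional header, PE32 magic */
    put32(b, 0xf8, 0x200); put32(b, 0xfc, 0x100);                 /* DataDirectory[0]: export RVA, size */
    put32(b, 0x20c, 0x2c0); put32(b, 0x210, 1);                   /* Name, Base */
    put32(b, 0x214, 5); put32(b, 0x218, 4);                       /* NumberOfFunctions, NumberOfNames */
    put32(b, 0x21c, 0x228); put32(b, 0x220, 0x240); put32(b, 0x224, 0x250);
    for (int i = 0; i < 5; i++) put32(b, 0x228 + 4 * i, funcs[i]);
    for (int i = 0; i < 4; i++) { put32(b, 0x240 + 4 * i, names[i]); b[0x250 + 2 * i] = name_idx[i]; }
    strcpy((char *)b + 0x260, "AlpcGetHeaderSize"); strcpy((char *)b + 0x272, "ForwardedExample");
    strcpy((char *)b + 0x283, "HalDispatchTable");  strcpy((char *)b + 0x294, "ZwClose");
    strcpy((char *)b + 0x2a0, "fwd.SomeFunction");  strcpy((char *)b + 0x2c0, "ntoskrnl.exe");
}

int main(void) {
    uint8_t img[SAMPLE_LEN];
    uint32_t nn, nf;
    build_sample_image(img);
    if (export_counts(img, sizeof img, &nn, &nf))
        printf("%u named exports, %u function slots, %u ordinal-only\n", (unsigned)nn, (unsigned)nf, (unsigned)(nf - nn));
    const char *probe[] = { "HalDispatchTable", "ZwClose", "ForwardedExample", "NotExported" };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        int fwd; uint32_t rva = find_export(img, sizeof img, probe[i], &fwd);
        if (!rva) printf("%-18s not exported\n", probe[i]);
        else if (fwd && rva < sizeof img) printf("%-18s forwarded to %s\n", probe[i], (const char *)img + rva);
        else printf("%-18s RVA %08x\n", probe[i], (unsigned)rva);
    }
    return 0;
}
```

On a live mapped image, pass the buffer and its length and the same functions apply, because the kernel at nt is laid out by RVA just like the constructed buffer. On an on-disk ntoskrnl.exe the RVAs must first be translated to file offsets through the section table, which this example deliberately does not do.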
