Win32k.sys keyboard layout file privilege escalation vulnerability analysis

ID MYHACK58:62201130501
Type myhack58
Reporter Anonymous
Modified 2011-05-17T00:00:00


Author: Sebastien Renaud

Translator: riusksk(springs brother: the

This article sheds some light on the technical details of the Stuxnet virus, mainly on how its authors used 0-day vulnerabilities to achieve code versatility. Discussed below are the two Windows privilege escalation vulnerabilities its authors used. One of them has been fixed in the MS10-073 patch released by Microsoft, but the other, a Windows Task Scheduler vulnerability, has not yet been patched. Although this article analyzes the Stuxnet virus and its malicious behavior in depth, we will not reproduce the two detailed documents written by our friends at Symantec and ESET, including their specific structure and contents. We will focus on the Windows Win32K.sys keyboard layout file privilege escalation vulnerability (CVE-2010-2743), and analyze how the Stuxnet virus uses a custom Portable Executable (PE) parsing method to achieve code versatility.

1. Vulnerability analysis

This vulnerability exists in the Windows driver file "win32k.sys". When the driver loads a keyboard layout file from disk, it improperly indexes into a table of function pointers, which results in a local privilege escalation vulnerability. Typically, a keyboard layout file is loaded through the "LoadKeyboardLayout()" function, which is actually a wrapper around the win32k syscall "NtUserLoadKeyboardLayoutEx()". The following is the kernel stack after a keyboard layout file has been loaded:

    kd> kn
       ChildEBP RetAddr
    00 b0982944 bf861cd1 win32k!SetGlobalKeyboardTableInfo
    01 b0982958 bf889720 win32k!ChangeForegroundKeyboardTable+0x11c
    02 b0982978 bf87580e win32k!xxxSetPKLinThreads+0x37
    03 b09829f0 bf875588 win32k!xxxLoadKeyboardLayoutEx+0x395
    04 b0982d40 8053d658 win32k!NtUserLoadKeyboardLayoutEx+0x164
    05 b0982d40 7c90e514 nt!KiFastCallEntry+0xf8
    06 0012fccc 00402347 ntdll!KiFastSystemCallRet ; (transition from user to kernel)

Once the malformed keyboard layout file has been loaded by the win32k kernel driver, the malicious program sends an event to the keyboard input stream, which triggers the vulnerability. This is done by calling the "user32!SendUserInput()" function, which in fact ends up calling the two functions "win32k!NtUserSendInput()" and "win32k!xxxKENLSProcs()":

    kd> kn
       ChildEBP RetAddr
    00 b0a5ac88 bf848c64 win32k!xxxKENLSProcs
    01 b0a5aca4 bf8c355b win32k!xxxProcessKeyEvent+0x1f9
    02 b0a5ace4 bf8c341b win32k!xxxInternalKeyEventDirect+0x158
    03 b0a5ad0c bf8c3299 win32k!xxxSendInput+0xa2
    04 b0a5ad50 8053d658 win32k!NtUserSendInput+0xcd
    05 b0a5ad50 7c90e514 nt!KiFastCallEntry+0xf8
    06 0012fd08 7e42f14c ntdll!KiFastSystemCallRet
    07 0012fd7c 00401ded USER32!NtUserSendInput+0xc
    WARNING: Stack unwind information not available. Following frames may be wrong.
    08 0012fdac 00401331 CVE_2010_2743+0x1ded

Inside the "win32k!xxxKENLSProcs()" function, the win32k driver retrieves a byte from the previously loaded keyboard layout file. This byte is placed in the ECX register and then used as an index into a table of function pointers:

    ; In win32k!xxxKENLSProcs() function starting at 0xBF8A1F9C
    ; Module: win32k.sys - Module Base: 0xBF800000 - version: 5.1.2600.6003

    .text:BF8A1F50 movzx ecx, byte ptr [eax-83h]   // ECX is attacker-controlled
    .text:BF8A1F57 push edi
    .text:BF8A1F58 add eax, 0FFFFFF7Ch
    .text:BF8A1F5D push eax
    .text:BF8A1F5E call _aNLSVKFProc[ecx*4]        // index into the array of function pointers

The aNLSVKFProc function array contains 3 functions, and is followed by a byte array:

    .data:BF99C4B8 _aNLSVKFProc dd offset _NlsNullProc@12
    .data:BF99C4BC              dd offset _KbdNlsFuncTypeNormal@12
    .data:BF99C4C0              dd offset _KbdNlsFuncTypeAlt@12
    .data:BF99C4C4 _aVkNumpad   db 67h
    .data:BF99C4C5              db 68h
    .data:BF99C4C6              db 69h
    .data:BF99C4C7              db 0FFh
    .data:BF99C4C8              db 64h
    .data:BF99C4C9              db 65h
    .data:BF99C4CA              db 66h
    .data:BF99C4CB              db 0FFh
    .data:BF99C4CC              db 61h
    .data:BF99C4CD              db 62h
    .data:BF99C4CE              db 63h
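The missing bounds check described above, as an added example (not code from the original article or from win32k.sys): a user-mode C model of the dispatch that uses the table address and entry count from the listings. The handler bodies, their one-argument signature and the helper names are assumptions made for illustration.

```c
/* Added example: user-mode model of the aNLSVKFProc dispatch. */
#include <stdint.h>
#include <stdio.h>

#define TABLE_BASE  0xBF99C4B8u  /* _aNLSVKFProc address from the listing */
#define TABLE_COUNT 3u           /* the three handlers in the listing */

typedef int (*nls_proc_t)(int vk);   /* simplified signature (assumption) */

/* Stand-ins for the three real handlers (hypothetical bodies). */
static int nls_null_proc(int vk)   { (void)vk; return 0; }
static int nls_type_normal(int vk) { return vk + 1; }
static int nls_type_alt(int vk)    { return vk + 2; }

static const nls_proc_t nls_table[TABLE_COUNT] = {
    nls_null_proc, nls_type_normal, nls_type_alt
};

/* Address that "call _aNLSVKFProc[ecx*4]" reads its call target from. */
uint32_t slot_address(uint8_t index)
{
    return TABLE_BASE + (uint32_t)index * 4u;
}

/* 1 if that address is one of the three real table slots, else 0. */
int slot_in_table(uint8_t index)
{
    return index < TABLE_COUNT;
}

/* Hardened dispatch: reject any index outside the table before calling. */
int dispatch_checked(uint8_t index, int vk, int *result)
{
    if (index >= TABLE_COUNT)
        return -1;               /* malformed layout byte: refuse */
    *result = nls_table[index](vk);
    return 0;
}

int main(void)
{
    for (unsigned i = 0; i < 6; i++)
        printf("index %u -> reads %08X (%s)\n", i,
               (unsigned)slot_address((uint8_t)i),
               slot_in_table((uint8_t)i) ? "table" : "outside table");
    return 0;
}
```

Because the index is a single byte scaled by 4, any value from 3 to 255 makes the unchecked call read its target from _aVkNumpad or the data after it rather than from the table.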
