ERROR: UMD EXEC: Could not get IAT Info #8
Comments
|
Hi @Ac1d-0-0 , thank you for your interest in the rootkit. First, EDK2 actually handles the switching to long mode. Otherwise there would not be 64-bit memory access to even start with. Second, I'm sorry but during developing I've found no better way to output data from the system than actually printing out debug log via serial port. If you have a better solution, please let me know and I'll see if it could be added to the project. Now, to your problem. Which program are you using as the target process for the rootkit? If you are using the sample program form this repo (smm_target), are you compiling it as a 64-bit binary and debugging symbols enabled? If the debugging is disabled, the rootkit was having some issues finding a codecave for the shellcode injected by SMM part of the rootkit. |
|
Thanks for reply! |
|
Rebuild the smm_target using vs 2019 solve the problem. Maybe the problem is caused by vs 2023.Thanks for your patient reply. |
@Ac1d-0-0 Sorry for taking long to answer, I was sleeping :-) But interesting find! If you have time to research the root cause, it would surely be nice add to the rootkit, since it seems like the IAT hooking method used is a bit dated (if it doesn't work with executables compiled by newer MSVC). Since the IAT hooking and most of the WinTools is copied from Ulf Frisk's memprocfs/pcileech, you could check what has changed in his IAT hooking implementation: memprocfs's vmmwin.c. This corresponds to my function But if you don't have the time, I don't blame you. However, I want to remind that the repo is licensed under GPL3. I.e., if you make improvements/changes, please make them publicly available. |
@Ac1d-0-0 , ah, there was also this question. This rootkit registers itself as the "root SMI handler" which means that any SMI generated should first execute our SMM rootkit's code, then forward to the real designated SMI handler. It is kind of "hooking" any incoming SMI to first execute our code. SMI generation: There are multiple ways to trigger SMIs. One way is to generate them programmatically. And you are right, the system generates them automatically. You can also generate them periodically if you have Intel CPU. See "Periodic SMI" slide on https://opensecuritytraining.info/IntroBIOS_files/Day1_07_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SMM.pdf |
|
Bad news is that i still get the |
You can reopen this issue if it persists. Did your VM windows version update after these reboots? What is the current build version from Windows version info? |
|
It's still 1909. I disable the windows update after install.And i also made a clone of the vm before using the UEFI rookit. |
how about the kernel version? did it change? sounds very weird to me that it stops working after some time! |
|
It seems not the kernel version problem.Because replace the clone didn't fix.
But when i'm trying to add more serial output to figure out what's wrong.It suddenly miraculously obtained IAT and stuck at stage three here.The SMI didn't give back the control to the windows so windows also stucked. |
|
@Ac1d-0-0 Have you found out anything regarding the other problems? Even if not, let's keep this issue open for the time being - if someone else tries out the rootkit they will very likely face the same issue! So thanks for reporting. By the way, what operating system are you running in your host system? Ubuntu? |
|
I use Windows 11 as my host system and WSL Ubuntu to run a libvirt and start the qemu. |
|
I seems figuring out what's the problem. |
@Ac1d-0-0 very interesting find! I cannot believe that the page(s) are swapped out... However, it can be checked! So, could you please check it via disabling swapping on Windows? I found this link: https://answers.microsoft.com/en-us/windows/forum/all/is-it-possible-to-disable-swapfilesys-to-minimize/ea0fe5dc-ad5c-4cf2-ab28-6a53ef964729 . The first suspect to me was the The second idea I got now is that maybe the target process is only partially initialized when SMM rootkit runs and fails (IAT imports are not initialized yet but the memory for them is allocated, or then the memory is not allocated and we are just reading some garbage data since the whole |
|
I disabled the swap and checked the serial output. It still not working.(seems not the swap problem)
|
|
@Ac1d-0-0
Hmmm, ok, does it retry and fail again?
Next thing I would do would be to log the physical page addresses from the |
|
It seems the problem is the I am thinking why not directly calculate the required virtual address through virtual address and offset, and then use VTOP to obtain the actual address before processing, so there should be no need for memory replication? |
Great find! So just bypassing the return value from
Hmm, what do you mean by this? I would believe that this is just what we are doing in But great that you found the root cause for this issue - let's find a fix for it. It might be that |
|
I just had a short conversation with @pRain1337 about this issue. He pointed out that the problem might be |
|
But if its |
|
@Ac1d-0-0 Ah, you are correct. So it must be something else failing then. Could you please check which if branch of the |
|
@Ac1d-0-0 could you please also check here some of failing physical addresses (here 0x1aa7c46d8 for example) inside windows by using cheatengine/rweverything. Do they exist when you check via Windows? Or are they NULL there as well? |
|
According to the screenshot.It return at the final I check some of the failing physical address.It's indeed zero in that physical memory.And i also use windbg's VTOP cmd to convert the virtual memory to physical memory.It get the same result and say zero PTE. Interesting found is that some of the failing physical address will be filled with the right value after some time. |
Hm, so it seems like the SMM code is indeed correct. We just need to modify it so that with pages mapped to "0" mem address or that fail the p_memcpy operation (also resulting physical address 0 / NULL) due to invalid address, the It seems like the behaviour you are witnessing is just Windows saving some RAM. Maybe your VM is configured for such low RAM that Windows thinks it's better to save some space by not loading the whole program to the memory at once. In system context (NTOS / kernel) this generates a page fault when the program tries to access these areas (and therefore you can also see some of the memory getting valid addresses "on demand" if you wait a bit) and the kernel then loads the required part from disk to memory and populates the PTE. But naturally we cannot do this from SMM. I think that's the problem. https://en.wikipedia.org/wiki/Page_fault |
|
Ah,that's what I meant when I said the memory was swapped out earlier. Maybe the 8G of memory I allocated to the VM was not really enough. I'm currently skipping those invalid virtual addresses directly which does solve the problem. I also find the reason why i cannot find code cave when i hook explorer.exe. The VTOP return zero in the code below.(Really a tricky problem) if (!vaCodeCave && (pSections[i].Characteristics & IMAGE_SCN_MEM_EXECUTE) && ((pSections[i].Misc.VirtualSize & 0xfff) < (0x1000 - 0x100)))
{
vaCodeCave = TargetModule.baseAddress + ((pSections[i].VirtualAddress + pSections[i].Misc.VirtualSize + 0xfff) & ~0xfff) - 0x100;
if (!VTOP(vaCodeCave & ~0xfff, TargetProcess.dirBase, TRUE))
{
SerialPrintString("read test failed!");
vaCodeCave = 0; // read test failed!
}
}
By the way. I also tried my real PC. I simply replaced the SMM driver and the PiSmmCpuDxeSmm(a bit lazy). But i got the exception below when the code clean up the old windows struct and lead to the cpu deadloop.It seems some driver is still preventing me from accessing the memory outside the SRAM. Is there something that i miss? Thanks again for your patient reply!(Just started to learn these aspects so lots of questions to ask. 😆 ). Your project is really helpful to learn the whole process of making a SMM rootkit. |
Hmm, 8 GB sounds enough to my ears but well, Windows does Windows things. However, if you can come up with a code patch fixing this issue, please contribute it (clone the repo and create a pull request) and let's find a good way to make it working but not too broken at the same time :-)
This sounds like something is not patched properly. Copying of PiSmmCpuDxeSmm module might not be sufficient since the version of EDK running on your machine may be way newer than the one we are building on (there might be more security features/renamed ones in newer versions than we have patched). So most likely you need to byte patch them from the dumped firmware image extracted from your mobo. Maybe @pRain1337 can help here, he has done it more recently :) |
|
Sure. I'll let you know if I come up with a better solution to the above problem. looks like I need to do some reverse work now. Thanks a lot! 😄 |
It could also be that the compiled PiSmmCpuDxeSmm module is not suitable with the rest of the uefi modules on your board, as it's quite old. The patching itself still works, I've done it on a recent z690p board and it works just fine. Some quick tips for the patch, i can create a more detailed guide on the weekend if you still need help. 😄 I usually patch this variable initialization out and hard code the variable itself to 0 with IDA: Easiest way to find that function (SmmInitPageTable) is to search for the strings of the error messages: Which is referenced multiple times in the SMI Page fault handler: And the page fault handler is initialized in the same function as the variable initialization (SmmInitPageTable): Hope this helps 😄 |
|
Really appreciate your help. 😄 |
|
Hi, I found the rootkit driver or the SMI handler seems to be unloaded after the full windows boot in my patched MSI PC(Never happened in virtual machine). And I use RWEverything to write data to 0xb2 to trigger the SMI, there is no data output to the serial port, according to the SMI counter in the MSR register, I can confirm that there is an SMI trigger. I also commented out the rest of the code to only let the serial port output data when SMI is triggered, and found that the serial port output stopped after the complete startup of windows.What i did is finding a SMM Driver using UEFITools and change its PE body with the SMMRookit.efi(I also tried patch different SMM drivers. Same Result). Is there something that i miss?Or do you know how to check the SMI/UEFI driver status? |
|
The missing communication is due to the windows serial driver. You can get serial output working after windows has started, using two ways:
Checking the status else is not really possible without enabling a different communication method. |
|
Hmmm, it could be a good idea to also have a FAQ section in the readme for these issues. @Ac1d-0-0 , It might be that you are the first person ever to really try this on real motherboard besides me and @pRain1337 😄 |
Ah , Looks like I was looking for a solution in the wrong direction. I can at least successfully run the rootkit in my PC now.(Except the VTOP problem:smile: I will keep trying to find a solution) Everything works fine in my MSI now. Beside what you metioned before. I also patched the
Indeed it could be. The real motherboard test did encounter many unexpected problems. Thanks for you and pRain1337's patient reply. Otherwise I would never be able to solve these problem(Totally wrong direction😆). And, really awesome project! Learned a lot. |
|
@Ac1d-0-0 great to hear that you got it working, I will try to make some time to refine the And of course if you want to implement and test it, feel free to do so and open a pull request :) |
@Ac1d-0-0 |
|
Another amazing project :) I just had a general read through your new code in the memory management section. I didn't seem to see a new solution for this problem in that part of the code. Did i miss something? I will read up on it in a few days. I've been trying to figure out how to solve that problem above for a long time, but I've realized that it's probably unsolvable for the time being. Because it's hard to get the UEFI code to control Windows memory management code to allocate physical memory to the virtual address I want. So I will definitely get 0 when I do the virtual memory to physical memory conversion. So my current solution is to not looking for a code cave but just find some code snippet that may not be very useful for the target process and replace it. (Although it will affect the target process, but it ensures that the virtual address will be physically allocated by windows). |
|
The memory management code did not really get any changes, that is true, but the newer code might allow you to develop or find the faulty behavior faster as you can check stuff at runtime with the user mode application. |
|
I know I'm a little late to the party but I manged to fixed the error by these things:
By doing these, I did manage to trigger the rootkit and replicate everything under QEMU, Ubuntu 22.04, kernel 6.2.0-36! |
@HirbodBehnam Hi and thanks for the reply, here are some thoughts, just my 2 cents
But anyway, thanks for reporting that 10 22H2 build 19045.3448 enterprise edition. Maybe we will have time some day to compare the newest build of Win11 and the system version you reported and see where they differ and what is causing the crashes in Win11! |
|
@jussihi Yes I do agree. I didn't "fix" anything I just "glued" some stuff together! |
Hi.
After building everything in need. I try to insert rootkit to windows 10.But i get this error
ERROR: UMD EXEC: Could not get IAT InfoAfter tring to figure out what's wrong using serial.It seems that the while loop in the 1243 line of function
ProcessGetThunkInfoIATin WinTools.c all goes to the continue and return False.How can i figure out what's wrong.Is there any way to debug this except printing infomation to serial.By the way. I didn't find the code of switching to the LONG mode like Longkit you mentioned in your blog. Just found some defination of asm code deal with CR3 and CR4 without call them. Could you give me some indication about that.
The text was updated successfully, but these errors were encountered: