Source: ProjectZero
Identifier: 8663753
Publication date: 2025-04-16 14:34:14 (viewed: 2025-04-16 22:06:59)
Title: The Windows Registry Adventure #6: Kernel-mode objects
Text:
Posted by Mateusz Jurczyk, Google Project Zero
Welcome back to the Windows Registry Adventure! In the previous installment of the series, we took a deep look into the internals of the regf hive format. Understanding this foundational aspect of the registry is crucial, as it illuminates the design principles behind the mechanism, as well as its inherent strengths and weaknesses. The data stored within the regf file represents the definitive state of the hive. Knowing how to parse this data is sufficient for handling static files encoded in this format, such as when writing a custom regf parser to inspect hives extracted from a hard drive. However, for those interested in how regf files are managed by Windows at runtime, rather than just their behavior in isolation, there's a whole other dimension to explore: the multitude of kernel-mode objects allocated and maintained throughout the lifecycle of an active hive. These auxiliary objects are essential for several reasons:

- To track all currently loaded hives, their properties (e.g., load flags), their memory mappings, and the relationships between them (especially for delta hives overlaid on top of each other).
- To synchronize access to keys and hives within the multithreaded Windows environment.
- To cache hive information for faster access compared to direct memory mapping lookups.
- To integrate the registry with the NT Object Manager and support standard operations (opening/closing handles, setting/querying security descriptors, enforcing access checks, etc.).
- To manage the state of pending transactions before they are fully committed to the underlying hive.

To address these diverse requirements, the Windows kernel employs numerous interconnected structures. In this post, we will examine some of the most critical ones, how they function, and how they can be effectively enumerated and inspected using WinDbg. It's important to note that Microsoft provides official definitions only for some registry-related structures through PDB symbols for ntoskrnl.exe. In many cases, I had to reverse-engineer the relevant code to recover structure layouts, as well as infer the types and names of particular fields and enums. Throughout this write-up, I will clearly indicate whether each structure definition is official or reverse-engineered. If you spot any inaccuracies, please let me know. The definitions presented here are primarily derived from Windows Server 2019 with the March 2022 patches (kernel build 10.0.17763.2686), which was the kernel version used for the majority of my registry code analysis. However, over 99% of registry structure definitions appear to be identical between this version and the latest Windows 11, making the information directly applicable to the latest systems as well.
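As an added illustration of the point about official versus reverse-engineered definitions (this is not part of the original post or its author's material), the following kernel-debugger session shows how to check which registry structures the public ntoskrnl.exe PDB actually describes before trusting a layout. The structure names _CMHIVE, _CM_KEY_CONTROL_BLOCK and _CM_KEY_BODY and the !reg extension commands are ones known to exist in public symbols and WinDbg; the KCB address is a placeholder to be taken from the !reg hivelist output on the target.

```windbg
$$ Load public symbols for the kernel before inspecting any structure.
.symfix
.reload /f nt

$$ Structures that ship in the public ntoskrnl.exe PDB resolve with dt
$$ and print their field offsets and types:
dt nt!_CMHIVE
dt nt!_CM_KEY_CONTROL_BLOCK
dt nt!_CM_KEY_BODY

$$ A type with no public definition fails with
$$ "Symbol nt!_NAME not found." and has to be reverse-engineered instead.

$$ The !reg extension enumerates loaded hives and dumps a key control
$$ block; replace <kcb address> with a value printed by the hive walk.
!reg hivelist
!reg kcb <kcb address>
```

Running dt first is the quickest way to tell, on the kernel build under analysis, which of the structures discussed in the post carry official field names and which are inferred.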
Rating: ★★★★
Sent: Yes
Tags: Vulnerability, Threat, Cloud, Technical