Well-known companies and brands are favorite targets for fraudsters. After all, it is much easier to get people's attention with the use of a popular name, so scammers have more chance of trapping a gullible user.
In this article, we will analyze phishing and malicious emails sent by fraudsters that claim to come from international delivery services. The most popular of these are DHL (Germany), FedEx and United Parcel Service (USA), TNT (Netherlands). All of these companies are international, with millions of customers using branches in major countries all over the world. They provide similar services, so scammers use the same methods and techniques in their fraudulent mails.
The phishers' goals include:
- Theft of confidential data (bank card credentials, logins and passwords for personal accounts), mainly with the help of fake web pages imitating official pages of the site. In a phishing attack, users provide the fraudsters with their personal data by filling in the fields on fake sites or by sending the data via email.
- Installing various malicious programs on users' computers. These programs are used not only to monitor user online activity and steal personal information, but also to organize botnets to distribute spam and launch DDoS attacks.
Structurally, the address in the From field looks like this: Sender Name <mailbox name@server domain>. To confuse recipients, scammers can change parts of the address and often make it look very similar to an official address of the delivery service.
There are several groups of email addresses seen in fraudulent emails:
- Email addresses which closely resemble companies' legitimate public addresses. Generally, they use the name of the company (DHL INC, TNT COURIER SERVICE, Fedex, etc.) as the sender name. The name of the mailbox often includes the words info, service, noreply, mail, support which are typical of email addresses used to send official notifications. The server domain name often has a real or very plausible company domain.
- Addresses which do not resemble legitimate company addresses. The sender name still reflects the company name (FedEx, DHL Service, FedEx.com) but the domain name usually belongs to a free email service or an entirely different company. The email address could be taken from a real user (from public sources or hacked mailboxes) or be automatically generated. The latter usually appear as a random sequence of letters, words and numbers.
- Addresses that resemble e-mail addresses of company employees. The sender name may contain the name and surname of a supposed employee, or the company name, or a position (courier, manager, etc). The name of the email box usually contains the same name and surname as the sender name because any difference in the data may alert the recipient to a fraudulent email. Either the real company domain or other domains not related to delivery companies might be used as a domain name.
- Addresses which only indicate the sender's address without a name.
While analyzing the sender address, remember that scammers do not need to hack the company servers to use the real company domain in the From field. They can simply insert the necessary domain name of the server into the From field.
The Subject field
The subject of the fraudulent mail should capture the imagination of recipients and encourage them to open the message, but it also needs to be plausible. Therefore spammers choose common phrases typical of official notifications from delivery services. After sending a parcel or a document, customers worry about its successful delivery and try to follow its progress by reading any notification from a delivery service.
The most popular subjects are:
- Subjects related to the delivery/shipment (shipment notifications, delivery status, shipping confirmation, shipment documents, delivery information, etc.).
- Subjects related to tracking shipments, order information and invoices (the tracking number of the shipment, tracking the shipment, etc.).
- Subjects related to notifications about messages and accounts (creation and confirmation of accounts, new messages, etc.).
Scammers pay special attention to the design of the email. Their main goal is to make the message as believable as possible. After all, if it looks suspicious, a potential victim will most likely delete it despite the attractive subject and plausible sender address. Let's analyze the basic techniques that fraudsters use to make emails look legitimate.
Graphic design
All major international companies have their own corporate style, including wordmarks, graphic trademarks, corporate fonts, slogans and color schemes. These are used on the official website, in mailings and commercials, and in other design components. Scammers use at least some of these elements when designing fraudulent emails to make them look convincing. Usually phishers focus on logos, because these elements are unique to each company and are an immediate identifying mark.
Examples of DHL company logos used in fraudulent emails.
Let's take a closer look at these examples. It's immediately obvious that the second example is very different from the company's official logo. Another sign of a forgery is the difference in size between the false logo and the original, as seen in the fourth example where the logo takes almost a third of the message. Here the plan is probably to attract the reader's attention with a large bright picture rather than plain text. That also explains why the phishing links appear in a larger font: users should respond to it immediately, without trying to read the small print.
In the first example, the scammers are trying to copy the design from the official site (a very popular method). However, the logo is placed on the right-hand side rather than on the left. Also, they are using a color blend for the logo background rather than making it single-color. The logo in the third example most closely imitates the original DHL logo: the scammers have tried to match its size and design. It's not really all that difficult to make a logo for a fake notification: there are plenty of versions of the original image available online in several formats, including vector graphics. In addition to the logo, the fraudsters use the color spectrum chosen by the company in its official resources and mailings. For example, for DHL it is a combination of yellow and red.
The text design
In most official emails we find a number of set phrases, especially when it comes to standard notifications generated and sent automatically. These messages often include contacts and links to the official resources of the sender. Therefore, to make the text of the fake email look like an original notification from a delivery service the fraudsters use:
- Standard phrases typical of official mass mailings: Please do not reply to this email, This is automatically generated email, please do not reply, All rights reserved, Diese Versendung ist automatisch, Bitte beantworten Sie diese nicht, This communication contains proprietary information and may be confidential. Questo e' un email automatico, Si prega di non rispondere, etc.
- Links to the official page of the company. Not all links contained in a fraudulent email are phishing links: spammers may also use links which really lead to official resources in order to make their emails look legitimate and bypass spam filtering.
- Contact for feedback. The fraudsters often indicate the contact information of the sender or the company (name, surname, position, office address). These contacts might be real or fictitious.
When fraudsters send out fake emails, convincing readers that the message is real is only part of the battle. The next step is to persuade the potential victim to do what the scammer requires, such as providing personal information or installing a malicious file. This is where psychology comes into play, and the email content is the main tool.
Fraudulent notifications allegedly sent on behalf of delivery services often use the following tricks:
- Notifications of various problems (e.g. unsuccessful delivery, lack of information, wrong address, no recipient at the delivery address). These phrases are usually related to the delivery, since the companies in question are in the service sector. Therefore, a logistics company warning of a problem with a delivery doesn't prompt any suspicion, especially if the email contains some details of the situation.
- A demand to do something or face some consequence. For example, "collect your parcel within 5 days otherwise it will be returned to the sender".
- Phrases about the content of an attachment or link (invoices, detailed information, documents).
- Phrases about the need to do something (follow a link, open an attachment, print out a file, etc.).
The scammers use deadlines like this to make recipients react immediately. The phishers hope that users will be so worried about losing the parcel or paying extra costs that they won't hesitate to provide personal details or open a suspicious attachment.
Users are unlikely to open unknown attachments or follow unknown links. That's why scammers imitate official websites and present malware as a document with information about a parcel. In addition, if the text of the notification states that the attachment contains, for example, a consignment document, the malicious archive will have a similar name, such as "consignment.zip". This applies to phishing links as well: scammers name their links with an appropriate phrase from the text, such as "shipping information".
This simple trick is intended to reassure recipients that the attachment or link is perfectly legitimate.
Assuming the fraudsters have convinced the recipients that the email is real, the next step is to tell the victims how to solve their problems. Fulfilling these instructions is the ultimate goal of the fraudulent email. Here it is important for the scammers not just to tell recipients what they need to do, but to make them understand correctly what is written in the message. To avoid any misunderstanding on the part of the recipients, messages often contain detailed instructions about what to do.
Cheating the user is not the only thing scammers have to do. They also need to bypass spam filters and deliver the email to the email boxes of potential victims. One of the most popular and long-used methods to bypass filtering is to change text fragments within the email. Modern programs designed to send out spam messages include ample opportunities to generate multiple changes in the text. The text of a message which varies from email to email makes the email unique, while different personal information specified within one mailing (such as the number of the shipment, the form of the address, the dates) helps to convince recipients that the email is intended for them. In addition, the fraudsters can send out emails designed in the same style for several months - they only need to change some elements in the text.
Fraudulent notifications from delivery services can change:
- The information about the order/shipment, including the tracking number of the shipment, delivery dates, etc.
- Contact details, sender names and company names. Some mass mailings provide an e-mail address or a phone number of a company representative for feedback. This particular data changes from email to email. In addition, names of company representatives and even company names themselves may also vary.
- The name of the attachment. This mainly refers to malicious attachments whose names vary between messages within one mass mailing while these different names hide one and the same malicious program.
- Links. In phishing emails and emails with malicious attachments scammers often specifically change the addresses of the links, masking them with the help of different URL shorteners. Most of these links are quickly blocked by current antivirus programs.
- Phrases indicating numbers and dates. These can refer to timetables (days, hours), sums of money and dates (day and month).
- The greeting. Here spammers generally use the email address and/or the name of the recipient. Sometimes they use generic expressions (Dear client, Dear customer, etc.) instead.
- Other text fragments. Some words are replaced with other phrases that have a similar meaning so the general sense of the sentence remains unchanged.
Let's analyze some examples of changes in the text of fraudulent emails.
Below are some emails from yet another mass mailing.
Fake pages
To steal personal information from users, scammers create phishing HTML pages which partially or completely copy the official website of a company. If victims enter their personal information (bank details, usernames and passwords) on such a page, that data immediately falls into the fraudsters' hands.
To mask the links leading to phishing websites the fraudsters often use popular free URL shorteners. In addition, most services offer customers the ability to view the statistics on the short link which tells fraudsters more about the number of clicks on any links etc. Phishing pages can be located on specially registered domains which usually have a short life span as well as on compromised domains whose owner may not even be aware that the web site is being used for fraudulent purposes.
Let's analyze a fake email sent on behalf of FedEx in which recipients are asked to update their account information. The text of the email contains a link to the official website of the company while the real address to which the user is redirected is nothing like the legitimate page and is located on a free URL shortener service. This becomes obvious when you hover on the link.
After clicking the link, users get to a fraudulent page imitating the official website of FedEx, where they are asked to enter their logins and passwords to access their accounts. Once the users fill in the fields and click "Login", the entered information is transmitted to the scammers who can then access the victims' personal accounts. The menu tabs and other links on the phishing page are often inactive, so clicking on them will not take users to the appropriate page. However, in some cases, phishers imitate all links on the page so that users do not have any doubt about its legitimacy. Sometimes the design of the page imitates the official site but does not copy it completely. If you have a closer look at the details, you will see some differences between the designs of the real and the fake pages. However, most users do not pay attention to small details and this carelessness helps the scammers to steal personal information.
Below is yet another example of an email sent on behalf of FedEx. This time it contains a malicious link. The email informs recipients that delivery is impossible because of missing information. And now users have to follow the specified link for verification.
The link leads to a fraudulent page where potential victims are invited to download a program that will supposedly check whether they are really going to receive a parcel. Naturally, the program turns out to be the well-known Zeus Trojan, which helps the fraudsters to access the computer and all the personal information on it.
Scammers might not only include a phishing link in the body of the email, but also attach an HTML phishing page designed to steal personal data. However, this use of HTML attachments as phishing pages is unusual for fraudulent mailings sent on behalf of delivery services.
Fraudulent emails in different languages
To increase the audience of recipients and customers, spammers are mastering new languages. In addition to traditional English and German, current spam traffic includes emails in Hebrew, Albanian and other languages which were found in advertising and fraudulent mailings a few years ago. For example, you may come across fake notifications from international delivery services written in Italian and Dutch. These emails do not have any special features that distinguish them from English- or German-language messages - to cheat users, the fraudsters resort to the same tricks.
For example, this Italian-language fake notification from FedEx tells users to confirm their identity by following a fraudulent link.
Yet another mass mailing in Italian contained a malicious archive which included the Zeus/Zbot Trojan used to steal personal data. The fraudulent email claimed that the user profiles on the website had been updated and there was more detailed information about it in the archive.
Another fake notification written in Dutch on behalf of TNT informs recipients that new accounts have been created for them, with details in the attachment. The archive attached to the email contains Backdoor.Win32.Andromeda, a malicious file that allows the scammers to control the infected computer without the user knowing.
Malware in fraudulent emails
Spam is one of the most popular ways of spreading malware and infecting computers on the Internet. Attackers have various tricks to make victims install malicious software on their computers. Email traffic includes a variety of private emails, such as wedding invitations, dating offers and other similar messages. However, fake notifications from well-known companies and brands providing different services remain the most popular cybercriminal trick. International delivery services are also used by spammers as a cover for malicious spam.
Malware spread in fake notifications from delivery services is divided into:
- Trojan programs developed to perform unauthorized operations in order to delete, block, modify or copy data, or to disrupt computer or network performance. Trojans distributed in spam include Backdoors, Trojan-Downloaders, Trojan-Proxies, Trojan-PSWs, Trojan-Spies, Trojan-Bankers and others.
- Worms, malicious programs capable of unauthorized self-proliferation on computers or computer networks. Those copies go on to spread themselves further.
What is dangerous about malicious programs?
- They can steal usernames and passwords from users' accounts, as well as financial or other information sought by the attackers.
- They can create botnets for distributing spam, DDoS attacks and other criminal activity.
- They can provide fraudsters with control over victim computers, including the ability to run, delete or install any files or programs.
Current malicious programs integrate broad-ranging fraudulent functionality. In addition, some malicious programs can download other malware, providing additional opportunities. These might include stealing usernames and passwords entered in the browser or seizing remote control over the whole computer.
Malicious objects in fraudulent notifications can be embedded directly in the email or downloaded from a link provided in the body of the message. The most dangerous thing about it is that malware can be run and installed without users being aware of it or installing any software themselves. Typically, malicious ZIP (less often RAR) files enclosed in fraudulent emails contain an executable with an .exe extension.
How to recognize phishing emails
Below are a number of features that can help to identify a fraudulent email.
- The sender address. If the sender address includes a random sequence of letters, words or numbers, or the domain has no connection with the official address of the company, the emails should undoubtedly be considered fraudulent and deleted without opening.
- Grammar and spelling mistakes. Wrong word order, incorrect punctuation, grammar and spelling mistakes can also be a sign of a fraudulent mailing.
- Graphic design. Scammers are doing their best to make the email look very similar to the original. To this end they try to imitate other companies' corporate styles using some of their elements, such as color schemes and logos. Inaccuracies and noticeable design errors are among the signs of a fake email.
- The content of the email. If the recipient of the email is asked under various pretexts to urgently provide or confirm personal information, download a file or a link – especially while being threatened with sanctions for not doing so – the email may well be fraudulent.
- Links with different addresses. If the address of the link specified in the body of the email and address of the actual link to which you are redirected do not match, you are definitely looking at a fraudulent email. If you are viewing your email from the browser, the actual link can be usually seen in the bottom left of the browser window. If you use an email client, the actual link can be displayed in a popup window if you hover the cursor over the link in the text. Fraudulent links can also be attached to a text phrase in the email.
- Attached archives. Generally, ZIP and RAR archives are used by cybercriminals to hide malicious executable EXE-files. Therefore, you should not open these archives or run the attached files.
- Lack of contacts for feedback. Legitimate emails always provide contact information for feedback - either the company or the sender's personal contacts.
- Form of address. Fraudulent emails do not necessarily use the first name or the surname to address the recipient; sometimes a universal form of address ("client", etc.) is used.
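As an added example (not part of the Securelist article), a small Python checker that applies the indicators listed above, sender domain versus brand name, visible link text versus real target, deadline phrases, and executables hidden in ZIP attachments, to a constructed specimen modelled on the FedEx emails described earlier. The carrier domain allow-list, the phrase list and the sample message are assumptions made here.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for the carriers the article names; not taken from the article.
LEGIT_DOMAINS = {"dhl.com", "fedex.com", "ups.com", "tnt.com"}
BRAND_RE = re.compile(r"\b(dhl|fedex|ups|united parcel|tnt)\b")
# Pressure phrases of the kind the article quotes ("collect your parcel within 5 days ...").
URGENCY = ("within 5 days", "urgently", "will be returned to the sender",
           "update your account", "confirm your identity")

class LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from the HTML part of a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def reg_domain(value):
    """Registered domain of a URL or host name: 'http://www.fedex.com/x' -> 'fedex.com'."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyze(raw_bytes):
    """Return the list of suspicious findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Carrier named in the sender name or mailbox, but the domain is not the carrier's.
    if BRAND_RE.search((name + " " + addr).lower()) and domain not in LEGIT_DOMAINS:
        findings.append(f"sender claims a carrier but uses domain '{domain}'")
    # 2. Visible link text that looks like a URL but points at a different domain.
    html = msg.get_body(preferencelist=("html",))
    body_text = html.get_content() if html is not None else ""
    if html is not None:
        parser = LinkParser()
        parser.feed(body_text)
        for href, text in parser.links:
            if re.search(r"(https?://|www\.)", text) and reg_domain(text) != reg_domain(href):
                findings.append(f"link text '{text}' hides target '{href}'")
    # 3. Deadline or pressure phrases in the message text.
    lowered = body_text.lower()
    findings += [f"pressure phrase: '{p}'" for p in URGENCY if p in lowered]
    # 4. Archive attachments, and executables hidden inside ZIP archives.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith((".zip", ".rar")):
            findings.append(f"archive attachment '{fname}'")
        if fname.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    findings += [f"executable '{n}' inside '{fname}'"
                                 for n in zf.namelist() if n.lower().endswith((".exe", ".scr"))]
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive '{fname}'")
    return findings

def build_sample():
    """Constructed specimen modelled on the FedEx examples in the article (not a real email)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("consignment.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = "FedEx Customer Service <service@fedex-delivery-notify.example>"
    m["To"] = "customer@example.net"
    m["Subject"] = "Shipment notification - delivery status"
    m.set_content("Your parcel could not be delivered.")
    m.add_alternative(
        "<p>Dear customer,</p><p>Please update your account within 5 days, otherwise the parcel "
        "will be returned to the sender.</p>"
        '<p><a href="http://short.example/AbC12">http://www.fedex.com/account</a></p>',
        subtype="html")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Consignment.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print("-", finding)
```

Run against a mailbox export, each indicator is a reason to treat the message with suspicion rather than proof by itself; the allow-list in particular needs to match the carriers and domains relevant to your users.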
Kernel Patch Protection (also known as "patchguard") is a Windows mechanism designed to control the integrity of vital code and data structures used by the operating system. It was introduced in Windows 2003 x64 and has been constantly improved in further Windows versions. In this article we present a descriptive analysis of the patchguard for the latest Windows 8.1 x64 OS, and primarily focus on patchguard initialization and attack vectors related
It is natural that kernel patch protection is being developed incrementally, so the initialization process is common for all versions of Windows that have patchguard. There are a lot of papers published about kernel patch protection on Windows which describe the process of its initialization, so you may use the references at the end of this article to obtain details.
As is widely known, the main component of patchguard is initialized in a misleadingly named function, "KiFilterFiberContext". It will be the starting point of our investigation. Looking for cross-references doesn't help us much in pointing out its call site, but several articles help us by stating that patchguard initialization is called indirectly from the function "KeInitAmd64SpecificState". By indirectly we mean here not just an indirect call, but the use of exception handlers. It is a very common trick often found in patchguard-related functions, as we'll see further on. So, we have an initialization function call stack:
```
... --> Phase1InitializationDiscard --> KeInitAmd64SpecificState --> KiFilterFiberContext
                (call)                         (call)                   (exception)
```
This type of initialization is described in more detail in . By the way, this one is always called
on the last CPU core, if it matters.
However, it is not the only way that the kernel uses to initialize patchguard. With a 4% probability the patchguard context can also be initialized from a function also misleadingly called
```
... --> Phase1InitializationDiscard --> sub_14071815C (obviously with a stripped symbol, because this one processes the Windows license type for the current PC) --> ExpLicenseWatchInitWorker
```
The pseudocode of this function looks like this:
```c
NTSTATUS (*KiFilterFiberContext)(PVOID pFilterparam);

// KiServiceTablesLocked == KiFilterParam
// Both pointers are picked up from the Prcb.HalReserved array (the indices are not shown here)
KiFilterParam = KiInitialPcr.Prcb.HalReserved;
KiInitialPcr.Prcb.HalReserved = NULL;
KiFilterFiberContext = KiInitialPcr.Prcb.HalReserved;
KiInitialPcr.Prcb.HalReserved = NULL;

// Safe-mode boot or an active kernel debugger disables this initialization path
ForgetAboutPG = (InitSafeBootMode != 0) | (KUSER_SHARED_DATA.KdDebuggerEnabled >> 1);

// 96% of cases will fail
if ( __rdtsc() % 100 > 3 )
    ForgetAboutPG |= 1;

// A failed initialization is reported as a (misleading) license violation bug check
if ( !ForgetAboutPG && KiFilterFiberContext(KiFilterParam) != 1 )
    KeBugCheckEx(SYSTEM_LICENSE_VIOLATION, 0x42424242, 0xC000026A, 0, 0);
```
As you may notice, there is a small "present" in the "HalReserved" processor control block field left for this initialization case. Tracing down the one who left it leads us to the very beginning of kernel initialization:
```
... --> KiSystemStartup --> KiInitializeKernel --> KeCompactServiceTable --> KiLockServiceTable -v ??????
```
We have to pause here, because there is no code that puts data into the HalReserved fields directly. Instead, it is done using the exception handler, and in a different way from "KeInitAmd64SpecificState", because no exception is triggered. What it does instead is look up the current instruction pointer directly, find the corresponding function and its exception handler manually, and then call the handler. The exception handler of the "KiLockServiceTable" function is an unnamed stub to "KiFatalExceptionFilter".
```
?????? ---> KiFatalExceptionFilter
```
"KiFatalExceptionFilter" in turn looks up an exception handler for the "KiServiceTablesLocked" function. Surprisingly, it is "KiFilterFiberContext"! Also, the parameter that is passed to "KiFilterFiberContext" is located right after the "KiServiceTablesLocked" function. It is a small
```c
typedef struct _KI_FILTER_FIBER_PARAM
{
    NTSTATUS (*PsCreateSystemThread)();  // a pointer to the PsCreateSystemThread function
    KSTART_ROUTINE sub_140235C44;        // unnamed checker subroutine (thread start routine)
    KDPC KiBalanceSetManagerPeriodicDpc; // global DPC struct
} KI_FILTER_FIBER_PARAM, *PKI_FILTER_FIBER_PARAM;
```
"KiFatalExceptionFilter" stores these pointers to “HalReserved” fields.
Creating patchguard context
Let's get back to the "KiFilterFiberContext" function. Its pseudocode is given below:
```c
BOOLEAN KiFilterFiberContext(PVOID pKiFilterParam)
{
    BOOLEAN Result = TRUE;
    DWORD64 dwDpcIdx1 = __rdtsc() % 13;
    DWORD64 dwRand2   = __rdtsc() % 10;
    DWORD64 dwMethod1 = __rdtsc() % 6;

    // Let's call sub_1406D6F78 KiInitializePatchGuardContext since it does initialize patchguard context
    Result = KiInitializePatchGuardContext(dwDpcIdx1, dwMethod1, (dwRand2 < 6) + 1, pKiFilterParam, TRUE);

    // A 50% chance to create two patchguard contexts
    if (dwRand2 < 6)
    {
        DWORD64 dwDpcIdx2 = __rdtsc() % 13;
        DWORD64 dwMethod2;

        // Re-roll until the second method differs from the first; only method 0 may be used twice
        do
            dwMethod2 = __rdtsc() % 6;
        while ((dwMethod1 != 0) && (dwMethod1 == dwMethod2));

        Result = KiInitializePatchGuardContext(dwDpcIdx2, dwMethod2, 2, pKiFilterParam, FALSE);
    }
    return Result;
}
```
It is rather clear, and from the code above (together with the second initialization path via ExpLicenseWatchInitWorker) we can assume that up to 4 patchguard contexts can be active on a running system simultaneously. Remember this function, because wherever it is called we can be 100% sure that a new patchguard context is being initialized.
The function that creates and initializes a patchguard context is the one we call "KiInitializePatchGuardContext". It is a huge obfuscated function. It seems appropriate to quote Alex Ionescu's tweet about it:
"I love the new #Windows 8 Patch Guard. Fixes so many of the obvious holes in downlevel, and the new hyper-inlined obfuscation makes me cry."
You bet! IDA Pro's decompiler works on it for ~20 min on a Core i7 3770 CPU and spews out 26K lines of code. It is not worth dealing with as a single unit. Luckily, you can bite off small pieces of information that give you a clue about the methods the new patchguard uses. That's why we did not reverse engineer it entirely; instead we took and analyzed several parts of it. Feel free to explore this function yourself, and you may discover new wonderful things!
It takes 5 parameters on Windows 8.1:
1. Index of the DPC routine to be called from a created patchguard DPC for checking the patchguard context. It may be one of these:
```
// These ones don't use exception handlers to fire checks
KiTimerDispatch (copied to random pool allocation)
KiDpcDispatch (copied into patchguard context)
// These use exception handlers to fire patchguard checks
```
Also, those 10 DPCs are regular system DPCs with a useful payload, but when they encounter a DeferredContext which has a non-canonical address, they fire a corresponding
These functions are only called when an appropriate scheduling method is used (0, 1, 2, 5).
2. Scheduling method:
These are the methods that are used to fire a patchguard DPC object that is created inside
- KeSetCoalescableTimer (0). A timer object is created with a random fire period between 2 minutes and 2 minutes 10 seconds.
- Prcb.AcpiReserved (1). In this case a patchguard DPC is fired when a certain ACPI event occurs, e.g. transitioning to an idle state. "HalpTimerDPCRoutine" checks whether 2 minutes have passed since the DPC it last queued, and queues another one, taken from the Prcb.AcpiReserved field.
- Prcb.HalReserved (2). Here a patchguard DPC is queued when a HAL timer clock interrupt occurs, in "HalpMcaQueueDpc". This is also done with a period of at least 2 minutes. The queued patchguard DPC is taken from the Prcb.HalReserved field.
- PsCreateSystemThread (3). In this case the patchguard DPC routine is not used; instead a system thread is created. The thread procedure is taken from the KI_FILTER_FIBER_PARAM structure. The patchguard DPC is used only as a container for the address of the newly created patchguard context.
- KeInsertQueueApc (4). This time a regular kernel APC with the "KiDispatchCallout" APC procedure is queued to one of the system threads. No patchguard DPC is fired either. The system thread is chosen based on its start address, i.e. it must be equal to either PopIrpWorkerControl or CcQueueLazyWriteScanThread.
- KiBalanceSetManagerPeriodicDpc (5). The patchguard DPC is stored in a global variable named "KiBalanceSetManagerPeriodicDpc". It is queued in the "KiUpdateTimeAssist" and "KeClockInterruptNotify" functions every "KiBalanceSetManagerPeriod" ticks.
3. This parameter can be either 1 or 2. We are not sure how it affects the "KiInitializePatchGuardContext" function, but it is somehow connected to the number of checks done during execution of the patchguard context verification routine.
4. A pointer to a KI_FILTER_FIBER_PARAM structure. It is noticeable that the method chosen inside "KiInitializePatchGuardContext" is selected based on the presence of this parameter. If it is present, the method bit mask is tested against 0x29 (101001b), which allows methods 0, 3 and 5. Otherwise methods 0, 1, 2 and 4 are available. That makes sense, because methods 3 and 5 require a valid KI_FILTER_FIBER_PARAM structure.
5. Boolean parameter which tells if NT kernel functions checksums have to be recalculated.
As you might guess, the only scheduling method that can be initialized twice is 0, so "KiFilterFiberContext" takes this fact into account when it chooses a method for the second call of
Firing a patchguard check
Methods that fire patchguard DPC
The main principle of the patchguard check routine is to launch a patchguard context verification routine at DPC level, and then queue a work item that checks vital system structures at passive level, followed by context recreation and rescheduling. The verification work item uses a copy of the "FsRtlUninitializeSmallMcb" function. You can check this one out if you want to figure out how the check works.
For the methods which use DPC activation there is common code inside the 10 listed DPC routines which checks whether "DeferredContext" is a non-canonical address. If the address is canonical, the DPC just executes its regular payload. Otherwise one of the 10 "KiCustomAccessRoutineX" functions is called. When "KiCustomAccessRoutineX" is called, (last 2 bits + 1) of "DeferredContext" is taken and used to roll along "KiCustomRecurseRoutineX". These recursive routines are cycled by incrementing the X value. When the roll is over, "KiCustomRecurseRoutineX" tries to dereference the DeferredContext value as a pointer, which inevitably generates a #GP exception since the address is non-canonical.
// Inside the DPC routine: is DeferredContext a canonical address? (arithmetic shift: bits 63..47 all zeros or all ones)
if ( (DeferredContext >> 47) < 0xFFFFFFFFFFFFFFFFui64 && DeferredContext >> 47 != 0 )
    KiCustomAccessRoutineX(DeferredContext); // non-canonical: enter the access/recurse chain
else
    ...                                      // canonical: regular DPC payload
void KiCustomAccessRoutine9(DWORD64 DeferredContext)
{
    return KiCustomRecurseRoutine9((DeferredContext & 3) + 1, DeferredContext);
}
void KiCustomRecurseRoutine9(DWORD dwRoll, DWORD64 DeferredContext)
{
    dwNextRoll = dwRoll - 1;
    if ( dwNextRoll )
        ...                          // roll on to the next KiCustomRecurseRoutineX with dwNextRoll
    else
        go_go_GP = *DeferredContext; // #GP
}
// DPC routine call sequence
ExpTimerDpcRoutine -> KiCustomAccessRoutine0 -> KiCustomRecurseRoutine0 ... KiCustomRecurseRoutineN
IopTimerDispatch -> KiCustomAccessRoutine1 -> KiCustomRecurseRoutine1 ... KiCustomRecurseRoutineN
IopIrpStackProfilerTimer -> KiCustomAccessRoutine2 -> KiCustomRecurseRoutine2 ... KiCustomRecurseRoutineN
PopThermalZoneDpc -> KiCustomAccessRoutine3 -> KiCustomRecurseRoutine3 ... KiCustomRecurseRoutineN
CmpEnableLazyFlushDpcRoutine -> KiCustomAccessRoutine4 -> KiCustomRecurseRoutine4 ... KiCustomRecurseRoutineN
CmpLazyFlushDpcRoutine -> KiCustomAccessRoutine5 -> KiCustomRecurseRoutine5 ... KiCustomRecurseRoutineN
KiBalanceSetManagerDeferredRoutine -> KiCustomAccessRoutine6 -> KiCustomRecurseRoutine6 ... KiCustomRecurseRoutineN
ExpTimeRefreshDpcRoutine -> KiCustomAccessRoutine7 -> KiCustomRecurseRoutine7 ... KiCustomRecurseRoutineN
ExpTimeZoneDpcRoutine -> KiCustomAccessRoutine8 -> KiCustomRecurseRoutine8 ... KiCustomRecurseRoutineN
ExpCenturyDpcRoutine -> KiCustomAccessRoutine9 -> KiCustomRecurseRoutine9 ... KiCustomRecurseRoutineN
Here comes structured exception handling again. If you look up all the exception handlers for these DPC routines, you'll discover several nested __try/__except and __try/__finally blocks. For example, "ExpTimerDpcRoutine" looks something like this:
__except (FilterSub1()) // patchguard context decryption occurs here
The language-specific handlers registered for the DPC routines are:
ExpCenturyDpcRoutine, ExpTimeZoneDpcRoutine, ExpTimeRefreshDpcRoutine, KiBalanceSetManagerDeferredRoutine, CmpLazyFlushDpcRoutine, CmpEnableLazyFlushDpcRoutine, PopThermalZoneDpc, ExpTimerDpcRoutine … -> _C_specific_handler
IopIrpStackProfilerTimer, IopTimerDispatch … -> _GSHandlerCheck_SEH (GS cookie check + _C_specific_handler)
Depending on the DPC routine, the decryption routine (based on the KiWaitAlways and KiWaitNever variables) may reside in one of the exception filters, exception handlers or termination handlers. Further patchguard context verification also occurs inside the decryption routine, right after the
As for the "KiTimerDispatch" and "KiDpcDispatch" DPC routines, they call patchguard context verification directly. Also, depending on the DPC routine, a different type of patchguard context encryption is used (or none at all).
Method 3 creates a system thread. The system thread procedure sleeps for between 2 minutes and 2 minutes 10 seconds, using "KeDelayExecutionThread" or "KeWaitForSingleObject" on a kernel object which is never signaled. After the wait times out it decrypts the patchguard context and executes the verification routine.
Method 4 inserts an APC with the "KiDispatchCallout" function as the kernel routine and "EmpCheckErrataList" as the normal routine. Patchguard context decryption and validation occur upon APC delivery to the target waiting thread, which happens almost immediately. In this method the 2 minute wait is located inside the verifier work item routine.
One more piece of a puzzle
That would be it about patchguard initialization, but looking for cross-references to KUSER_SHARED_DATA.KdDebuggerEnabled led me to a suspicious function named "CcInitializeBcbProfiler". It is full of bit rotations and magic numbers, which made me check whether it is related to the patchguard mechanism.
... -> Phase1InitializationDiscard -> CcInitializeCacheManager -> CcInitializeBcbProfiler
It seems to have the same roots!
With a 50% chance it queues either a DPC with the "CcBcbProfiler" routine or a work item with an unnamed work item routine (which is almost identical to "CcBcbProfiler"). This mechanism picks one random function from the NT kernel module and checks its integrity every 2 minutes.
It is interesting that all of the patchguard-related functions are located next to one another, starting from "FsRtlMdlReadCompleteDevEx". This suggests that they come from a single compilation unit, and gives us hope that all of the patchguard initialization paths have been covered in this article.
Now that we have covered patchguard initialization, we know which wires of the patchguard bomb can be cut to defuse it! There are several ways, depending on the patchguard DPC scheduling method. Since we cover a specific version of patchguard, i.e. the one in Windows 8.1, we are going to use precomputed offsets for accessing the fields of private kernel structures.
The common defusing principle is to first check whether the verification routine is in progress, and wait a bit if it is. Then do the following:
- KeSetCoalescableTimer (0). Scan through the Prcb timer table and disable the timer with a suitable DPC object.
- AcpiReserved field (1). Zero this field out, so the DPC won't be fired again.
- HalReserved field (2). Same here.
- PspCreateSystemThread (3). Enumerate all threads in the system and unwind their stacks. Then check whether the start routine from the "KiServiceTablesLocked" structure is present in the call stack. If it is there, it's a patchguard thread. Disable it while it is in a wait state by setting the wait time to infinite.
- APC (4). Take the current Prcb NUMA node and its worker thread pool. Scan through its sleeping worker threads, unwinding their stacks up to the "ExpWorkerThread" function. If there are functions that cannot be found in the NT image runtime function data, try to unwind them sequentially with the runtime data for "FsRtlMdlReadCompleteDevEx" and "FsRtlUninitializeSmallMcb". If this succeeds, it is a patchguard worker. Disable it by setting the wait time to infinite.
- KiBalanceSetManagerPeriodicDpc (5). Zero this structure out.
By disabling a timer we mean setting its due time to infinity, so it never fires. By a suitable DPC object we mean a DPC object whose deferred context is set to a non-canonical address. Additionally, you can check that this pointer is valid after XORing its value with the quad-word that follows right after the KDPC structure and ANDing the result with 0xFFFF800000000000.
As for the "CcBcbProfiler" piece, we consider it not to be relevant, since there is only a small chance that it will check exactly the function we need.
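To make two of the checks above concrete (the non-canonical DeferredContext test that routes a DPC into the KiCustomAccessRoutineX chain, and the XOR-decode test for picking out the patchguard timer DPC when defusing method 0), here is an added user-mode model in C. It is not code from this article or from the Windows kernel: the KDPC is reduced to the two quad-words the text mentions plus a plain due-time field, the "increment X" step of the recurse chain is assumed to wrap modulo 10 over the ten routines, and "valid after XORing" is taken to mean that the decoded value carries the kernel-space prefix 0xFFFF800000000000. All of those are assumptions of this model, not facts about ntoskrnl.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reduced model of a timer table entry: only what the defusing logic touches.
   Field names and layout are assumptions of this model, not the real _KTIMER/_KDPC. */
typedef struct {
    uint64_t due_time;           /* timer expiry; UINT64_MAX models "never fires" */
    uint64_t deferred_context;   /* KDPC.DeferredContext */
    uint64_t decode_key;         /* the quad-word right after the KDPC structure */
} model_timer;

#define KERNEL_VA_PREFIX 0xFFFF800000000000ULL
#define NEVER_FIRES      UINT64_MAX
#define RECURSE_ROUTINES 10      /* KiCustomRecurseRoutine0..9 */

/* x86-64 canonical form with 48-bit virtual addresses: bits 63..47 are all
   zeros or all ones. This is what the decompiled DPC test expresses as
   (DeferredContext >> 47) != 0 && (DeferredContext >> 47) != -1. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1FFFF;
}

/* Model of KiCustomAccessRoutineX -> KiCustomRecurseRoutineX: the roll count is
   (low two bits + 1), each step hands over to the next routine (assumed to wrap
   modulo 10), and the routine reached when the count runs out dereferences the
   pointer. Returns the index of the routine that raises #GP, or -1 when the
   context is canonical and the chain is never entered. */
int faulting_recurse_routine(int start_routine, uint64_t deferred_context)
{
    if (is_canonical(deferred_context))
        return -1;
    unsigned roll = (unsigned)(deferred_context & 3) + 1;   /* 1..4 */
    int x = start_routine;
    while (--roll)
        x = (x + 1) % RECURSE_ROUTINES;
    return x;                       /* this routine does *DeferredContext -> #GP */
}

/* The "suitable DPC object" test: a non-canonical DeferredContext that, XORed
   with the following quad-word, turns into a kernel-space pointer. */
bool looks_like_patchguard_dpc(const model_timer *t)
{
    if (is_canonical(t->deferred_context))
        return false;
    uint64_t decoded = t->deferred_context ^ t->decode_key;
    return (decoded & KERNEL_VA_PREFIX) == KERNEL_VA_PREFIX;
}

/* Method 0 defusing step: walk the timer table and push the due time of every
   suitable timer out to infinity. Returns how many timers were disarmed. */
size_t disarm_patchguard_timers(model_timer *table, size_t count)
{
    size_t disarmed = 0;
    for (size_t i = 0; i < count; i++) {
        if (looks_like_patchguard_dpc(&table[i])) {
            table[i].due_time = NEVER_FIRES;
            disarmed++;
        }
    }
    return disarmed;
}

int main(void)
{
    /* Constructed sample table: one ordinary DPC and one patchguard-style entry. */
    const uint64_t key = 0x0123456789ABCDEFULL;
    model_timer table[2] = {
        { 1000, 0xFFFFF80000123456ULL, 0 },            /* canonical context, left alone */
        { 2000, 0xFFFFF80000ABCDEFULL ^ key, key },    /* encoded -> non-canonical */
    };
    printf("non-canonical context faults in KiCustomRecurseRoutine%d\n",
           faulting_recurse_routine(9, table[1].deferred_context));
    printf("disarmed %zu timer(s)\n", disarm_patchguard_timers(table, 2));
    return 0;
}
```

The two predicates are deliberately kept separate: a non-canonical DeferredContext alone is a strong hint, but only the XOR-decode step ties the DPC to a real kernel-space pointer, which is what makes the timer scan in method 0 safe to act on without touching unrelated DPCs.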
The quality of the Windows 8.1 kernel patch protection mechanism is extremely high. There are a lot of interesting anti-debugging tricks used against dynamic analysis, e.g. resetting the IDT before accessing the debug registers (which hangs the machine if you set a break on debug register access), and overall obfuscation such as using macros to generate pseudo-random values, loop unrolling, etc. Static analysis is also extremely difficult, since a lot of indirect function calls are used, including calls made through exception handlers.
It is a really nice tool to keep the system safe. Therefore we hope that as a developer you won't face situations where you need to disable this cool mechanism!
Authors: Mark Ermolov, Artem Shishkin // Positive Research
Browsers are generally designed to prevent a script from one site from being able to access content from another site. They do this by enforcing what is called the Same Origin Policy (SOP): scripts can only read or modify resources (such as the elements of a webpage) that come from the same origin as the script, where the origin is determined by the combination of scheme (which is to say, protocol, typically HTTP or HTTPS), domain, and port number.
The SOP should then prevent a script loaded from http://malware.bad/ from being able to access content at https://paypal.com/.
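The origin comparison described above, as an added example rather than code from the article or from any browser: a small C parser that reduces a URL to its (scheme, host, port) triple and compares two of them. Scheme and host are treated case-insensitively and a missing port is filled in with the scheme default, so that https://paypal.com/ and https://paypal.com:443/ are the same origin while a different scheme, a subdomain or an explicit non-default port are not. The helper names and the test URLs are this example's own choices; only http and https are given defaults.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The triple the Same Origin Policy compares. */
typedef struct {
    char scheme[16];
    char host[256];
    int  port;       /* explicit port, or the scheme's default */
} origin;

static int default_port(const char *scheme)
{
    if (strcmp(scheme, "http") == 0)  return 80;
    if (strcmp(scheme, "https") == 0) return 443;
    return -1;       /* scheme with no default here: the URL must carry a port */
}

static void lowercase(char *s)
{
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* Parse "scheme://host[:port][/path...]" into its origin. Scheme and host are
   case-insensitive; a missing port becomes the scheme default so that
   https://a.example/ and https://a.example:443/ compare equal.
   Returns false on input it cannot parse. */
bool parse_origin(const char *url, origin *out)
{
    const char *sep = strstr(url, "://");
    if (!sep || sep == url || (size_t)(sep - url) >= sizeof out->scheme)
        return false;
    memcpy(out->scheme, url, (size_t)(sep - url));
    out->scheme[sep - url] = '\0';
    lowercase(out->scheme);

    const char *host = sep + 3;
    size_t hlen = strcspn(host, ":/?#");
    if (hlen == 0 || hlen >= sizeof out->host)
        return false;
    memcpy(out->host, host, hlen);
    out->host[hlen] = '\0';
    lowercase(out->host);

    const char *rest = host + hlen;
    if (*rest == ':') {
        char *end;
        long port = strtol(rest + 1, &end, 10);
        if (end == rest + 1 || port < 1 || port > 65535)
            return false;
        out->port = (int)port;
    } else {
        out->port = default_port(out->scheme);
        if (out->port < 0)
            return false;
    }
    return true;
}

/* true only when scheme, host and port all match; a parse failure on either
   side is treated as cross-origin (deny by default). */
bool same_origin(const char *a, const char *b)
{
    origin oa, ob;
    if (!parse_origin(a, &oa) || !parse_origin(b, &ob))
        return false;
    return strcmp(oa.scheme, ob.scheme) == 0
        && strcmp(oa.host, ob.host) == 0
        && oa.port == ob.port;
}

int main(void)
{
    /* Constructed pairs: the article's example plus the edge cases that trip people up. */
    const char *pairs[][2] = {
        { "http://malware.bad/", "https://paypal.com/" },           /* scheme and host differ */
        { "https://paypal.com/", "https://paypal.com:443/login" },  /* default port == 443 */
        { "https://paypal.com/", "http://paypal.com/" },            /* scheme differs */
        { "https://paypal.com/", "https://www.paypal.com/" },       /* subdomain differs */
        { "https://paypal.com/", "https://paypal.com:8443/" },      /* port differs */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-24s vs %-30s -> %s\n", pairs[i][0], pairs[i][1],
               same_origin(pairs[i][0], pairs[i][1]) ? "same origin" : "cross origin");
    return 0;
}
```

Note that the path, query and fragment never enter the comparison: two pages on the same scheme, host and port are the same origin however different their URLs are, which is exactly why a single XSS bug anywhere on a host exposes everything else served from that origin.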
Apple has put fixes in place to its iCloud cloud storage service that now prevent an attacker from mining data from an iOS device backup stored in the cloud by gaining access to the user’s password—at least if that user has turned on Apple’s new two-factor authentication.
As we reported last week, iCloud previously did not use two-factor authentication to help protect backup data or the Find My iPhone service. This meant that the accounts of victims of social engineering attacks or those who used passwords based on personal data could be harvested of their backup data—allowing the attacker to gain access to photos, call records, SMS records, e-mail, and other personal data. Apple had said that it was moving to provide additional protection through two-factor authentication in advance of the release of iOS 8.
We tried accessing one of the accounts attacked during our testing just prior to the Apple event last week using Elcomsoft Phone Password Breaker, a forensic tool that uses a reverse-engineered version of Apple’s iOS backup protocols to extract backup data from an iCloud account. The account now has two-factor authentication turned on, and the attempt failed—it yielded an unspecified HTTP error.
Česká spořitelna is once again warning its clients about possible abuse of their internet banking via the social network Facebook. Through it, the perpetrators try to lure out the client's internet banking login credentials. The fraudster approaches the client from the profile of one of the client's friends, asking them to send a small amount of money (usually 30 to 50 CZK). The fraudster then sends the client a link to a payment gateway via Facebook and asks them to fill in their internet banking details. If the client fills in the details, the fraudster abuses them immediately.
DDoS attacks are becoming ever more sophisticated and complex, and according to security experts the next vector we should be worried about is the SNMP (Simple Network Management Protocol) amplification attack. During yesterday many scans were recorded looking for devices that could be abused to launch an attack using SNMP. The scans used the spoofed source IP address 184.108.40.206, which belongs to Google's DNS servers. Experts therefore fear that this may be part of a planned attack on Google that is to use SNMP for amplification. Everything about the SNMP amplification attack and the correct configuration of SNMP devices can be found on our pages. Do not let your devices be abused for these attacks!
Trustwave has detected a new series of attacks on servers around the world, based on exploiting an old CGI-PHP vulnerability to spread the BoSSaBoTv2 botnet. The primary purpose of this botnet is bitcoin mining.