Documenting the Undocumented Adding CFG Exceptions .pdf
Original filename: Documenting_the_Undocumented_Adding_CFG_Exceptions.pdf

This PDF 1.4 document has been generated by Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 / Skia/PDF m51, and has been sent on pdf-archive.com on 24/06/2016 at 13:25, from IP address 80.246.x.x. The current document download page has been viewed 308 times.
File size: 2.1 MB (18 pages).
Privacy: public file

6/24/2016

Documenting the Undocumented: Adding CFG Exceptions - Breaking Malware (http://breakingmalware.com/)

Sponsored by enSilo (http://www.ensilo.com/)



Tal Liberman (http://breakingmalware.com/author/tal-liberman/)



June 21, 2016 (http://breakingmalware.com/documentation/documenting-undocumented-adding-control-flow-guard-exceptions/)




Documenting the Undocumented: Adding CFG Exceptions

http://breakingmalware.com/documentation/documenting-undocumented-adding-control-flow-guard-exceptions/

1/18


TL;DR Microsoft’s Control Flow Guard (CFG) is a security feature that prevents indirect calls from being abused to reach addresses that are not marked as safe. CFG can cause problems for anyone trying to execute malicious memory manipulations on Windows. In such cases, it can be bypassed by adding an exception to the CFG bitmap (a mapping of all the “safe” addresses). How can we add such an exception? There are actually two ways: one documented, the other undocumented. In this post, we’ll walk you through both while analyzing the undocumented syscall in depth.

What is Microsoft’s Control Flow Guard (CFG)?
A combination of compile and run-time support from CFG implements control flow integrity that tightly restricts where indirect call instructions can execute.
The compiler does the following:
- Adds a lightweight security check before each indirect call in the compiled code
- Identifies the set of functions in the application that are valid targets for indirect calls
The runtime support, provided by Windows (both kernel mode and user mode code are involved):
- Efficiently maintains state that identifies valid indirect call targets
- Implements the logic that verifies that an indirect call target is valid

Figure 1: CFG overview, from microsoft.com (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-1-CFG-From-Microsoft-Com.jpg)


For those who would like to get better acquainted with CFG internals I recommend looking into the following reading material:
- Exploring Control Flow Guard in Windows 10 – http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
- Windows 10 Control Flow Guard Internals – http://www.powerofcommunity.net/poc2014/mj0011.pdf

It Always Starts with a Crash
I was working on a completely different project (a new Windows code injection technique which I will be posting
about in the coming weeks so stay tuned!) when I encountered CFG, which meant I had one more hurdle to
jump over.
I was able to successfully inject code into various 3rd party applications, such as VLC and Chrome; but when I
tried to inject code into mspaint.exe (on Windows 10 mspaint.exe is compiled with CFG support, while VLC and
Chrome are not), the application crashed.

Figure 2: Hijacking a remote thread (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-2-Hijacking-Remote-Thread.png)
And this was the result:


Figure 3: mspaint.exe crash (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-3-MsPaint-Crash.png)

Down the Rabbit Hole We Go
I ran it again with my debugger attached to “mspaint.exe” to see what had happened.

(2e18.3520): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000005 ebx=00547d88 ecx=0000000a edx=773182f0 esi=773182f0 edi=0017cb34 
eip=7732b5a0 esp=0017ca70 ebp=0017ca98 iopl=0         nv up ei pl zr na pe nc 
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246 
ntdll!RtlFailFast2: 
7732b5a0 cd29            int     29h

If you’ve never seen “int 29h” I would advise you to run a quick Google search for “int 29h Windows”. You’ll find
a few interesting articles that will tell you that “int 29h” leads to nt!KiRaiseSecurityCheckFailure which will not
help you very much because it’s very generic.
At any rate, it looks like we failed some kind of security check (maybe stack cookies?). The next step would be
to look at the call stack to see if perhaps that would give us a hint as to what was the root cause of the
exception.


0:001> k 
ChildEBP RetAddr  
0017ca6c 7730c7a2 ntdll!RtlFailFast2 
0017ca98 7732aa88 ntdll!RtlpHandleInvalidUserCallTarget+0x73 
0017cb20 77318d7b ntdll!LdrpValidateUserCallTargetBitMapRet+0x3b

Looking at this call stack, things are starting to make sense. It looks like a call was made to
ntdll!LdrpValidateUserCallTargetBitMapRet.
Let’s take a look at ntdll!LdrpValidateUserCallTargetBitMapRet with IDA:

Figure 4: IDA functions window, LdrpValidateUserCallTarget (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-4-IDA-Functions-Windows-LdrpValidateUserCallTarget.png)
Looking at the disassembly (after undefining these three functions and redefining them as one) we can probably
infer that the call was actually made to ntdll!LdrpValidateUserCallTarget. This can also be verified by further
examining the call stack – which we will do in a future post.


Figure 5: IDA view of LdrpValidateUserCallTarget (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-5-IDA-View-LdrpValidateUserCallTarget.png)
The call to ntdll!LdrpValidateUserCallTarget led to the call to ntdll!RtlpHandleInvalidUserCallTarget.
Clearly, we did not pass CFG’s check and were therefore led to ntdll!RtlpHandleInvalidUserCallTarget.
The call to ntdll!RtlpHandleInvalidUserCallTarget led us to ntdll!RtlFailFast2.

Figure 6: IDA view of RtlpHandleInvalidUserCallTarget calling RtlFailFast2 (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-6-IDA-View-RtlpHandleInvalidUserCallTarget-RtlFailFast2.png)


ntdll!RtlFailFast2 is a very simple function that looks like this:

Figure 7: IDA view of RtlFailFast2 (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-7-IDA-View-RtlFailFast2.png)
If you are not familiar with these functions run a quick search for “LdrpValidateUserCallTarget”. It shouldn’t be
too hard to understand that this is CFG’s validator function.
Right before the exception occurred, the address that the indirect call was attempting to reach was stored in ESI.

0:001> u esi 
ntdll!NtSetContextThread: 
773182f0 b872010000   mov     eax,172h 
773182f5 bab0b53277   mov     edx,offset ntdll!Wow64SystemServiceCall (7732b5b0) 
773182fa ffd2         call    edx
773182fc c20800       ret     8 
773182ff 90           nop

The attempted indirect call address was NtSetContextThread (the syscall behind the beloved API call: SetThreadContext). This function has been used to bypass CFG in the past (https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20Yuki%20Chen%20-%20The%20Birth%20of%20a%20Complete%20IE11%20Exploit%20Under%20the%20New%20Exploit%20Mitigations.pdf) and has therefore been marked as invalid.
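To make the runtime check described in the CFG overview and the failure above concrete, here is an added model (not code from this post, and not Windows' own implementation) of how the 32-bit CFG bitmap lookup decides whether a target is valid. It assumes the Windows 10 x86 layout described in the Trend Micro paper linked above: one 32-bit word per 256 bytes of address space, two bits per 16-byte slot, the even bit for a 16-byte-aligned target and the odd bit for an unaligned one; the 64 KiB model region, the marking helper (which sets both bits for an unaligned entry) and all addresses are constructed for the demonstration. A target that was never marked, like the NtSetContextThread entry found in ESI, fails the check exactly as mspaint.exe did.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the 32-bit Windows 10 CFG bitmap layout (assumption taken from
 * the Trend Micro paper linked above, not from this post): one 32-bit word per
 * 256 bytes of address space, so each bit covers 8 bytes and each 16-byte slot
 * owns two bits. The even bit says a 16-byte-aligned target in the slot is
 * valid; the odd bit says an unaligned target in the slot is valid. */
#define MODEL_SPACE  0x10000u              /* constructed: model 64 KiB only */
#define BITMAP_WORDS (MODEL_SPACE / 256u)

typedef struct { uint32_t words[BITMAP_WORDS]; } cfg_bitmap;

static void bit_position(uint32_t addr, uint32_t *word, uint32_t *bit) {
    *word = addr >> 8;            /* which 32-bit word (256 bytes each)     */
    *bit  = (addr >> 3) & 0x1Fu;  /* which bit inside it (8 bytes each)     */
    if (addr & 0xFu) *bit |= 1u;  /* unaligned target -> the slot's odd bit */
}

/* Mirrors the decision LdrpValidateUserCallTarget makes for one target. */
bool cfg_is_valid_target(const cfg_bitmap *bm, uint32_t addr) {
    uint32_t w, b;
    if (addr >= MODEL_SPACE) return false;   /* outside the modelled region */
    bit_position(addr, &w, &b);
    return (bm->words[w] >> b) & 1u;
}

/* Marks a function entry as a valid target, as the loader does for each entry
 * of an image's guard function table. In this model an aligned entry sets only
 * the even bit, while an unaligned entry sets both bits (assumption), so every
 * address in its 16-byte slot then passes: the bitmap's known coarseness. */
void cfg_mark_valid(cfg_bitmap *bm, uint32_t addr) {
    uint32_t w, b;
    if (addr >= MODEL_SPACE) return;
    bit_position(addr, &w, &b);
    bm->words[w] |= 1u << b;
    if (addr & 0xFu) bm->words[w] |= 1u << (b & ~1u);
}

/* Fresh bitmap, one marked entry, then one probe: what the check would say. */
bool marked_then_probe(uint32_t marked, uint32_t probe) {
    cfg_bitmap bm;
    memset(&bm, 0, sizeof bm);
    cfg_mark_valid(&bm, marked);
    return cfg_is_valid_target(&bm, probe);
}
```

The two-bit granularity is why the check is cheap (one shift, one mask, one bit test) and also why a slot holding an unaligned valid entry accepts any address inside it.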

Eureka
Now, if we look at the code surrounding the call to ntdll!RtlFailFast2 we can see a call to another function with a
rather interesting name: ntdll!RtlpGuardGrantSuppressedCallAccess.


Figure 8: IDA view of RtlpHandleInvalidUserCallTarget calling RtlpGuardGrantSuppressedCallAccess (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-8-IDA-View-RtlpHandleInvalidUserCallTarget-RtlpGuardGrantSuppressedCallAccess.png)
This function is a wrapper around the new ntdll!NtSetInformationVirtualMemory syscall.


Figure 9: IDA view of RtlpGuardGrantSuppressedCallAccess (http://breakingmalware.com/wp-content/uploads/2016/06/Figure-9-IDA-View-RtlpGuardGrantSuppressedCallAccess.png)
Which, if we take a quick glance at the MSDN (https://msdn.microsoft.com/en-us/library/windows/hardware/mt629134(v=vs.85).aspx), is only partially documented.
