Developing a kernel-mode security package
Understanding the registration of Microsoft packages
Registration of a classic package
Registration is done in ksecpkg!KsecExRegisterOneExtension.
The actual work is done by ksecdd!KsecRegisterExtension (called from KsecInstallBuiltinPackages) via IOCTL 0x390038, i.e. CTL_CODE(FILE_DEVICE_KSEC, 0xE, METHOD_BUFFERED, FILE_ANY_ACCESS), sent to \Device\KSecDD.
The input buffer is 0x10 bytes and consists of two 8-byte values:
- First: 0x2 (the code)
- Second: a pointer to an array of structures
Each structure is composed of two pointers:
- First: a pointer to a SECPKG_KERNEL_FUNCTION_TABLE (see ntsecpkg.h)
- Second: a pointer to a UNICODE_STRING holding the package name
The array is terminated by a zeroed structure.
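The layout above, as an added example that is not code from the page, ksecdd.sys or ksecpkg.sys: it builds the 0x10-byte input and the pointer-pair array on x64, then walks the array the way a receiving driver has to before trusting it (exact buffer size, code 0x2, every entry either fully populated or the zeroed terminator, bounded walk). The CTL_CODE macro, FILE_DEVICE_KSEC and the UNICODE_STRING layout are the real ones; the names IOCTL_KSEC_REGISTER_EXTENSION, KSEC_EXTENSION_ENTRY, KSEC_REGISTER_EXTENSION_INPUT, the ksec_* functions and the package names in the sample are assumptions chosen for illustration. It compiles without the WDK.

```c
/* Added example: models the IOCTL 0x390038 registration buffer described above.
 * Names marked "hypothetical" are chosen here; they are not WDK or ksecdd names. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CTL_CODE exactly as the WDK defines it (Method comes before Access). */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define METHOD_BUFFERED  0
#define FILE_ANY_ACCESS  0
#define FILE_DEVICE_KSEC 0x39

/* Hypothetical name; the value is the page's 0x390038. */
#define IOCTL_KSEC_REGISTER_EXTENSION \
    CTL_CODE(FILE_DEVICE_KSEC, 0xE, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define KSEC_REGISTER_EXTENSION_CODE 0x2   /* first 8-byte value of the input */
#define MAX_ENTRIES 64                     /* bound for walking the array */

typedef struct _UNICODE_STRING {           /* standard NT layout */
    uint16_t  Length;                      /* in bytes, not characters */
    uint16_t  MaximumLength;
    uint16_t *Buffer;                      /* UTF-16, not NUL-terminated by contract */
} UNICODE_STRING;

typedef struct _SECPKG_KERNEL_FUNCTION_TABLE SECPKG_KERNEL_FUNCTION_TABLE; /* opaque here; real one in ntsecpkg.h */

typedef struct _KSEC_EXTENSION_ENTRY {     /* hypothetical name for the pointer pair */
    const SECPKG_KERNEL_FUNCTION_TABLE *FunctionTable;
    const UNICODE_STRING *Name;
} KSEC_EXTENSION_ENTRY;

typedef struct _KSEC_REGISTER_EXTENSION_INPUT { /* hypothetical name for the 0x10-byte buffer */
    uint64_t Code;                         /* 0x2 */
    uint64_t Extensions;                   /* KSEC_EXTENSION_ENTRY* stored as 8 bytes */
} KSEC_REGISTER_EXTENSION_INPUT;

/* Fills a UNICODE_STRING from ASCII into a caller-provided UTF-16 buffer. */
static void init_ustr(UNICODE_STRING *us, uint16_t *buf, size_t cap, const char *ascii)
{
    size_t n = 0;
    while (ascii[n] && n < cap) { buf[n] = (uint16_t)(unsigned char)ascii[n]; n++; }
    us->Buffer = buf;
    us->Length = (uint16_t)(n * sizeof(uint16_t));
    us->MaximumLength = (uint16_t)(cap * sizeof(uint16_t));
}

/* Receiving side: validates the request and returns the number of extensions,
 * or -1 if it is malformed (wrong size, wrong code, null array, half-filled
 * entry, bad name, or no terminator within MAX_ENTRIES). */
int ksec_validate_registration(const void *input, size_t input_len)
{
    if (input == NULL || input_len != sizeof(KSEC_REGISTER_EXTENSION_INPUT)) return -1;
    const KSEC_REGISTER_EXTENSION_INPUT *in = input;
    if (in->Code != KSEC_REGISTER_EXTENSION_CODE || in->Extensions == 0) return -1;

    const KSEC_EXTENSION_ENTRY *e = (const KSEC_EXTENSION_ENTRY *)(uintptr_t)in->Extensions;
    for (int i = 0; i < MAX_ENTRIES; i++, e++) {
        if (e->FunctionTable == NULL && e->Name == NULL) return i;   /* zeroed terminator */
        if (e->FunctionTable == NULL || e->Name == NULL) return -1;  /* half-filled entry */
        if (e->Name->Buffer == NULL || e->Name->Length == 0 ||
            e->Name->Length > e->Name->MaximumLength) return -1;
    }
    return -1;
}

/* Name-to-index translation of the kind the LSA does at initialization:
 * returns the position of the entry whose name matches, or -1. */
int ksec_find_extension(const KSEC_EXTENSION_ENTRY *arr, const char *ascii_name)
{
    for (int i = 0; i < MAX_ENTRIES && (arr[i].FunctionTable || arr[i].Name); i++) {
        const UNICODE_STRING *n = arr[i].Name;
        if (n == NULL) continue;
        size_t chars = n->Length / sizeof(uint16_t), k = 0;
        while (k < chars && ascii_name[k] &&
               n->Buffer[k] == (uint16_t)(unsigned char)ascii_name[k]) k++;
        if (k == chars && ascii_name[k] == '\0') return i;
    }
    return -1;
}

/* Constructed sample: two packages plus the zeroed terminator, sent as a builtin would. */
int ksec_demo(void)
{
    static char table_storage[2][16];      /* opaque stand-ins for real function tables */
    static uint16_t name_buf[2][16];
    static UNICODE_STRING names[2];
    static KSEC_EXTENSION_ENTRY entries[3];
    init_ustr(&names[0], name_buf[0], 16, "Kerberos");
    init_ustr(&names[1], name_buf[1], 16, "NTLM");
    for (int i = 0; i < 2; i++) {
        entries[i].FunctionTable = (const SECPKG_KERNEL_FUNCTION_TABLE *)table_storage[i];
        entries[i].Name = &names[i];
    }
    entries[2].FunctionTable = NULL; entries[2].Name = NULL;
    KSEC_REGISTER_EXTENSION_INPUT in = { KSEC_REGISTER_EXTENSION_CODE, (uint64_t)(uintptr_t)entries };
    int count = ksec_validate_registration(&in, sizeof in);
    printf("IOCTL 0x%x: %d extension(s), NTLM at index %d\n",
           IOCTL_KSEC_REGISTER_EXTENSION, count, ksec_find_extension(entries, "NTLM"));
    return count;
}

/* Malformed request: an entry with a table but no name must be rejected. */
int ksec_demo_half_filled(void)
{
    static char table_storage[16];
    KSEC_EXTENSION_ENTRY bad[2] = { { (const SECPKG_KERNEL_FUNCTION_TABLE *)table_storage, NULL },
                                    { NULL, NULL } };
    KSEC_REGISTER_EXTENSION_INPUT in = { KSEC_REGISTER_EXTENSION_CODE, (uint64_t)(uintptr_t)bad };
    return ksec_validate_registration(&in, sizeof in);
}

int main(void) { return ksec_demo() == 2 ? 0 : 1; }
```

The walk is bounded and rejects half-filled entries because the terminator is the only thing that tells the driver where the caller's array ends; a missing terminator would otherwise make it read past the array.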
The Negotiate package is loaded directly in ksecdd.
Initialization of a classic package
Initializing a classic package is done when the LSA is initialized: lsass opens \Device\KSecDD (LsapOpenKsec) and the resulting IOCTL, dispatched by ksecdd, ends in the package's init routine (here NtLmInitKernelPackage). Combined user/kernel stack:
ksecpkg!NtLmInitKernelPackage
ksecdd!InitializePackages+0x327
ksecdd!CreateClient+0xfe
ksecdd!IsOkayToExec+0x1c
ksecdd!InitSecurityInterfaceW+0xb
ksecdd! ?? ::NNGAKEGL::`string'+0x48c
ksecdd!KsecDispatch+0x9a
nt!IopXxxControlFile+0x607
nt!NtDeviceIoControlFile+0x56
nt!KiSystemServiceCopyEnd+0x13
ntdll!ZwDeviceIoControlFile+0xa
lsass!LsapOpenKsec+0xec
lsass!main+0x14f
lsass!MIDL_user_free+0x1b5
kernel32!BaseThreadInitThunk+0xd
ntdll!RtlUserThreadStart+0x1d
Registration of a new SSP
Call KSecRegisterSecurityProvider() directly in the DriverEntry function of a legacy (non-PnP) driver. This function is an export of ksecdd.sys. To be active, the driver MUST be loaded at boot AFTER ksecpkg.sys and BEFORE lsass.exe, so once the driver is installed the computer MUST be rebooted.
If the registration happens AFTER lsass.exe has started, the package can still be used but NegoEx will fail, because LocatePackageById returns NULL: the translation of the package name to its ID is made only at LSA initialization.
Miscellaneous
Debug output
In the kernel debugger you can set the flags with [ed nt!Kd_KSECDD_Mask 0xFFFFFFFF] and [e ksecpkg!KsecInfoLevel 6].
Here is a debug output from a checked build (the prefix is process.thread):
0xe100b30.0xe302060> KSec: Calling TlsDecryptMessage()
0xe100b30.0xe302060> KSec: Calling SslDecryptPacket()
0xe100b30.0xe302060> KSec: SslDecryptPacket: returned 0x0
0xe100b30.0xe302060> KSec: TlsDecryptMessage returned 0x0
0xe100b30.0xe302060> KSec: TlsDecryptMessage: returned 0x0
0xe100b30.0xe302060> KSec: Read Sequence [IN]: 2
0xe100b30.0xe302060> KSec: Header (plaintext): cbBuffer:0x5, pvBuffer:0x02a52d70
0xe100b30.0xe302060> KSec: Data (plaintext): cbBuffer:0x121, pvBuffer:0x02a52d75
0xe100b30.0xe302060> KSec: Trailer (plaintext): cbBuffer:0x1f, pvBuffer:0x02a52e96
(...)
0xcd1f740.0xe5117b0> KSec: NegoExtsQueryContextAttributes returned 0
0xcd1f740.0xe5117b0> KSec: NegoExtsGetContextToken called