Developing a kernel mode security package

KSecRegisterSecurityProvider from DriverEntry

Understanding the registration of Microsoft packages

Registration of classic package

Registration is done in ksecpkg!KsecExRegisterOneExtension.

The job is done by ksecdd!KsecRegisterExtension (KsecInstallBuiltinPackages), via IOCTL 0x390038 ( CTL_CODE(FILE_DEVICE_KSEC, 0xE, METHOD_BUFFERED, FILE_ANY_ACCESS) ) sent to \device\ksecdd.

The parameter is 0x10 bytes long and consists of two 8-byte values:

  • the first is 0x2 (the code)
  • the second is a pointer to an array of structures

Each structure is composed of 2 pointers:

  • the first is a pointer to a SECPKG_KERNEL_FUNCTION_TABLE (see ntsecpkg.h)
  • the second is a pointer to a UNICODE_STRING

The array is terminated by a zeroed structure.

The Negotiate package is loaded directly in ksecdd.
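As an added example (not part of these notes), this C program models the 0x10-byte registration request described above and walks the zero-terminated array the way the receiving side in ksecdd must; the structure and field names are assumptions, only the layout and the IOCTL constants come from the notes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Windows CTL_CODE macro and the constants the notes use. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define FILE_DEVICE_KSEC 0x39
#define METHOD_BUFFERED  0
#define FILE_ANY_ACCESS  0
#define IOCTL_KSEC_REGISTER_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 0xE, METHOD_BUFFERED, FILE_ANY_ACCESS) /* 0x390038 */
#define KSEC_REGISTER_EXTENSION_CODE 2

/* One array element: two pointers (type and field names are assumptions). */
typedef struct {
    uint64_t FunctionTable;  /* -> SECPKG_KERNEL_FUNCTION_TABLE */
    uint64_t PackageName;    /* -> UNICODE_STRING */
} KSEC_EXTENSION_ENTRY;
/* The 0x10-byte IOCTL input buffer: the code, then the array pointer. */
typedef struct {
    uint64_t Code;
    uint64_t Extensions;     /* -> KSEC_EXTENSION_ENTRY[] */
} KSEC_REGISTER_REQUEST;

/* Validate the request and count entries up to the zeroed terminator;
 * returns -1 for a malformed request (wrong size, wrong code, NULL array). */
int count_extensions(const void *buf, size_t len) {
    if (len != sizeof(KSEC_REGISTER_REQUEST)) return -1;
    const KSEC_REGISTER_REQUEST *req = buf;
    if (req->Code != KSEC_REGISTER_EXTENSION_CODE || req->Extensions == 0) return -1;
    const KSEC_EXTENSION_ENTRY *e = (const KSEC_EXTENSION_ENTRY *)(uintptr_t)req->Extensions;
    int n = 0;
    while (e[n].FunctionTable != 0 || e[n].PackageName != 0) n++;
    return n;
}

/* Constructed sample: two packages, then the zero terminator. */
static const KSEC_EXTENSION_ENTRY sample_entries[] = {
    { 0x1000, 0x2000 }, { 0x1100, 0x2100 }, { 0, 0 },
};
int sample_count(void) {
    KSEC_REGISTER_REQUEST req = { KSEC_REGISTER_EXTENSION_CODE, (uint64_t)(uintptr_t)sample_entries };
    return count_extensions(&req, sizeof req);
}

int main(void) {
    printf("IOCTL 0x%x, %d package(s) in sample request\n", IOCTL_KSEC_REGISTER_EXTENSION, sample_count());
    return 0;
}
```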

Initialization of classic package

Initialization of the classic packages is done when the LSA is initialized, as this call stack shows:

ksecpkg!NtLmInitKernelPackage
ksecdd!InitializePackages+0x327
ksecdd!CreateClient+0xfe
ksecdd!IsOkayToExec+0x1c
ksecdd!InitSecurityInterfaceW+0xb
ksecdd! ?? ::NNGAKEGL::`string'+0x48c
ksecdd!KsecDispatch+0x9a
nt!IopXxxControlFile+0x607
nt!NtDeviceIoControlFile+0x56
nt!KiSystemServiceCopyEnd+0x13
ntdll!ZwDeviceIoControlFile+0xa
lsass!LsapOpenKsec+0xec
lsass!main+0x14f
lsass!MIDL_user_free+0x1b5
kernel32!BaseThreadInitThunk+0xd
ntdll!RtlUserThreadStart+0x1d

Registration of a new SSP

Call KSecRegisterSecurityProvider() directly in the DriverEntry function of a legacy driver. This function is an export of ksecdd.sys. The driver MUST be loaded with the system AFTER ksecpkg.sys and BEFORE lsass.exe for the package to be active. That means that once the driver is installed, the computer MUST be rebooted.

KSecRegisterSecurityProvider

If registration happens AFTER lsass.exe has started, the package can be used but NegoEx will fail, because LocatePackageById returns NULL: the translation of the name to the ID is made at LSA initialization.

Miscellaneous

Debug output

You can set the flags with [ed nt!Kd_KSECDD_Mask 0xFFFFFFFF] and [e ksecpkg!KsecInfoLevel 6].

Here is a debug output of a checked build version.

0xe100b30.0xe302060> KSec:  Calling TlsDecryptMessage()
0xe100b30.0xe302060> KSec:  Calling SslDecryptPacket()
0xe100b30.0xe302060> KSec:  SslDecryptPacket: returned 0x0
0xe100b30.0xe302060> KSec:  TlsDecryptMessage returned 0x0
0xe100b30.0xe302060> KSec:  TlsDecryptMessage: returned 0x0
0xe100b30.0xe302060> KSec:      Read Sequence [IN]: 2
0xe100b30.0xe302060> KSec:  Header (plaintext): cbBuffer:0x5, pvBuffer:0x02a52d70
0xe100b30.0xe302060> KSec:  Data (plaintext): cbBuffer:0x121, pvBuffer:0x02a52d75
0xe100b30.0xe302060> KSec:  Trailer (plaintext): cbBuffer:0x1f, pvBuffer:0x02a52e96
(...)
0xcd1f740.0xe5117b0> KSec:  NegoExtsQueryContextAttributes returned 0
0xcd1f740.0xe5117b0> KSec:  NegoExtsGetContextToken called