The Export entry of the loaded ntdll was tampered

[王辉]

I am developing a Chromium-based browser on Windows. I encountered a problem. The function address found by u ntdll!NtOpenProcess in windbg is not the same as the address calculated by PIMAGE_EXPORT_DIRECTORY.

The encapsulation of the function address calculated by PIMAGE_EXPORT_DIRECTORY is here https://source.chromium.org/chromium/chromium/src/+/master:sandbox/win/src/service_resolver.cc;l=25

The address 0x0000FFEd786E9C0 calculated by PIMAGE_EXPORT_DIRECTORY is wrong as shown in the figure below. memory of error address find_in_windbg

[Chris Hamilton]

Is this occurring in a child process (ie, a renderer?) If so this looks like sandbox patching of ntdll (in which case it is working as intended and expected behaviour). Adding +Will Harris as Windows sandbox expert to confirm.

Cheers,

Chris

[Will Harris]

Yes - NtOpenProcess is patched by the broker to allow the sandboxed target to be able to open its own process which would normally not be possible under the right restrictions it operates within.

Will

[王辉]

Now the behavior of my browser is  that the webpage cannot be opened. The error message is "failed to lauch gpu process". If i add the command line --no-sandbox, the page can be opened normally. After investigation, it is found that the content of  ReadProcessMemory for NtOpenProcess  is 0x00000000000000000000 and failed in https://source.chromium.org/chromium/chromium/src/+/master:sandbox/win/src/service_resolver_64.cc;drc=820712f20d3eaf481b9d4043a090e4947b52907f;l=243.

But in fact, the content on the address of NtOpenProcess is shown in the figure 

00007ffe`d786e9c0 48b86062004000000000 mov rax,40006260h

00007ffe`d786e9ca ffe0            jmp     rax

00007ffe`d786e9cc 0000            add     byte ptr [rax],al

00007ffe`d786e9ce 0000            add     byte ptr [rax],al

and  the address queried by this "u ntdll!NtOpenProcess" is

  

0:000> u ntdll!NtOpenProcess

ntdll!NtOpenProcess:

00007ffe`d77fae50 4c8bd1          mov     r10,rcx

00007ffe`d77fae53 b826000000      mov     eax,26h

00007ffe`d77fae58 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1

00007ffe`d77fae60 7503            jne     ntdll!NtOpenProcess+0x15 (00007ffe`d77fae65)

00007ffe`d77fae62 0f05            syscall

00007ffe`d77fae64 c3              ret

00007ffe`d77fae65 cd2e            int     2Eh

00007ffe`d77fae67 c3              ret

This is not the same as the function address calculated by  PIMAGE_EXPORT_DIRECTORY ,

And chrome works normally on this machine. Edge has the same error as my own chromium but if I change the name of the exe(my.exe/edge.exe) to chrome.exe, it returns to normal

[王辉]

00007ffe`d786e9c0   is  calculated by  PIMAGE_EXPORT_DIRECTORY  and   00007ffe`d77fae50  is  queried by this "u ntdll!NtOpenProcess"  in windbg. 

[Will Harris]

Hi,

I'm not sure exactly what you mean here. Are the sandbox tests (sbox_integration_tests.exe) passing on your machine? Are you running any third party software that might be interfering with normal process operation, such as AntiVirus?

If Chrome is working, but Edge and your own browser aren't, it might be worth working out what the differences between those are.

Will

[王辉]

Yes, by comparison, there is an antivirus software interfering my process but no interfering chrome, thank you everyone