Patrick Wardle@patrickwardle
Jul 19
17 tweets
I don't do Windows but here are some (initial) details about why the CrowdStrike's CSAgent.sys crashed
Faulting inst: mov r9d, [r8]
R8: unmapped address
...taken from an array of pointers (held in RAX), index RDX (0x14 * 0x8) holds the invalid memory address
@John Hammond
The other "drivers" (e.g. 'C-00000291-...32.sys') appear to be obfuscated data ...and are x-ref'd (perhaps ingested?) by CSAgent.sys
...so maybe invalid (config/signature) data triggered the fault in CSAgent.sys
This would be easier to tell/confirm via debugging 
This is all surmised static analysis ...reversing CSAgent.sys (now on VT: virustotal.com/gui/file/fc17c)
and data from a single crash dump ...so take with a pinch of 
...and big mahalo to Tom! 
...and big mahalo to Tom! Sharing a .zip with:
A few versions of CSAgent.sys (+idb)
Various C-....sys files (including the latest that I believe contains the "fix"?)
I don't have any Windows systems/VMs, so hopefully ya'll can keep digging 
drive.google.com/file/d/1OVIWLD
#SharingIsCaring
A few versions of CSAgent.sys (+idb)
Various C-....sys files (including the latest that I believe contains the "fix"?)
I don't have any Windows systems/VMs, so hopefully ya'll can keep digging
drive.google.com/file/d/1OVIWLD
#SharingIsCaringA big outstanding questions to me is; what are the 'C-00000291-...xxx.sys' files?
As deleting them fixes the crash, this seems imply their contents matter (as its CSAgent.sys that has references to them, that is crashing).
But as their contents change between systems... 
"The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted." -Kevin Beaumont
cyberplace.social/@GossiTheDog/1
Note "channel updates ...bypassed client's staging controls and was rolled out to everyone regardless" resetera.com/threads/window
A few IT folks who had set the CS policy to ignore latest version confirmed this was, ya, bypassed, as this was "content" update (vs. a version update)
An update from @CrowdStrike confirms our analysis: crowdstrike.com/blog/technical
Namely:
The C-...sys files aren't kernel drivers, but rather are "configuration files" dubbed "Channel Files"
C-00000291- "triggered a logic error that resulted in an OS crash" (via CSAgent.sys)
The C-...sys files aren't kernel drivers, but rather are "configuration files" dubbed "Channel Files"
C-00000291- "triggered a logic error that resulted in an OS crash" (via CSAgent.sys)
Some surmised a blank (0x0, ...) Channel File was to blame.
@CrowdStrike debunked that stating the issue was "not related to null bytes contained in ...any... Channel File"
Also @Malware Utkonos notes a check that shows files must start w/ "0xaaaaaaaa":
x.com/MalwareUtkonos
Malware Utkonos@MalwareUtkonos
Jul 20
View on Twitter
There is what appears to be a file magic check for 0xAAAAAAAA at this address in:
37c78ba2eac468941a80f4e12aa390a00cb22337fbf87a94c59cee05473d1c66
This byte pattern is also the first four bytes of the "Channel Files". A file with all NULLs may fail this cmp.
(Others may have mentioned this?) but we find many references "channel files" in @CrowdStrike's patents that provide more insight into their purpose, format, etc.
Search:
"channel file" assignee:(Crowdstrike, Inc.)
For example in US11822515B2 & US11645397B2:
(attempting) to explain this all to the general America public on @ABC News's "Good Morning America" @Good Morning America #TalkingNerdy 
Yes, @Apple should be lauded for deprecating 3rd-party kexts & supporting the move to user-mode System Extensions.
However this has been fraught w/ kernel panics (ha!), privilege escalations ...& worse unprivileged code/malware can still trivially unload macOS security tools!
macOS kernel code that facilities user-mode System Extensions was (is?) notorious buggy.
Ironically this resulted in security tools that had been migrated to user-mode, now inadvertently triggering wide-spread kernel panics (in core Apple kexts) 
#YouHadOneJob
#YouHadOneJob 
Other issues included new privilege escalations in core macOS System Extension framework(s) such as CVE-2019-8805
See "Endpoint Security and Insecurity" by @Scott Knight (presented at #OBTS ): objectivebythesea.org/v3/talks/OBTS_
): objectivebythesea.org/v3/talks/OBTS_ 
Finally due to flaw in
's handling of System Extensions unpriv'd code/malware may trigger their unloading 
It's trivial to exploit this 0day, e.g. to nuke LuLu (a firewall that runs as a trusted System Extension) even on the latest version of macOS!
bug not LuLu-specific!
's handling of System Extensions unpriv'd code/malware may trigger their unloading
It's trivial to exploit this 0day, e.g. to nuke LuLu (a firewall that runs as a trusted System Extension) even on the latest version of macOS!
bug not LuLu-specific! I'm stoked to talking more about crash reports (which provided both the means to gain insight into @CrowdStrike's crash as well as revealed this and other macOS 0days) at @Black Hat! 
Talk: "The Hidden Treasure of Crash Reports?" blackhat.com/us-24/briefing
Talk: "The Hidden Treasure of Crash Reports?" blackhat.com/us-24/briefing
Missing some tweets in this thread? Or failed to load images or videos? You can try to .