I don't do Windows but here are some (initial) details about why the CrowdStrike's CSAgent.sys crashed
Faulting inst: mov r9d, [r8]
R8: unmapped address
...taken from an array of pointers (held in RAX), index RDX (0x14 * 0x8) holds the invalid memory address
@_JohnHammond
The other "drivers" (e.g. 'C-00000291-...32.sys') appear to be obfuscated data ...and are x-ref'd (perhaps ingested?) by CSAgent.sys
...so maybe invalid (config/signature) data triggered the fault in CSAgent.sys
This would be easier to tell/confirm via debugging 😅
This is all surmised static analysis ...reversing CSAgent.sys (now on VT: )
and data from a single crash dump ...so take with a pinch of 🧂🫣
...and big mahalo to Tom! 🧠🙏🏽virustotal.com/gui/file/fc17c…
Sharing a .zip with:
▫️A few versions of CSAgent.sys (+idb)
▫️Various C-....sys files (including the latest that I believe contains the "fix"?)
I don't have any Windows systems/VMs, so hopefully ya'll can keep digging 🥰
#SharingIsCaringdrive.google.com/file/d/1OVIWLD…
A big outstanding questions to me is; what are the 'C-00000291-...xxx.sys' files?
As deleting them fixes the crash, this seems imply their contents matter (as its CSAgent.sys that has references to them, that is crashing).
But as their contents change between systems... 🤔
"The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted." -Kevin Beaumont
cyberplace.social/@GossiTheDog/1…
Note "channel updates ...bypassed client's staging controls and was rolled out to everyone regardless"
A few IT folks who had set the CS policy to ignore latest version confirmed this was, ya, bypassed, as this was "content" update (vs. a version update)resetera.com/threads/window…
An update from @CrowdStrike confirms our analysis:
Namely:
▫️ The C-...sys files aren't kernel drivers, but rather are "configuration files" dubbed "Channel Files"
▫️ C-00000291- "triggered a logic error that resulted in an OS crash" (via CSAgent.sys)crowdstrike.com/blog/technical…
@CrowdStrike
Some surmised a blank (0x0, ...) Channel File was to blame.
@CrowdStrike debunked that stating the issue was "not related to null bytes contained in ...any... Channel File"
Also @MalwareUtkonos notes a check that shows files must start w/ "0xaaaaaaaa":
(Others may have mentioned this?) but we find many references "channel files" in @CrowdStrike's patents that provide more insight into their purpose, format, etc.
Search:
"channel file" assignee:(Crowdstrike, Inc.)
For example in US11822515B2 & US11645397B2:
(attempting) to explain this all to the general America public on @ABC's "Good Morning America" @GMA #TalkingNerdy 📺🇺🇸🍿🤓
Yes, @Apple should be lauded for deprecating 3rd-party kexts & supporting the move to user-mode System Extensions.
However this has been fraught w/ kernel panics (ha!), privilege escalations ...& worse unprivileged code/malware can still trivially unload macOS security tools! 🫣
@Apple macOS kernel code that facilities user-mode System Extensions was (is?) notorious buggy.
Ironically this resulted in security tools that had been migrated to user-mode, now inadvertently triggering wide-spread kernel panics (in core Apple kexts) 🤦🏻♂️ #YouHadOneJob
@Apple Other issues included new privilege escalations in core macOS System Extension framework(s) such as CVE-2019-8805
See "Endpoint Security and Insecurity" by @sdotknight (presented at #OBTS 🥰): objectivebythesea.org/v3/talks/OBTS_…
Finally due to flaw in🍎's handling of System Extensions unpriv'd code/malware may trigger their unloading 😱
It's trivial to exploit this 0day, e.g. to nuke LuLu (a firewall that runs as a trusted System Extension) even on the latest version of macOS!
ℹ️ bug not LuLu-specific!
I'm stoked to talking more about crash reports (which provided both the means to gain insight into @CrowdStrike's crash as well as revealed this and other macOS 0days) at @BlackHatEvents! 🖤🥰
Talk: "The Hidden Treasure of Crash Reports?" blackhat.com/us-24/briefing…
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.