Introduction to Windows System Internals part II by Tim Shelton Black Security [email protected]

Introduction to Introduction to Windows System Windows System Internals part IIInternals part II

bybyTim SheltonTim Shelton

Black SecurityBlack Security

[email protected]@blacksecurity.org

OutlineOutline

Windows SubsystemsWindows Subsystems API BreakdownAPI Breakdown

The API LayersThe API Layers User-land and Kernel-landUser-land and Kernel-land Processes, Threads, and JobsProcesses, Threads, and Jobs Virtual Memory ManagerVirtual Memory Manager

Windows SubsystemWindows Subsystem Is the Windows NT structure Is the Windows NT structure considered a “microkernel”? No!considered a “microkernel”? No!

A A microkernelmicrokernel is a type of kernel in which the principal operating is a type of kernel in which the principal operating system components (such as memory manager, process manager, system components (such as memory manager, process manager, and I/O manager) run as separate processes in their own separated and I/O manager) run as separate processes in their own separated address space. EX: Carnegie Mellon University’s Mach (OSX) address space. EX: Carnegie Mellon University’s Mach (OSX) operating kernel.operating kernel.

Shares address space with rest of Shares address space with rest of kernel componentskernel components

Windows SubsystemWindows Subsystem 3 Basic Types of User-Mode Processes

Fixed processes ie: logon process, session manager

Service Processes – runs independently of user logons.

ie: Task Scheduler, Spooler service. Environment Subsystem

Windows, POSIX, and OS/2

Windows NT LayerWindows NT Layer

Executive

DeviceDrivers

Hardware Abstraction Layer (HAL)

Kernel

User

Kernel

Win32

User Apps

Subsystem DLL

System & ServiceProcesses

POSIXOS/2

Win32User/GDI

Environment Subsystems

Windows SubsystemWindows Subsystem

Each Subsystem Contains Subsystem Service Process (csrss) Subsystem API library

e.g. kernel32, advapi32, gdi32, ntdll Hooks in CreateProcess code

Pseudo Subsystems ex: LSASS and CLR

Services & KernelServices & Kernel

3 Different Implimentations Application’s Container (Libraries) Separate Containers (Services) Central, Universally Shared Container (kernel)

KernelKernel

Disadvantages of Kernel Less Flexible Single sysentry mechanism Inter-operation requires shared abstractions Access controls limited (ACLS)

ServicesServices

Services have natural advantage Filtering and refinement of operations provides finer-grained access control Easy to provide alternative abstractions Seperated in their own protected private address space

Execution LayersExecution Layers

Executive Execution LayerExecutive Execution Layer Kernel Execution LayerKernel Execution Layer

Executive Execution Executive Execution LayerLayer Executive Execution LayerExecutive Execution Layer

Upper Layers of Operating SystemUpper Layers of Operating System Provides “generic operating system” Provides “generic operating system” functionsfunctions

Creating/deleting processes and Creating/deleting processes and threadsthreads Memory managementMemory management I/OI/O Interprocess communicationInterprocess communication SecuritySecurity


Executive

DeviceDrivers


Kernel

User

Kernel

Win32

User Apps

Subsystem DLL


POSIXOS/2

Win32User/GDI


Executive Execution Executive Execution LayerLayer

Almost completely portable C code. Almost completely portable C code. (bits of object oriented c++ and asm)(bits of object oriented c++ and asm)

Private internal O/S structurePrivate internal O/S structure Runs in kernel ("privileged", ring 0) mode Runs in kernel ("privileged", ring 0) mode Many interfaces to executive O/S services Many interfaces to executive O/S services undocumentedundocumented

Executive Execution Executive Execution LayerLayer

Lower Layers of O/SLower Layers of O/S Processor dependant functions Processor dependant functions

(x86 vs. alpha vs. embedded etc)(x86 vs. alpha vs. embedded etc) Processor independant functions closely Processor independant functions closely associated with processor dependant associated with processor dependant functionsfunctions

Kernel Execution LayerKernel Execution Layer Kernel Execution LayerKernel Execution Layer

Private internal O/S structurePrivate internal O/S structure Heart and Soul of O/SHeart and Soul of O/S Executes in kernel modeExecutes in kernel mode API not documented!API not documented! Accessed indirectly via subsystem Accessed indirectly via subsystem APIsAPIs

Windows NT SubsystemWindows NT Subsystem

Executive Services APII/O

SystemSecurityMonitor

Win32GDI

ObjectServices

MemoryMgmt

Processes/Threads

Exec.RTL

DeviceDrivers


Kernel

Object ManagementFileSystems

I/ODevices

DMA/BusControl

CacheControl

Clocks/Timers

PrivilegedArchitecture

InterruptDispatch

Registry

User

Kernel

SystemProcesses

Services User AppsEnvironmentSubsystems

Subsystem DLLInterface DLL

Session MgrWinLogon

ReplicatorAlerter

Event Log

Win32POSIXOS/2

Kernel Execution LayerKernel Execution Layer Reasons for Kernel Code Execution

Requests from user mode (system calls)

Via system service dispatch mechanism (dispatcher) Kernel-mode code runs in context of requesting thread

Windows NT SubsystemWindows NT Subsystem

Executive Services APII/O

SystemSecurityMonitor

Win32GDI

ObjectServices

MemoryMgmt

Processes/Threads

Exec.RTL

DeviceDrivers


Kernel

Object ManagementFileSystems

I/ODevices

DMA/BusControl

CacheControl

Clocks/Timers

PrivilegedArchitecture

InterruptDispatch

Registry

User

Kernel

SystemProcesses

Services User AppsEnvironmentSubsystems

Subsystem DLLInterface DLL

Session MgrWinLogon

ReplicatorAlerter

Event Log

Win32POSIXOS/2

Kernel Execution LayerKernel Execution Layer Reasons for Kernel Code Execution

Interrupts from external devices Interrupts (like all traps) are handled in kernel mode NT-supplied interrupt dispatcher invokes interrupt service routiner ISR runs in context of interrupted thread ("arbitrary thread context") ISR requests execution of "DPC routine", which also runs in kernel mode

Kernel Execution LayerKernel Execution Layer

Reasons for Kernel Code Execution Dedicated kernel-mode threads

Some threads in system stay in kernel mode at all times (mostly "System" process) Scheduled, preempted, etc., like any other threads

Hardware Abstraction Hardware Abstraction LayerLayer

Subroutine library for kernel and device drivers Seperates Kernel and Executive from platform-specific details Presents uniform model of I/O hardware interface to drivers


Executive

DeviceDrivers


Kernel

User

Kernel

Win32

User Apps

Subsystem DLL


POSIXOS/2

Win32User/GDI


Hardware Abstraction Hardware Abstraction LayerLayer

HAL abstracts System timers, cache coherency & flushing SMP support, Hardware interrupt priorities HAL implements functions in both Executive and Kernel Layers

Processes, Threads & Processes, Threads & JobsJobs

Process Layout Each Process Has Its Own:

Virtual address space Program Global Storage Heap Storage Threads' stacks

ProcessesProcesses

Process Layout - Continued Processes cannot corrupt each others address space by mistake (sort of!)

CreateRemoteThread Injection Working set

physical memory "owned" by process

ProcessesProcesses

Process Layout - Continued Access token

includes security identifiers (objects) Handle Table for Win32 kernel objects Resources available to all threads in process Resources separate and protected between processes

ThreadsThreads

Each Thread has: Stack

local variable storage, call frames, etc. Instance of top-level function Scheduling state

Wait, Ready, and Running states Kernel Thread Priority Execution

ThreadsThreads Each Thread has:

Current access mode user-land kernel-land

Saved CPU state of not Running Access token

optional - overrides process token if present

ProcessesProcesses

Processes Continued Container for address space and threads Associated User-mode Process Environment Block (PEB) Primary Access Token (objects) Quota, Debug port, Handle Table (objects)

ProcessesProcesses Processes Continued

Unique process ID Process Object Queued

Job List Global Process List Session list

MM structures like WorkingSet, VAD tree, AWE etc

ThreadsThreads Threads Continued

Fundamental schedulable entity on system Represented by ETHREAD (includes KTHREAD) Queued to Process (both E & K thread) IRP List Impersonation Access Token Unique Thread ID

ThreadsThreads Threads Continued

Associated User-mode Thread Environment Block (TEB) User-mode stack Kernel-mode stack Process Control Block (in KTHREAD)

for cpu state when not running Holds Ready, or Waiting status

JobsJobs Each Job contains:

Container for multiple processes Queued

Global Job List Processes and Jobs in Job Set

Security token filters and job token Completion ports Counters, limits etc

Virtual Memory Virtual Memory ManagerManager

How Do We Allocate Memory? Virtual Memory Manager

User Land Memory Manager Kernel Land Memory Manager


Allocating User Memory Space Virtual Memory Manager

Handles 4gb flat of VA space (IA32) Manages process address space Handles pagefaults Manages process working sets

Virtual Memory Virtual Memory ManagerManager Allocating User Memory Space

Virtual Memory Manager continued… Manages physical memory Provides memory-mapped files Allows pages shared between processes Structure for I/O subsystem and device drivers Supports file system cache manager



Internal API NtCreatePagingFile() NtAllocateVirtualMemory() NtFreeVirtualMemory() NtQueryVirtualMemory() NtProtectVirtualMemory()



Pagefault NtLockVirtualMemory NtUnlockVirtualMemory NtReadVirtualMemory NtWriteVirtualMemory

(OMG!! Thread Injection Tangent) NtFlushVirtualMemory

Remote Thread Injection Remote Thread Injection TangentTangent

One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.


The CreateRemoteThread & WriteProcessMemory technique of code injection is, when compared to the other methods, more flexible in that you don't need an additional DLL. Unfortunately, it is also more complicated and riskier than the other methods.


You can (and most probably will) easily crash the remote process, as soon as something is wrong with your Injected Thread. Because debugging a remote Thread can also be a nightmare, you should use this technique only when injecting at most a few instructions.

Virtual Memory Virtual Memory ManagerManager Allocating Kernel Memory Pool

Tightest x86 system resource is KVA Kernel Virtual Address Space

Pool allocates in small chunks< 4kb: 8b granularity>= 4kb: page granularity

Paged & Non-panged pool Paged pool backed by pagefile

Special pool used to find corruptors Lots of support for debugging/diagnosis

Virtual Memory Virtual Memory ManagerManager Memory Paging

(writing unused memory to disk and paging (pulling it back into active memory)

Working Sets - list of valid pages each process and kernel

Pages 'trimmed' from working set on lists

Standby list: pages backed by disk Modified List: dirty pages to push to disk Free list: pages not associated with disk Zero List: supply of demand-zero pages


Memory Paging – Continued… Modify/standby pages can be faulted back into a working set w/ disk activity (soft fault) Background system threads trim working sets, write modified pages and produce zero pages based on memory stat and config parameters

Virtual Memory Virtual Memory ManagerManager Managing Working Sets

Aging pages - Increment age counts for pages which haven't been accessed

Estimate unused pages: count in working set and keep a global count of estimate When memory starts to become scarce

replace rather than add pages when fault occurs in working set with significant unused pages

When memory IS scarce reduce (trim) working sets which are above maximum


Memory Paging – Continued…Managing Working Sets

Balance Set Manager periodically runs Working Set Trimmer, also swaps out kernel stacks of long-waiting threads

ReviewReview

Windows is segmented into many different layers in order to control the flow of execution.

Windows does many things unique to any other publicly available operating system (obviously)

Questions?Questions?

\o/\o/||

/\ /\

Documents

Introduction to Windows System Internals part II by Tim Shelton Black Security [email protected]