Upload
ernest-bishop
View
231
Download
0
Tags:
Embed Size (px)
Citation preview
Introduction to Introduction to Windows System Windows System Internals part IIInternals part II
bybyTim SheltonTim Shelton
Black SecurityBlack Security
[email protected]@blacksecurity.org
OutlineOutline
Windows SubsystemsWindows Subsystems API BreakdownAPI Breakdown
The API LayersThe API Layers User-land and Kernel-landUser-land and Kernel-land Processes, Threads, and JobsProcesses, Threads, and Jobs Virtual Memory ManagerVirtual Memory Manager
Windows SubsystemWindows Subsystem Is the Windows NT structure Is the Windows NT structure considered a “microkernel”? No!considered a “microkernel”? No!
A A microkernelmicrokernel is a type of kernel in which the principal operating is a type of kernel in which the principal operating system components (such as memory manager, process manager, system components (such as memory manager, process manager, and I/O manager) run as separate processes in their own separated and I/O manager) run as separate processes in their own separated address space. EX: Carnegie Mellon University’s Mach (OSX) address space. EX: Carnegie Mellon University’s Mach (OSX) operating kernel.operating kernel.
Shares address space with rest of Shares address space with rest of kernel componentskernel components
Windows SubsystemWindows Subsystem 3 Basic Types of User-Mode Processes
Fixed processes ie: logon process, session manager
Service Processes – runs independently of user logons.
ie: Task Scheduler, Spooler service. Environment Subsystem
Windows, POSIX, and OS/2
Windows NT LayerWindows NT Layer
Executive
DeviceDrivers
Hardware Abstraction Layer (HAL)
Kernel
User
Kernel
Win32
User Apps
Subsystem DLL
System & ServiceProcesses
POSIXOS/2
Win32User/GDI
Environment Subsystems
Windows SubsystemWindows Subsystem
Each Subsystem Contains Subsystem Service Process (csrss) Subsystem API library
e.g. kernel32, advapi32, gdi32, ntdll Hooks in CreateProcess code
Pseudo Subsystems ex: LSASS and CLR
Services & KernelServices & Kernel
3 Different Implimentations Application’s Container (Libraries) Separate Containers (Services) Central, Universally Shared Container (kernel)
KernelKernel
Disadvantages of Kernel Less Flexible Single sysentry mechanism Inter-operation requires shared abstractions Access controls limited (ACLS)
ServicesServices
Services have natural advantage Filtering and refinement of operations provides finer-grained access control Easy to provide alternative abstractions Seperated in their own protected private address space
Execution LayersExecution Layers
Executive Execution LayerExecutive Execution Layer Kernel Execution LayerKernel Execution Layer
Executive Execution Executive Execution LayerLayer Executive Execution LayerExecutive Execution Layer
Upper Layers of Operating SystemUpper Layers of Operating System Provides “generic operating system” Provides “generic operating system” functionsfunctions
Creating/deleting processes and Creating/deleting processes and threadsthreads Memory managementMemory management I/OI/O Interprocess communicationInterprocess communication SecuritySecurity
Windows NT LayerWindows NT Layer
Executive
DeviceDrivers
Hardware Abstraction Layer (HAL)
Kernel
User
Kernel
Win32
User Apps
Subsystem DLL
System & ServiceProcesses
POSIXOS/2
Win32User/GDI
Environment Subsystems
Executive Execution Executive Execution LayerLayer
Almost completely portable C code. Almost completely portable C code. (bits of object oriented c++ and asm)(bits of object oriented c++ and asm)
Private internal O/S structurePrivate internal O/S structure Runs in kernel ("privileged", ring 0) mode Runs in kernel ("privileged", ring 0) mode Many interfaces to executive O/S services Many interfaces to executive O/S services undocumentedundocumented
Executive Execution Executive Execution LayerLayer
Lower Layers of O/SLower Layers of O/S Processor dependant functions Processor dependant functions
(x86 vs. alpha vs. embedded etc)(x86 vs. alpha vs. embedded etc) Processor independant functions closely Processor independant functions closely associated with processor dependant associated with processor dependant functionsfunctions
Kernel Execution LayerKernel Execution Layer Kernel Execution LayerKernel Execution Layer
Private internal O/S structurePrivate internal O/S structure Heart and Soul of O/SHeart and Soul of O/S Executes in kernel modeExecutes in kernel mode API not documented!API not documented! Accessed indirectly via subsystem Accessed indirectly via subsystem APIsAPIs
Windows NT SubsystemWindows NT Subsystem
Executive Services APII/O
SystemSecurityMonitor
Win32GDI
ObjectServices
MemoryMgmt
Processes/Threads
Exec.RTL
DeviceDrivers
Hardware Abstraction Layer (HAL)
Kernel
Object ManagementFileSystems
I/ODevices
DMA/BusControl
CacheControl
Clocks/Timers
PrivilegedArchitecture
InterruptDispatch
Registry
User
Kernel
SystemProcesses
Services User AppsEnvironmentSubsystems
Subsystem DLLInterface DLL
Session MgrWinLogon
ReplicatorAlerter
Event Log
Win32POSIXOS/2
Kernel Execution LayerKernel Execution Layer Reasons for Kernel Code Execution
Requests from user mode (system calls)
Via system service dispatch mechanism (dispatcher) Kernel-mode code runs in context of requesting thread
Windows NT SubsystemWindows NT Subsystem
Executive Services APII/O
SystemSecurityMonitor
Win32GDI
ObjectServices
MemoryMgmt
Processes/Threads
Exec.RTL
DeviceDrivers
Hardware Abstraction Layer (HAL)
Kernel
Object ManagementFileSystems
I/ODevices
DMA/BusControl
CacheControl
Clocks/Timers
PrivilegedArchitecture
InterruptDispatch
Registry
User
Kernel
SystemProcesses
Services User AppsEnvironmentSubsystems
Subsystem DLLInterface DLL
Session MgrWinLogon
ReplicatorAlerter
Event Log
Win32POSIXOS/2
Kernel Execution LayerKernel Execution Layer Reasons for Kernel Code Execution
Interrupts from external devices Interrupts (like all traps) are handled in kernel mode NT-supplied interrupt dispatcher invokes interrupt service routiner ISR runs in context of interrupted thread ("arbitrary thread context") ISR requests execution of "DPC routine", which also runs in kernel mode
Kernel Execution LayerKernel Execution Layer
Reasons for Kernel Code Execution Dedicated kernel-mode threads
Some threads in system stay in kernel mode at all times (mostly "System" process) Scheduled, preempted, etc., like any other threads
Hardware Abstraction Hardware Abstraction LayerLayer
Subroutine library for kernel and device drivers Seperates Kernel and Executive from platform-specific details Presents uniform model of I/O hardware interface to drivers
Windows NT LayerWindows NT Layer
Executive
DeviceDrivers
Hardware Abstraction Layer (HAL)
Kernel
User
Kernel
Win32
User Apps
Subsystem DLL
System & ServiceProcesses
POSIXOS/2
Win32User/GDI
Environment Subsystems
Hardware Abstraction Hardware Abstraction LayerLayer
HAL abstracts System timers, cache coherency & flushing SMP support, Hardware interrupt priorities HAL implements functions in both Executive and Kernel Layers
Processes, Threads & Processes, Threads & JobsJobs
Process Layout Each Process Has Its Own:
Virtual address space Program Global Storage Heap Storage Threads' stacks
ProcessesProcesses
Process Layout - Continued Processes cannot corrupt each others address space by mistake (sort of!)
CreateRemoteThread Injection Working set
physical memory "owned" by process
ProcessesProcesses
Process Layout - Continued Access token
includes security identifiers (objects) Handle Table for Win32 kernel objects Resources available to all threads in process Resources separate and protected between processes
ThreadsThreads
Each Thread has: Stack
local variable storage, call frames, etc. Instance of top-level function Scheduling state
Wait, Ready, and Running states Kernel Thread Priority Execution
ThreadsThreads Each Thread has:
Current access mode user-land kernel-land
Saved CPU state of not Running Access token
optional - overrides process token if present
ProcessesProcesses
Processes Continued Container for address space and threads Associated User-mode Process Environment Block (PEB) Primary Access Token (objects) Quota, Debug port, Handle Table (objects)
ProcessesProcesses Processes Continued
Unique process ID Process Object Queued
Job List Global Process List Session list
MM structures like WorkingSet, VAD tree, AWE etc
ThreadsThreads Threads Continued
Fundamental schedulable entity on system Represented by ETHREAD (includes KTHREAD) Queued to Process (both E & K thread) IRP List Impersonation Access Token Unique Thread ID
ThreadsThreads Threads Continued
Associated User-mode Thread Environment Block (TEB) User-mode stack Kernel-mode stack Process Control Block (in KTHREAD)
for cpu state when not running Holds Ready, or Waiting status
JobsJobs Each Job contains:
Container for multiple processes Queued
Global Job List Processes and Jobs in Job Set
Security token filters and job token Completion ports Counters, limits etc
Virtual Memory Virtual Memory ManagerManager
How Do We Allocate Memory? Virtual Memory Manager
User Land Memory Manager Kernel Land Memory Manager
Virtual Memory Virtual Memory ManagerManager
Allocating User Memory Space Virtual Memory Manager
Handles 4gb flat of VA space (IA32) Manages process address space Handles pagefaults Manages process working sets
Virtual Memory Virtual Memory ManagerManager Allocating User Memory Space
Virtual Memory Manager continued… Manages physical memory Provides memory-mapped files Allows pages shared between processes Structure for I/O subsystem and device drivers Supports file system cache manager
Virtual Memory Virtual Memory ManagerManager
Allocating User Memory Space Virtual Memory Manager
Internal API NtCreatePagingFile() NtAllocateVirtualMemory() NtFreeVirtualMemory() NtQueryVirtualMemory() NtProtectVirtualMemory()
Virtual Memory Virtual Memory ManagerManager
Allocating User Memory Space Virtual Memory Manager
Pagefault NtLockVirtualMemory NtUnlockVirtualMemory NtReadVirtualMemory NtWriteVirtualMemory
(OMG!! Thread Injection Tangent) NtFlushVirtualMemory
Remote Thread Injection Remote Thread Injection TangentTangent
One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.
Remote Thread Injection Remote Thread Injection TangentTangent
The CreateRemoteThread & WriteProcessMemory technique of code injection is, when compared to the other methods, more flexible in that you don't need an additional DLL. Unfortunately, it is also more complicated and riskier than the other methods.
Remote Thread Injection Remote Thread Injection TangentTangent
You can (and most probably will) easily crash the remote process, as soon as something is wrong with your Injected Thread. Because debugging a remote Thread can also be a nightmare, you should use this technique only when injecting at most a few instructions.
Virtual Memory Virtual Memory ManagerManager Allocating Kernel Memory Pool
Tightest x86 system resource is KVA Kernel Virtual Address Space
Pool allocates in small chunks< 4kb: 8b granularity>= 4kb: page granularity
Paged & Non-panged pool Paged pool backed by pagefile
Special pool used to find corruptors Lots of support for debugging/diagnosis
Virtual Memory Virtual Memory ManagerManager Memory Paging
(writing unused memory to disk and paging (pulling it back into active memory)
Working Sets - list of valid pages each process and kernel
Pages 'trimmed' from working set on lists
Standby list: pages backed by disk Modified List: dirty pages to push to disk Free list: pages not associated with disk Zero List: supply of demand-zero pages
Virtual Memory Virtual Memory ManagerManager
Memory Paging – Continued… Modify/standby pages can be faulted back into a working set w/ disk activity (soft fault) Background system threads trim working sets, write modified pages and produce zero pages based on memory stat and config parameters
Virtual Memory Virtual Memory ManagerManager Managing Working Sets
Aging pages - Increment age counts for pages which haven't been accessed
Estimate unused pages: count in working set and keep a global count of estimate When memory starts to become scarce
replace rather than add pages when fault occurs in working set with significant unused pages
When memory IS scarce reduce (trim) working sets which are above maximum
Virtual Memory Virtual Memory ManagerManager
Memory Paging – Continued…Managing Working Sets
Balance Set Manager periodically runs Working Set Trimmer, also swaps out kernel stacks of long-waiting threads
ReviewReview
Windows is segmented into many different layers in order to control the flow of execution.
Windows does many things unique to any other publicly available operating system (obviously)
Questions?Questions?
\o/\o/||
/\ /\